From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
To: Kees Cook <kees@kernel.org>
Cc: linux-kernel@vger.kernel.org,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
linux-hardening@vger.kernel.org
Subject: [PATCH v2][next] stddef: Document designated initializer semantics for __TRAILING_OVERLAP()
Date: Sun, 10 May 2026 15:10:31 -0600 [thread overview]
Message-ID: <agD0R-kNbg9YMOCT@kspp> (raw)
Document the designated initializer behavior for overlapping storage
between NAME and MEMBERS, and clarify the implications for static
initialization to help avoid unintended overwrites.
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
Changes in v2:
- Fix a couple of typos.
- Update format.
v1:
- Link: https://lore.kernel.org/linux-hardening/af6p68531gNsTM5U@kspp/
include/linux/stddef.h | 65 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/include/linux/stddef.h b/include/linux/stddef.h
index 80b6bfb944f0..ce0e5d7b205b 100644
--- a/include/linux/stddef.h
+++ b/include/linux/stddef.h
@@ -100,6 +100,71 @@ enum {
* Creates a union between a flexible-array member (FAM) in a struct and a set
* of additional members that would otherwise follow it.
*
+ * Beware that, as this helper encloses TYPE NAME and MEMBERS in the same
+ * union, designated initializers for MEMBERS may overwrite portions
+ * previously initialized through NAME.
+ *
+ * For example:
+ *
+ * struct flex {
+ * size_t count;
+ * u8 fam[];
+ * };
+ *
+ * struct composite {
+ * ...
+ * __TRAILING_OVERLAP(struct flex, flex, fam, __packed,
+ * u8 data;
+ * );
+ * } __packed;
+ *
+ * static struct composite comp = {
+ * .flex = {
+ * .count = 1,
+ * },
+ * .data = 2,
+ * };
+ *
+ * In the example above, .flex and .data initialize different views of the same
+ * union storage. Since .data is initialized last, it _may_ overwrite portions
+ * previously initialized through .flex, leading to .flex.count being zeroed
+ * out.
+ *
+ * A couple of alternatives are shown below.
+ *
+ * a) Initialize only one view of the overlapped storage and assign the rest
+ * at runtime:
+ *
+ * static struct composite comp = {
+ * .flex = {
+ * .count = 1,
+ * },
+ * };
+ *
+ * static void foo(void)
+ * {
+ * comp.data = 2;
+ * ...
+ * }
+ *
+ * (Compiler Explorer test code: https://godbolt.org/z/voM4E36dT)
+ *
+ * b) Alternatively, replace designated initializers with runtime assignments.
+ *
+ * static void foo(void)
+ * {
+ * struct composite comp;
+ *
+ * comp.flex.count = 1;
+ * comp.data = 2;
+ * ...
+ * }
+ *
+ * For another example of the above see commit 5e54510a9389 ("acpi: nfit:
+ * intel: avoid multiple -Wflex-array-member-not-at-end warnings")
+ *
+ * Link: https://git.kernel.org/linus/5e54510a9389caa9
+ *
* @TYPE: Flexible structure type name, including "struct" keyword.
* @NAME: Name for a variable to define.
* @FAM: The flexible-array member within @TYPE
--
2.51.0
reply other threads:[~2026-05-10 21:10 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agD0R-kNbg9YMOCT@kspp \
--to=gustavoars@kernel.org \
--cc=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox