[PATCH] selftests/iommu: Fix array-bounds warning in get_hw

iommu.lists.linux-foundation.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] selftests/iommu: Fix array-bounds warning in get_hw_info
@ 2025-11-13 20:08 Nirbhay Sharma
  2025-11-21 23:51 ` Jason Gunthorpe
  0 siblings, 1 reply; 2+ messages in thread
From: Nirbhay Sharma @ 2025-11-13 20:08 UTC (permalink / raw)
  To: Jason Gunthorpe, Kevin Tian, Shuah Khan
  Cc: iommu, linux-kselftest, linux-kernel, david.hunter.linux,
	linux-kernel-mentees, Nirbhay Sharma

GCC warns about potential out-of-bounds access when the test provides
a buffer smaller than struct iommu_test_hw_info:

iommufd_utils.h:817:37: warning: array subscript 'struct
iommu_test_hw_info[0]' is partly outside array bounds of 'struct
iommu_test_hw_info_buffer_smaller[1]'
[-Warray-bounds=]
  817 |                         assert(!info->flags);
      |                                 ~~~~^~~~~~~

The warning occurs because 'info' is cast to a pointer to the full
8-byte struct at the top of the function, but the buffer_smaller test
case passes only a 4-byte buffer. While the code correctly checks
data_len before accessing each field, GCC's flow analysis with inlining
doesn't recognize that the size check protects the access.

Fix this by accessing fields through appropriately-typed pointers that
match the actual field sizes (__u32), declared only after the bounds
check. This makes the relationship between the size check and memory
access explicit to the compiler.

Signed-off-by: Nirbhay Sharma <nirbhay.lkd@gmail.com>
---
 tools/testing/selftests/iommu/iommufd_utils.h | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/tools/testing/selftests/iommu/iommufd_utils.h b/tools/testing/selftests/iommu/iommufd_utils.h
index 9f472c20c190..37c1b994008c 100644
--- a/tools/testing/selftests/iommu/iommufd_utils.h
+++ b/tools/testing/selftests/iommu/iommufd_utils.h
@@ -770,7 +770,6 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type,
 				 void *data, size_t data_len,
 				 uint32_t *capabilities, uint8_t *max_pasid)
 {
-	struct iommu_test_hw_info *info = (struct iommu_test_hw_info *)data;
 	struct iommu_hw_info cmd = {
 		.size = sizeof(cmd),
 		.dev_id = device_id,
@@ -810,11 +809,19 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type,
 		}
 	}
 
-	if (info) {
-		if (data_len >= offsetofend(struct iommu_test_hw_info, test_reg))
-			assert(info->test_reg == IOMMU_HW_INFO_SELFTEST_REGVAL);
-		if (data_len >= offsetofend(struct iommu_test_hw_info, flags))
-			assert(!info->flags);
+	if (data) {
+		if (data_len >= offsetofend(struct iommu_test_hw_info,
+					    test_reg)) {
+			__u32 *test_reg = (__u32 *)data + 1;
+
+			assert(*test_reg == IOMMU_HW_INFO_SELFTEST_REGVAL);
+		}
+		if (data_len >= offsetofend(struct iommu_test_hw_info,
+					    flags)) {
+			__u32 *flags = data;
+
+			assert(!*flags);
+		}
 	}
 
 	if (max_pasid)
-- 
2.48.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] selftests/iommu: Fix array-bounds warning in get_hw_info
  2025-11-13 20:08 [PATCH] selftests/iommu: Fix array-bounds warning in get_hw_info Nirbhay Sharma
@ 2025-11-21 23:51 ` Jason Gunthorpe
  0 siblings, 0 replies; 2+ messages in thread
From: Jason Gunthorpe @ 2025-11-21 23:51 UTC (permalink / raw)
  To: Nirbhay Sharma
  Cc: Kevin Tian, Shuah Khan, iommu, linux-kselftest, linux-kernel,
	david.hunter.linux, linux-kernel-mentees

On Fri, Nov 14, 2025 at 01:38:55AM +0530, Nirbhay Sharma wrote:
> GCC warns about potential out-of-bounds access when the test provides
> a buffer smaller than struct iommu_test_hw_info:
> 
> iommufd_utils.h:817:37: warning: array subscript 'struct
> iommu_test_hw_info[0]' is partly outside array bounds of 'struct
> iommu_test_hw_info_buffer_smaller[1]'
> [-Warray-bounds=]
>   817 |                         assert(!info->flags);
>       |                                 ~~~~^~~~~~~
> 
> The warning occurs because 'info' is cast to a pointer to the full
> 8-byte struct at the top of the function, but the buffer_smaller test
> case passes only a 4-byte buffer. While the code correctly checks
> data_len before accessing each field, GCC's flow analysis with inlining
> doesn't recognize that the size check protects the access.
> 
> Fix this by accessing fields through appropriately-typed pointers that
> match the actual field sizes (__u32), declared only after the bounds
> check. This makes the relationship between the size check and memory
> access explicit to the compiler.
> 
> Signed-off-by: Nirbhay Sharma <nirbhay.lkd@gmail.com>
> ---
>  tools/testing/selftests/iommu/iommufd_utils.h | 19 +++++++++++++------
>  1 file changed, 13 insertions(+), 6 deletions(-)
> 
> diff --git a/tools/testing/selftests/iommu/iommufd_utils.h b/tools/testing/selftests/iommu/iommufd_utils.h
> index 9f472c20c190..37c1b994008c 100644
> --- a/tools/testing/selftests/iommu/iommufd_utils.h
> +++ b/tools/testing/selftests/iommu/iommufd_utils.h
> @@ -770,7 +770,6 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type,
>  				 void *data, size_t data_len,
>  				 uint32_t *capabilities, uint8_t *max_pasid)
>  {
> -	struct iommu_test_hw_info *info = (struct iommu_test_hw_info *)data;
>  	struct iommu_hw_info cmd = {
>  		.size = sizeof(cmd),
>  		.dev_id = device_id,
> @@ -810,11 +809,19 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type,
>  		}
>  	}
>  
> -	if (info) {
> -		if (data_len >= offsetofend(struct iommu_test_hw_info, test_reg))
> -			assert(info->test_reg == IOMMU_HW_INFO_SELFTEST_REGVAL);
> -		if (data_len >= offsetofend(struct iommu_test_hw_info, flags))
> -			assert(!info->flags);
> +	if (data) {
> +		if (data_len >= offsetofend(struct iommu_test_hw_info,
> +					    test_reg)) {
> +			__u32 *test_reg = (__u32 *)data + 1;

This seems too obfuscated, can't we keep the struct somehow and still
remove the warning?

I also feel like you have a compiler bug here, if gcc has inlined
enough to know the size of data then it surely should know the
constant value of data_len?

Failing that, how about just change the caller, maybe like this:

--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -760,6 +760,7 @@ TEST_F(iommufd_ioas, get_hw_info)
        } buffer_larger;
        struct iommu_test_hw_info_buffer_smaller {
                __u32 flags;
+               struct iommu_test_hw_info dummy;
        } buffer_smaller;
 
        if (self->device_id) {
@@ -791,9 +792,11 @@ TEST_F(iommufd_ioas, get_hw_info)
                 * Provide a user_buffer with size smaller than the exact size to check if
                 * the fields within the size range still gets updated.
                 */
-               test_cmd_get_hw_info(self->device_id,
-                                    IOMMU_HW_INFO_TYPE_DEFAULT,
-                                    &buffer_smaller, sizeof(buffer_smaller));
+               test_cmd_get_hw_info(
+                       self->device_id, IOMMU_HW_INFO_TYPE_DEFAULT,
+                       &buffer_smaller,
+                       offsetofend(struct iommu_test_hw_info_buffer_smaller,
+                                   flags));
                test_cmd_get_hw_info_pasid(self->device_id, &max_pasid);
                ASSERT_EQ(0, max_pasid);
                if (variant->pasid_capable) {

Jason

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-11-21 23:51 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-13 20:08 [PATCH] selftests/iommu: Fix array-bounds warning in get_hw_info Nirbhay Sharma
2025-11-21 23:51 ` Jason Gunthorpe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).