[PATCH v2][next] stddef: Document designated initializer semantics for __TRAILING_OVERLAP()

[PATCH v2][next] stddef: Document designated initializer semantics for __TRAILING_OVERLAP()

[Gustavo A. R. Silva]

Document the designated initializer behavior for overlapping storage
between NAME and MEMBERS, and clarify the implications for static
initialization to help avoid unintended overwrites.

Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
Changes in v2:
 - Fix a couple of typos.
 - Update format.

v1:
 - Link: https://lore.kernel.org/linux-hardening/af6p68531gNsTM5U@kspp/

 include/linux/stddef.h | 65 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

diff --git a/include/linux/stddef.h b/include/linux/stddef.h
index 80b6bfb944f0..ce0e5d7b205b 100644
--- a/include/linux/stddef.h
+++ b/include/linux/stddef.h
@@ -100,6 +100,71 @@ enum {
  * Creates a union between a flexible-array member (FAM) in a struct and a set
  * of additional members that would otherwise follow it.
  *
+ * Beware that, as this helper encloses TYPE NAME and MEMBERS in the same
+ * union, designated initializers for MEMBERS may overwrite portions
+ * previously initialized through NAME.
+ *
+ * For example:
+ *
+ * struct flex {
+ *	size_t count;
+ *	u8 fam[];
+ * };
+ *
+ * struct composite {
+ *	...
+ *	__TRAILING_OVERLAP(struct flex, flex, fam, __packed,
+ *		u8 data;
+ *	);
+ * } __packed;
+ *
+ * static struct composite comp = {
+ *	.flex = {
+ *		.count = 1,
+ *	},
+ *	.data = 2,
+ * };
+ *
+ * In the example above, .flex and .data initialize different views of the same
+ * union storage. Since .data is initialized last, it _may_ overwrite portions
+ * previously initialized through .flex, leading to .flex.count being zeroed
+ * out.
+ *
+ * A couple of alternatives are shown below.
+ *
+ * a) Initialize only one view of the overlapped storage and assign the rest
+ *    at runtime:
+ *
+ *	static struct composite comp = {
+ *		.flex = {
+ *			.count = 1,
+ *		},
+ *	};
+ *
+ *	static void foo(void)
+ *	{
+ *		comp.data = 2;
+ *		...
+ *	}
+ *
+ *	(Compiler Explorer test code: https://godbolt.org/z/voM4E36dT)
+ *
+ * b) Alternatively, replace designated initializers with runtime assignments.
+ *
+ *	static void foo(void)
+ *	{
+ *		struct composite comp;
+ *
+ *		comp.flex.count = 1;
+ *		comp.data = 2;
+ *		...
+ *	}
+ *
+ * For another example of the above see commit 5e54510a9389 ("acpi: nfit:
+ * intel: avoid multiple -Wflex-array-member-not-at-end warnings")
+ *
+ * Link: https://git.kernel.org/linus/5e54510a9389caa9
+ *
  * @TYPE: Flexible structure type name, including "struct" keyword.
  * @NAME: Name for a variable to define.
  * @FAM: The flexible-array member within @TYPE
-- 
2.51.0

Re: [PATCH v2][next] stddef: Document designated initializer semantics for __TRAILING_OVERLAP()

[Kees Cook]

On Sun, 10 May 2026 15:10:31 -0600, Gustavo A. R. Silva wrote:
> Document the designated initializer behavior for overlapping storage
> between NAME and MEMBERS, and clarify the implications for static
> initialization to help avoid unintended overwrites.
> 
> 

Applied to for-next/hardening, thanks!

[1/1] stddef: Document designated initializer semantics for __TRAILING_OVERLAP()
      https://git.kernel.org/kees/c/3c7495593752

Take care,

-- 
Kees Cook