Old code in the kernel uses 1-byte and 0-byte arrays to indicate the
presence of a "variable length array":
struct something {
int length;
u8 data[1];
};
struct something *instance;
instance = kmalloc(sizeof(*instance) + size, GFP_KERNEL);
instance->length = size;
memcpy(instance->data, source, size);
There is also 0-byte arrays. Both cases pose confusion for things like
sizeof(), CONFIG_FORTIFY_SOURCE, etc.[1] Instead, the preferred mechanism
to declare variable-length types such as the one above is a flexible array
member[2] which need to be the last member of a structure and empty-sized:
struct something {
int stuff;
u8 data[];
};
Also, by making use of the mechanism above, we will get a compiler warning
in case the flexible array does not occur last in the structure, which
will help us prevent some kind of undefined behavior bugs from being
unadvertenly introduced[3] to the codebase from now on.
[1] https://github.com/KSPP/linux/issues/21
[2] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
[3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour")
Signed-off-by: Gustavo A. R. Silva <[email protected]>
---
drivers/tty/n_hdlc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index 98361acd3053..b5499ca8757e 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -115,7 +115,7 @@
struct n_hdlc_buf {
struct list_head list_item;
int count;
- char buf[1];
+ char buf[];
};
#define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
--
2.23.0
On 21. 01. 20, 0:45, Gustavo A. R. Silva wrote:
> Old code in the kernel uses 1-byte and 0-byte arrays to indicate the
> presence of a "variable length array":
>
> struct something {
> int length;
> u8 data[1];
> };
>
> struct something *instance;
>
> instance = kmalloc(sizeof(*instance) + size, GFP_KERNEL);
> instance->length = size;
> memcpy(instance->data, source, size);
>
> There is also 0-byte arrays. Both cases pose confusion for things like
> sizeof(), CONFIG_FORTIFY_SOURCE, etc.[1] Instead, the preferred mechanism
> to declare variable-length types such as the one above is a flexible array
> member[2] which need to be the last member of a structure and empty-sized:
>
> struct something {
> int stuff;
> u8 data[];
> };
>
> Also, by making use of the mechanism above, we will get a compiler warning
> in case the flexible array does not occur last in the structure, which
> will help us prevent some kind of undefined behavior bugs from being
> unadvertenly introduced[3] to the codebase from now on.
>
> [1] https://github.com/KSPP/linux/issues/21
> [2] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
> [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour")
>
> Signed-off-by: Gustavo A. R. Silva <[email protected]>
> ---
> drivers/tty/n_hdlc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
> index 98361acd3053..b5499ca8757e 100644
> --- a/drivers/tty/n_hdlc.c
> +++ b/drivers/tty/n_hdlc.c
> @@ -115,7 +115,7 @@
> struct n_hdlc_buf {
> struct list_head list_item;
> int count;
> - char buf[1];
> + char buf[];
> };
>
> #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
Have you checked, that you don't have to "+ 1" here now?
Other than that:
Acked-by: Jiri Slaby <[email protected]>
thanks,
--
js
suse labs
On 1/20/20 23:54, Jiri Slaby wrote:
> On 21. 01. 20, 0:45, Gustavo A. R. Silva wrote:
>> Old code in the kernel uses 1-byte and 0-byte arrays to indicate the
>> presence of a "variable length array":
>>
>> struct something {
>> int length;
>> u8 data[1];
>> };
>>
>> struct something *instance;
>>
>> instance = kmalloc(sizeof(*instance) + size, GFP_KERNEL);
>> instance->length = size;
>> memcpy(instance->data, source, size);
>>
>> There is also 0-byte arrays. Both cases pose confusion for things like
>> sizeof(), CONFIG_FORTIFY_SOURCE, etc.[1] Instead, the preferred mechanism
>> to declare variable-length types such as the one above is a flexible array
>> member[2] which need to be the last member of a structure and empty-sized:
>>
>> struct something {
>> int stuff;
>> u8 data[];
>> };
>>
>> Also, by making use of the mechanism above, we will get a compiler warning
>> in case the flexible array does not occur last in the structure, which
>> will help us prevent some kind of undefined behavior bugs from being
>> unadvertenly introduced[3] to the codebase from now on.
>>
>> [1] https://github.com/KSPP/linux/issues/21
>> [2] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
>> [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour")
>>
>> Signed-off-by: Gustavo A. R. Silva <[email protected]>
>> ---
>> drivers/tty/n_hdlc.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
>> index 98361acd3053..b5499ca8757e 100644
>> --- a/drivers/tty/n_hdlc.c
>> +++ b/drivers/tty/n_hdlc.c
>> @@ -115,7 +115,7 @@
>> struct n_hdlc_buf {
>> struct list_head list_item;
>> int count;
>> - char buf[1];
>> + char buf[];
>> };
>>
>> #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
>
> Have you checked, that you don't have to "+ 1" here now?
>
Yep. That's not necessary.
_In terms of memory allocation_, zero-length/one-element arrays and flexible-array
members work exactly the same way.
> Other than that:
> Acked-by: Jiri Slaby <[email protected]>
>
Thanks!
--
Gustavo
Gustavo Silva wrote:
> On 1/20/20 23:54, Jiri Slaby wrote:
>> On 21. 01. 20, 0:45, Gustavo A. R. Silva wrote:
>>> diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
>>> index 98361acd3053..b5499ca8757e 100644
>>> --- a/drivers/tty/n_hdlc.c
>>> +++ b/drivers/tty/n_hdlc.c
>>> @@ -115,7 +115,7 @@
>>> struct n_hdlc_buf {
>>> struct list_head list_item;
>>> int count;
>>> - char buf[1];
>>> + char buf[];
>>> };
>>>
>>> #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
>>
>> Have you checked, that you don't have to "+ 1" here now?
>>
>
> Yep. That's not necessary.
>
> _In terms of memory allocation_, zero-length/one-element arrays and flexible-array
> members work exactly the same way.
This is not true, but maybe it's still not necessary in this particular code, I didn't examine it.
Consider the following:
#include <stdio.h>
struct flex {
int count;
char buf[PRE];
char flex[];
};
struct one {
int count;
char buf[PRE];
char one[1];
};
void main() {
printf("%ld %ld\n", sizeof(struct flex), sizeof(struct one));
}
--snip--
% gcc -o siz siz.c -std=c99 -DPRE=7 && ./siz
12 12
% gcc -o siz siz.c -std=c99 -DPRE=8 && ./siz
12 16
Since all the preceding stuff in the struct in the patch is aligned, then the [1] will definitely add something to the sizeof count.
--
Mikael Magnusson
On 1/21/20 09:14, Gustavo A. R. Silva wrote:
>
>
> On 1/21/20 09:00, Mikael Magnusson wrote:
>> Gustavo Silva wrote:
>>> On 1/20/20 23:54, Jiri Slaby wrote:
>>>> On 21. 01. 20, 0:45, Gustavo A. R. Silva wrote:
>>>>> diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
>>>>> index 98361acd3053..b5499ca8757e 100644
>>>>> --- a/drivers/tty/n_hdlc.c
>>>>> +++ b/drivers/tty/n_hdlc.c
>>>>> @@ -115,7 +115,7 @@
>>>>> struct n_hdlc_buf {
>>>>> struct list_head list_item;
>>>>> int count;
>>>>> - char buf[1];
>>>>> + char buf[];
>>>>> };
>>>>>
>>>>> #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
>>>>
>>>> Have you checked, that you don't have to "+ 1" here now?
>>>>
>>>
>>> Yep. That's not necessary.
>>>
>>> _In terms of memory allocation_, zero-length/one-element arrays and flexible-array
>>> members work exactly the same way.
>>
>> This is not true, but maybe it's still not necessary in this particular code, I didn't examine it.
>>
>
> I should have said _in terms of dynamic memory allocation_.
>
> Your example is correct:
>
> "... a one-element array always occupies at least as much space as a single object of the type."[1]
>
> But the above does not affect on the current code.
>
Oh wait! Yeah; I see the issue in #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe) now...
I need to double check this.
Thanks for the feedback!
--
Gustavo
On 1/21/20 09:00, Mikael Magnusson wrote:
> Gustavo Silva wrote:
>> On 1/20/20 23:54, Jiri Slaby wrote:
>>> On 21. 01. 20, 0:45, Gustavo A. R. Silva wrote:
>>>> diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
>>>> index 98361acd3053..b5499ca8757e 100644
>>>> --- a/drivers/tty/n_hdlc.c
>>>> +++ b/drivers/tty/n_hdlc.c
>>>> @@ -115,7 +115,7 @@
>>>> struct n_hdlc_buf {
>>>> struct list_head list_item;
>>>> int count;
>>>> - char buf[1];
>>>> + char buf[];
>>>> };
>>>>
>>>> #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
>>>
>>> Have you checked, that you don't have to "+ 1" here now?
>>>
>>
>> Yep. That's not necessary.
>>
>> _In terms of memory allocation_, zero-length/one-element arrays and flexible-array
>> members work exactly the same way.
>
> This is not true, but maybe it's still not necessary in this particular code, I didn't examine it.
>
I should have said _in terms of dynamic memory allocation_.
Your example is correct:
"... a one-element array always occupies at least as much space as a single object of the type."[1]
But the above does not affect on the current code.
[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
Thanks
--
Gustavo
> Consider the following:
> #include <stdio.h>
>
> struct flex {
> int count;
> char buf[PRE];
> char flex[];
> };
>
> struct one {
> int count;
> char buf[PRE];
> char one[1];
> };
>
> void main() {
> printf("%ld %ld\n", sizeof(struct flex), sizeof(struct one));
> }
>
> --snip--
>
> % gcc -o siz siz.c -std=c99 -DPRE=7 && ./siz
> 12 12
> % gcc -o siz siz.c -std=c99 -DPRE=8 && ./siz
> 12 16
>
> Since all the preceding stuff in the struct in the patch is aligned, then the [1] will definitely add something to the sizeof count.
>
On 1/21/20 09:24, Gustavo A. R. Silva wrote:
>
>
> On 1/21/20 09:14, Gustavo A. R. Silva wrote:
>>
>>
>> On 1/21/20 09:00, Mikael Magnusson wrote:
>>> Gustavo Silva wrote:
>>>> On 1/20/20 23:54, Jiri Slaby wrote:
>>>>> On 21. 01. 20, 0:45, Gustavo A. R. Silva wrote:
>>>>>> diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
>>>>>> index 98361acd3053..b5499ca8757e 100644
>>>>>> --- a/drivers/tty/n_hdlc.c
>>>>>> +++ b/drivers/tty/n_hdlc.c
>>>>>> @@ -115,7 +115,7 @@
>>>>>> struct n_hdlc_buf {
>>>>>> struct list_head list_item;
>>>>>> int count;
>>>>>> - char buf[1];
>>>>>> + char buf[];
>>>>>> };
>>>>>>
>>>>>> #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
>>>>>
>>>>> Have you checked, that you don't have to "+ 1" here now?
>>>>>
>>>>
>>>> Yep. That's not necessary.
>>>>
>>>> _In terms of memory allocation_, zero-length/one-element arrays and flexible-array
>>>> members work exactly the same way.
>>>
>>> This is not true, but maybe it's still not necessary in this particular code, I didn't examine it.
>>>
>>
>> I should have said _in terms of dynamic memory allocation_.
>>
>> Your example is correct:
>>
>> "... a one-element array always occupies at least as much space as a single object of the type."[1]
>>
>> But the above does not affect on the current code.
>>
>
> Oh wait! Yeah; I see the issue in #define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe) now...
>
This would be the new patch; and I'm making use the the struct_size helper
this time, to safely calculate the allocation size:
diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index 98361acd3053..27b506bf03ce 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -115,11 +115,9 @@
struct n_hdlc_buf {
struct list_head list_item;
int count;
- char buf[1];
+ char buf[];
};
-#define N_HDLC_BUF_SIZE (sizeof(struct n_hdlc_buf) + maxframe)
-
struct n_hdlc_buf_list {
struct list_head list;
int count;
@@ -524,7 +522,8 @@ static void n_hdlc_tty_receive(struct tty_struct *tty, const __u8 *data,
/* no buffers in free list, attempt to allocate another rx buffer */
/* unless the maximum count has been reached */
if (n_hdlc->rx_buf_list.count < MAX_RX_BUF_COUNT)
- buf = kmalloc(N_HDLC_BUF_SIZE, GFP_ATOMIC);
+ buf = kmalloc(struct_size(buf, buf, maxframe),
+ GFP_ATOMIC);
}
if (!buf) {
@@ -853,7 +852,7 @@ static struct n_hdlc *n_hdlc_alloc(void)
/* allocate free rx buffer list */
for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
- buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
+ buf = kmalloc(struct_size(buf, buf, maxframe), GFP_KERNEL);
if (buf)
n_hdlc_buf_put(&n_hdlc->rx_free_buf_list,buf);
else if (debuglevel >= DEBUG_LEVEL_INFO)
@@ -862,7 +861,7 @@ static struct n_hdlc *n_hdlc_alloc(void)
/* allocate free tx buffer list */
for(i=0;i<DEFAULT_TX_BUF_COUNT;i++) {
- buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
+ buf = kmalloc(struct_size(buf, buf, maxframe), GFP_KERNEL);
if (buf)
n_hdlc_buf_put(&n_hdlc->tx_free_buf_list,buf);
else if (debuglevel >= DEBUG_LEVEL_INFO)
And it seems that that extra "+ 1" is not needed. The frame size is always being
verified in multiple places:
/* verify frame size */
if (count > maxframe ) {
if (debuglevel & DEBUG_LEVEL_INFO)
printk (KERN_WARNING
"n_hdlc_tty_write: truncating user packet "
"from %lu to %d\n", (unsigned long) count,
maxframe );
count = maxframe;
}
^^^^^^
and _count_ is being limited to _maxframe_, before copying data into _buf_ :
/* copy received data to HDLC buffer */
memcpy(buf->buf,data,count);
buf->count=count;
So we might save some bytes, too.
I'll properly write and send v2, shortly.
Thanks
--
Gustavo