io_uring: Replace 0-length array with flexible array

Message ID 20230105033743.never.628-kees@kernel.org (mailing list archive)
State Superseded

Commit Message

Kees Cook Jan. 5, 2023, 3:37 a.m. UTC
Zero-length arrays are deprecated[1]. Replace struct io_uring_buf_ring's
"bufs" with a flexible array member. (How is the size of this array
verified?) Detected with GCC 13, using -fstrict-flex-arrays=3:

In function 'io_ring_buffer_select',
    inlined from 'io_buffer_select' at io_uring/kbuf.c:183:10:
io_uring/kbuf.c:141:23: warning: array subscript 255 is outside the bounds of an interior zero-length array 'struct io_uring_buf[0]' [-Wzero-length-bounds]
  141 |                 buf = &br->bufs[head];
      |                       ^~~~~~~~~~~~~~~
In file included from include/linux/io_uring.h:7,
                 from io_uring/kbuf.c:10:
include/uapi/linux/io_uring.h: In function 'io_buffer_select':
include/uapi/linux/io_uring.h:628:41: note: while referencing 'bufs'
  628 |                 struct io_uring_buf     bufs[0];
      |                                         ^~~~

[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays

Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Pavel Begunkov <asml.silence@gmail.com>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: stable@vger.kernel.org
Cc: io-uring@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 include/uapi/linux/io_uring.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Kees Cook Jan. 5, 2023, 4:33 a.m. UTC | #1
On Wed, Jan 04, 2023 at 07:37:48PM -0800, Kees Cook wrote:
> Zero-length arrays are deprecated[1]. Replace struct io_uring_buf_ring's
> "bufs" with a flexible array member. (How is the size of this array
> verified?) Detected with GCC 13, using -fstrict-flex-arrays=3:
> 
> In function 'io_ring_buffer_select',
>     inlined from 'io_buffer_select' at io_uring/kbuf.c:183:10:
> io_uring/kbuf.c:141:23: warning: array subscript 255 is outside the bounds of an interior zero-length array 'struct io_uring_buf[0]' [-Wzero-length-bounds]
>   141 |                 buf = &br->bufs[head];
>       |                       ^~~~~~~~~~~~~~~
> In file included from include/linux/io_uring.h:7,
>                  from io_uring/kbuf.c:10:
> include/uapi/linux/io_uring.h: In function 'io_buffer_select':
> include/uapi/linux/io_uring.h:628:41: note: while referencing 'bufs'
>   628 |                 struct io_uring_buf     bufs[0];
>       |                                         ^~~~
> 
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays
> 
> Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
> Cc: Jens Axboe <axboe@kernel.dk>
> Cc: Pavel Begunkov <asml.silence@gmail.com>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: stable@vger.kernel.org
> Cc: io-uring@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  include/uapi/linux/io_uring.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/uapi/linux/io_uring.h b/include/uapi/linux/io_uring.h
> index 2780bce62faf..9d8861899cde 100644
> --- a/include/uapi/linux/io_uring.h
> +++ b/include/uapi/linux/io_uring.h
> @@ -625,7 +625,7 @@ struct io_uring_buf_ring {
>  			__u16	resv3;
>  			__u16	tail;
>  		};
> -		struct io_uring_buf	bufs[0];
> +		struct io_uring_buf	bufs[];
>  	};
>  };
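Review bot: `bufs[]` on the changed line is still a direct member of the union that overlays the `resv1`/`resv2`/`resv3`/`tail` header, and C does not allow a flexible array member there, so the header stops compiling ("flexible array member in union", as the arc-defconfig build report in this thread shows). Since this is a UAPI header, declare the member through `__DECLARE_FLEX_ARRAY(struct io_uring_buf, bufs);` from the UAPI stddef header (or an equivalent anonymous-struct wrapper) so the layout stays the same and both kernel and userspace compilers accept it.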

Oops, please ignore. My test build misfired...

>  
> -- 
> 2.34.1
>
kernel test robot Jan. 5, 2023, 5:58 a.m. UTC | #2
Hi Kees,

I love your patch! Yet something to improve:

[auto build test ERROR on kees/for-next/pstore]
[also build test ERROR on kees/for-next/kspp linus/master v6.2-rc2 next-20230105]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/io_uring-Replace-0-length-array-with-flexible-array/20230105-114008
base:   https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/pstore
patch link:    https://lore.kernel.org/r/20230105033743.never.628-kees%40kernel.org
patch subject: [PATCH] io_uring: Replace 0-length array with flexible array
config: arc-defconfig
compiler: arc-elf-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/6239ffe2f8611e707b90e0c902bfa1f0dbe578bb
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Kees-Cook/io_uring-Replace-0-length-array-with-flexible-array/20230105-114008
        git checkout 6239ffe2f8611e707b90e0c902bfa1f0dbe578bb
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=arc olddefconfig
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=arc SHELL=/bin/bash

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   In file included from include/linux/io_uring.h:7,
                    from kernel/fork.c:97:
>> include/uapi/linux/io_uring.h:628:41: error: flexible array member in union
     628 |                 struct io_uring_buf     bufs[];
         |                                         ^~~~
   kernel/fork.c:162:13: warning: no previous prototype for 'arch_release_task_struct' [-Wmissing-prototypes]
     162 | void __weak arch_release_task_struct(struct task_struct *tsk)
         |             ^~~~~~~~~~~~~~~~~~~~~~~~
   kernel/fork.c:862:20: warning: no previous prototype for 'arch_task_cache_init' [-Wmissing-prototypes]
     862 | void __init __weak arch_task_cache_init(void) { }
         |                    ^~~~~~~~~~~~~~~~~~~~
   kernel/fork.c:957:12: warning: no previous prototype for 'arch_dup_task_struct' [-Wmissing-prototypes]
     957 | int __weak arch_dup_task_struct(struct task_struct *dst,
         |            ^~~~~~~~~~~~~~~~~~~~
--
   In file included from include/linux/io_uring.h:7,
                    from kernel/exit.c:67:
>> include/uapi/linux/io_uring.h:628:41: error: flexible array member in union
     628 |                 struct io_uring_buf     bufs[];
         |                                         ^~~~
   kernel/exit.c:1901:13: warning: no previous prototype for 'abort' [-Wmissing-prototypes]
    1901 | __weak void abort(void)
         |             ^~~~~
--
   In file included from include/linux/io_uring.h:7,
                    from fs/exec.c:64:
>> include/uapi/linux/io_uring.h:628:41: error: flexible array member in union
     628 |                 struct io_uring_buf     bufs[];
         |                                         ^~~~
--
   In file included from include/linux/io_uring.h:7,
                    from io_uring/io_uring.c:72:
>> include/uapi/linux/io_uring.h:628:41: error: flexible array member in union
     628 |                 struct io_uring_buf     bufs[];
         |                                         ^~~~
   io_uring/io_uring.c: In function '__io_submit_flush_completions':
   io_uring/io_uring.c:1443:40: warning: variable 'prev' set but not used [-Wunused-but-set-variable]
    1443 |         struct io_wq_work_node *node, *prev;
         |                                        ^~~~
--
   In file included from include/linux/io_uring.h:7,
                    from io_uring/kbuf.c:10:
>> include/uapi/linux/io_uring.h:628:41: error: flexible array member in union
     628 |                 struct io_uring_buf     bufs[];
         |                                         ^~~~
   In file included from include/linux/container_of.h:5,
                    from include/linux/kernel.h:21,
                    from io_uring/kbuf.c:2:
   io_uring/kbuf.c: In function 'io_register_pbuf_ring':
   include/linux/build_bug.h:16:51: error: bit-field '<anonymous>' width not an integer constant
      16 | #define BUILD_BUG_ON_ZERO(e) ((int)(sizeof(struct { int:(-!!(e)); })))
         |                                                   ^
   include/linux/compiler.h:232:33: note: in expansion of macro 'BUILD_BUG_ON_ZERO'
     232 | #define __must_be_array(a)      BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
         |                                 ^~~~~~~~~~~~~~~~~
   include/linux/overflow.h:277:50: note: in expansion of macro '__must_be_array'
     277 |                 (count) * sizeof(*(p)->member) + __must_be_array((p)->member),  \
         |                                                  ^~~~~~~~~~~~~~~
   include/linux/overflow.h:293:32: note: in expansion of macro 'flex_array_size'
     293 |                 sizeof(*(p)) + flex_array_size(p, member, count),       \
         |                                ^~~~~~~~~~~~~~~
   io_uring/kbuf.c:508:30: note: in expansion of macro 'struct_size'
     508 |                              struct_size(br, bufs, reg.ring_entries),
         |                              ^~~~~~~~~~~
   include/linux/build_bug.h:16:51: error: bit-field '<anonymous>' width not an integer constant
      16 | #define BUILD_BUG_ON_ZERO(e) ((int)(sizeof(struct { int:(-!!(e)); })))
         |                                                   ^
   include/linux/compiler.h:232:33: note: in expansion of macro 'BUILD_BUG_ON_ZERO'
     232 | #define __must_be_array(a)      BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
         |                                 ^~~~~~~~~~~~~~~~~
   include/linux/overflow.h:278:56: note: in expansion of macro '__must_be_array'
     278 |                 size_mul(count, sizeof(*(p)->member) + __must_be_array((p)->member)))
         |                                                        ^~~~~~~~~~~~~~~
   include/linux/overflow.h:293:32: note: in expansion of macro 'flex_array_size'
     293 |                 sizeof(*(p)) + flex_array_size(p, member, count),       \
         |                                ^~~~~~~~~~~~~~~
   io_uring/kbuf.c:508:30: note: in expansion of macro 'struct_size'
     508 |                              struct_size(br, bufs, reg.ring_entries),
         |                              ^~~~~~~~~~~
   include/linux/build_bug.h:16:51: error: bit-field '<anonymous>' width not an integer constant
      16 | #define BUILD_BUG_ON_ZERO(e) ((int)(sizeof(struct { int:(-!!(e)); })))
         |                                                   ^
   include/linux/compiler.h:232:33: note: in expansion of macro 'BUILD_BUG_ON_ZERO'
     232 | #define __must_be_array(a)      BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
         |                                 ^~~~~~~~~~~~~~~~~
   include/linux/overflow.h:277:50: note: in expansion of macro '__must_be_array'
     277 |                 (count) * sizeof(*(p)->member) + __must_be_array((p)->member),  \
         |                                                  ^~~~~~~~~~~~~~~
   include/linux/overflow.h:294:40: note: in expansion of macro 'flex_array_size'
     294 |                 size_add(sizeof(*(p)), flex_array_size(p, member, count)))
         |                                        ^~~~~~~~~~~~~~~
   io_uring/kbuf.c:508:30: note: in expansion of macro 'struct_size'
     508 |                              struct_size(br, bufs, reg.ring_entries),
         |                              ^~~~~~~~~~~
   include/linux/build_bug.h:16:51: error: bit-field '<anonymous>' width not an integer constant
      16 | #define BUILD_BUG_ON_ZERO(e) ((int)(sizeof(struct { int:(-!!(e)); })))
         |                                                   ^
   include/linux/compiler.h:232:33: note: in expansion of macro 'BUILD_BUG_ON_ZERO'
     232 | #define __must_be_array(a)      BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
         |                                 ^~~~~~~~~~~~~~~~~
   include/linux/overflow.h:278:56: note: in expansion of macro '__must_be_array'
     278 |                 size_mul(count, sizeof(*(p)->member) + __must_be_array((p)->member)))
         |                                                        ^~~~~~~~~~~~~~~
   include/linux/overflow.h:294:40: note: in expansion of macro 'flex_array_size'
     294 |                 size_add(sizeof(*(p)), flex_array_size(p, member, count)))
         |                                        ^~~~~~~~~~~~~~~
   io_uring/kbuf.c:508:30: note: in expansion of macro 'struct_size'
     508 |                              struct_size(br, bufs, reg.ring_entries),
         |                              ^~~~~~~~~~~


vim +628 include/uapi/linux/io_uring.h

   615	
   616	struct io_uring_buf_ring {
   617		union {
   618			/*
   619			 * To avoid spilling into more pages than we need to, the
   620			 * ring tail is overlaid with the io_uring_buf->resv field.
   621			 */
   622			struct {
   623				__u64	resv1;
   624				__u32	resv2;
   625				__u16	resv3;
   626				__u16	tail;
   627			};
 > 628			struct io_uring_buf	bufs[];
   629		};
   630	};
   631
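The "flexible array member in union" error reported above, together with the question of how an index into `bufs` is kept in range, shown as an added userspace C sketch (not code from the patch or the kernel). All `demo_*` names, the power-of-two entry count and the index masking are assumptions of this example; the empty-struct wrapper relies on a GNU C extension.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for one ring element (16 bytes); field names assumed. */
struct demo_buf {
	uint64_t addr;
	uint32_t len;
	uint16_t bid;
	uint16_t resv;
};

/*
 * Hypothetical ring: the header overlays element 0, as in the quoted struct.
 * A bare "struct demo_buf bufs[];" directly in the union is rejected, so the
 * array sits in an anonymous struct after an empty member (GNU C extension).
 */
struct demo_buf_ring {
	union {
		struct {
			uint64_t resv1;
			uint32_t resv2;
			uint16_t resv3;
			uint16_t tail;
		};
		struct {
			struct { } empty_bufs;
			struct demo_buf bufs[];
		};
	};
};

/* Bytes needed for `entries` elements, or 0 if the count is unusable. */
size_t demo_ring_bytes(uint32_t entries)
{
	size_t n;
	/* Assumed rule: power-of-two count, so masking keeps an index in range. */
	if (entries == 0 || (entries & (entries - 1)))
		return 0;
	if (__builtin_mul_overflow((size_t)entries, sizeof(struct demo_buf), &n))
		return 0;
	if (__builtin_add_overflow(n, offsetof(struct demo_buf_ring, bufs), &n))
		return 0;
	return n;
}

/* Bounded element lookup: the index is reduced modulo the entry count. */
struct demo_buf *demo_ring_slot(struct demo_buf_ring *br, uint32_t entries, uint16_t head)
{
	if (!br || demo_ring_bytes(entries) == 0)
		return NULL;
	return &br->bufs[head & (entries - 1)];
}

/* Index 255 (the subscript in the warning) on an 8-entry ring lands on 7. */
int demo_run(void)
{
	struct demo_buf_ring *br = calloc(1, demo_ring_bytes(8));
	int idx = br ? (int)(demo_ring_slot(br, 8, 255) - br->bufs) : -1;
	free(br);
	return idx;
}

int main(void) { return demo_run() == 7 ? 0 : 1; }
```

Because the header shares storage with element 0, the allocation here is the array offset plus `entries` elements rather than a separate header plus array.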
Greg Kroah-Hartman Jan. 5, 2023, 7:39 a.m. UTC | #3
On Wed, Jan 04, 2023 at 07:37:48PM -0800, Kees Cook wrote:
> Zero-length arrays are deprecated[1]. Replace struct io_uring_buf_ring's
> "bufs" with a flexible array member. (How is the size of this array
> verified?) Detected with GCC 13, using -fstrict-flex-arrays=3:
> 
> In function 'io_ring_buffer_select',
>     inlined from 'io_buffer_select' at io_uring/kbuf.c:183:10:
> io_uring/kbuf.c:141:23: warning: array subscript 255 is outside the bounds of an interior zero-length array 'struct io_uring_buf[0]' [-Wzero-length-bounds]
>   141 |                 buf = &br->bufs[head];
>       |                       ^~~~~~~~~~~~~~~
> In file included from include/linux/io_uring.h:7,
>                  from io_uring/kbuf.c:10:
> include/uapi/linux/io_uring.h: In function 'io_buffer_select':
> include/uapi/linux/io_uring.h:628:41: note: while referencing 'bufs'
>   628 |                 struct io_uring_buf     bufs[0];
>       |                                         ^~~~
> 
> [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays
> 
> Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
> Cc: Jens Axboe <axboe@kernel.dk>
> Cc: Pavel Begunkov <asml.silence@gmail.com>
> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> Cc: stable@vger.kernel.org

Build problem aside, why is this a stable kernel issue?

thanks,

greg k-h
Kees Cook Jan. 5, 2023, 6:04 p.m. UTC | #4
On Thu, Jan 05, 2023 at 08:39:48AM +0100, Greg KH wrote:
> On Wed, Jan 04, 2023 at 07:37:48PM -0800, Kees Cook wrote:
> > Zero-length arrays are deprecated[1]. Replace struct io_uring_buf_ring's
> > "bufs" with a flexible array member. (How is the size of this array
> > verified?) Detected with GCC 13, using -fstrict-flex-arrays=3:
> > 
> > In function 'io_ring_buffer_select',
> >     inlined from 'io_buffer_select' at io_uring/kbuf.c:183:10:
> > io_uring/kbuf.c:141:23: warning: array subscript 255 is outside the bounds of an interior zero-length array 'struct io_uring_buf[0]' [-Wzero-length-bounds]
> >   141 |                 buf = &br->bufs[head];
> >       |                       ^~~~~~~~~~~~~~~
> > In file included from include/linux/io_uring.h:7,
> >                  from io_uring/kbuf.c:10:
> > include/uapi/linux/io_uring.h: In function 'io_buffer_select':
> > include/uapi/linux/io_uring.h:628:41: note: while referencing 'bufs'
> >   628 |                 struct io_uring_buf     bufs[0];
> >       |                                         ^~~~
> > 
> > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays
> > 
> > Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
> > Cc: Jens Axboe <axboe@kernel.dk>
> > Cc: Pavel Begunkov <asml.silence@gmail.com>
> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > Cc: stable@vger.kernel.org
> 
> Build problem aside, why is this a stable kernel issue?

My thinking was that since this is technically a UAPI change, it'd be
best to get it changed as widely as possible.
Greg Kroah-Hartman Jan. 5, 2023, 7:38 p.m. UTC | #5
On Thu, Jan 05, 2023 at 10:04:19AM -0800, Kees Cook wrote:
> On Thu, Jan 05, 2023 at 08:39:48AM +0100, Greg KH wrote:
> > On Wed, Jan 04, 2023 at 07:37:48PM -0800, Kees Cook wrote:
> > > Zero-length arrays are deprecated[1]. Replace struct io_uring_buf_ring's
> > > "bufs" with a flexible array member. (How is the size of this array
> > > verified?) Detected with GCC 13, using -fstrict-flex-arrays=3:
> > > 
> > > In function 'io_ring_buffer_select',
> > >     inlined from 'io_buffer_select' at io_uring/kbuf.c:183:10:
> > > io_uring/kbuf.c:141:23: warning: array subscript 255 is outside the bounds of an interior zero-length array 'struct io_uring_buf[0]' [-Wzero-length-bounds]
> > >   141 |                 buf = &br->bufs[head];
> > >       |                       ^~~~~~~~~~~~~~~
> > > In file included from include/linux/io_uring.h:7,
> > >                  from io_uring/kbuf.c:10:
> > > include/uapi/linux/io_uring.h: In function 'io_buffer_select':
> > > include/uapi/linux/io_uring.h:628:41: note: while referencing 'bufs'
> > >   628 |                 struct io_uring_buf     bufs[0];
> > >       |                                         ^~~~
> > > 
> > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays
> > > 
> > > Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
> > > Cc: Jens Axboe <axboe@kernel.dk>
> > > Cc: Pavel Begunkov <asml.silence@gmail.com>
> > > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > > Cc: stable@vger.kernel.org
> > 
> > Build problem aside, why is this a stable kernel issue?
> 
> My thinking was that since this is technically a UAPI change, it'd be
> best to get it changed as widely as possible.

You can't break the uapi, so it should be the same with or without your
change right?

confused,

greg k-h
Kees Cook Jan. 5, 2023, 8:01 p.m. UTC | #6
[resend -- I failed to CC the thread]

On Thu, Jan 05, 2023 at 08:38:01PM +0100, Greg KH wrote:
> On Thu, Jan 05, 2023 at 10:04:19AM -0800, Kees Cook wrote:
> > On Thu, Jan 05, 2023 at 08:39:48AM +0100, Greg KH wrote:
> > > On Wed, Jan 04, 2023 at 07:37:48PM -0800, Kees Cook wrote:
> > > > Zero-length arrays are deprecated[1]. Replace struct io_uring_buf_ring's
> > > > "bufs" with a flexible array member. (How is the size of this array
> > > > verified?) Detected with GCC 13, using -fstrict-flex-arrays=3:
> > > > 
> > > > In function 'io_ring_buffer_select',
> > > >     inlined from 'io_buffer_select' at io_uring/kbuf.c:183:10:
> > > > io_uring/kbuf.c:141:23: warning: array subscript 255 is outside the bounds of an interior zero-length array 'struct io_uring_buf[0]' [-Wzero-length-bounds]
> > > >   141 |                 buf = &br->bufs[head];
> > > >       |                       ^~~~~~~~~~~~~~~
> > > > In file included from include/linux/io_uring.h:7,
> > > >                  from io_uring/kbuf.c:10:
> > > > include/uapi/linux/io_uring.h: In function 'io_buffer_select':
> > > > include/uapi/linux/io_uring.h:628:41: note: while referencing 'bufs'
> > > >   628 |                 struct io_uring_buf     bufs[0];
> > > >       |                                         ^~~~
> > > > 
> > > > [1] https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays
> > > > 
> > > > Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
> > > > Cc: Jens Axboe <axboe@kernel.dk>
> > > > Cc: Pavel Begunkov <asml.silence@gmail.com>
> > > > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
> > > > Cc: stable@vger.kernel.org
> > > 
> > > Build problem aside, why is this a stable kernel issue?
> > 
> > My thinking was that since this is technically a UAPI change, it'd be
> > best to get it changed as widely as possible.
> 
> You can't break the uapi, so it should be the same with or without your
> change right?
> 
> confused,

Correct -- but we've had a hard time finding breakages (with extremely
weird stuff like non-C .h file scrapers) due to the lag between making
UAPI changes like this.

Anyway, I can drop the CC stable if it's more sensible.

Patch

diff --git a/include/uapi/linux/io_uring.h b/include/uapi/linux/io_uring.h
index 2780bce62faf..9d8861899cde 100644
--- a/include/uapi/linux/io_uring.h
+++ b/include/uapi/linux/io_uring.h
@@ -625,7 +625,7 @@  struct io_uring_buf_ring {
 			__u16	resv3;
 			__u16	tail;
 		};
-		struct io_uring_buf	bufs[0];
+		struct io_uring_buf	bufs[];
 	};
 };
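Review bot: The new `bufs[]` declaration says nothing about how many elements follow, and the commit message itself leaves "How is the size of this array verified?" unanswered. As this is a UAPI header, add a comment on the member stating that the element count is the `ring_entries` value supplied at registration (the build log in this thread shows the ring sized with `struct_size(br, bufs, reg.ring_entries)` in `io_register_pbuf_ring`), and confirm that `&br->bufs[head]` in `io_ring_buffer_select` is bounded by that count before the parenthetical is dropped from the changelog.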