Fixing the _DEFINE_FLEX() helper in the Linux kernel

A couple of months ago, I submitted a patch to address a dozen -Wflex-array-member-not-at-end warnings in ACPI:

Originally, I opted for the __struct_group() approach to fix these issues.

diff --git a/include/uapi/linux/ndctl.h b/include/uapi/linux/ndctl.h
index 73516e263627..34c11644d5d7 100644
--- a/include/uapi/linux/ndctl.h
+++ b/include/uapi/linux/ndctl.h
@@ -227,12 +227,15 @@ enum ars_masks {
  */
 
 struct nd_cmd_pkg {
-	__u64   nd_family;		/* family of commands */
-	__u64   nd_command;
-	__u32   nd_size_in;		/* INPUT: size of input args */
-	__u32   nd_size_out;		/* INPUT: size of payload */
-	__u32   nd_reserved2[9];	/* reserved must be zero */
-	__u32   nd_fw_size;		/* OUTPUT: size fw wants to return */
+	/* New members MUST be added within the __struct_group() macro below. */
+	__struct_group(nd_cmd_pkg_hdr, __hdr, /* no attrs */,
+		__u64   nd_family;		/* family of commands */
+		__u64   nd_command;
+		__u32   nd_size_in;		/* INPUT: size of input args */
+		__u32   nd_size_out;		/* INPUT: size of payload */
+		__u32   nd_reserved2[9];	/* reserved must be zero */
+		__u32   nd_fw_size;		/* OUTPUT: size fw wants to return */
+	);
 	unsigned char nd_payload[];	/* Contents of call      */
 };

The idea behind this approach is to _separate_ the flexible-array member from the rest of the members in the flexible structure, while at the same time a new type for the “header part” of the flexible structure is created. We then proceed to use the newly created type to replace the type of the objects causing trouble –the ones causing the -Wflex-array-member-not-at-end warnings– in the composite structures.

However, the approach briefly described above is usually better suited for fixing instances of structures with a flexible-array member in the middle that are intended to live on the heap –I’ll go into more detail about this approach in a future post.

So, after some time, I realized that using the DEFINE_RAW_FLEX() helper was probably a better approach in this particular case, since basically all the instances triggering the -Wflex-array-member-not-at-end warnings were on-stack objects.

The DEFINE_FLEX() and DEFINE_RAW_FLEX() macros were specifically designed to define automatic (on-stack) objects of a flexible structure type, where the size of the flexible-array member is known at compile time.

So, I submitted a new version of the patch above, this time using DEFINE_RAW_FLEX(), and without any changes in the UAPI header because we didn’t need to change struct d_cmd_pkg anymore:


diff --git a/drivers/acpi/nfit/intel.c b/drivers/acpi/nfit/intel.c
index 3902759abcba..114d5b3bb39b 100644
--- a/drivers/acpi/nfit/intel.c
+++ b/drivers/acpi/nfit/intel.c
@@ -55,21 +55,17 @@ static unsigned long intel_security_flags(struct nvdimm *nvdimm,
 {
 	struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);
 	unsigned long security_flags = 0;
-	struct {
-		struct nd_cmd_pkg pkg;
-		struct nd_intel_get_security_state cmd;
-	} nd_cmd = {
-		.pkg = {
-			.nd_command = NVDIMM_INTEL_GET_SECURITY_STATE,
-			.nd_family = NVDIMM_FAMILY_INTEL,
-			.nd_size_out =
-				sizeof(struct nd_intel_get_security_state),
-			.nd_fw_size =
-				sizeof(struct nd_intel_get_security_state),
-		},
-	};
+	DEFINE_RAW_FLEX(struct nd_cmd_pkg, nd_cmd, nd_payload,
+			sizeof(struct nd_intel_get_security_state));
+	struct nd_intel_get_security_state *cmd =
+			(struct nd_intel_get_security_state *)nd_cmd->nd_payload;
 	int rc;
 
+	nd_cmd->nd_command = NVDIMM_INTEL_GET_SECURITY_STATE;
+	nd_cmd->nd_family = NVDIMM_FAMILY_INTEL;
+	nd_cmd->nd_size_out = sizeof(struct nd_intel_get_security_state);
+	nd_cmd->nd_fw_size = sizeof(struct nd_intel_get_security_state);
+
 	if (!test_bit(NVDIMM_INTEL_GET_SECURITY_STATE, &nfit_mem->dsm_mask))
 		return 0;

To what Dan Williams replied:

Can this keep the C99 init-style with something like (untested):

_DEFINE_FLEX(struct nd_cmd_pkg, nd_cmd, nd_payload,
             sizeof(struct nd_intel_get_security_state), {
		.pkg = {
		        .nd_command = NVDIMM_INTEL_GET_SECURITY_STATE,
		        .nd_family = NVDIMM_FAMILY_INTEL,
		        .nd_size_out =
		                sizeof(struct nd_intel_get_security_state),
		        .nd_fw_size =
		                sizeof(struct nd_intel_get_security_state),
		},
	});
	

?

At the moment, the short answer was: no –the helper was not able to do that “cleanly.”

However, Dan’s question along with another issue I was recently trying to address, led me to take another look at the internals of _DEFINE_FLEX():

391 /**
392  * _DEFINE_FLEX() - helper macro for DEFINE_FLEX() family.
393  * Enables caller macro to pass (different) initializer.
394  *
395  * @type: structure type name, including "struct" keyword.
396  * @name: Name for a variable to define.
397  * @member: Name of the array member.
398  * @count: Number of elements in the array; must be compile-time const.
399  * @initializer: initializer expression (could be empty for no init).
400  */
401 #define _DEFINE_FLEX(type, name, member, count, initializer...)                 \
402         _Static_assert(__builtin_constant_p(count),                             \
403                        "onstack flex array members require compile-time..."); \
404         union {                                                                 \
405                 u8 bytes[struct_size_t(type, member, count)];                   \
406                 type obj;                                                       \
407         } name##_u initializer;                                                 \
408         type *name = (type *)&name##_u

The “macro wizardry” behind this helper allows for the allocation of the total space needed for an instance of a flexible structure along with its flexible-array member on the stack. As mentioned above, there are situations where the size of the flexible-array member is known at compile time. In these cases, we can rely on the DEFINE_FLEX() family of helpers to declare the necessary objects, ensuring that any flexible-array member remains the last member of the composite structure –not placed in the middle.

Dan noticed that DEFINE_FLEX() and DEFINE_RAW_FLEX() are just wrappers for _DEFINE_FLEX(), and that these wrappers don’t allow for external static initialization:

424 #define DEFINE_RAW_FLEX(type, name, member, count)      \
425         _DEFINE_FLEX(type, name, member, count, = {})

...

442 #define DEFINE_FLEX(TYPE, NAME, MEMBER, COUNTER, COUNT) \
443         _DEFINE_FLEX(TYPE, NAME, MEMBER, COUNT, = { .obj.COUNTER = COUNT, })

However, _DEFINE_FLEX() _does_ have the infrastructure to initialize the members of the TYPE object created by this helper –with just a _small_ tweak: the obj member created by the helper at line 406 must be exposed to the call site, as shown in DEFINE_FLEX() at line 443 above when COUNTER is set to COUNT.

So I replied the following:

The code below works - however, notice that in this case we should
go through 'obj', which is an object defined in _DEFINE_FLEX().

         _DEFINE_FLEX(struct nd_cmd_pkg, nd_cmd, nd_payload,
                         sizeof(struct nd_intel_get_security_state), = {
                 .obj = {
                         .nd_command = NVDIMM_INTEL_GET_SECURITY_STATE,
                         .nd_family = NVDIMM_FAMILY_INTEL,
                         .nd_size_out =
                                 sizeof(struct nd_intel_get_security_state),
                         .nd_fw_size =
                                 sizeof(struct nd_intel_get_security_state),
                 },
         });

Then, in a subsequent e-mail I commented:

Now, I can modify the helper like this:

diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 69533e703be5..170d3cfe7ecc 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -404,7 +404,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend)
         union {                                                                 \
                 u8 bytes[struct_size_t(type, member, count)];                   \
                 type obj;                                                       \
-       } name##_u initializer;                                                 \
+       } name##_u = { .obj initializer };                                      \
         type *name = (type *)&name##_u

  /**

and then we can use the helper as follows:

         _DEFINE_FLEX(struct nd_cmd_pkg, nd_cmd, nd_payload,
                         sizeof(struct nd_intel_get_security_state), = {
                         .nd_command = NVDIMM_INTEL_GET_SECURITY_STATE,
                         .nd_family = NVDIMM_FAMILY_INTEL,
                         .nd_size_out =
                                 sizeof(struct nd_intel_get_security_state),
                         .nd_fw_size =
                                 sizeof(struct nd_intel_get_security_state),
         });

OK, I'll go and update the helper.

-Gustavo

And that’s exactly what I did in the patch below. With that change, the _DEFINE_FLEX() helper now works correctly and can statically initialize struct members without exposing any internals. 🙂

diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index f33d74dac06f2b..7b7be27ca11318 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -396,7 +396,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend)
  * @name: Name for a variable to define.
  * @member: Name of the array member.
  * @count: Number of elements in the array; must be compile-time const.
- * @initializer: initializer expression (could be empty for no init).
+ * @initializer: Initializer expression (e.g., pass `= { }` at minimum).
  */
 #define _DEFINE_FLEX(type, name, member, count, initializer...)			\
 	_Static_assert(__builtin_constant_p(count),				\
@@ -404,7 +404,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend)
 	union {									\
 		u8 bytes[struct_size_t(type, member, count)];			\
 		type obj;							\
-	} name##_u initializer;							\
+	} name##_u = { .obj initializer };					\
 	type *name = (type *)&name##_u
 
 /**
@@ -444,7 +444,7 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend)
  * elements in array @member.
  */
 #define DEFINE_FLEX(TYPE, NAME, MEMBER, COUNTER, COUNT)	\
-	_DEFINE_FLEX(TYPE, NAME, MEMBER, COUNT, = { .obj.COUNTER = COUNT, })
+	_DEFINE_FLEX(TYPE, NAME, MEMBER, COUNT, = { .COUNTER = COUNT, })

Also, as seen in the patch above, I also fixed the DEFINE_FLEX() wrapper.

So, here is a short example of how to use this helper to statically initialize members in a structure –let’s assume FIXED_SIZE == 1:

struct flex {
        int a;
        int b;
        struct foo flex_array[];
};

_DEFINE_FLEX(struct flex, instance, flex_array, 
             FIXED_SIZE, = {
                .a = 0, 
                .b = 1,
             });

In case you don’t need to initialize any members to specific values, just pass = {} as argument, or probably you should just use DEFINE_RAW_FLEX() or DEFINE_FLEX() instead.

_DEFINE_FLEX(struct flex, instance, flex_array, FIXED_SIZE, = {});

For more details, take a look at the patch already in linux-next:

Thanks! ⚔️🛡️🐧

My next post will be titled “(ab)using DEFINE_FLEX() & DEFINE_RAW_FLEX().” Stay tune!

Speaking at The University of Adelaide

While in Australia 🇦🇺, I had the honor of being invited to give a guest talk to graduate and master’s students at The University of Adelaide. It was a truly special experience because it was my first time presenting at a university, and one I deeply value as a meaningful milestone in my career. 🙂🙏🏼

Enhancing spatial safety: Better array-bounds checking in C (and Linux) (University of Adelaide –Guest talk)

The C language has historically suffered from a lack of proper bounds-checking on all kinds of arrays. The Kernel Self-Protection Project has been addressing this issue for several years. In this presentation, we will learn about the most recent hardening efforts to resolve the problem of bounds-checking, particularly for fixed-size and flexible arrays.

We will explore the different mechanisms being used to harden key APIs like memcpy() against buffer overflows, which includes the use of some interesting built-in compiler functions. We will also talk about a couple of recent compiler options like -fstrict-flex-arrays and -Wflex-array-member-not-at-end, as well as the new counted_by attribute released in Clang-18 a year ago, which helps us gain run-time bounds-checking coverage on flexible arrays.

Overall, we will discuss how various challenges have been overcome, and highlight the innovations developed to solve the problem of array bounds-checking in both C and the Linux kernel once and for all.

See the slides below.

uniadl2025

See the video of the presentation below.

Speaking at Everything Open 2025

Earlier this year, I traveled to Australia 🇦🇺 to present for the second consecutive year at the Everything Open conference in Adelaide. I was so happy to be back in Australia – it was a great experience to travel to the other side of the world once again to speak about upstream Linux kernel hardening and share the work we do in the Kernel Self-Protection Project. ⚔️🛡️🐧

Huge thanks to the organizers for inviting me to present! 🙂🙌🏽

Enhancing spatial safety in the Linux kernel: Fixing thousands of -Wfamnae warnings

The introduction of the new -Wflex-array-member-not-at-end compiler option, released in GCC-14, has revealed approximately 60,000 warnings in the Linux kernel. Among them, some legitimate bugs have been uncovered.

In this presentation, we will explore in detail the different strategies we are employing to resolve all these warnings. These methods have already helped us resolve about 30% of them. Our ultimate goal in the Kernel Self-Protection Project is to globally enable this option in mainline, further enhancing the security of the upstream Linux kernel in the spatial safety domain.

Additionally, we will briefly review the recent history of hardening efforts that have led to the unveiling of these tens of thousands of warnings. This process illustrates the extensive and gradual nature of hardening the kernel, highlighting the challenges and persistence required to enhance its security. Looking ahead, after enabling this compiler option in mainline, I will briefly discuss the next challenge the Kernel Self-Protection Project will likely focus on.

See the slides below.

eo2025

The video of the presentation will be available at the link below once it’s finally published.

My first time presenting at Lund Linux Conference (LLC)

This year I had the amazing experience of traveling to Sweden 🇸🇪 (and Denmark 🇩🇰 ) for the first time to present at the Lund Linux Conference (https://lundlinuxcon.org/?page=current). 🐧 🗣️ 🎙️

It’s a small but very neat conference. Both the audience and the organizers were awesome, they made me feel right at home, and I even made some cool new friends! I really hope to return next year. 😃

The videos of the presentations were uploaded a few days ago, so here’s my talk about upstream Linux kernel hardening. 🐧 ⚔️ 🛡️ Thanks!

Yet another memory corruption bug in the Linux kernel

Yet another memory corruption bug caught thanks to -Wflex-array-member-not-at-end! 🐛🪲🐧



The maintainer has already taken this patch, and it will soon land in mainline and a couple of stable trees. 😃🐧

Here’s a link to the slides and video from my latest presentation at Linux Plumbers Conference, where I discuss the ongoing efforts to globally enable the -Wflex-array-member-not-at-end compiler option in the upstream Linux kernel:


This work aims to eradicate these types of memory corruption vulnerabilities from the kernel once and for all. 😀🙌🏽

Kernel Self-Protection Project ⚔️🛡️🐧

Back to Australia to present at Everything Open 2025

I’m really excited to share that my first presentation of 2025 will be in Adelaide, Australia. 🙌🏽😃

This will be my second time speaking at the Everything Open conference, and I’m really happy to be invited back. As always, feel free to say hi if you see me around!

I’ll be speaking about some of the recent progress on upstream Linux kernel hardening. ⚔️🛡️🐧

Here is the link to the details of my session: https://2025.everythingopen.au/schedule/presentation/87/

Check out the whole schedule here: https://2025.everythingopen.au/schedule/

Memory corruption bug in the Wireless subsystem

-Wflex-array-member-not-at-end continues to catch memory corruption bugs in the Linux kernel 🐛🪲🐧:



Here’s a link to the slides and video from my latest presentation on the ongoing efforts to globally enable the -Wflex-array-member-not-at-end compiler option in the upstream Linux kernel:


This work aims to eliminate these types of memory corruption bugs from the kernel once and for all. 😀🙌🏽

Kernel Self-Protection Project ⚔️🛡️🐧

My talk at Linux Plumbers Conference 2024 in Vienna

I presented at Linux Plumbers Conference in Vienna this year. 🗣️🎙️🇦🇹

I really enjoyed the session and had a great audience. They asked good questions and made interesting comments. Here is the video of the presentation.

Slides: https://embeddedor.com/slides/2024/lpceu/lpceu2024.pdf (pdf)

I hope you find it useful. Thanks!

Kernel Self-Protection Project ⚔️🛡️🐧

My talk at SSTIC 2024 in Rennes

A few months ago, I had the wonderful experience of presenting as an invited speaker at Symposium sur la Sécurité des Technologies de l’Information et des Communications (SSTIC) in Rennes, France. 🇨🇵

From what my French friends have told me, this is one of the largest and most relevant information security conferences in France, and this year marked its 22nd edition.

The conference is typically held in French, with mine being the only talk in English this year. So, I’m really excited to share the video of the presentation with you all. 🙂 🙌🏽🐧

Enhancing spatial safety: Better array-bounds checking in C (and Linux) — Gustavo A. R. Silva

The C language has historically suffered from a lack of proper bounds-checking on all kinds of arrays. The Kernel Self-Protection Project has been addressing this issue for several years. In this presentation, we will learn about the most recent hardening efforts to resolve the problem of bounds-checking, particularly for fixed-size and flexible arrays.

We will explore the different mechanisms being used to harden key APIs like memcpy() against buffer overflows, which includes the use of some interesting built-in compiler functions. We will also talk about a couple of recent compiler options like -fstrict-flex-arrays and -Wflex-array-member-not-at-end, as well as the new __counted_by__ attribute released in Clang-18 a few weeks ago, which helps us gain run-time bounds-checking coverage on flexible arrays.

Overall, we will discuss how various challenges have been overcome and highlight the innovations developed to solve the problem of array bounds-checking in both C and the Linux kernel once and for all.


Here is a link to the full presentation and slides: https://www.sstic.org/2024/presentation/invite_2024_2/

Thank you!

Here are some photos I took while I was in beautiful Rennes for the conference. 🙂