GCC warns about potential out-of-bounds access when the test provides a buffer smaller than struct iommu_test_hw_info:
iommufd_utils.h:817:37: warning: array subscript 'struct iommu_test_hw_info[0]' is partly outside array bounds of 'struct iommu_test_hw_info_buffer_smaller[1]' [-Warray-bounds=] 817 | assert(!info->flags); | ~~~~^~~~~~~
The warning occurs because 'info' is cast to a pointer to the full 8-byte struct at the top of the function, but the buffer_smaller test case passes only a 4-byte buffer. While the code correctly checks data_len before accessing each field, GCC's flow analysis with inlining doesn't recognize that the size check protects the access.
Fix this by accessing fields through appropriately-typed pointers that match the actual field sizes (__u32), declared only after the bounds check. This makes the relationship between the size check and memory access explicit to the compiler.
Signed-off-by: Nirbhay Sharma nirbhay.lkd@gmail.com --- tools/testing/selftests/iommu/iommufd_utils.h | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/tools/testing/selftests/iommu/iommufd_utils.h b/tools/testing/selftests/iommu/iommufd_utils.h index 9f472c20c190..37c1b994008c 100644 --- a/tools/testing/selftests/iommu/iommufd_utils.h +++ b/tools/testing/selftests/iommu/iommufd_utils.h @@ -770,7 +770,6 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type, void *data, size_t data_len, uint32_t *capabilities, uint8_t *max_pasid) { - struct iommu_test_hw_info *info = (struct iommu_test_hw_info *)data; struct iommu_hw_info cmd = { .size = sizeof(cmd), .dev_id = device_id, @@ -810,11 +809,19 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type, } }
- if (info) { - if (data_len >= offsetofend(struct iommu_test_hw_info, test_reg)) - assert(info->test_reg == IOMMU_HW_INFO_SELFTEST_REGVAL); - if (data_len >= offsetofend(struct iommu_test_hw_info, flags)) - assert(!info->flags); + if (data) { + if (data_len >= offsetofend(struct iommu_test_hw_info, + test_reg)) { + __u32 *test_reg = (__u32 *)data + 1; + + assert(*test_reg == IOMMU_HW_INFO_SELFTEST_REGVAL); + } + if (data_len >= offsetofend(struct iommu_test_hw_info, + flags)) { + __u32 *flags = data; + + assert(!*flags); + } }
if (max_pasid)
On Fri, Nov 14, 2025 at 01:38:55AM +0530, Nirbhay Sharma wrote:
GCC warns about potential out-of-bounds access when the test provides a buffer smaller than struct iommu_test_hw_info:
iommufd_utils.h:817:37: warning: array subscript 'struct iommu_test_hw_info[0]' is partly outside array bounds of 'struct iommu_test_hw_info_buffer_smaller[1]' [-Warray-bounds=] 817 | assert(!info->flags); | ~~~~^~~~~~~
The warning occurs because 'info' is cast to a pointer to the full 8-byte struct at the top of the function, but the buffer_smaller test case passes only a 4-byte buffer. While the code correctly checks data_len before accessing each field, GCC's flow analysis with inlining doesn't recognize that the size check protects the access.
Fix this by accessing fields through appropriately-typed pointers that match the actual field sizes (__u32), declared only after the bounds check. This makes the relationship between the size check and memory access explicit to the compiler.
Signed-off-by: Nirbhay Sharma nirbhay.lkd@gmail.com
tools/testing/selftests/iommu/iommufd_utils.h | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/tools/testing/selftests/iommu/iommufd_utils.h b/tools/testing/selftests/iommu/iommufd_utils.h index 9f472c20c190..37c1b994008c 100644 --- a/tools/testing/selftests/iommu/iommufd_utils.h +++ b/tools/testing/selftests/iommu/iommufd_utils.h @@ -770,7 +770,6 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type, void *data, size_t data_len, uint32_t *capabilities, uint8_t *max_pasid) {
- struct iommu_test_hw_info *info = (struct iommu_test_hw_info *)data; struct iommu_hw_info cmd = { .size = sizeof(cmd), .dev_id = device_id,
@@ -810,11 +809,19 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type, } }
- if (info) {
if (data_len >= offsetofend(struct iommu_test_hw_info, test_reg))assert(info->test_reg == IOMMU_HW_INFO_SELFTEST_REGVAL);if (data_len >= offsetofend(struct iommu_test_hw_info, flags))assert(!info->flags);
- if (data) {
if (data_len >= offsetofend(struct iommu_test_hw_info,test_reg)) {__u32 *test_reg = (__u32 *)data + 1;
This seems too obfuscated, can't we keep the struct somehow and still remove the warning?
I also feel like you have a compiler bug here, if gcc has inlined enough to know the size of data then it surely should know the constant value of data_len?
Failing that, how about just change the caller, maybe like this:
--- a/tools/testing/selftests/iommu/iommufd.c +++ b/tools/testing/selftests/iommu/iommufd.c @@ -760,6 +760,7 @@ TEST_F(iommufd_ioas, get_hw_info) } buffer_larger; struct iommu_test_hw_info_buffer_smaller { __u32 flags; + struct iommu_test_hw_info dummy; } buffer_smaller;
if (self->device_id) { @@ -791,9 +792,11 @@ TEST_F(iommufd_ioas, get_hw_info) * Provide a user_buffer with size smaller than the exact size to check if * the fields within the size range still gets updated. */ - test_cmd_get_hw_info(self->device_id, - IOMMU_HW_INFO_TYPE_DEFAULT, - &buffer_smaller, sizeof(buffer_smaller)); + test_cmd_get_hw_info( + self->device_id, IOMMU_HW_INFO_TYPE_DEFAULT, + &buffer_smaller, + offsetofend(struct iommu_test_hw_info_buffer_smaller, + flags)); test_cmd_get_hw_info_pasid(self->device_id, &max_pasid); ASSERT_EQ(0, max_pasid); if (variant->pasid_capable) {
Jason
linux-kselftest-mirror@lists.linaro.org
-
Jason Gunthorpe -
Nirbhay Sharma