lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <aR5_a1tD9KKp363I@kspp>
Date: Thu, 20 Nov 2025 11:39:39 +0900
From: "Gustavo A. R. Silva" <gustavoars@...nel.org>
To: Jakub Kicinski <kuba@...nel.org>, Simon Horman <horms@...nel.org>,
	Andrew Lunn <andrew+netdev@...n.ch>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>
Cc: oss-drivers@...igine.com, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	"Gustavo A. R. Silva" <gustavoars@...nel.org>,
	linux-hardening@...r.kernel.org
Subject: [PATCH][next] nfp: tls: Avoid -Wflex-array-member-not-at-end warnings

-Wflex-array-member-not-at-end was introduced in GCC-14, and we are
getting ready to enable it, globally.

So, in order to avoid ending up with flexible-array members in the
middle of other structs, we use the `struct_group_tagged()` helper
to separate the flexible array from the rest of the members in the
flexible structure. We then use the newly created tagged `struct
nfp_crypto_req_add_front_hdr` to replace the type of the objects
causing trouble in a couple of structures.

We also want to ensure that when new members need to be added to the
flexible structure, they are always included within the newly created
tagged struct. For this, we use `static_assert()`. This ensures that the
memory layout for both the flexible structure and the new tagged struct
is the same after any changes.

Lastly, use container_of() to retrieve a pointer to the flexible
structure and, through that, access the flexible-array member when
needed.

So, with these changes, fix the following warnings:

drivers/net/ethernet/netronome/nfp/nfdk/../crypto/fw.h:65:41: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
drivers/net/ethernet/netronome/nfp/nfdk/../crypto/fw.h:58:41: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
drivers/net/ethernet/netronome/nfp/nfd3/../crypto/fw.h:58:41: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
drivers/net/ethernet/netronome/nfp/nfd3/../crypto/fw.h:65:41: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]

Signed-off-by: Gustavo A. R. Silva <gustavoars@...nel.org>
---
 .../net/ethernet/netronome/nfp/crypto/fw.h    | 24 ++++++++++++-------
 .../net/ethernet/netronome/nfp/crypto/tls.c   |  6 +++--
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/drivers/net/ethernet/netronome/nfp/crypto/fw.h b/drivers/net/ethernet/netronome/nfp/crypto/fw.h
index dcb67c2b5e5e..1e869599febb 100644
--- a/drivers/net/ethernet/netronome/nfp/crypto/fw.h
+++ b/drivers/net/ethernet/netronome/nfp/crypto/fw.h
@@ -32,16 +32,22 @@ struct nfp_crypto_req_reset {
 #define NFP_NET_TLS_VLAN_UNUSED			4095
 
 struct nfp_crypto_req_add_front {
-	struct nfp_ccm_hdr hdr;
-	__be32 ep_id;
-	u8 resv[3];
-	u8 opcode;
-	u8 key_len;
-	__be16 ipver_vlan __packed;
-	u8 l4_proto;
+	/* New members MUST be added within the struct_group() macro below. */
+	struct_group_tagged(nfp_crypto_req_add_front_hdr, __hdr,
+		struct nfp_ccm_hdr hdr;
+		__be32 ep_id;
+		u8 resv[3];
+		u8 opcode;
+		u8 key_len;
+		__be16 ipver_vlan __packed;
+		u8 l4_proto;
+	);
 #define NFP_NET_TLS_NON_ADDR_KEY_LEN	8
 	u8 l3_addrs[];
 };
+static_assert(offsetof(struct nfp_crypto_req_add_front, l3_addrs) ==
+	      sizeof(struct nfp_crypto_req_add_front_hdr),
+	      "struct member likely outside of struct_group_tagged()");
 
 struct nfp_crypto_req_add_back {
 	__be16 src_port;
@@ -55,14 +61,14 @@ struct nfp_crypto_req_add_back {
 };
 
 struct nfp_crypto_req_add_v4 {
-	struct nfp_crypto_req_add_front front;
+	struct nfp_crypto_req_add_front_hdr front;
 	__be32 src_ip;
 	__be32 dst_ip;
 	struct nfp_crypto_req_add_back back;
 };
 
 struct nfp_crypto_req_add_v6 {
-	struct nfp_crypto_req_add_front front;
+	struct nfp_crypto_req_add_front_hdr front;
 	__be32 src_ip[4];
 	__be32 dst_ip[4];
 	struct nfp_crypto_req_add_back back;
diff --git a/drivers/net/ethernet/netronome/nfp/crypto/tls.c b/drivers/net/ethernet/netronome/nfp/crypto/tls.c
index f252ecdcd2cd..a6d6a334c84b 100644
--- a/drivers/net/ethernet/netronome/nfp/crypto/tls.c
+++ b/drivers/net/ethernet/netronome/nfp/crypto/tls.c
@@ -180,7 +180,8 @@ nfp_net_tls_set_ipv4(struct nfp_net *nn, struct nfp_crypto_req_add_v4 *req,
 	req->front.key_len += sizeof(__be32) * 2;
 
 	if (direction == TLS_OFFLOAD_CTX_DIR_TX) {
-		nfp_net_tls_assign_conn_id(nn, &req->front);
+		nfp_net_tls_assign_conn_id(nn,
+			container_of(&req->front, struct nfp_crypto_req_add_front, __hdr));
 	} else {
 		req->src_ip = inet->inet_daddr;
 		req->dst_ip = inet->inet_saddr;
@@ -199,7 +200,8 @@ nfp_net_tls_set_ipv6(struct nfp_net *nn, struct nfp_crypto_req_add_v6 *req,
 	req->front.key_len += sizeof(struct in6_addr) * 2;
 
 	if (direction == TLS_OFFLOAD_CTX_DIR_TX) {
-		nfp_net_tls_assign_conn_id(nn, &req->front);
+		nfp_net_tls_assign_conn_id(nn,
+			container_of(&req->front, struct nfp_crypto_req_add_front, __hdr));
 	} else {
 		memcpy(req->src_ip, &sk->sk_v6_daddr, sizeof(req->src_ip));
 		memcpy(req->dst_ip, &np->saddr, sizeof(req->dst_ip));
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ