On Fri, Nov 14, 2025 at 01:38:55AM +0530, Nirbhay Sharma wrote:
> GCC warns about potential out-of-bounds access when the test provides
> a buffer smaller than struct iommu_test_hw_info:
>
> iommufd_utils.h:817:37: warning: array subscript 'struct
> iommu_test_hw_info[0]' is partly outside array bounds of 'struct
> iommu_test_hw_info_buffer_smaller[1]'
> [-Warray-bounds=]
> 817 | assert(!info->flags);
> | ~~~~^~~~~~~
>
> The warning occurs because 'info' is cast to a pointer to the full
> 8-byte struct at the top of the function, but the buffer_smaller test
> case passes only a 4-byte buffer. While the code correctly checks
> data_len before accessing each field, GCC's flow analysis with inlining
> doesn't recognize that the size check protects the access.
>
> Fix this by accessing fields through appropriately-typed pointers that
> match the actual field sizes (__u32), declared only after the bounds
> check. This makes the relationship between the size check and memory
> access explicit to the compiler.
>
> Signed-off-by: Nirbhay Sharma <[email protected]>
> ---
> tools/testing/selftests/iommu/iommufd_utils.h | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
> diff --git a/tools/testing/selftests/iommu/iommufd_utils.h
> b/tools/testing/selftests/iommu/iommufd_utils.h
> index 9f472c20c190..37c1b994008c 100644
> --- a/tools/testing/selftests/iommu/iommufd_utils.h
> +++ b/tools/testing/selftests/iommu/iommufd_utils.h
> @@ -770,7 +770,6 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id,
> __u32 data_type,
> void *data, size_t data_len,
> uint32_t *capabilities, uint8_t *max_pasid)
> {
> - struct iommu_test_hw_info *info = (struct iommu_test_hw_info *)data;
> struct iommu_hw_info cmd = {
> .size = sizeof(cmd),
> .dev_id = device_id,
> @@ -810,11 +809,19 @@ static int _test_cmd_get_hw_info(int fd, __u32
> device_id, __u32 data_type,
> }
> }
>
> - if (info) {
> - if (data_len >= offsetofend(struct iommu_test_hw_info,
> test_reg))
> - assert(info->test_reg == IOMMU_HW_INFO_SELFTEST_REGVAL);
> - if (data_len >= offsetofend(struct iommu_test_hw_info, flags))
> - assert(!info->flags);
> + if (data) {
> + if (data_len >= offsetofend(struct iommu_test_hw_info,
> + test_reg)) {
> + __u32 *test_reg = (__u32 *)data + 1;
This seems too obfuscated, can't we keep the struct somehow and still
remove the warning?
I also feel like you have a compiler bug here, if gcc has inlined
enough to know the size of data then it surely should know the
constant value of data_len?
Failing that, how about just change the caller, maybe like this:
--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -760,6 +760,7 @@ TEST_F(iommufd_ioas, get_hw_info)
} buffer_larger;
struct iommu_test_hw_info_buffer_smaller {
__u32 flags;
+ struct iommu_test_hw_info dummy;
} buffer_smaller;
if (self->device_id) {
@@ -791,9 +792,11 @@ TEST_F(iommufd_ioas, get_hw_info)
* Provide a user_buffer with size smaller than the exact size
to check if
* the fields within the size range still gets updated.
*/
- test_cmd_get_hw_info(self->device_id,
- IOMMU_HW_INFO_TYPE_DEFAULT,
- &buffer_smaller, sizeof(buffer_smaller));
+ test_cmd_get_hw_info(
+ self->device_id, IOMMU_HW_INFO_TYPE_DEFAULT,
+ &buffer_smaller,
+ offsetofend(struct iommu_test_hw_info_buffer_smaller,
+ flags));
test_cmd_get_hw_info_pasid(self->device_id, &max_pasid);
ASSERT_EQ(0, max_pasid);
if (variant->pasid_capable) {
Jason
