On Mon, May 13, 2024 at 09:33:57PM -0700, Kees Cook wrote:
> Hi!
>
> While working on testing an improved -Warray-bounds in GCC, I encountered
> this, which seems to be reasonable:

Eek. I think you're right. This is a bad interaction between the page
dumping code and the fixed fake head code. I will need to think about this
(and LSFMM is happening right now, so I don't necessarily have a lot of
time to think). I'll get back to you as soon as I can.

> In file included from ./arch/x86/include/generated/asm/rwonce.h:1,
> from ../include/linux/compiler.h:299,
> from ../include/linux/array_size.h:5,
> from ../include/linux/kernel.h:16,
> from ../mm/debug.c:9:
> In function 'page_fixed_fake_head',
> inlined from '_compound_head' at ../include/linux/page-flags.h:251:24,
> inlined from '__dump_page' at ../mm/debug.c:123:11:
> ../include/asm-generic/rwonce.h:44:26: warning: array subscript 9 is outside array bounds of 'struct page[1]' [-Warray-bounds=]
> 44 | #define __READ_ONCE(x) (*(const volatile __unqual_scalar_typeof(x) *)&(x))
> | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ../include/asm-generic/rwonce.h:50:9: note: in expansion of macro '__READ_ONCE'
> 50 | __READ_ONCE(x); \
> | ^~~~~~~~~~~
> ../include/linux/page-flags.h:226:38: note: in expansion of macro 'READ_ONCE'
> 226 | unsigned long head = READ_ONCE(page[1].compound_head);
> | ^~~~~~~~~
> ../mm/debug.c: In function '__dump_page':
> ../mm/debug.c:116:21: note: at offset 72 into object 'precise' of size 64
> 116 | struct page precise;
> | ^~~~~~~
>
> (Not noted in this warning is that the code passes through page_folio()
> _Generic macro.)
>
> It doesn't like that it can see that "precise" is exactly one page, so
> looking at page[1] later is going to freak out. I suspect this may be
> "impossible" at run-time, but I'm not 100% sure. Regardless, the compiler
> can't tell.
>
> I suspect just making precise be a 2 page array would make this happy,
> but it wasn't clear to me how such a page should be initialized.
>
> -Kees
>
> --
> Kees Cook
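Stand-alone C model of the pattern behind the warning above, added here as an example and not code from the kernel or from either poster: `struct page` is a two-field stand-in (so the offsets differ from the 72-into-64 the real warning reports), and `fake_head_next_checked` with its `npages` argument is an assumed design for illustration, not the kernel's fix.

```c
/* Model of the page[1] read behind the -Warray-bounds report (constructed
 * example, not kernel code). struct page here is a small stand-in. */
#include <stddef.h>
#include <string.h>

struct page {
    unsigned long flags;
    unsigned long compound_head; /* low bit set: this page is a tail page */
};

/* Mirrors the shape of page_fixed_fake_head(): it reads the *next* struct
 * page, so it is only meaningful when `page` is the first of at least two
 * adjacent struct pages (a compound page in a real page array). */
static inline unsigned long fake_head_next(const struct page *page)
{
    return page[1].compound_head;
}

/* Mirrors the __dump_page() shape from the mail: copy a single page onto
 * the stack, then hand a pointer to that lone object to the page[1]-reading
 * helper. Once the helper is inlined, the compiler sees a one-element
 * object indexed at [1]; at run time this reads past `precise`, which is
 * why nothing below calls it. Build with gcc -O2 -Warray-bounds to see
 * whether your GCC version reports it. */
unsigned long dump_page_as_in_mail(const struct page *page)
{
    struct page precise;

    memcpy(&precise, page, sizeof(precise));
    return fake_head_next(&precise);
}

/* Assumed alternative (not the kernel's fix): the caller states how many
 * struct pages are adjacent, so the helper can refuse to read [1] from a
 * lone object instead of relying on a fact the compiler cannot see.
 * Returns 0 (no fake head) when fewer than two pages are available. */
unsigned long fake_head_next_checked(const struct page *page, size_t npages)
{
    if (npages < 2)
        return 0;
    return page[1].compound_head;
}
```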