{"id":2221232,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2221232/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/adbIKC0cZcK7VcCF@kspp/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<adbIKC0cZcK7VcCF@kspp>","date":"2026-04-08T21:27:04","name":"[next] netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings","commit_ref":null,"pull_url":null,"state":"superseded","archived":true,"hash":"7a0cefdabf4fe00bf5ae6250296cee3c204f6c65","submitter":{"id":79098,"url":"http://patchwork.ozlabs.org/api/1.1/people/79098/?format=json","name":"Gustavo A. R. Silva","email":"gustavoars@kernel.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/adbIKC0cZcK7VcCF@kspp/mbox/","series":[{"id":499214,"url":"http://patchwork.ozlabs.org/api/1.1/series/499214/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=499214","date":"2026-04-08T21:27:04","name":"[next] netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings","version":1,"mbox":"http://patchwork.ozlabs.org/series/499214/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2221232/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2221232/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-11748-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=llybHSbR;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11748-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"llybHSbR\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frblm1N5pz1yD3\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 09 Apr 2026 07:28:36 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 1DDA230241A0\n\tfor <incoming@patchwork.ozlabs.org>; Wed,  8 Apr 2026 21:28:18 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 7B6E939FCB3;\n\tWed,  8 Apr 2026 21:28:11 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 0400439DBDF;\n\tWed,  8 Apr 2026 21:28:11 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id 255A7C19421;\n\tWed,  8 Apr 2026 21:28:09 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775683691; cv=none;\n b=sckh4MV9ud54V+o8wu98G3Qz/IdPBPdBotJFDe/HsvpjCxWafh+Ok/97Al+lqMrNzxkp2sDSR5VToQ72Lra6XJ2O4GmpHxkV2MrE+ZgMg2xVjymDaVRRDYAAWm3kd7QEArz8M7NEDNBCU9CgqQ885UhnHGOMUt6ycLq6hhneeWg=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775683691; c=relaxed/simple;\n\tbh=WpE0MYfaSpWNmYLrKupwzmNe/zhoMgBoUNCb8zcFtzM=;\n\th=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:\n\t Content-Disposition;\n b=X4E92H1KmgPzPRfFBBgFkhhracD/OIJpRRGwHQHklGmxhFWkC+CVU3u1zP8MKEdTxb0M4OGikoLqurZvRDiWjF4/t5X7E8ymLWblRlPpnqvwjwNf3WOcd9cug4VncqcuROCx1JpCbuEH4UvOa63hdeypBB6m8V8Dfbyi0u+dMfU=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=llybHSbR; arc=none smtp.client-ip=10.30.226.201","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1775683690;\n\tbh=WpE0MYfaSpWNmYLrKupwzmNe/zhoMgBoUNCb8zcFtzM=;\n\th=Date:From:To:Cc:Subject:From;\n\tb=llybHSbRhF0IyGzCiVkubRm6jznBYSJKm41Is2adPV68oSVITizRNvt4u0qfNvig0\n\t nGCGlPd2WKRsvxlirftnlfXF6UdpbKqg7y44STD3RFBepBvnQ/PmjXCbnr6J5wj+HG\n\t /T1IBIhUJA6MGraadSUCIbeGE90GXpC/ltH0Xz4atoobzu7QGhBIbTTyAAfHmiI/bH\n\t CE4V15DY/RgcqIAbqnyu3+e8Rq4JHHhF09KT6lRZKbCI2UtMH/IC64Vyi8cyuj+3nA\n\t 8GO7gbEtUBA3d+4DiWzgxuiv+F6ppXJyaAoUr2ye2oMa9pIpLGFp7/w1TLEFCRODCI\n\t I2SLx2sXaWacA==","Date":"Wed, 8 Apr 2026 15:27:04 -0600","From":"\"Gustavo A. R. Silva\" <gustavoars@kernel.org>","To":"Pablo Neira Ayuso <pablo@netfilter.org>,\n\tFlorian Westphal <fw@strlen.de>, Phil Sutter <phil@nwl.cc>,\n\t\"David S. Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,\n\tSimon Horman <horms@kernel.org>","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tnetdev@vger.kernel.org, linux-kernel@vger.kernel.org,\n\t\"Gustavo A. R. Silva\" <gustavoars@kernel.org>,\n\tlinux-hardening@vger.kernel.org","Subject":"[PATCH][next] netfilter: x_tables: Avoid a couple\n -Wflex-array-member-not-at-end warnings","Message-ID":"<adbIKC0cZcK7VcCF@kspp>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline"},"content":"-Wflex-array-member-not-at-end was introduced in GCC-14, and we are\ngetting ready to enable it, globally.\n\nstruct compat_xt_standard_target and struct compat_xt_error_target are\nonly used in xt_compat_check_entry_offsets(). Remove these structs and\ninstead define the same memory layout on the stack via flexible struct\ncompat_xt_entry_target and DEFINE_RAW_FLEX(). Adjust the rest of the\ncode accordingly.\n\nWith these changes, fix the following warnings:\n\n1 net/netfilter/x_tables.c:816:39: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\n1 net/netfilter/x_tables.c:811:39: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\n\nSigned-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>\n---\n net/netfilter/x_tables.c | 30 +++++++++++++-----------------\n 1 file changed, 13 insertions(+), 17 deletions(-)","diff":"diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c\nindex b39017c80548..a58107038a24 100644\n--- a/net/netfilter/x_tables.c\n+++ b/net/netfilter/x_tables.c\n@@ -817,17 +817,6 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,\n }\n EXPORT_SYMBOL_GPL(xt_compat_match_to_user);\n \n-/* non-compat version may have padding after verdict */\n-struct compat_xt_standard_target {\n-\tstruct compat_xt_entry_target t;\n-\tcompat_uint_t verdict;\n-};\n-\n-struct compat_xt_error_target {\n-\tstruct compat_xt_entry_target t;\n-\tchar errorname[XT_FUNCTION_MAXNAMELEN];\n-};\n-\n int xt_compat_check_entry_offsets(const void *base, const char *elems,\n \t\t\t\t  unsigned int target_offset,\n \t\t\t\t  unsigned int next_offset)\n@@ -850,18 +839,25 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems,\n \t\treturn -EINVAL;\n \n \tif (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {\n-\t\tconst struct compat_xt_standard_target *st = (const void *)t;\n+\t\tDEFINE_RAW_FLEX(const struct compat_xt_entry_target, st, data,\n+\t\t\t\tsizeof(compat_uint_t));\n+\t\tcompat_uint_t *verdict = (compat_uint_t *)st->data;\n \n-\t\tif (COMPAT_XT_ALIGN(target_offset + sizeof(*st)) != next_offset)\n+\t\tst = (const void *)t;\n+\n+\t\tif (COMPAT_XT_ALIGN(target_offset + __struct_size(st)) !=\n+\t\t\t\tnext_offset)\n \t\t\treturn -EINVAL;\n \n-\t\tif (!verdict_ok(st->verdict))\n+\t\tif (!verdict_ok(*verdict))\n \t\t\treturn -EINVAL;\n \t} else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {\n-\t\tconst struct compat_xt_error_target *et = (const void *)t;\n+\t\tDEFINE_RAW_FLEX(const struct compat_xt_entry_target, et, data,\n+\t\t\t\tXT_FUNCTION_MAXNAMELEN);\n+\t\tet = (const void *)t;\n \n-\t\tif (!error_tg_ok(t->u.target_size, sizeof(*et),\n-\t\t\t\t et->errorname, sizeof(et->errorname)))\n+\t\tif (!error_tg_ok(t->u.target_size, __struct_size(et),\n+\t\t\t\t et->data, __member_size(et->data)))\n \t\t\treturn -EINVAL;\n \t}\n \n","prefixes":["next"]}