1

I noticed that, in struct pid in pid.h, the member numbers is defined as an array of size 1.

struct pid
{
    refcount_t count;
    unsigned int level;
    spinlock_t lock;
    /* lists of tasks that use this pid */
    struct hlist_head tasks[PIDTYPE_MAX];
    struct hlist_head inodes;
    /* wait queue for pidfd notifications */
    wait_queue_head_t wait_pidfd;
    struct rcu_head rcu;
    struct upid numbers[1];
};

However, in pid.c, the member is accessed with indices other than 0.

pid->numbers[i].nr = nr;

How does this work without writing out of bounds?

Improve this question
2

1 Answer 1

Reset to default
3

This is a variant of flexible arrays, albeit not using the now-standard syntax (which would be struct upid numbers[];). The general idea is that such structs are allocated with enough room for all the fields, plus enough room for the real size of the array at the end of the struct.

The structures are allocated in a cache; you can see the size calculation in create_pid_cachep:

len = sizeof(struct pid) + level * sizeof(struct upid);

This allocates enough room for a struct pid at the given level (starting at 0, so with room for one struct upid).

struct pid itself has room for one element in its numbers array, because the level-0 cache is allocated using KMEM_CACHE, and that expects a single struct representing a complete cache entry.

Work has been going on for the last few years to switch all such array uses to standardised flexible arrays; for more information, see Gustavo A. R. Silva’s recent talk on the Kernel Self-Protection Project at Kernel Recipes 2022.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.