1 .. _codingstyle:
2
3 Linux kernel coding style
4 =========================
5
6 This is a short document describing the prefer
7 linux kernel. Coding style is very personal,
8 views on anybody, but this is what goes for an
9 able to maintain, and I'd prefer it for most o
10 at least consider the points made here.
11
12 First off, I'd suggest printing out a copy of
13 and NOT read it. Burn them, it's a great symb
14
15 Anyway, here goes:
16
17
18 1) Indentation
19 --------------
20
21 Tabs are 8 characters, and thus indentations a
22 There are heretic movements that try to make i
23 characters deep, and that is akin to trying to
24 be 3.
25
26 Rationale: The whole idea behind indentation i
27 a block of control starts and ends. Especiall
28 at your screen for 20 straight hours, you'll f
29 how the indentation works if you have large in
30
31 Now, some people will claim that having 8-char
32 the code move too far to the right, and makes
33 80-character terminal screen. The answer to t
34 more than 3 levels of indentation, you're scre
35 your program.
36
37 In short, 8-char indents make things easier to
38 benefit of warning you when you're nesting you
39 Heed that warning.
40
41 The preferred way to ease multiple indentation
42 to align the ``switch`` and its subordinate ``
43 instead of ``double-indenting`` the ``case`` l
44
45 .. code-block:: c
46
47 switch (suffix) {
48 case 'G':
49 case 'g':
50 mem <<= 30;
51 break;
52 case 'M':
53 case 'm':
54 mem <<= 20;
55 break;
56 case 'K':
57 case 'k':
58 mem <<= 10;
59 fallthrough;
60 default:
61 break;
62 }
63
64 Don't put multiple statements on a single line
65 something to hide:
66
67 .. code-block:: c
68
69 if (condition) do_this;
70 do_something_everytime;
71
72 Don't use commas to avoid using braces:
73
74 .. code-block:: c
75
76 if (condition)
77 do_this(), do_that();
78
79 Always uses braces for multiple statements:
80
81 .. code-block:: c
82
83 if (condition) {
84 do_this();
85 do_that();
86 }
87
88 Don't put multiple assignments on a single lin
89 is super simple. Avoid tricky expressions.
90
91
92 Outside of comments, documentation and except
93 used for indentation, and the above example is
94
95 Get a decent editor and don't leave whitespace
96
97
98 2) Breaking long lines and strings
99 ----------------------------------
100
101 Coding style is all about readability and main
102 available tools.
103
104 The preferred limit on the length of a single
105
106 Statements longer than 80 columns should be br
107 unless exceeding 80 columns significantly incr
108 not hide information.
109
110 Descendants are always substantially shorter t
111 are placed substantially to the right. A very
112 is to align descendants to a function open par
113
114 These same rules are applied to function heade
115
116 However, never break user-visible strings such
117 that breaks the ability to grep for them.
118
119
120 3) Placing Braces and Spaces
121 ----------------------------
122
123 The other issue that always comes up in C styl
124 braces. Unlike the indent size, there are few
125 choose one placement strategy over the other,
126 shown to us by the prophets Kernighan and Ritc
127 brace last on the line, and put the closing br
128
129 .. code-block:: c
130
131 if (x is true) {
132 we do y
133 }
134
135 This applies to all non-function statement blo
136 while, do). E.g.:
137
138 .. code-block:: c
139
140 switch (action) {
141 case KOBJ_ADD:
142 return "add";
143 case KOBJ_REMOVE:
144 return "remove";
145 case KOBJ_CHANGE:
146 return "change";
147 default:
148 return NULL;
149 }
150
151 However, there is one special case, namely fun
152 opening brace at the beginning of the next lin
153
154 .. code-block:: c
155
156 int function(int x)
157 {
158 body of function
159 }
160
161 Heretic people all over the world have claimed
162 is ... well ... inconsistent, but all right-
163 (a) K&R are **right** and (b) K&R are right.
164 special anyway (you can't nest them in C).
165
166 Note that the closing brace is empty on a line
167 the cases where it is followed by a continuati
168 ie a ``while`` in a do-statement or an ``else`
169 this:
170
171 .. code-block:: c
172
173 do {
174 body of do-loop
175 } while (condition);
176
177 and
178
179 .. code-block:: c
180
181 if (x == y) {
182 ..
183 } else if (x > y) {
184 ...
185 } else {
186 ....
187 }
188
189 Rationale: K&R.
190
191 Also, note that this brace-placement also mini
192 (or almost empty) lines, without any loss of r
193 supply of new-lines on your screen is not a re
194 25-line terminal screens here), you have more
195 comments on.
196
197 Do not unnecessarily use braces where a single
198
199 .. code-block:: c
200
201 if (condition)
202 action();
203
204 and
205
206 .. code-block:: c
207
208 if (condition)
209 do_this();
210 else
211 do_that();
212
213 This does not apply if only one branch of a co
214 statement; in the latter case use braces in bo
215
216 .. code-block:: c
217
218 if (condition) {
219 do_this();
220 do_that();
221 } else {
222 otherwise();
223 }
224
225 Also, use braces when a loop contains more tha
226
227 .. code-block:: c
228
229 while (condition) {
230 if (test)
231 do_something();
232 }
233
234 3.1) Spaces
235 ***********
236
237 Linux kernel style for use of spaces depends (
238 function-versus-keyword usage. Use a space af
239 notable exceptions are sizeof, typeof, alignof
240 somewhat like functions (and are usually used
241 although they are not required in the language
242 ``struct fileinfo info;`` is declared).
243
244 So use a space after these keywords::
245
246 if, switch, case, for, do, while
247
248 but not with sizeof, typeof, alignof, or __att
249
250 .. code-block:: c
251
252
253 s = sizeof(struct file);
254
255 Do not add spaces around (inside) parenthesize
256 **bad**:
257
258 .. code-block:: c
259
260
261 s = sizeof( struct file );
262
263 When declaring pointer data or a function that
264 preferred use of ``*`` is adjacent to the data
265 adjacent to the type name. Examples:
266
267 .. code-block:: c
268
269
270 char *linux_banner;
271 unsigned long long memparse(char *ptr,
272 char *match_strdup(substring_t *s);
273
274 Use one space around (on each side of) most bi
275 such as any of these::
276
277 = + - < > * / % | & ^ <= >
278
279 but no space after unary operators::
280
281 & * + - ~ ! sizeof typeof alig
282
283 no space before the postfix increment & decrem
284
285 ++ --
286
287 no space after the prefix increment & decremen
288
289 ++ --
290
291 and no space around the ``.`` and ``->`` struc
292
293 Do not leave trailing whitespace at the ends o
294 ``smart`` indentation will insert whitespace a
295 appropriate, so you can start typing the next
296 However, some such editors do not remove the w
297 putting a line of code there, such as if you l
298 you end up with lines containing trailing whit
299
300 Git will warn you about patches that introduce
301 optionally strip the trailing whitespace for y
302 of patches, this may make later patches in the
303 context lines.
304
305
306 4) Naming
307 ---------
308
309 C is a Spartan language, and your naming conve
310 Unlike Modula-2 and Pascal programmers, C prog
311 names like ThisVariableIsATemporaryCounter. A
312 variable ``tmp``, which is much easier to writ
313 difficult to understand.
314
315 HOWEVER, while mixed-case names are frowned up
316 global variables are a must. To call a global
317 shooting offense.
318
319 GLOBAL variables (to be used only if you **rea
320 have descriptive names, as do global functions
321 that counts the number of active users, you sh
322 ``count_active_users()`` or similar, you shoul
323
324 Encoding the type of a function into the name
325 notation) is asinine - the compiler knows the
326 those, and it only confuses the programmer.
327
328 LOCAL variable names should be short, and to t
329 some random integer loop counter, it should pr
330 Calling it ``loop_counter`` is non-productive,
331 being mis-understood. Similarly, ``tmp`` can
332 variable that is used to hold a temporary valu
333
334 If you are afraid to mix up your local variabl
335 problem, which is called the function-growth-h
336 See chapter 6 (Functions).
337
338 For symbol names and documentation, avoid intr
339 'master / slave' (or 'slave' independent of 'm
340 whitelist'.
341
342 Recommended replacements for 'master / slave'
343 '{primary,main} / {secondary,replica,subor
344 '{initiator,requester} / {target,responder
345 '{controller,host} / {device,worker,proxy}
346 'leader / follower'
347 'director / performer'
348
349 Recommended replacements for 'blacklist/whitel
350 'denylist / allowlist'
351 'blocklist / passlist'
352
353 Exceptions for introducing new usage is to mai
354 or when updating code for an existing (as of 2
355 specification that mandates those terms. For n
356 translate specification usage of the terminolo
357 standard where possible.
358
359 5) Typedefs
360 -----------
361
362 Please don't use things like ``vps_t``.
363 It's a **mistake** to use typedef for structur
364
365 .. code-block:: c
366
367
368 vps_t a;
369
370 in the source, what does it mean?
371 In contrast, if it says
372
373 .. code-block:: c
374
375 struct virtual_container *a;
376
377 you can actually tell what ``a`` is.
378
379 Lots of people think that typedefs ``help read
380 useful only for:
381
382 (a) totally opaque objects (where the typedef
383 what the object is).
384
385 Example: ``pte_t`` etc. opaque objects th
386 the proper accessor functions.
387
388 .. note::
389
390 Opaqueness and ``accessor functions`` a
391 The reason we have them for things like
392 really is absolutely **zero** portably
393
394 (b) Clear integer types, where the abstractio
395 whether it is ``int`` or ``long``.
396
397 u8/u16/u32 are perfectly fine typedefs, a
398 category (d) better than here.
399
400 .. note::
401
402 Again - there needs to be a **reason**
403 ``unsigned long``, then there's no reas
404
405 typedef unsigned long myflags_t;
406
407 but if there is a clear reason for why it
408 might be an ``unsigned int`` and under ot
409 ``unsigned long``, then by all means go a
410
411 (c) when you use sparse to literally create a
412 type-checking.
413
414 (d) New types which are identical to standard
415 exceptional circumstances.
416
417 Although it would only take a short amoun
418 brain to become accustomed to the standar
419 some people object to their use anyway.
420
421 Therefore, the Linux-specific ``u8/u16/u3
422 signed equivalents which are identical to
423 permitted -- although they are not mandat
424 own.
425
426 When editing existing code which already
427 of types, you should conform to the exist
428
429 (e) Types safe for use in userspace.
430
431 In certain structures which are visible t
432 require C99 types and cannot use the ``u3
433 use __u32 and similar types in all struct
434 with userspace.
435
436 Maybe there are other cases too, but the rule
437 EVER use a typedef unless you can clearly matc
438
439 In general, a pointer, or a struct that has el
440 be directly accessed should **never** be a typ
441
442
443 6) Functions
444 ------------
445
446 Functions should be short and sweet, and do ju
447 fit on one or two screenfuls of text (the ISO/
448 as we all know), and do one thing and do that
449
450 The maximum length of a function is inversely
451 complexity and indentation level of that funct
452 conceptually simple function that is just one
453 case-statement, where you have to do lots of s
454 different cases, it's OK to have a longer func
455
456 However, if you have a complex function, and y
457 less-than-gifted first-year high-school studen
458 understand what the function is all about, you
459 maximum limits all the more closely. Use help
460 descriptive names (you can ask the compiler to
461 it's performance-critical, and it will probabl
462 than you would have done).
463
464 Another measure of the function is the number
465 shouldn't exceed 5-10, or you're doing somethi
466 function, and split it into smaller pieces. A
467 generally easily keep track of about 7 differe
468 and it gets confused. You know you're brillia
469 to understand what you did 2 weeks from now.
470
471 In source files, separate functions with one b
472 exported, the **EXPORT** macro for it should f
473 closing function brace line. E.g.:
474
475 .. code-block:: c
476
477 int system_is_up(void)
478 {
479 return system_state == SYSTEM_
480 }
481 EXPORT_SYMBOL(system_is_up);
482
483 6.1) Function prototypes
484 ************************
485
486 In function prototypes, include parameter name
487 Although this is not required by the C languag
488 because it is a simple way to add valuable inf
489
490 Do not use the ``extern`` keyword with functio
491 lines longer and isn't strictly necessary.
492
493 When writing function prototypes, please keep
494 <https://lore.kernel.org/mm-commits/CAHk-=wiOCL
495 For example, using this function declaration e
496
497 __init void * __must_check action(enum magic
498 char *fmt,
499
500 The preferred order of elements for a function
501
502 - storage class (below, ``static __always_inli
503 is technically an attribute but is treated l
504 - storage class attributes (here, ``__init`` -
505 things like ``__cold``)
506 - return type (here, ``void *``)
507 - return type attributes (here, ``__must_check
508 - function name (here, ``action``)
509 - function parameters (here, ``(enum magic val
510 noting that parameter names should always be
511 - function parameter attributes (here, ``__pri
512 - function behavior attributes (here, ``__mall
513
514 Note that for a function **definition** (i.e.
515 the compiler does not allow function parameter
516 function parameters. In these cases, they shou
517 class attributes (e.g. note the changed positi
518 below, compared to the **declaration** example
519
520 static __always_inline __init __printf(4, 5)
521 size_t size, u8 count, char *f
522 {
523 ...
524 }
525
526 7) Centralized exiting of functions
527 -----------------------------------
528
529 Albeit deprecated by some people, the equivale
530 used frequently by compilers in form of the un
531
532 The goto statement comes in handy when a funct
533 locations and some common work such as cleanup
534 cleanup needed then just return directly.
535
536 Choose label names which say what the goto doe
537 example of a good name could be ``out_free_buf
538 Avoid using GW-BASIC names like ``err1:`` and
539 renumber them if you ever add or remove exit p
540 difficult to verify anyway.
541
542 The rationale for using gotos is:
543
544 - unconditional statements are easier to under
545 - nesting is reduced
546 - errors by not updating individual exit point
547 modifications are prevented
548 - saves the compiler work to optimize redundan
549
550 .. code-block:: c
551
552 int fun(int a)
553 {
554 int result = 0;
555 char *buffer;
556
557 buffer = kmalloc(SIZE, GFP_KER
558 if (!buffer)
559 return -ENOMEM;
560
561 if (condition1) {
562 while (loop1) {
563 ...
564 }
565 result = 1;
566 goto out_free_buffer;
567 }
568 ...
569 out_free_buffer:
570 kfree(buffer);
571 return result;
572 }
573
574 A common type of bug to be aware of is ``one e
575
576 .. code-block:: c
577
578 err:
579 kfree(foo->bar);
580 kfree(foo);
581 return ret;
582
583 The bug in this code is that on some exit path
584 fix for this is to split it up into two error
585 ``err_free_foo:``:
586
587 .. code-block:: c
588
589 err_free_bar:
590 kfree(foo->bar);
591 err_free_foo:
592 kfree(foo);
593 return ret;
594
595 Ideally you should simulate errors to test all
596
597
598 8) Commenting
599 -------------
600
601 Comments are good, but there is also a danger
602 try to explain HOW your code works in a commen
603 write the code so that the **working** is obvi
604 time to explain badly written code.
605
606 Generally, you want your comments to tell WHAT
607 Also, try to avoid putting comments inside a f
608 function is so complex that you need to separa
609 you should probably go back to chapter 6 for a
610 small comments to note or warn about something
611 ugly), but try to avoid excess. Instead, put
612 of the function, telling people what it does,
613 it.
614
615 When commenting the kernel API functions, plea
616 See the files at :ref:`Documentation/doc-guide
617 ``scripts/kernel-doc`` for details.
618
619 The preferred style for long (multi-line) comm
620
621 .. code-block:: c
622
623 /*
624 * This is the preferred style for mul
625 * comments in the Linux kernel source
626 * Please use it consistently.
627 *
628 * Description: A column of asterisks
629 * with beginning and ending almost-bl
630 */
631
632 It's also important to comment data, whether t
633 types. To this end, use just one data declara
634 multiple data declarations). This leaves you
635 item, explaining its use.
636
637
638 9) You've made a mess of it
639 ---------------------------
640
641 That's OK, we all do. You've probably been to
642 user helper that ``GNU emacs`` automatically f
643 you, and you've noticed that yes, it does do t
644 uses are less than desirable (in fact, they ar
645 typing - an infinite number of monkeys typing
646 make a good program).
647
648 So, you can either get rid of GNU emacs, or ch
649 values. To do the latter, you can stick the f
650
651 .. code-block:: elisp
652
653 (defun c-lineup-arglist-tabs-only (ignored)
654 "Line up argument lists by tabs, not space
655 (let* ((anchor (c-langelem-pos c-syntactic
656 (column (c-langelem-2nd-pos c-synta
657 (offset (- (1+ column) anchor))
658 (steps (floor offset c-basic-offset
659 (* (max steps 1)
660 c-basic-offset)))
661
662 (dir-locals-set-class-variables
663 'linux-kernel
664 '((c-mode . (
665 (c-basic-offset . 8)
666 (c-label-minimum-indentation . 0)
667 (c-offsets-alist . (
668 (arglist-close . c-l
669 (arglist-cont-nonempty .
670 (c-lineup-gcc-asm-reg c-
671 (arglist-intro . +)
672 (brace-list-intro . +)
673 (c . c-l
674 (case-label . 0)
675 (comment-intro . c-l
676 (cpp-define-intro . +)
677 (cpp-macro . -10
678 (cpp-macro-cont . +)
679 (defun-block-intro . +)
680 (else-clause . 0)
681 (func-decl-cont . +)
682 (inclass . +)
683 (inher-cont . c-l
684 (knr-argdecl-intro . 0)
685 (label . -10
686 (statement . 0)
687 (statement-block-intro . +)
688 (statement-case-intro . +)
689 (statement-cont . +)
690 (substatement . +)
691 ))
692 (indent-tabs-mode . t)
693 (show-trailing-whitespace . t)
694 ))))
695
696 (dir-locals-set-directory-class
697 (expand-file-name "~/src/linux-trees")
698 'linux-kernel)
699
700 This will make emacs go better with the kernel
701 files below ``~/src/linux-trees``.
702
703 But even if you fail in getting emacs to do sa
704 everything is lost: use ``indent``.
705
706 Now, again, GNU indent has the same brain-dead
707 has, which is why you need to give it a few co
708 However, that's not too bad, because even the
709 recognize the authority of K&R (the GNU people
710 just severely misguided in this matter), so yo
711 options ``-kr -i8`` (stands for ``K&R, 8 chara
712 ``scripts/Lindent``, which indents in the late
713
714 ``indent`` has a lot of options, and especiall
715 re-formatting you may want to take a look at t
716 remember: ``indent`` is not a fix for bad prog
717
718 Note that you can also use the ``clang-format`
719 these rules, to quickly re-format parts of you
720 and to review full files in order to spot codi
721 typos and possible improvements. It is also ha
722 for aligning variables/macros, for reflowing t
723 See the file :ref:`Documentation/dev-tools/cla
724 for more details.
725
726 Some basic editor settings, such as indentatio
727 set automatically if you are using an editor t
728 EditorConfig. See the official EditorConfig we
729 https://editorconfig.org/
730
731 10) Kconfig configuration files
732 -------------------------------
733
734 For all of the Kconfig* configuration files th
735 the indentation is somewhat different. Lines
736 are indented with one tab, while help text is
737 spaces. Example::
738
739 config AUDIT
740 bool "Auditing support"
741 depends on NET
742 help
743 Enable auditing infrastructure that
744 kernel subsystem, such as SELinux (w
745 logging of avc messages output). Do
746 auditing without CONFIG_AUDITSYSCALL
747
748 Seriously dangerous features (such as write su
749 filesystems) should advertise this prominently
750
751 config ADFS_FS_RW
752 bool "ADFS write support (DANGEROUS)"
753 depends on ADFS_FS
754 ...
755
756 For full documentation on the configuration fi
757 Documentation/kbuild/kconfig-language.rst.
758
759
760 11) Data structures
761 -------------------
762
763 Data structures that have visibility outside t
764 environment they are created and destroyed in
765 reference counts. In the kernel, garbage coll
766 outside the kernel garbage collection is slow
767 means that you absolutely **have** to referenc
768
769 Reference counting means that you can avoid lo
770 users to have access to the data structure in
771 to worry about the structure suddenly going aw
772 because they slept or did something else for a
773
774 Note that locking is **not** a replacement for
775 Locking is used to keep data structures cohere
776 counting is a memory management technique. Us
777 they are not to be confused with each other.
778
779 Many data structures can indeed have two level
780 when there are users of different ``classes``.
781 the number of subclass users, and decrements t
782 when the subclass count goes to zero.
783
784 Examples of this kind of ``multi-level-referen
785 memory management (``struct mm_struct``: mm_us
786 filesystem code (``struct super_block``: s_cou
787
788 Remember: if another thread can find your data
789 have a reference count on it, you almost certa
790
791
792 12) Macros, Enums and RTL
793 -------------------------
794
795 Names of macros defining constants and labels
796
797 .. code-block:: c
798
799 #define CONSTANT 0x12345
800
801 Enums are preferred when defining several rela
802
803 CAPITALIZED macro names are appreciated but ma
804 may be named in lower case.
805
806 Generally, inline functions are preferable to
807
808 Macros with multiple statements should be encl
809
810 .. code-block:: c
811
812 #define macrofun(a, b, c)
813 do {
814 if (a == 5)
815 do_this(b, c);
816 } while (0)
817
818 Function-like macros with unused parameters sh
819 inline functions to avoid the issue of unused
820
821 .. code-block:: c
822
823 static inline void fun(struct foo *foo
824 {
825 }
826
827 Due to historical practices, many files still
828 approach to evaluate parameters. However, this
829 Inline functions address the issue of "express
830 evaluated more than once", circumvent unused-v
831 are generally better documented than macros fo
832
833 .. code-block:: c
834
835 /*
836 * Avoid doing this whenever possible
837 * inline functions
838 */
839 #define macrofun(foo) do { (void) (foo
840
841 Things to avoid when using macros:
842
843 1) macros that affect control flow:
844
845 .. code-block:: c
846
847 #define FOO(x)
848 do {
849 if (blah(x) < 0)
850 return -EBUGGE
851 } while (0)
852
853 is a **very** bad idea. It looks like a funct
854 function; don't break the internal parsers of
855
856 2) macros that depend on having a local variab
857
858 .. code-block:: c
859
860 #define FOO(val) bar(index, val)
861
862 might look like a good thing, but it's confusi
863 code and it's prone to breakage from seemingly
864
865 3) macros with arguments that are used as l-va
866 bite you if somebody e.g. turns FOO into an in
867
868 4) forgetting about precedence: macros definin
869 must enclose the expression in parentheses. Be
870 macros using parameters.
871
872 .. code-block:: c
873
874 #define CONSTANT 0x4000
875 #define CONSTEXP (CONSTANT | 3)
876
877 5) namespace collisions when defining local va
878 functions:
879
880 .. code-block:: c
881
882 #define FOO(x)
883 ({
884 typeof(x) ret;
885 ret = calc_ret(x);
886 (ret);
887 })
888
889 ret is a common name for a local variable - __
890 to collide with an existing variable.
891
892 The cpp manual deals with macros exhaustively.
893 covers RTL which is used frequently with assem
894
895
896 13) Printing kernel messages
897 ----------------------------
898
899 Kernel developers like to be seen as literate.
900 of kernel messages to make a good impression.
901 contractions like ``dont``; use ``do not`` or
902 messages concise, clear, and unambiguous.
903
904 Kernel messages do not have to be terminated w
905
906 Printing numbers in parentheses (%d) adds no v
907
908 There are a number of driver model diagnostic
909 which you should use to make sure messages are
910 and driver, and are tagged with the right leve
911 dev_info(), and so forth. For messages that a
912 particular device, <linux/printk.h> defines pr
913 pr_warn(), pr_err(), etc. When drivers are wor
914 so prefer to use dev_dbg/pr_debug unless somet
915
916 Coming up with good debugging messages can be
917 you have them, they can be a huge help for rem
918 debug message printing is handled differently
919 messages. While the other pr_XXX() functions
920 pr_debug() does not; it is compiled out by def
921 defined or CONFIG_DYNAMIC_DEBUG is set. That
922 and a related convention uses VERBOSE_DEBUG to
923 the ones already enabled by DEBUG.
924
925 Many subsystems have Kconfig debug options to
926 corresponding Makefile; in other cases specifi
927 when a debug message should be unconditionally
928 already inside a debug-related #ifdef section,
929 used.
930
931
932 14) Allocating memory
933 ---------------------
934
935 The kernel provides the following general purp
936 kmalloc(), kzalloc(), kmalloc_array(), kcalloc
937 vzalloc(). Please refer to the API documentat
938 about them. :ref:`Documentation/core-api/memo
939 <memory_allocation>`
940
941 The preferred form for passing a size of a str
942
943 .. code-block:: c
944
945 p = kmalloc(sizeof(*p), ...);
946
947 The alternative form where struct name is spel
948 introduces an opportunity for a bug when the p
949 but the corresponding sizeof that is passed to
950
951 Casting the return value which is a void point
952 from void pointer to any other pointer type is
953 language.
954
955 The preferred form for allocating an array is
956
957 .. code-block:: c
958
959 p = kmalloc_array(n, sizeof(...), ...)
960
961 The preferred form for allocating a zeroed arr
962
963 .. code-block:: c
964
965 p = kcalloc(n, sizeof(...), ...);
966
967 Both forms check for overflow on the allocatio
968 and return NULL if that occurred.
969
970 These generic allocation functions all emit a
971 without __GFP_NOWARN so there is no use in emi
972 message when NULL is returned.
973
974 15) The inline disease
975 ----------------------
976
977 There appears to be a common misperception tha
978 faster" speedup option called ``inline``. Whil
979 appropriate (for example as a means of replaci
980 very often is not. Abundant use of the inline
981 kernel, which in turn slows the system as a wh
982 icache footprint for the CPU and simply becaus
983 available for the pagecache. Just think about
984 disk seek, which easily takes 5 milliseconds.
985 that can go into these 5 milliseconds.
986
987 A reasonable rule of thumb is to not put inlin
988 than 3 lines of code in them. An exception to
989 a parameter is known to be a compiletime const
990 constantness you *know* the compiler will be a
991 function away at compile time. For a good exam
992 the kmalloc() inline function.
993
994 Often people argue that adding inline to funct
995 only once is always a win since there is no sp
996 technically correct, gcc is capable of inlinin
997 help, and the maintenance issue of removing th
998 appears outweighs the potential value of the h
999 something it would have done anyway.
1000
1001
1002 16) Function return values and names
1003 ------------------------------------
1004
1005 Functions can return values of many different
1006 most common is a value indicating whether the
1007 failed. Such a value can be represented as a
1008 (-Exxx = failure, 0 = success) or a ``succeed
1009 non-zero = success).
1010
1011 Mixing up these two sorts of representations
1012 difficult-to-find bugs. If the C language in
1013 between integers and booleans then the compil
1014 for us... but it doesn't. To help prevent su
1015 convention::
1016
1017 If the name of a function is an actio
1018 the function should return an error-c
1019 is a predicate, the function should r
1020
1021 For example, ``add work`` is a command, and t
1022 for success or -EBUSY for failure. In the sa
1023 a predicate, and the pci_dev_present() functi
1024 finding a matching device or 0 if it doesn't.
1025
1026 All EXPORTed functions must respect this conv
1027 public functions. Private (static) functions
1028 recommended that they do.
1029
1030 Functions whose return value is the actual re
1031 than an indication of whether the computation
1032 this rule. Generally they indicate failure b
1033 result. Typical examples would be functions
1034 NULL or the ERR_PTR mechanism to report failu
1035
1036
1037 17) Using bool
1038 --------------
1039
1040 The Linux kernel bool type is an alias for th
1041 only evaluate to 0 or 1, and implicit or expl
1042 automatically converts the value to true or f
1043 !! construction is not needed, which eliminat
1044
1045 When working with bool values the true and fa
1046 instead of 1 and 0.
1047
1048 bool function return types and stack variable
1049 appropriate. Use of bool is encouraged to imp
1050 better option than 'int' for storing boolean
1051
1052 Do not use bool if cache line layout or size
1053 and alignment varies based on the compiled ar
1054 optimized for alignment and size should not u
1055
1056 If a structure has many true/false values, co
1057 bitfield with 1 bit members, or using an appr
1058 u8.
1059
1060 Similarly for function arguments, many true/f
1061 into a single bitwise 'flags' argument and 'f
1062 readable alternative if the call-sites have n
1063
1064 Otherwise limited use of bool in structures a
1065 readability.
1066
1067 18) Don't re-invent the kernel macros
1068 -------------------------------------
1069
1070 The header file include/linux/kernel.h contai
1071 you should use, rather than explicitly coding
1072 For example, if you need to calculate the len
1073 of the macro
1074
1075 .. code-block:: c
1076
1077 #define ARRAY_SIZE(x) (sizeof(x) / si
1078
1079 Similarly, if you need to calculate the size
1080
1081 .. code-block:: c
1082
1083 #define sizeof_field(t, f) (sizeof(((
1084
1085 There are also min() and max() macros that do
1086 need them. Feel free to peruse that header f
1087 defined that you shouldn't reproduce in your
1088
1089
1090 19) Editor modelines and other cruft
1091 ------------------------------------
1092
1093 Some editors can interpret configuration info
1094 indicated with special markers. For example,
1095 like this:
1096
1097 .. code-block:: c
1098
1099 -*- mode: c -*-
1100
1101 Or like this:
1102
1103 .. code-block:: c
1104
1105 /*
1106 Local Variables:
1107 compile-command: "gcc -DMAGIC_DEBUG_F
1108 End:
1109 */
1110
1111 Vim interprets markers that look like this:
1112
1113 .. code-block:: c
1114
1115 /* vim:set sw=8 noet */
1116
1117 Do not include any of these in source files.
1118 editor configurations, and your source files
1119 includes markers for indentation and mode con
1120 own custom mode, or may have some other magic
1121 work correctly.
1122
1123
1124 20) Inline assembly
1125 -------------------
1126
1127 In architecture-specific code, you may need t
1128 with CPU or platform functionality. Don't he
1129 However, don't use inline assembly gratuitous
1130 and should poke hardware from C when possible
1131
1132 Consider writing simple helper functions that
1133 assembly, rather than repeatedly writing them
1134 that inline assembly can use C parameters.
1135
1136 Large, non-trivial assembly functions should
1137 C prototypes defined in C header files. The
1138 functions should use ``asmlinkage``.
1139
1140 You may need to mark your asm statement as vo
1141 removing it if GCC doesn't notice any side ef
1142 do so, though, and doing so unnecessarily can
1143
1144 When writing a single inline assembly stateme
1145 instructions, put each instruction on a separ
1146 string, and end each string except the last w
1147 the next instruction in the assembly output:
1148
1149 .. code-block:: c
1150
1151 asm ("magic %reg1, #42\n\t"
1152 "more_magic %reg2, %reg3"
1153 : /* outputs */ : /* inputs */ :
1154
1155
1156 21) Conditional Compilation
1157 ---------------------------
1158
1159 Wherever possible, don't use preprocessor con
1160 files; doing so makes code harder to read and
1161 use such conditionals in a header file defini
1162 files, providing no-op stub versions in the #
1163 functions unconditionally from .c files. The
1164 any code for the stub calls, producing identi
1165 remain easy to follow.
1166
1167 Prefer to compile out entire functions, rathe
1168 portions of expressions. Rather than putting
1169 out part or all of the expression into a sepa
1170 conditional to that function.
1171
1172 If you have a function or variable which may
1173 particular configuration, and the compiler wo
1174 going unused, mark the definition as __maybe_
1175 a preprocessor conditional. (However, if a f
1176 unused, delete it.)
1177
1178 Within code, where possible, use the IS_ENABL
1179 symbol into a C boolean expression, and use i
1180
1181 .. code-block:: c
1182
1183 if (IS_ENABLED(CONFIG_SOMETHING)) {
1184 ...
1185 }
1186
1187 The compiler will constant-fold the condition
1188 the block of code just as with an #ifdef, so
1189 overhead. However, this approach still allow
1190 inside the block, and check it for correctnes
1191 references, etc). Thus, you still have to us
1192 block references symbols that will not exist
1193
1194 At the end of any non-trivial #if or #ifdef b
1195 place a comment after the #endif on the same
1196 expression used. For instance:
1197
1198 .. code-block:: c
1199
1200 #ifdef CONFIG_SOMETHING
1201 ...
1202 #endif /* CONFIG_SOMETHING */
1203
1204
1205 22) Do not crash the kernel
1206 ---------------------------
1207
1208 In general, the decision to crash the kernel
1209 than to the kernel developer.
1210
1211 Avoid panic()
1212 *************
1213
1214 panic() should be used with care and primaril
1215 panic() is, for example, acceptable when runn
1216 not being able to continue.
1217
1218 Use WARN() rather than BUG()
1219 ****************************
1220
1221 Do not add new code that uses any of the BUG(
1222 BUG_ON(), or VM_BUG_ON(). Instead, use a WARN
1223 WARN_ON_ONCE(), and possibly with recovery co
1224 required if there is no reasonable way to at
1225
1226 "I'm too lazy to do error handling" is not an
1227 internal corruptions with no way of continuin
1228 good justification.
1229
1230 Use WARN_ON_ONCE() rather than WARN() or WARN
1231 *********************************************
1232
1233 WARN_ON_ONCE() is generally preferred over WA
1234 is common for a given warning condition, if i
1235 multiple times. This can fill up and wrap the
1236 the system enough that the excessive logging
1237 problem.
1238
1239 Do not WARN lightly
1240 *******************
1241
1242 WARN*() is intended for unexpected, this-shou
1243 WARN*() macros are not to be used for anythin
1244 during normal operation. These are not pre- o
1245 example. Again: WARN*() must not be used for
1246 to trigger easily, for example, by user space
1247 possible alternative, if you need to notify t
1248
1249 Do not worry about panic_on_warn users
1250 **************************************
1251
1252 A few more words about panic_on_warn: Remembe
1253 available kernel option, and that many users
1254 there is a "Do not WARN lightly" writeup, abo
1255 panic_on_warn users is not a valid reason to
1256 WARN*(). That is because, whoever enables pan
1257 asked the kernel to crash if a WARN*() fires,
1258 prepared to deal with the consequences of a s
1259 likely to crash.
1260
1261 Use BUILD_BUG_ON() for compile-time assertion
1262 *********************************************
1263
1264 The use of BUILD_BUG_ON() is acceptable and e
1265 compile-time assertion that has no effect at
1266
1267 Appendix I) References
1268 ----------------------
1269
1270 The C Programming Language, Second Edition
1271 by Brian W. Kernighan and Dennis M. Ritchie.
1272 Prentice Hall, Inc., 1988.
1273 ISBN 0-13-110362-8 (paperback), 0-13-110370-9
1274
1275 The Practice of Programming
1276 by Brian W. Kernighan and Rob Pike.
1277 Addison-Wesley, Inc., 1999.
1278 ISBN 0-201-61586-X.
1279
1280 GNU manuals - where in compliance with K&R an
1281 gcc internals and indent, all available from
1282
1283 WG14 is the international standardization wor
1284 language C, URL: http://www.open-std.org/JTC1
1285
1286 Kernel CodingStyle, by greg@kroah.com at OLS
1287 http://www.kroah.com/linux/talks/ols_2002_ker
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.