1 .. SPDX-License-Identifier: GPL-2.0
2
3 .. _deprecated:
4
5 ==============================================
6 Deprecated Interfaces, Language Features, Attr
7 ==============================================
8
9 In a perfect world, it would be possible to co
10 some deprecated API into the new API and entir
11 a single development cycle. However, due to th
12 maintainership hierarchy, and timing, it's not
13 kinds of conversions at once. This means that
14 the kernel while old ones are being removed, o
15 work to remove the API grow. In order to educa
16 has been deprecated and why, this list has bee
17 point when uses of deprecated things are propo
18 kernel.
19
20 __deprecated
21 ------------
22 While this attribute does visually mark an int
23 it `does not produce warnings during builds an
24 <https://git.kernel.org/linus/771c035372a036f8
25 because one of the standing goals of the kerne
26 warnings and no one was actually doing anythin
27 interfaces. While using `__deprecated` is nice
28 a header file, it isn't the full solution. Suc
29 be fully removed from the kernel, or added to
30 others from using them in the future.
31
32 BUG() and BUG_ON()
33 ------------------
34 Use WARN() and WARN_ON() instead, and handle t
35 error condition as gracefully as possible. Whi
36 of APIs were originally designed to act as an
37 assert and to kill a kernel thread "safely", t
38 too risky. (e.g. "In what order do locks need
39 various states been restored?") Very commonly,
40 destabilize a system or entirely break it, whi
41 to debug or even get viable crash reports. Lin
42 <https://lore.kernel.org/lkml/CA+55aFy6jNLsywVY
43 feelings `about this
44 <https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTO
45
46 Note that the WARN()-family should only be use
47 be unreachable" situations. If you want to war
48 but undesirable" situations, please use the pr
49 functions. System owners may have set the *pan
50 to make sure their systems do not continue run
51 "unreachable" conditions. (For example, see co
52 <https://git.kernel.org/linus/d4689846881d160a
53
54 open-coded arithmetic in allocator arguments
55 --------------------------------------------
56 Dynamic size calculations (especially multipli
57 performed in memory allocator (or similar) fun
58 risk of them overflowing. This could lead to v
59 smaller allocation being made than the caller
60 allocations could lead to linear overflows of
61 misbehaviors. (One exception to this is litera
62 can warn if they might overflow. However, the
63 cases is to refactor the code as suggested bel
64 arithmetic.)
65
66 For example, do not use ``count * size`` as an
67
68 foo = kmalloc(count * size, GFP_KERNEL
69
70 Instead, the 2-factor form of the allocator sh
71
72 foo = kmalloc_array(count, size, GFP_K
73
74 Specifically, kmalloc() can be replaced with k
75 kzalloc() can be replaced with kcalloc().
76
77 If no 2-factor form is available, the saturate
78 be used::
79
80 bar = dma_alloc_coherent(dev, array_si
81
82 Another common case to avoid is calculating th
83 a trailing array of others structures, as in::
84
85 header = kzalloc(sizeof(*header) + cou
86 GFP_KERNEL);
87
88 Instead, use the helper::
89
90 header = kzalloc(struct_size(header, i
91
92 .. note:: If you are using struct_size() on a
93 or a one-element array as a trailing a
94 array usage and switch to a `flexible
95 <#zero-length-and-one-element-arrays>`
96
97 For other calculations, please compose the use
98 size_add(), and size_sub() helpers. For exampl
99
100 foo = krealloc(current_size + chunk_si
101
102 Instead, use the helpers::
103
104 foo = krealloc(size_add(current_size,
105 size_mul(chunk
106 size_
107
108 For more details, also see array3_size() and f
109 as well as the related check_mul_overflow(), c
110 check_sub_overflow(), and check_shl_overflow()
111
112 simple_strtol(), simple_strtoll(), simple_strt
113 ----------------------------------------------
114 The simple_strtol(), simple_strtoll(),
115 simple_strtoul(), and simple_strtoull() functi
116 explicitly ignore overflows, which may lead to
117 in callers. The respective kstrtol(), kstrtoll
118 kstrtoul(), and kstrtoull() functions tend to
119 correct replacements, though note that those r
120 NUL or newline terminated.
121
122 strcpy()
123 --------
124 strcpy() performs no bounds checking on the de
125 could result in linear overflows beyond the en
126 all kinds of misbehaviors. While `CONFIG_FORTI
127 compiler flags help reduce the risk of using t
128 no good reason to add new uses of this functio
129 is strscpy(), though care must be given to any
130 value of strcpy() was used, since strscpy() do
131 the destination, but rather a count of non-NUL
132 errno when it truncates).
133
134 strncpy() on NUL-terminated strings
135 -----------------------------------
136 Use of strncpy() does not guarantee that the d
137 be NUL terminated. This can lead to various li
138 other misbehavior due to the missing terminati
139 the destination buffer if the source contents
140 destination buffer size, which may be a needle
141 for callers using only NUL-terminated strings.
142
143 When the destination is required to be NUL-ter
144 strscpy(), though care must be given to any ca
145 of strncpy() was used, since strscpy() does no
146 destination, but rather a count of non-NUL byt
147 errno when it truncates). Any cases still need
148 instead use strscpy_pad().
149
150 If a caller is using non-NUL-terminated string
151 used, and the destinations should be marked wi
152 <https://gcc.gnu.org/onlinedocs/gcc/Common-Var
153 attribute to avoid future compiler warnings. F
154 NUL-padding, strtomem_pad() can be used.
155
156 strlcpy()
157 ---------
158 strlcpy() reads the entire source buffer first
159 is meant to match that of strlen()). This read
160 size limit. This is both inefficient and can l
161 if a source string is not NUL-terminated. The
162 though care must be given to any cases where t
163 is used, since strscpy() will return negative
164
165 %p format specifier
166 -------------------
167 Traditionally, using "%p" in format strings wo
168 exposure flaws in dmesg, proc, sysfs, etc. Ins
169 be exploitable, all "%p" uses in the kernel ar
170 value, rendering them unusable for addressing.
171 be added to the kernel. For text addresses, us
172 as it produces the more useful symbol name ins
173 else, just do not add "%p" at all.
174
175 Paraphrasing Linus's current `guidance <https:/
176
177 - If the hashed "%p" value is pointless, ask y
178 itself is important. Maybe it should be remo
179 - If you really think the true pointer value i
180 system state or user privilege level conside
181 you can justify it (in comments and commit l
182 up to Linus's scrutiny, maybe you can use "%
183 you have sensible permissions.
184
185 If you are debugging something where "%p" hash
186 you can temporarily boot with the debug flag "
187 <https://git.kernel.org/linus/5ead723a20e0447b
188
189 Variable Length Arrays (VLAs)
190 -----------------------------
191 Using stack VLAs produces much worse machine c
192 sized stack arrays. While these non-trivial `p
193 <https://git.kernel.org/linus/02361bc77888>`_
194 eliminate VLAs, they are also a security risk.
195 array may exceed the remaining memory in the s
196 lead to a crash, possible overwriting sensitiv
197 stack (when built without `CONFIG_THREAD_INFO_
198 memory adjacent to the stack (when built witho
199
200 Implicit switch case fall-through
201 ---------------------------------
202 The C language allows switch cases to fall thr
203 when a "break" statement is missing at the end
204 introduces ambiguity in the code, as it's not
205 break is intentional or a bug. For example, it
206 looking at the code if `STATE_ONE` is intentio
207 through into `STATE_TWO`::
208
209 switch (value) {
210 case STATE_ONE:
211 do_something();
212 case STATE_TWO:
213 do_other();
214 break;
215 default:
216 WARN("unknown state");
217 }
218
219 As there have been a long list of flaws `due t
220 <https://cwe.mitre.org/data/definitions/484.ht
221 implicit fall-through. In order to identify in
222 cases, we have adopted a pseudo-keyword macro
223 expands to gcc's extension `__attribute__((__f
224 <https://gcc.gnu.org/onlinedocs/gcc/Statement-
225 (When the C17/C18 `[[fallthrough]]` syntax is
226 C compilers, static analyzers, and IDEs, we ca
227 for the macro pseudo-keyword.)
228
229 All switch/case blocks must end in one of:
230
231 * break;
232 * fallthrough;
233 * continue;
234 * goto <label>;
235 * return [expression];
236
237 Zero-length and one-element arrays
238 ----------------------------------
239 There is a regular need in the kernel to provi
240 a dynamically sized set of trailing elements i
241 should always use `"flexible array members" <h
242 for these cases. The older style of one-elemen
243 no longer be used.
244
245 In older C code, dynamically sized trailing el
246 a one-element array at the end of a structure:
247
248 struct something {
249 size_t count;
250 struct foo items[1];
251 };
252
253 This led to fragile size calculations via size
254 remove the size of the single trailing element
255 the "header"). A `GNU C extension <https://gcc
256 was introduced to allow for zero-length arrays
257 size problems::
258
259 struct something {
260 size_t count;
261 struct foo items[0];
262 };
263
264 But this led to other problems, and didn't sol
265 both styles, like not being able to detect whe
266 being used _not_ at the end of a structure (wh
267 when such a struct was in unions, structs of s
268
269 C99 introduced "flexible array members", which
270 the array declaration entirely::
271
272 struct something {
273 size_t count;
274 struct foo items[];
275 };
276
277 This is the way the kernel expects dynamically
278 to be declared. It allows the compiler to gene
279 flexible array does not occur last in the stru
280 some kind of `undefined behavior
281 <https://git.kernel.org/linus/76497732932f15e7
282 bugs from being inadvertently introduced to th
283 the compiler to correctly analyze array sizes
284 `CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOU
285 there is no mechanism that warns us that the f
286 sizeof() operator to a zero-length array alway
287
288 struct something {
289 size_t count;
290 struct foo items[0];
291 };
292
293 struct something *instance;
294
295 instance = kmalloc(struct_size(instanc
296 instance->count = count;
297
298 size = sizeof(instance->items) * insta
299 memcpy(instance->items, source, size);
300
301 At the last line of code above, ``size`` turns
302 have thought it represents the total size in b
303 allocated for the trailing array ``items``. He
304 issue: `link 1
305 <https://git.kernel.org/linus/f2cd32a443da694a
306 `link 2
307 <https://git.kernel.org/linus/ab91c2a89f86be28
308 Instead, `flexible array members have incomple
309 operator may not be applied <https://gcc.gnu.o
310 so any misuse of such operators will be immedi
311
312 With respect to one-element arrays, one has to
313 occupy at least as much space as a single obje
314 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Lengt
315 hence they contribute to the size of the enclo
316 to error every time people want to calculate t
317 to allocate for a structure containing an arra
318
319 struct something {
320 size_t count;
321 struct foo items[1];
322 };
323
324 struct something *instance;
325
326 instance = kmalloc(struct_size(instanc
327 instance->count = count;
328
329 size = sizeof(instance->items) * insta
330 memcpy(instance->items, source, size);
331
332 In the example above, we had to remember to ca
333 the struct_size() helper, otherwise we would h
334 memory for one too many ``items`` objects. The
335 to implement this is through the use of a `fle
336 struct_size() and flex_array_size() helpers::
337
338 struct something {
339 size_t count;
340 struct foo items[];
341 };
342
343 struct something *instance;
344
345 instance = kmalloc(struct_size(instanc
346 instance->count = count;
347
348 memcpy(instance->items, source, flex_a
349
350 There are two special cases of replacement whe
351 helper needs to be used. (Note that it is name
352 use in UAPI headers.) Those cases are when the
353 alone in a struct or is part of a union. These
354 specification, but for no technical reason (as
355 existing use of such arrays in those places an
356 DECLARE_FLEX_ARRAY() uses). For example, to co
357
358 struct something {
359 ...
360 union {
361 struct type1 one[0];
362 struct type2 two[0];
363 };
364 };
365
366 The helper must be used::
367
368 struct something {
369 ...
370 union {
371 DECLARE_FLEX_ARRAY(str
372 DECLARE_FLEX_ARRAY(str
373 };
374 };
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.