1 .. SPDX-License-Identifier: GPL-2.0 1 .. SPDX-License-Identifier: GPL-2.0 2 2 3 .. _deprecated: << 4 << 5 ============================================== 3 ===================================================================== 6 Deprecated Interfaces, Language Features, Attr 4 Deprecated Interfaces, Language Features, Attributes, and Conventions 7 ============================================== 5 ===================================================================== 8 6 9 In a perfect world, it would be possible to co 7 In a perfect world, it would be possible to convert all instances of 10 some deprecated API into the new API and entir 8 some deprecated API into the new API and entirely remove the old API in 11 a single development cycle. However, due to th 9 a single development cycle. However, due to the size of the kernel, the 12 maintainership hierarchy, and timing, it's not 10 maintainership hierarchy, and timing, it's not always feasible to do these 13 kinds of conversions at once. This means that 11 kinds of conversions at once. This means that new instances may sneak into 14 the kernel while old ones are being removed, o 12 the kernel while old ones are being removed, only making the amount of 15 work to remove the API grow. In order to educa 13 work to remove the API grow. In order to educate developers about what 16 has been deprecated and why, this list has bee 14 has been deprecated and why, this list has been created as a place to 17 point when uses of deprecated things are propo 15 point when uses of deprecated things are proposed for inclusion in the 18 kernel. 16 kernel. 19 17 20 __deprecated 18 __deprecated 21 ------------ 19 ------------ 22 While this attribute does visually mark an int 20 While this attribute does visually mark an interface as deprecated, 23 it `does not produce warnings during builds an 21 it `does not produce warnings during builds any more 24 <https://git.kernel.org/linus/771c035372a036f8 22 <https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_ 25 because one of the standing goals of the kerne 23 because one of the standing goals of the kernel is to build without 26 warnings and no one was actually doing anythin 24 warnings and no one was actually doing anything to remove these deprecated 27 interfaces. While using `__deprecated` is nice 25 interfaces. While using `__deprecated` is nice to note an old API in 28 a header file, it isn't the full solution. Suc 26 a header file, it isn't the full solution. Such interfaces must either 29 be fully removed from the kernel, or added to 27 be fully removed from the kernel, or added to this file to discourage 30 others from using them in the future. 28 others from using them in the future. 31 29 32 BUG() and BUG_ON() << 33 ------------------ << 34 Use WARN() and WARN_ON() instead, and handle t << 35 error condition as gracefully as possible. Whi << 36 of APIs were originally designed to act as an << 37 assert and to kill a kernel thread "safely", t << 38 too risky. (e.g. "In what order do locks need << 39 various states been restored?") Very commonly, << 40 destabilize a system or entirely break it, whi << 41 to debug or even get viable crash reports. Lin << 42 <https://lore.kernel.org/lkml/CA+55aFy6jNLsywVY << 43 feelings `about this << 44 <https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTO << 45 << 46 Note that the WARN()-family should only be use << 47 be unreachable" situations. If you want to war << 48 but undesirable" situations, please use the pr << 49 functions. System owners may have set the *pan << 50 to make sure their systems do not continue run << 51 "unreachable" conditions. (For example, see co << 52 <https://git.kernel.org/linus/d4689846881d160a << 53 << 54 open-coded arithmetic in allocator arguments 30 open-coded arithmetic in allocator arguments 55 -------------------------------------------- 31 -------------------------------------------- 56 Dynamic size calculations (especially multipli 32 Dynamic size calculations (especially multiplication) should not be 57 performed in memory allocator (or similar) fun 33 performed in memory allocator (or similar) function arguments due to the 58 risk of them overflowing. This could lead to v 34 risk of them overflowing. This could lead to values wrapping around and a 59 smaller allocation being made than the caller 35 smaller allocation being made than the caller was expecting. Using those 60 allocations could lead to linear overflows of 36 allocations could lead to linear overflows of heap memory and other 61 misbehaviors. (One exception to this is litera 37 misbehaviors. (One exception to this is literal values where the compiler 62 can warn if they might overflow. However, the !! 38 can warn if they might overflow. Though using literals for arguments as 63 cases is to refactor the code as suggested bel !! 39 suggested below is also harmless.) 64 arithmetic.) << 65 40 66 For example, do not use ``count * size`` as an 41 For example, do not use ``count * size`` as an argument, as in:: 67 42 68 foo = kmalloc(count * size, GFP_KERNEL 43 foo = kmalloc(count * size, GFP_KERNEL); 69 44 70 Instead, the 2-factor form of the allocator sh 45 Instead, the 2-factor form of the allocator should be used:: 71 46 72 foo = kmalloc_array(count, size, GFP_K 47 foo = kmalloc_array(count, size, GFP_KERNEL); 73 48 74 Specifically, kmalloc() can be replaced with k << 75 kzalloc() can be replaced with kcalloc(). << 76 << 77 If no 2-factor form is available, the saturate 49 If no 2-factor form is available, the saturate-on-overflow helpers should 78 be used:: 50 be used:: 79 51 80 bar = dma_alloc_coherent(dev, array_si !! 52 bar = vmalloc(array_size(count, size)); 81 53 82 Another common case to avoid is calculating th 54 Another common case to avoid is calculating the size of a structure with 83 a trailing array of others structures, as in:: 55 a trailing array of others structures, as in:: 84 56 85 header = kzalloc(sizeof(*header) + cou 57 header = kzalloc(sizeof(*header) + count * sizeof(*header->item), 86 GFP_KERNEL); 58 GFP_KERNEL); 87 59 88 Instead, use the helper:: 60 Instead, use the helper:: 89 61 90 header = kzalloc(struct_size(header, i 62 header = kzalloc(struct_size(header, item, count), GFP_KERNEL); 91 63 92 .. note:: If you are using struct_size() on a !! 64 See :c:func:`array_size`, :c:func:`array3_size`, and :c:func:`struct_size`, 93 or a one-element array as a trailing a !! 65 for more details as well as the related :c:func:`check_add_overflow` and 94 array usage and switch to a `flexible !! 66 :c:func:`check_mul_overflow` family of functions. 95 <#zero-length-and-one-element-arrays>` << 96 << 97 For other calculations, please compose the use << 98 size_add(), and size_sub() helpers. For exampl << 99 << 100 foo = krealloc(current_size + chunk_si << 101 << 102 Instead, use the helpers:: << 103 << 104 foo = krealloc(size_add(current_size, << 105 size_mul(chunk << 106 size_ << 107 << 108 For more details, also see array3_size() and f << 109 as well as the related check_mul_overflow(), c << 110 check_sub_overflow(), and check_shl_overflow() << 111 67 112 simple_strtol(), simple_strtoll(), simple_strt 68 simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull() 113 ---------------------------------------------- 69 ---------------------------------------------------------------------- 114 The simple_strtol(), simple_strtoll(), !! 70 The :c:func:`simple_strtol`, :c:func:`simple_strtoll`, 115 simple_strtoul(), and simple_strtoull() functi !! 71 :c:func:`simple_strtoul`, and :c:func:`simple_strtoull` functions 116 explicitly ignore overflows, which may lead to 72 explicitly ignore overflows, which may lead to unexpected results 117 in callers. The respective kstrtol(), kstrtoll !! 73 in callers. The respective :c:func:`kstrtol`, :c:func:`kstrtoll`, 118 kstrtoul(), and kstrtoull() functions tend to !! 74 :c:func:`kstrtoul`, and :c:func:`kstrtoull` functions tend to be the 119 correct replacements, though note that those r 75 correct replacements, though note that those require the string to be 120 NUL or newline terminated. 76 NUL or newline terminated. 121 77 122 strcpy() 78 strcpy() 123 -------- 79 -------- 124 strcpy() performs no bounds checking on the de !! 80 :c:func:`strcpy` performs no bounds checking on the destination 125 could result in linear overflows beyond the en !! 81 buffer. This could result in linear overflows beyond the 126 all kinds of misbehaviors. While `CONFIG_FORTI !! 82 end of the buffer, leading to all kinds of misbehaviors. While 127 compiler flags help reduce the risk of using t !! 83 `CONFIG_FORTIFY_SOURCE=y` and various compiler flags help reduce the 128 no good reason to add new uses of this functio !! 84 risk of using this function, there is no good reason to add new uses of 129 is strscpy(), though care must be given to any !! 85 this function. The safe replacement is :c:func:`strscpy`. 130 value of strcpy() was used, since strscpy() do << 131 the destination, but rather a count of non-NUL << 132 errno when it truncates). << 133 86 134 strncpy() on NUL-terminated strings 87 strncpy() on NUL-terminated strings 135 ----------------------------------- 88 ----------------------------------- 136 Use of strncpy() does not guarantee that the d !! 89 Use of :c:func:`strncpy` does not guarantee that the destination buffer 137 be NUL terminated. This can lead to various li !! 90 will be NUL terminated. This can lead to various linear read overflows 138 other misbehavior due to the missing terminati !! 91 and other misbehavior due to the missing termination. It also NUL-pads the 139 the destination buffer if the source contents !! 92 destination buffer if the source contents are shorter than the destination 140 destination buffer size, which may be a needle !! 93 buffer size, which may be a needless performance penalty for callers using 141 for callers using only NUL-terminated strings. !! 94 only NUL-terminated strings. The safe replacement is :c:func:`strscpy`. 142 !! 95 (Users of :c:func:`strscpy` still needing NUL-padding will need an 143 When the destination is required to be NUL-ter !! 96 explicit :c:func:`memset` added.) 144 strscpy(), though care must be given to any ca << 145 of strncpy() was used, since strscpy() does no << 146 destination, but rather a count of non-NUL byt << 147 errno when it truncates). Any cases still need << 148 instead use strscpy_pad(). << 149 97 150 If a caller is using non-NUL-terminated string !! 98 If a caller is using non-NUL-terminated strings, :c:func:`strncpy()` can 151 used, and the destinations should be marked wi !! 99 still be used, but destinations should be marked with the `__nonstring 152 <https://gcc.gnu.org/onlinedocs/gcc/Common-Var 100 <https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_ 153 attribute to avoid future compiler warnings. F !! 101 attribute to avoid future compiler warnings. 154 NUL-padding, strtomem_pad() can be used. << 155 102 156 strlcpy() 103 strlcpy() 157 --------- 104 --------- 158 strlcpy() reads the entire source buffer first !! 105 :c:func:`strlcpy` reads the entire source buffer first, possibly exceeding 159 is meant to match that of strlen()). This read !! 106 the given limit of bytes to copy. This is inefficient and can lead to 160 size limit. This is both inefficient and can l !! 107 linear read overflows if a source string is not NUL-terminated. The 161 if a source string is not NUL-terminated. The !! 108 safe replacement is :c:func:`strscpy`. 162 though care must be given to any cases where t << 163 is used, since strscpy() will return negative << 164 << 165 %p format specifier << 166 ------------------- << 167 Traditionally, using "%p" in format strings wo << 168 exposure flaws in dmesg, proc, sysfs, etc. Ins << 169 be exploitable, all "%p" uses in the kernel ar << 170 value, rendering them unusable for addressing. << 171 be added to the kernel. For text addresses, us << 172 as it produces the more useful symbol name ins << 173 else, just do not add "%p" at all. << 174 << 175 Paraphrasing Linus's current `guidance <https:/ << 176 << 177 - If the hashed "%p" value is pointless, ask y << 178 itself is important. Maybe it should be remo << 179 - If you really think the true pointer value i << 180 system state or user privilege level conside << 181 you can justify it (in comments and commit l << 182 up to Linus's scrutiny, maybe you can use "% << 183 you have sensible permissions. << 184 << 185 If you are debugging something where "%p" hash << 186 you can temporarily boot with the debug flag " << 187 <https://git.kernel.org/linus/5ead723a20e0447b << 188 109 189 Variable Length Arrays (VLAs) 110 Variable Length Arrays (VLAs) 190 ----------------------------- 111 ----------------------------- 191 Using stack VLAs produces much worse machine c 112 Using stack VLAs produces much worse machine code than statically 192 sized stack arrays. While these non-trivial `p 113 sized stack arrays. While these non-trivial `performance issues 193 <https://git.kernel.org/linus/02361bc77888>`_ 114 <https://git.kernel.org/linus/02361bc77888>`_ are reason enough to 194 eliminate VLAs, they are also a security risk. 115 eliminate VLAs, they are also a security risk. Dynamic growth of a stack 195 array may exceed the remaining memory in the s 116 array may exceed the remaining memory in the stack segment. This could 196 lead to a crash, possible overwriting sensitiv 117 lead to a crash, possible overwriting sensitive contents at the end of the 197 stack (when built without `CONFIG_THREAD_INFO_ 118 stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting 198 memory adjacent to the stack (when built witho 119 memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`) 199 << 200 Implicit switch case fall-through << 201 --------------------------------- << 202 The C language allows switch cases to fall thr << 203 when a "break" statement is missing at the end << 204 introduces ambiguity in the code, as it's not << 205 break is intentional or a bug. For example, it << 206 looking at the code if `STATE_ONE` is intentio << 207 through into `STATE_TWO`:: << 208 << 209 switch (value) { << 210 case STATE_ONE: << 211 do_something(); << 212 case STATE_TWO: << 213 do_other(); << 214 break; << 215 default: << 216 WARN("unknown state"); << 217 } << 218 << 219 As there have been a long list of flaws `due t << 220 <https://cwe.mitre.org/data/definitions/484.ht << 221 implicit fall-through. In order to identify in << 222 cases, we have adopted a pseudo-keyword macro << 223 expands to gcc's extension `__attribute__((__f << 224 <https://gcc.gnu.org/onlinedocs/gcc/Statement- << 225 (When the C17/C18 `[[fallthrough]]` syntax is << 226 C compilers, static analyzers, and IDEs, we ca << 227 for the macro pseudo-keyword.) << 228 << 229 All switch/case blocks must end in one of: << 230 << 231 * break; << 232 * fallthrough; << 233 * continue; << 234 * goto <label>; << 235 * return [expression]; << 236 << 237 Zero-length and one-element arrays << 238 ---------------------------------- << 239 There is a regular need in the kernel to provi << 240 a dynamically sized set of trailing elements i << 241 should always use `"flexible array members" <h << 242 for these cases. The older style of one-elemen << 243 no longer be used. << 244 << 245 In older C code, dynamically sized trailing el << 246 a one-element array at the end of a structure: << 247 << 248 struct something { << 249 size_t count; << 250 struct foo items[1]; << 251 }; << 252 << 253 This led to fragile size calculations via size << 254 remove the size of the single trailing element << 255 the "header"). A `GNU C extension <https://gcc << 256 was introduced to allow for zero-length arrays << 257 size problems:: << 258 << 259 struct something { << 260 size_t count; << 261 struct foo items[0]; << 262 }; << 263 << 264 But this led to other problems, and didn't sol << 265 both styles, like not being able to detect whe << 266 being used _not_ at the end of a structure (wh << 267 when such a struct was in unions, structs of s << 268 << 269 C99 introduced "flexible array members", which << 270 the array declaration entirely:: << 271 << 272 struct something { << 273 size_t count; << 274 struct foo items[]; << 275 }; << 276 << 277 This is the way the kernel expects dynamically << 278 to be declared. It allows the compiler to gene << 279 flexible array does not occur last in the stru << 280 some kind of `undefined behavior << 281 <https://git.kernel.org/linus/76497732932f15e7 << 282 bugs from being inadvertently introduced to th << 283 the compiler to correctly analyze array sizes << 284 `CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOU << 285 there is no mechanism that warns us that the f << 286 sizeof() operator to a zero-length array alway << 287 << 288 struct something { << 289 size_t count; << 290 struct foo items[0]; << 291 }; << 292 << 293 struct something *instance; << 294 << 295 instance = kmalloc(struct_size(instanc << 296 instance->count = count; << 297 << 298 size = sizeof(instance->items) * insta << 299 memcpy(instance->items, source, size); << 300 << 301 At the last line of code above, ``size`` turns << 302 have thought it represents the total size in b << 303 allocated for the trailing array ``items``. He << 304 issue: `link 1 << 305 <https://git.kernel.org/linus/f2cd32a443da694a << 306 `link 2 << 307 <https://git.kernel.org/linus/ab91c2a89f86be28 << 308 Instead, `flexible array members have incomple << 309 operator may not be applied <https://gcc.gnu.o << 310 so any misuse of such operators will be immedi << 311 << 312 With respect to one-element arrays, one has to << 313 occupy at least as much space as a single obje << 314 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Lengt << 315 hence they contribute to the size of the enclo << 316 to error every time people want to calculate t << 317 to allocate for a structure containing an arra << 318 << 319 struct something { << 320 size_t count; << 321 struct foo items[1]; << 322 }; << 323 << 324 struct something *instance; << 325 << 326 instance = kmalloc(struct_size(instanc << 327 instance->count = count; << 328 << 329 size = sizeof(instance->items) * insta << 330 memcpy(instance->items, source, size); << 331 << 332 In the example above, we had to remember to ca << 333 the struct_size() helper, otherwise we would h << 334 memory for one too many ``items`` objects. The << 335 to implement this is through the use of a `fle << 336 struct_size() and flex_array_size() helpers:: << 337 << 338 struct something { << 339 size_t count; << 340 struct foo items[]; << 341 }; << 342 << 343 struct something *instance; << 344 << 345 instance = kmalloc(struct_size(instanc << 346 instance->count = count; << 347 << 348 memcpy(instance->items, source, flex_a << 349 << 350 There are two special cases of replacement whe << 351 helper needs to be used. (Note that it is name << 352 use in UAPI headers.) Those cases are when the << 353 alone in a struct or is part of a union. These << 354 specification, but for no technical reason (as << 355 existing use of such arrays in those places an << 356 DECLARE_FLEX_ARRAY() uses). For example, to co << 357 << 358 struct something { << 359 ... << 360 union { << 361 struct type1 one[0]; << 362 struct type2 two[0]; << 363 }; << 364 }; << 365 << 366 The helper must be used:: << 367 << 368 struct something { << 369 ... << 370 union { << 371 DECLARE_FLEX_ARRAY(str << 372 DECLARE_FLEX_ARRAY(str << 373 }; << 374 }; <<
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.