~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/process/deprecated.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/process/deprecated.rst (Version linux-6.12-rc7) and /Documentation/process/deprecated.rst (Version linux-5.14.21)


  1 .. SPDX-License-Identifier: GPL-2.0                 1 .. SPDX-License-Identifier: GPL-2.0
  2                                                     2 
  3 .. _deprecated:                                     3 .. _deprecated:
  4                                                     4 
  5 ==============================================      5 =====================================================================
  6 Deprecated Interfaces, Language Features, Attr      6 Deprecated Interfaces, Language Features, Attributes, and Conventions
  7 ==============================================      7 =====================================================================
  8                                                     8 
  9 In a perfect world, it would be possible to co      9 In a perfect world, it would be possible to convert all instances of
 10 some deprecated API into the new API and entir     10 some deprecated API into the new API and entirely remove the old API in
 11 a single development cycle. However, due to th     11 a single development cycle. However, due to the size of the kernel, the
 12 maintainership hierarchy, and timing, it's not     12 maintainership hierarchy, and timing, it's not always feasible to do these
 13 kinds of conversions at once. This means that      13 kinds of conversions at once. This means that new instances may sneak into
 14 the kernel while old ones are being removed, o     14 the kernel while old ones are being removed, only making the amount of
 15 work to remove the API grow. In order to educa     15 work to remove the API grow. In order to educate developers about what
 16 has been deprecated and why, this list has bee     16 has been deprecated and why, this list has been created as a place to
 17 point when uses of deprecated things are propo     17 point when uses of deprecated things are proposed for inclusion in the
 18 kernel.                                            18 kernel.
 19                                                    19 
 20 __deprecated                                       20 __deprecated
 21 ------------                                       21 ------------
 22 While this attribute does visually mark an int     22 While this attribute does visually mark an interface as deprecated,
 23 it `does not produce warnings during builds an     23 it `does not produce warnings during builds any more
 24 <https://git.kernel.org/linus/771c035372a036f8     24 <https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_
 25 because one of the standing goals of the kerne     25 because one of the standing goals of the kernel is to build without
 26 warnings and no one was actually doing anythin     26 warnings and no one was actually doing anything to remove these deprecated
 27 interfaces. While using `__deprecated` is nice     27 interfaces. While using `__deprecated` is nice to note an old API in
 28 a header file, it isn't the full solution. Suc     28 a header file, it isn't the full solution. Such interfaces must either
 29 be fully removed from the kernel, or added to      29 be fully removed from the kernel, or added to this file to discourage
 30 others from using them in the future.              30 others from using them in the future.
 31                                                    31 
 32 BUG() and BUG_ON()                                 32 BUG() and BUG_ON()
 33 ------------------                                 33 ------------------
 34 Use WARN() and WARN_ON() instead, and handle t     34 Use WARN() and WARN_ON() instead, and handle the "impossible"
 35 error condition as gracefully as possible. Whi     35 error condition as gracefully as possible. While the BUG()-family
 36 of APIs were originally designed to act as an      36 of APIs were originally designed to act as an "impossible situation"
 37 assert and to kill a kernel thread "safely", t     37 assert and to kill a kernel thread "safely", they turn out to just be
 38 too risky. (e.g. "In what order do locks need      38 too risky. (e.g. "In what order do locks need to be released? Have
 39 various states been restored?") Very commonly,     39 various states been restored?") Very commonly, using BUG() will
 40 destabilize a system or entirely break it, whi     40 destabilize a system or entirely break it, which makes it impossible
 41 to debug or even get viable crash reports. Lin     41 to debug or even get viable crash reports. Linus has `very strong
 42 <https://lore.kernel.org/lkml/CA+55aFy6jNLsywVY     42 <https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_
 43 feelings `about this                               43 feelings `about this
 44 <https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTO     44 <https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/">https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_.
 45                                                    45 
 46 Note that the WARN()-family should only be use     46 Note that the WARN()-family should only be used for "expected to
 47 be unreachable" situations. If you want to war     47 be unreachable" situations. If you want to warn about "reachable
 48 but undesirable" situations, please use the pr     48 but undesirable" situations, please use the pr_warn()-family of
 49 functions. System owners may have set the *pan     49 functions. System owners may have set the *panic_on_warn* sysctl,
 50 to make sure their systems do not continue run     50 to make sure their systems do not continue running in the face of
 51 "unreachable" conditions. (For example, see co     51 "unreachable" conditions. (For example, see commits like `this one
 52 <https://git.kernel.org/linus/d4689846881d160a     52 <https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_.)
 53                                                    53 
 54 open-coded arithmetic in allocator arguments       54 open-coded arithmetic in allocator arguments
 55 --------------------------------------------       55 --------------------------------------------
 56 Dynamic size calculations (especially multipli     56 Dynamic size calculations (especially multiplication) should not be
 57 performed in memory allocator (or similar) fun     57 performed in memory allocator (or similar) function arguments due to the
 58 risk of them overflowing. This could lead to v     58 risk of them overflowing. This could lead to values wrapping around and a
 59 smaller allocation being made than the caller      59 smaller allocation being made than the caller was expecting. Using those
 60 allocations could lead to linear overflows of      60 allocations could lead to linear overflows of heap memory and other
 61 misbehaviors. (One exception to this is litera     61 misbehaviors. (One exception to this is literal values where the compiler
 62 can warn if they might overflow. However, the  !!  62 can warn if they might overflow. Though using literals for arguments as
 63 cases is to refactor the code as suggested bel !!  63 suggested below is also harmless.)
 64 arithmetic.)                                   << 
 65                                                    64 
 66 For example, do not use ``count * size`` as an     65 For example, do not use ``count * size`` as an argument, as in::
 67                                                    66 
 68         foo = kmalloc(count * size, GFP_KERNEL     67         foo = kmalloc(count * size, GFP_KERNEL);
 69                                                    68 
 70 Instead, the 2-factor form of the allocator sh     69 Instead, the 2-factor form of the allocator should be used::
 71                                                    70 
 72         foo = kmalloc_array(count, size, GFP_K     71         foo = kmalloc_array(count, size, GFP_KERNEL);
 73                                                    72 
 74 Specifically, kmalloc() can be replaced with k << 
 75 kzalloc() can be replaced with kcalloc().      << 
 76                                                << 
 77 If no 2-factor form is available, the saturate     73 If no 2-factor form is available, the saturate-on-overflow helpers should
 78 be used::                                          74 be used::
 79                                                    75 
 80         bar = dma_alloc_coherent(dev, array_si !!  76         bar = vmalloc(array_size(count, size));
 81                                                    77 
 82 Another common case to avoid is calculating th     78 Another common case to avoid is calculating the size of a structure with
 83 a trailing array of others structures, as in::     79 a trailing array of others structures, as in::
 84                                                    80 
 85         header = kzalloc(sizeof(*header) + cou     81         header = kzalloc(sizeof(*header) + count * sizeof(*header->item),
 86                          GFP_KERNEL);              82                          GFP_KERNEL);
 87                                                    83 
 88 Instead, use the helper::                          84 Instead, use the helper::
 89                                                    85 
 90         header = kzalloc(struct_size(header, i     86         header = kzalloc(struct_size(header, item, count), GFP_KERNEL);
 91                                                    87 
 92 .. note:: If you are using struct_size() on a      88 .. note:: If you are using struct_size() on a structure containing a zero-length
 93         or a one-element array as a trailing a     89         or a one-element array as a trailing array member, please refactor such
 94         array usage and switch to a `flexible      90         array usage and switch to a `flexible array member
 95         <#zero-length-and-one-element-arrays>`     91         <#zero-length-and-one-element-arrays>`_ instead.
 96                                                    92 
 97 For other calculations, please compose the use !!  93 See array_size(), array3_size(), and struct_size(),
 98 size_add(), and size_sub() helpers. For exampl !!  94 for more details as well as the related check_add_overflow() and
 99                                                !!  95 check_mul_overflow() family of functions.
100         foo = krealloc(current_size + chunk_si << 
101                                                << 
102 Instead, use the helpers::                     << 
103                                                << 
104         foo = krealloc(size_add(current_size,  << 
105                                 size_mul(chunk << 
106                                          size_ << 
107                                                << 
108 For more details, also see array3_size() and f << 
109 as well as the related check_mul_overflow(), c << 
110 check_sub_overflow(), and check_shl_overflow() << 
111                                                    96 
112 simple_strtol(), simple_strtoll(), simple_strt     97 simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull()
113 ----------------------------------------------     98 ----------------------------------------------------------------------
114 The simple_strtol(), simple_strtoll(),             99 The simple_strtol(), simple_strtoll(),
115 simple_strtoul(), and simple_strtoull() functi    100 simple_strtoul(), and simple_strtoull() functions
116 explicitly ignore overflows, which may lead to    101 explicitly ignore overflows, which may lead to unexpected results
117 in callers. The respective kstrtol(), kstrtoll    102 in callers. The respective kstrtol(), kstrtoll(),
118 kstrtoul(), and kstrtoull() functions tend to     103 kstrtoul(), and kstrtoull() functions tend to be the
119 correct replacements, though note that those r    104 correct replacements, though note that those require the string to be
120 NUL or newline terminated.                        105 NUL or newline terminated.
121                                                   106 
122 strcpy()                                          107 strcpy()
123 --------                                          108 --------
124 strcpy() performs no bounds checking on the de    109 strcpy() performs no bounds checking on the destination buffer. This
125 could result in linear overflows beyond the en    110 could result in linear overflows beyond the end of the buffer, leading to
126 all kinds of misbehaviors. While `CONFIG_FORTI    111 all kinds of misbehaviors. While `CONFIG_FORTIFY_SOURCE=y` and various
127 compiler flags help reduce the risk of using t    112 compiler flags help reduce the risk of using this function, there is
128 no good reason to add new uses of this functio    113 no good reason to add new uses of this function. The safe replacement
129 is strscpy(), though care must be given to any    114 is strscpy(), though care must be given to any cases where the return
130 value of strcpy() was used, since strscpy() do    115 value of strcpy() was used, since strscpy() does not return a pointer to
131 the destination, but rather a count of non-NUL    116 the destination, but rather a count of non-NUL bytes copied (or negative
132 errno when it truncates).                         117 errno when it truncates).
133                                                   118 
134 strncpy() on NUL-terminated strings               119 strncpy() on NUL-terminated strings
135 -----------------------------------               120 -----------------------------------
136 Use of strncpy() does not guarantee that the d    121 Use of strncpy() does not guarantee that the destination buffer will
137 be NUL terminated. This can lead to various li    122 be NUL terminated. This can lead to various linear read overflows and
138 other misbehavior due to the missing terminati    123 other misbehavior due to the missing termination. It also NUL-pads
139 the destination buffer if the source contents     124 the destination buffer if the source contents are shorter than the
140 destination buffer size, which may be a needle    125 destination buffer size, which may be a needless performance penalty
141 for callers using only NUL-terminated strings. !! 126 for callers using only NUL-terminated strings. The safe replacement is
142                                                << 
143 When the destination is required to be NUL-ter << 
144 strscpy(), though care must be given to any ca    127 strscpy(), though care must be given to any cases where the return value
145 of strncpy() was used, since strscpy() does no    128 of strncpy() was used, since strscpy() does not return a pointer to the
146 destination, but rather a count of non-NUL byt    129 destination, but rather a count of non-NUL bytes copied (or negative
147 errno when it truncates). Any cases still need    130 errno when it truncates). Any cases still needing NUL-padding should
148 instead use strscpy_pad().                        131 instead use strscpy_pad().
149                                                   132 
150 If a caller is using non-NUL-terminated string !! 133 If a caller is using non-NUL-terminated strings, strncpy() can
151 used, and the destinations should be marked wi !! 134 still be used, but destinations should be marked with the `__nonstring
152 <https://gcc.gnu.org/onlinedocs/gcc/Common-Var    135 <https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_
153 attribute to avoid future compiler warnings. F !! 136 attribute to avoid future compiler warnings.
154 NUL-padding, strtomem_pad() can be used.       << 
155                                                   137 
156 strlcpy()                                         138 strlcpy()
157 ---------                                         139 ---------
158 strlcpy() reads the entire source buffer first    140 strlcpy() reads the entire source buffer first (since the return value
159 is meant to match that of strlen()). This read    141 is meant to match that of strlen()). This read may exceed the destination
160 size limit. This is both inefficient and can l    142 size limit. This is both inefficient and can lead to linear read overflows
161 if a source string is not NUL-terminated. The     143 if a source string is not NUL-terminated. The safe replacement is strscpy(),
162 though care must be given to any cases where t    144 though care must be given to any cases where the return value of strlcpy()
163 is used, since strscpy() will return negative     145 is used, since strscpy() will return negative errno values when it truncates.
164                                                   146 
165 %p format specifier                               147 %p format specifier
166 -------------------                               148 -------------------
167 Traditionally, using "%p" in format strings wo    149 Traditionally, using "%p" in format strings would lead to regular address
168 exposure flaws in dmesg, proc, sysfs, etc. Ins    150 exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to
169 be exploitable, all "%p" uses in the kernel ar    151 be exploitable, all "%p" uses in the kernel are being printed as a hashed
170 value, rendering them unusable for addressing.    152 value, rendering them unusable for addressing. New uses of "%p" should not
171 be added to the kernel. For text addresses, us    153 be added to the kernel. For text addresses, using "%pS" is likely better,
172 as it produces the more useful symbol name ins    154 as it produces the more useful symbol name instead. For nearly everything
173 else, just do not add "%p" at all.                155 else, just do not add "%p" at all.
174                                                   156 
175 Paraphrasing Linus's current `guidance <https:/    157 Paraphrasing Linus's current `guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_:
176                                                   158 
177 - If the hashed "%p" value is pointless, ask y    159 - If the hashed "%p" value is pointless, ask yourself whether the pointer
178   itself is important. Maybe it should be remo    160   itself is important. Maybe it should be removed entirely?
179 - If you really think the true pointer value i    161 - If you really think the true pointer value is important, why is some
180   system state or user privilege level conside    162   system state or user privilege level considered "special"? If you think
181   you can justify it (in comments and commit l    163   you can justify it (in comments and commit log) well enough to stand
182   up to Linus's scrutiny, maybe you can use "%    164   up to Linus's scrutiny, maybe you can use "%px", along with making sure
183   you have sensible permissions.                  165   you have sensible permissions.
184                                                   166 
185 If you are debugging something where "%p" hash !! 167 And finally, know that a toggle for "%p" hashing will `not be accepted <https://lore.kernel.org/lkml/CA+55aFwieC1-nAs+NFq9RTwaR8ef9hWa4MjNBWL41F-8wM49eA@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFwieC1-nAs+NFq9RTwaR8ef9hWa4MjNBWL41F-8wM49eA@mail.gmail.com/>`_.
186 you can temporarily boot with the debug flag " << 
187 <https://git.kernel.org/linus/5ead723a20e0447b << 
188                                                   168 
189 Variable Length Arrays (VLAs)                     169 Variable Length Arrays (VLAs)
190 -----------------------------                     170 -----------------------------
191 Using stack VLAs produces much worse machine c    171 Using stack VLAs produces much worse machine code than statically
192 sized stack arrays. While these non-trivial `p    172 sized stack arrays. While these non-trivial `performance issues
193 <https://git.kernel.org/linus/02361bc77888>`_     173 <https://git.kernel.org/linus/02361bc77888>`_ are reason enough to
194 eliminate VLAs, they are also a security risk.    174 eliminate VLAs, they are also a security risk. Dynamic growth of a stack
195 array may exceed the remaining memory in the s    175 array may exceed the remaining memory in the stack segment. This could
196 lead to a crash, possible overwriting sensitiv    176 lead to a crash, possible overwriting sensitive contents at the end of the
197 stack (when built without `CONFIG_THREAD_INFO_    177 stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting
198 memory adjacent to the stack (when built witho    178 memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`)
199                                                   179 
200 Implicit switch case fall-through                 180 Implicit switch case fall-through
201 ---------------------------------                 181 ---------------------------------
202 The C language allows switch cases to fall thr    182 The C language allows switch cases to fall through to the next case
203 when a "break" statement is missing at the end    183 when a "break" statement is missing at the end of a case. This, however,
204 introduces ambiguity in the code, as it's not     184 introduces ambiguity in the code, as it's not always clear if the missing
205 break is intentional or a bug. For example, it    185 break is intentional or a bug. For example, it's not obvious just from
206 looking at the code if `STATE_ONE` is intentio    186 looking at the code if `STATE_ONE` is intentionally designed to fall
207 through into `STATE_TWO`::                        187 through into `STATE_TWO`::
208                                                   188 
209         switch (value) {                          189         switch (value) {
210         case STATE_ONE:                           190         case STATE_ONE:
211                 do_something();                   191                 do_something();
212         case STATE_TWO:                           192         case STATE_TWO:
213                 do_other();                       193                 do_other();
214                 break;                            194                 break;
215         default:                                  195         default:
216                 WARN("unknown state");            196                 WARN("unknown state");
217         }                                         197         }
218                                                   198 
219 As there have been a long list of flaws `due t    199 As there have been a long list of flaws `due to missing "break" statements
220 <https://cwe.mitre.org/data/definitions/484.ht    200 <https://cwe.mitre.org/data/definitions/484.html>`_, we no longer allow
221 implicit fall-through. In order to identify in    201 implicit fall-through. In order to identify intentional fall-through
222 cases, we have adopted a pseudo-keyword macro     202 cases, we have adopted a pseudo-keyword macro "fallthrough" which
223 expands to gcc's extension `__attribute__((__f    203 expands to gcc's extension `__attribute__((__fallthrough__))
224 <https://gcc.gnu.org/onlinedocs/gcc/Statement-    204 <https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_.
225 (When the C17/C18  `[[fallthrough]]` syntax is    205 (When the C17/C18  `[[fallthrough]]` syntax is more commonly supported by
226 C compilers, static analyzers, and IDEs, we ca    206 C compilers, static analyzers, and IDEs, we can switch to using that syntax
227 for the macro pseudo-keyword.)                    207 for the macro pseudo-keyword.)
228                                                   208 
229 All switch/case blocks must end in one of:        209 All switch/case blocks must end in one of:
230                                                   210 
231 * break;                                          211 * break;
232 * fallthrough;                                    212 * fallthrough;
233 * continue;                                       213 * continue;
234 * goto <label>;                                   214 * goto <label>;
235 * return [expression];                            215 * return [expression];
236                                                   216 
237 Zero-length and one-element arrays                217 Zero-length and one-element arrays
238 ----------------------------------                218 ----------------------------------
239 There is a regular need in the kernel to provi    219 There is a regular need in the kernel to provide a way to declare having
240 a dynamically sized set of trailing elements i    220 a dynamically sized set of trailing elements in a structure. Kernel code
241 should always use `"flexible array members" <h    221 should always use `"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_
242 for these cases. The older style of one-elemen    222 for these cases. The older style of one-element or zero-length arrays should
243 no longer be used.                                223 no longer be used.
244                                                   224 
245 In older C code, dynamically sized trailing el    225 In older C code, dynamically sized trailing elements were done by specifying
246 a one-element array at the end of a structure:    226 a one-element array at the end of a structure::
247                                                   227 
248         struct something {                        228         struct something {
249                 size_t count;                     229                 size_t count;
250                 struct foo items[1];              230                 struct foo items[1];
251         };                                        231         };
252                                                   232 
253 This led to fragile size calculations via size    233 This led to fragile size calculations via sizeof() (which would need to
254 remove the size of the single trailing element    234 remove the size of the single trailing element to get a correct size of
255 the "header"). A `GNU C extension <https://gcc    235 the "header"). A `GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_
256 was introduced to allow for zero-length arrays    236 was introduced to allow for zero-length arrays, to avoid these kinds of
257 size problems::                                   237 size problems::
258                                                   238 
259         struct something {                        239         struct something {
260                 size_t count;                     240                 size_t count;
261                 struct foo items[0];              241                 struct foo items[0];
262         };                                        242         };
263                                                   243 
264 But this led to other problems, and didn't sol    244 But this led to other problems, and didn't solve some problems shared by
265 both styles, like not being able to detect whe    245 both styles, like not being able to detect when such an array is accidentally
266 being used _not_ at the end of a structure (wh    246 being used _not_ at the end of a structure (which could happen directly, or
267 when such a struct was in unions, structs of s    247 when such a struct was in unions, structs of structs, etc).
268                                                   248 
269 C99 introduced "flexible array members", which    249 C99 introduced "flexible array members", which lacks a numeric size for
270 the array declaration entirely::                  250 the array declaration entirely::
271                                                   251 
272         struct something {                        252         struct something {
273                 size_t count;                     253                 size_t count;
274                 struct foo items[];               254                 struct foo items[];
275         };                                        255         };
276                                                   256 
277 This is the way the kernel expects dynamically    257 This is the way the kernel expects dynamically sized trailing elements
278 to be declared. It allows the compiler to gene    258 to be declared. It allows the compiler to generate errors when the
279 flexible array does not occur last in the stru    259 flexible array does not occur last in the structure, which helps to prevent
280 some kind of `undefined behavior                  260 some kind of `undefined behavior
281 <https://git.kernel.org/linus/76497732932f15e7    261 <https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_
282 bugs from being inadvertently introduced to th    262 bugs from being inadvertently introduced to the codebase. It also allows
283 the compiler to correctly analyze array sizes     263 the compiler to correctly analyze array sizes (via sizeof(),
284 `CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOU    264 `CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOUNDS`). For instance,
285 there is no mechanism that warns us that the f    265 there is no mechanism that warns us that the following application of the
286 sizeof() operator to a zero-length array alway    266 sizeof() operator to a zero-length array always results in zero::
287                                                   267 
288         struct something {                        268         struct something {
289                 size_t count;                     269                 size_t count;
290                 struct foo items[0];              270                 struct foo items[0];
291         };                                        271         };
292                                                   272 
293         struct something *instance;               273         struct something *instance;
294                                                   274 
295         instance = kmalloc(struct_size(instanc    275         instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
296         instance->count = count;                  276         instance->count = count;
297                                                   277 
298         size = sizeof(instance->items) * insta    278         size = sizeof(instance->items) * instance->count;
299         memcpy(instance->items, source, size);    279         memcpy(instance->items, source, size);
300                                                   280 
301 At the last line of code above, ``size`` turns    281 At the last line of code above, ``size`` turns out to be ``zero``, when one might
302 have thought it represents the total size in b    282 have thought it represents the total size in bytes of the dynamic memory recently
303 allocated for the trailing array ``items``. He    283 allocated for the trailing array ``items``. Here are a couple examples of this
304 issue: `link 1                                    284 issue: `link 1
305 <https://git.kernel.org/linus/f2cd32a443da694a    285 <https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_,
306 `link 2                                           286 `link 2
307 <https://git.kernel.org/linus/ab91c2a89f86be28    287 <https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_.
308 Instead, `flexible array members have incomple    288 Instead, `flexible array members have incomplete type, and so the sizeof()
309 operator may not be applied <https://gcc.gnu.o    289 operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
310 so any misuse of such operators will be immedi    290 so any misuse of such operators will be immediately noticed at build time.
311                                                   291 
312 With respect to one-element arrays, one has to    292 With respect to one-element arrays, one has to be acutely aware that `such arrays
313 occupy at least as much space as a single obje    293 occupy at least as much space as a single object of the type
314 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Lengt    294 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
315 hence they contribute to the size of the enclo    295 hence they contribute to the size of the enclosing structure. This is prone
316 to error every time people want to calculate t    296 to error every time people want to calculate the total size of dynamic memory
317 to allocate for a structure containing an arra    297 to allocate for a structure containing an array of this kind as a member::
318                                                   298 
319         struct something {                        299         struct something {
320                 size_t count;                     300                 size_t count;
321                 struct foo items[1];              301                 struct foo items[1];
322         };                                        302         };
323                                                   303 
324         struct something *instance;               304         struct something *instance;
325                                                   305 
326         instance = kmalloc(struct_size(instanc    306         instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL);
327         instance->count = count;                  307         instance->count = count;
328                                                   308 
329         size = sizeof(instance->items) * insta    309         size = sizeof(instance->items) * instance->count;
330         memcpy(instance->items, source, size);    310         memcpy(instance->items, source, size);
331                                                   311 
332 In the example above, we had to remember to ca    312 In the example above, we had to remember to calculate ``count - 1`` when using
333 the struct_size() helper, otherwise we would h    313 the struct_size() helper, otherwise we would have --unintentionally-- allocated
334 memory for one too many ``items`` objects. The    314 memory for one too many ``items`` objects. The cleanest and least error-prone way
335 to implement this is through the use of a `fle    315 to implement this is through the use of a `flexible array member`, together with
336 struct_size() and flex_array_size() helpers::     316 struct_size() and flex_array_size() helpers::
337                                                   317 
338         struct something {                        318         struct something {
339                 size_t count;                     319                 size_t count;
340                 struct foo items[];               320                 struct foo items[];
341         };                                        321         };
342                                                   322 
343         struct something *instance;               323         struct something *instance;
344                                                   324 
345         instance = kmalloc(struct_size(instanc    325         instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
346         instance->count = count;                  326         instance->count = count;
347                                                   327 
348         memcpy(instance->items, source, flex_a    328         memcpy(instance->items, source, flex_array_size(instance, items, instance->count));
349                                                << 
350 There are two special cases of replacement whe << 
351 helper needs to be used. (Note that it is name << 
352 use in UAPI headers.) Those cases are when the << 
353 alone in a struct or is part of a union. These << 
354 specification, but for no technical reason (as << 
355 existing use of such arrays in those places an << 
356 DECLARE_FLEX_ARRAY() uses). For example, to co << 
357                                                << 
358         struct something {                     << 
359                 ...                            << 
360                 union {                        << 
361                         struct type1 one[0];   << 
362                         struct type2 two[0];   << 
363                 };                             << 
364         };                                     << 
365                                                << 
366 The helper must be used::                      << 
367                                                << 
368         struct something {                     << 
369                 ...                            << 
370                 union {                        << 
371                         DECLARE_FLEX_ARRAY(str << 
372                         DECLARE_FLEX_ARRAY(str << 
373                 };                             << 
374         };                                     << 
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php