1 .. SPDX-License-Identifier: GPL-2.0 1 .. SPDX-License-Identifier: GPL-2.0
2 2
3 .. _deprecated: 3 .. _deprecated:
4 4
5 ============================================== 5 =====================================================================
6 Deprecated Interfaces, Language Features, Attr 6 Deprecated Interfaces, Language Features, Attributes, and Conventions
7 ============================================== 7 =====================================================================
8 8
9 In a perfect world, it would be possible to co 9 In a perfect world, it would be possible to convert all instances of
10 some deprecated API into the new API and entir 10 some deprecated API into the new API and entirely remove the old API in
11 a single development cycle. However, due to th 11 a single development cycle. However, due to the size of the kernel, the
12 maintainership hierarchy, and timing, it's not 12 maintainership hierarchy, and timing, it's not always feasible to do these
13 kinds of conversions at once. This means that 13 kinds of conversions at once. This means that new instances may sneak into
14 the kernel while old ones are being removed, o 14 the kernel while old ones are being removed, only making the amount of
15 work to remove the API grow. In order to educa 15 work to remove the API grow. In order to educate developers about what
16 has been deprecated and why, this list has bee 16 has been deprecated and why, this list has been created as a place to
17 point when uses of deprecated things are propo 17 point when uses of deprecated things are proposed for inclusion in the
18 kernel. 18 kernel.
19 19
20 __deprecated 20 __deprecated
21 ------------ 21 ------------
22 While this attribute does visually mark an int 22 While this attribute does visually mark an interface as deprecated,
23 it `does not produce warnings during builds an 23 it `does not produce warnings during builds any more
24 <https://git.kernel.org/linus/771c035372a036f8 24 <https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_
25 because one of the standing goals of the kerne 25 because one of the standing goals of the kernel is to build without
26 warnings and no one was actually doing anythin 26 warnings and no one was actually doing anything to remove these deprecated
27 interfaces. While using `__deprecated` is nice 27 interfaces. While using `__deprecated` is nice to note an old API in
28 a header file, it isn't the full solution. Suc 28 a header file, it isn't the full solution. Such interfaces must either
29 be fully removed from the kernel, or added to 29 be fully removed from the kernel, or added to this file to discourage
30 others from using them in the future. 30 others from using them in the future.
31 31
32 BUG() and BUG_ON() 32 BUG() and BUG_ON()
33 ------------------ 33 ------------------
34 Use WARN() and WARN_ON() instead, and handle t 34 Use WARN() and WARN_ON() instead, and handle the "impossible"
35 error condition as gracefully as possible. Whi 35 error condition as gracefully as possible. While the BUG()-family
36 of APIs were originally designed to act as an 36 of APIs were originally designed to act as an "impossible situation"
37 assert and to kill a kernel thread "safely", t 37 assert and to kill a kernel thread "safely", they turn out to just be
38 too risky. (e.g. "In what order do locks need 38 too risky. (e.g. "In what order do locks need to be released? Have
39 various states been restored?") Very commonly, 39 various states been restored?") Very commonly, using BUG() will
40 destabilize a system or entirely break it, whi 40 destabilize a system or entirely break it, which makes it impossible
41 to debug or even get viable crash reports. Lin 41 to debug or even get viable crash reports. Linus has `very strong
42 <https://lore.kernel.org/lkml/CA+55aFy6jNLsywVY 42 <https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_
43 feelings `about this 43 feelings `about this
44 <https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTO 44 <https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/">https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_.
45 45
46 Note that the WARN()-family should only be use 46 Note that the WARN()-family should only be used for "expected to
47 be unreachable" situations. If you want to war 47 be unreachable" situations. If you want to warn about "reachable
48 but undesirable" situations, please use the pr 48 but undesirable" situations, please use the pr_warn()-family of
49 functions. System owners may have set the *pan 49 functions. System owners may have set the *panic_on_warn* sysctl,
50 to make sure their systems do not continue run 50 to make sure their systems do not continue running in the face of
51 "unreachable" conditions. (For example, see co 51 "unreachable" conditions. (For example, see commits like `this one
52 <https://git.kernel.org/linus/d4689846881d160a 52 <https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_.)
53 53
>> 54 uninitialized_var()
>> 55 -------------------
>> 56 For any compiler warnings about uninitialized variables, just add
>> 57 an initializer. Using the uninitialized_var() macro (or similar
>> 58 warning-silencing tricks) is dangerous as it papers over `real bugs
>> 59 <https://lore.kernel.org/lkml/20200603174714.192027-1-glider@google.com/">https://lore.kernel.org/lkml/20200603174714.192027-1-glider@google.com/>`_
>> 60 (or can in the future), and suppresses unrelated compiler warnings
>> 61 (e.g. "unused variable"). If the compiler thinks it is uninitialized,
>> 62 either simply initialize the variable or make compiler changes. Keep in
>> 63 mind that in most cases, if an initialization is obviously redundant,
>> 64 the compiler's dead-store elimination pass will make sure there are no
>> 65 needless variable writes.
>> 66
>> 67 As Linus has said, this macro
>> 68 `must <https://lore.kernel.org/lkml/CA+55aFw+Vbj0i=1TGqCR5vQkCzWJ0QxK6CernOU6eedsudAixw@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFw+Vbj0i=1TGqCR5vQkCzWJ0QxK6CernOU6eedsudAixw@mail.gmail.com/>`_
>> 69 `be <https://lore.kernel.org/lkml/CA+55aFwgbgqhbp1fkxvRKEpzyR5J8n1vKT1VZdz9knmPuXhOeg@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFwgbgqhbp1fkxvRKEpzyR5J8n1vKT1VZdz9knmPuXhOeg@mail.gmail.com/>`_
>> 70 `removed <https://lore.kernel.org/lkml/CA+55aFz2500WfbKXAx8s67wrm9=yVJu65TpLgN_ybYNv0VEOKA@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFz2500WfbKXAx8s67wrm9=yVJu65TpLgN_ybYNv0VEOKA@mail.gmail.com/>`_.
>> 71
54 open-coded arithmetic in allocator arguments 72 open-coded arithmetic in allocator arguments
55 -------------------------------------------- 73 --------------------------------------------
56 Dynamic size calculations (especially multipli 74 Dynamic size calculations (especially multiplication) should not be
57 performed in memory allocator (or similar) fun 75 performed in memory allocator (or similar) function arguments due to the
58 risk of them overflowing. This could lead to v 76 risk of them overflowing. This could lead to values wrapping around and a
59 smaller allocation being made than the caller 77 smaller allocation being made than the caller was expecting. Using those
60 allocations could lead to linear overflows of 78 allocations could lead to linear overflows of heap memory and other
61 misbehaviors. (One exception to this is litera 79 misbehaviors. (One exception to this is literal values where the compiler
62 can warn if they might overflow. However, the !! 80 can warn if they might overflow. Though using literals for arguments as
63 cases is to refactor the code as suggested bel !! 81 suggested below is also harmless.)
64 arithmetic.) <<
65 82
66 For example, do not use ``count * size`` as an 83 For example, do not use ``count * size`` as an argument, as in::
67 84
68 foo = kmalloc(count * size, GFP_KERNEL 85 foo = kmalloc(count * size, GFP_KERNEL);
69 86
70 Instead, the 2-factor form of the allocator sh 87 Instead, the 2-factor form of the allocator should be used::
71 88
72 foo = kmalloc_array(count, size, GFP_K 89 foo = kmalloc_array(count, size, GFP_KERNEL);
73 90
74 Specifically, kmalloc() can be replaced with k <<
75 kzalloc() can be replaced with kcalloc(). <<
76 <<
77 If no 2-factor form is available, the saturate 91 If no 2-factor form is available, the saturate-on-overflow helpers should
78 be used:: 92 be used::
79 93
80 bar = dma_alloc_coherent(dev, array_si !! 94 bar = vmalloc(array_size(count, size));
81 95
82 Another common case to avoid is calculating th 96 Another common case to avoid is calculating the size of a structure with
83 a trailing array of others structures, as in:: 97 a trailing array of others structures, as in::
84 98
85 header = kzalloc(sizeof(*header) + cou 99 header = kzalloc(sizeof(*header) + count * sizeof(*header->item),
86 GFP_KERNEL); 100 GFP_KERNEL);
87 101
88 Instead, use the helper:: 102 Instead, use the helper::
89 103
90 header = kzalloc(struct_size(header, i 104 header = kzalloc(struct_size(header, item, count), GFP_KERNEL);
91 105
92 .. note:: If you are using struct_size() on a 106 .. note:: If you are using struct_size() on a structure containing a zero-length
93 or a one-element array as a trailing a 107 or a one-element array as a trailing array member, please refactor such
94 array usage and switch to a `flexible 108 array usage and switch to a `flexible array member
95 <#zero-length-and-one-element-arrays>` 109 <#zero-length-and-one-element-arrays>`_ instead.
96 110
97 For other calculations, please compose the use !! 111 See array_size(), array3_size(), and struct_size(),
98 size_add(), and size_sub() helpers. For exampl !! 112 for more details as well as the related check_add_overflow() and
99 !! 113 check_mul_overflow() family of functions.
100 foo = krealloc(current_size + chunk_si <<
101 <<
102 Instead, use the helpers:: <<
103 <<
104 foo = krealloc(size_add(current_size, <<
105 size_mul(chunk <<
106 size_ <<
107 <<
108 For more details, also see array3_size() and f <<
109 as well as the related check_mul_overflow(), c <<
110 check_sub_overflow(), and check_shl_overflow() <<
111 114
112 simple_strtol(), simple_strtoll(), simple_strt 115 simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull()
113 ---------------------------------------------- 116 ----------------------------------------------------------------------
114 The simple_strtol(), simple_strtoll(), 117 The simple_strtol(), simple_strtoll(),
115 simple_strtoul(), and simple_strtoull() functi 118 simple_strtoul(), and simple_strtoull() functions
116 explicitly ignore overflows, which may lead to 119 explicitly ignore overflows, which may lead to unexpected results
117 in callers. The respective kstrtol(), kstrtoll 120 in callers. The respective kstrtol(), kstrtoll(),
118 kstrtoul(), and kstrtoull() functions tend to 121 kstrtoul(), and kstrtoull() functions tend to be the
119 correct replacements, though note that those r 122 correct replacements, though note that those require the string to be
120 NUL or newline terminated. 123 NUL or newline terminated.
121 124
122 strcpy() 125 strcpy()
123 -------- 126 --------
124 strcpy() performs no bounds checking on the de !! 127 strcpy() performs no bounds checking on the destination
125 could result in linear overflows beyond the en !! 128 buffer. This could result in linear overflows beyond the
126 all kinds of misbehaviors. While `CONFIG_FORTI !! 129 end of the buffer, leading to all kinds of misbehaviors. While
127 compiler flags help reduce the risk of using t !! 130 `CONFIG_FORTIFY_SOURCE=y` and various compiler flags help reduce the
128 no good reason to add new uses of this functio !! 131 risk of using this function, there is no good reason to add new uses of
129 is strscpy(), though care must be given to any !! 132 this function. The safe replacement is strscpy().
130 value of strcpy() was used, since strscpy() do <<
131 the destination, but rather a count of non-NUL <<
132 errno when it truncates). <<
133 133
134 strncpy() on NUL-terminated strings 134 strncpy() on NUL-terminated strings
135 ----------------------------------- 135 -----------------------------------
136 Use of strncpy() does not guarantee that the d !! 136 Use of strncpy() does not guarantee that the destination buffer
137 be NUL terminated. This can lead to various li !! 137 will be NUL terminated. This can lead to various linear read overflows
138 other misbehavior due to the missing terminati !! 138 and other misbehavior due to the missing termination. It also NUL-pads the
139 the destination buffer if the source contents !! 139 destination buffer if the source contents are shorter than the destination
140 destination buffer size, which may be a needle !! 140 buffer size, which may be a needless performance penalty for callers using
141 for callers using only NUL-terminated strings. !! 141 only NUL-terminated strings. The safe replacement is strscpy().
142 !! 142 (Users of strscpy() still needing NUL-padding should instead
143 When the destination is required to be NUL-ter !! 143 use strscpy_pad().)
144 strscpy(), though care must be given to any ca <<
145 of strncpy() was used, since strscpy() does no <<
146 destination, but rather a count of non-NUL byt <<
147 errno when it truncates). Any cases still need <<
148 instead use strscpy_pad(). <<
149 144
150 If a caller is using non-NUL-terminated string !! 145 If a caller is using non-NUL-terminated strings, strncpy() can
151 used, and the destinations should be marked wi !! 146 still be used, but destinations should be marked with the `__nonstring
152 <https://gcc.gnu.org/onlinedocs/gcc/Common-Var 147 <https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_
153 attribute to avoid future compiler warnings. F !! 148 attribute to avoid future compiler warnings.
154 NUL-padding, strtomem_pad() can be used. <<
155 149
156 strlcpy() 150 strlcpy()
157 --------- 151 ---------
158 strlcpy() reads the entire source buffer first !! 152 strlcpy() reads the entire source buffer first, possibly exceeding
159 is meant to match that of strlen()). This read !! 153 the given limit of bytes to copy. This is inefficient and can lead to
160 size limit. This is both inefficient and can l !! 154 linear read overflows if a source string is not NUL-terminated. The
161 if a source string is not NUL-terminated. The !! 155 safe replacement is strscpy().
162 though care must be given to any cases where t <<
163 is used, since strscpy() will return negative <<
164 156
165 %p format specifier 157 %p format specifier
166 ------------------- 158 -------------------
167 Traditionally, using "%p" in format strings wo 159 Traditionally, using "%p" in format strings would lead to regular address
168 exposure flaws in dmesg, proc, sysfs, etc. Ins 160 exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to
169 be exploitable, all "%p" uses in the kernel ar 161 be exploitable, all "%p" uses in the kernel are being printed as a hashed
170 value, rendering them unusable for addressing. 162 value, rendering them unusable for addressing. New uses of "%p" should not
171 be added to the kernel. For text addresses, us 163 be added to the kernel. For text addresses, using "%pS" is likely better,
172 as it produces the more useful symbol name ins 164 as it produces the more useful symbol name instead. For nearly everything
173 else, just do not add "%p" at all. 165 else, just do not add "%p" at all.
174 166
175 Paraphrasing Linus's current `guidance <https:/ 167 Paraphrasing Linus's current `guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_:
176 168
177 - If the hashed "%p" value is pointless, ask y 169 - If the hashed "%p" value is pointless, ask yourself whether the pointer
178 itself is important. Maybe it should be remo 170 itself is important. Maybe it should be removed entirely?
179 - If you really think the true pointer value i 171 - If you really think the true pointer value is important, why is some
180 system state or user privilege level conside 172 system state or user privilege level considered "special"? If you think
181 you can justify it (in comments and commit l 173 you can justify it (in comments and commit log) well enough to stand
182 up to Linus's scrutiny, maybe you can use "% 174 up to Linus's scrutiny, maybe you can use "%px", along with making sure
183 you have sensible permissions. 175 you have sensible permissions.
184 176
185 If you are debugging something where "%p" hash !! 177 And finally, know that a toggle for "%p" hashing will `not be accepted <https://lore.kernel.org/lkml/CA+55aFwieC1-nAs+NFq9RTwaR8ef9hWa4MjNBWL41F-8wM49eA@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFwieC1-nAs+NFq9RTwaR8ef9hWa4MjNBWL41F-8wM49eA@mail.gmail.com/>`_.
186 you can temporarily boot with the debug flag " <<
187 <https://git.kernel.org/linus/5ead723a20e0447b <<
188 178
189 Variable Length Arrays (VLAs) 179 Variable Length Arrays (VLAs)
190 ----------------------------- 180 -----------------------------
191 Using stack VLAs produces much worse machine c 181 Using stack VLAs produces much worse machine code than statically
192 sized stack arrays. While these non-trivial `p 182 sized stack arrays. While these non-trivial `performance issues
193 <https://git.kernel.org/linus/02361bc77888>`_ 183 <https://git.kernel.org/linus/02361bc77888>`_ are reason enough to
194 eliminate VLAs, they are also a security risk. 184 eliminate VLAs, they are also a security risk. Dynamic growth of a stack
195 array may exceed the remaining memory in the s 185 array may exceed the remaining memory in the stack segment. This could
196 lead to a crash, possible overwriting sensitiv 186 lead to a crash, possible overwriting sensitive contents at the end of the
197 stack (when built without `CONFIG_THREAD_INFO_ 187 stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting
198 memory adjacent to the stack (when built witho 188 memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`)
199 189
200 Implicit switch case fall-through 190 Implicit switch case fall-through
201 --------------------------------- 191 ---------------------------------
202 The C language allows switch cases to fall thr 192 The C language allows switch cases to fall through to the next case
203 when a "break" statement is missing at the end 193 when a "break" statement is missing at the end of a case. This, however,
204 introduces ambiguity in the code, as it's not 194 introduces ambiguity in the code, as it's not always clear if the missing
205 break is intentional or a bug. For example, it 195 break is intentional or a bug. For example, it's not obvious just from
206 looking at the code if `STATE_ONE` is intentio 196 looking at the code if `STATE_ONE` is intentionally designed to fall
207 through into `STATE_TWO`:: 197 through into `STATE_TWO`::
208 198
209 switch (value) { 199 switch (value) {
210 case STATE_ONE: 200 case STATE_ONE:
211 do_something(); 201 do_something();
212 case STATE_TWO: 202 case STATE_TWO:
213 do_other(); 203 do_other();
214 break; 204 break;
215 default: 205 default:
216 WARN("unknown state"); 206 WARN("unknown state");
217 } 207 }
218 208
219 As there have been a long list of flaws `due t 209 As there have been a long list of flaws `due to missing "break" statements
220 <https://cwe.mitre.org/data/definitions/484.ht 210 <https://cwe.mitre.org/data/definitions/484.html>`_, we no longer allow
221 implicit fall-through. In order to identify in 211 implicit fall-through. In order to identify intentional fall-through
222 cases, we have adopted a pseudo-keyword macro 212 cases, we have adopted a pseudo-keyword macro "fallthrough" which
223 expands to gcc's extension `__attribute__((__f 213 expands to gcc's extension `__attribute__((__fallthrough__))
224 <https://gcc.gnu.org/onlinedocs/gcc/Statement- 214 <https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_.
225 (When the C17/C18 `[[fallthrough]]` syntax is 215 (When the C17/C18 `[[fallthrough]]` syntax is more commonly supported by
226 C compilers, static analyzers, and IDEs, we ca 216 C compilers, static analyzers, and IDEs, we can switch to using that syntax
227 for the macro pseudo-keyword.) 217 for the macro pseudo-keyword.)
228 218
229 All switch/case blocks must end in one of: 219 All switch/case blocks must end in one of:
230 220
231 * break; 221 * break;
232 * fallthrough; 222 * fallthrough;
233 * continue; 223 * continue;
234 * goto <label>; 224 * goto <label>;
235 * return [expression]; 225 * return [expression];
236 226
237 Zero-length and one-element arrays 227 Zero-length and one-element arrays
238 ---------------------------------- 228 ----------------------------------
239 There is a regular need in the kernel to provi 229 There is a regular need in the kernel to provide a way to declare having
240 a dynamically sized set of trailing elements i 230 a dynamically sized set of trailing elements in a structure. Kernel code
241 should always use `"flexible array members" <h 231 should always use `"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_
242 for these cases. The older style of one-elemen 232 for these cases. The older style of one-element or zero-length arrays should
243 no longer be used. 233 no longer be used.
244 234
245 In older C code, dynamically sized trailing el 235 In older C code, dynamically sized trailing elements were done by specifying
246 a one-element array at the end of a structure: 236 a one-element array at the end of a structure::
247 237
248 struct something { 238 struct something {
249 size_t count; 239 size_t count;
250 struct foo items[1]; 240 struct foo items[1];
251 }; 241 };
252 242
253 This led to fragile size calculations via size 243 This led to fragile size calculations via sizeof() (which would need to
254 remove the size of the single trailing element 244 remove the size of the single trailing element to get a correct size of
255 the "header"). A `GNU C extension <https://gcc 245 the "header"). A `GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_
256 was introduced to allow for zero-length arrays 246 was introduced to allow for zero-length arrays, to avoid these kinds of
257 size problems:: 247 size problems::
258 248
259 struct something { 249 struct something {
260 size_t count; 250 size_t count;
261 struct foo items[0]; 251 struct foo items[0];
262 }; 252 };
263 253
264 But this led to other problems, and didn't sol 254 But this led to other problems, and didn't solve some problems shared by
265 both styles, like not being able to detect whe 255 both styles, like not being able to detect when such an array is accidentally
266 being used _not_ at the end of a structure (wh 256 being used _not_ at the end of a structure (which could happen directly, or
267 when such a struct was in unions, structs of s 257 when such a struct was in unions, structs of structs, etc).
268 258
269 C99 introduced "flexible array members", which 259 C99 introduced "flexible array members", which lacks a numeric size for
270 the array declaration entirely:: 260 the array declaration entirely::
271 261
272 struct something { 262 struct something {
273 size_t count; 263 size_t count;
274 struct foo items[]; 264 struct foo items[];
275 }; 265 };
276 266
277 This is the way the kernel expects dynamically 267 This is the way the kernel expects dynamically sized trailing elements
278 to be declared. It allows the compiler to gene 268 to be declared. It allows the compiler to generate errors when the
279 flexible array does not occur last in the stru 269 flexible array does not occur last in the structure, which helps to prevent
280 some kind of `undefined behavior 270 some kind of `undefined behavior
281 <https://git.kernel.org/linus/76497732932f15e7 271 <https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_
282 bugs from being inadvertently introduced to th 272 bugs from being inadvertently introduced to the codebase. It also allows
283 the compiler to correctly analyze array sizes 273 the compiler to correctly analyze array sizes (via sizeof(),
284 `CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOU 274 `CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOUNDS`). For instance,
285 there is no mechanism that warns us that the f 275 there is no mechanism that warns us that the following application of the
286 sizeof() operator to a zero-length array alway 276 sizeof() operator to a zero-length array always results in zero::
287 277
288 struct something { 278 struct something {
289 size_t count; 279 size_t count;
290 struct foo items[0]; 280 struct foo items[0];
291 }; 281 };
292 282
293 struct something *instance; 283 struct something *instance;
294 284
295 instance = kmalloc(struct_size(instanc 285 instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
296 instance->count = count; 286 instance->count = count;
297 287
298 size = sizeof(instance->items) * insta 288 size = sizeof(instance->items) * instance->count;
299 memcpy(instance->items, source, size); 289 memcpy(instance->items, source, size);
300 290
301 At the last line of code above, ``size`` turns 291 At the last line of code above, ``size`` turns out to be ``zero``, when one might
302 have thought it represents the total size in b 292 have thought it represents the total size in bytes of the dynamic memory recently
303 allocated for the trailing array ``items``. He 293 allocated for the trailing array ``items``. Here are a couple examples of this
304 issue: `link 1 294 issue: `link 1
305 <https://git.kernel.org/linus/f2cd32a443da694a 295 <https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_,
306 `link 2 296 `link 2
307 <https://git.kernel.org/linus/ab91c2a89f86be28 297 <https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_.
308 Instead, `flexible array members have incomple 298 Instead, `flexible array members have incomplete type, and so the sizeof()
309 operator may not be applied <https://gcc.gnu.o 299 operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
310 so any misuse of such operators will be immedi 300 so any misuse of such operators will be immediately noticed at build time.
311 301
312 With respect to one-element arrays, one has to 302 With respect to one-element arrays, one has to be acutely aware that `such arrays
313 occupy at least as much space as a single obje 303 occupy at least as much space as a single object of the type
314 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Lengt 304 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
315 hence they contribute to the size of the enclo 305 hence they contribute to the size of the enclosing structure. This is prone
316 to error every time people want to calculate t 306 to error every time people want to calculate the total size of dynamic memory
317 to allocate for a structure containing an arra 307 to allocate for a structure containing an array of this kind as a member::
318 308
319 struct something { 309 struct something {
320 size_t count; 310 size_t count;
321 struct foo items[1]; 311 struct foo items[1];
322 }; 312 };
323 313
324 struct something *instance; 314 struct something *instance;
325 315
326 instance = kmalloc(struct_size(instanc 316 instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL);
327 instance->count = count; 317 instance->count = count;
328 318
329 size = sizeof(instance->items) * insta 319 size = sizeof(instance->items) * instance->count;
330 memcpy(instance->items, source, size); 320 memcpy(instance->items, source, size);
331 321
332 In the example above, we had to remember to ca 322 In the example above, we had to remember to calculate ``count - 1`` when using
333 the struct_size() helper, otherwise we would h 323 the struct_size() helper, otherwise we would have --unintentionally-- allocated
334 memory for one too many ``items`` objects. The 324 memory for one too many ``items`` objects. The cleanest and least error-prone way
335 to implement this is through the use of a `fle !! 325 to implement this is through the use of a `flexible array member`::
336 struct_size() and flex_array_size() helpers:: <<
337 326
338 struct something { 327 struct something {
339 size_t count; 328 size_t count;
340 struct foo items[]; 329 struct foo items[];
341 }; 330 };
342 331
343 struct something *instance; 332 struct something *instance;
344 333
345 instance = kmalloc(struct_size(instanc 334 instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
346 instance->count = count; 335 instance->count = count;
347 336
348 memcpy(instance->items, source, flex_a !! 337 size = sizeof(instance->items[0]) * instance->count;
349 !! 338 memcpy(instance->items, source, size);
350 There are two special cases of replacement whe <<
351 helper needs to be used. (Note that it is name <<
352 use in UAPI headers.) Those cases are when the <<
353 alone in a struct or is part of a union. These <<
354 specification, but for no technical reason (as <<
355 existing use of such arrays in those places an <<
356 DECLARE_FLEX_ARRAY() uses). For example, to co <<
357 <<
358 struct something { <<
359 ... <<
360 union { <<
361 struct type1 one[0]; <<
362 struct type2 two[0]; <<
363 }; <<
364 }; <<
365 <<
366 The helper must be used:: <<
367 <<
368 struct something { <<
369 ... <<
370 union { <<
371 DECLARE_FLEX_ARRAY(str <<
372 DECLARE_FLEX_ARRAY(str <<
373 }; <<
374 }; <<
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.