~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/process/deprecated.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/process/deprecated.rst (Version linux-6.12-rc7) and /Documentation/process/deprecated.rst (Version unix-v6-master)


  1 .. SPDX-License-Identifier: GPL-2.0               
  2                                                   
  3 .. _deprecated:                                   
  4                                                   
  5 ==============================================    
  6 Deprecated Interfaces, Language Features, Attr    
  7 ==============================================    
  8                                                   
  9 In a perfect world, it would be possible to co    
 10 some deprecated API into the new API and entir    
 11 a single development cycle. However, due to th    
 12 maintainership hierarchy, and timing, it's not    
 13 kinds of conversions at once. This means that     
 14 the kernel while old ones are being removed, o    
 15 work to remove the API grow. In order to educa    
 16 has been deprecated and why, this list has bee    
 17 point when uses of deprecated things are propo    
 18 kernel.                                           
 19                                                   
 20 __deprecated                                      
 21 ------------                                      
 22 While this attribute does visually mark an int    
 23 it `does not produce warnings during builds an    
 24 <https://git.kernel.org/linus/771c035372a036f8    
 25 because one of the standing goals of the kerne    
 26 warnings and no one was actually doing anythin    
 27 interfaces. While using `__deprecated` is nice    
 28 a header file, it isn't the full solution. Suc    
 29 be fully removed from the kernel, or added to     
 30 others from using them in the future.             
 31                                                   
 32 BUG() and BUG_ON()                                
 33 ------------------                                
 34 Use WARN() and WARN_ON() instead, and handle t    
 35 error condition as gracefully as possible. Whi    
 36 of APIs were originally designed to act as an     
 37 assert and to kill a kernel thread "safely", t    
 38 too risky. (e.g. "In what order do locks need     
 39 various states been restored?") Very commonly,    
 40 destabilize a system or entirely break it, whi    
 41 to debug or even get viable crash reports. Lin    
 42 <https://lore.kernel.org/lkml/CA+55aFy6jNLsywVY    
 43 feelings `about this                              
 44 <https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTO    
 45                                                   
 46 Note that the WARN()-family should only be use    
 47 be unreachable" situations. If you want to war    
 48 but undesirable" situations, please use the pr    
 49 functions. System owners may have set the *pan    
 50 to make sure their systems do not continue run    
 51 "unreachable" conditions. (For example, see co    
 52 <https://git.kernel.org/linus/d4689846881d160a    
 53                                                   
 54 open-coded arithmetic in allocator arguments      
 55 --------------------------------------------      
 56 Dynamic size calculations (especially multipli    
 57 performed in memory allocator (or similar) fun    
 58 risk of them overflowing. This could lead to v    
 59 smaller allocation being made than the caller     
 60 allocations could lead to linear overflows of     
 61 misbehaviors. (One exception to this is litera    
 62 can warn if they might overflow. However, the     
 63 cases is to refactor the code as suggested bel    
 64 arithmetic.)                                      
 65                                                   
 66 For example, do not use ``count * size`` as an    
 67                                                   
 68         foo = kmalloc(count * size, GFP_KERNEL    
 69                                                   
 70 Instead, the 2-factor form of the allocator sh    
 71                                                   
 72         foo = kmalloc_array(count, size, GFP_K    
 73                                                   
 74 Specifically, kmalloc() can be replaced with k    
 75 kzalloc() can be replaced with kcalloc().         
 76                                                   
 77 If no 2-factor form is available, the saturate    
 78 be used::                                         
 79                                                   
 80         bar = dma_alloc_coherent(dev, array_si    
 81                                                   
 82 Another common case to avoid is calculating th    
 83 a trailing array of others structures, as in::    
 84                                                   
 85         header = kzalloc(sizeof(*header) + cou    
 86                          GFP_KERNEL);             
 87                                                   
 88 Instead, use the helper::                         
 89                                                   
 90         header = kzalloc(struct_size(header, i    
 91                                                   
 92 .. note:: If you are using struct_size() on a     
 93         or a one-element array as a trailing a    
 94         array usage and switch to a `flexible     
 95         <#zero-length-and-one-element-arrays>`    
 96                                                   
 97 For other calculations, please compose the use    
 98 size_add(), and size_sub() helpers. For exampl    
 99                                                   
100         foo = krealloc(current_size + chunk_si    
101                                                   
102 Instead, use the helpers::                        
103                                                   
104         foo = krealloc(size_add(current_size,     
105                                 size_mul(chunk    
106                                          size_    
107                                                   
108 For more details, also see array3_size() and f    
109 as well as the related check_mul_overflow(), c    
110 check_sub_overflow(), and check_shl_overflow()    
111                                                   
112 simple_strtol(), simple_strtoll(), simple_strt    
113 ----------------------------------------------    
114 The simple_strtol(), simple_strtoll(),            
115 simple_strtoul(), and simple_strtoull() functi    
116 explicitly ignore overflows, which may lead to    
117 in callers. The respective kstrtol(), kstrtoll    
118 kstrtoul(), and kstrtoull() functions tend to     
119 correct replacements, though note that those r    
120 NUL or newline terminated.                        
121                                                   
122 strcpy()                                          
123 --------                                          
124 strcpy() performs no bounds checking on the de    
125 could result in linear overflows beyond the en    
126 all kinds of misbehaviors. While `CONFIG_FORTI    
127 compiler flags help reduce the risk of using t    
128 no good reason to add new uses of this functio    
129 is strscpy(), though care must be given to any    
130 value of strcpy() was used, since strscpy() do    
131 the destination, but rather a count of non-NUL    
132 errno when it truncates).                         
133                                                   
134 strncpy() on NUL-terminated strings               
135 -----------------------------------               
136 Use of strncpy() does not guarantee that the d    
137 be NUL terminated. This can lead to various li    
138 other misbehavior due to the missing terminati    
139 the destination buffer if the source contents     
140 destination buffer size, which may be a needle    
141 for callers using only NUL-terminated strings.    
142                                                   
143 When the destination is required to be NUL-ter    
144 strscpy(), though care must be given to any ca    
145 of strncpy() was used, since strscpy() does no    
146 destination, but rather a count of non-NUL byt    
147 errno when it truncates). Any cases still need    
148 instead use strscpy_pad().                        
149                                                   
150 If a caller is using non-NUL-terminated string    
151 used, and the destinations should be marked wi    
152 <https://gcc.gnu.org/onlinedocs/gcc/Common-Var    
153 attribute to avoid future compiler warnings. F    
154 NUL-padding, strtomem_pad() can be used.          
155                                                   
156 strlcpy()                                         
157 ---------                                         
158 strlcpy() reads the entire source buffer first    
159 is meant to match that of strlen()). This read    
160 size limit. This is both inefficient and can l    
161 if a source string is not NUL-terminated. The     
162 though care must be given to any cases where t    
163 is used, since strscpy() will return negative     
164                                                   
165 %p format specifier                               
166 -------------------                               
167 Traditionally, using "%p" in format strings wo    
168 exposure flaws in dmesg, proc, sysfs, etc. Ins    
169 be exploitable, all "%p" uses in the kernel ar    
170 value, rendering them unusable for addressing.    
171 be added to the kernel. For text addresses, us    
172 as it produces the more useful symbol name ins    
173 else, just do not add "%p" at all.                
174                                                   
175 Paraphrasing Linus's current `guidance <https:/    
176                                                   
177 - If the hashed "%p" value is pointless, ask y    
178   itself is important. Maybe it should be remo    
179 - If you really think the true pointer value i    
180   system state or user privilege level conside    
181   you can justify it (in comments and commit l    
182   up to Linus's scrutiny, maybe you can use "%    
183   you have sensible permissions.                  
184                                                   
185 If you are debugging something where "%p" hash    
186 you can temporarily boot with the debug flag "    
187 <https://git.kernel.org/linus/5ead723a20e0447b    
188                                                   
189 Variable Length Arrays (VLAs)                     
190 -----------------------------                     
191 Using stack VLAs produces much worse machine c    
192 sized stack arrays. While these non-trivial `p    
193 <https://git.kernel.org/linus/02361bc77888>`_     
194 eliminate VLAs, they are also a security risk.    
195 array may exceed the remaining memory in the s    
196 lead to a crash, possible overwriting sensitiv    
197 stack (when built without `CONFIG_THREAD_INFO_    
198 memory adjacent to the stack (when built witho    
199                                                   
200 Implicit switch case fall-through                 
201 ---------------------------------                 
202 The C language allows switch cases to fall thr    
203 when a "break" statement is missing at the end    
204 introduces ambiguity in the code, as it's not     
205 break is intentional or a bug. For example, it    
206 looking at the code if `STATE_ONE` is intentio    
207 through into `STATE_TWO`::                        
208                                                   
209         switch (value) {                          
210         case STATE_ONE:                           
211                 do_something();                   
212         case STATE_TWO:                           
213                 do_other();                       
214                 break;                            
215         default:                                  
216                 WARN("unknown state");            
217         }                                         
218                                                   
219 As there have been a long list of flaws `due t    
220 <https://cwe.mitre.org/data/definitions/484.ht    
221 implicit fall-through. In order to identify in    
222 cases, we have adopted a pseudo-keyword macro     
223 expands to gcc's extension `__attribute__((__f    
224 <https://gcc.gnu.org/onlinedocs/gcc/Statement-    
225 (When the C17/C18  `[[fallthrough]]` syntax is    
226 C compilers, static analyzers, and IDEs, we ca    
227 for the macro pseudo-keyword.)                    
228                                                   
229 All switch/case blocks must end in one of:        
230                                                   
231 * break;                                          
232 * fallthrough;                                    
233 * continue;                                       
234 * goto <label>;                                   
235 * return [expression];                            
236                                                   
237 Zero-length and one-element arrays                
238 ----------------------------------                
239 There is a regular need in the kernel to provi    
240 a dynamically sized set of trailing elements i    
241 should always use `"flexible array members" <h    
242 for these cases. The older style of one-elemen    
243 no longer be used.                                
244                                                   
245 In older C code, dynamically sized trailing el    
246 a one-element array at the end of a structure:    
247                                                   
248         struct something {                        
249                 size_t count;                     
250                 struct foo items[1];              
251         };                                        
252                                                   
253 This led to fragile size calculations via size    
254 remove the size of the single trailing element    
255 the "header"). A `GNU C extension <https://gcc    
256 was introduced to allow for zero-length arrays    
257 size problems::                                   
258                                                   
259         struct something {                        
260                 size_t count;                     
261                 struct foo items[0];              
262         };                                        
263                                                   
264 But this led to other problems, and didn't sol    
265 both styles, like not being able to detect whe    
266 being used _not_ at the end of a structure (wh    
267 when such a struct was in unions, structs of s    
268                                                   
269 C99 introduced "flexible array members", which    
270 the array declaration entirely::                  
271                                                   
272         struct something {                        
273                 size_t count;                     
274                 struct foo items[];               
275         };                                        
276                                                   
277 This is the way the kernel expects dynamically    
278 to be declared. It allows the compiler to gene    
279 flexible array does not occur last in the stru    
280 some kind of `undefined behavior                  
281 <https://git.kernel.org/linus/76497732932f15e7    
282 bugs from being inadvertently introduced to th    
283 the compiler to correctly analyze array sizes     
284 `CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOU    
285 there is no mechanism that warns us that the f    
286 sizeof() operator to a zero-length array alway    
287                                                   
288         struct something {                        
289                 size_t count;                     
290                 struct foo items[0];              
291         };                                        
292                                                   
293         struct something *instance;               
294                                                   
295         instance = kmalloc(struct_size(instanc    
296         instance->count = count;                  
297                                                   
298         size = sizeof(instance->items) * insta    
299         memcpy(instance->items, source, size);    
300                                                   
301 At the last line of code above, ``size`` turns    
302 have thought it represents the total size in b    
303 allocated for the trailing array ``items``. He    
304 issue: `link 1                                    
305 <https://git.kernel.org/linus/f2cd32a443da694a    
306 `link 2                                           
307 <https://git.kernel.org/linus/ab91c2a89f86be28    
308 Instead, `flexible array members have incomple    
309 operator may not be applied <https://gcc.gnu.o    
310 so any misuse of such operators will be immedi    
311                                                   
312 With respect to one-element arrays, one has to    
313 occupy at least as much space as a single obje    
314 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Lengt    
315 hence they contribute to the size of the enclo    
316 to error every time people want to calculate t    
317 to allocate for a structure containing an arra    
318                                                   
319         struct something {                        
320                 size_t count;                     
321                 struct foo items[1];              
322         };                                        
323                                                   
324         struct something *instance;               
325                                                   
326         instance = kmalloc(struct_size(instanc    
327         instance->count = count;                  
328                                                   
329         size = sizeof(instance->items) * insta    
330         memcpy(instance->items, source, size);    
331                                                   
332 In the example above, we had to remember to ca    
333 the struct_size() helper, otherwise we would h    
334 memory for one too many ``items`` objects. The    
335 to implement this is through the use of a `fle    
336 struct_size() and flex_array_size() helpers::     
337                                                   
338         struct something {                        
339                 size_t count;                     
340                 struct foo items[];               
341         };                                        
342                                                   
343         struct something *instance;               
344                                                   
345         instance = kmalloc(struct_size(instanc    
346         instance->count = count;                  
347                                                   
348         memcpy(instance->items, source, flex_a    
349                                                   
350 There are two special cases of replacement whe    
351 helper needs to be used. (Note that it is name    
352 use in UAPI headers.) Those cases are when the    
353 alone in a struct or is part of a union. These    
354 specification, but for no technical reason (as    
355 existing use of such arrays in those places an    
356 DECLARE_FLEX_ARRAY() uses). For example, to co    
357                                                   
358         struct something {                        
359                 ...                               
360                 union {                           
361                         struct type1 one[0];      
362                         struct type2 two[0];      
363                 };                                
364         };                                        
365                                                   
366 The helper must be used::                         
367                                                   
368         struct something {                        
369                 ...                               
370                 union {                           
371                         DECLARE_FLEX_ARRAY(str    
372                         DECLARE_FLEX_ARRAY(str    
373                 };                                
374         };                                        
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php