1 .. SPDX-License-Identifier: GPL-2.0 1 .. SPDX-License-Identifier: GPL-2.0 2 2 3 .. _deprecated: 3 .. _deprecated: 4 4 5 ============================================== 5 ===================================================================== 6 Deprecated Interfaces, Language Features, Attr 6 Deprecated Interfaces, Language Features, Attributes, and Conventions 7 ============================================== 7 ===================================================================== 8 8 9 In a perfect world, it would be possible to co 9 In a perfect world, it would be possible to convert all instances of 10 some deprecated API into the new API and entir 10 some deprecated API into the new API and entirely remove the old API in 11 a single development cycle. However, due to th 11 a single development cycle. However, due to the size of the kernel, the 12 maintainership hierarchy, and timing, it's not 12 maintainership hierarchy, and timing, it's not always feasible to do these 13 kinds of conversions at once. This means that 13 kinds of conversions at once. This means that new instances may sneak into 14 the kernel while old ones are being removed, o 14 the kernel while old ones are being removed, only making the amount of 15 work to remove the API grow. In order to educa 15 work to remove the API grow. In order to educate developers about what 16 has been deprecated and why, this list has bee 16 has been deprecated and why, this list has been created as a place to 17 point when uses of deprecated things are propo 17 point when uses of deprecated things are proposed for inclusion in the 18 kernel. 18 kernel. 19 19 20 __deprecated 20 __deprecated 21 ------------ 21 ------------ 22 While this attribute does visually mark an int 22 While this attribute does visually mark an interface as deprecated, 23 it `does not produce warnings during builds an 23 it `does not produce warnings during builds any more 24 <https://git.kernel.org/linus/771c035372a036f8 24 <https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_ 25 because one of the standing goals of the kerne 25 because one of the standing goals of the kernel is to build without 26 warnings and no one was actually doing anythin 26 warnings and no one was actually doing anything to remove these deprecated 27 interfaces. While using `__deprecated` is nice 27 interfaces. While using `__deprecated` is nice to note an old API in 28 a header file, it isn't the full solution. Suc 28 a header file, it isn't the full solution. Such interfaces must either 29 be fully removed from the kernel, or added to 29 be fully removed from the kernel, or added to this file to discourage 30 others from using them in the future. 30 others from using them in the future. 31 31 32 BUG() and BUG_ON() 32 BUG() and BUG_ON() 33 ------------------ 33 ------------------ 34 Use WARN() and WARN_ON() instead, and handle t 34 Use WARN() and WARN_ON() instead, and handle the "impossible" 35 error condition as gracefully as possible. Whi 35 error condition as gracefully as possible. While the BUG()-family 36 of APIs were originally designed to act as an 36 of APIs were originally designed to act as an "impossible situation" 37 assert and to kill a kernel thread "safely", t 37 assert and to kill a kernel thread "safely", they turn out to just be 38 too risky. (e.g. "In what order do locks need 38 too risky. (e.g. "In what order do locks need to be released? Have 39 various states been restored?") Very commonly, 39 various states been restored?") Very commonly, using BUG() will 40 destabilize a system or entirely break it, whi 40 destabilize a system or entirely break it, which makes it impossible 41 to debug or even get viable crash reports. Lin 41 to debug or even get viable crash reports. Linus has `very strong 42 <https://lore.kernel.org/lkml/CA+55aFy6jNLsywVY 42 <https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_ 43 feelings `about this 43 feelings `about this 44 <https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTO 44 <https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/">https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_. 45 45 46 Note that the WARN()-family should only be use 46 Note that the WARN()-family should only be used for "expected to 47 be unreachable" situations. If you want to war 47 be unreachable" situations. If you want to warn about "reachable 48 but undesirable" situations, please use the pr 48 but undesirable" situations, please use the pr_warn()-family of 49 functions. System owners may have set the *pan 49 functions. System owners may have set the *panic_on_warn* sysctl, 50 to make sure their systems do not continue run 50 to make sure their systems do not continue running in the face of 51 "unreachable" conditions. (For example, see co 51 "unreachable" conditions. (For example, see commits like `this one 52 <https://git.kernel.org/linus/d4689846881d160a 52 <https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_.) 53 53 54 open-coded arithmetic in allocator arguments 54 open-coded arithmetic in allocator arguments 55 -------------------------------------------- 55 -------------------------------------------- 56 Dynamic size calculations (especially multipli 56 Dynamic size calculations (especially multiplication) should not be 57 performed in memory allocator (or similar) fun 57 performed in memory allocator (or similar) function arguments due to the 58 risk of them overflowing. This could lead to v 58 risk of them overflowing. This could lead to values wrapping around and a 59 smaller allocation being made than the caller 59 smaller allocation being made than the caller was expecting. Using those 60 allocations could lead to linear overflows of 60 allocations could lead to linear overflows of heap memory and other 61 misbehaviors. (One exception to this is litera 61 misbehaviors. (One exception to this is literal values where the compiler 62 can warn if they might overflow. However, the 62 can warn if they might overflow. However, the preferred way in these 63 cases is to refactor the code as suggested bel 63 cases is to refactor the code as suggested below to avoid the open-coded 64 arithmetic.) 64 arithmetic.) 65 65 66 For example, do not use ``count * size`` as an 66 For example, do not use ``count * size`` as an argument, as in:: 67 67 68 foo = kmalloc(count * size, GFP_KERNEL 68 foo = kmalloc(count * size, GFP_KERNEL); 69 69 70 Instead, the 2-factor form of the allocator sh 70 Instead, the 2-factor form of the allocator should be used:: 71 71 72 foo = kmalloc_array(count, size, GFP_K 72 foo = kmalloc_array(count, size, GFP_KERNEL); 73 73 74 Specifically, kmalloc() can be replaced with k 74 Specifically, kmalloc() can be replaced with kmalloc_array(), and 75 kzalloc() can be replaced with kcalloc(). 75 kzalloc() can be replaced with kcalloc(). 76 76 77 If no 2-factor form is available, the saturate 77 If no 2-factor form is available, the saturate-on-overflow helpers should 78 be used:: 78 be used:: 79 79 80 bar = dma_alloc_coherent(dev, array_si !! 80 bar = vmalloc(array_size(count, size)); 81 81 82 Another common case to avoid is calculating th 82 Another common case to avoid is calculating the size of a structure with 83 a trailing array of others structures, as in:: 83 a trailing array of others structures, as in:: 84 84 85 header = kzalloc(sizeof(*header) + cou 85 header = kzalloc(sizeof(*header) + count * sizeof(*header->item), 86 GFP_KERNEL); 86 GFP_KERNEL); 87 87 88 Instead, use the helper:: 88 Instead, use the helper:: 89 89 90 header = kzalloc(struct_size(header, i 90 header = kzalloc(struct_size(header, item, count), GFP_KERNEL); 91 91 92 .. note:: If you are using struct_size() on a 92 .. note:: If you are using struct_size() on a structure containing a zero-length 93 or a one-element array as a trailing a 93 or a one-element array as a trailing array member, please refactor such 94 array usage and switch to a `flexible 94 array usage and switch to a `flexible array member 95 <#zero-length-and-one-element-arrays>` 95 <#zero-length-and-one-element-arrays>`_ instead. 96 96 97 For other calculations, please compose the use 97 For other calculations, please compose the use of the size_mul(), 98 size_add(), and size_sub() helpers. For exampl 98 size_add(), and size_sub() helpers. For example, in the case of:: 99 99 100 foo = krealloc(current_size + chunk_si 100 foo = krealloc(current_size + chunk_size * (count - 3), GFP_KERNEL); 101 101 102 Instead, use the helpers:: 102 Instead, use the helpers:: 103 103 104 foo = krealloc(size_add(current_size, 104 foo = krealloc(size_add(current_size, 105 size_mul(chunk 105 size_mul(chunk_size, 106 size_ 106 size_sub(count, 3))), GFP_KERNEL); 107 107 108 For more details, also see array3_size() and f 108 For more details, also see array3_size() and flex_array_size(), 109 as well as the related check_mul_overflow(), c 109 as well as the related check_mul_overflow(), check_add_overflow(), 110 check_sub_overflow(), and check_shl_overflow() 110 check_sub_overflow(), and check_shl_overflow() family of functions. 111 111 112 simple_strtol(), simple_strtoll(), simple_strt 112 simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull() 113 ---------------------------------------------- 113 ---------------------------------------------------------------------- 114 The simple_strtol(), simple_strtoll(), 114 The simple_strtol(), simple_strtoll(), 115 simple_strtoul(), and simple_strtoull() functi 115 simple_strtoul(), and simple_strtoull() functions 116 explicitly ignore overflows, which may lead to 116 explicitly ignore overflows, which may lead to unexpected results 117 in callers. The respective kstrtol(), kstrtoll 117 in callers. The respective kstrtol(), kstrtoll(), 118 kstrtoul(), and kstrtoull() functions tend to 118 kstrtoul(), and kstrtoull() functions tend to be the 119 correct replacements, though note that those r 119 correct replacements, though note that those require the string to be 120 NUL or newline terminated. 120 NUL or newline terminated. 121 121 122 strcpy() 122 strcpy() 123 -------- 123 -------- 124 strcpy() performs no bounds checking on the de 124 strcpy() performs no bounds checking on the destination buffer. This 125 could result in linear overflows beyond the en 125 could result in linear overflows beyond the end of the buffer, leading to 126 all kinds of misbehaviors. While `CONFIG_FORTI 126 all kinds of misbehaviors. While `CONFIG_FORTIFY_SOURCE=y` and various 127 compiler flags help reduce the risk of using t 127 compiler flags help reduce the risk of using this function, there is 128 no good reason to add new uses of this functio 128 no good reason to add new uses of this function. The safe replacement 129 is strscpy(), though care must be given to any 129 is strscpy(), though care must be given to any cases where the return 130 value of strcpy() was used, since strscpy() do 130 value of strcpy() was used, since strscpy() does not return a pointer to 131 the destination, but rather a count of non-NUL 131 the destination, but rather a count of non-NUL bytes copied (or negative 132 errno when it truncates). 132 errno when it truncates). 133 133 134 strncpy() on NUL-terminated strings 134 strncpy() on NUL-terminated strings 135 ----------------------------------- 135 ----------------------------------- 136 Use of strncpy() does not guarantee that the d 136 Use of strncpy() does not guarantee that the destination buffer will 137 be NUL terminated. This can lead to various li 137 be NUL terminated. This can lead to various linear read overflows and 138 other misbehavior due to the missing terminati 138 other misbehavior due to the missing termination. It also NUL-pads 139 the destination buffer if the source contents 139 the destination buffer if the source contents are shorter than the 140 destination buffer size, which may be a needle 140 destination buffer size, which may be a needless performance penalty 141 for callers using only NUL-terminated strings. 141 for callers using only NUL-terminated strings. 142 142 143 When the destination is required to be NUL-ter 143 When the destination is required to be NUL-terminated, the replacement is 144 strscpy(), though care must be given to any ca 144 strscpy(), though care must be given to any cases where the return value 145 of strncpy() was used, since strscpy() does no 145 of strncpy() was used, since strscpy() does not return a pointer to the 146 destination, but rather a count of non-NUL byt 146 destination, but rather a count of non-NUL bytes copied (or negative 147 errno when it truncates). Any cases still need 147 errno when it truncates). Any cases still needing NUL-padding should 148 instead use strscpy_pad(). 148 instead use strscpy_pad(). 149 149 150 If a caller is using non-NUL-terminated string 150 If a caller is using non-NUL-terminated strings, strtomem() should be 151 used, and the destinations should be marked wi 151 used, and the destinations should be marked with the `__nonstring 152 <https://gcc.gnu.org/onlinedocs/gcc/Common-Var 152 <https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_ 153 attribute to avoid future compiler warnings. F 153 attribute to avoid future compiler warnings. For cases still needing 154 NUL-padding, strtomem_pad() can be used. 154 NUL-padding, strtomem_pad() can be used. 155 155 156 strlcpy() 156 strlcpy() 157 --------- 157 --------- 158 strlcpy() reads the entire source buffer first 158 strlcpy() reads the entire source buffer first (since the return value 159 is meant to match that of strlen()). This read 159 is meant to match that of strlen()). This read may exceed the destination 160 size limit. This is both inefficient and can l 160 size limit. This is both inefficient and can lead to linear read overflows 161 if a source string is not NUL-terminated. The 161 if a source string is not NUL-terminated. The safe replacement is strscpy(), 162 though care must be given to any cases where t 162 though care must be given to any cases where the return value of strlcpy() 163 is used, since strscpy() will return negative 163 is used, since strscpy() will return negative errno values when it truncates. 164 164 165 %p format specifier 165 %p format specifier 166 ------------------- 166 ------------------- 167 Traditionally, using "%p" in format strings wo 167 Traditionally, using "%p" in format strings would lead to regular address 168 exposure flaws in dmesg, proc, sysfs, etc. Ins 168 exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to 169 be exploitable, all "%p" uses in the kernel ar 169 be exploitable, all "%p" uses in the kernel are being printed as a hashed 170 value, rendering them unusable for addressing. 170 value, rendering them unusable for addressing. New uses of "%p" should not 171 be added to the kernel. For text addresses, us 171 be added to the kernel. For text addresses, using "%pS" is likely better, 172 as it produces the more useful symbol name ins 172 as it produces the more useful symbol name instead. For nearly everything 173 else, just do not add "%p" at all. 173 else, just do not add "%p" at all. 174 174 175 Paraphrasing Linus's current `guidance <https:/ 175 Paraphrasing Linus's current `guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/">https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_: 176 176 177 - If the hashed "%p" value is pointless, ask y 177 - If the hashed "%p" value is pointless, ask yourself whether the pointer 178 itself is important. Maybe it should be remo 178 itself is important. Maybe it should be removed entirely? 179 - If you really think the true pointer value i 179 - If you really think the true pointer value is important, why is some 180 system state or user privilege level conside 180 system state or user privilege level considered "special"? If you think 181 you can justify it (in comments and commit l 181 you can justify it (in comments and commit log) well enough to stand 182 up to Linus's scrutiny, maybe you can use "% 182 up to Linus's scrutiny, maybe you can use "%px", along with making sure 183 you have sensible permissions. 183 you have sensible permissions. 184 184 185 If you are debugging something where "%p" hash 185 If you are debugging something where "%p" hashing is causing problems, 186 you can temporarily boot with the debug flag " 186 you can temporarily boot with the debug flag "`no_hash_pointers 187 <https://git.kernel.org/linus/5ead723a20e0447b 187 <https://git.kernel.org/linus/5ead723a20e0447bc7db33dc3070b420e5f80aa6>`_". 188 188 189 Variable Length Arrays (VLAs) 189 Variable Length Arrays (VLAs) 190 ----------------------------- 190 ----------------------------- 191 Using stack VLAs produces much worse machine c 191 Using stack VLAs produces much worse machine code than statically 192 sized stack arrays. While these non-trivial `p 192 sized stack arrays. While these non-trivial `performance issues 193 <https://git.kernel.org/linus/02361bc77888>`_ 193 <https://git.kernel.org/linus/02361bc77888>`_ are reason enough to 194 eliminate VLAs, they are also a security risk. 194 eliminate VLAs, they are also a security risk. Dynamic growth of a stack 195 array may exceed the remaining memory in the s 195 array may exceed the remaining memory in the stack segment. This could 196 lead to a crash, possible overwriting sensitiv 196 lead to a crash, possible overwriting sensitive contents at the end of the 197 stack (when built without `CONFIG_THREAD_INFO_ 197 stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting 198 memory adjacent to the stack (when built witho 198 memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`) 199 199 200 Implicit switch case fall-through 200 Implicit switch case fall-through 201 --------------------------------- 201 --------------------------------- 202 The C language allows switch cases to fall thr 202 The C language allows switch cases to fall through to the next case 203 when a "break" statement is missing at the end 203 when a "break" statement is missing at the end of a case. This, however, 204 introduces ambiguity in the code, as it's not 204 introduces ambiguity in the code, as it's not always clear if the missing 205 break is intentional or a bug. For example, it 205 break is intentional or a bug. For example, it's not obvious just from 206 looking at the code if `STATE_ONE` is intentio 206 looking at the code if `STATE_ONE` is intentionally designed to fall 207 through into `STATE_TWO`:: 207 through into `STATE_TWO`:: 208 208 209 switch (value) { 209 switch (value) { 210 case STATE_ONE: 210 case STATE_ONE: 211 do_something(); 211 do_something(); 212 case STATE_TWO: 212 case STATE_TWO: 213 do_other(); 213 do_other(); 214 break; 214 break; 215 default: 215 default: 216 WARN("unknown state"); 216 WARN("unknown state"); 217 } 217 } 218 218 219 As there have been a long list of flaws `due t 219 As there have been a long list of flaws `due to missing "break" statements 220 <https://cwe.mitre.org/data/definitions/484.ht 220 <https://cwe.mitre.org/data/definitions/484.html>`_, we no longer allow 221 implicit fall-through. In order to identify in 221 implicit fall-through. In order to identify intentional fall-through 222 cases, we have adopted a pseudo-keyword macro 222 cases, we have adopted a pseudo-keyword macro "fallthrough" which 223 expands to gcc's extension `__attribute__((__f 223 expands to gcc's extension `__attribute__((__fallthrough__)) 224 <https://gcc.gnu.org/onlinedocs/gcc/Statement- 224 <https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_. 225 (When the C17/C18 `[[fallthrough]]` syntax is 225 (When the C17/C18 `[[fallthrough]]` syntax is more commonly supported by 226 C compilers, static analyzers, and IDEs, we ca 226 C compilers, static analyzers, and IDEs, we can switch to using that syntax 227 for the macro pseudo-keyword.) 227 for the macro pseudo-keyword.) 228 228 229 All switch/case blocks must end in one of: 229 All switch/case blocks must end in one of: 230 230 231 * break; 231 * break; 232 * fallthrough; 232 * fallthrough; 233 * continue; 233 * continue; 234 * goto <label>; 234 * goto <label>; 235 * return [expression]; 235 * return [expression]; 236 236 237 Zero-length and one-element arrays 237 Zero-length and one-element arrays 238 ---------------------------------- 238 ---------------------------------- 239 There is a regular need in the kernel to provi 239 There is a regular need in the kernel to provide a way to declare having 240 a dynamically sized set of trailing elements i 240 a dynamically sized set of trailing elements in a structure. Kernel code 241 should always use `"flexible array members" <h 241 should always use `"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_ 242 for these cases. The older style of one-elemen 242 for these cases. The older style of one-element or zero-length arrays should 243 no longer be used. 243 no longer be used. 244 244 245 In older C code, dynamically sized trailing el 245 In older C code, dynamically sized trailing elements were done by specifying 246 a one-element array at the end of a structure: 246 a one-element array at the end of a structure:: 247 247 248 struct something { 248 struct something { 249 size_t count; 249 size_t count; 250 struct foo items[1]; 250 struct foo items[1]; 251 }; 251 }; 252 252 253 This led to fragile size calculations via size 253 This led to fragile size calculations via sizeof() (which would need to 254 remove the size of the single trailing element 254 remove the size of the single trailing element to get a correct size of 255 the "header"). A `GNU C extension <https://gcc 255 the "header"). A `GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_ 256 was introduced to allow for zero-length arrays 256 was introduced to allow for zero-length arrays, to avoid these kinds of 257 size problems:: 257 size problems:: 258 258 259 struct something { 259 struct something { 260 size_t count; 260 size_t count; 261 struct foo items[0]; 261 struct foo items[0]; 262 }; 262 }; 263 263 264 But this led to other problems, and didn't sol 264 But this led to other problems, and didn't solve some problems shared by 265 both styles, like not being able to detect whe 265 both styles, like not being able to detect when such an array is accidentally 266 being used _not_ at the end of a structure (wh 266 being used _not_ at the end of a structure (which could happen directly, or 267 when such a struct was in unions, structs of s 267 when such a struct was in unions, structs of structs, etc). 268 268 269 C99 introduced "flexible array members", which 269 C99 introduced "flexible array members", which lacks a numeric size for 270 the array declaration entirely:: 270 the array declaration entirely:: 271 271 272 struct something { 272 struct something { 273 size_t count; 273 size_t count; 274 struct foo items[]; 274 struct foo items[]; 275 }; 275 }; 276 276 277 This is the way the kernel expects dynamically 277 This is the way the kernel expects dynamically sized trailing elements 278 to be declared. It allows the compiler to gene 278 to be declared. It allows the compiler to generate errors when the 279 flexible array does not occur last in the stru 279 flexible array does not occur last in the structure, which helps to prevent 280 some kind of `undefined behavior 280 some kind of `undefined behavior 281 <https://git.kernel.org/linus/76497732932f15e7 281 <https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_ 282 bugs from being inadvertently introduced to th 282 bugs from being inadvertently introduced to the codebase. It also allows 283 the compiler to correctly analyze array sizes 283 the compiler to correctly analyze array sizes (via sizeof(), 284 `CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOU 284 `CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOUNDS`). For instance, 285 there is no mechanism that warns us that the f 285 there is no mechanism that warns us that the following application of the 286 sizeof() operator to a zero-length array alway 286 sizeof() operator to a zero-length array always results in zero:: 287 287 288 struct something { 288 struct something { 289 size_t count; 289 size_t count; 290 struct foo items[0]; 290 struct foo items[0]; 291 }; 291 }; 292 292 293 struct something *instance; 293 struct something *instance; 294 294 295 instance = kmalloc(struct_size(instanc 295 instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL); 296 instance->count = count; 296 instance->count = count; 297 297 298 size = sizeof(instance->items) * insta 298 size = sizeof(instance->items) * instance->count; 299 memcpy(instance->items, source, size); 299 memcpy(instance->items, source, size); 300 300 301 At the last line of code above, ``size`` turns 301 At the last line of code above, ``size`` turns out to be ``zero``, when one might 302 have thought it represents the total size in b 302 have thought it represents the total size in bytes of the dynamic memory recently 303 allocated for the trailing array ``items``. He 303 allocated for the trailing array ``items``. Here are a couple examples of this 304 issue: `link 1 304 issue: `link 1 305 <https://git.kernel.org/linus/f2cd32a443da694a 305 <https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_, 306 `link 2 306 `link 2 307 <https://git.kernel.org/linus/ab91c2a89f86be28 307 <https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_. 308 Instead, `flexible array members have incomple 308 Instead, `flexible array members have incomplete type, and so the sizeof() 309 operator may not be applied <https://gcc.gnu.o 309 operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_, 310 so any misuse of such operators will be immedi 310 so any misuse of such operators will be immediately noticed at build time. 311 311 312 With respect to one-element arrays, one has to 312 With respect to one-element arrays, one has to be acutely aware that `such arrays 313 occupy at least as much space as a single obje 313 occupy at least as much space as a single object of the type 314 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Lengt 314 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_, 315 hence they contribute to the size of the enclo 315 hence they contribute to the size of the enclosing structure. This is prone 316 to error every time people want to calculate t 316 to error every time people want to calculate the total size of dynamic memory 317 to allocate for a structure containing an arra 317 to allocate for a structure containing an array of this kind as a member:: 318 318 319 struct something { 319 struct something { 320 size_t count; 320 size_t count; 321 struct foo items[1]; 321 struct foo items[1]; 322 }; 322 }; 323 323 324 struct something *instance; 324 struct something *instance; 325 325 326 instance = kmalloc(struct_size(instanc 326 instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL); 327 instance->count = count; 327 instance->count = count; 328 328 329 size = sizeof(instance->items) * insta 329 size = sizeof(instance->items) * instance->count; 330 memcpy(instance->items, source, size); 330 memcpy(instance->items, source, size); 331 331 332 In the example above, we had to remember to ca 332 In the example above, we had to remember to calculate ``count - 1`` when using 333 the struct_size() helper, otherwise we would h 333 the struct_size() helper, otherwise we would have --unintentionally-- allocated 334 memory for one too many ``items`` objects. The 334 memory for one too many ``items`` objects. The cleanest and least error-prone way 335 to implement this is through the use of a `fle 335 to implement this is through the use of a `flexible array member`, together with 336 struct_size() and flex_array_size() helpers:: 336 struct_size() and flex_array_size() helpers:: 337 337 338 struct something { 338 struct something { 339 size_t count; 339 size_t count; 340 struct foo items[]; 340 struct foo items[]; 341 }; 341 }; 342 342 343 struct something *instance; 343 struct something *instance; 344 344 345 instance = kmalloc(struct_size(instanc 345 instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL); 346 instance->count = count; 346 instance->count = count; 347 347 348 memcpy(instance->items, source, flex_a 348 memcpy(instance->items, source, flex_array_size(instance, items, instance->count)); 349 << 350 There are two special cases of replacement whe << 351 helper needs to be used. (Note that it is name << 352 use in UAPI headers.) Those cases are when the << 353 alone in a struct or is part of a union. These << 354 specification, but for no technical reason (as << 355 existing use of such arrays in those places an << 356 DECLARE_FLEX_ARRAY() uses). For example, to co << 357 << 358 struct something { << 359 ... << 360 union { << 361 struct type1 one[0]; << 362 struct type2 two[0]; << 363 }; << 364 }; << 365 << 366 The helper must be used:: << 367 << 368 struct something { << 369 ... << 370 union { << 371 DECLARE_FLEX_ARRAY(str << 372 DECLARE_FLEX_ARRAY(str << 373 }; << 374 }; <<
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.