1.. SPDX-License-Identifier: GPL-2.0 2 3.. _deprecated: 4 5===================================================================== 6Deprecated Interfaces, Language Features, Attributes, and Conventions 7===================================================================== 8 9In a perfect world, it would be possible to convert all instances of 10some deprecated API into the new API and entirely remove the old API in 11a single development cycle. However, due to the size of the kernel, the 12maintainership hierarchy, and timing, it's not always feasible to do these 13kinds of conversions at once. This means that new instances may sneak into 14the kernel while old ones are being removed, only making the amount of 15work to remove the API grow. In order to educate developers about what 16has been deprecated and why, this list has been created as a place to 17point when uses of deprecated things are proposed for inclusion in the 18kernel. 19 20__deprecated 21------------ 22While this attribute does visually mark an interface as deprecated, 23it `does not produce warnings during builds any more 24<https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_ 25because one of the standing goals of the kernel is to build without 26warnings and no one was actually doing anything to remove these deprecated 27interfaces. While using `__deprecated` is nice to note an old API in 28a header file, it isn't the full solution. Such interfaces must either 29be fully removed from the kernel, or added to this file to discourage 30others from using them in the future. 31 32BUG() and BUG_ON() 33------------------ 34Use WARN() and WARN_ON() instead, and handle the "impossible" 35error condition as gracefully as possible. While the BUG()-family 36of APIs were originally designed to act as an "impossible situation" 37assert and to kill a kernel thread "safely", they turn out to just be 38too risky. (e.g. "In what order do locks need to be released? Have 39various states been restored?") Very commonly, using BUG() will 40destabilize a system or entirely break it, which makes it impossible 41to debug or even get viable crash reports. Linus has `very strong 42<https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_ 43feelings `about this 44<https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_. 45 46Note that the WARN()-family should only be used for "expected to 47be unreachable" situations. If you want to warn about "reachable 48but undesirable" situations, please use the pr_warn()-family of 49functions. System owners may have set the *panic_on_warn* sysctl, 50to make sure their systems do not continue running in the face of 51"unreachable" conditions. (For example, see commits like `this one 52<https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_.) 53 54uninitialized_var() 55------------------- 56For any compiler warnings about uninitialized variables, just add 57an initializer. Using the uninitialized_var() macro (or similar 58warning-silencing tricks) is dangerous as it papers over `real bugs 59<https://lore.kernel.org/lkml/20200603174714.192027-1-glider@google.com/>`_ 60(or can in the future), and suppresses unrelated compiler warnings 61(e.g. "unused variable"). If the compiler thinks it is uninitialized, 62either simply initialize the variable or make compiler changes. Keep in 63mind that in most cases, if an initialization is obviously redundant, 64the compiler's dead-store elimination pass will make sure there are no 65needless variable writes. 66 67As Linus has said, this macro 68`must <https://lore.kernel.org/lkml/CA+55aFw+Vbj0i=1TGqCR5vQkCzWJ0QxK6CernOU6eedsudAixw@mail.gmail.com/>`_ 69`be <https://lore.kernel.org/lkml/CA+55aFwgbgqhbp1fkxvRKEpzyR5J8n1vKT1VZdz9knmPuXhOeg@mail.gmail.com/>`_ 70`removed <https://lore.kernel.org/lkml/CA+55aFz2500WfbKXAx8s67wrm9=yVJu65TpLgN_ybYNv0VEOKA@mail.gmail.com/>`_. 71 72open-coded arithmetic in allocator arguments 73-------------------------------------------- 74Dynamic size calculations (especially multiplication) should not be 75performed in memory allocator (or similar) function arguments due to the 76risk of them overflowing. This could lead to values wrapping around and a 77smaller allocation being made than the caller was expecting. Using those 78allocations could lead to linear overflows of heap memory and other 79misbehaviors. (One exception to this is literal values where the compiler 80can warn if they might overflow. Though using literals for arguments as 81suggested below is also harmless.) 82 83For example, do not use ``count * size`` as an argument, as in:: 84 85 foo = kmalloc(count * size, GFP_KERNEL); 86 87Instead, the 2-factor form of the allocator should be used:: 88 89 foo = kmalloc_array(count, size, GFP_KERNEL); 90 91If no 2-factor form is available, the saturate-on-overflow helpers should 92be used:: 93 94 bar = vmalloc(array_size(count, size)); 95 96Another common case to avoid is calculating the size of a structure with 97a trailing array of others structures, as in:: 98 99 header = kzalloc(sizeof(*header) + count * sizeof(*header->item), 100 GFP_KERNEL); 101 102Instead, use the helper:: 103 104 header = kzalloc(struct_size(header, item, count), GFP_KERNEL); 105 106.. note:: If you are using struct_size() on a structure containing a zero-length 107 or a one-element array as a trailing array member, please refactor such 108 array usage and switch to a `flexible array member 109 <#zero-length-and-one-element-arrays>`_ instead. 110 111See array_size(), array3_size(), and struct_size(), 112for more details as well as the related check_add_overflow() and 113check_mul_overflow() family of functions. 114 115simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull() 116---------------------------------------------------------------------- 117The simple_strtol(), simple_strtoll(), 118simple_strtoul(), and simple_strtoull() functions 119explicitly ignore overflows, which may lead to unexpected results 120in callers. The respective kstrtol(), kstrtoll(), 121kstrtoul(), and kstrtoull() functions tend to be the 122correct replacements, though note that those require the string to be 123NUL or newline terminated. 124 125strcpy() 126-------- 127strcpy() performs no bounds checking on the destination 128buffer. This could result in linear overflows beyond the 129end of the buffer, leading to all kinds of misbehaviors. While 130`CONFIG_FORTIFY_SOURCE=y` and various compiler flags help reduce the 131risk of using this function, there is no good reason to add new uses of 132this function. The safe replacement is strscpy(). 133 134strncpy() on NUL-terminated strings 135----------------------------------- 136Use of strncpy() does not guarantee that the destination buffer 137will be NUL terminated. This can lead to various linear read overflows 138and other misbehavior due to the missing termination. It also NUL-pads the 139destination buffer if the source contents are shorter than the destination 140buffer size, which may be a needless performance penalty for callers using 141only NUL-terminated strings. The safe replacement is strscpy(). 142(Users of strscpy() still needing NUL-padding should instead 143use strscpy_pad().) 144 145If a caller is using non-NUL-terminated strings, strncpy()() can 146still be used, but destinations should be marked with the `__nonstring 147<https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_ 148attribute to avoid future compiler warnings. 149 150strlcpy() 151--------- 152strlcpy() reads the entire source buffer first, possibly exceeding 153the given limit of bytes to copy. This is inefficient and can lead to 154linear read overflows if a source string is not NUL-terminated. The 155safe replacement is strscpy(). 156 157%p format specifier 158------------------- 159Traditionally, using "%p" in format strings would lead to regular address 160exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to 161be exploitable, all "%p" uses in the kernel are being printed as a hashed 162value, rendering them unusable for addressing. New uses of "%p" should not 163be added to the kernel. For text addresses, using "%pS" is likely better, 164as it produces the more useful symbol name instead. For nearly everything 165else, just do not add "%p" at all. 166 167Paraphrasing Linus's current `guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_: 168 169- If the hashed "%p" value is pointless, ask yourself whether the pointer 170 itself is important. Maybe it should be removed entirely? 171- If you really think the true pointer value is important, why is some 172 system state or user privilege level considered "special"? If you think 173 you can justify it (in comments and commit log) well enough to stand 174 up to Linus's scrutiny, maybe you can use "%px", along with making sure 175 you have sensible permissions. 176 177And finally, know that a toggle for "%p" hashing will `not be accepted <https://lore.kernel.org/lkml/CA+55aFwieC1-nAs+NFq9RTwaR8ef9hWa4MjNBWL41F-8wM49eA@mail.gmail.com/>`_. 178 179Variable Length Arrays (VLAs) 180----------------------------- 181Using stack VLAs produces much worse machine code than statically 182sized stack arrays. While these non-trivial `performance issues 183<https://git.kernel.org/linus/02361bc77888>`_ are reason enough to 184eliminate VLAs, they are also a security risk. Dynamic growth of a stack 185array may exceed the remaining memory in the stack segment. This could 186lead to a crash, possible overwriting sensitive contents at the end of the 187stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting 188memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`) 189 190Implicit switch case fall-through 191--------------------------------- 192The C language allows switch cases to fall through to the next case 193when a "break" statement is missing at the end of a case. This, however, 194introduces ambiguity in the code, as it's not always clear if the missing 195break is intentional or a bug. For example, it's not obvious just from 196looking at the code if `STATE_ONE` is intentionally designed to fall 197through into `STATE_TWO`:: 198 199 switch (value) { 200 case STATE_ONE: 201 do_something(); 202 case STATE_TWO: 203 do_other(); 204 break; 205 default: 206 WARN("unknown state"); 207 } 208 209As there have been a long list of flaws `due to missing "break" statements 210<https://cwe.mitre.org/data/definitions/484.html>`_, we no longer allow 211implicit fall-through. In order to identify intentional fall-through 212cases, we have adopted a pseudo-keyword macro "fallthrough" which 213expands to gcc's extension `__attribute__((__fallthrough__)) 214<https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_. 215(When the C17/C18 `[[fallthrough]]` syntax is more commonly supported by 216C compilers, static analyzers, and IDEs, we can switch to using that syntax 217for the macro pseudo-keyword.) 218 219All switch/case blocks must end in one of: 220 221* break; 222* fallthrough; 223* continue; 224* goto <label>; 225* return [expression]; 226 227Zero-length and one-element arrays 228---------------------------------- 229There is a regular need in the kernel to provide a way to declare having 230a dynamically sized set of trailing elements in a structure. Kernel code 231should always use `"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_ 232for these cases. The older style of one-element or zero-length arrays should 233no longer be used. 234 235In older C code, dynamically sized trailing elements were done by specifying 236a one-element array at the end of a structure:: 237 238 struct something { 239 size_t count; 240 struct foo items[1]; 241 }; 242 243This led to fragile size calculations via sizeof() (which would need to 244remove the size of the single trailing element to get a correct size of 245the "header"). A `GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_ 246was introduced to allow for zero-length arrays, to avoid these kinds of 247size problems:: 248 249 struct something { 250 size_t count; 251 struct foo items[0]; 252 }; 253 254But this led to other problems, and didn't solve some problems shared by 255both styles, like not being able to detect when such an array is accidentally 256being used _not_ at the end of a structure (which could happen directly, or 257when such a struct was in unions, structs of structs, etc). 258 259C99 introduced "flexible array members", which lacks a numeric size for 260the array declaration entirely:: 261 262 struct something { 263 size_t count; 264 struct foo items[]; 265 }; 266 267This is the way the kernel expects dynamically sized trailing elements 268to be declared. It allows the compiler to generate errors when the 269flexible array does not occur last in the structure, which helps to prevent 270some kind of `undefined behavior 271<https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_ 272bugs from being inadvertently introduced to the codebase. It also allows 273the compiler to correctly analyze array sizes (via sizeof(), 274`CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOUNDS`). For instance, 275there is no mechanism that warns us that the following application of the 276sizeof() operator to a zero-length array always results in zero:: 277 278 struct something { 279 size_t count; 280 struct foo items[0]; 281 }; 282 283 struct something *instance; 284 285 instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL); 286 instance->count = count; 287 288 size = sizeof(instance->items) * instance->count; 289 memcpy(instance->items, source, size); 290 291At the last line of code above, ``size`` turns out to be ``zero``, when one might 292have thought it represents the total size in bytes of the dynamic memory recently 293allocated for the trailing array ``items``. Here are a couple examples of this 294issue: `link 1 295<https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_, 296`link 2 297<https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_. 298Instead, `flexible array members have incomplete type, and so the sizeof() 299operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_, 300so any misuse of such operators will be immediately noticed at build time. 301 302With respect to one-element arrays, one has to be acutely aware that `such arrays 303occupy at least as much space as a single object of the type 304<https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_, 305hence they contribute to the size of the enclosing structure. This is prone 306to error every time people want to calculate the total size of dynamic memory 307to allocate for a structure containing an array of this kind as a member:: 308 309 struct something { 310 size_t count; 311 struct foo items[1]; 312 }; 313 314 struct something *instance; 315 316 instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL); 317 instance->count = count; 318 319 size = sizeof(instance->items) * instance->count; 320 memcpy(instance->items, source, size); 321 322In the example above, we had to remember to calculate ``count - 1`` when using 323the struct_size() helper, otherwise we would have --unintentionally-- allocated 324memory for one too many ``items`` objects. The cleanest and least error-prone way 325to implement this is through the use of a `flexible array member`:: 326 327 struct something { 328 size_t count; 329 struct foo items[]; 330 }; 331 332 struct something *instance; 333 334 instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL); 335 instance->count = count; 336 337 size = sizeof(instance->items[0]) * instance->count; 338 memcpy(instance->items, source, size); 339