1.. SPDX-License-Identifier: GPL-2.0 2 3.. _deprecated: 4 5===================================================================== 6Deprecated Interfaces, Language Features, Attributes, and Conventions 7===================================================================== 8 9In a perfect world, it would be possible to convert all instances of 10some deprecated API into the new API and entirely remove the old API in 11a single development cycle. However, due to the size of the kernel, the 12maintainership hierarchy, and timing, it's not always feasible to do these 13kinds of conversions at once. This means that new instances may sneak into 14the kernel while old ones are being removed, only making the amount of 15work to remove the API grow. In order to educate developers about what 16has been deprecated and why, this list has been created as a place to 17point when uses of deprecated things are proposed for inclusion in the 18kernel. 19 20__deprecated 21------------ 22While this attribute does visually mark an interface as deprecated, 23it `does not produce warnings during builds any more 24<https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_ 25because one of the standing goals of the kernel is to build without 26warnings and no one was actually doing anything to remove these deprecated 27interfaces. While using `__deprecated` is nice to note an old API in 28a header file, it isn't the full solution. Such interfaces must either 29be fully removed from the kernel, or added to this file to discourage 30others from using them in the future. 31 32BUG() and BUG_ON() 33------------------ 34Use WARN() and WARN_ON() instead, and handle the "impossible" 35error condition as gracefully as possible. While the BUG()-family 36of APIs were originally designed to act as an "impossible situation" 37assert and to kill a kernel thread "safely", they turn out to just be 38too risky. (e.g. "In what order do locks need to be released? Have 39various states been restored?") Very commonly, using BUG() will 40destabilize a system or entirely break it, which makes it impossible 41to debug or even get viable crash reports. Linus has `very strong 42<https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_ 43feelings `about this 44<https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_. 45 46Note that the WARN()-family should only be used for "expected to 47be unreachable" situations. If you want to warn about "reachable 48but undesirable" situations, please use the pr_warn()-family of 49functions. System owners may have set the *panic_on_warn* sysctl, 50to make sure their systems do not continue running in the face of 51"unreachable" conditions. (For example, see commits like `this one 52<https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_.) 53 54open-coded arithmetic in allocator arguments 55-------------------------------------------- 56Dynamic size calculations (especially multiplication) should not be 57performed in memory allocator (or similar) function arguments due to the 58risk of them overflowing. This could lead to values wrapping around and a 59smaller allocation being made than the caller was expecting. Using those 60allocations could lead to linear overflows of heap memory and other 61misbehaviors. (One exception to this is literal values where the compiler 62can warn if they might overflow. However, the preferred way in these 63cases is to refactor the code as suggested below to avoid the open-coded 64arithmetic.) 65 66For example, do not use ``count * size`` as an argument, as in:: 67 68 foo = kmalloc(count * size, GFP_KERNEL); 69 70Instead, the 2-factor form of the allocator should be used:: 71 72 foo = kmalloc_array(count, size, GFP_KERNEL); 73 74Specifically, kmalloc() can be replaced with kmalloc_array(), and 75kzalloc() can be replaced with kcalloc(). 76 77If no 2-factor form is available, the saturate-on-overflow helpers should 78be used:: 79 80 bar = vmalloc(array_size(count, size)); 81 82Another common case to avoid is calculating the size of a structure with 83a trailing array of others structures, as in:: 84 85 header = kzalloc(sizeof(*header) + count * sizeof(*header->item), 86 GFP_KERNEL); 87 88Instead, use the helper:: 89 90 header = kzalloc(struct_size(header, item, count), GFP_KERNEL); 91 92.. note:: If you are using struct_size() on a structure containing a zero-length 93 or a one-element array as a trailing array member, please refactor such 94 array usage and switch to a `flexible array member 95 <#zero-length-and-one-element-arrays>`_ instead. 96 97For other calculations, please compose the use of the size_mul(), 98size_add(), and size_sub() helpers. For example, in the case of:: 99 100 foo = krealloc(current_size + chunk_size * (count - 3), GFP_KERNEL); 101 102Instead, use the helpers:: 103 104 foo = krealloc(size_add(current_size, 105 size_mul(chunk_size, 106 size_sub(count, 3))), GFP_KERNEL); 107 108For more details, also see array3_size() and flex_array_size(), 109as well as the related check_mul_overflow(), check_add_overflow(), 110check_sub_overflow(), and check_shl_overflow() family of functions. 111 112simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull() 113---------------------------------------------------------------------- 114The simple_strtol(), simple_strtoll(), 115simple_strtoul(), and simple_strtoull() functions 116explicitly ignore overflows, which may lead to unexpected results 117in callers. The respective kstrtol(), kstrtoll(), 118kstrtoul(), and kstrtoull() functions tend to be the 119correct replacements, though note that those require the string to be 120NUL or newline terminated. 121 122strcpy() 123-------- 124strcpy() performs no bounds checking on the destination buffer. This 125could result in linear overflows beyond the end of the buffer, leading to 126all kinds of misbehaviors. While `CONFIG_FORTIFY_SOURCE=y` and various 127compiler flags help reduce the risk of using this function, there is 128no good reason to add new uses of this function. The safe replacement 129is strscpy(), though care must be given to any cases where the return 130value of strcpy() was used, since strscpy() does not return a pointer to 131the destination, but rather a count of non-NUL bytes copied (or negative 132errno when it truncates). 133 134strncpy() on NUL-terminated strings 135----------------------------------- 136Use of strncpy() does not guarantee that the destination buffer will 137be NUL terminated. This can lead to various linear read overflows and 138other misbehavior due to the missing termination. It also NUL-pads 139the destination buffer if the source contents are shorter than the 140destination buffer size, which may be a needless performance penalty 141for callers using only NUL-terminated strings. The safe replacement is 142strscpy(), though care must be given to any cases where the return value 143of strncpy() was used, since strscpy() does not return a pointer to the 144destination, but rather a count of non-NUL bytes copied (or negative 145errno when it truncates). Any cases still needing NUL-padding should 146instead use strscpy_pad(). 147 148If a caller is using non-NUL-terminated strings, strncpy() can 149still be used, but destinations should be marked with the `__nonstring 150<https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_ 151attribute to avoid future compiler warnings. 152 153strlcpy() 154--------- 155strlcpy() reads the entire source buffer first (since the return value 156is meant to match that of strlen()). This read may exceed the destination 157size limit. This is both inefficient and can lead to linear read overflows 158if a source string is not NUL-terminated. The safe replacement is strscpy(), 159though care must be given to any cases where the return value of strlcpy() 160is used, since strscpy() will return negative errno values when it truncates. 161 162%p format specifier 163------------------- 164Traditionally, using "%p" in format strings would lead to regular address 165exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to 166be exploitable, all "%p" uses in the kernel are being printed as a hashed 167value, rendering them unusable for addressing. New uses of "%p" should not 168be added to the kernel. For text addresses, using "%pS" is likely better, 169as it produces the more useful symbol name instead. For nearly everything 170else, just do not add "%p" at all. 171 172Paraphrasing Linus's current `guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_: 173 174- If the hashed "%p" value is pointless, ask yourself whether the pointer 175 itself is important. Maybe it should be removed entirely? 176- If you really think the true pointer value is important, why is some 177 system state or user privilege level considered "special"? If you think 178 you can justify it (in comments and commit log) well enough to stand 179 up to Linus's scrutiny, maybe you can use "%px", along with making sure 180 you have sensible permissions. 181 182If you are debugging something where "%p" hashing is causing problems, 183you can temporarily boot with the debug flag "`no_hash_pointers 184<https://git.kernel.org/linus/5ead723a20e0447bc7db33dc3070b420e5f80aa6>`_". 185 186Variable Length Arrays (VLAs) 187----------------------------- 188Using stack VLAs produces much worse machine code than statically 189sized stack arrays. While these non-trivial `performance issues 190<https://git.kernel.org/linus/02361bc77888>`_ are reason enough to 191eliminate VLAs, they are also a security risk. Dynamic growth of a stack 192array may exceed the remaining memory in the stack segment. This could 193lead to a crash, possible overwriting sensitive contents at the end of the 194stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting 195memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`) 196 197Implicit switch case fall-through 198--------------------------------- 199The C language allows switch cases to fall through to the next case 200when a "break" statement is missing at the end of a case. This, however, 201introduces ambiguity in the code, as it's not always clear if the missing 202break is intentional or a bug. For example, it's not obvious just from 203looking at the code if `STATE_ONE` is intentionally designed to fall 204through into `STATE_TWO`:: 205 206 switch (value) { 207 case STATE_ONE: 208 do_something(); 209 case STATE_TWO: 210 do_other(); 211 break; 212 default: 213 WARN("unknown state"); 214 } 215 216As there have been a long list of flaws `due to missing "break" statements 217<https://cwe.mitre.org/data/definitions/484.html>`_, we no longer allow 218implicit fall-through. In order to identify intentional fall-through 219cases, we have adopted a pseudo-keyword macro "fallthrough" which 220expands to gcc's extension `__attribute__((__fallthrough__)) 221<https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_. 222(When the C17/C18 `[[fallthrough]]` syntax is more commonly supported by 223C compilers, static analyzers, and IDEs, we can switch to using that syntax 224for the macro pseudo-keyword.) 225 226All switch/case blocks must end in one of: 227 228* break; 229* fallthrough; 230* continue; 231* goto <label>; 232* return [expression]; 233 234Zero-length and one-element arrays 235---------------------------------- 236There is a regular need in the kernel to provide a way to declare having 237a dynamically sized set of trailing elements in a structure. Kernel code 238should always use `"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_ 239for these cases. The older style of one-element or zero-length arrays should 240no longer be used. 241 242In older C code, dynamically sized trailing elements were done by specifying 243a one-element array at the end of a structure:: 244 245 struct something { 246 size_t count; 247 struct foo items[1]; 248 }; 249 250This led to fragile size calculations via sizeof() (which would need to 251remove the size of the single trailing element to get a correct size of 252the "header"). A `GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_ 253was introduced to allow for zero-length arrays, to avoid these kinds of 254size problems:: 255 256 struct something { 257 size_t count; 258 struct foo items[0]; 259 }; 260 261But this led to other problems, and didn't solve some problems shared by 262both styles, like not being able to detect when such an array is accidentally 263being used _not_ at the end of a structure (which could happen directly, or 264when such a struct was in unions, structs of structs, etc). 265 266C99 introduced "flexible array members", which lacks a numeric size for 267the array declaration entirely:: 268 269 struct something { 270 size_t count; 271 struct foo items[]; 272 }; 273 274This is the way the kernel expects dynamically sized trailing elements 275to be declared. It allows the compiler to generate errors when the 276flexible array does not occur last in the structure, which helps to prevent 277some kind of `undefined behavior 278<https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_ 279bugs from being inadvertently introduced to the codebase. It also allows 280the compiler to correctly analyze array sizes (via sizeof(), 281`CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOUNDS`). For instance, 282there is no mechanism that warns us that the following application of the 283sizeof() operator to a zero-length array always results in zero:: 284 285 struct something { 286 size_t count; 287 struct foo items[0]; 288 }; 289 290 struct something *instance; 291 292 instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL); 293 instance->count = count; 294 295 size = sizeof(instance->items) * instance->count; 296 memcpy(instance->items, source, size); 297 298At the last line of code above, ``size`` turns out to be ``zero``, when one might 299have thought it represents the total size in bytes of the dynamic memory recently 300allocated for the trailing array ``items``. Here are a couple examples of this 301issue: `link 1 302<https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_, 303`link 2 304<https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_. 305Instead, `flexible array members have incomplete type, and so the sizeof() 306operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_, 307so any misuse of such operators will be immediately noticed at build time. 308 309With respect to one-element arrays, one has to be acutely aware that `such arrays 310occupy at least as much space as a single object of the type 311<https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_, 312hence they contribute to the size of the enclosing structure. This is prone 313to error every time people want to calculate the total size of dynamic memory 314to allocate for a structure containing an array of this kind as a member:: 315 316 struct something { 317 size_t count; 318 struct foo items[1]; 319 }; 320 321 struct something *instance; 322 323 instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL); 324 instance->count = count; 325 326 size = sizeof(instance->items) * instance->count; 327 memcpy(instance->items, source, size); 328 329In the example above, we had to remember to calculate ``count - 1`` when using 330the struct_size() helper, otherwise we would have --unintentionally-- allocated 331memory for one too many ``items`` objects. The cleanest and least error-prone way 332to implement this is through the use of a `flexible array member`, together with 333struct_size() and flex_array_size() helpers:: 334 335 struct something { 336 size_t count; 337 struct foo items[]; 338 }; 339 340 struct something *instance; 341 342 instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL); 343 instance->count = count; 344 345 memcpy(instance->items, source, flex_array_size(instance, items, instance->count)); 346