xref: /linux/Documentation/process/deprecated.rst (revision d639d9fa162aadec1ae9980c4dcf6e50bd2f8290) 
1.. SPDX-License-Identifier: GPL-2.0
2
3.. _deprecated:
4
5=====================================================================
6Deprecated Interfaces, Language Features, Attributes, and Conventions
7=====================================================================
8
9In a perfect world, it would be possible to convert all instances of
10some deprecated API into the new API and entirely remove the old API in
11a single development cycle. However, due to the size of the kernel, the
12maintainership hierarchy, and timing, it's not always feasible to do these
13kinds of conversions at once. This means that new instances may sneak into
14the kernel while old ones are being removed, only making the amount of
15work to remove the API grow. In order to educate developers about what
16has been deprecated and why, this list has been created as a place to
17point when uses of deprecated things are proposed for inclusion in the
18kernel.
19
20__deprecated
21------------
22While this attribute does visually mark an interface as deprecated,
23it `does not produce warnings during builds any more
24<https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_
25because one of the standing goals of the kernel is to build without
26warnings and no one was actually doing anything to remove these deprecated
27interfaces. While using `__deprecated` is nice to note an old API in
28a header file, it isn't the full solution. Such interfaces must either
29be fully removed from the kernel, or added to this file to discourage
30others from using them in the future.
31
32BUG() and BUG_ON()
33------------------
34Use WARN() and WARN_ON() instead, and handle the "impossible"
35error condition as gracefully as possible. While the BUG()-family
36of APIs were originally designed to act as an "impossible situation"
37assert and to kill a kernel thread "safely", they turn out to just be
38too risky. (e.g. "In what order do locks need to be released? Have
39various states been restored?") Very commonly, using BUG() will
40destabilize a system or entirely break it, which makes it impossible
41to debug or even get viable crash reports. Linus has `very strong
42<https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_
43feelings `about this
44<https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_.
45
46Note that the WARN()-family should only be used for "expected to
47be unreachable" situations. If you want to warn about "reachable
48but undesirable" situations, please use the pr_warn()-family of
49functions. System owners may have set the *panic_on_warn* sysctl,
50to make sure their systems do not continue running in the face of
51"unreachable" conditions. (For example, see commits like `this one
52<https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_.)
53
54open-coded arithmetic in allocator arguments
55--------------------------------------------
56Dynamic size calculations (especially multiplication) should not be
57performed in memory allocator (or similar) function arguments due to the
58risk of them overflowing. This could lead to values wrapping around and a
59smaller allocation being made than the caller was expecting. Using those
60allocations could lead to linear overflows of heap memory and other
61misbehaviors. (One exception to this is literal values where the compiler
62can warn if they might overflow. However, the preferred way in these
63cases is to refactor the code as suggested below to avoid the open-coded
64arithmetic.)
65
66For example, do not use ``count * size`` as an argument, as in::
67
68	foo = kmalloc(count * size, GFP_KERNEL);
69
70Instead, the 2-factor form of the allocator should be used::
71
72	foo = kmalloc_array(count, size, GFP_KERNEL);
73
74Specifically, kmalloc() can be replaced with kmalloc_array(), and
75kzalloc() can be replaced with kcalloc().
76
77If no 2-factor form is available, the saturate-on-overflow helpers should
78be used::
79
80	bar = dma_alloc_coherent(dev, array_size(count, size), &dma, GFP_KERNEL);
81
82Another common case to avoid is calculating the size of a structure with
83a trailing array of others structures, as in::
84
85	header = kzalloc(sizeof(*header) + count * sizeof(*header->item),
86			 GFP_KERNEL);
87
88Instead, use the helper::
89
90	header = kzalloc(struct_size(header, item, count), GFP_KERNEL);
91
92.. note:: If you are using struct_size() on a structure containing a zero-length
93        or a one-element array as a trailing array member, please refactor such
94        array usage and switch to a `flexible array member
95        <#zero-length-and-one-element-arrays>`_ instead.
96
97For other calculations, please compose the use of the size_mul(),
98size_add(), and size_sub() helpers. For example, in the case of::
99
100	foo = krealloc(current_size + chunk_size * (count - 3), GFP_KERNEL);
101
102Instead, use the helpers::
103
104	foo = krealloc(size_add(current_size,
105				size_mul(chunk_size,
106					 size_sub(count, 3))), GFP_KERNEL);
107
108For more details, also see array3_size() and flex_array_size(),
109as well as the related check_mul_overflow(), check_add_overflow(),
110check_sub_overflow(), and check_shl_overflow() family of functions.
111
112simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull()
113----------------------------------------------------------------------
114The simple_strtol(), simple_strtoll(),
115simple_strtoul(), and simple_strtoull() functions
116explicitly ignore overflows, which may lead to unexpected results
117in callers. The respective kstrtol(), kstrtoll(),
118kstrtoul(), and kstrtoull() functions tend to be the
119correct replacements, though note that those require the string to be
120NUL or newline terminated.
121
122strcpy()
123--------
124strcpy() performs no bounds checking on the destination buffer. This
125could result in linear overflows beyond the end of the buffer, leading to
126all kinds of misbehaviors. While `CONFIG_FORTIFY_SOURCE=y` and various
127compiler flags help reduce the risk of using this function, there is
128no good reason to add new uses of this function. The safe replacement
129is strscpy(), though care must be given to any cases where the return
130value of strcpy() was used, since strscpy() does not return a pointer to
131the destination, but rather a count of non-NUL bytes copied (or negative
132errno when it truncates).
133
134strncpy()
135---------
136strncpy() has been removed from the kernel. All former callers have
137been migrated to safer alternatives.
138
139strncpy() did not guarantee NUL-termination of the destination buffer,
140leading to linear read overflows and other misbehavior. It also
141unconditionally NUL-padded the destination, which was a needless
142performance penalty for callers using only NUL-terminated strings. Due
143to its various behaviors, it was an ambiguous API for determining what
144an author's true intent was for the copy.
145
146The replacements for strncpy() are:
147
148- strscpy() when the destination must be NUL-terminated.
149- strscpy_pad() when the destination must be NUL-terminated and
150  zero-padded (e.g., structs crossing privilege boundaries).
151- memtostr() for NUL-terminated destinations from non-NUL-terminated
152  fixed-width sources (with the `__nonstring` attribute on the source).
153- memtostr_pad() for the same, but with zero-padding.
154- strtomem() for non-NUL-terminated fixed-width destinations, with
155  the `__nonstring` attribute on the destination.
156- strtomem_pad() for non-NUL-terminated destinations that also need
157  zero-padding.
158- memcpy_and_pad() for bounded copies from potentially unterminated
159  sources where the destination size is a runtime value.
160
161strlcpy()
162---------
163strlcpy() reads the entire source buffer first (since the return value
164is meant to match that of strlen()). This read may exceed the destination
165size limit. This is both inefficient and can lead to linear read overflows
166if a source string is not NUL-terminated. The safe replacement is strscpy(),
167though care must be given to any cases where the return value of strlcpy()
168is used, since strscpy() will return negative errno values when it truncates.
169
170%p format specifier
171-------------------
172Traditionally, using "%p" in format strings would lead to regular address
173exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to
174be exploitable, all "%p" uses in the kernel are being printed as a hashed
175value, rendering them unusable for addressing. New uses of "%p" should not
176be added to the kernel. For text addresses, using "%pS" is likely better,
177as it produces the more useful symbol name instead. For nearly everything
178else, just do not add "%p" at all.
179
180Paraphrasing Linus's current `guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_:
181
182- If the hashed "%p" value is pointless, ask yourself whether the pointer
183  itself is important. Maybe it should be removed entirely?
184- If you really think the true pointer value is important, why is some
185  system state or user privilege level considered "special"? If you think
186  you can justify it (in comments and commit log) well enough to stand
187  up to Linus's scrutiny, maybe you can use "%px", along with making sure
188  you have sensible permissions.
189
190If you are debugging something where "%p" hashing is causing problems,
191you can temporarily boot with the debug flag "`no_hash_pointers
192<https://git.kernel.org/linus/5ead723a20e0447bc7db33dc3070b420e5f80aa6>`_".
193
194Variable Length Arrays (VLAs)
195-----------------------------
196Using stack VLAs produces much worse machine code than statically
197sized stack arrays. While these non-trivial `performance issues
198<https://git.kernel.org/linus/02361bc77888>`_ are reason enough to
199eliminate VLAs, they are also a security risk. Dynamic growth of a stack
200array may exceed the remaining memory in the stack segment. This could
201lead to a crash, possible overwriting sensitive contents at the end of the
202stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting
203memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`)
204
205Implicit switch case fall-through
206---------------------------------
207The C language allows switch cases to fall through to the next case
208when a "break" statement is missing at the end of a case. This, however,
209introduces ambiguity in the code, as it's not always clear if the missing
210break is intentional or a bug. For example, it's not obvious just from
211looking at the code if `STATE_ONE` is intentionally designed to fall
212through into `STATE_TWO`::
213
214	switch (value) {
215	case STATE_ONE:
216		do_something();
217	case STATE_TWO:
218		do_other();
219		break;
220	default:
221		WARN("unknown state");
222	}
223
224As there have been a long list of flaws `due to missing "break" statements
225<https://cwe.mitre.org/data/definitions/484.html>`_, we no longer allow
226implicit fall-through. In order to identify intentional fall-through
227cases, we have adopted a pseudo-keyword macro "fallthrough" which
228expands to gcc's extension `__attribute__((__fallthrough__))
229<https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_.
230(When the C17/C18  `[[fallthrough]]` syntax is more commonly supported by
231C compilers, static analyzers, and IDEs, we can switch to using that syntax
232for the macro pseudo-keyword.)
233
234All switch/case blocks must end in one of:
235
236* break;
237* fallthrough;
238* continue;
239* goto <label>;
240* return [expression];
241
242Zero-length and one-element arrays
243----------------------------------
244There is a regular need in the kernel to provide a way to declare having
245a dynamically sized set of trailing elements in a structure. Kernel code
246should always use `"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_
247for these cases. The older style of one-element or zero-length arrays should
248no longer be used.
249
250In older C code, dynamically sized trailing elements were done by specifying
251a one-element array at the end of a structure::
252
253        struct something {
254                size_t count;
255                struct foo items[1];
256        };
257
258This led to fragile size calculations via sizeof() (which would need to
259remove the size of the single trailing element to get a correct size of
260the "header"). A `GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_
261was introduced to allow for zero-length arrays, to avoid these kinds of
262size problems::
263
264        struct something {
265                size_t count;
266                struct foo items[0];
267        };
268
269But this led to other problems, and didn't solve some problems shared by
270both styles, like not being able to detect when such an array is accidentally
271being used _not_ at the end of a structure (which could happen directly, or
272when such a struct was in unions, structs of structs, etc).
273
274C99 introduced "flexible array members", which lacks a numeric size for
275the array declaration entirely::
276
277        struct something {
278                size_t count;
279                struct foo items[];
280        };
281
282This is the way the kernel expects dynamically sized trailing elements
283to be declared. It allows the compiler to generate errors when the
284flexible array does not occur last in the structure, which helps to prevent
285some kind of `undefined behavior
286<https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_
287bugs from being inadvertently introduced to the codebase. It also allows
288the compiler to correctly analyze array sizes (via sizeof(),
289`CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOUNDS`). For instance,
290there is no mechanism that warns us that the following application of the
291sizeof() operator to a zero-length array always results in zero::
292
293        struct something {
294                size_t count;
295                struct foo items[0];
296        };
297
298        struct something *instance;
299
300        instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
301        instance->count = count;
302
303        size = sizeof(instance->items) * instance->count;
304        memcpy(instance->items, source, size);
305
306At the last line of code above, ``size`` turns out to be ``zero``, when one might
307have thought it represents the total size in bytes of the dynamic memory recently
308allocated for the trailing array ``items``. Here are a couple examples of this
309issue: `link 1
310<https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_,
311`link 2
312<https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_.
313Instead, `flexible array members have incomplete type, and so the sizeof()
314operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
315so any misuse of such operators will be immediately noticed at build time.
316
317With respect to one-element arrays, one has to be acutely aware that `such arrays
318occupy at least as much space as a single object of the type
319<https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
320hence they contribute to the size of the enclosing structure. This is prone
321to error every time people want to calculate the total size of dynamic memory
322to allocate for a structure containing an array of this kind as a member::
323
324        struct something {
325                size_t count;
326                struct foo items[1];
327        };
328
329        struct something *instance;
330
331        instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL);
332        instance->count = count;
333
334        size = sizeof(instance->items) * instance->count;
335        memcpy(instance->items, source, size);
336
337In the example above, we had to remember to calculate ``count - 1`` when using
338the struct_size() helper, otherwise we would have --unintentionally-- allocated
339memory for one too many ``items`` objects. The cleanest and least error-prone way
340to implement this is through the use of a `flexible array member`, together with
341struct_size() and flex_array_size() helpers::
342
343        struct something {
344                size_t count;
345                struct foo items[];
346        };
347
348        struct something *instance;
349
350        instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
351        instance->count = count;
352
353        memcpy(instance->items, source, flex_array_size(instance, items, instance->count));
354
355There are two special cases of replacement where the DECLARE_FLEX_ARRAY()
356helper needs to be used. (Note that it is named __DECLARE_FLEX_ARRAY() for
357use in UAPI headers.) Those cases are when the flexible array is either
358alone in a struct or is part of a union. These are disallowed by the C99
359specification, but for no technical reason (as can be seen by both the
360existing use of such arrays in those places and the work-around that
361DECLARE_FLEX_ARRAY() uses). For example, to convert this::
362
363	struct something {
364		...
365		union {
366			struct type1 one[0];
367			struct type2 two[0];
368		};
369	};
370
371The helper must be used::
372
373	struct something {
374		...
375		union {
376			DECLARE_FLEX_ARRAY(struct type1, one);
377			DECLARE_FLEX_ARRAY(struct type2, two);
378		};
379	};
380
381Open-coded kmalloc assignments for struct objects
382-------------------------------------------------
383Performing open-coded kmalloc()-family allocation assignments prevents
384the kernel (and compiler) from being able to examine the type of the
385variable being assigned, which limits any related introspection that
386may help with alignment, wrap-around, or additional hardening. The
387kmalloc_obj()-family of macros provide this introspection, which can be
388used for the common code patterns for single, array, and flexible object
389allocations. For example, these open coded assignments::
390
391	ptr = kmalloc(sizeof(*ptr), gfp);
392	ptr = kzalloc(sizeof(*ptr), gfp);
393	ptr = kmalloc_array(count, sizeof(*ptr), gfp);
394	ptr = kcalloc(count, sizeof(*ptr), gfp);
395	ptr = kmalloc(struct_size(ptr, flex_member, count), gfp);
396	ptr = kmalloc(sizeof(struct foo), gfp);
397
398become, respectively::
399
400	ptr = kmalloc_obj(*ptr [, gfp] );
401	ptr = kzalloc_obj(*ptr [, gfp] );
402	ptr = kmalloc_objs(*ptr, count [, gfp] );
403	ptr = kzalloc_objs(*ptr, count [, gfp] );
404	ptr = kmalloc_flex(*ptr, flex_member, count [, gfp] );
405	__auto_type ptr = kmalloc_obj(struct foo [, gfp] );
406
407The argument gfp is optional, the default value is GFP_KERNEL.
408If `ptr->flex_member` is annotated with __counted_by(), the allocation
409will automatically fail if `count` is larger than the maximum
410representable value that can be stored in the counter member associated
411with `flex_member`.
412