xref: /linux/Documentation/process/deprecated.rst (revision dec1c62e91ba268ab2a6e339d4d7a59287d5eba1)
1.. SPDX-License-Identifier: GPL-2.0
2
3.. _deprecated:
4
5=====================================================================
6Deprecated Interfaces, Language Features, Attributes, and Conventions
7=====================================================================
8
9In a perfect world, it would be possible to convert all instances of
10some deprecated API into the new API and entirely remove the old API in
11a single development cycle. However, due to the size of the kernel, the
12maintainership hierarchy, and timing, it's not always feasible to do these
13kinds of conversions at once. This means that new instances may sneak into
14the kernel while old ones are being removed, only making the amount of
15work to remove the API grow. In order to educate developers about what
16has been deprecated and why, this list has been created as a place to
17point when uses of deprecated things are proposed for inclusion in the
18kernel.
19
20__deprecated
21------------
22While this attribute does visually mark an interface as deprecated,
23it `does not produce warnings during builds any more
24<https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_
25because one of the standing goals of the kernel is to build without
26warnings and no one was actually doing anything to remove these deprecated
27interfaces. While using `__deprecated` is nice to note an old API in
28a header file, it isn't the full solution. Such interfaces must either
29be fully removed from the kernel, or added to this file to discourage
30others from using them in the future.
31
32BUG() and BUG_ON()
33------------------
34Use WARN() and WARN_ON() instead, and handle the "impossible"
35error condition as gracefully as possible. While the BUG()-family
36of APIs were originally designed to act as an "impossible situation"
37assert and to kill a kernel thread "safely", they turn out to just be
38too risky. (e.g. "In what order do locks need to be released? Have
39various states been restored?") Very commonly, using BUG() will
40destabilize a system or entirely break it, which makes it impossible
41to debug or even get viable crash reports. Linus has `very strong
42<https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_
43feelings `about this
44<https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_.
45
46Note that the WARN()-family should only be used for "expected to
47be unreachable" situations. If you want to warn about "reachable
48but undesirable" situations, please use the pr_warn()-family of
49functions. System owners may have set the *panic_on_warn* sysctl,
50to make sure their systems do not continue running in the face of
51"unreachable" conditions. (For example, see commits like `this one
52<https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_.)
53
54open-coded arithmetic in allocator arguments
55--------------------------------------------
56Dynamic size calculations (especially multiplication) should not be
57performed in memory allocator (or similar) function arguments due to the
58risk of them overflowing. This could lead to values wrapping around and a
59smaller allocation being made than the caller was expecting. Using those
60allocations could lead to linear overflows of heap memory and other
61misbehaviors. (One exception to this is literal values where the compiler
62can warn if they might overflow. However, the preferred way in these
63cases is to refactor the code as suggested below to avoid the open-coded
64arithmetic.)
65
66For example, do not use ``count * size`` as an argument, as in::
67
68	foo = kmalloc(count * size, GFP_KERNEL);
69
70Instead, the 2-factor form of the allocator should be used::
71
72	foo = kmalloc_array(count, size, GFP_KERNEL);
73
74Specifically, kmalloc() can be replaced with kmalloc_array(), and
75kzalloc() can be replaced with kcalloc().
76
77If no 2-factor form is available, the saturate-on-overflow helpers should
78be used::
79
80	bar = vmalloc(array_size(count, size));
81
82Another common case to avoid is calculating the size of a structure with
83a trailing array of others structures, as in::
84
85	header = kzalloc(sizeof(*header) + count * sizeof(*header->item),
86			 GFP_KERNEL);
87
88Instead, use the helper::
89
90	header = kzalloc(struct_size(header, item, count), GFP_KERNEL);
91
92.. note:: If you are using struct_size() on a structure containing a zero-length
93        or a one-element array as a trailing array member, please refactor such
94        array usage and switch to a `flexible array member
95        <#zero-length-and-one-element-arrays>`_ instead.
96
97For other calculations, please compose the use of the size_mul(),
98size_add(), and size_sub() helpers. For example, in the case of::
99
100	foo = krealloc(current_size + chunk_size * (count - 3), GFP_KERNEL);
101
102Instead, use the helpers::
103
104	foo = krealloc(size_add(current_size,
105				size_mul(chunk_size,
106					 size_sub(count, 3))), GFP_KERNEL);
107
108For more details, also see array3_size() and flex_array_size(),
109as well as the related check_mul_overflow(), check_add_overflow(),
110check_sub_overflow(), and check_shl_overflow() family of functions.
111
112simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull()
113----------------------------------------------------------------------
114The simple_strtol(), simple_strtoll(),
115simple_strtoul(), and simple_strtoull() functions
116explicitly ignore overflows, which may lead to unexpected results
117in callers. The respective kstrtol(), kstrtoll(),
118kstrtoul(), and kstrtoull() functions tend to be the
119correct replacements, though note that those require the string to be
120NUL or newline terminated.
121
122strcpy()
123--------
124strcpy() performs no bounds checking on the destination buffer. This
125could result in linear overflows beyond the end of the buffer, leading to
126all kinds of misbehaviors. While `CONFIG_FORTIFY_SOURCE=y` and various
127compiler flags help reduce the risk of using this function, there is
128no good reason to add new uses of this function. The safe replacement
129is strscpy(), though care must be given to any cases where the return
130value of strcpy() was used, since strscpy() does not return a pointer to
131the destination, but rather a count of non-NUL bytes copied (or negative
132errno when it truncates).
133
134strncpy() on NUL-terminated strings
135-----------------------------------
136Use of strncpy() does not guarantee that the destination buffer will
137be NUL terminated. This can lead to various linear read overflows and
138other misbehavior due to the missing termination. It also NUL-pads
139the destination buffer if the source contents are shorter than the
140destination buffer size, which may be a needless performance penalty
141for callers using only NUL-terminated strings. The safe replacement is
142strscpy(), though care must be given to any cases where the return value
143of strncpy() was used, since strscpy() does not return a pointer to the
144destination, but rather a count of non-NUL bytes copied (or negative
145errno when it truncates). Any cases still needing NUL-padding should
146instead use strscpy_pad().
147
148If a caller is using non-NUL-terminated strings, strncpy() can
149still be used, but destinations should be marked with the `__nonstring
150<https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_
151attribute to avoid future compiler warnings.
152
153strlcpy()
154---------
155strlcpy() reads the entire source buffer first (since the return value
156is meant to match that of strlen()). This read may exceed the destination
157size limit. This is both inefficient and can lead to linear read overflows
158if a source string is not NUL-terminated. The safe replacement is strscpy(),
159though care must be given to any cases where the return value of strlcpy()
160is used, since strscpy() will return negative errno values when it truncates.
161
162%p format specifier
163-------------------
164Traditionally, using "%p" in format strings would lead to regular address
165exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to
166be exploitable, all "%p" uses in the kernel are being printed as a hashed
167value, rendering them unusable for addressing. New uses of "%p" should not
168be added to the kernel. For text addresses, using "%pS" is likely better,
169as it produces the more useful symbol name instead. For nearly everything
170else, just do not add "%p" at all.
171
172Paraphrasing Linus's current `guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_:
173
174- If the hashed "%p" value is pointless, ask yourself whether the pointer
175  itself is important. Maybe it should be removed entirely?
176- If you really think the true pointer value is important, why is some
177  system state or user privilege level considered "special"? If you think
178  you can justify it (in comments and commit log) well enough to stand
179  up to Linus's scrutiny, maybe you can use "%px", along with making sure
180  you have sensible permissions.
181
182If you are debugging something where "%p" hashing is causing problems,
183you can temporarily boot with the debug flag "`no_hash_pointers
184<https://git.kernel.org/linus/5ead723a20e0447bc7db33dc3070b420e5f80aa6>`_".
185
186Variable Length Arrays (VLAs)
187-----------------------------
188Using stack VLAs produces much worse machine code than statically
189sized stack arrays. While these non-trivial `performance issues
190<https://git.kernel.org/linus/02361bc77888>`_ are reason enough to
191eliminate VLAs, they are also a security risk. Dynamic growth of a stack
192array may exceed the remaining memory in the stack segment. This could
193lead to a crash, possible overwriting sensitive contents at the end of the
194stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting
195memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`)
196
197Implicit switch case fall-through
198---------------------------------
199The C language allows switch cases to fall through to the next case
200when a "break" statement is missing at the end of a case. This, however,
201introduces ambiguity in the code, as it's not always clear if the missing
202break is intentional or a bug. For example, it's not obvious just from
203looking at the code if `STATE_ONE` is intentionally designed to fall
204through into `STATE_TWO`::
205
206	switch (value) {
207	case STATE_ONE:
208		do_something();
209	case STATE_TWO:
210		do_other();
211		break;
212	default:
213		WARN("unknown state");
214	}
215
216As there have been a long list of flaws `due to missing "break" statements
217<https://cwe.mitre.org/data/definitions/484.html>`_, we no longer allow
218implicit fall-through. In order to identify intentional fall-through
219cases, we have adopted a pseudo-keyword macro "fallthrough" which
220expands to gcc's extension `__attribute__((__fallthrough__))
221<https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_.
222(When the C17/C18  `[[fallthrough]]` syntax is more commonly supported by
223C compilers, static analyzers, and IDEs, we can switch to using that syntax
224for the macro pseudo-keyword.)
225
226All switch/case blocks must end in one of:
227
228* break;
229* fallthrough;
230* continue;
231* goto <label>;
232* return [expression];
233
234Zero-length and one-element arrays
235----------------------------------
236There is a regular need in the kernel to provide a way to declare having
237a dynamically sized set of trailing elements in a structure. Kernel code
238should always use `"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_
239for these cases. The older style of one-element or zero-length arrays should
240no longer be used.
241
242In older C code, dynamically sized trailing elements were done by specifying
243a one-element array at the end of a structure::
244
245        struct something {
246                size_t count;
247                struct foo items[1];
248        };
249
250This led to fragile size calculations via sizeof() (which would need to
251remove the size of the single trailing element to get a correct size of
252the "header"). A `GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_
253was introduced to allow for zero-length arrays, to avoid these kinds of
254size problems::
255
256        struct something {
257                size_t count;
258                struct foo items[0];
259        };
260
261But this led to other problems, and didn't solve some problems shared by
262both styles, like not being able to detect when such an array is accidentally
263being used _not_ at the end of a structure (which could happen directly, or
264when such a struct was in unions, structs of structs, etc).
265
266C99 introduced "flexible array members", which lacks a numeric size for
267the array declaration entirely::
268
269        struct something {
270                size_t count;
271                struct foo items[];
272        };
273
274This is the way the kernel expects dynamically sized trailing elements
275to be declared. It allows the compiler to generate errors when the
276flexible array does not occur last in the structure, which helps to prevent
277some kind of `undefined behavior
278<https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_
279bugs from being inadvertently introduced to the codebase. It also allows
280the compiler to correctly analyze array sizes (via sizeof(),
281`CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOUNDS`). For instance,
282there is no mechanism that warns us that the following application of the
283sizeof() operator to a zero-length array always results in zero::
284
285        struct something {
286                size_t count;
287                struct foo items[0];
288        };
289
290        struct something *instance;
291
292        instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
293        instance->count = count;
294
295        size = sizeof(instance->items) * instance->count;
296        memcpy(instance->items, source, size);
297
298At the last line of code above, ``size`` turns out to be ``zero``, when one might
299have thought it represents the total size in bytes of the dynamic memory recently
300allocated for the trailing array ``items``. Here are a couple examples of this
301issue: `link 1
302<https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_,
303`link 2
304<https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_.
305Instead, `flexible array members have incomplete type, and so the sizeof()
306operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
307so any misuse of such operators will be immediately noticed at build time.
308
309With respect to one-element arrays, one has to be acutely aware that `such arrays
310occupy at least as much space as a single object of the type
311<https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
312hence they contribute to the size of the enclosing structure. This is prone
313to error every time people want to calculate the total size of dynamic memory
314to allocate for a structure containing an array of this kind as a member::
315
316        struct something {
317                size_t count;
318                struct foo items[1];
319        };
320
321        struct something *instance;
322
323        instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL);
324        instance->count = count;
325
326        size = sizeof(instance->items) * instance->count;
327        memcpy(instance->items, source, size);
328
329In the example above, we had to remember to calculate ``count - 1`` when using
330the struct_size() helper, otherwise we would have --unintentionally-- allocated
331memory for one too many ``items`` objects. The cleanest and least error-prone way
332to implement this is through the use of a `flexible array member`, together with
333struct_size() and flex_array_size() helpers::
334
335        struct something {
336                size_t count;
337                struct foo items[];
338        };
339
340        struct something *instance;
341
342        instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
343        instance->count = count;
344
345        memcpy(instance->items, source, flex_array_size(instance, items, instance->count));
346