[linux-block.git] / Documentation / process / deprecated.rst

.. SPDX-License-Identifier: GPL-2.0

.. _deprecated:

=====================================================================
Deprecated Interfaces, Language Features, Attributes, and Conventions
=====================================================================

In a perfect world, it would be possible to convert all instances of
some deprecated API into the new API and entirely remove the old API in
a single development cycle. However, due to the size of the kernel, the
maintainership hierarchy, and timing, it's not always feasible to do these
kinds of conversions at once. This means that new instances may sneak into
the kernel while old ones are being removed, only making the amount of
work to remove the API grow. In order to educate developers about what
has been deprecated and why, this list has been created as a place to
point when uses of deprecated things are proposed for inclusion in the
kernel.

__deprecated
------------
While this attribute does visually mark an interface as deprecated,
it `does not produce warnings during builds any more
<https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_
because one of the standing goals of the kernel is to build without
warnings and no one was actually doing anything to remove these deprecated
interfaces. While using `__deprecated` is nice to note an old API in
a header file, it isn't the full solution. Such interfaces must either
be fully removed from the kernel, or added to this file to discourage
others from using them in the future.

BUG() and BUG_ON()
------------------
Use WARN() and WARN_ON() instead, and handle the "impossible"
error condition as gracefully as possible. While the BUG()-family
of APIs were originally designed to act as an "impossible situation"
assert and to kill a kernel thread "safely", they turn out to just be
too risky. (e.g. "In what order do locks need to be released? Have
various states been restored?") Very commonly, using BUG() will
destabilize a system or entirely break it, which makes it impossible
to debug or even get viable crash reports. Linus has `very strong
<https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_
feelings `about this
<https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_.

Note that the WARN()-family should only be used for "expected to
be unreachable" situations. If you want to warn about "reachable
but undesirable" situations, please use the pr_warn()-family of
functions. System owners may have set the *panic_on_warn* sysctl,
to make sure their systems do not continue running in the face of
"unreachable" conditions. (For example, see commits like `this one
<https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_.)

open-coded arithmetic in allocator arguments
--------------------------------------------
Dynamic size calculations (especially multiplication) should not be
performed in memory allocator (or similar) function arguments due to the
risk of them overflowing. This could lead to values wrapping around and a
smaller allocation being made than the caller was expecting. Using those
allocations could lead to linear overflows of heap memory and other
misbehaviors. (One exception to this is literal values where the compiler
can warn if they might overflow. However, the preferred way in these
cases is to refactor the code as suggested below to avoid the open-coded
arithmetic.)

For example, do not use ``count * size`` as an argument, as in::

	foo = kmalloc(count * size, GFP_KERNEL);

Instead, the 2-factor form of the allocator should be used::

	foo = kmalloc_array(count, size, GFP_KERNEL);

Specifically, kmalloc() can be replaced with kmalloc_array(), and
kzalloc() can be replaced with kcalloc().

If no 2-factor form is available, the saturate-on-overflow helpers should
be used::

	bar = vmalloc(array_size(count, size));

Another common case to avoid is calculating the size of a structure with
a trailing array of others structures, as in::

	header = kzalloc(sizeof(*header) + count * sizeof(*header->item),
			 GFP_KERNEL);

Instead, use the helper::

	header = kzalloc(struct_size(header, item, count), GFP_KERNEL);

.. note:: If you are using struct_size() on a structure containing a zero-length
        or a one-element array as a trailing array member, please refactor such
        array usage and switch to a `flexible array member
        <#zero-length-and-one-element-arrays>`_ instead.

For other calculations, please compose the use of the size_mul(),
size_add(), and size_sub() helpers. For example, in the case of::

	foo = krealloc(current_size + chunk_size * (count - 3), GFP_KERNEL);

Instead, use the helpers::

	foo = krealloc(size_add(current_size,
				size_mul(chunk_size,
					 size_sub(count, 3))), GFP_KERNEL);

For more details, also see array3_size() and flex_array_size(),
as well as the related check_mul_overflow(), check_add_overflow(),
check_sub_overflow(), and check_shl_overflow() family of functions.

simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull()
----------------------------------------------------------------------
The simple_strtol(), simple_strtoll(),
simple_strtoul(), and simple_strtoull() functions
explicitly ignore overflows, which may lead to unexpected results
in callers. The respective kstrtol(), kstrtoll(),
kstrtoul(), and kstrtoull() functions tend to be the
correct replacements, though note that those require the string to be
NUL or newline terminated.

strcpy()
--------
strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading to
all kinds of misbehaviors. While `CONFIG_FORTIFY_SOURCE=y` and various
compiler flags help reduce the risk of using this function, there is
no good reason to add new uses of this function. The safe replacement
is strscpy(), though care must be given to any cases where the return
value of strcpy() was used, since strscpy() does not return a pointer to
the destination, but rather a count of non-NUL bytes copied (or negative
errno when it truncates).

strncpy() on NUL-terminated strings
-----------------------------------
Use of strncpy() does not guarantee that the destination buffer will
be NUL terminated. This can lead to various linear read overflows and
other misbehavior due to the missing termination. It also NUL-pads
the destination buffer if the source contents are shorter than the
destination buffer size, which may be a needless performance penalty
for callers using only NUL-terminated strings.

When the destination is required to be NUL-terminated, the replacement is
strscpy(), though care must be given to any cases where the return value
of strncpy() was used, since strscpy() does not return a pointer to the
destination, but rather a count of non-NUL bytes copied (or negative
errno when it truncates). Any cases still needing NUL-padding should
instead use strscpy_pad().

If a caller is using non-NUL-terminated strings, strtomem() should be
used, and the destinations should be marked with the `__nonstring
<https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_
attribute to avoid future compiler warnings. For cases still needing
NUL-padding, strtomem_pad() can be used.

strlcpy()
---------
strlcpy() reads the entire source buffer first (since the return value
is meant to match that of strlen()). This read may exceed the destination
size limit. This is both inefficient and can lead to linear read overflows
if a source string is not NUL-terminated. The safe replacement is strscpy(),
though care must be given to any cases where the return value of strlcpy()
is used, since strscpy() will return negative errno values when it truncates.

%p format specifier
-------------------
Traditionally, using "%p" in format strings would lead to regular address
exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to
be exploitable, all "%p" uses in the kernel are being printed as a hashed
value, rendering them unusable for addressing. New uses of "%p" should not
be added to the kernel. For text addresses, using "%pS" is likely better,
as it produces the more useful symbol name instead. For nearly everything
else, just do not add "%p" at all.

Paraphrasing Linus's current `guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_:

- If the hashed "%p" value is pointless, ask yourself whether the pointer
  itself is important. Maybe it should be removed entirely?
- If you really think the true pointer value is important, why is some
  system state or user privilege level considered "special"? If you think
  you can justify it (in comments and commit log) well enough to stand
  up to Linus's scrutiny, maybe you can use "%px", along with making sure
  you have sensible permissions.

If you are debugging something where "%p" hashing is causing problems,
you can temporarily boot with the debug flag "`no_hash_pointers
<https://git.kernel.org/linus/5ead723a20e0447bc7db33dc3070b420e5f80aa6>`_".

Variable Length Arrays (VLAs)
-----------------------------
Using stack VLAs produces much worse machine code than statically
sized stack arrays. While these non-trivial `performance issues
<https://git.kernel.org/linus/02361bc77888>`_ are reason enough to
eliminate VLAs, they are also a security risk. Dynamic growth of a stack
array may exceed the remaining memory in the stack segment. This could
lead to a crash, possible overwriting sensitive contents at the end of the
stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting
memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`)

Implicit switch case fall-through
---------------------------------
The C language allows switch cases to fall through to the next case
when a "break" statement is missing at the end of a case. This, however,
introduces ambiguity in the code, as it's not always clear if the missing
break is intentional or a bug. For example, it's not obvious just from
looking at the code if `STATE_ONE` is intentionally designed to fall
through into `STATE_TWO`::

	switch (value) {
	case STATE_ONE:
		do_something();
	case STATE_TWO:
		do_other();
		break;
	default:
		WARN("unknown state");
	}

As there have been a long list of flaws `due to missing "break" statements
<https://cwe.mitre.org/data/definitions/484.html>`_, we no longer allow
implicit fall-through. In order to identify intentional fall-through
cases, we have adopted a pseudo-keyword macro "fallthrough" which
expands to gcc's extension `__attribute__((__fallthrough__))
<https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_.
(When the C17/C18  `[[fallthrough]]` syntax is more commonly supported by
C compilers, static analyzers, and IDEs, we can switch to using that syntax
for the macro pseudo-keyword.)

All switch/case blocks must end in one of:

* break;
* fallthrough;
* continue;
* goto <label>;
* return [expression];

Zero-length and one-element arrays
----------------------------------
There is a regular need in the kernel to provide a way to declare having
a dynamically sized set of trailing elements in a structure. Kernel code
should always use `"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_
for these cases. The older style of one-element or zero-length arrays should
no longer be used.

In older C code, dynamically sized trailing elements were done by specifying
a one-element array at the end of a structure::

        struct something {
                size_t count;
                struct foo items[1];
        };

This led to fragile size calculations via sizeof() (which would need to
remove the size of the single trailing element to get a correct size of
the "header"). A `GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_
was introduced to allow for zero-length arrays, to avoid these kinds of
size problems::

        struct something {
                size_t count;
                struct foo items[0];
        };

But this led to other problems, and didn't solve some problems shared by
both styles, like not being able to detect when such an array is accidentally
being used _not_ at the end of a structure (which could happen directly, or
when such a struct was in unions, structs of structs, etc).

C99 introduced "flexible array members", which lacks a numeric size for
the array declaration entirely::

        struct something {
                size_t count;
                struct foo items[];
        };

This is the way the kernel expects dynamically sized trailing elements
to be declared. It allows the compiler to generate errors when the
flexible array does not occur last in the structure, which helps to prevent
some kind of `undefined behavior
<https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_
bugs from being inadvertently introduced to the codebase. It also allows
the compiler to correctly analyze array sizes (via sizeof(),
`CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOUNDS`). For instance,
there is no mechanism that warns us that the following application of the
sizeof() operator to a zero-length array always results in zero::

        struct something {
                size_t count;
                struct foo items[0];
        };

        struct something *instance;

        instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
        instance->count = count;

        size = sizeof(instance->items) * instance->count;
        memcpy(instance->items, source, size);

At the last line of code above, ``size`` turns out to be ``zero``, when one might
have thought it represents the total size in bytes of the dynamic memory recently
allocated for the trailing array ``items``. Here are a couple examples of this
issue: `link 1
<https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_,
`link 2
<https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_.
Instead, `flexible array members have incomplete type, and so the sizeof()
operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
so any misuse of such operators will be immediately noticed at build time.

With respect to one-element arrays, one has to be acutely aware that `such arrays
occupy at least as much space as a single object of the type
<https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
hence they contribute to the size of the enclosing structure. This is prone
to error every time people want to calculate the total size of dynamic memory
to allocate for a structure containing an array of this kind as a member::

        struct something {
                size_t count;
                struct foo items[1];
        };

        struct something *instance;

        instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL);
        instance->count = count;

        size = sizeof(instance->items) * instance->count;
        memcpy(instance->items, source, size);

In the example above, we had to remember to calculate ``count - 1`` when using
the struct_size() helper, otherwise we would have --unintentionally-- allocated
memory for one too many ``items`` objects. The cleanest and least error-prone way
to implement this is through the use of a `flexible array member`, together with
struct_size() and flex_array_size() helpers::

        struct something {
                size_t count;
                struct foo items[];
        };

        struct something *instance;

        instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
        instance->count = count;

        memcpy(instance->items, source, flex_array_size(instance, items, instance->count));

There are two special cases of replacement where the DECLARE_FLEX_ARRAY()
helper needs to be used. (Note that it is named __DECLARE_FLEX_ARRAY() for
use in UAPI headers.) Those cases are when the flexible array is either
alone in a struct or is part of a union. These are disallowed by the C99
specification, but for no technical reason (as can be seen by both the
existing use of such arrays in those places and the work-around that
DECLARE_FLEX_ARRAY() uses). For example, to convert this::

	struct something {
		...
		union {
			struct type1 one[0];
			struct type2 two[0];
		};
	};

The helper must be used::

	struct something {
		...
		union {
			DECLARE_FLEX_ARRAY(struct type1, one);
			DECLARE_FLEX_ARRAY(struct type2, two);
		};
	};
Commit	Line	Data
84253c8b KC	1	.. SPDX-License-Identifier: GPL-2.0
84253c8b KC	2
98348577 FV	3	.. _deprecated:
98348577 FV	4
84253c8b KC	5	=====================================================================
	6	Deprecated Interfaces, Language Features, Attributes, and Conventions
	7	=====================================================================
	8
	9	In a perfect world, it would be possible to convert all instances of
	10	some deprecated API into the new API and entirely remove the old API in
	11	a single development cycle. However, due to the size of the kernel, the
	12	maintainership hierarchy, and timing, it's not always feasible to do these
	13	kinds of conversions at once. This means that new instances may sneak into
	14	the kernel while old ones are being removed, only making the amount of
	15	work to remove the API grow. In order to educate developers about what
	16	has been deprecated and why, this list has been created as a place to
	17	point when uses of deprecated things are proposed for inclusion in the
	18	kernel.
	19
	20	__deprecated
	21	------------
	22	While this attribute does visually mark an interface as deprecated,
	23	it `does not produce warnings during builds any more
	24	<https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_
	25	because one of the standing goals of the kernel is to build without
	26	warnings and no one was actually doing anything to remove these deprecated
	27	interfaces. While using `__deprecated` is nice to note an old API in
	28	a header file, it isn't the full solution. Such interfaces must either
	29	be fully removed from the kernel, or added to this file to discourage
	30	others from using them in the future.
	31
7af51678 KC	32	BUG() and BUG_ON()
	33	------------------
	34	Use WARN() and WARN_ON() instead, and handle the "impossible"
	35	error condition as gracefully as possible. While the BUG()-family
	36	of APIs were originally designed to act as an "impossible situation"
	37	assert and to kill a kernel thread "safely", they turn out to just be
	38	too risky. (e.g. "In what order do locks need to be released? Have
	39	various states been restored?") Very commonly, using BUG() will
	40	destabilize a system or entirely break it, which makes it impossible
	41	to debug or even get viable crash reports. Linus has `very strong
	42	<https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_
	43	feelings `about this
	44	<https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_.
	45
	46	Note that the WARN()-family should only be used for "expected to
	47	be unreachable" situations. If you want to warn about "reachable
	48	but undesirable" situations, please use the pr_warn()-family of
	49	functions. System owners may have set the panic_on_warn sysctl,
	50	to make sure their systems do not continue running in the face of
	51	"unreachable" conditions. (For example, see commits like `this one
	52	<https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_.)
	53
84253c8b KC	54	open-coded arithmetic in allocator arguments
	55	--------------------------------------------
	56	Dynamic size calculations (especially multiplication) should not be
	57	performed in memory allocator (or similar) function arguments due to the
	58	risk of them overflowing. This could lead to values wrapping around and a
	59	smaller allocation being made than the caller was expecting. Using those
	60	allocations could lead to linear overflows of heap memory and other
	61	misbehaviors. (One exception to this is literal values where the compiler
3577cdb2 LB	62	can warn if they might overflow. However, the preferred way in these
	63	cases is to refactor the code as suggested below to avoid the open-coded
	64	arithmetic.)
84253c8b KC	65
	66	For example, do not use ``count * size`` as an argument, as in::
	67
	68	foo = kmalloc(count * size, GFP_KERNEL);
	69
	70	Instead, the 2-factor form of the allocator should be used::
	71
	72	foo = kmalloc_array(count, size, GFP_KERNEL);
	73
e1be43d9 KC	74	Specifically, kmalloc() can be replaced with kmalloc_array(), and
	75	kzalloc() can be replaced with kcalloc().
	76
84253c8b KC	77	If no 2-factor form is available, the saturate-on-overflow helpers should
	78	be used::
	79
	80	bar = vmalloc(array_size(count, size));
	81
	82	Another common case to avoid is calculating the size of a structure with
	83	a trailing array of others structures, as in::
	84
	85	header = kzalloc(sizeof(header) + count sizeof(*header->item),
	86	GFP_KERNEL);
	87
	88	Instead, use the helper::
	89
	90	header = kzalloc(struct_size(header, item, count), GFP_KERNEL);
	91
68e4cd17 GS	92	.. note:: If you are using struct_size() on a structure containing a zero-length
	93	or a one-element array as a trailing array member, please refactor such
	94	array usage and switch to a `flexible array member
	95	<#zero-length-and-one-element-arrays>`_ instead.
	96
e1be43d9 KC	97	For other calculations, please compose the use of the size_mul(),
	98	size_add(), and size_sub() helpers. For example, in the case of::
	99
	100	foo = krealloc(current_size + chunk_size * (count - 3), GFP_KERNEL);
	101
	102	Instead, use the helpers::
	103
	104	foo = krealloc(size_add(current_size,
	105	size_mul(chunk_size,
	106	size_sub(count, 3))), GFP_KERNEL);
	107
	108	For more details, also see array3_size() and flex_array_size(),
	109	as well as the related check_mul_overflow(), check_add_overflow(),
	110	check_sub_overflow(), and check_shl_overflow() family of functions.
84253c8b KC	111
	112	simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull()
	113	----------------------------------------------------------------------
7929b983 JC	114	The simple_strtol(), simple_strtoll(),
7929b983 JC	115	simple_strtoul(), and simple_strtoull() functions
84253c8b	116	explicitly ignore overflows, which may lead to unexpected results
7929b983 JC	117	in callers. The respective kstrtol(), kstrtoll(),
7929b983 JC	118	kstrtoul(), and kstrtoull() functions tend to be the
84253c8b KC	119	correct replacements, though note that those require the string to be
	120	NUL or newline terminated.
	121
	122	strcpy()
	123	--------
27def953 KC	124	strcpy() performs no bounds checking on the destination buffer. This
	125	could result in linear overflows beyond the end of the buffer, leading to
	126	all kinds of misbehaviors. While `CONFIG_FORTIFY_SOURCE=y` and various
	127	compiler flags help reduce the risk of using this function, there is
	128	no good reason to add new uses of this function. The safe replacement
	129	is strscpy(), though care must be given to any cases where the return
	130	value of strcpy() was used, since strscpy() does not return a pointer to
	131	the destination, but rather a count of non-NUL bytes copied (or negative
	132	errno when it truncates).
84253c8b KC	133
	134	strncpy() on NUL-terminated strings
	135	-----------------------------------
27def953 KC	136	Use of strncpy() does not guarantee that the destination buffer will
	137	be NUL terminated. This can lead to various linear read overflows and
	138	other misbehavior due to the missing termination. It also NUL-pads
	139	the destination buffer if the source contents are shorter than the
	140	destination buffer size, which may be a needless performance penalty
dfbafa70 KC	141	for callers using only NUL-terminated strings.
	142
	143	When the destination is required to be NUL-terminated, the replacement is
27def953 KC	144	strscpy(), though care must be given to any cases where the return value
	145	of strncpy() was used, since strscpy() does not return a pointer to the
	146	destination, but rather a count of non-NUL bytes copied (or negative
	147	errno when it truncates). Any cases still needing NUL-padding should
	148	instead use strscpy_pad().
84253c8b	149
dfbafa70 KC	150	If a caller is using non-NUL-terminated strings, strtomem() should be
dfbafa70 KC	151	used, and the destinations should be marked with the `__nonstring
84253c8b	152	<https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_
dfbafa70 KC	153	attribute to avoid future compiler warnings. For cases still needing
dfbafa70 KC	154	NUL-padding, strtomem_pad() can be used.
84253c8b KC	155
	156	strlcpy()
	157	---------
27def953 KC	158	strlcpy() reads the entire source buffer first (since the return value
	159	is meant to match that of strlen()). This read may exceed the destination
	160	size limit. This is both inefficient and can lead to linear read overflows
	161	if a source string is not NUL-terminated. The safe replacement is strscpy(),
	162	though care must be given to any cases where the return value of strlcpy()
	163	is used, since strscpy() will return negative errno values when it truncates.
84253c8b	164
d8401f50 KC	165	%p format specifier
	166	-------------------
	167	Traditionally, using "%p" in format strings would lead to regular address
	168	exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to
	169	be exploitable, all "%p" uses in the kernel are being printed as a hashed
	170	value, rendering them unusable for addressing. New uses of "%p" should not
	171	be added to the kernel. For text addresses, using "%pS" is likely better,
	172	as it produces the more useful symbol name instead. For nearly everything
	173	else, just do not add "%p" at all.
	174
	175	Paraphrasing Linus's current `guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_:
	176
	177	- If the hashed "%p" value is pointless, ask yourself whether the pointer
	178	itself is important. Maybe it should be removed entirely?
	179	- If you really think the true pointer value is important, why is some
	180	system state or user privilege level considered "special"? If you think
	181	you can justify it (in comments and commit log) well enough to stand
	182	up to Linus's scrutiny, maybe you can use "%px", along with making sure
	183	you have sensible permissions.
	184
6ab0493d KC	185	If you are debugging something where "%p" hashing is causing problems,
	186	you can temporarily boot with the debug flag "`no_hash_pointers
	187	<https://git.kernel.org/linus/5ead723a20e0447bc7db33dc3070b420e5f80aa6>`_".
d8401f50	188
84253c8b KC	189	Variable Length Arrays (VLAs)
	190	-----------------------------
	191	Using stack VLAs produces much worse machine code than statically
	192	sized stack arrays. While these non-trivial `performance issues
	193	<https://git.kernel.org/linus/02361bc77888>`_ are reason enough to
	194	eliminate VLAs, they are also a security risk. Dynamic growth of a stack
	195	array may exceed the remaining memory in the stack segment. This could
	196	lead to a crash, possible overwriting sensitive contents at the end of the
	197	stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting
	198	memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`)
a035d552 GS	199
	200	Implicit switch case fall-through
	201	---------------------------------
76136e02 KC	202	The C language allows switch cases to fall through to the next case
	203	when a "break" statement is missing at the end of a case. This, however,
	204	introduces ambiguity in the code, as it's not always clear if the missing
	205	break is intentional or a bug. For example, it's not obvious just from
	206	looking at the code if `STATE_ONE` is intentionally designed to fall
	207	through into `STATE_TWO`::
	208
	209	switch (value) {
	210	case STATE_ONE:
	211	do_something();
	212	case STATE_TWO:
	213	do_other();
	214	break;
	215	default:
	216	WARN("unknown state");
	217	}
b9918bdc JP	218
b9918bdc JP	219	As there have been a long list of flaws `due to missing "break" statements
a035d552	220	<https://cwe.mitre.org/data/definitions/484.html>`_, we no longer allow
76136e02 KC	221	implicit fall-through. In order to identify intentional fall-through
	222	cases, we have adopted a pseudo-keyword macro "fallthrough" which
	223	expands to gcc's extension `__attribute__((__fallthrough__))
	224	<https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_.
	225	(When the C17/C18 `[[fallthrough]]` syntax is more commonly supported by
b9918bdc	226	C compilers, static analyzers, and IDEs, we can switch to using that syntax
76136e02	227	for the macro pseudo-keyword.)
b9918bdc JP	228
	229	All switch/case blocks must end in one of:
	230
76136e02 KC	231	* break;
	232	* fallthrough;
	233	* continue;
	234	* goto <label>;
	235	* return [expression];
68e4cd17 GS	236
	237	Zero-length and one-element arrays
	238	----------------------------------
	239	There is a regular need in the kernel to provide a way to declare having
	240	a dynamically sized set of trailing elements in a structure. Kernel code
	241	should always use `"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_
	242	for these cases. The older style of one-element or zero-length arrays should
	243	no longer be used.
	244
	245	In older C code, dynamically sized trailing elements were done by specifying
	246	a one-element array at the end of a structure::
	247
	248	struct something {
	249	size_t count;
	250	struct foo items[1];
	251	};
	252
	253	This led to fragile size calculations via sizeof() (which would need to
	254	remove the size of the single trailing element to get a correct size of
	255	the "header"). A `GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_
	256	was introduced to allow for zero-length arrays, to avoid these kinds of
	257	size problems::
	258
	259	struct something {
	260	size_t count;
	261	struct foo items[0];
	262	};
	263
	264	But this led to other problems, and didn't solve some problems shared by
	265	both styles, like not being able to detect when such an array is accidentally
	266	being used _not_ at the end of a structure (which could happen directly, or
	267	when such a struct was in unions, structs of structs, etc).
	268
	269	C99 introduced "flexible array members", which lacks a numeric size for
	270	the array declaration entirely::
	271
	272	struct something {
	273	size_t count;
	274	struct foo items[];
	275	};
	276
	277	This is the way the kernel expects dynamically sized trailing elements
	278	to be declared. It allows the compiler to generate errors when the
	279	flexible array does not occur last in the structure, which helps to prevent
	280	some kind of `undefined behavior
	281	<https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_
	282	bugs from being inadvertently introduced to the codebase. It also allows
	283	the compiler to correctly analyze array sizes (via sizeof(),
	284	`CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOUNDS`). For instance,
	285	there is no mechanism that warns us that the following application of the
	286	sizeof() operator to a zero-length array always results in zero::
	287
	288	struct something {
	289	size_t count;
	290	struct foo items[0];
	291	};
	292
	293	struct something *instance;
	294
	295	instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
	296	instance->count = count;
	297
	298	size = sizeof(instance->items) * instance->count;
	299	memcpy(instance->items, source, size);
300
301	At the last line of code above, ``size`` turns out to be ``zero``, when one might
302	have thought it represents the total size in bytes of the dynamic memory recently
303	allocated for the trailing array ``items``. Here are a couple examples of this
304	issue: `link 1
305	<https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_,
306	`link 2
307	<https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_.
308	Instead, `flexible array members have incomplete type, and so the sizeof()
309	operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
310	so any misuse of such operators will be immediately noticed at build time.
311
312	With respect to one-element arrays, one has to be acutely aware that `such arrays
313	occupy at least as much space as a single object of the type
314	<https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
315	hence they contribute to the size of the enclosing structure. This is prone
316	to error every time people want to calculate the total size of dynamic memory
317	to allocate for a structure containing an array of this kind as a member::
318
319	struct something {
320	size_t count;
321	struct foo items[1];
322	};
323
324	struct something *instance;
325
326	instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL);
327	instance->count = count;
328
329	size = sizeof(instance->items) * instance->count;
330	memcpy(instance->items, source, size);
331
332	In the example above, we had to remember to calculate ``count - 1`` when using
333	the struct_size() helper, otherwise we would have --unintentionally-- allocated
334	memory for one too many ``items`` objects. The cleanest and least error-prone way
17dca050 GS	335	to implement this is through the use of a `flexible array member`, together with
17dca050 GS	336	struct_size() and flex_array_size() helpers::
68e4cd17 GS	337
	338	struct something {
	339	size_t count;
	340	struct foo items[];
	341	};
	342
	343	struct something *instance;
	344
	345	instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
	346	instance->count = count;
	347
17dca050	348	memcpy(instance->items, source, flex_array_size(instance, items, instance->count));
8763a30b KC	349
	350	There are two special cases of replacement where the DECLARE_FLEX_ARRAY()
	351	helper needs to be used. (Note that it is named __DECLARE_FLEX_ARRAY() for
	352	use in UAPI headers.) Those cases are when the flexible array is either
	353	alone in a struct or is part of a union. These are disallowed by the C99
	354	specification, but for no technical reason (as can be seen by both the
	355	existing use of such arrays in those places and the work-around that
	356	DECLARE_FLEX_ARRAY() uses). For example, to convert this::
	357
	358	struct something {
	359	...
	360	union {
	361	struct type1 one[0];
	362	struct type2 two[0];
	363	};
	364	};
	365
	366	The helper must be used::
	367
	368	struct something {
	369	...
	370	union {
	371	DECLARE_FLEX_ARRAY(struct type1, one);
	372	DECLARE_FLEX_ARRAY(struct type2, two);
	373	};
	374	};