__deprecated¶

While this attribute does visually mark an interface as deprecated,itdoes not produce warnings during builds any morebecause one of the standing goals of the kernel is to build withoutwarnings and no one was actually doing anything to remove these deprecatedinterfaces. While using__deprecated is nice to note an old API ina header file, it isn’t the full solution. Such interfaces must eitherbe fully removed from the kernel, or added to this file to discourageothers from using them in the future.

BUG() and BUG_ON()¶

UseWARN() andWARN_ON() instead, and handle the “impossible”error condition as gracefully as possible. While theBUG()-familyof APIs were originally designed to act as an “impossible situation”assert and to kill a kernel thread “safely”, they turn out to just betoo risky. (e.g. “In what order do locks need to be released? Havevarious states been restored?”) Very commonly, usingBUG() willdestabilize a system or entirely break it, which makes it impossibleto debug or even get viable crash reports. Linus hasvery strongfeelingsabout this.

Note that theWARN()-family should only be used for “expected tobe unreachable” situations. If you want to warn about “reachablebut undesirable” situations, please use thepr_warn()-family offunctions. System owners may have set thepanic_on_warn sysctl,to make sure their systems do not continue running in the face of“unreachable” conditions. (For example, see commits likethis one.)

open-coded arithmetic in allocator arguments¶

Dynamic size calculations (especially multiplication) should not beperformed in memory allocator (or similar) function arguments due to therisk of them overflowing. This could lead to values wrapping around and asmaller allocation being made than the caller was expecting. Using thoseallocations could lead to linear overflows of heap memory and othermisbehaviors. (One exception to this is literal values where the compilercan warn if they might overflow. However, the preferred way in thesecases is to refactor the code as suggested below to avoid the open-codedarithmetic.)

For example, do not usecount*size as an argument, as in:

foo = kmalloc(count * size, GFP_KERNEL);

Instead, the 2-factor form of the allocator should be used:

foo = kmalloc_array(count, size, GFP_KERNEL);

Specifically,kmalloc() can be replaced withkmalloc_array(), andkzalloc() can be replaced withkcalloc().

If no 2-factor form is available, the saturate-on-overflow helpers shouldbe used:

bar = dma_alloc_coherent(dev, array_size(count, size), &dma, GFP_KERNEL);

Another common case to avoid is calculating the size of a structure witha trailing array of others structures, as in:

header = kzalloc(sizeof(*header) + count * sizeof(*header->item),                 GFP_KERNEL);

Instead, use the helper:

header = kzalloc(struct_size(header, item, count), GFP_KERNEL);

For other calculations, please compose the use of thesize_mul(),size_add(), andsize_sub() helpers. For example, in the case of:

foo = krealloc(current_size + chunk_size * (count - 3), GFP_KERNEL);

Instead, use the helpers:

foo = krealloc(size_add(current_size,                        size_mul(chunk_size,                                 size_sub(count, 3))), GFP_KERNEL);

For more details, also seearray3_size() andflex_array_size(),as well as the relatedcheck_mul_overflow(),check_add_overflow(),check_sub_overflow(), andcheck_shl_overflow() family of functions.

simple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull()¶

Thesimple_strtol(),simple_strtoll(),simple_strtoul(), andsimple_strtoull() functionsexplicitly ignore overflows, which may lead to unexpected resultsin callers. The respectivekstrtol(),kstrtoll(),kstrtoul(), andkstrtoull() functions tend to be thecorrect replacements, though note that those require the string to beNUL or newline terminated.

strcpy()¶

strcpy() performs no bounds checking on the destination buffer. Thiscould result in linear overflows beyond the end of the buffer, leading toall kinds of misbehaviors. WhileCONFIG_FORTIFY_SOURCE=y and variouscompiler flags help reduce the risk of using this function, there isno good reason to add new uses of this function. The safe replacementisstrscpy(), though care must be given to any cases where the returnvalue ofstrcpy() was used, sincestrscpy() does not return a pointer tothe destination, but rather a count of non-NUL bytes copied (or negativeerrno when it truncates).

strncpy() on NUL-terminated strings¶

Use ofstrncpy() does not guarantee that the destination buffer willbe NUL terminated. This can lead to various linear read overflows andother misbehavior due to the missing termination. It also NUL-padsthe destination buffer if the source contents are shorter than thedestination buffer size, which may be a needless performance penaltyfor callers using only NUL-terminated strings.

When the destination is required to be NUL-terminated, the replacement isstrscpy(), though care must be given to any cases where the return valueofstrncpy() was used, sincestrscpy() does not return a pointer to thedestination, but rather a count of non-NUL bytes copied (or negativeerrno when it truncates). Any cases still needing NUL-padding shouldinstead usestrscpy_pad().

If a caller is using non-NUL-terminated strings,strtomem() should beused, and the destinations should be marked with the__nonstringattribute to avoid future compiler warnings. For cases still needingNUL-padding,strtomem_pad() can be used.

strlcpy()¶

strlcpy() reads the entire source buffer first (since the return valueis meant to match that ofstrlen()). This read may exceed the destinationsize limit. This is both inefficient and can lead to linear read overflowsif a source string is not NUL-terminated. The safe replacement isstrscpy(),though care must be given to any cases where the return value ofstrlcpy()is used, sincestrscpy() will return negative errno values when it truncates.

%p format specifier¶

Traditionally, using “%p” in format strings would lead to regular addressexposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these tobe exploitable, all “%p” uses in the kernel are being printed as a hashedvalue, rendering them unusable for addressing. New uses of “%p” should notbe added to the kernel. For text addresses, using “%pS” is likely better,as it produces the more useful symbol name instead. For nearly everythingelse, just do not add “%p” at all.

Paraphrasing Linus’s currentguidance:

• If the hashed “%p” value is pointless, ask yourself whether the pointeritself is important. Maybe it should be removed entirely?

• If you really think the true pointer value is important, why is somesystem state or user privilege level considered “special”? If you thinkyou can justify it (in comments and commit log) well enough to standup to Linus’s scrutiny, maybe you can use “%px”, along with making sureyou have sensible permissions.

If you are debugging something where “%p” hashing is causing problems,you can temporarily boot with the debug flag “no_hash_pointers”.

Variable Length Arrays (VLAs)¶

Using stack VLAs produces much worse machine code than staticallysized stack arrays. While these non-trivialperformance issues are reason enough toeliminate VLAs, they are also a security risk. Dynamic growth of a stackarray may exceed the remaining memory in the stack segment. This couldlead to a crash, possible overwriting sensitive contents at the end of thestack (when built withoutCONFIG_THREAD_INFO_IN_TASK=y), or overwritingmemory adjacent to the stack (when built withoutCONFIG_VMAP_STACK=y)

Implicit switch case fall-through¶

The C language allows switch cases to fall through to the next casewhen a “break” statement is missing at the end of a case. This, however,introduces ambiguity in the code, as it’s not always clear if the missingbreak is intentional or a bug. For example, it’s not obvious just fromlooking at the code ifSTATE_ONE is intentionally designed to fallthrough intoSTATE_TWO:

switch (value) {case STATE_ONE:        do_something();case STATE_TWO:        do_other();        break;default:        WARN("unknown state");}

As there have been a long list of flawsdue to missing “break” statements, we no longer allowimplicit fall-through. In order to identify intentional fall-throughcases, we have adopted a pseudo-keyword macro “fallthrough” whichexpands to gcc’s extension__attribute__((__fallthrough__)).(When the C17/C18[[fallthrough]] syntax is more commonly supported byC compilers, static analyzers, and IDEs, we can switch to using that syntaxfor the macro pseudo-keyword.)

All switch/case blocks must end in one of:

• break;

• fallthrough;

• continue;

• goto <label>;

• return [expression];

Zero-length and one-element arrays¶

There is a regular need in the kernel to provide a way to declare havinga dynamically sized set of trailing elements in a structure. Kernel codeshould always use“flexible array members”for these cases. The older style of one-element or zero-length arrays shouldno longer be used.

In older C code, dynamically sized trailing elements were done by specifyinga one-element array at the end of a structure:

struct something {        size_t count;        struct foo items[1];};

This led to fragile size calculations via sizeof() (which would need toremove the size of the single trailing element to get a correct size ofthe “header”). AGNU C extensionwas introduced to allow for zero-length arrays, to avoid these kinds ofsize problems:

struct something {        size_t count;        struct foo items[0];};

But this led to other problems, and didn’t solve some problems shared byboth styles, like not being able to detect when such an array is accidentallybeing used _not_ at the end of a structure (which could happen directly, orwhen such astructwas in unions, structs of structs, etc).

C99 introduced “flexible array members”, which lacks a numeric size forthe array declaration entirely:

struct something {        size_t count;        struct foo items[];};

This is the way the kernel expects dynamically sized trailing elementsto be declared. It allows the compiler to generate errors when theflexible array does not occur last in the structure, which helps to preventsome kind ofundefined behaviorbugs from being inadvertently introduced to the codebase. It also allowsthe compiler to correctly analyze array sizes (via sizeof(),CONFIG_FORTIFY_SOURCE, andCONFIG_UBSAN_BOUNDS). For instance,there is no mechanism that warns us that the following application of thesizeof() operator to a zero-length array always results in zero:

struct something {        size_t count;        struct foo items[0];};struct something *instance;instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);instance->count = count;size = sizeof(instance->items) * instance->count;memcpy(instance->items, source, size);

At the last line of code above,size turns out to bezero, when one mighthave thought it represents the total size in bytes of the dynamic memory recentlyallocated for the trailing arrayitems. Here are a couple examples of thisissue:link 1,link 2.Instead,flexible array members have incomplete type, and so the sizeof()operator may not be applied,so any misuse of such operators will be immediately noticed at build time.

With respect to one-element arrays, one has to be acutely aware thatsuch arraysoccupy at least as much space as a single object of the type,hence they contribute to the size of the enclosing structure. This is proneto error every time people want to calculate the total size of dynamic memoryto allocate for a structure containing an array of this kind as a member:

struct something {        size_t count;        struct foo items[1];};struct something *instance;instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL);instance->count = count;size = sizeof(instance->items) * instance->count;memcpy(instance->items, source, size);

In the example above, we had to remember to calculatecount-1 when usingthestruct_size() helper, otherwise we would have --unintentionally-- allocatedmemory for one too manyitems objects. The cleanest and least error-prone wayto implement this is through the use of aflexible array member, together withstruct_size() andflex_array_size() helpers:

struct something {        size_t count;        struct foo items[];};struct something *instance;instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);instance->count = count;memcpy(instance->items, source, flex_array_size(instance, items, instance->count));

There are two special cases of replacement where theDECLARE_FLEX_ARRAY()helper needs to be used. (Note that it is named__DECLARE_FLEX_ARRAY() foruse in UAPI headers.) Those cases are when the flexible array is eitheralone in astructor is part of a union. These are disallowed by the C99specification, but for no technical reason (as can be seen by both theexisting use of such arrays in those places and the work-around thatDECLARE_FLEX_ARRAY() uses). For example, to convert this:

struct something {        ...        union {                struct type1 one[0];                struct type2 two[0];        };};

The helper must be used:

struct something {        ...        union {                DECLARE_FLEX_ARRAY(struct type1, one);                DECLARE_FLEX_ARRAY(struct type2, two);        };};