docs: deprecated.rst: Update an example

vmalloc() has a 2-factor form. It is vmalloc_array().
So use another function as an example.

Signed-off-by: Christophe JAILLET <[email protected]

docs: deprecated.rst: Update an example

vmalloc() has a 2-factor form. It is vmalloc_array().
So use another function as an example.

Signed-off-by: Christophe JAILLET <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>
Link: https://lore.kernel.org/r/3484e46180dd2cf05d993ff1a78b481bc2ad1f71.1687723931.git.christophe.jaillet@wanadoo.fr

show more ...

docs: deprecated.rst: Add note about DECLARE_FLEX_ARRAY() usage

There wasn't any mention of when/where DECLARE_FLEX_ARRAY() should be
used, so add the rationale and an example to the deprecation doc

docs: deprecated.rst: Add note about DECLARE_FLEX_ARRAY() usage

There wasn't any mention of when/where DECLARE_FLEX_ARRAY() should be
used, so add the rationale and an example to the deprecation docs.

Suggested-by: Vincent Mailhol <[email protected]>
Cc: "Gustavo A. R. Silva" <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
[jc: minor wording tweaks]
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

string: Introduce strtomem() and strtomem_pad()

One of the "legitimate" uses of strncpy() is copying a NUL-terminated
string into a fixed-size non-NUL-terminated character array. To avoid
the weakne

string: Introduce strtomem() and strtomem_pad()

One of the "legitimate" uses of strncpy() is copying a NUL-terminated
string into a fixed-size non-NUL-terminated character array. To avoid
the weaknesses and ambiguity of intent when using strncpy(), provide
replacement functions that explicitly distinguish between trailing
padding and not, and require the destination buffer size be discoverable
by the compiler.

For example:

struct obj {
int foo;
char small[4] __nonstring;
char big[8] __nonstring;
int bar;
};

struct obj p;

/* This will truncate to 4 chars with no trailing NUL */
strncpy(p.small, "hello", sizeof(p.small));
/* p.small contains 'h', 'e', 'l', 'l' */

/* This will NUL pad to 8 chars. */
strncpy(p.big, "hello", sizeof(p.big));
/* p.big contains 'h', 'e', 'l', 'l', 'o', '\0', '\0', '\0' */

When the "__nonstring" attributes are missing, the intent of the
programmer becomes ambiguous for whether the lack of a trailing NUL
in the p.small copy is a bug. Additionally, it's not clear whether
the trailing padding in the p.big copy is _needed_. Both cases
become unambiguous with:

strtomem(p.small, "hello");
strtomem_pad(p.big, "hello", 0);

See also https://github.com/KSPP/linux/issues/90

Expand the memcpy KUnit tests to include these functions.

Cc: Wolfram Sang <[email protected]>
Cc: Nick Desaulniers <[email protected]>
Cc: Geert Uytterhoeven <[email protected]>
Cc: Guenter Roeck <[email protected]>
Signed-off-by: Kees Cook <[email protected]>

show more ...

overflow: Implement size_t saturating arithmetic helpers

In order to perform more open-coded replacements of common allocation
size arithmetic, the kernel needs saturating (SIZE_MAX) helpers for
mul

overflow: Implement size_t saturating arithmetic helpers

In order to perform more open-coded replacements of common allocation
size arithmetic, the kernel needs saturating (SIZE_MAX) helpers for
multiplication, addition, and subtraction. For example, it is common in
allocators, especially on realloc, to add to an existing size:

p = krealloc(map->patch,
sizeof(struct reg_sequence) * (map->patch_regs + num_regs),
GFP_KERNEL);

There is no existing saturating replacement for this calculation, and
just leaving the addition open coded inside array_size() could
potentially overflow as well. For example, an overflow in an expression
for a size_t argument might wrap to zero:

array_size(anything, something_at_size_max + 1) == 0

Introduce size_mul(), size_add(), and size_sub() helpers that
implicitly promote arguments to size_t and saturated calculations for
use in allocations. With these helpers it is also possible to redefine
array_size(), array3_size(), flex_array_size(), and struct_size() in
terms of the new helpers.

As with the check_*_overflow() helpers, the new helpers use __must_check,
though what is really desired is a way to make sure that assignment is
only to a size_t lvalue. Without this, it's still possible to introduce
overflow/underflow via type conversion (i.e. from size_t to int).
Enforcing this will currently need to be left to static analysis or
future use of -Wconversion.

Additionally update the overflow unit tests to force runtime evaluation
for the pathological cases.

Cc: Rasmus Villemoes <[email protected]>
Cc: Gustavo A. R. Silva <[email protected]>
Cc: Nathan Chancellor <[email protected]>
Cc: Jason Gunthorpe <[email protected]>
Cc: Nick Desaulniers <[email protected]>
Cc: Leon Romanovsky <[email protected]>
Cc: Keith Busch <[email protected]>
Cc: Len Baker <[email protected]>
Signed-off-by: Kees Cook <[email protected]>

show more ...

docs: deprecated.rst: Clarify open-coded arithmetic with literals

Although using literals for size calculation in allocator arguments may
be harmless due to compiler warnings in case of overflows, i

docs: deprecated.rst: Clarify open-coded arithmetic with literals

Although using literals for size calculation in allocator arguments may
be harmless due to compiler warnings in case of overflows, it is better
to refactor the code to avoid the use of open-coded arithmetic.

So, clarify the preferred way in these cases.

Suggested-by: Kees Cook <[email protected]>
Signed-off-by: Len Baker <[email protected]>
Reviewed-by: Gustavo A. R. Silva <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

deprecated.rst: Include details on "no_hash_pointers"

Linus decided a debug toggle for %p was tolerable, so update the
%p deprecation documentation.

Signed-off-by: Kees Cook <[email protected]>

deprecated.rst: Include details on "no_hash_pointers"

Linus decided a debug toggle for %p was tolerable, so update the
%p deprecation documentation.

Signed-off-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

docs: deprecated.rst: Expand str*cpy() replacement notes

The notes on replacing the deprecated str*cpy() functions didn't call
enough attention to the change in return type. Add these details and
cl

docs: deprecated.rst: Expand str*cpy() replacement notes

The notes on replacing the deprecated str*cpy() functions didn't call
enough attention to the change in return type. Add these details and
clean up the language a bit more.

Signed-off-by: Kees Cook <[email protected]>
Acked-by: Gustavo A. R. Silva <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

docs: deprecated.rst: Update zero-length/one-element arrays section

Update information in the zero-length and one-element arrays section
and illustrate how to make use of the new flex_array_size() h

docs: deprecated.rst: Update zero-length/one-element arrays section

Update information in the zero-length and one-element arrays section
and illustrate how to make use of the new flex_array_size() helper,
together with struct_size() and a flexible-array member.

Signed-off-by: Gustavo A. R. Silva <[email protected]>
Acked-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/20200901010949.GA21398@embeddedor
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

deprecated.rst: Remove now removed uninitialized_var

It's now gone from the kernel so remove it from the deprecated API text.

Signed-off-by: Joe Perches <[email protected]>
Reviewed-by: Nick Desaulni

deprecated.rst: Remove now removed uninitialized_var

It's now gone from the kernel so remove it from the deprecated API text.

Signed-off-by: Joe Perches <[email protected]>
Reviewed-by: Nick Desaulniers <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

docs: Fix function name trailing double-()s

I noticed a double-() in the deprecated.rst rendering today. Fix that
one and two others in the Documentation/ tree.

Acked-by: "Paul E. McKenney" <paulmc

docs: Fix function name trailing double-()s

I noticed a double-() in the deprecated.rst rendering today. Fix that
one and two others in the Documentation/ tree.

Acked-by: "Paul E. McKenney" <[email protected]> # For RCU
Signed-off-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

docs: deprecated.rst: Add uninitialized_var()

Nothing should be using this macro, and the entire idea of tricking the
compiler into silencing such warnings is a mistake.

Cc: Jonathan Corbet <corbet

docs: deprecated.rst: Add uninitialized_var()

Nothing should be using this macro, and the entire idea of tricking the
compiler into silencing such warnings is a mistake.

Cc: Jonathan Corbet <[email protected]>
Cc: "Gustavo A. R. Silva" <[email protected]>
Cc: Joe Perches <[email protected]>
Cc: [email protected]
Reviewed-by: Nick Desaulniers <[email protected]>
Signed-off-by: Kees Cook <[email protected]>

show more ...

docs: deprecated.rst: Add zero-length and one-element arrays

Add zero-length and one-element arrays to the list.

While I continue replacing zero-length and one-element arrays with
flexible-array me

docs: deprecated.rst: Add zero-length and one-element arrays

Add zero-length and one-element arrays to the list.

While I continue replacing zero-length and one-element arrays with
flexible-array members, I need a reference to point people to, so
they don't introduce more instances of such arrays. And while here,
add a note to the "open-coded arithmetic in allocator arguments"
section, on the use of struct_size() and the arrays-to-deprecate
mentioned here.

Co-developed-by: Kees Cook <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Gustavo A. R. Silva <[email protected]>
Acked-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/20200608213711.GA22271@embeddedor
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

docs: deprecated.rst: Add BUG()-family

Linus continues to remind[1] people to stop using the BUG()-family of
functions. We should have this better documented (even if checkpatch.pl
has been warning[

docs: deprecated.rst: Add BUG()-family

Linus continues to remind[1] people to stop using the BUG()-family of
functions. We should have this better documented (even if checkpatch.pl
has been warning[2] since 2015), so add more details to deprecated.rst,
as a distinct place to point people to for guidance.

[1] https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/
[2] https://git.kernel.org/linus/9d3e3c705eb395528fd8f17208c87581b134da48

Signed-off-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/202003141524.59C619B51A@keescook
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

docs: Remove :c:func: from process/deprecated.rst

Documentation/process/deprecated.rst has a lot of uses of :c:func:, which
is, well, deprecated. Emacs query-replace-regexp to the rescue.

Signed-o

docs: Remove :c:func: from process/deprecated.rst

Documentation/process/deprecated.rst has a lot of uses of :c:func:, which
is, well, deprecated. Emacs query-replace-regexp to the rescue.

Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

docs: deprecated.rst: Clean up fall-through details

Add example of fall-through, list-ify the case ending statements, and
adjust the markup for links and readability. While here, adjust
strscpy() de

docs: deprecated.rst: Clean up fall-through details

Add example of fall-through, list-ify the case ending statements, and
adjust the markup for links and readability. While here, adjust
strscpy() details to mention strscpy_pad().

Signed-off-by: Kees Cook <[email protected]>
Acked-by: Gustavo A. R. Silva <[email protected]>
Link: https://lore.kernel.org/r/202003041102.47A4E4B62@keescook
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

docs: deprecated.rst: Add %p to the list

Once in a while %p usage comes up, and I've needed to have a reference
to point people to. Add %p details to deprecated.rst.

Signed-off-by: Kees Cook <keesc

docs: deprecated.rst: Add %p to the list

Once in a while %p usage comes up, and I've needed to have a reference
to point people to. Add %p details to deprecated.rst.

Signed-off-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/202003042301.F844A8C0EC@keescook
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

Documentation/process: Add fallthrough pseudo-keyword

Describe the fallthrough pseudo-keyword.

Convert the coding-style.rst example to the keyword style.
Add description and links to deprecated.rst

Documentation/process: Add fallthrough pseudo-keyword

Describe the fallthrough pseudo-keyword.

Convert the coding-style.rst example to the keyword style.
Add description and links to deprecated.rst.

Miguel Ojeda comments on the eventual [[fallthrough]] syntax:
"Note that C17/C18 does not have [[fallthrough]].

C++17 introduced it, as it is mentioned above. I would keep the
__attribute__((fallthrough)) -> [[fallthrough]] change you did,
though, since that is indeed the standard syntax (given the paragraph
references C++17).

I was told by Aaron Ballman (who is proposing them for C) that it is
more or less likely that it becomes standardized in C2x. However, it
is still not added to the draft (other attributes are already,
though). See N2268 and N2269:

http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2268.pdf (fallthrough)
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2269.pdf (attributes in general)"

Signed-off-by: Joe Perches <[email protected]>
Acked-by: Nick Desaulniers <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

show more ...

Makefile: Globally enable fall-through warning

Now that all the fall-through warnings have been addressed in the
kernel, enable the fall-through warning globally.

Also, update the deprecated.rst fi

Makefile: Globally enable fall-through warning

Now that all the fall-through warnings have been addressed in the
kernel, enable the fall-through warning globally.

Also, update the deprecated.rst file to include implicit fall-through
as 'deprecated' so people can be pointed to a single location for
justification.

Cc: Masahiro Yamada <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Michal Marek <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: [email protected]
Signed-off-by: Gustavo A. R. Silva <[email protected]>

show more ...

doc:it_IT: translations for documents in process/

Translated documents:
- stable-kernel-rules.rst
- deprecated.rst
- kernel-enforcement-statement.rst
- license-rules.rst

Added document to have vali

doc:it_IT: translations for documents in process/

Translated documents:
- stable-kernel-rules.rst
- deprecated.rst
- kernel-enforcement-statement.rst
- license-rules.rst

Added document to have valid links
- netdev-FAQ.rst

Modifications to main documentation
- add label in deprecated.rst

Signed-off-by: Federico Vaga <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...

docs: Introduce deprecated APIs list

As discussed in the "API replacement/deprecation" thread[1], this makes
an effort to document what things shouldn't get (re)added to the kernel,
by introducing D

docs: Introduce deprecated APIs list

As discussed in the "API replacement/deprecation" thread[1], this makes
an effort to document what things shouldn't get (re)added to the kernel,
by introducing Documentation/process/deprecated.rst.

[1] https://lists.linuxfoundation.org/pipermail/ksummit-discuss/2018-September/005282.html

Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>

show more ...