€•Ðá      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ&/translations/zh_CN/process/deprecated”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/zh_TW/process/deprecated”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/it_IT/process/deprecated”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/ja_JP/process/deprecated”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/ko_KR/process/deprecated”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ&/translations/sp_SP/process/deprecated”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒ@/var/lib/git/docbuild/linux/Documentation/process/deprecated.rst”h KubhŒtarget”“”)”}”(hŒ.. _deprecated:”h]”h}”(h]”h ]”h"]”h$]”h&]”Œrefid”Œ
deprecated”uh1h´h KhhhžhhŸh³ubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒEDeprecated Interfaces, Language Features, Attributes, and Conventions”h]”hŒEDeprecated Interfaces, Language Features, Attributes, and Conventions”…””}”(hhÉhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhhÄhžhhŸh³h KubhŒ	paragraph”“”)”}”(hX  In a perfect world, it would be possible to convert all instances of
some deprecated API into the new API and entirely remove the old API in
a single development cycle. However, due to the size of the kernel, the
maintainership hierarchy, and timing, it's not always feasible to do these
kinds of conversions at once. This means that new instances may sneak into
the kernel while old ones are being removed, only making the amount of
work to remove the API grow. In order to educate developers about what
has been deprecated and why, this list has been created as a place to
point when uses of deprecated things are proposed for inclusion in the
kernel.”h]”hX  In a perfect world, it would be possible to convert all instances of
some deprecated API into the new API and entirely remove the old API in
a single development cycle. However, due to the size of the kernel, the
maintainership hierarchy, and timing, itâ€™s not always feasible to do these
kinds of conversions at once. This means that new instances may sneak into
the kernel while old ones are being removed, only making the amount of
work to remove the API grow. In order to educate developers about what
has been deprecated and why, this list has been created as a place to
point when uses of deprecated things are proposed for inclusion in the
kernel.”…””}”(hhÙhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K	hhÄhžhubhÃ)”}”(hhh]”(hÈ)”}”(hŒ__deprecated”h]”hŒ__deprecated”…””}”(hhêhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhhçhžhhŸh³h KubhØ)”}”(hXI  While this attribute does visually mark an interface as deprecated,
it `does not produce warnings during builds any more
<https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_
because one of the standing goals of the kernel is to build without
warnings and no one was actually doing anything to remove these deprecated
interfaces. While using `__deprecated` is nice to note an old API in
a header file, it isn't the full solution. Such interfaces must either
be fully removed from the kernel, or added to this file to discourage
others from using them in the future.”h]”(hŒGWhile this attribute does visually mark an interface as deprecated,
it ”…””}”(hhøhžhhŸNh NubhŒ	reference”“”)”}”(hŒ{`does not produce warnings during builds any more
<https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>`_”h]”hŒ0does not produce warnings during builds any more”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ0does not produce warnings during builds any more”Œrefuri”ŒEhttps://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234”uh1j   hhøubhµ)”}”(hŒH
<https://git.kernel.org/linus/771c035372a036f83353eef46dbb829780330234>”h]”h}”(h]”Œ0does-not-produce-warnings-during-builds-any-more”ah ]”h"]”Œ0does not produce warnings during builds any more”ah$]”h&]”Œrefuri”j  uh1h´Œ
referenced”KhhøubhŒ¨
because one of the standing goals of the kernel is to build without
warnings and no one was actually doing anything to remove these deprecated
interfaces. While using ”…””}”(hhøhžhhŸNh NubhŒtitle_reference”“”)”}”(hŒ`__deprecated`”h]”hŒ__deprecated”…””}”(hj(  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hhøubhŒÓ is nice to note an old API in
a header file, it isnâ€™t the full solution. Such interfaces must either
be fully removed from the kernel, or added to this file to discourage
others from using them in the future.”…””}”(hhøhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Khhçhžhubeh}”(h]”Œid1”ah ]”h"]”Œ__deprecated”ah$]”h&]”uh1hÂhhÄhžhhŸh³h KubhÃ)”}”(hhh]”(hÈ)”}”(hŒBUG() and BUG_ON()”h]”hŒBUG() and BUG_ON()”…””}”(hjK  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhjH  hžhhŸh³h K!ubhØ)”}”(hXô  Use WARN() and WARN_ON() instead, and handle the "impossible"
error condition as gracefully as possible. While the BUG()-family
of APIs were originally designed to act as an "impossible situation"
assert and to kill a kernel thread "safely", they turn out to just be
too risky. (e.g. "In what order do locks need to be released? Have
various states been restored?") Very commonly, using BUG() will
destabilize a system or entirely break it, which makes it impossible
to debug or even get viable crash reports. Linus has `very strong
<https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_
feelings `about this
<https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_.”h]”(hX  Use WARN() and WARN_ON() instead, and handle the â€œimpossibleâ€
error condition as gracefully as possible. While the BUG()-family
of APIs were originally designed to act as an â€œimpossible situationâ€
assert and to kill a kernel thread â€œsafelyâ€, they turn out to just be
too risky. (e.g. â€œIn what order do locks need to be released? Have
various states been restored?â€) Very commonly, using BUG() will
destabilize a system or entirely break it, which makes it impossible
to debug or even get viable crash reports. Linus has ”…””}”(hjY  hžhhŸNh Nubj  )”}”(hŒq`very strong
<https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>`_”h]”hŒvery strong”…””}”(hja  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œvery strong”j  Œ`https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/”uh1j   hjY  ubhµ)”}”(hŒc
<https://lore.kernel.org/lkml/CA+55aFy6jNLsywVYdGp83AMrXBo_P-pkjkphPGrO=82SPKCpLQ@mail.gmail.com/>”h]”h}”(h]”Œvery-strong”ah ]”h"]”Œvery strong”ah$]”h&]”Œrefuri”jq  uh1h´j!  KhjY  ubhŒ

feelings ”…””}”(hjY  hžhhŸNh Nubj  )”}”(hŒp`about this
<https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>`_”h]”hŒ
about this”…””}”(hjƒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ
about this”j  Œ`https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/”uh1j   hjY  ubhµ)”}”(hŒc
<https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/>”h]”h}”(h]”Œ
about-this”ah ]”h"]”Œ
about this”ah$]”h&]”Œrefuri”j“  uh1h´j!  KhjY  ubhŒ.”…””}”(hjY  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K"hjH  hžhubhØ)”}”(hXÔ  Note that the WARN()-family should only be used for "expected to
be unreachable" situations. If you want to warn about "reachable
but undesirable" situations, please use the pr_warn()-family of
functions. System owners may have set the *panic_on_warn* sysctl,
to make sure their systems do not continue running in the face of
"unreachable" conditions. (For example, see commits like `this one
<https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_.)”h]”(hŒôNote that the WARN()-family should only be used for â€œexpected to
be unreachableâ€ situations. If you want to warn about â€œreachable
but undesirableâ€ situations, please use the pr_warn()-family of
functions. System owners may have set the ”…””}”(hj«  hžhhŸNh NubhŒemphasis”“”)”}”(hŒ*panic_on_warn*”h]”hŒpanic_on_warn”…””}”(hjµ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j³  hj«  ubhŒˆ sysctl,
to make sure their systems do not continue running in the face of
â€œunreachableâ€ conditions. (For example, see commits like ”…””}”(hj«  hžhhŸNh Nubj  )”}”(hŒS`this one
<https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>`_”h]”hŒthis one”…””}”(hjÇ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œthis one”j  ŒEhttps://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a”uh1j   hj«  ubhµ)”}”(hŒH
<https://git.kernel.org/linus/d4689846881d160a4d12a514e991a740bcb5d65a>”h]”h}”(h]”Œthis-one”ah ]”h"]”Œthis one”ah$]”h&]”Œrefuri”j×  uh1h´j!  Khj«  ubhŒ.)”…””}”(hj«  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K.hjH  hžhubeh}”(h]”Œbug-and-bug-on”ah ]”h"]”Œbug() and bug_on()”ah$]”h&]”uh1hÂhhÄhžhhŸh³h K!ubhÃ)”}”(hhh]”(hÈ)”}”(hŒ,open-coded arithmetic in allocator arguments”h]”hŒ,open-coded arithmetic in allocator arguments”…””}”(hjú  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj÷  hžhhŸh³h K7ubhØ)”}”(hXH  Dynamic size calculations (especially multiplication) should not be
performed in memory allocator (or similar) function arguments due to the
risk of them overflowing. This could lead to values wrapping around and a
smaller allocation being made than the caller was expecting. Using those
allocations could lead to linear overflows of heap memory and other
misbehaviors. (One exception to this is literal values where the compiler
can warn if they might overflow. However, the preferred way in these
cases is to refactor the code as suggested below to avoid the open-coded
arithmetic.)”h]”hXH  Dynamic size calculations (especially multiplication) should not be
performed in memory allocator (or similar) function arguments due to the
risk of them overflowing. This could lead to values wrapping around and a
smaller allocation being made than the caller was expecting. Using those
allocations could lead to linear overflows of heap memory and other
misbehaviors. (One exception to this is literal values where the compiler
can warn if they might overflow. However, the preferred way in these
cases is to refactor the code as suggested below to avoid the open-coded
arithmetic.)”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K8hj÷  hžhubhØ)”}”(hŒ@For example, do not use ``count * size`` as an argument, as in::”h]”(hŒFor example, do not use ”…””}”(hj  hžhhŸNh NubhŒliteral”“”)”}”(hŒ``count * size``”h]”hŒcount * size”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ as an argument, as in:”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KBhj÷  hžhubhŒliteral_block”“”)”}”(hŒ(foo = kmalloc(count * size, GFP_KERNEL);”h]”hŒ(foo = kmalloc(count * size, GFP_KERNEL);”…””}”hj:  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h KDhj÷  hžhubhØ)”}”(hŒ<Instead, the 2-factor form of the allocator should be used::”h]”hŒ;Instead, the 2-factor form of the allocator should be used:”…””}”(hjH  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KFhj÷  hžhubj9  )”}”(hŒ-foo = kmalloc_array(count, size, GFP_KERNEL);”h]”hŒ-foo = kmalloc_array(count, size, GFP_KERNEL);”…””}”hjV  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h KHhj÷  hžhubhØ)”}”(hŒkSpecifically, kmalloc() can be replaced with kmalloc_array(), and
kzalloc() can be replaced with kcalloc().”h]”hŒkSpecifically, kmalloc() can be replaced with kmalloc_array(), and
kzalloc() can be replaced with kcalloc().”…””}”(hjd  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KJhj÷  hžhubhØ)”}”(hŒSIf no 2-factor form is available, the saturate-on-overflow helpers should
be used::”h]”hŒRIf no 2-factor form is available, the saturate-on-overflow helpers should
be used:”…””}”(hjr  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KMhj÷  hžhubj9  )”}”(hŒIbar = dma_alloc_coherent(dev, array_size(count, size), &dma, GFP_KERNEL);”h]”hŒIbar = dma_alloc_coherent(dev, array_size(count, size), &dma, GFP_KERNEL);”…””}”hj€  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h KPhj÷  hžhubhØ)”}”(hŒwAnother common case to avoid is calculating the size of a structure with
a trailing array of others structures, as in::”h]”hŒvAnother common case to avoid is calculating the size of a structure with
a trailing array of others structures, as in:”…””}”(hjŽ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KRhj÷  hžhubj9  )”}”(hŒ_header = kzalloc(sizeof(*header) + count * sizeof(*header->item),
                 GFP_KERNEL);”h]”hŒ_header = kzalloc(sizeof(*header) + count * sizeof(*header->item),
                 GFP_KERNEL);”…””}”hjœ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h KUhj÷  hžhubhØ)”}”(hŒInstead, use the helper::”h]”hŒInstead, use the helper:”…””}”(hjª  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KXhj÷  hžhubj9  )”}”(hŒ?header = kzalloc(struct_size(header, item, count), GFP_KERNEL);”h]”hŒ?header = kzalloc(struct_size(header, item, count), GFP_KERNEL);”…””}”hj¸  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h KZhj÷  hžhubhŒnote”“”)”}”(hŒòIf you are using struct_size() on a structure containing a zero-length
or a one-element array as a trailing array member, please refactor such
array usage and switch to a `flexible array member
<#zero-length-and-one-element-arrays>`_ instead.”h]”hØ)”}”(hŒòIf you are using struct_size() on a structure containing a zero-length
or a one-element array as a trailing array member, please refactor such
array usage and switch to a `flexible array member
<#zero-length-and-one-element-arrays>`_ instead.”h]”(hŒ«If you are using struct_size() on a structure containing a zero-length
or a one-element array as a trailing array member, please refactor such
array usage and switch to a ”…””}”(hjÌ  hžhhŸNh Nubj  )”}”(hŒ>`flexible array member
<#zero-length-and-one-element-arrays>`_”h]”hŒflexible array member”…””}”(hjÔ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œflexible array member”j  Œ##zero-length-and-one-element-arrays”uh1j   hjÌ  ubhµ)”}”(hŒ&
<#zero-length-and-one-element-arrays>”h]”h}”(h]”Œflexible-array-member”ah ]”h"]”Œflexible array member”ah$]”h&]”Œrefuri”jä  uh1h´j!  KhjÌ  ubhŒ	 instead.”…””}”(hjÌ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K\hjÈ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÆ  hj÷  hžhhŸh³h NubhØ)”}”(hŒƒFor other calculations, please compose the use of the size_mul(),
size_add(), and size_sub() helpers. For example, in the case of::”h]”hŒ‚For other calculations, please compose the use of the size_mul(),
size_add(), and size_sub() helpers. For example, in the case of:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kahj÷  hžhubj9  )”}”(hŒDfoo = krealloc(current_size + chunk_size * (count - 3), GFP_KERNEL);”h]”hŒDfoo = krealloc(current_size + chunk_size * (count - 3), GFP_KERNEL);”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h Kdhj÷  hžhubhØ)”}”(hŒInstead, use the helpers::”h]”hŒInstead, use the helpers:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kfhj÷  hžhubj9  )”}”(hŒ–foo = krealloc(size_add(current_size,
                        size_mul(chunk_size,
                                 size_sub(count, 3))), GFP_KERNEL);”h]”hŒ–foo = krealloc(size_add(current_size,
                        size_mul(chunk_size,
                                 size_sub(count, 3))), GFP_KERNEL);”…””}”hj,  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h Khhj÷  hžhubhØ)”}”(hŒÆFor more details, also see array3_size() and flex_array_size(),
as well as the related check_mul_overflow(), check_add_overflow(),
check_sub_overflow(), and check_shl_overflow() family of functions.”h]”hŒÆFor more details, also see array3_size() and flex_array_size(),
as well as the related check_mul_overflow(), check_add_overflow(),
check_sub_overflow(), and check_shl_overflow() family of functions.”…””}”(hj:  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Klhj÷  hžhubeh}”(h]”Œ,open-coded-arithmetic-in-allocator-arguments”ah ]”h"]”Œ,open-coded arithmetic in allocator arguments”ah$]”h&]”uh1hÂhhÄhžhhŸh³h K7ubhÃ)”}”(hhh]”(hÈ)”}”(hŒFsimple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull()”h]”hŒFsimple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull()”…””}”(hjS  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhjP  hžhhŸh³h KqubhØ)”}”(hXb  The simple_strtol(), simple_strtoll(),
simple_strtoul(), and simple_strtoull() functions
explicitly ignore overflows, which may lead to unexpected results
in callers. The respective kstrtol(), kstrtoll(),
kstrtoul(), and kstrtoull() functions tend to be the
correct replacements, though note that those require the string to be
NUL or newline terminated.”h]”hXb  The simple_strtol(), simple_strtoll(),
simple_strtoul(), and simple_strtoull() functions
explicitly ignore overflows, which may lead to unexpected results
in callers. The respective kstrtol(), kstrtoll(),
kstrtoul(), and kstrtoull() functions tend to be the
correct replacements, though note that those require the string to be
NUL or newline terminated.”…””}”(hja  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KrhjP  hžhubeh}”(h]”Œ;simple-strtol-simple-strtoll-simple-strtoul-simple-strtoull”ah ]”h"]”ŒFsimple_strtol(), simple_strtoll(), simple_strtoul(), simple_strtoull()”ah$]”h&]”uh1hÂhhÄhžhhŸh³h KqubhÃ)”}”(hhh]”(hÈ)”}”(hŒstrcpy()”h]”hŒstrcpy()”…””}”(hjz  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhjw  hžhhŸh³h K{ubhØ)”}”(hXR  strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading to
all kinds of misbehaviors. While `CONFIG_FORTIFY_SOURCE=y` and various
compiler flags help reduce the risk of using this function, there is
no good reason to add new uses of this function. The safe replacement
is strscpy(), though care must be given to any cases where the return
value of strcpy() was used, since strscpy() does not return a pointer to
the destination, but rather a count of non-NUL bytes copied (or negative
errno when it truncates).”h]”(hŒ°strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading to
all kinds of misbehaviors. While ”…””}”(hjˆ  hžhhŸNh Nubj'  )”}”(hŒ`CONFIG_FORTIFY_SOURCE=y`”h]”hŒCONFIG_FORTIFY_SOURCE=y”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hjˆ  ubhX‰   and various
compiler flags help reduce the risk of using this function, there is
no good reason to add new uses of this function. The safe replacement
is strscpy(), though care must be given to any cases where the return
value of strcpy() was used, since strscpy() does not return a pointer to
the destination, but rather a count of non-NUL bytes copied (or negative
errno when it truncates).”…””}”(hjˆ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K|hjw  hžhubeh}”(h]”Œstrcpy”ah ]”h"]”Œstrcpy()”ah$]”h&]”uh1hÂhhÄhžhhŸh³h K{ubhÃ)”}”(hhh]”(hÈ)”}”(hŒ#strncpy() on NUL-terminated strings”h]”hŒ#strncpy() on NUL-terminated strings”…””}”(hj³  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj°  hžhhŸh³h K‡ubhØ)”}”(hX„  Use of strncpy() does not guarantee that the destination buffer will
be NUL terminated. This can lead to various linear read overflows and
other misbehavior due to the missing termination. It also NUL-pads
the destination buffer if the source contents are shorter than the
destination buffer size, which may be a needless performance penalty
for callers using only NUL-terminated strings.”h]”hX„  Use of strncpy() does not guarantee that the destination buffer will
be NUL terminated. This can lead to various linear read overflows and
other misbehavior due to the missing termination. It also NUL-pads
the destination buffer if the source contents are shorter than the
destination buffer size, which may be a needless performance penalty
for callers using only NUL-terminated strings.”…””}”(hjÁ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kˆhj°  hžhubhØ)”}”(hX  When the destination is required to be NUL-terminated, the replacement is
strscpy(), though care must be given to any cases where the return value
of strncpy() was used, since strscpy() does not return a pointer to the
destination, but rather a count of non-NUL bytes copied (or negative
errno when it truncates). Any cases still needing NUL-padding should
instead use strscpy_pad().”h]”hX  When the destination is required to be NUL-terminated, the replacement is
strscpy(), though care must be given to any cases where the return value
of strncpy() was used, since strscpy() does not return a pointer to the
destination, but rather a count of non-NUL bytes copied (or negative
errno when it truncates). Any cases still needing NUL-padding should
instead use strscpy_pad().”…””}”(hjÏ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Khj°  hžhubhØ)”}”(hX<  If a caller is using non-NUL-terminated strings, strtomem() should be
used, and the destinations should be marked with the `__nonstring
<https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_
attribute to avoid future compiler warnings. For cases still needing
NUL-padding, strtomem_pad() can be used.”h]”(hŒ{If a caller is using non-NUL-terminated strings, strtomem() should be
used, and the destinations should be marked with the ”…””}”(hjÝ  hžhhŸNh Nubj  )”}”(hŒS`__nonstring
<https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>`_”h]”hŒ__nonstring”…””}”(hjå  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ__nonstring”j  ŒBhttps://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html”uh1j   hjÝ  ubhµ)”}”(hŒE
<https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html>”h]”h}”(h]”Œ	nonstring”ah ]”h"]”Œ__nonstring”ah$]”h&]”Œrefuri”jõ  uh1h´j!  KhjÝ  ubhŒn
attribute to avoid future compiler warnings. For cases still needing
NUL-padding, strtomem_pad() can be used.”…””}”(hjÝ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K–hj°  hžhubeh}”(h]”Œ!strncpy-on-nul-terminated-strings”ah ]”h"]”Œ#strncpy() on nul-terminated strings”ah$]”h&]”uh1hÂhhÄhžhhŸh³h K‡ubhÃ)”}”(hhh]”(hÈ)”}”(hŒ	strlcpy()”h]”hŒ	strlcpy()”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj  hžhhŸh³h KubhØ)”}”(hXÁ  strlcpy() reads the entire source buffer first (since the return value
is meant to match that of strlen()). This read may exceed the destination
size limit. This is both inefficient and can lead to linear read overflows
if a source string is not NUL-terminated. The safe replacement is strscpy(),
though care must be given to any cases where the return value of strlcpy()
is used, since strscpy() will return negative errno values when it truncates.”h]”hXÁ  strlcpy() reads the entire source buffer first (since the return value
is meant to match that of strlen()). This read may exceed the destination
size limit. This is both inefficient and can lead to linear read overflows
if a source string is not NUL-terminated. The safe replacement is strscpy(),
though care must be given to any cases where the return value of strlcpy()
is used, since strscpy() will return negative errno values when it truncates.”…””}”(hj&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kžhj  hžhubeh}”(h]”Œstrlcpy”ah ]”h"]”Œ	strlcpy()”ah$]”h&]”uh1hÂhhÄhžhhŸh³h KubhÃ)”}”(hhh]”(hÈ)”}”(hŒ%p format specifier”h]”hŒ%p format specifier”…””}”(hj?  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj<  hžhhŸh³h K¦ubhØ)”}”(hXÜ  Traditionally, using "%p" in format strings would lead to regular address
exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to
be exploitable, all "%p" uses in the kernel are being printed as a hashed
value, rendering them unusable for addressing. New uses of "%p" should not
be added to the kernel. For text addresses, using "%pS" is likely better,
as it produces the more useful symbol name instead. For nearly everything
else, just do not add "%p" at all.”h]”hXð  Traditionally, using â€œ%pâ€ in format strings would lead to regular address
exposure flaws in dmesg, proc, sysfs, etc. Instead of leaving these to
be exploitable, all â€œ%pâ€ uses in the kernel are being printed as a hashed
value, rendering them unusable for addressing. New uses of â€œ%pâ€ should not
be added to the kernel. For text addresses, using â€œ%pSâ€ is likely better,
as it produces the more useful symbol name instead. For nearly everything
else, just do not add â€œ%pâ€ at all.”…””}”(hjM  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K§hj<  hžhubhØ)”}”(hŒŒParaphrasing Linus's current `guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_:”h]”(hŒParaphrasing Linusâ€™s current ”…””}”(hj[  hžhhŸNh Nubj  )”}”(hŒn`guidance <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>`_”h]”hŒguidance”…””}”(hjc  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œguidance”j  Œ`https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/”uh1j   hj[  ubhµ)”}”(hŒc <https://lore.kernel.org/lkml/CA+55aFwQEd_d40g4mUCSsVRZzrFPUJt74vc6PPpb675hYNXcKw@mail.gmail.com/>”h]”h}”(h]”Œguidance”ah ]”h"]”Œguidance”ah$]”h&]”Œrefuri”js  uh1h´j!  Khj[  ubhŒ:”…””}”(hj[  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K¯hj<  hžhubhŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒIf the hashed "%p" value is pointless, ask yourself whether the pointer
itself is important. Maybe it should be removed entirely?”h]”hØ)”}”(hŒIf the hashed "%p" value is pointless, ask yourself whether the pointer
itself is important. Maybe it should be removed entirely?”h]”hŒ…If the hashed â€œ%pâ€ value is pointless, ask yourself whether the pointer
itself is important. Maybe it should be removed entirely?”…””}”(hj–  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K±hj’  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  hžhhŸh³h Nubj‘  )”}”(hX9  If you really think the true pointer value is important, why is some
system state or user privilege level considered "special"? If you think
you can justify it (in comments and commit log) well enough to stand
up to Linus's scrutiny, maybe you can use "%px", along with making sure
you have sensible permissions.
”h]”hØ)”}”(hX8  If you really think the true pointer value is important, why is some
system state or user privilege level considered "special"? If you think
you can justify it (in comments and commit log) well enough to stand
up to Linus's scrutiny, maybe you can use "%px", along with making sure
you have sensible permissions.”h]”hXB  If you really think the true pointer value is important, why is some
system state or user privilege level considered â€œspecialâ€? If you think
you can justify it (in comments and commit log) well enough to stand
up to Linusâ€™s scrutiny, maybe you can use â€œ%pxâ€, along with making sure
you have sensible permissions.”…””}”(hj®  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K³hjª  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1j‹  hŸh³h K±hj<  hžhubhØ)”}”(hŒÒIf you are debugging something where "%p" hashing is causing problems,
you can temporarily boot with the debug flag "`no_hash_pointers
<https://git.kernel.org/linus/5ead723a20e0447bc7db33dc3070b420e5f80aa6>`_".”h]”(hŒ{If you are debugging something where â€œ%pâ€ hashing is causing problems,
you can temporarily boot with the debug flag â€œ”…””}”(hjÊ  hžhhŸNh Nubj  )”}”(hŒ[`no_hash_pointers
<https://git.kernel.org/linus/5ead723a20e0447bc7db33dc3070b420e5f80aa6>`_”h]”hŒno_hash_pointers”…””}”(hjÒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œno_hash_pointers”j  ŒEhttps://git.kernel.org/linus/5ead723a20e0447bc7db33dc3070b420e5f80aa6”uh1j   hjÊ  ubhµ)”}”(hŒH
<https://git.kernel.org/linus/5ead723a20e0447bc7db33dc3070b420e5f80aa6>”h]”h}”(h]”Œno-hash-pointers”ah ]”h"]”Œno_hash_pointers”ah$]”h&]”Œrefuri”jâ  uh1h´j!  KhjÊ  ubhŒâ€.”…””}”(hjÊ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K¹hj<  hžhubeh}”(h]”Œp-format-specifier”ah ]”h"]”Œ%p format specifier”ah$]”h&]”uh1hÂhhÄhžhhŸh³h K¦ubhÃ)”}”(hhh]”(hÈ)”}”(hŒVariable Length Arrays (VLAs)”h]”hŒVariable Length Arrays (VLAs)”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj  hžhhŸh³h K¾ubhØ)”}”(hX1  Using stack VLAs produces much worse machine code than statically
sized stack arrays. While these non-trivial `performance issues
<https://git.kernel.org/linus/02361bc77888>`_ are reason enough to
eliminate VLAs, they are also a security risk. Dynamic growth of a stack
array may exceed the remaining memory in the stack segment. This could
lead to a crash, possible overwriting sensitive contents at the end of the
stack (when built without `CONFIG_THREAD_INFO_IN_TASK=y`), or overwriting
memory adjacent to the stack (when built without `CONFIG_VMAP_STACK=y`)”h]”(hŒnUsing stack VLAs produces much worse machine code than statically
sized stack arrays. While these non-trivial ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒA`performance issues
<https://git.kernel.org/linus/02361bc77888>`_”h]”hŒperformance issues”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œperformance issues”j  Œ)https://git.kernel.org/linus/02361bc77888”uh1j   hj  ubhµ)”}”(hŒ,
<https://git.kernel.org/linus/02361bc77888>”h]”h}”(h]”Œperformance-issues”ah ]”h"]”Œperformance issues”ah$]”h&]”Œrefuri”j+  uh1h´j!  Khj  ubhX   are reason enough to
eliminate VLAs, they are also a security risk. Dynamic growth of a stack
array may exceed the remaining memory in the stack segment. This could
lead to a crash, possible overwriting sensitive contents at the end of the
stack (when built without ”…””}”(hj  hžhhŸNh Nubj'  )”}”(hŒ`CONFIG_THREAD_INFO_IN_TASK=y`”h]”hŒCONFIG_THREAD_INFO_IN_TASK=y”…””}”(hj=  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hj  ubhŒC), or overwriting
memory adjacent to the stack (when built without ”…””}”(hj  hžhhŸNh Nubj'  )”}”(hŒ`CONFIG_VMAP_STACK=y`”h]”hŒCONFIG_VMAP_STACK=y”…””}”(hjO  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hj  ubhŒ)”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K¿hj  hžhubeh}”(h]”Œvariable-length-arrays-vlas”ah ]”h"]”Œvariable length arrays (vlas)”ah$]”h&]”uh1hÂhhÄhžhhŸh³h K¾ubhÃ)”}”(hhh]”(hÈ)”}”(hŒ!Implicit switch case fall-through”h]”hŒ!Implicit switch case fall-through”…””}”(hjr  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhjo  hžhhŸh³h KÉubhØ)”}”(hX}  The C language allows switch cases to fall through to the next case
when a "break" statement is missing at the end of a case. This, however,
introduces ambiguity in the code, as it's not always clear if the missing
break is intentional or a bug. For example, it's not obvious just from
looking at the code if `STATE_ONE` is intentionally designed to fall
through into `STATE_TWO`::”h]”(hX=  The C language allows switch cases to fall through to the next case
when a â€œbreakâ€ statement is missing at the end of a case. This, however,
introduces ambiguity in the code, as itâ€™s not always clear if the missing
break is intentional or a bug. For example, itâ€™s not obvious just from
looking at the code if ”…””}”(hj€  hžhhŸNh Nubj'  )”}”(hŒ`STATE_ONE`”h]”hŒ	STATE_ONE”…””}”(hjˆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hj€  ubhŒ0 is intentionally designed to fall
through into ”…””}”(hj€  hžhhŸNh Nubj'  )”}”(hŒ`STATE_TWO`”h]”hŒ	STATE_TWO”…””}”(hjš  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hj€  ubhŒ:”…””}”(hj€  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KÊhjo  hžhubj9  )”}”(hŒ•switch (value) {
case STATE_ONE:
        do_something();
case STATE_TWO:
        do_other();
        break;
default:
        WARN("unknown state");
}”h]”hŒ•switch (value) {
case STATE_ONE:
        do_something();
case STATE_TWO:
        do_other();
        break;
default:
        WARN("unknown state");
}”…””}”hj²  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h KÑhjo  hžhubhØ)”}”(hXM  As there have been a long list of flaws `due to missing "break" statements
<https://cwe.mitre.org/data/definitions/484.html>`_, we no longer allow
implicit fall-through. In order to identify intentional fall-through
cases, we have adopted a pseudo-keyword macro "fallthrough" which
expands to gcc's extension `__attribute__((__fallthrough__))
<https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_.
(When the C17/C18  `[[fallthrough]]` syntax is more commonly supported by
C compilers, static analyzers, and IDEs, we can switch to using that syntax
for the macro pseudo-keyword.)”h]”(hŒ(As there have been a long list of flaws ”…””}”(hjÀ  hžhhŸNh Nubj  )”}”(hŒV`due to missing "break" statements
<https://cwe.mitre.org/data/definitions/484.html>`_”h]”hŒ%due to missing â€œbreakâ€ statements”…””}”(hjÈ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ!due to missing "break" statements”j  Œ/https://cwe.mitre.org/data/definitions/484.html”uh1j   hjÀ  ubhµ)”}”(hŒ2
<https://cwe.mitre.org/data/definitions/484.html>”h]”h}”(h]”Œdue-to-missing-break-statements”ah ]”h"]”Œ!due to missing "break" statements”ah$]”h&]”Œrefuri”jØ  uh1h´j!  KhjÀ  ubhŒ½, we no longer allow
implicit fall-through. In order to identify intentional fall-through
cases, we have adopted a pseudo-keyword macro â€œfallthroughâ€ which
expands to gccâ€™s extension ”…””}”(hjÀ  hžhhŸNh Nubj  )”}”(hŒb`__attribute__((__fallthrough__))
<https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>`_”h]”hŒ __attribute__((__fallthrough__))”…””}”(hjê  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ __attribute__((__fallthrough__))”j  Œ<https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html”uh1j   hjÀ  ubhµ)”}”(hŒ?
<https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html>”h]”h}”(h]”Œattribute-fallthrough”ah ]”h"]”Œ __attribute__((__fallthrough__))”ah$]”h&]”Œrefuri”jú  uh1h´j!  KhjÀ  ubhŒ.
(When the C17/C18  ”…””}”(hjÀ  hžhhŸNh Nubj'  )”}”(hŒ`[[fallthrough]]`”h]”hŒ[[fallthrough]]”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hjÀ  ubhŒ syntax is more commonly supported by
C compilers, static analyzers, and IDEs, we can switch to using that syntax
for the macro pseudo-keyword.)”…””}”(hjÀ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KÛhjo  hžhubhØ)”}”(hŒ*All switch/case blocks must end in one of:”h]”hŒ*All switch/case blocks must end in one of:”…””}”(hj$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kåhjo  hžhubjŒ  )”}”(hhh]”(j‘  )”}”(hŒbreak;”h]”hØ)”}”(hj7  h]”hŒbreak;”…””}”(hj9  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kçhj5  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj2  hžhhŸh³h Nubj‘  )”}”(hŒfallthrough;”h]”hØ)”}”(hjN  h]”hŒfallthrough;”…””}”(hjP  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KèhjL  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj2  hžhhŸh³h Nubj‘  )”}”(hŒ	continue;”h]”hØ)”}”(hje  h]”hŒ	continue;”…””}”(hjg  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kéhjc  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj2  hžhhŸh³h Nubj‘  )”}”(hŒgoto <label>;”h]”hØ)”}”(hj|  h]”hŒgoto <label>;”…””}”(hj~  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kêhjz  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj2  hžhhŸh³h Nubj‘  )”}”(hŒreturn [expression];
”h]”hØ)”}”(hŒreturn [expression];”h]”hŒreturn [expression];”…””}”(hj•  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Këhj‘  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj2  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”jÈ  Œ*”uh1j‹  hŸh³h Kçhjo  hžhubeh}”(h]”Œ!implicit-switch-case-fall-through”ah ]”h"]”Œ!implicit switch case fall-through”ah$]”h&]”uh1hÂhhÄhžhhŸh³h KÉubhÃ)”}”(hhh]”(hÈ)”}”(hŒ"Zero-length and one-element arrays”h]”hŒ"Zero-length and one-element arrays”…””}”(hj»  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj¸  hžhhŸh³h KîubhØ)”}”(hXU  There is a regular need in the kernel to provide a way to declare having
a dynamically sized set of trailing elements in a structure. Kernel code
should always use `"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_
for these cases. The older style of one-element or zero-length arrays should
no longer be used.”h]”(hŒ¤There is a regular need in the kernel to provide a way to declare having
a dynamically sized set of trailing elements in a structure. Kernel code
should always use ”…””}”(hjÉ  hžhhŸNh Nubj  )”}”(hŒQ`"flexible array members" <https://en.wikipedia.org/wiki/Flexible_array_member>`_”h]”hŒâ€œflexible array membersâ€”…””}”(hjÑ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ"flexible array members"”j  Œ3https://en.wikipedia.org/wiki/Flexible_array_member”uh1j   hjÉ  ubhµ)”}”(hŒ6 <https://en.wikipedia.org/wiki/Flexible_array_member>”h]”h}”(h]”Œflexible-array-members”ah ]”h"]”Œ"flexible array members"”ah$]”h&]”Œrefuri”já  uh1h´j!  KhjÉ  ubhŒ`
for these cases. The older style of one-element or zero-length arrays should
no longer be used.”…””}”(hjÉ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kïhj¸  hžhubhØ)”}”(hŒ|In older C code, dynamically sized trailing elements were done by specifying
a one-element array at the end of a structure::”h]”hŒ{In older C code, dynamically sized trailing elements were done by specifying
a one-element array at the end of a structure:”…””}”(hjù  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kõhj¸  hžhubj9  )”}”(hŒHstruct something {
        size_t count;
        struct foo items[1];
};”h]”hŒHstruct something {
        size_t count;
        struct foo items[1];
};”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h Køhj¸  hžhubhØ)”}”(hXA  This led to fragile size calculations via sizeof() (which would need to
remove the size of the single trailing element to get a correct size of
the "header"). A `GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_
was introduced to allow for zero-length arrays, to avoid these kinds of
size problems::”h]”(hŒ¥This led to fragile size calculations via sizeof() (which would need to
remove the size of the single trailing element to get a correct size of
the â€œheaderâ€). A ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒH`GNU C extension <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_”h]”hŒGNU C extension”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒGNU C extension”j  Œ3https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html”uh1j   hj  ubhµ)”}”(hŒ6 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>”h]”h}”(h]”Œgnu-c-extension”ah ]”h"]”Œgnu c extension”ah$]”h&]”Œrefuri”j-  uh1h´j!  Khj  ubhŒW
was introduced to allow for zero-length arrays, to avoid these kinds of
size problems:”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kýhj¸  hžhubj9  )”}”(hŒHstruct something {
        size_t count;
        struct foo items[0];
};”h]”hŒHstruct something {
        size_t count;
        struct foo items[0];
};”…””}”hjE  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h Mhj¸  hžhubhØ)”}”(hX  But this led to other problems, and didn't solve some problems shared by
both styles, like not being able to detect when such an array is accidentally
being used _not_ at the end of a structure (which could happen directly, or
when such a struct was in unions, structs of structs, etc).”h]”hX   But this led to other problems, and didnâ€™t solve some problems shared by
both styles, like not being able to detect when such an array is accidentally
being used _not_ at the end of a structure (which could happen directly, or
when such a struct was in unions, structs of structs, etc).”…””}”(hjS  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Mhj¸  hžhubhØ)”}”(hŒhC99 introduced "flexible array members", which lacks a numeric size for
the array declaration entirely::”h]”hŒkC99 introduced â€œflexible array membersâ€, which lacks a numeric size for
the array declaration entirely:”…””}”(hja  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Mhj¸  hžhubj9  )”}”(hŒGstruct something {
        size_t count;
        struct foo items[];
};”h]”hŒGstruct something {
        size_t count;
        struct foo items[];
};”…””}”hjo  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h Mhj¸  hžhubhØ)”}”(hX•  This is the way the kernel expects dynamically sized trailing elements
to be declared. It allows the compiler to generate errors when the
flexible array does not occur last in the structure, which helps to prevent
some kind of `undefined behavior
<https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_
bugs from being inadvertently introduced to the codebase. It also allows
the compiler to correctly analyze array sizes (via sizeof(),
`CONFIG_FORTIFY_SOURCE`, and `CONFIG_UBSAN_BOUNDS`). For instance,
there is no mechanism that warns us that the following application of the
sizeof() operator to a zero-length array always results in zero::”h]”(hŒãThis is the way the kernel expects dynamically sized trailing elements
to be declared. It allows the compiler to generate errors when the
flexible array does not occur last in the structure, which helps to prevent
some kind of ”…””}”(hj}  hžhhŸNh Nubj  )”}”(hŒ]`undefined behavior
<https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>`_”h]”hŒundefined behavior”…””}”(hj…  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œundefined behavior”j  ŒEhttps://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf”uh1j   hj}  ubhµ)”}”(hŒH
<https://git.kernel.org/linus/76497732932f15e7323dc805e8ea8dc11bb587cf>”h]”h}”(h]”Œundefined-behavior”ah ]”h"]”Œundefined behavior”ah$]”h&]”Œrefuri”j•  uh1h´j!  Khj}  ubhŒ‡
bugs from being inadvertently introduced to the codebase. It also allows
the compiler to correctly analyze array sizes (via sizeof(),
”…””}”(hj}  hžhhŸNh Nubj'  )”}”(hŒ`CONFIG_FORTIFY_SOURCE`”h]”hŒCONFIG_FORTIFY_SOURCE”…””}”(hj§  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hj}  ubhŒ, and ”…””}”(hj}  hžhhŸNh Nubj'  )”}”(hŒ`CONFIG_UBSAN_BOUNDS`”h]”hŒCONFIG_UBSAN_BOUNDS”…””}”(hj¹  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hj}  ubhŒ›). For instance,
there is no mechanism that warns us that the following application of the
sizeof() operator to a zero-length array always results in zero:”…””}”(hj}  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Mhj¸  hžhubj9  )”}”(hX  struct something {
        size_t count;
        struct foo items[0];
};

struct something *instance;

instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
instance->count = count;

size = sizeof(instance->items) * instance->count;
memcpy(instance->items, source, size);”h]”hX  struct something {
        size_t count;
        struct foo items[0];
};

struct something *instance;

instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
instance->count = count;

size = sizeof(instance->items) * instance->count;
memcpy(instance->items, source, size);”…””}”hjÑ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h M hj¸  hžhubhØ)”}”(hXŠ  At the last line of code above, ``size`` turns out to be ``zero``, when one might
have thought it represents the total size in bytes of the dynamic memory recently
allocated for the trailing array ``items``. Here are a couple examples of this
issue: `link 1
<https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_,
`link 2
<https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_.
Instead, `flexible array members have incomplete type, and so the sizeof()
operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
so any misuse of such operators will be immediately noticed at build time.”h]”(hŒ At the last line of code above, ”…””}”(hjß  hžhhŸNh Nubj  )”}”(hŒ``size``”h]”hŒsize”…””}”(hjç  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjß  ubhŒ turns out to be ”…””}”(hjß  hžhhŸNh Nubj  )”}”(hŒ``zero``”h]”hŒzero”…””}”(hjù  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjß  ubhŒ„, when one might
have thought it represents the total size in bytes of the dynamic memory recently
allocated for the trailing array ”…””}”(hjß  hžhhŸNh Nubj  )”}”(hŒ	``items``”h]”hŒitems”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjß  ubhŒ,. Here are a couple examples of this
issue: ”…””}”(hjß  hžhhŸNh Nubj  )”}”(hŒQ`link 1
<https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>`_”h]”hŒlink 1”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œlink 1”j  ŒEhttps://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539”uh1j   hjß  ubhµ)”}”(hŒH
<https://git.kernel.org/linus/f2cd32a443da694ac4e28fbf4ac6f9d5cc63a539>”h]”h}”(h]”Œlink-1”ah ]”h"]”Œlink 1”ah$]”h&]”Œrefuri”j-  uh1h´j!  Khjß  ubhŒ,
”…””}”(hjß  hžhhŸNh Nubj  )”}”(hŒQ`link 2
<https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>`_”h]”hŒlink 2”…””}”(hj?  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œlink 2”j  ŒEhttps://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf”uh1j   hjß  ubhµ)”}”(hŒH
<https://git.kernel.org/linus/ab91c2a89f86be2898cee208d492816ec238b2cf>”h]”h}”(h]”Œlink-2”ah ]”h"]”Œlink 2”ah$]”h&]”Œrefuri”jO  uh1h´j!  Khjß  ubhŒ.
Instead, ”…””}”(hjß  hžhhŸNh Nubj  )”}”(hŒ•`flexible array members have incomplete type, and so the sizeof()
operator may not be applied <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_”h]”hŒ\flexible array members have incomplete type, and so the sizeof()
operator may not be applied”…””}”(hja  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ\flexible array members have incomplete type, and so the sizeof() operator may not be applied”j  Œ3https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html”uh1j   hjß  ubhµ)”}”(hŒ6 <https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>”h]”h}”(h]”ŒYflexible-array-members-have-incomplete-type-and-so-the-sizeof-operator-may-not-be-applied”ah ]”h"]”Œ\flexible array members have incomplete type, and so the sizeof() operator may not be applied”ah$]”h&]”Œrefuri”jq  uh1h´j!  Khjß  ubhŒL,
so any misuse of such operators will be immediately noticed at build time.”…””}”(hjß  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h M-hj¸  hžhubhØ)”}”(hX¬  With respect to one-element arrays, one has to be acutely aware that `such arrays
occupy at least as much space as a single object of the type
<https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_,
hence they contribute to the size of the enclosing structure. This is prone
to error every time people want to calculate the total size of dynamic memory
to allocate for a structure containing an array of this kind as a member::”h]”(hŒEWith respect to one-element arrays, one has to be acutely aware that ”…””}”(hj‰  hžhhŸNh Nubj  )”}”(hŒ`such arrays
occupy at least as much space as a single object of the type
<https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>`_”h]”hŒHsuch arrays
occupy at least as much space as a single object of the type”…””}”(hj‘  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒHsuch arrays occupy at least as much space as a single object of the type”j  Œ3https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html”uh1j   hj‰  ubhµ)”}”(hŒ6
<https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html>”h]”h}”(h]”ŒHsuch-arrays-occupy-at-least-as-much-space-as-a-single-object-of-the-type”ah ]”h"]”ŒHsuch arrays occupy at least as much space as a single object of the type”ah$]”h&]”Œrefuri”j¡  uh1h´j!  Khj‰  ubhŒå,
hence they contribute to the size of the enclosing structure. This is prone
to error every time people want to calculate the total size of dynamic memory
to allocate for a structure containing an array of this kind as a member:”…””}”(hj‰  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h M8hj¸  hžhubj9  )”}”(hX"  struct something {
        size_t count;
        struct foo items[1];
};

struct something *instance;

instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL);
instance->count = count;

size = sizeof(instance->items) * instance->count;
memcpy(instance->items, source, size);”h]”hX"  struct something {
        size_t count;
        struct foo items[1];
};

struct something *instance;

instance = kmalloc(struct_size(instance, items, count - 1), GFP_KERNEL);
instance->count = count;

size = sizeof(instance->items) * instance->count;
memcpy(instance->items, source, size);”…””}”hj¹  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h M?hj¸  hžhubhØ)”}”(hXo  In the example above, we had to remember to calculate ``count - 1`` when using
the struct_size() helper, otherwise we would have --unintentionally-- allocated
memory for one too many ``items`` objects. The cleanest and least error-prone way
to implement this is through the use of a `flexible array member`, together with
struct_size() and flex_array_size() helpers::”h]”(hŒ6In the example above, we had to remember to calculate ”…””}”(hjÇ  hžhhŸNh Nubj  )”}”(hŒ``count - 1``”h]”hŒ	count - 1”…””}”(hjÏ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÇ  ubhŒt when using
the struct_size() helper, otherwise we would have --unintentionally-- allocated
memory for one too many ”…””}”(hjÇ  hžhhŸNh Nubj  )”}”(hŒ	``items``”h]”hŒitems”…””}”(hjá  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÇ  ubhŒ[ objects. The cleanest and least error-prone way
to implement this is through the use of a ”…””}”(hjÇ  hžhhŸNh Nubj'  )”}”(hŒ`flexible array member`”h]”hŒflexible array member”…””}”(hjó  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j&  hjÇ  ubhŒ<, together with
struct_size() and flex_array_size() helpers:”…””}”(hjÇ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h MLhj¸  hžhubj9  )”}”(hX  struct something {
        size_t count;
        struct foo items[];
};

struct something *instance;

instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
instance->count = count;

memcpy(instance->items, source, flex_array_size(instance, items, instance->count));”h]”hX  struct something {
        size_t count;
        struct foo items[];
};

struct something *instance;

instance = kmalloc(struct_size(instance, items, count), GFP_KERNEL);
instance->count = count;

memcpy(instance->items, source, flex_array_size(instance, items, instance->count));”…””}”hj	  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h MRhj¸  hžhubhØ)”}”(hXì  There are two special cases of replacement where the DECLARE_FLEX_ARRAY()
helper needs to be used. (Note that it is named __DECLARE_FLEX_ARRAY() for
use in UAPI headers.) Those cases are when the flexible array is either
alone in a struct or is part of a union. These are disallowed by the C99
specification, but for no technical reason (as can be seen by both the
existing use of such arrays in those places and the work-around that
DECLARE_FLEX_ARRAY() uses). For example, to convert this::”h]”hXë  There are two special cases of replacement where the DECLARE_FLEX_ARRAY()
helper needs to be used. (Note that it is named __DECLARE_FLEX_ARRAY() for
use in UAPI headers.) Those cases are when the flexible array is either
alone in a struct or is part of a union. These are disallowed by the C99
specification, but for no technical reason (as can be seen by both the
existing use of such arrays in those places and the work-around that
DECLARE_FLEX_ARRAY() uses). For example, to convert this:”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h M^hj¸  hžhubj9  )”}”(hŒ†struct something {
        ...
        union {
                struct type1 one[0];
                struct type2 two[0];
        };
};”h]”hŒ†struct something {
        ...
        union {
                struct type1 one[0];
                struct type2 two[0];
        };
};”…””}”hj'	  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h Mfhj¸  hžhubhØ)”}”(hŒThe helper must be used::”h]”hŒThe helper must be used:”…””}”(hj5	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Mnhj¸  hžhubj9  )”}”(hŒªstruct something {
        ...
        union {
                DECLARE_FLEX_ARRAY(struct type1, one);
                DECLARE_FLEX_ARRAY(struct type2, two);
        };
};”h]”hŒªstruct something {
        ...
        union {
                DECLARE_FLEX_ARRAY(struct type1, one);
                DECLARE_FLEX_ARRAY(struct type2, two);
        };
};”…””}”hjC	  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j8  hŸh³h Mphj¸  hžhubeh}”(h]”Œ"zero-length-and-one-element-arrays”ah ]”h"]”Œ"zero-length and one-element arrays”ah$]”h&]”uh1hÂhhÄhžhhŸh³h Kîubeh}”(h]”(ŒBdeprecated-interfaces-language-features-attributes-and-conventions”hÁeh ]”h"]”(ŒEdeprecated interfaces, language features, attributes, and conventions”Œ
deprecated”eh$]”h&]”uh1hÂhhhžhhŸh³h KŒexpect_referenced_by_name”}”j_	  h¶sŒexpect_referenced_by_id”}”hÁh¶subeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÇNŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j‰	  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”hÁ]”h¶asŒnameids”}”(j_	  hÁj^	  j[	  jE  jB  j  j  jô  jñ  j{  jx  j  jš  já  jÞ  jM  jJ  jî  jë  jt  jq  j­  jª  j  j  jÿ  jü  j9  j6  jÿ  jü  j}  jz  jì  jé  jl  ji  j5  j2  jµ  j²  jâ  jß  j  j  jV	  jS	  jë  jè  j7  j4  jŸ  jœ  j7  j4  jY  jV  j{  jx  j«  j¨  uŒ	nametypes”}”(j_	  ˆj^	  ‰jE  ‰j  ˆjô  ‰j{  ˆj  ˆjá  ˆjM  ‰jî  ˆjt  ‰j­  ‰j  ‰jÿ  ˆj9  ‰jÿ  ‰j}  ˆjì  ˆjl  ‰j5  ˆjµ  ‰jâ  ˆj  ˆjV	  ‰jë  ˆj7  ˆjŸ  ˆj7  ˆjY  ˆj{  ˆj«  ˆuh}”(hÁhÄj[	  hÄjB  hçj  j  jñ  jH  jx  jr  jš  j”  jÞ  jØ  jJ  j÷  jë  jå  jq  jP  jª  jw  j  j°  jü  jö  j6  j  jü  j<  jz  jt  jé  jã  ji  j  j2  j,  j²  jo  jß  jÙ  j  jû  jS	  j¸  jè  jâ  j4  j.  jœ  j–  j4  j.  jV  jP  jx  jr  j¨  j¢  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”j—	  Ks…”R”Œparse_messages”]”Œtransform_messages”]”hŒsystem_message”“”)”}”(hhh]”hØ)”}”(hhh]”hŒ0Hyperlink target "deprecated" is not referenced.”…””}”hjó	  sbah}”(h]”h ]”h"]”h$]”h&]”uh1h×hjð	  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”ŒINFO”Œsource”h³Œline”Kuh1jî	  ubaŒtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.