blob: db653774c0b74fe5f3a98598b5b68d6c10a20e34 [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -07001
2 Linux kernel coding style
3
4This is a short document describing the preferred coding style for the
5linux kernel. Coding style is very personal, and I won't _force_ my
6views on anybody, but this is what goes for anything that I have to be
7able to maintain, and I'd prefer it for most other things too. Please
8at least consider the points made here.
9
10First off, I'd suggest printing out a copy of the GNU coding standards,
11and NOT read it. Burn them, it's a great symbolic gesture.
12
13Anyway, here goes:
14
15
Pavel Kretov696156f2015-02-16 20:26:17 +030016 Chapter 1: Indentation
Linus Torvalds1da177e2005-04-16 15:20:36 -070017
18Tabs are 8 characters, and thus indentations are also 8 characters.
19There are heretic movements that try to make indentations 4 (or even 2!)
20characters deep, and that is akin to trying to define the value of PI to
21be 3.
22
23Rationale: The whole idea behind indentation is to clearly define where
24a block of control starts and ends. Especially when you've been looking
25at your screen for 20 straight hours, you'll find it a lot easier to see
26how the indentation works if you have large indentations.
27
28Now, some people will claim that having 8-character indentations makes
29the code move too far to the right, and makes it hard to read on a
3080-character terminal screen. The answer to that is that if you need
31more than 3 levels of indentation, you're screwed anyway, and should fix
32your program.
33
34In short, 8-char indents make things easier to read, and have the added
35benefit of warning you when you're nesting your functions too deep.
36Heed that warning.
37
Randy Dunlapb3fc9942006-12-10 02:18:56 -080038The preferred way to ease multiple indentation levels in a switch statement is
39to align the "switch" and its subordinate "case" labels in the same column
40instead of "double-indenting" the "case" labels. E.g.:
41
42 switch (suffix) {
43 case 'G':
44 case 'g':
45 mem <<= 30;
46 break;
47 case 'M':
48 case 'm':
49 mem <<= 20;
50 break;
51 case 'K':
52 case 'k':
53 mem <<= 10;
54 /* fall through */
55 default:
56 break;
57 }
58
Linus Torvalds1da177e2005-04-16 15:20:36 -070059Don't put multiple statements on a single line unless you have
60something to hide:
61
62 if (condition) do_this;
63 do_something_everytime;
64
Randy Dunlapb3fc9942006-12-10 02:18:56 -080065Don't put multiple assignments on a single line either. Kernel coding style
66is super simple. Avoid tricky expressions.
67
Linus Torvalds1da177e2005-04-16 15:20:36 -070068Outside of comments, documentation and except in Kconfig, spaces are never
69used for indentation, and the above example is deliberately broken.
70
71Get a decent editor and don't leave whitespace at the end of lines.
72
73
74 Chapter 2: Breaking long lines and strings
75
76Coding style is all about readability and maintainability using commonly
77available tools.
78
Alan Coxdff49822007-10-16 23:27:33 -070079The limit on the length of lines is 80 columns and this is a strongly
80preferred limit.
Linus Torvalds1da177e2005-04-16 15:20:36 -070081
Josh Triplett6f76b6f2011-08-03 12:19:07 -070082Statements longer than 80 columns will be broken into sensible chunks, unless
83exceeding 80 columns significantly increases readability and does not hide
84information. Descendants are always substantially shorter than the parent and
85are placed substantially to the right. The same applies to function headers
86with a long argument list. However, never break user-visible strings such as
87printk messages, because that breaks the ability to grep for them.
Linus Torvalds1da177e2005-04-16 15:20:36 -070088
Linus Torvalds1da177e2005-04-16 15:20:36 -070089
Randy Dunlapb3fc9942006-12-10 02:18:56 -080090 Chapter 3: Placing Braces and Spaces
Linus Torvalds1da177e2005-04-16 15:20:36 -070091
92The other issue that always comes up in C styling is the placement of
93braces. Unlike the indent size, there are few technical reasons to
94choose one placement strategy over the other, but the preferred way, as
95shown to us by the prophets Kernighan and Ritchie, is to put the opening
96brace last on the line, and put the closing brace first, thusly:
97
98 if (x is true) {
99 we do y
100 }
101
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800102This applies to all non-function statement blocks (if, switch, for,
103while, do). E.g.:
104
105 switch (action) {
106 case KOBJ_ADD:
107 return "add";
108 case KOBJ_REMOVE:
109 return "remove";
110 case KOBJ_CHANGE:
111 return "change";
112 default:
113 return NULL;
114 }
115
Linus Torvalds1da177e2005-04-16 15:20:36 -0700116However, there is one special case, namely functions: they have the
117opening brace at the beginning of the next line, thus:
118
119 int function(int x)
120 {
121 body of function
122 }
123
124Heretic people all over the world have claimed that this inconsistency
125is ... well ... inconsistent, but all right-thinking people know that
126(a) K&R are _right_ and (b) K&R are right. Besides, functions are
127special anyway (you can't nest them in C).
128
129Note that the closing brace is empty on a line of its own, _except_ in
130the cases where it is followed by a continuation of the same statement,
131ie a "while" in a do-statement or an "else" in an if-statement, like
132this:
133
134 do {
135 body of do-loop
136 } while (condition);
137
138and
139
140 if (x == y) {
141 ..
142 } else if (x > y) {
143 ...
144 } else {
145 ....
146 }
147
148Rationale: K&R.
149
150Also, note that this brace-placement also minimizes the number of empty
151(or almost empty) lines, without any loss of readability. Thus, as the
152supply of new-lines on your screen is not a renewable resource (think
15325-line terminal screens here), you have more empty lines to put
154comments on.
155
Oliver Neukume659ba42007-05-08 00:30:34 -0700156Do not unnecessarily use braces where a single statement will do.
157
Pavel Kretov09677e02015-02-16 20:26:18 +0300158 if (condition)
159 action();
Oliver Neukume659ba42007-05-08 00:30:34 -0700160
Harry Wei38829dc2011-03-22 16:35:01 -0700161and
162
Pavel Kretov09677e02015-02-16 20:26:18 +0300163 if (condition)
164 do_this();
165 else
166 do_that();
Harry Wei38829dc2011-03-22 16:35:01 -0700167
Antonio Ospiteb218ab02011-11-04 11:22:19 -0700168This does not apply if only one branch of a conditional statement is a single
169statement; in the latter case use braces in both branches:
Oliver Neukume659ba42007-05-08 00:30:34 -0700170
Pavel Kretov09677e02015-02-16 20:26:18 +0300171 if (condition) {
172 do_this();
173 do_that();
174 } else {
175 otherwise();
176 }
Oliver Neukume659ba42007-05-08 00:30:34 -0700177
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800178 3.1: Spaces
179
180Linux kernel style for use of spaces depends (mostly) on
181function-versus-keyword usage. Use a space after (most) keywords. The
182notable exceptions are sizeof, typeof, alignof, and __attribute__, which look
183somewhat like functions (and are usually used with parentheses in Linux,
184although they are not required in the language, as in: "sizeof info" after
185"struct fileinfo info;" is declared).
186
187So use a space after these keywords:
Pavel Kretov09677e02015-02-16 20:26:18 +0300188
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800189 if, switch, case, for, do, while
Pavel Kretov09677e02015-02-16 20:26:18 +0300190
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800191but not with sizeof, typeof, alignof, or __attribute__. E.g.,
Pavel Kretov09677e02015-02-16 20:26:18 +0300192
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800193 s = sizeof(struct file);
194
195Do not add spaces around (inside) parenthesized expressions. This example is
196*bad*:
197
198 s = sizeof( struct file );
199
200When declaring pointer data or a function that returns a pointer type, the
201preferred use of '*' is adjacent to the data name or function name and not
202adjacent to the type name. Examples:
203
204 char *linux_banner;
205 unsigned long long memparse(char *ptr, char **retptr);
206 char *match_strdup(substring_t *s);
207
208Use one space around (on each side of) most binary and ternary operators,
209such as any of these:
210
211 = + - < > * / % | & ^ <= >= == != ? :
212
213but no space after unary operators:
Pavel Kretov09677e02015-02-16 20:26:18 +0300214
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800215 & * + - ~ ! sizeof typeof alignof __attribute__ defined
216
217no space before the postfix increment & decrement unary operators:
Pavel Kretov09677e02015-02-16 20:26:18 +0300218
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800219 ++ --
220
221no space after the prefix increment & decrement unary operators:
Pavel Kretov09677e02015-02-16 20:26:18 +0300222
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800223 ++ --
224
225and no space around the '.' and "->" structure member operators.
226
Josh Tripletta923fd62007-07-15 23:41:37 -0700227Do not leave trailing whitespace at the ends of lines. Some editors with
228"smart" indentation will insert whitespace at the beginning of new lines as
229appropriate, so you can start typing the next line of code right away.
230However, some such editors do not remove the whitespace if you end up not
231putting a line of code there, such as if you leave a blank line. As a result,
232you end up with lines containing trailing whitespace.
233
234Git will warn you about patches that introduce trailing whitespace, and can
235optionally strip the trailing whitespace for you; however, if applying a series
236of patches, this may make later patches in the series fail by changing their
237context lines.
238
Linus Torvalds1da177e2005-04-16 15:20:36 -0700239
240 Chapter 4: Naming
241
242C is a Spartan language, and so should your naming be. Unlike Modula-2
243and Pascal programmers, C programmers do not use cute names like
244ThisVariableIsATemporaryCounter. A C programmer would call that
245variable "tmp", which is much easier to write, and not the least more
246difficult to understand.
247
248HOWEVER, while mixed-case names are frowned upon, descriptive names for
249global variables are a must. To call a global function "foo" is a
250shooting offense.
251
252GLOBAL variables (to be used only if you _really_ need them) need to
253have descriptive names, as do global functions. If you have a function
254that counts the number of active users, you should call that
255"count_active_users()" or similar, you should _not_ call it "cntusr()".
256
257Encoding the type of a function into the name (so-called Hungarian
258notation) is brain damaged - the compiler knows the types anyway and can
259check those, and it only confuses the programmer. No wonder MicroSoft
260makes buggy programs.
261
262LOCAL variable names should be short, and to the point. If you have
263some random integer loop counter, it should probably be called "i".
264Calling it "loop_counter" is non-productive, if there is no chance of it
265being mis-understood. Similarly, "tmp" can be just about any type of
266variable that is used to hold a temporary value.
267
268If you are afraid to mix up your local variable names, you have another
269problem, which is called the function-growth-hormone-imbalance syndrome.
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800270See chapter 6 (Functions).
Linus Torvalds1da177e2005-04-16 15:20:36 -0700271
272
Randy Dunlap226a6b82006-06-23 02:05:58 -0700273 Chapter 5: Typedefs
274
275Please don't use things like "vps_t".
Randy Dunlap226a6b82006-06-23 02:05:58 -0700276It's a _mistake_ to use typedef for structures and pointers. When you see a
277
278 vps_t a;
279
280in the source, what does it mean?
Randy Dunlap226a6b82006-06-23 02:05:58 -0700281In contrast, if it says
282
283 struct virtual_container *a;
284
285you can actually tell what "a" is.
286
287Lots of people think that typedefs "help readability". Not so. They are
288useful only for:
289
290 (a) totally opaque objects (where the typedef is actively used to _hide_
291 what the object is).
292
293 Example: "pte_t" etc. opaque objects that you can only access using
294 the proper accessor functions.
295
296 NOTE! Opaqueness and "accessor functions" are not good in themselves.
297 The reason we have them for things like pte_t etc. is that there
298 really is absolutely _zero_ portably accessible information there.
299
300 (b) Clear integer types, where the abstraction _helps_ avoid confusion
301 whether it is "int" or "long".
302
303 u8/u16/u32 are perfectly fine typedefs, although they fit into
304 category (d) better than here.
305
306 NOTE! Again - there needs to be a _reason_ for this. If something is
307 "unsigned long", then there's no reason to do
308
309 typedef unsigned long myflags_t;
310
311 but if there is a clear reason for why it under certain circumstances
312 might be an "unsigned int" and under other configurations might be
313 "unsigned long", then by all means go ahead and use a typedef.
314
315 (c) when you use sparse to literally create a _new_ type for
316 type-checking.
317
318 (d) New types which are identical to standard C99 types, in certain
319 exceptional circumstances.
320
321 Although it would only take a short amount of time for the eyes and
322 brain to become accustomed to the standard types like 'uint32_t',
323 some people object to their use anyway.
324
325 Therefore, the Linux-specific 'u8/u16/u32/u64' types and their
326 signed equivalents which are identical to standard types are
327 permitted -- although they are not mandatory in new code of your
328 own.
329
330 When editing existing code which already uses one or the other set
331 of types, you should conform to the existing choices in that code.
332
333 (e) Types safe for use in userspace.
334
335 In certain structures which are visible to userspace, we cannot
336 require C99 types and cannot use the 'u32' form above. Thus, we
337 use __u32 and similar types in all structures which are shared
338 with userspace.
339
340Maybe there are other cases too, but the rule should basically be to NEVER
341EVER use a typedef unless you can clearly match one of those rules.
342
343In general, a pointer, or a struct that has elements that can reasonably
344be directly accessed should _never_ be a typedef.
345
346
347 Chapter 6: Functions
Linus Torvalds1da177e2005-04-16 15:20:36 -0700348
349Functions should be short and sweet, and do just one thing. They should
350fit on one or two screenfuls of text (the ISO/ANSI screen size is 80x24,
351as we all know), and do one thing and do that well.
352
353The maximum length of a function is inversely proportional to the
354complexity and indentation level of that function. So, if you have a
355conceptually simple function that is just one long (but simple)
356case-statement, where you have to do lots of small things for a lot of
357different cases, it's OK to have a longer function.
358
359However, if you have a complex function, and you suspect that a
360less-than-gifted first-year high-school student might not even
361understand what the function is all about, you should adhere to the
362maximum limits all the more closely. Use helper functions with
363descriptive names (you can ask the compiler to in-line them if you think
364it's performance-critical, and it will probably do a better job of it
365than you would have done).
366
367Another measure of the function is the number of local variables. They
368shouldn't exceed 5-10, or you're doing something wrong. Re-think the
369function, and split it into smaller pieces. A human brain can
370generally easily keep track of about 7 different things, anything more
371and it gets confused. You know you're brilliant, but maybe you'd like
372to understand what you did 2 weeks from now.
373
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800374In source files, separate functions with one blank line. If the function is
375exported, the EXPORT* macro for it should follow immediately after the closing
376function brace line. E.g.:
377
Pavel Kretov09677e02015-02-16 20:26:18 +0300378 int system_is_up(void)
379 {
380 return system_state == SYSTEM_RUNNING;
381 }
382 EXPORT_SYMBOL(system_is_up);
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800383
384In function prototypes, include parameter names with their data types.
385Although this is not required by the C language, it is preferred in Linux
386because it is a simple way to add valuable information for the reader.
387
Linus Torvalds1da177e2005-04-16 15:20:36 -0700388
Randy Dunlap226a6b82006-06-23 02:05:58 -0700389 Chapter 7: Centralized exiting of functions
Linus Torvalds1da177e2005-04-16 15:20:36 -0700390
391Albeit deprecated by some people, the equivalent of the goto statement is
392used frequently by compilers in form of the unconditional jump instruction.
393
394The goto statement comes in handy when a function exits from multiple
Dan Carpenterb57a0502013-07-03 15:08:08 -0700395locations and some common work such as cleanup has to be done. If there is no
396cleanup needed then just return directly.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700397
Dan Carpenterea040362014-12-02 11:59:50 +0300398Choose label names which say what the goto does or why the goto exists. An
399example of a good name could be "out_buffer:" if the goto frees "buffer". Avoid
400using GW-BASIC names like "err1:" and "err2:". Also don't name them after the
401goto location like "err_kmalloc_failed:"
402
403The rationale for using gotos is:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700404
405- unconditional statements are easier to understand and follow
406- nesting is reduced
407- errors by not updating individual exit points when making
408 modifications are prevented
409- saves the compiler work to optimize redundant code away ;)
410
Pavel Kretov09677e02015-02-16 20:26:18 +0300411 int fun(int a)
412 {
413 int result = 0;
414 char *buffer;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700415
Pavel Kretov09677e02015-02-16 20:26:18 +0300416 buffer = kmalloc(SIZE, GFP_KERNEL);
417 if (!buffer)
418 return -ENOMEM;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700419
Pavel Kretov09677e02015-02-16 20:26:18 +0300420 if (condition1) {
421 while (loop1) {
422 ...
423 }
424 result = 1;
425 goto out_buffer;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700426 }
Pavel Kretov09677e02015-02-16 20:26:18 +0300427 ...
428 out_buffer:
429 kfree(buffer);
430 return result;
Linus Torvalds1da177e2005-04-16 15:20:36 -0700431 }
Linus Torvalds1da177e2005-04-16 15:20:36 -0700432
Manuel Pégourié-Gonnard9a2885e2015-12-28 11:06:55 +0100433A common type of bug to be aware of is "one err bugs" which look like this:
Dan Carpenterea040362014-12-02 11:59:50 +0300434
Pavel Kretov09677e02015-02-16 20:26:18 +0300435 err:
436 kfree(foo->bar);
437 kfree(foo);
438 return ret;
Dan Carpenterea040362014-12-02 11:59:50 +0300439
440The bug in this code is that on some exit paths "foo" is NULL. Normally the
441fix for this is to split it up into two error labels "err_bar:" and "err_foo:".
442
443
Randy Dunlap226a6b82006-06-23 02:05:58 -0700444 Chapter 8: Commenting
Linus Torvalds1da177e2005-04-16 15:20:36 -0700445
446Comments are good, but there is also a danger of over-commenting. NEVER
447try to explain HOW your code works in a comment: it's much better to
448write the code so that the _working_ is obvious, and it's a waste of
449time to explain badly written code.
450
451Generally, you want your comments to tell WHAT your code does, not HOW.
452Also, try to avoid putting comments inside a function body: if the
453function is so complex that you need to separately comment parts of it,
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800454you should probably go back to chapter 6 for a while. You can make
Linus Torvalds1da177e2005-04-16 15:20:36 -0700455small comments to note or warn about something particularly clever (or
456ugly), but try to avoid excess. Instead, put the comments at the head
457of the function, telling people what it does, and possibly WHY it does
458it.
459
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800460When commenting the kernel API functions, please use the kernel-doc format.
Pekka J Enberge776eba2005-09-10 00:26:44 -0700461See the files Documentation/kernel-doc-nano-HOWTO.txt and scripts/kernel-doc
462for details.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700463
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800464Linux style for comments is the C89 "/* ... */" style.
465Don't use C99-style "// ..." comments.
466
467The preferred style for long (multi-line) comments is:
468
469 /*
470 * This is the preferred style for multi-line
471 * comments in the Linux kernel source code.
472 * Please use it consistently.
473 *
474 * Description: A column of asterisks on the left side,
475 * with beginning and ending almost-blank lines.
476 */
477
Joe Perchesc4ff1b52012-10-04 17:13:36 -0700478For files in net/ and drivers/net/ the preferred style for long (multi-line)
479comments is a little different.
480
481 /* The preferred comment style for files in net/ and drivers/net
482 * looks like this.
483 *
484 * It is nearly the same as the generally preferred comment style,
485 * but there is no initial almost-blank line.
486 */
487
Randy Dunlapb3fc9942006-12-10 02:18:56 -0800488It's also important to comment data, whether they are basic types or derived
489types. To this end, use just one data declaration per line (no commas for
490multiple data declarations). This leaves you room for a small comment on each
491item, explaining its use.
492
493
Randy Dunlap226a6b82006-06-23 02:05:58 -0700494 Chapter 9: You've made a mess of it
Linus Torvalds1da177e2005-04-16 15:20:36 -0700495
496That's OK, we all do. You've probably been told by your long-time Unix
497user helper that "GNU emacs" automatically formats the C sources for
498you, and you've noticed that yes, it does do that, but the defaults it
499uses are less than desirable (in fact, they are worse than random
500typing - an infinite number of monkeys typing into GNU emacs would never
501make a good program).
502
503So, you can either get rid of GNU emacs, or change it to use saner
504values. To do the latter, you can stick the following in your .emacs file:
505
Johannes Weinera7f371e2008-07-25 01:45:51 -0700506(defun c-lineup-arglist-tabs-only (ignored)
507 "Line up argument lists by tabs, not spaces"
508 (let* ((anchor (c-langelem-pos c-syntactic-element))
Pavel Kretov696156f2015-02-16 20:26:17 +0300509 (column (c-langelem-2nd-pos c-syntactic-element))
510 (offset (- (1+ column) anchor))
511 (steps (floor offset c-basic-offset)))
Johannes Weinera7f371e2008-07-25 01:45:51 -0700512 (* (max steps 1)
513 c-basic-offset)))
Linus Torvalds1da177e2005-04-16 15:20:36 -0700514
Teemu Likonen0acbc6c2009-01-29 16:28:16 -0800515(add-hook 'c-mode-common-hook
516 (lambda ()
517 ;; Add kernel style
518 (c-add-style
519 "linux-tabs-only"
520 '("linux" (c-offsets-alist
521 (arglist-cont-nonempty
522 c-lineup-gcc-asm-reg
523 c-lineup-arglist-tabs-only))))))
524
Johannes Weinera7f371e2008-07-25 01:45:51 -0700525(add-hook 'c-mode-hook
526 (lambda ()
527 (let ((filename (buffer-file-name)))
528 ;; Enable kernel mode for the appropriate files
529 (when (and filename
Dan Carpenter70221392009-01-29 16:28:28 -0800530 (string-match (expand-file-name "~/src/linux-trees")
531 filename))
Johannes Weinera7f371e2008-07-25 01:45:51 -0700532 (setq indent-tabs-mode t)
Alison Chaiken039d19a2015-01-25 19:26:01 -0800533 (setq show-trailing-whitespace t)
Teemu Likonen0acbc6c2009-01-29 16:28:16 -0800534 (c-set-style "linux-tabs-only")))))
Linus Torvalds1da177e2005-04-16 15:20:36 -0700535
Johannes Weinera7f371e2008-07-25 01:45:51 -0700536This will make emacs go better with the kernel coding style for C
537files below ~/src/linux-trees.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700538
539But even if you fail in getting emacs to do sane formatting, not
540everything is lost: use "indent".
541
542Now, again, GNU indent has the same brain-dead settings that GNU emacs
543has, which is why you need to give it a few command line options.
544However, that's not too bad, because even the makers of GNU indent
545recognize the authority of K&R (the GNU people aren't evil, they are
546just severely misguided in this matter), so you just give indent the
547options "-kr -i8" (stands for "K&R, 8 character indents"), or use
548"scripts/Lindent", which indents in the latest style.
549
550"indent" has a lot of options, and especially when it comes to comment
551re-formatting you may want to take a look at the man page. But
552remember: "indent" is not a fix for bad programming.
553
554
Robert P. J. Day6754bb42007-05-23 13:57:42 -0700555 Chapter 10: Kconfig configuration files
Linus Torvalds1da177e2005-04-16 15:20:36 -0700556
Robert P. J. Day6754bb42007-05-23 13:57:42 -0700557For all of the Kconfig* configuration files throughout the source tree,
558the indentation is somewhat different. Lines under a "config" definition
559are indented with one tab, while help text is indented an additional two
560spaces. Example:
Linus Torvalds1da177e2005-04-16 15:20:36 -0700561
Robert P. J. Day6754bb42007-05-23 13:57:42 -0700562config AUDIT
563 bool "Auditing support"
564 depends on NET
Linus Torvalds1da177e2005-04-16 15:20:36 -0700565 help
Robert P. J. Day6754bb42007-05-23 13:57:42 -0700566 Enable auditing infrastructure that can be used with another
567 kernel subsystem, such as SELinux (which requires this for
568 logging of avc messages output). Does not do system-call
569 auditing without CONFIG_AUDITSYSCALL.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700570
Kees Cook0335cb42012-10-02 11:16:15 -0700571Seriously dangerous features (such as write support for certain
Robert P. J. Day6754bb42007-05-23 13:57:42 -0700572filesystems) should advertise this prominently in their prompt string:
573
574config ADFS_FS_RW
575 bool "ADFS write support (DANGEROUS)"
576 depends on ADFS_FS
577 ...
578
579For full documentation on the configuration files, see the file
580Documentation/kbuild/kconfig-language.txt.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700581
582
Randy Dunlap226a6b82006-06-23 02:05:58 -0700583 Chapter 11: Data structures
Linus Torvalds1da177e2005-04-16 15:20:36 -0700584
585Data structures that have visibility outside the single-threaded
586environment they are created and destroyed in should always have
587reference counts. In the kernel, garbage collection doesn't exist (and
588outside the kernel garbage collection is slow and inefficient), which
589means that you absolutely _have_ to reference count all your uses.
590
591Reference counting means that you can avoid locking, and allows multiple
592users to have access to the data structure in parallel - and not having
593to worry about the structure suddenly going away from under them just
594because they slept or did something else for a while.
595
596Note that locking is _not_ a replacement for reference counting.
597Locking is used to keep data structures coherent, while reference
598counting is a memory management technique. Usually both are needed, and
599they are not to be confused with each other.
600
601Many data structures can indeed have two levels of reference counting,
602when there are users of different "classes". The subclass count counts
603the number of subclass users, and decrements the global count just once
604when the subclass count goes to zero.
605
606Examples of this kind of "multi-level-reference-counting" can be found in
607memory management ("struct mm_struct": mm_users and mm_count), and in
608filesystem code ("struct super_block": s_count and s_active).
609
610Remember: if another thread can find your data structure, and you don't
611have a reference count on it, you almost certainly have a bug.
612
613
Randy Dunlap226a6b82006-06-23 02:05:58 -0700614 Chapter 12: Macros, Enums and RTL
Linus Torvalds1da177e2005-04-16 15:20:36 -0700615
616Names of macros defining constants and labels in enums are capitalized.
617
Pavel Kretov09677e02015-02-16 20:26:18 +0300618 #define CONSTANT 0x12345
Linus Torvalds1da177e2005-04-16 15:20:36 -0700619
620Enums are preferred when defining several related constants.
621
622CAPITALIZED macro names are appreciated but macros resembling functions
623may be named in lower case.
624
625Generally, inline functions are preferable to macros resembling functions.
626
627Macros with multiple statements should be enclosed in a do - while block:
628
Pavel Kretov09677e02015-02-16 20:26:18 +0300629 #define macrofun(a, b, c) \
630 do { \
631 if (a == 5) \
632 do_this(b, c); \
633 } while (0)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700634
635Things to avoid when using macros:
636
6371) macros that affect control flow:
638
Pavel Kretov09677e02015-02-16 20:26:18 +0300639 #define FOO(x) \
640 do { \
641 if (blah(x) < 0) \
642 return -EBUGGERED; \
643 } while(0)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700644
645is a _very_ bad idea. It looks like a function call but exits the "calling"
646function; don't break the internal parsers of those who will read the code.
647
6482) macros that depend on having a local variable with a magic name:
649
Pavel Kretov09677e02015-02-16 20:26:18 +0300650 #define FOO(val) bar(index, val)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700651
652might look like a good thing, but it's confusing as hell when one reads the
653code and it's prone to breakage from seemingly innocent changes.
654
6553) macros with arguments that are used as l-values: FOO(x) = y; will
656bite you if somebody e.g. turns FOO into an inline function.
657
6584) forgetting about precedence: macros defining constants using expressions
659must enclose the expression in parentheses. Beware of similar issues with
660macros using parameters.
661
Pavel Kretov09677e02015-02-16 20:26:18 +0300662 #define CONSTANT 0x4000
663 #define CONSTEXP (CONSTANT | 3)
Linus Torvalds1da177e2005-04-16 15:20:36 -0700664
Bartosz Golaszewskif2027542015-04-16 12:43:31 -07006655) namespace collisions when defining local variables in macros resembling
666functions:
667
668#define FOO(x) \
669({ \
670 typeof(x) ret; \
671 ret = calc_ret(x); \
672 (ret); \
Baruch Siachdf1027a2015-04-19 06:35:01 +0300673})
Bartosz Golaszewskif2027542015-04-16 12:43:31 -0700674
675ret is a common name for a local variable - __foo_ret is less likely
676to collide with an existing variable.
677
Linus Torvalds1da177e2005-04-16 15:20:36 -0700678The cpp manual deals with macros exhaustively. The gcc internals manual also
679covers RTL which is used frequently with assembly language in the kernel.
680
681
Randy Dunlap226a6b82006-06-23 02:05:58 -0700682 Chapter 13: Printing kernel messages
Linus Torvalds1da177e2005-04-16 15:20:36 -0700683
684Kernel developers like to be seen as literate. Do mind the spelling
685of kernel messages to make a good impression. Do not use crippled
David Brownell6b094482007-07-13 16:32:09 -0700686words like "dont"; use "do not" or "don't" instead. Make the messages
687concise, clear, and unambiguous.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700688
689Kernel messages do not have to be terminated with a period.
690
691Printing numbers in parentheses (%d) adds no value and should be avoided.
692
David Brownell6b094482007-07-13 16:32:09 -0700693There are a number of driver model diagnostic macros in <linux/device.h>
694which you should use to make sure messages are matched to the right device
695and driver, and are tagged with the right level: dev_err(), dev_warn(),
696dev_info(), and so forth. For messages that aren't associated with a
Dan Streetman6e099f52014-06-04 16:11:44 -0700697particular device, <linux/printk.h> defines pr_notice(), pr_info(),
698pr_warn(), pr_err(), etc.
David Brownell6b094482007-07-13 16:32:09 -0700699
700Coming up with good debugging messages can be quite a challenge; and once
Dan Streetman6e099f52014-06-04 16:11:44 -0700701you have them, they can be a huge help for remote troubleshooting. However
702debug message printing is handled differently than printing other non-debug
703messages. While the other pr_XXX() functions print unconditionally,
704pr_debug() does not; it is compiled out by default, unless either DEBUG is
705defined or CONFIG_DYNAMIC_DEBUG is set. That is true for dev_dbg() also,
706and a related convention uses VERBOSE_DEBUG to add dev_vdbg() messages to
707the ones already enabled by DEBUG.
708
709Many subsystems have Kconfig debug options to turn on -DDEBUG in the
710corresponding Makefile; in other cases specific files #define DEBUG. And
711when a debug message should be unconditionally printed, such as if it is
Raymond L. Rivera7c18fd72014-07-24 02:39:44 -0700712already inside a debug-related #ifdef section, printk(KERN_DEBUG ...) can be
Dan Streetman6e099f52014-06-04 16:11:44 -0700713used.
David Brownell6b094482007-07-13 16:32:09 -0700714
Linus Torvalds1da177e2005-04-16 15:20:36 -0700715
Randy Dunlap226a6b82006-06-23 02:05:58 -0700716 Chapter 14: Allocating memory
Pekka J Enbergaf4e5a22005-09-16 19:28:11 -0700717
718The kernel provides the following general purpose memory allocators:
Xi Wang158372942012-05-31 16:26:04 -0700719kmalloc(), kzalloc(), kmalloc_array(), kcalloc(), vmalloc(), and
720vzalloc(). Please refer to the API documentation for further information
721about them.
Pekka J Enbergaf4e5a22005-09-16 19:28:11 -0700722
723The preferred form for passing a size of a struct is the following:
724
725 p = kmalloc(sizeof(*p), ...);
726
727The alternative form where struct name is spelled out hurts readability and
728introduces an opportunity for a bug when the pointer variable type is changed
729but the corresponding sizeof that is passed to a memory allocator is not.
730
731Casting the return value which is a void pointer is redundant. The conversion
732from void pointer to any other pointer type is guaranteed by the C programming
733language.
734
Xi Wang158372942012-05-31 16:26:04 -0700735The preferred form for allocating an array is the following:
736
737 p = kmalloc_array(n, sizeof(...), ...);
738
739The preferred form for allocating a zeroed array is the following:
740
741 p = kcalloc(n, sizeof(...), ...);
742
743Both forms check for overflow on the allocation size n * sizeof(...),
744and return NULL if that occurred.
745
Pekka J Enbergaf4e5a22005-09-16 19:28:11 -0700746
Randy Dunlap226a6b82006-06-23 02:05:58 -0700747 Chapter 15: The inline disease
Arjan van de Vena771f2b2006-01-08 01:05:04 -0800748
749There appears to be a common misperception that gcc has a magic "make me
750faster" speedup option called "inline". While the use of inlines can be
Jesper Juhl53ab97a2007-05-08 00:31:06 -0700751appropriate (for example as a means of replacing macros, see Chapter 12), it
Arjan van de Vena771f2b2006-01-08 01:05:04 -0800752very often is not. Abundant use of the inline keyword leads to a much bigger
753kernel, which in turn slows the system as a whole down, due to a bigger
754icache footprint for the CPU and simply because there is less memory
755available for the pagecache. Just think about it; a pagecache miss causes a
Martin Olsson19af5cd2009-04-23 11:37:37 +0200756disk seek, which easily takes 5 milliseconds. There are a LOT of cpu cycles
757that can go into these 5 milliseconds.
Arjan van de Vena771f2b2006-01-08 01:05:04 -0800758
759A reasonable rule of thumb is to not put inline at functions that have more
760than 3 lines of code in them. An exception to this rule are the cases where
761a parameter is known to be a compiletime constant, and as a result of this
762constantness you *know* the compiler will be able to optimize most of your
763function away at compile time. For a good example of this later case, see
764the kmalloc() inline function.
765
766Often people argue that adding inline to functions that are static and used
767only once is always a win since there is no space tradeoff. While this is
768technically correct, gcc is capable of inlining these automatically without
769help, and the maintenance issue of removing the inline when a second user
770appears outweighs the potential value of the hint that tells gcc to do
771something it would have done anyway.
772
773
Alan Sternc16a02d2006-09-29 02:01:21 -0700774 Chapter 16: Function return values and names
775
776Functions can return values of many different kinds, and one of the
777most common is a value indicating whether the function succeeded or
778failed. Such a value can be represented as an error-code integer
779(-Exxx = failure, 0 = success) or a "succeeded" boolean (0 = failure,
780non-zero = success).
781
782Mixing up these two sorts of representations is a fertile source of
783difficult-to-find bugs. If the C language included a strong distinction
784between integers and booleans then the compiler would find these mistakes
785for us... but it doesn't. To help prevent such bugs, always follow this
786convention:
787
788 If the name of a function is an action or an imperative command,
789 the function should return an error-code integer. If the name
790 is a predicate, the function should return a "succeeded" boolean.
791
792For example, "add work" is a command, and the add_work() function returns 0
793for success or -EBUSY for failure. In the same way, "PCI device present" is
794a predicate, and the pci_dev_present() function returns 1 if it succeeds in
795finding a matching device or 0 if it doesn't.
796
797All EXPORTed functions must respect this convention, and so should all
798public functions. Private (static) functions need not, but it is
799recommended that they do.
800
801Functions whose return value is the actual result of a computation, rather
802than an indication of whether the computation succeeded, are not subject to
803this rule. Generally they indicate failure by returning some out-of-range
804result. Typical examples would be functions that return pointers; they use
805NULL or the ERR_PTR mechanism to report failure.
806
807
Robert P. J. Day58637ec2006-12-22 01:09:11 -0800808 Chapter 17: Don't re-invent the kernel macros
809
810The header file include/linux/kernel.h contains a number of macros that
811you should use, rather than explicitly coding some variant of them yourself.
812For example, if you need to calculate the length of an array, take advantage
813of the macro
814
Pavel Kretov09677e02015-02-16 20:26:18 +0300815 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
Robert P. J. Day58637ec2006-12-22 01:09:11 -0800816
817Similarly, if you need to calculate the size of some structure member, use
818
Pavel Kretov09677e02015-02-16 20:26:18 +0300819 #define FIELD_SIZEOF(t, f) (sizeof(((t*)0)->f))
Robert P. J. Day58637ec2006-12-22 01:09:11 -0800820
821There are also min() and max() macros that do strict type checking if you
822need them. Feel free to peruse that header file to see what else is already
823defined that you shouldn't reproduce in your code.
824
825
Josh Triplett4e7bd662007-07-15 23:41:37 -0700826 Chapter 18: Editor modelines and other cruft
827
828Some editors can interpret configuration information embedded in source files,
829indicated with special markers. For example, emacs interprets lines marked
830like this:
831
Pavel Kretov09677e02015-02-16 20:26:18 +0300832 -*- mode: c -*-
Josh Triplett4e7bd662007-07-15 23:41:37 -0700833
834Or like this:
835
Pavel Kretov09677e02015-02-16 20:26:18 +0300836 /*
837 Local Variables:
838 compile-command: "gcc -DMAGIC_DEBUG_FLAG foo.c"
839 End:
840 */
Josh Triplett4e7bd662007-07-15 23:41:37 -0700841
842Vim interprets markers that look like this:
843
Pavel Kretov09677e02015-02-16 20:26:18 +0300844 /* vim:set sw=8 noet */
Josh Triplett4e7bd662007-07-15 23:41:37 -0700845
846Do not include any of these in source files. People have their own personal
847editor configurations, and your source files should not override them. This
848includes markers for indentation and mode configuration. People may use their
849own custom mode, or may have some other magic method for making indentation
850work correctly.
851
852
Josh Triplett9a7c48b2012-03-30 13:37:10 -0700853 Chapter 19: Inline assembly
854
855In architecture-specific code, you may need to use inline assembly to interface
856with CPU or platform functionality. Don't hesitate to do so when necessary.
857However, don't use inline assembly gratuitously when C can do the job. You can
858and should poke hardware from C when possible.
859
860Consider writing simple helper functions that wrap common bits of inline
861assembly, rather than repeatedly writing them with slight variations. Remember
862that inline assembly can use C parameters.
863
864Large, non-trivial assembly functions should go in .S files, with corresponding
865C prototypes defined in C header files. The C prototypes for assembly
866functions should use "asmlinkage".
867
868You may need to mark your asm statement as volatile, to prevent GCC from
869removing it if GCC doesn't notice any side effects. You don't always need to
870do so, though, and doing so unnecessarily can limit optimization.
871
872When writing a single inline assembly statement containing multiple
873instructions, put each instruction on a separate line in a separate quoted
874string, and end each string except the last with \n\t to properly indent the
875next instruction in the assembly output:
876
877 asm ("magic %reg1, #42\n\t"
878 "more_magic %reg2, %reg3"
879 : /* outputs */ : /* inputs */ : /* clobbers */);
880
881
Josh Triplett21228a12014-10-29 11:15:17 -0700882 Chapter 20: Conditional Compilation
883
884Wherever possible, don't use preprocessor conditionals (#if, #ifdef) in .c
885files; doing so makes code harder to read and logic harder to follow. Instead,
886use such conditionals in a header file defining functions for use in those .c
887files, providing no-op stub versions in the #else case, and then call those
888functions unconditionally from .c files. The compiler will avoid generating
889any code for the stub calls, producing identical results, but the logic will
890remain easy to follow.
891
892Prefer to compile out entire functions, rather than portions of functions or
893portions of expressions. Rather than putting an ifdef in an expression, factor
894out part or all of the expression into a separate helper function and apply the
895conditional to that function.
896
897If you have a function or variable which may potentially go unused in a
898particular configuration, and the compiler would warn about its definition
899going unused, mark the definition as __maybe_unused rather than wrapping it in
900a preprocessor conditional. (However, if a function or variable *always* goes
901unused, delete it.)
902
903Within code, where possible, use the IS_ENABLED macro to convert a Kconfig
904symbol into a C boolean expression, and use it in a normal C conditional:
905
906 if (IS_ENABLED(CONFIG_SOMETHING)) {
907 ...
908 }
909
910The compiler will constant-fold the conditional away, and include or exclude
911the block of code just as with an #ifdef, so this will not add any runtime
912overhead. However, this approach still allows the C compiler to see the code
913inside the block, and check it for correctness (syntax, types, symbol
914references, etc). Thus, you still have to use an #ifdef if the code inside the
915block references symbols that will not exist if the condition is not met.
916
917At the end of any non-trivial #if or #ifdef block (more than a few lines),
918place a comment after the #endif on the same line, noting the conditional
919expression used. For instance:
920
Pavel Kretov09677e02015-02-16 20:26:18 +0300921 #ifdef CONFIG_SOMETHING
922 ...
923 #endif /* CONFIG_SOMETHING */
Josh Triplett21228a12014-10-29 11:15:17 -0700924
Arjan van de Vena771f2b2006-01-08 01:05:04 -0800925
Randy Dunlap226a6b82006-06-23 02:05:58 -0700926 Appendix I: References
Linus Torvalds1da177e2005-04-16 15:20:36 -0700927
928The C Programming Language, Second Edition
929by Brian W. Kernighan and Dennis M. Ritchie.
930Prentice Hall, Inc., 1988.
931ISBN 0-13-110362-8 (paperback), 0-13-110370-9 (hardback).
Linus Torvalds1da177e2005-04-16 15:20:36 -0700932
933The Practice of Programming
934by Brian W. Kernighan and Rob Pike.
935Addison-Wesley, Inc., 1999.
936ISBN 0-201-61586-X.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700937
938GNU manuals - where in compliance with K&R and this text - for cpp, gcc,
Xose Vazquez Perez5b0ed2c2006-01-08 01:02:49 -0800939gcc internals and indent, all available from http://www.gnu.org/manual/
Linus Torvalds1da177e2005-04-16 15:20:36 -0700940
941WG14 is the international standardization working group for the programming
Xose Vazquez Perez5b0ed2c2006-01-08 01:02:49 -0800942language C, URL: http://www.open-std.org/JTC1/SC22/WG14/
943
944Kernel CodingStyle, by greg@kroah.com at OLS 2002:
945http://www.kroah.com/linux/talks/ols_2002_kernel_codingstyle_talk/html/
Linus Torvalds1da177e2005-04-16 15:20:36 -0700946