checkuapi.rst 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477
  1. .. SPDX-License-Identifier: GPL-2.0-only
  2. ============
  3. UAPI Checker
  4. ============
  5. The UAPI checker (``scripts/check-uapi.sh``) is a shell script which
  6. checks UAPI header files for userspace backwards-compatibility across
  7. the git tree.
  8. Options
  9. =======
  10. This section will describe the options with which ``check-uapi.sh``
  11. can be run.
  12. Usage::
  13. check-uapi.sh [-b BASE_REF] [-p PAST_REF] [-j N] [-l ERROR_LOG] [-i] [-q] [-v]
  14. Available options::
  15. -b BASE_REF Base git reference to use for comparison. If unspecified or empty,
  16. will use any dirty changes in tree to UAPI files. If there are no
  17. dirty changes, HEAD will be used.
  18. -p PAST_REF Compare BASE_REF to PAST_REF (e.g. -p v6.1). If unspecified or empty,
  19. will use BASE_REF^1. Must be an ancestor of BASE_REF. Only headers
  20. that exist on PAST_REF will be checked for compatibility.
  21. -j JOBS Number of checks to run in parallel (default: number of CPU cores).
  22. -l ERROR_LOG Write error log to file (default: no error log is generated).
  23. -i Ignore ambiguous changes that may or may not break UAPI compatibility.
  24. -q Quiet operation.
  25. -v Verbose operation (print more information about each header being checked).
  26. Environmental args::
  27. ABIDIFF Custom path to abidiff binary
  28. CC C compiler (default is "gcc")
  29. ARCH Target architecture of C compiler (default is host arch)
  30. Exit codes::
  31. 0) Success
  32. 1) ABI difference detected
  33. 2) Prerequisite not met
  34. Examples
  35. ========
  36. Basic Usage
  37. -----------
  38. First, let's try making a change to a UAPI header file that obviously
  39. won't break userspace::
  40. cat << 'EOF' | patch -l -p1
  41. --- a/include/uapi/linux/acct.h
  42. +++ b/include/uapi/linux/acct.h
  43. @@ -21,7 +21,9 @@
  44. #include <asm/param.h>
  45. #include <asm/byteorder.h>
  46. -/*
  47. +#define FOO
  48. +
  49. +/*
  50. * comp_t is a 16-bit "floating" point number with a 3-bit base 8
  51. * exponent and a 13-bit fraction.
  52. * comp2_t is 24-bit with 5-bit base 2 exponent and 20 bit fraction
  53. diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
  54. EOF
  55. Now, let's use the script to validate::
  56. % ./scripts/check-uapi.sh
  57. Installing user-facing UAPI headers from dirty tree... OK
  58. Installing user-facing UAPI headers from HEAD... OK
  59. Checking changes to UAPI headers between HEAD and dirty tree...
  60. All 912 UAPI headers compatible with x86 appear to be backwards compatible
  61. Let's add another change that *might* break userspace::
  62. cat << 'EOF' | patch -l -p1
  63. --- a/include/uapi/linux/bpf.h
  64. +++ b/include/uapi/linux/bpf.h
  65. @@ -74,7 +74,7 @@ struct bpf_insn {
  66. __u8 dst_reg:4; /* dest register */
  67. __u8 src_reg:4; /* source register */
  68. __s16 off; /* signed offset */
  69. - __s32 imm; /* signed immediate constant */
  70. + __u32 imm; /* unsigned immediate constant */
  71. };
  72. /* Key of an a BPF_MAP_TYPE_LPM_TRIE entry */
  73. EOF
  74. The script will catch this::
  75. % ./scripts/check-uapi.sh
  76. Installing user-facing UAPI headers from dirty tree... OK
  77. Installing user-facing UAPI headers from HEAD... OK
  78. Checking changes to UAPI headers between HEAD and dirty tree...
  79. ==== ABI differences detected in include/linux/bpf.h from HEAD -> dirty tree ====
  80. [C] 'struct bpf_insn' changed:
  81. type size hasn't changed
  82. 1 data member change:
  83. type of '__s32 imm' changed:
  84. typedef name changed from __s32 to __u32 at int-ll64.h:27:1
  85. underlying type 'int' changed:
  86. type name changed from 'int' to 'unsigned int'
  87. type size hasn't changed
  88. ==================================================================================
  89. error - 1/912 UAPI headers compatible with x86 appear _not_ to be backwards compatible
  90. In this case, the script is reporting the type change because it could
  91. break a userspace program that passes in a negative number. Now, let's
  92. say you know that no userspace program could possibly be using a negative
  93. value in ``imm``, so changing to an unsigned type there shouldn't hurt
  94. anything. You can pass the ``-i`` flag to the script to ignore changes
  95. in which the userspace backwards compatibility is ambiguous::
  96. % ./scripts/check-uapi.sh -i
  97. Installing user-facing UAPI headers from dirty tree... OK
  98. Installing user-facing UAPI headers from HEAD... OK
  99. Checking changes to UAPI headers between HEAD and dirty tree...
  100. All 912 UAPI headers compatible with x86 appear to be backwards compatible
  101. Now, let's make a similar change that *will* break userspace::
  102. cat << 'EOF' | patch -l -p1
  103. --- a/include/uapi/linux/bpf.h
  104. +++ b/include/uapi/linux/bpf.h
  105. @@ -71,8 +71,8 @@ enum {
  106. struct bpf_insn {
  107. __u8 code; /* opcode */
  108. - __u8 dst_reg:4; /* dest register */
  109. __u8 src_reg:4; /* source register */
  110. + __u8 dst_reg:4; /* dest register */
  111. __s16 off; /* signed offset */
  112. __s32 imm; /* signed immediate constant */
  113. };
  114. EOF
  115. Since we're re-ordering an existing struct member, there's no ambiguity,
  116. and the script will report the breakage even if you pass ``-i``::
  117. % ./scripts/check-uapi.sh -i
  118. Installing user-facing UAPI headers from dirty tree... OK
  119. Installing user-facing UAPI headers from HEAD... OK
  120. Checking changes to UAPI headers between HEAD and dirty tree...
  121. ==== ABI differences detected in include/linux/bpf.h from HEAD -> dirty tree ====
  122. [C] 'struct bpf_insn' changed:
  123. type size hasn't changed
  124. 2 data member changes:
  125. '__u8 dst_reg' offset changed from 8 to 12 (in bits) (by +4 bits)
  126. '__u8 src_reg' offset changed from 12 to 8 (in bits) (by -4 bits)
  127. ==================================================================================
  128. error - 1/912 UAPI headers compatible with x86 appear _not_ to be backwards compatible
  129. Let's commit the breaking change, then commit the innocuous change::
  130. % git commit -m 'Breaking UAPI change' include/uapi/linux/bpf.h
  131. [detached HEAD f758e574663a] Breaking UAPI change
  132. 1 file changed, 1 insertion(+), 1 deletion(-)
  133. % git commit -m 'Innocuous UAPI change' include/uapi/linux/acct.h
  134. [detached HEAD 2e87df769081] Innocuous UAPI change
  135. 1 file changed, 3 insertions(+), 1 deletion(-)
  136. Now, let's run the script again with no arguments::
  137. % ./scripts/check-uapi.sh
  138. Installing user-facing UAPI headers from HEAD... OK
  139. Installing user-facing UAPI headers from HEAD^1... OK
  140. Checking changes to UAPI headers between HEAD^1 and HEAD...
  141. All 912 UAPI headers compatible with x86 appear to be backwards compatible
  142. It doesn't catch any breaking change because, by default, it only
  143. compares ``HEAD`` to ``HEAD^1``. The breaking change was committed on
  144. ``HEAD~2``. If we wanted the search scope to go back further, we'd have to
  145. use the ``-p`` option to pass a different past reference. In this case,
  146. let's pass ``-p HEAD~2`` to the script so it checks UAPI changes between
  147. ``HEAD~2`` and ``HEAD``::
  148. % ./scripts/check-uapi.sh -p HEAD~2
  149. Installing user-facing UAPI headers from HEAD... OK
  150. Installing user-facing UAPI headers from HEAD~2... OK
  151. Checking changes to UAPI headers between HEAD~2 and HEAD...
  152. ==== ABI differences detected in include/linux/bpf.h from HEAD~2 -> HEAD ====
  153. [C] 'struct bpf_insn' changed:
  154. type size hasn't changed
  155. 2 data member changes:
  156. '__u8 dst_reg' offset changed from 8 to 12 (in bits) (by +4 bits)
  157. '__u8 src_reg' offset changed from 12 to 8 (in bits) (by -4 bits)
  158. ==============================================================================
  159. error - 1/912 UAPI headers compatible with x86 appear _not_ to be backwards compatible
  160. Alternatively, we could have also run with ``-b HEAD~``. This would set the
  161. base reference to ``HEAD~`` so then the script would compare it to ``HEAD~^1``.
  162. Architecture-specific Headers
  163. -----------------------------
  164. Consider this change::
  165. cat << 'EOF' | patch -l -p1
  166. --- a/arch/arm64/include/uapi/asm/sigcontext.h
  167. +++ b/arch/arm64/include/uapi/asm/sigcontext.h
  168. @@ -70,6 +70,7 @@ struct sigcontext {
  169. struct _aarch64_ctx {
  170. __u32 magic;
  171. __u32 size;
  172. + __u32 new_var;
  173. };
  174. #define FPSIMD_MAGIC 0x46508001
  175. EOF
  176. This is a change to an arm64-specific UAPI header file. In this example, I'm
  177. running the script from an x86 machine with an x86 compiler, so, by default,
  178. the script only checks x86-compatible UAPI header files::
  179. % ./scripts/check-uapi.sh
  180. Installing user-facing UAPI headers from dirty tree... OK
  181. Installing user-facing UAPI headers from HEAD... OK
  182. No changes to UAPI headers were applied between HEAD and dirty tree
  183. With an x86 compiler, we can't check header files in ``arch/arm64``, so the
  184. script doesn't even try.
  185. If we want to check the header file, we'll have to use an arm64 compiler and
  186. set ``ARCH`` accordingly::
  187. % CC=aarch64-linux-gnu-gcc ARCH=arm64 ./scripts/check-uapi.sh
  188. Installing user-facing UAPI headers from dirty tree... OK
  189. Installing user-facing UAPI headers from HEAD... OK
  190. Checking changes to UAPI headers between HEAD and dirty tree...
  191. ==== ABI differences detected in include/asm/sigcontext.h from HEAD -> dirty tree ====
  192. [C] 'struct _aarch64_ctx' changed:
  193. type size changed from 64 to 96 (in bits)
  194. 1 data member insertion:
  195. '__u32 new_var', at offset 64 (in bits) at sigcontext.h:73:1
  196. -- snip --
  197. [C] 'struct zt_context' changed:
  198. type size changed from 128 to 160 (in bits)
  199. 2 data member changes (1 filtered):
  200. '__u16 nregs' offset changed from 64 to 96 (in bits) (by +32 bits)
  201. '__u16 __reserved[3]' offset changed from 80 to 112 (in bits) (by +32 bits)
  202. =======================================================================================
  203. error - 1/884 UAPI headers compatible with arm64 appear _not_ to be backwards compatible
  204. We can see with ``ARCH`` and ``CC`` set properly for the file, the ABI
  205. change is reported properly. Also notice that the total number of UAPI
  206. header files checked by the script changes. This is because the number
  207. of headers installed for arm64 platforms is different than x86.
  208. Cross-Dependency Breakages
  209. --------------------------
  210. Consider this change::
  211. cat << 'EOF' | patch -l -p1
  212. --- a/include/uapi/linux/types.h
  213. +++ b/include/uapi/linux/types.h
  214. @@ -52,7 +52,7 @@ typedef __u32 __bitwise __wsum;
  215. #define __aligned_be64 __be64 __attribute__((aligned(8)))
  216. #define __aligned_le64 __le64 __attribute__((aligned(8)))
  217. -typedef unsigned __bitwise __poll_t;
  218. +typedef unsigned short __bitwise __poll_t;
  219. #endif /* __ASSEMBLY__ */
  220. #endif /* _UAPI_LINUX_TYPES_H */
  221. EOF
  222. Here, we're changing a ``typedef`` in ``types.h``. This doesn't break
  223. a UAPI in ``types.h``, but other UAPIs in the tree may break due to
  224. this change::
  225. % ./scripts/check-uapi.sh
  226. Installing user-facing UAPI headers from dirty tree... OK
  227. Installing user-facing UAPI headers from HEAD... OK
  228. Checking changes to UAPI headers between HEAD and dirty tree...
  229. ==== ABI differences detected in include/linux/eventpoll.h from HEAD -> dirty tree ====
  230. [C] 'struct epoll_event' changed:
  231. type size changed from 96 to 80 (in bits)
  232. 2 data member changes:
  233. type of '__poll_t events' changed:
  234. underlying type 'unsigned int' changed:
  235. type name changed from 'unsigned int' to 'unsigned short int'
  236. type size changed from 32 to 16 (in bits)
  237. '__u64 data' offset changed from 32 to 16 (in bits) (by -16 bits)
  238. ========================================================================================
  239. include/linux/eventpoll.h did not change between HEAD and dirty tree...
  240. It's possible a change to one of the headers it includes caused this error:
  241. #include <linux/fcntl.h>
  242. #include <linux/types.h>
  243. Note that the script noticed the failing header file did not change,
  244. so it assumes one of its includes must have caused the breakage. Indeed,
  245. we can see ``linux/types.h`` is used from ``eventpoll.h``.
  246. UAPI Header Removals
  247. --------------------
  248. Consider this change::
  249. cat << 'EOF' | patch -l -p1
  250. diff --git a/include/uapi/asm-generic/Kbuild b/include/uapi/asm-generic/Kbuild
  251. index ebb180aac74e..a9c88b0a8b3b 100644
  252. --- a/include/uapi/asm-generic/Kbuild
  253. +++ b/include/uapi/asm-generic/Kbuild
  254. @@ -31,6 +31,6 @@ mandatory-y += stat.h
  255. mandatory-y += statfs.h
  256. mandatory-y += swab.h
  257. mandatory-y += termbits.h
  258. -mandatory-y += termios.h
  259. +#mandatory-y += termios.h
  260. mandatory-y += types.h
  261. mandatory-y += unistd.h
  262. EOF
  263. This script removes a UAPI header file from the install list. Let's run
  264. the script::
  265. % ./scripts/check-uapi.sh
  266. Installing user-facing UAPI headers from dirty tree... OK
  267. Installing user-facing UAPI headers from HEAD... OK
  268. Checking changes to UAPI headers between HEAD and dirty tree...
  269. ==== UAPI header include/asm/termios.h was removed between HEAD and dirty tree ====
  270. error - 1/912 UAPI headers compatible with x86 appear _not_ to be backwards compatible
  271. Removing a UAPI header is considered a breaking change, and the script
  272. will flag it as such.
  273. Checking Historic UAPI Compatibility
  274. ------------------------------------
  275. You can use the ``-b`` and ``-p`` options to examine different chunks of your
  276. git tree. For example, to check all changed UAPI header files between tags
  277. v6.0 and v6.1, you'd run::
  278. % ./scripts/check-uapi.sh -b v6.1 -p v6.0
  279. Installing user-facing UAPI headers from v6.1... OK
  280. Installing user-facing UAPI headers from v6.0... OK
  281. Checking changes to UAPI headers between v6.0 and v6.1...
  282. --- snip ---
  283. error - 37/907 UAPI headers compatible with x86 appear _not_ to be backwards compatible
  284. Note: Before v5.3, a header file needed by the script is not present,
  285. so the script is unable to check changes before then.
  286. You'll notice that the script detected many UAPI changes that are not
  287. backwards compatible. Knowing that kernel UAPIs are supposed to be stable
  288. forever, this is an alarming result. This brings us to the next section:
  289. caveats.
  290. Caveats
  291. =======
  292. The UAPI checker makes no assumptions about the author's intention, so some
  293. types of changes may be flagged even though they intentionally break UAPI.
  294. Removals For Refactoring or Deprecation
  295. ---------------------------------------
  296. Sometimes drivers for very old hardware are removed, such as in this example::
  297. % ./scripts/check-uapi.sh -b ba47652ba655
  298. Installing user-facing UAPI headers from ba47652ba655... OK
  299. Installing user-facing UAPI headers from ba47652ba655^1... OK
  300. Checking changes to UAPI headers between ba47652ba655^1 and ba47652ba655...
  301. ==== UAPI header include/linux/meye.h was removed between ba47652ba655^1 and ba47652ba655 ====
  302. error - 1/910 UAPI headers compatible with x86 appear _not_ to be backwards compatible
  303. The script will always flag removals (even if they're intentional).
  304. Struct Expansions
  305. -----------------
  306. Depending on how a structure is handled in kernelspace, a change which
  307. expands a struct could be non-breaking.
  308. If a struct is used as the argument to an ioctl, then the kernel driver
  309. must be able to handle ioctl commands of any size. Beyond that, you need
  310. to be careful when copying data from the user. Say, for example, that
  311. ``struct foo`` is changed like this::
  312. struct foo {
  313. __u64 a; /* added in version 1 */
  314. + __u32 b; /* added in version 2 */
  315. + __u32 c; /* added in version 2 */
  316. }
  317. By default, the script will flag this kind of change for further review::
  318. [C] 'struct foo' changed:
  319. type size changed from 64 to 128 (in bits)
  320. 2 data member insertions:
  321. '__u32 b', at offset 64 (in bits)
  322. '__u32 c', at offset 96 (in bits)
  323. However, it is possible that this change was made safely.
  324. If a userspace program was built with version 1, it will think
  325. ``sizeof(struct foo)`` is 8. That size will be encoded in the
  326. ioctl value that gets sent to the kernel. If the kernel is built
  327. with version 2, it will think the ``sizeof(struct foo)`` is 16.
  328. The kernel can use the ``_IOC_SIZE`` macro to get the size encoded
  329. in the ioctl code that the user passed in and then use
  330. ``copy_struct_from_user()`` to safely copy the value::
  331. int handle_ioctl(unsigned long cmd, unsigned long arg)
  332. {
  333. switch _IOC_NR(cmd) {
  334. 0x01: {
  335. struct foo my_cmd; /* size 16 in the kernel */
  336. ret = copy_struct_from_user(&my_cmd, arg, sizeof(struct foo), _IOC_SIZE(cmd));
  337. ...
  338. ``copy_struct_from_user`` will zero the struct in the kernel and then copy
  339. only the bytes passed in from the user (leaving new members zeroized).
  340. If the user passed in a larger struct, the extra members are ignored.
  341. If you know this situation is accounted for in the kernel code, you can
  342. pass ``-i`` to the script, and struct expansions like this will be ignored.
  343. Flex Array Migration
  344. --------------------
  345. While the script handles expansion into an existing flex array, it does
  346. still flag initial migration to flex arrays from 1-element fake flex
  347. arrays. For example::
  348. struct foo {
  349. __u32 x;
  350. - __u32 flex[1]; /* fake flex */
  351. + __u32 flex[]; /* real flex */
  352. };
  353. This change would be flagged by the script::
  354. [C] 'struct foo' changed:
  355. type size changed from 64 to 32 (in bits)
  356. 1 data member change:
  357. type of '__u32 flex[1]' changed:
  358. type name changed from '__u32[1]' to '__u32[]'
  359. array type size changed from 32 to 'unknown'
  360. array type subrange 1 changed length from 1 to 'unknown'
  361. At this time, there's no way to filter these types of changes, so be
  362. aware of this possible false positive.
  363. Summary
  364. -------
  365. While many types of false positives are filtered out by the script,
  366. it's possible there are some cases where the script flags a change
  367. which does not break UAPI. It's also possible a change which *does*
  368. break userspace would not be flagged by this script. While the script
  369. has been run on much of the kernel history, there could still be corner
  370. cases that are not accounted for.
  371. The intention is for this script to be used as a quick check for
  372. maintainers or automated tooling, not as the end-all authority on
  373. patch compatibility. It's best to remember: use your best judgment
  374. (and ideally a unit test in userspace) to make sure your UAPI changes
  375. are backwards-compatible!