From: Petr Mladek <pmladek@suse.com>
To: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Steven Rostedt <rostedt@goodmis.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>, Will Deacon <will@kernel.org>,
Boqun Feng <boqun@kernel.org>, Waiman Long <longman@redhat.com>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Clark Williams <clrkwllms@kernel.org>,
Kees Cook <kees@kernel.org>,
linux-kernel@vger.kernel.org, linux-rt-devel@lists.linux.dev
Subject: Re: [PATCH v3 3/5] lib/vsprintf: Validate spinlock context during restricted pointer formatting
Date: Wed, 27 May 2026 17:38:36 +0200 [thread overview]
Message-ID: <ahcP_G9bD9M1_JrC@pathway.suse.cz> (raw)
In-Reply-To: <20260520-restricted-pointers-final-v3-3-76bca6a6ab3f@linutronix.de>
On Wed 2026-05-20 10:40:02, Thomas Weißschuh wrote:
> Depending on the system configuration, the restricted pointer formatting
> might call into the security subsystem which takes spinlocks, which
> might sleep under PREEMPT_RT. As %pK is intended to be only used from
> read handlers of virtual files, which always run in task context,
> this should not be a problem in practice.
> However, developers have used %pK before from atomic context without
> realizing this restriction. While all existing user of %pK through
> printk() have been removed, new ones might be reintroduced accidentally
> in the future.
>
> Add a lockdep annotation to unconditionally introduce a fake spinlock in
> restricted_pointer(), so lockdep can detect misuse even if the current
> test system configuration would not exhibit the issue.
>
> Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/
> Link: https://lore.kernel.org/lkml/20241217142032.55793-1-acarmina@redhat.com/
> Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
> ---
> lib/vsprintf.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> index 9f359b31c8d1..021db95087fe 100644
> --- a/lib/vsprintf.c
> +++ b/lib/vsprintf.c
> @@ -29,6 +29,7 @@
> #include <linux/hex.h>
> #include <linux/kernel.h>
> #include <linux/kallsyms.h>
> +#include <linux/lockdep.h>
> #include <linux/math64.h>
> #include <linux/uaccess.h>
> #include <linux/ioport.h>
> @@ -862,6 +863,14 @@ static noinline_for_stack
> char *restricted_pointer(char *buf, char *end, const void *ptr,
> struct printf_spec spec)
> {
> + /*
> + * has_capability_noaudit() may use spinlocks.
> + * Make sure %pK is only used from valid contexts.
> + */
> + static DEFINE_WAIT_ASSERT_MAP(vsprintf_restricted_pointer_map, LD_WAIT_CONFIG);
> +
> + guard(lock_map_acquire)(&vsprintf_restricted_pointer_map);
Here is Sashiko AI review from
https://sashiko.dev/#/patchset/20260520-restricted-pointers-final-v3-0-76bca6a6ab3f%40linutronix.de
<paste>
Will this single global lockdep map create false dependencies and
inconsistent IRQ usage splats?
Because lock_map_acquire() acquires the fake lock with trylock=0, lockdep
fully tracks it in the dependency graph. Since this is a single global
static map, it acts as a central bottleneck: every lock held by any caller
of %pK forms a forward dependency to the fake lock, and the fake lock forms
a forward dependency to any lock acquired inside %pK. This artificially
links completely independent locking contexts across the kernel, which might
generate massive false-positive circular deadlock warnings.
Furthermore, if %pK is evaluated in an IRQ context, the lock map is marked
USED_IN_HARDIRQ. If it is later evaluated in a process context with IRQs
enabled, the map is marked ENABLED_HARDIRQ. Won't lockdep immediately
trigger an inconsistent IRQ usage splat upon detecting both states?
While using trylock=1 (like lock_map_acquire_try()) might seem like a way
around this, lockdep's check_wait_context() explicitly bypasses wait-context
validation when trylock=1. This would defeat the purpose of this patch.
Is there a different mechanism to assert the wait context without fully
tracking it in the lock dependency graph?
</paste>
My opinion:
The fear of generating massive false-positive cirular locks does
not fit here. It is the opposite. This fake lock represents the
various locks which might be taken by has_capability_noaudit()
on purpose. And %pK formatting must never be used under these
locks because it might create deadlock otherwise.
The fear of inconsistent IRQ usage reports makes some sense.
It might happen and it might be confusing because %pK fomatting
must not be used in IRQ context at all. The misleading IRQ
reports should be prevented by adding the lockdep_assert(in_task)
later in this patch set.
Resume:
This patch looks good to me:
Reviewed-by: Petr Mladek <pmladek@suse.com>
> switch (kptr_restrict) {
> case 0:
> /* Handle as %p, hash and do _not_ leak addresses. */
Best Regards,
Petr
next prev parent reply other threads:[~2026-05-27 15:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 8:39 [PATCH v3 0/5] lib/vsprintf: Validate spinlock context during restricted pointer formatting Thomas Weißschuh
2026-05-20 8:40 ` [PATCH v3 1/5] locking/lockdep: Add a helper to validate the locking context without a lock Thomas Weißschuh
2026-05-20 8:40 ` [PATCH v3 2/5] locking/lockdep: Add a guard for lock_map_acquire() Thomas Weißschuh
2026-05-20 8:40 ` [PATCH v3 3/5] lib/vsprintf: Validate spinlock context during restricted pointer formatting Thomas Weißschuh
2026-05-27 15:38 ` Petr Mladek [this message]
2026-05-20 8:40 ` [PATCH v3 4/5] lib/vsprintf: Use in_task() for restricted pointer context check Thomas Weißschuh
2026-05-20 8:40 ` [PATCH v3 5/5] lib/vsprintf: Always check interrupt context restrictions Thomas Weißschuh
2026-05-27 15:45 ` Petr Mladek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahcP_G9bD9M1_JrC@pathway.suse.cz \
--to=pmladek@suse.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bigeasy@linutronix.de \
--cc=boqun@kernel.org \
--cc=clrkwllms@kernel.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rt-devel@lists.linux.dev \
--cc=linux@rasmusvillemoes.dk \
--cc=longman@redhat.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=senozhatsky@chromium.org \
--cc=thomas.weissschuh@linutronix.de \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.