From: Petr Mladek <pmladek@suse.com>
To: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Steven Rostedt <rostedt@goodmis.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Sergey Senozhatsky <senozhatsky@chromium.org>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>, Will Deacon <will@kernel.org>,
Boqun Feng <boqun@kernel.org>, Waiman Long <longman@redhat.com>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Clark Williams <clrkwllms@kernel.org>,
Kees Cook <kees@kernel.org>,
linux-kernel@vger.kernel.org, linux-rt-devel@lists.linux.dev
Subject: Re: [PATCH v4 5/5] lib/vsprintf: Validate spinlock context during restricted pointer formatting
Date: Tue, 16 Jun 2026 11:14:50 +0200 [thread overview]
Message-ID: <ajEUClmHBPiiB4eC@pathway.suse.cz> (raw)
In-Reply-To: <20260611120615-4252b75d-55aa-4bed-b64b-0316b2148d2c@linutronix.de>
On Thu 2026-06-11 12:09:08, Thomas Weißschuh wrote:
> On Mon, Jun 08, 2026 at 04:21:45PM +0200, Thomas Weißschuh wrote:
> > Depending on the system configuration, the restricted pointer formatting
> > might call into the security subsystem which takes spinlocks, which
> > might sleep under PREEMPT_RT. As %pK is intended to be only used from
> > read handlers of virtual files, which always run in task context,
> > this should not be a problem in practice.
> > However, developers have used %pK before from atomic context without
> > realizing this restriction. While all existing user of %pK through
> > printk() have been removed, new ones might be reintroduced accidentally
> > in the future.
> >
> > Add a lockdep annotation to unconditionally introduce a fake spinlock in
> > restricted_pointer(), so lockdep can detect misuse even if the current
> > test system configuration would not exhibit the issue.
> > This is intentionally a single lock instance shared by all callers,
> > as that mirrors what can happen in the security subsystem.
> >
> > This check comes intentionally after the in_task() one, to have the
> > clearer diagnostic first when the function is called from IRQ context,
> > which will trigger both.
> >
> > Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/
> > Link: https://lore.kernel.org/lkml/20241217142032.55793-1-acarmina@redhat.com/
> > Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
> > Reviewed-by: Petr Mladek <pmladek@suse.com>
> > ---
> > lib/vsprintf.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> > index 09e0e5194d41..728a1acd69ae 100644
> > --- a/lib/vsprintf.c
> > +++ b/lib/vsprintf.c
> > @@ -864,7 +864,14 @@ static noinline_for_stack
> > char *restricted_pointer(char *buf, char *end, const void *ptr,
> > struct printf_spec spec)
> > {
> > + /*
> > + * has_capability_noaudit() may use spinlocks.
> > + * Make sure %pK is only used from valid contexts.
> > + */
> > + static DEFINE_WAIT_ASSERT_MAP(vsprintf_restricted_pointer_map, LD_WAIT_CONFIG);
> > +
> > lockdep_assert(in_task());
> > + guard(lock_map_acquire)(&vsprintf_restricted_pointer_map);
>
> The kernel test robot found a lockdep violation with this patch:
> https://lore.kernel.org/all/202606110945.d3871219-lkp@intel.com/
>
> My suspicion is that this is a pre-existing problem that was not visible
> to lockdep so far, exactly what this patch is supposed to mitigate.
> I'll investigate some more and try to reproduce it.
I was curious and found the following. The problematic patch seems to be:
[ 92.754552][ T3827] lock_acquire (locking/lockdep.c:5868)
[ 92.757345][ T3827] class_lock_map_acquire_constructor (linux/lockdep.h:557 (discriminator 1))
[ 92.759895][ T3827] restricted_pointer (vsprintf.c:874)
[ 92.770231][ T3827] pointer (vsprintf.c:2582)
[ 92.772166][ T3827] vsnprintf (vsprintf.c:2956)
[ 92.774145][ T3827] seq_printf (seq_file.c:392 seq_file.c:407)
[ 92.776083][ T3827] tcp6_seq_show (ipv6/tcp_ipv6.c:2147 (discriminator 1) ipv6/tcp_ipv6.c:2221 (discriminator 1))
[ 92.778212][ T3827] traverse (seq_file.c:112)
[ 92.780125][ T3827] seq_lseek (seq_file.c:324 (discriminator 1))
[ 92.782106][ T3827] proc_reg_llseek (proc/inode.c:283)
[ 92.789616][ T3827] __ia32_sys_lseek (read_write.c:391)
[ 92.791786][ T3827] ia32_sys_call (kbuild/obj/consumer/i386-randconfig-013-20260610/./arch/x86/include/generated/asm/syscalls_32.h:20)
[ 92.793792][ T3827] __do_fast_syscall_32 (x86/entry/syscall_32.c:83)
[ 92.795973][ T3827] do_fast_syscall_32 (x86/entry/syscall_32.c:332)
[ 92.797992][ T3827] do_SYSENTER_32 (x86/entry/syscall_32.c:370)
[ 92.799987][ T3827] entry_SYSENTER_32 (x86/entry/entry_32.S:835)
If I get it correctly then traverse() might take spin_lock_bh(lock)
via:
+ traverse()
+ tcp_seq_start()
+ tcp_get_idx()
+ established_get_idx()
+ established_get_first()
+ spin_lock_bh(lock);
And then it calls vsnprintf(" %pK" in
+ tcp6_seq_show()
+ get_tcp6_sock()
+ seq_printf()
By other words, it calls vsnprintf("%pK") with disabled softirqs.
If I get it correctly then this might create a deadlock because
vsnprinf("%pK") can be called also with (soft)irqs enabled,
then soft(irq) might came and want to take the spin_lock(lock)...
As a result, we should not use %pK in tcp6_seq_show().
Best Regards,
Petr
prev parent reply other threads:[~2026-06-16 9:14 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 14:21 [PATCH v4 0/5] lib/vsprintf: Validate spinlock context during restricted pointer formatting Thomas Weißschuh
2026-06-08 14:21 ` [PATCH v4 1/5] locking/lockdep: Add a helper to validate the locking context without a lock Thomas Weißschuh
2026-06-08 14:21 ` [PATCH v4 2/5] locking/lockdep: Add a guard for lock_map_acquire() Thomas Weißschuh
2026-06-08 14:21 ` [PATCH v4 3/5] lib/vsprintf: Use in_task() for restricted pointer context check Thomas Weißschuh
2026-06-08 14:21 ` [PATCH v4 4/5] lib/vsprintf: Always check interrupt context restrictions Thomas Weißschuh
2026-06-08 14:21 ` [PATCH v4 5/5] lib/vsprintf: Validate spinlock context during restricted pointer formatting Thomas Weißschuh
2026-06-11 10:09 ` Thomas Weißschuh
2026-06-16 9:14 ` Petr Mladek [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ajEUClmHBPiiB4eC@pathway.suse.cz \
--to=pmladek@suse.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bigeasy@linutronix.de \
--cc=boqun@kernel.org \
--cc=clrkwllms@kernel.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rt-devel@lists.linux.dev \
--cc=linux@rasmusvillemoes.dk \
--cc=longman@redhat.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=senozhatsky@chromium.org \
--cc=thomas.weissschuh@linutronix.de \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.