From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E10E330FF2A for ; Tue, 7 Jul 2026 09:28:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.50 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783416500; cv=none; b=oTcKTHiVKXNpuZza+d8Gt6SyW6zCHBs0okzhigJutGyJKWjBK99mrM78O60+lRX6uhIIN8L0w3M3UXvrNKsFONVdUSW3fw+/cjBjmIttm7rdqGIBIUJ9jPhlUU2z62sm+K8ZpVb9a5WJV5mPiPnHtwMtWBBYEKhSYKQ5ei/Awdw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783416500; c=relaxed/simple; bh=/AC7M6m85bg4/DIhZhRiQ2nfDsanJJu0Qe+lX1wS8uk=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=fZf6H2oLtbMlNQ5nY59eqVkeDhz1oQJ8N3IRhdyROc6ueFyMBzf+WV+hb/GvQo0Cba6IWSb5K6pv0BGvUYxXPX3KWwX9aQUftu/bvlcQaHhPKZCSo0pWP0rd4oVyFbXxMQ5c7BSVBsv1gBSirngAIosFWrqjNfcliqtdQwlu1po= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b=PA5TBKhx; arc=none smtp.client-ip=209.85.128.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b="PA5TBKhx" Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-490cf322ed0so25560645e9.1 for ; Tue, 07 Jul 2026 02:28:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=google; t=1783416496; x=1784021296; darn=vger.kernel.org; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:from:to:cc:subject :date:message-id:reply-to:content-type; bh=fVqV40sPygPGTJ7GO/0STywASI+KAPKvvI6Bd3ie5TU=; b=PA5TBKhxEfTM+C6OvL4nihBJjp5eaq4pHXm2MUQ3NXuGXog9y2RmdjaFMMbGjBRCVN fSzyCbnsisG2iPGNof/V43ZwPk/cAys4pMnVGsuKFuih9mjPhKaDVy8CUOW9JDYsGSsb m+1oi35F/MD+JJ5izbB8LkkdAQjCZqqgE2KJ+4kWTYwayNVRwIw8WJXf17woNMBoDwj2 D+gxSIAy2P9KiCb6EjCmXXQ3yrttsTluXSmIB3ifTBeK1IAowi43l+jnqF/L9qxESJpp cAj1gfAVC8mOx8dCiGdEq2v1H9RuzkY2gPs1MQ1RT9w10vi8NRvAbpWKqggbaJUfrdje uWFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783416496; x=1784021296; h=in-reply-to:content-disposition:content-type:mime-version :references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=fVqV40sPygPGTJ7GO/0STywASI+KAPKvvI6Bd3ie5TU=; b=fpLQGWQFQV7W47uwu/n/QhPWzGi640d1jYpfyr0vN5mG1hQNu3XVvqsZomtGAeTTS4 GfepWkDeoBP+Joz8DcYuynJMbwSejKu8TU20RrGptdSGY3HT+6pavI6lG8SX37ki8K41 Exg0wmT6GR8NQZoEpaGrVLb4ekShjwDMgoYNVgRyAecBvnT75HzRiCtfYRBQm219o7m0 yVTsimKinzgilT0b03wUEvXuqa8rhjstrAc6yfGiuhS8KtdxJ9OJIIaHPpHKKr15L/nM /2CbVf39UXVBx4shqeoedZjvcQKonwh53h8+KrWsBTakVtEWaV62ic9yvfKBVmzLIo54 UNlQ== X-Forwarded-Encrypted: i=1; AHgh+RpBf0xEC0o57n9zm/Cixfx1Ptsz58XJGiMK5XPAvrBlMX/eYoml2xQjitFZliKwss7RaxAFrrGHqg7MLEA=@vger.kernel.org X-Gm-Message-State: AOJu0YzE8T7dp26Rdov6dBU7YTBhZUKOulC5cwIGNzhHo2+Cvk2GCmY+ M7CHDmO1W8SBCjbkYigD+qew59o6qHcsNlIIR0w09nvA01fH5d237h7bQOCCBsmelZk= X-Gm-Gg: AfdE7cmNvhSZrneZk+iOJG/hqVgnlbXaAA990QliqyMXnZ/nkykO03svtsaa3os07b8 TNbnH79FBeDzKXHhsIm+FUBJMmu+d1aZ+ursKMg4G1Oec9ofSd1aASlNh0NAWQ9HUKQgEvoANyx E/pfvTySSvkdG8pwEATyMKiPFqtufW1iboFOZBzzFKz3TgbXEVUNJT4jeew1sldh69ffzM6ZXLm xa8Us4rqhTTGYJobq+BslONAPEiLBMJ8vir+MIFaZfnvkTx3akkesDc4m+/AWGaxLoj8Z0ArUMM L1o8/j+mGsExxAOU/WzIKaCwA/4IjL6R6y/cwqwe9fyyGDGMj83+4omfJ5b1xNT+pI3XeYsOKuy Z4yt+msv430dtzKDbWao8mryhJbs55ZLJm2T1LQ25bKDSn1eMLdRQcJwRLYKJVo3evIOM4x1GU7 3AJuRWb/9p6s7TwL4= X-Received: by 2002:a05:600c:c289:b0:493:c862:3f2d with SMTP id 5b1f17b1804b1-493df06697fmr32432945e9.5.1783416496208; Tue, 07 Jul 2026 02:28:16 -0700 (PDT) Received: from pathway.suse.cz ([176.114.240.130]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-493e0f5bc78sm49059445e9.14.2026.07.07.02.28.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jul 2026 02:28:15 -0700 (PDT) Date: Tue, 7 Jul 2026 11:28:13 +0200 From: Petr Mladek To: Andrew Morton Cc: Bradley Morgan , Feng Tang , Jinchao Wang , linux-kernel@vger.kernel.org Subject: Re: [PATCH] panic: fix va_list reuse in panic_try_force_cpu() Message-ID: References: <20260705164123.18746-1-include@grrlz.net> <20260705121014.d783e021f38f262faf2404f2@linux-foundation.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260705121014.d783e021f38f262faf2404f2@linux-foundation.org> On Sun 2026-07-05 12:10:14, Andrew Morton wrote: > On Sun, 5 Jul 2026 16:41:23 +0000 Bradley Morgan wrote: > > > vsnprintf() consumes the caller's va_list. When the redirect fails, > > vpanic() reuses it for the panic message, which is undefined > > behavior. Use va_copy(). > > Thanks. > > > --- a/kernel/panic.c > > +++ b/kernel/panic.c > > @@ -412,7 +412,12 @@ static bool panic_try_force_cpu(const char *fmt, va_list args) > > * fall back to static message for early boot panics or allocation failure. > > */ > > if (panic_force_buf) { > > - vsnprintf(panic_force_buf, PANIC_MSG_BUFSZ, fmt, args); > > + va_list ap; > > + > > + /* Do not consume args, the caller reuses it if we fail */ > > Nice comment! > > > + va_copy(ap, args); > > + vsnprintf(panic_force_buf, PANIC_MSG_BUFSZ, fmt, ap); > > + va_end(ap); > > msg = panic_force_buf; > > } else { > > msg = "Redirected panic (buffer unavailable)"; > > AI review found a possible pre-existing thing in there (as usual, > sigh). Seems pretty improbable: > > https://sashiko.dev/#/patchset/20260705164123.18746-1-include@grrlz.net Sashiko's comment is: This is a pre-existing issue, but looking at panic_try_force_cpu() in kernel/panic.c, could concurrent panics bypass the panic_force_cpu redirection? If multiple CPUs enter panic() concurrently: CPU A successfully sets panic_redirect_cpu: if (!atomic_try_cmpxchg(&panic_redirect_cpu, &old_cpu, this_cpu)) and eventually returns true to stop itself. CPU B fails the cmpxchg on panic_redirect_cpu and returns false. Because the target CPU (CPU C) hasn't yet started executing panic and hasn't set panic_cpu, CPU B falls through to panic_try_start(). CPU B successfully sets panic_cpu and handles the panic itself. When CPU C eventually receives the IPI, it stops itself because panic_cpu is already claimed. Could this result in the crash kernel executing on a CPU other than the one specified by panic_force_cpu? It has a point. panic_try_force_cpu() should return true when it can't set panic_redirect_cpu. The panic() will be finished either by the requested CPU or by the CPU which was able to set panic_redirect_cpu. I could send a patch. Or Bradley, would you like to send it? Best Regards, Petr