[PATCH 0/2] KVM: s390: Don't use %pK through debug printing or tracepoints

[PATCH 0/2] KVM: s390: Don't use %pK through debug printing or tracepoints

[Thomas Weißschuh]

Restricted pointers ("%pK") are only meant to be used when directly
printing to a file from task context.
Otherwise it can unintentionally expose security sensitive, raw pointer values.

Use regular pointer formatting instead.

Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/

Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
---
Thomas Weißschuh (2):
      KVM: s390: Don't use %pK through tracepoints
      KVM: s390: Don't use %pK through debug printing

 arch/s390/kvm/intercept.c  |  2 +-
 arch/s390/kvm/interrupt.c  |  8 ++++----
 arch/s390/kvm/kvm-s390.c   | 10 +++++-----
 arch/s390/kvm/trace-s390.h |  4 ++--
 4 files changed, 12 insertions(+), 12 deletions(-)
---
base-commit: 0ad2507d5d93f39619fc42372c347d6006b64319
change-id: 20250217-restricted-pointers-s390-3e93b67a9996

Best regards,
-- 
Thomas Weißschuh <thomas.weissschuh@linutronix.de>

[PATCH 1/2] KVM: s390: Don't use %pK through tracepoints

[Thomas Weißschuh]

Restricted pointers ("%pK") are not meant to be used through TP_format().
It can unintentionally expose security sensitive, raw pointer values.

Use regular pointer formatting instead.

Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
---
 arch/s390/kvm/trace-s390.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/s390/kvm/trace-s390.h b/arch/s390/kvm/trace-s390.h
index 9ac92dbf680dbbe7703dd63945968b1cda46cf13..9e28f165c114caab99857ed3b53edc6ed5045dfa 100644
--- a/arch/s390/kvm/trace-s390.h
+++ b/arch/s390/kvm/trace-s390.h
@@ -56,7 +56,7 @@ TRACE_EVENT(kvm_s390_create_vcpu,
 		    __entry->sie_block = sie_block;
 		    ),
 
-	    TP_printk("create cpu %d at 0x%pK, sie block at 0x%pK",
+	    TP_printk("create cpu %d at 0x%p, sie block at 0x%p",
 		      __entry->id, __entry->vcpu, __entry->sie_block)
 	);
 
@@ -255,7 +255,7 @@ TRACE_EVENT(kvm_s390_enable_css,
 		    __entry->kvm = kvm;
 		    ),
 
-	    TP_printk("enabling channel I/O support (kvm @ %pK)\n",
+	    TP_printk("enabling channel I/O support (kvm @ %p)\n",
 		      __entry->kvm)
 	);
 

-- 
2.48.1

[PATCH 2/2] KVM: s390: Don't use %pK through debug printing

[Thomas Weißschuh]

Restricted pointers ("%pK") are only meant to be used when directly
printing to a file from task context.
Otherwise it can unintentionally expose security sensitive,
raw pointer values.

Use regular pointer formatting instead.

Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
---
 arch/s390/kvm/intercept.c |  2 +-
 arch/s390/kvm/interrupt.c |  8 ++++----
 arch/s390/kvm/kvm-s390.c  | 10 +++++-----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
index 610dd44a948b22945b0a35b760ded64bd44ef7cb..a06a000f196ce0066bfd21b0d914492a1796819a 100644
--- a/arch/s390/kvm/intercept.c
+++ b/arch/s390/kvm/intercept.c
@@ -95,7 +95,7 @@ static int handle_validity(struct kvm_vcpu *vcpu)
 
 	vcpu->stat.exit_validity++;
 	trace_kvm_s390_intercept_validity(vcpu, viwhy);
-	KVM_EVENT(3, "validity intercept 0x%x for pid %u (kvm 0x%pK)", viwhy,
+	KVM_EVENT(3, "validity intercept 0x%x for pid %u (kvm 0x%p)", viwhy,
 		  current->pid, vcpu->kvm);
 
 	/* do not warn on invalid runtime instrumentation mode */
diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
index 07ff0e10cb7f5c0294bf85f1d65d1eb124698705..c0558f05400732b2fe6911c1ef58f86b62364770 100644
--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -3161,7 +3161,7 @@ void kvm_s390_gisa_clear(struct kvm *kvm)
 	if (!gi->origin)
 		return;
 	gisa_clear_ipm(gi->origin);
-	VM_EVENT(kvm, 3, "gisa 0x%pK cleared", gi->origin);
+	VM_EVENT(kvm, 3, "gisa 0x%p cleared", gi->origin);
 }
 
 void kvm_s390_gisa_init(struct kvm *kvm)
@@ -3178,7 +3178,7 @@ void kvm_s390_gisa_init(struct kvm *kvm)
 	gi->timer.function = gisa_vcpu_kicker;
 	memset(gi->origin, 0, sizeof(struct kvm_s390_gisa));
 	gi->origin->next_alert = (u32)virt_to_phys(gi->origin);
-	VM_EVENT(kvm, 3, "gisa 0x%pK initialized", gi->origin);
+	VM_EVENT(kvm, 3, "gisa 0x%p initialized", gi->origin);
 }
 
 void kvm_s390_gisa_enable(struct kvm *kvm)
@@ -3219,7 +3219,7 @@ void kvm_s390_gisa_destroy(struct kvm *kvm)
 		process_gib_alert_list();
 	hrtimer_cancel(&gi->timer);
 	gi->origin = NULL;
-	VM_EVENT(kvm, 3, "gisa 0x%pK destroyed", gisa);
+	VM_EVENT(kvm, 3, "gisa 0x%p destroyed", gisa);
 }
 
 void kvm_s390_gisa_disable(struct kvm *kvm)
@@ -3468,7 +3468,7 @@ int __init kvm_s390_gib_init(u8 nisc)
 		}
 	}
 
-	KVM_EVENT(3, "gib 0x%pK (nisc=%d) initialized", gib, gib->nisc);
+	KVM_EVENT(3, "gib 0x%p (nisc=%d) initialized", gib, gib->nisc);
 	goto out;
 
 out_unreg_gal:
diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index ebecb96bacce7d75563bd3a130a7cc31869dc254..9e427ba3aed42edf617d6625b5bcaba8f43dc464 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -1020,7 +1020,7 @@ static int kvm_s390_set_mem_control(struct kvm *kvm, struct kvm_device_attr *att
 		}
 		mutex_unlock(&kvm->lock);
 		VM_EVENT(kvm, 3, "SET: max guest address: %lu", new_limit);
-		VM_EVENT(kvm, 3, "New guest asce: 0x%pK",
+		VM_EVENT(kvm, 3, "New guest asce: 0x%p",
 			 (void *) kvm->arch.gmap->asce);
 		break;
 	}
@@ -3464,7 +3464,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
 		kvm_s390_gisa_init(kvm);
 	INIT_LIST_HEAD(&kvm->arch.pv.need_cleanup);
 	kvm->arch.pv.set_aside = NULL;
-	KVM_EVENT(3, "vm 0x%pK created by pid %u", kvm, current->pid);
+	KVM_EVENT(3, "vm 0x%p created by pid %u", kvm, current->pid);
 
 	return 0;
 out_err:
@@ -3527,7 +3527,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
 	kvm_s390_destroy_adapters(kvm);
 	kvm_s390_clear_float_irqs(kvm);
 	kvm_s390_vsie_destroy(kvm);
-	KVM_EVENT(3, "vm 0x%pK destroyed", kvm);
+	KVM_EVENT(3, "vm 0x%p destroyed", kvm);
 }
 
 /* Section: vcpu related */
@@ -3648,7 +3648,7 @@ static int sca_switch_to_extended(struct kvm *kvm)
 
 	free_page((unsigned long)old_sca);
 
-	VM_EVENT(kvm, 2, "Switched to ESCA (0x%pK -> 0x%pK)",
+	VM_EVENT(kvm, 2, "Switched to ESCA (0x%p -> 0x%p)",
 		 old_sca, kvm->arch.sca);
 	return 0;
 }
@@ -4025,7 +4025,7 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu)
 			goto out_free_sie_block;
 	}
 
-	VM_EVENT(vcpu->kvm, 3, "create cpu %d at 0x%pK, sie block at 0x%pK",
+	VM_EVENT(vcpu->kvm, 3, "create cpu %d at 0x%p, sie block at 0x%p",
 		 vcpu->vcpu_id, vcpu, vcpu->arch.sie_block);
 	trace_kvm_s390_create_vcpu(vcpu->vcpu_id, vcpu, vcpu->arch.sie_block);
 

-- 
2.48.1

Re: [PATCH 2/2] KVM: s390: Don't use %pK through debug printing

[Michael Mueller]

On 17.02.25 14:13, Thomas Weißschuh wrote:
> Restricted pointers ("%pK") are only meant to be used when directly
> printing to a file from task context.
> Otherwise it can unintentionally expose security sensitive,
> raw pointer values.
> 
> Use regular pointer formatting instead.
> 
> Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/
> Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>


I sucessfully ran our test suite after applying this patch.

Reviewed-by: Michael Mueller <mimu@linux.ibm.com>
Tested-by: Michael Mueller <mimu@linux.ibm.com>

> ---
>   arch/s390/kvm/intercept.c |  2 +-
>   arch/s390/kvm/interrupt.c |  8 ++++----
>   arch/s390/kvm/kvm-s390.c  | 10 +++++-----
>   3 files changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
> index 610dd44a948b22945b0a35b760ded64bd44ef7cb..a06a000f196ce0066bfd21b0d914492a1796819a 100644
> --- a/arch/s390/kvm/intercept.c
> +++ b/arch/s390/kvm/intercept.c
> @@ -95,7 +95,7 @@ static int handle_validity(struct kvm_vcpu *vcpu)
>   
>   	vcpu->stat.exit_validity++;
>   	trace_kvm_s390_intercept_validity(vcpu, viwhy);
> -	KVM_EVENT(3, "validity intercept 0x%x for pid %u (kvm 0x%pK)", viwhy,
> +	KVM_EVENT(3, "validity intercept 0x%x for pid %u (kvm 0x%p)", viwhy,
>   		  current->pid, vcpu->kvm);
>   
>   	/* do not warn on invalid runtime instrumentation mode */
> diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
> index 07ff0e10cb7f5c0294bf85f1d65d1eb124698705..c0558f05400732b2fe6911c1ef58f86b62364770 100644
> --- a/arch/s390/kvm/interrupt.c
> +++ b/arch/s390/kvm/interrupt.c
> @@ -3161,7 +3161,7 @@ void kvm_s390_gisa_clear(struct kvm *kvm)
>   	if (!gi->origin)
>   		return;
>   	gisa_clear_ipm(gi->origin);
> -	VM_EVENT(kvm, 3, "gisa 0x%pK cleared", gi->origin);
> +	VM_EVENT(kvm, 3, "gisa 0x%p cleared", gi->origin);
>   }
>   
>   void kvm_s390_gisa_init(struct kvm *kvm)
> @@ -3178,7 +3178,7 @@ void kvm_s390_gisa_init(struct kvm *kvm)
>   	gi->timer.function = gisa_vcpu_kicker;
>   	memset(gi->origin, 0, sizeof(struct kvm_s390_gisa));
>   	gi->origin->next_alert = (u32)virt_to_phys(gi->origin);
> -	VM_EVENT(kvm, 3, "gisa 0x%pK initialized", gi->origin);
> +	VM_EVENT(kvm, 3, "gisa 0x%p initialized", gi->origin);
>   }
>   
>   void kvm_s390_gisa_enable(struct kvm *kvm)
> @@ -3219,7 +3219,7 @@ void kvm_s390_gisa_destroy(struct kvm *kvm)
>   		process_gib_alert_list();
>   	hrtimer_cancel(&gi->timer);
>   	gi->origin = NULL;
> -	VM_EVENT(kvm, 3, "gisa 0x%pK destroyed", gisa);
> +	VM_EVENT(kvm, 3, "gisa 0x%p destroyed", gisa);
>   }
>   
>   void kvm_s390_gisa_disable(struct kvm *kvm)
> @@ -3468,7 +3468,7 @@ int __init kvm_s390_gib_init(u8 nisc)
>   		}
>   	}
>   
> -	KVM_EVENT(3, "gib 0x%pK (nisc=%d) initialized", gib, gib->nisc);
> +	KVM_EVENT(3, "gib 0x%p (nisc=%d) initialized", gib, gib->nisc);
>   	goto out;
>   
>   out_unreg_gal:
> diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
> index ebecb96bacce7d75563bd3a130a7cc31869dc254..9e427ba3aed42edf617d6625b5bcaba8f43dc464 100644
> --- a/arch/s390/kvm/kvm-s390.c
> +++ b/arch/s390/kvm/kvm-s390.c
> @@ -1020,7 +1020,7 @@ static int kvm_s390_set_mem_control(struct kvm *kvm, struct kvm_device_attr *att
>   		}
>   		mutex_unlock(&kvm->lock);
>   		VM_EVENT(kvm, 3, "SET: max guest address: %lu", new_limit);
> -		VM_EVENT(kvm, 3, "New guest asce: 0x%pK",
> +		VM_EVENT(kvm, 3, "New guest asce: 0x%p",
>   			 (void *) kvm->arch.gmap->asce);
>   		break;
>   	}
> @@ -3464,7 +3464,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
>   		kvm_s390_gisa_init(kvm);
>   	INIT_LIST_HEAD(&kvm->arch.pv.need_cleanup);
>   	kvm->arch.pv.set_aside = NULL;
> -	KVM_EVENT(3, "vm 0x%pK created by pid %u", kvm, current->pid);
> +	KVM_EVENT(3, "vm 0x%p created by pid %u", kvm, current->pid);
>   
>   	return 0;
>   out_err:
> @@ -3527,7 +3527,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
>   	kvm_s390_destroy_adapters(kvm);
>   	kvm_s390_clear_float_irqs(kvm);
>   	kvm_s390_vsie_destroy(kvm);
> -	KVM_EVENT(3, "vm 0x%pK destroyed", kvm);
> +	KVM_EVENT(3, "vm 0x%p destroyed", kvm);
>   }
>   
>   /* Section: vcpu related */
> @@ -3648,7 +3648,7 @@ static int sca_switch_to_extended(struct kvm *kvm)
>   
>   	free_page((unsigned long)old_sca);
>   
> -	VM_EVENT(kvm, 2, "Switched to ESCA (0x%pK -> 0x%pK)",
> +	VM_EVENT(kvm, 2, "Switched to ESCA (0x%p -> 0x%p)",
>   		 old_sca, kvm->arch.sca);
>   	return 0;
>   }
> @@ -4025,7 +4025,7 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu)
>   			goto out_free_sie_block;
>   	}
>   
> -	VM_EVENT(vcpu->kvm, 3, "create cpu %d at 0x%pK, sie block at 0x%pK",
> +	VM_EVENT(vcpu->kvm, 3, "create cpu %d at 0x%p, sie block at 0x%p",
>   		 vcpu->vcpu_id, vcpu, vcpu->arch.sie_block);
>   	trace_kvm_s390_create_vcpu(vcpu->vcpu_id, vcpu, vcpu->arch.sie_block);
>   
> 

Re: [PATCH 1/2] KVM: s390: Don't use %pK through tracepoints

[Michael Mueller]

On 17.02.25 14:13, Thomas Weißschuh wrote:
> Restricted pointers ("%pK") are not meant to be used through TP_format().
> It can unintentionally expose security sensitive, raw pointer values.
> 
> Use regular pointer formatting instead.
> 
> Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/
> Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>

Reviewed-by: Michael Mueller <mimu@linux.ibm.com>

> ---
>   arch/s390/kvm/trace-s390.h | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/s390/kvm/trace-s390.h b/arch/s390/kvm/trace-s390.h
> index 9ac92dbf680dbbe7703dd63945968b1cda46cf13..9e28f165c114caab99857ed3b53edc6ed5045dfa 100644
> --- a/arch/s390/kvm/trace-s390.h
> +++ b/arch/s390/kvm/trace-s390.h
> @@ -56,7 +56,7 @@ TRACE_EVENT(kvm_s390_create_vcpu,
>   		    __entry->sie_block = sie_block;
>   		    ),
>   
> -	    TP_printk("create cpu %d at 0x%pK, sie block at 0x%pK",
> +	    TP_printk("create cpu %d at 0x%p, sie block at 0x%p",
>   		      __entry->id, __entry->vcpu, __entry->sie_block)
>   	);
>   
> @@ -255,7 +255,7 @@ TRACE_EVENT(kvm_s390_enable_css,
>   		    __entry->kvm = kvm;
>   		    ),
>   
> -	    TP_printk("enabling channel I/O support (kvm @ %pK)\n",
> +	    TP_printk("enabling channel I/O support (kvm @ %p)\n",
>   		      __entry->kvm)
>   	);
>   
> 

Re: [PATCH 0/2] KVM: s390: Don't use %pK through debug printing or tracepoints

[Janosch Frank]

On 2/17/25 2:13 PM, Thomas Weißschuh wrote:
> Restricted pointers ("%pK") are only meant to be used when directly
> printing to a file from task context.
> Otherwise it can unintentionally expose security sensitive, raw pointer values.
> 
> Use regular pointer formatting instead.


Thanks, picked!