[PATCH v2 0/2] x86/bug: Add printf() validation to x86's custom WARNs

[PATCH v2 0/2] x86/bug: Add printf() validation to x86's custom WARNs

[Sean Christopherson]

In x86's custom HAVE_ARCH_BUG_FORMAT_ARGS WARNs, invoke a dummy function
with __printf() annotation to validate the formatting+arguments of any
provided messages.

Yan reported a bug where I botched the formatting of a WARN_ONCE() argument,
but none of my builds (with W=1 and -Werror) detected the issue, nor did any
of the build bots (AFAIK).  Turns out that Yan found it via CONFIG_BUG=n,
which due to the code being 64-bit-only, was the only way to detect the
malformed message.

v2:
 - Drop the dummy macro for assembly code. [Yan]
 - Extend the #ifdeffery to hide the WARN macros themselves from assembly
   code. [Yan]

v1: https://lore.kernel.org/all/20260409182941.1912856-1-seanjc@google.com

Sean Christopherson (2):
  x86/bug: Add printf() validation to HAVE_ARCH_BUG_FORMAT_ARGS WARNs
  x86/bug: Put HAVE_ARCH_BUG_FORMAT_ARGS WARN definitions inside
    __ASSEMBLER__

 arch/x86/include/asm/bug.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


base-commit: 59287e6ad4a9e5d13519b783d6bbc1015b94d63e
-- 
2.54.0.545.g6539524ca2-goog

[PATCH v2 1/2] x86/bug: Add printf() validation to HAVE_ARCH_BUG_FORMAT_ARGS WARNs

[Sean Christopherson]

Add explicit printf() validation for x86-64's newfangled WARN
implementation, as most (all?) compilers fail to detect basic formatting
issues without the annotation.  E.g. even goofs like printing a u64 as a
string aren't detected:

  WARN_ONCE(1, "Bad message, %s", vcpu->arch.last_guest_tsc);

Lack of validation is especially problematic for code that is 64-bit-only,
as blatant goofs can easily go unnoticed, as they (somewhat ironically)
will only be noticed by CONFIG_BUG=n builds.

Cc: Yan Zhao <yan.y.zhao@intel.com>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/all/adc1IrD8uqWdaOKv@yzhao56-desk.sh.intel.com
Fixes: 5b472b6e5bd9 ("x86_64/bug: Implement __WARN_printf()")
Fixes: 11bb4944f014 ("x86/bug: Implement WARN_ONCE()")
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/include/asm/bug.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/include/asm/bug.h b/arch/x86/include/asm/bug.h
index 80c1696d8d59..bf3c802654d1 100644
--- a/arch/x86/include/asm/bug.h
+++ b/arch/x86/include/asm/bug.h
@@ -153,6 +153,7 @@ struct arch_va_list {
 	struct sysv_va_list args;
 };
 extern void *__warn_args(struct arch_va_list *args, struct pt_regs *regs);
+static __always_inline __printf(1, 2) void __WARN_validate_printf(const char *fmt, ...) { }
 #endif /* __ASSEMBLER__ */
 
 #define __WARN_bug_entry(flags, format) ({				\
@@ -172,6 +173,7 @@ extern void *__warn_args(struct arch_va_list *args, struct pt_regs *regs);
 #define __WARN_print_arg(flags, format, arg...)				\
 do {									\
 	int __flags = (flags) | BUGFLAG_WARNING | BUGFLAG_ARGS ;	\
+	__WARN_validate_printf(format, ## arg);				\
 	static_call_mod(WARN_trap)(__WARN_bug_entry(__flags, format), ## arg); \
 	asm (""); /* inhibit tail-call optimization */			\
 } while (0)
-- 
2.54.0.545.g6539524ca2-goog

[PATCH v2 2/2] x86/bug: Put HAVE_ARCH_BUG_FORMAT_ARGS WARN definitions inside __ASSEMBLER__

[Sean Christopherson]

Extend the !assembly #ifdef guarding x86's custom WARN helpers to cover the
WARN macros themselves, as they aren't assembly friendly.  This helps make
it clear that things like __WARN_validate_printf() don't need a dummy
definition for assembly code.

No functional change intended.

Suggested-by: Yan Zhao <yan.y.zhao@intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/include/asm/bug.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/bug.h b/arch/x86/include/asm/bug.h
index bf3c802654d1..23ab05438269 100644
--- a/arch/x86/include/asm/bug.h
+++ b/arch/x86/include/asm/bug.h
@@ -154,7 +154,6 @@ struct arch_va_list {
 };
 extern void *__warn_args(struct arch_va_list *args, struct pt_regs *regs);
 static __always_inline __printf(1, 2) void __WARN_validate_printf(const char *fmt, ...) { }
-#endif /* __ASSEMBLER__ */
 
 #define __WARN_bug_entry(flags, format) ({				\
 	struct bug_entry *bug;						\
@@ -189,6 +188,7 @@ do {									\
 	}								\
 	__ret_warn_on;							\
 })
+#endif /* __ASSEMBLER__ */
 
 #endif /* HAVE_ARCH_BUG_FORMAT_ARGS */
 
-- 
2.54.0.545.g6539524ca2-goog

Re: [PATCH v2 1/2] x86/bug: Add printf() validation to HAVE_ARCH_BUG_FORMAT_ARGS WARNs

[Dave Hansen]

On 4/23/26 07:54, Sean Christopherson wrote:
> Lack of validation is especially problematic for code that is 64-bit-only,
> as blatant goofs can easily go unnoticed, as they (somewhat ironically)
> will only be noticed by CONFIG_BUG=n builds.

This took me a minute to piece together.

CONFIG_BUG=n builds use the asm-generic/bug.h implementations which have:

	no_printk(format);

and do their own printk validation. Right?

Also, what do you mean about 64-bit-only code?

I'm also debating if we should stick these in x86/urgent and get them to
Linus sooner rather than later so folks aren't bitten by this for a
whole development cycle.

Re: [PATCH v2 1/2] x86/bug: Add printf() validation to HAVE_ARCH_BUG_FORMAT_ARGS WARNs

[Sean Christopherson]

On Thu, Apr 23, 2026, Dave Hansen wrote:
> On 4/23/26 07:54, Sean Christopherson wrote:
> > Lack of validation is especially problematic for code that is 64-bit-only,
> > as blatant goofs can easily go unnoticed, as they (somewhat ironically)
> > will only be noticed by CONFIG_BUG=n builds.
> 
> This took me a minute to piece together.
> 
> CONFIG_BUG=n builds use the asm-generic/bug.h implementations which have:
> 
> 	no_printk(format);
> 
> and do their own printk validation. Right?

Ya.

> Also, what do you mean about 64-bit-only code?

32-bit x86 doesn't support HAVE_ARCH_BUG_FORMAT_ARGS, and so it too uses generic
implementations that provide printk validation.  I.e. the blind spot is code that
is strictly x86-64, because code that builds on other architectures and on 32-bit
x86 will be detected by those other builds, and unlike CONFIG_BUG=n, people and
bots regularly test those configurations.

> I'm also debating if we should stick these in x86/urgent and get them to
> Linus sooner rather than later so folks aren't bitten by this for a
> whole development cycle.

Re: [PATCH v2 1/2] x86/bug: Add printf() validation to HAVE_ARCH_BUG_FORMAT_ARGS WARNs

[Dave Hansen]

On 4/23/26 08:47, Sean Christopherson wrote:
>> Also, what do you mean about 64-bit-only code?
> 32-bit x86 doesn't support HAVE_ARCH_BUG_FORMAT_ARGS, and so it too uses generic
> implementations that provide printk validation.  I.e. the blind spot is code that
> is strictly x86-64, because code that builds on other architectures and on 32-bit
> x86 will be detected by those other builds, and unlike CONFIG_BUG=n, people and
> bots regularly test those configurations.

Ahhh, thanks for the explanation. In any case:

Acked-by: Dave Hansen <dave.hansen@linux.intel.com>

I'll plan to suck these in after -rc1 if someone else doesn't beat me to it.

[tip: x86/misc] x86/bug: Put HAVE_ARCH_BUG_FORMAT_ARGS WARN definitions inside __ASSEMBLER__

[tip-bot2 for Sean Christopherson]

The following commit has been merged into the x86/misc branch of tip:

Commit-ID:     23aea3c539a62ab97ca3aecf41d590d91f2911fc
Gitweb:        https://git.kernel.org/tip/23aea3c539a62ab97ca3aecf41d590d91f2911fc
Author:        Sean Christopherson <seanjc@google.com>
AuthorDate:    Thu, 23 Apr 2026 07:54:18 -07:00
Committer:     Dave Hansen <dave.hansen@linux.intel.com>
CommitterDate: Mon, 27 Apr 2026 12:02:57 -07:00

x86/bug: Put HAVE_ARCH_BUG_FORMAT_ARGS WARN definitions inside __ASSEMBLER__

Extend the !assembly #ifdef guarding x86's custom WARN helpers to cover the
WARN macros themselves, as they aren't assembly friendly.  This helps make
it clear that things like __WARN_validate_printf() don't need a dummy
definition for assembly code.

No functional change intended.

Suggested-by: Yan Zhao <yan.y.zhao@intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://patch.msgid.link/20260423145419.459988-3-seanjc@google.com
---
 arch/x86/include/asm/bug.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/bug.h b/arch/x86/include/asm/bug.h
index bf3c802..23ab054 100644
--- a/arch/x86/include/asm/bug.h
+++ b/arch/x86/include/asm/bug.h
@@ -154,7 +154,6 @@ struct arch_va_list {
 };
 extern void *__warn_args(struct arch_va_list *args, struct pt_regs *regs);
 static __always_inline __printf(1, 2) void __WARN_validate_printf(const char *fmt, ...) { }
-#endif /* __ASSEMBLER__ */
 
 #define __WARN_bug_entry(flags, format) ({				\
 	struct bug_entry *bug;						\
@@ -189,6 +188,7 @@ do {									\
 	}								\
 	__ret_warn_on;							\
 })
+#endif /* __ASSEMBLER__ */
 
 #endif /* HAVE_ARCH_BUG_FORMAT_ARGS */
 

[tip: x86/misc] x86/bug: Add printf() validation to HAVE_ARCH_BUG_FORMAT_ARGS WARNs

[tip-bot2 for Sean Christopherson]

The following commit has been merged into the x86/misc branch of tip:

Commit-ID:     40c4b47f41b95dff743c841536cb64014e65ef0c
Gitweb:        https://git.kernel.org/tip/40c4b47f41b95dff743c841536cb64014e65ef0c
Author:        Sean Christopherson <seanjc@google.com>
AuthorDate:    Thu, 23 Apr 2026 07:54:17 -07:00
Committer:     Dave Hansen <dave.hansen@linux.intel.com>
CommitterDate: Mon, 27 Apr 2026 12:02:40 -07:00

x86/bug: Add printf() validation to HAVE_ARCH_BUG_FORMAT_ARGS WARNs

Add explicit printf() validation for x86-64's newfangled WARN
implementation, as most (all?) compilers fail to detect basic formatting
issues without the annotation.  E.g. even goofs like printing a u64 as a
string aren't detected:

  WARN_ONCE(1, "Bad message, %s", vcpu->arch.last_guest_tsc);

32-bit x86 doesn't support HAVE_ARCH_BUG_FORMAT_ARGS and uses generic
implementations that provide printf() validation. This means there's
now a big blind spot is code that is strictly x86-64. Inconveniently,
new features are also frequently x86-64-only.

Fix the blind 64-bit blind spot.

[ dhansen: changelog tweaks to flesh out the 64-bit-only details ]

Fixes: 5b472b6e5bd9 ("x86_64/bug: Implement __WARN_printf()")
Fixes: 11bb4944f014 ("x86/bug: Implement WARN_ONCE()")
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lore.kernel.org/all/adc1IrD8uqWdaOKv@yzhao56-desk.sh.intel.com
Link: https://patch.msgid.link/20260423145419.459988-2-seanjc@google.com
---
 arch/x86/include/asm/bug.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/include/asm/bug.h b/arch/x86/include/asm/bug.h
index 80c1696..bf3c802 100644
--- a/arch/x86/include/asm/bug.h
+++ b/arch/x86/include/asm/bug.h
@@ -153,6 +153,7 @@ struct arch_va_list {
 	struct sysv_va_list args;
 };
 extern void *__warn_args(struct arch_va_list *args, struct pt_regs *regs);
+static __always_inline __printf(1, 2) void __WARN_validate_printf(const char *fmt, ...) { }
 #endif /* __ASSEMBLER__ */
 
 #define __WARN_bug_entry(flags, format) ({				\
@@ -172,6 +173,7 @@ extern void *__warn_args(struct arch_va_list *args, struct pt_regs *regs);
 #define __WARN_print_arg(flags, format, arg...)				\
 do {									\
 	int __flags = (flags) | BUGFLAG_WARNING | BUGFLAG_ARGS ;	\
+	__WARN_validate_printf(format, ## arg);				\
 	static_call_mod(WARN_trap)(__WARN_bug_entry(__flags, format), ## arg); \
 	asm (""); /* inhibit tail-call optimization */			\
 } while (0)

Re: [tip: x86/misc] x86/bug: Add printf() validation to HAVE_ARCH_BUG_FORMAT_ARGS WARNs

[Sean Christopherson]

On Mon, Apr 27, 2026, tip-bot2 for Sean Christopherson wrote:
> The following commit has been merged into the x86/misc branch of tip:
> 
> Commit-ID:     40c4b47f41b95dff743c841536cb64014e65ef0c
> Gitweb:        https://git.kernel.org/tip/40c4b47f41b95dff743c841536cb64014e65ef0c
> Author:        Sean Christopherson <seanjc@google.com>
> AuthorDate:    Thu, 23 Apr 2026 07:54:17 -07:00
> Committer:     Dave Hansen <dave.hansen@linux.intel.com>
> CommitterDate: Mon, 27 Apr 2026 12:02:40 -07:00
> 
> x86/bug: Add printf() validation to HAVE_ARCH_BUG_FORMAT_ARGS WARNs
> 
> Add explicit printf() validation for x86-64's newfangled WARN
> implementation, as most (all?) compilers fail to detect basic formatting
> issues without the annotation.  E.g. even goofs like printing a u64 as a
> string aren't detected:
> 
>   WARN_ONCE(1, "Bad message, %s", vcpu->arch.last_guest_tsc);
> 
> 32-bit x86 doesn't support HAVE_ARCH_BUG_FORMAT_ARGS and uses generic
> implementations that provide printf() validation. This means there's
> now a big blind spot is code that is strictly x86-64. Inconveniently,
> new features are also frequently x86-64-only.
> 
> Fix the blind 64-bit blind spot.
> 
> [ dhansen: changelog tweaks to flesh out the 64-bit-only details ]

Much better than what I wrote, thanks Dave!