Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754950AbdIGJMb (ORCPT ); Thu, 7 Sep 2017 05:12:31 -0400 Received: from mout.gmx.net ([212.227.17.20]:61808 "EHLO mout.gmx.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754404AbdIGJMa (ORCPT ); Thu, 7 Sep 2017 05:12:30 -0400 Subject: Re: [PATCH 00/14] Fix wrong %pF and %pS printk format specifier usages To: Sergey Senozhatsky Cc: linux-kernel@vger.kernel.org, Sergey Senozhatsky , Petr Mladek , Andrew Morton References: <1504729681-3504-1-git-send-email-deller@gmx.de> <20170907004522.GA3885@jagdpanzerIV.localdomain> <8b93f9ca-95f6-4e40-1cc8-d1a65833abff@gmx.de> <20170907075653.GA533@jagdpanzerIV.localdomain> <20170907083207.GC533@jagdpanzerIV.localdomain> From: Helge Deller Message-ID: <667b8849-fb60-a312-2483-505252ff737e@gmx.de> Date: Thu, 7 Sep 2017 11:12:21 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <20170907083207.GC533@jagdpanzerIV.localdomain> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K0:WzO7qb7kncTAKm/W40+atUJr2KdMxjmESs75Mb0JVMe1L5Fzr0t kbGfUpyPKOqxe7yeu+CMQW7DKrFgGTTwHpDlyC4EVTqs+UW+ODzF2GMVYeYkruN3DOWqfCs NcNrZ4gsIKdgEWRorDP6NjejiEfQTEys3cEmKPXjzs+jf+PUcfItGA8YpArmcJjYFf21gqM P9kxBngpimoHjCL00gydg== X-UI-Out-Filterresults: notjunk:1;V01:K0:V9hZ3BbyhEc=:T1CZOH+GvUw+OBibh4B2WS 3VCK0TrzCKLOcyRM6E2tZroUyuOkGoN2BKUZx4slsow7x3pztaQTx9rxz2pdwTkKVsRhxgrNG 0fMhkGHBqHuOl4BULTNtJ/RhiiubekTk/EQGcqrRw1Y6Yupy5sOhuJOVlOv9hxC7D+grUFy/e +5C2F7s7yszCH26U76f4USUSePcUiUmx2J0fNZN261d2/oX6aj925Vca3BFJFhu0iO6dHhROA 8/xIg+icxEC3nsVReA8ubIBRyG/H9GK3zdzH7Ls/QkmgUfSgfQSxLjLRN8A7LcPxBod66mVwz PaMVs2WeoytOUfAe5pdoqk1Gf5l2wCWiywFn/irVLNShUK9v5Vif1FgWHa/fNm9by5iMgzOL/ ZXCi+LVpA/qRfcZ9wlGfxEZjoRnVVr+Xn0ZwnTFKnn/UUS7mO1BK8WOP/1OdcswR8++mcfHlQ gY0852k7Cr48xxTy8pIyJ3BSGtooWeqIlBfHAaTKw/joXkBHBfLAL2oKEGMWuAxif590YLyIH zTAzFoqDLuQt+DTYTjeDqMgE1OSEmr2BlPqJYMhqfkUvtbg3H2nlcV+lJsz7LVRyeCa4Q4IF1 98qAND9Ch8cgNaRrtFKIoNtm4/0EdX1F5w+XLBwrmovo4pSmZnp2AesWy27DmPFXMyvM96p4Y ZLwvae+kz/kR8qQHmYD82lyjAXU+WSgzlJzhYN+xCpJl4DcwxvSd/KrLaSWapnSNeyfjs3AZT srn3xfT1+6wq93GeZxOnfhLFbwlifpumI/0LZIS5wmK4XzOVbgI1j7CfXgWsM+cMC7TFPbCY4 g2Onm/v7Qxx+w+BHGeGGz9y2bxbEL61LHU2Whu98sAoEtppN64= Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3110 Lines: 89 On 07.09.2017 10:32, Sergey Senozhatsky wrote: > On (09/07/17 16:56), Sergey Senozhatsky wrote: > [..] > probe_kernel_address() handles the page fault and returns -EFAULT if > you give it bad pointer. module_address_lookup() and get_symbol_pos() > seems to be smart enough not to crash on bad pointer as well. what am > I missing? could you please explain where we will crash? Actually I never faced a kernel crash because of this on parisc. Don't know for ia64 and ppc64. >> BTW, are we sure we can crash? when attempt to deference IP from >> the given descriptor? shall we handle page fault in this case and >> do something sane? just asking. > > I don't know... does the below code make any sense? No. Read below. > basically it checks that it's safe to access ptr (we can access it > without page fault in __dereference_function_descriptor()). then > we do ptr->ip, and also check if it's safe, but in > dereference_function_descriptor(). > > I suppose somethign like > > pr_err("%pF\n", 1); > > can crash ia64, etc. correct? On parisc it will not crash because we handle that one already. For others I don't know. But something like pr_err("%pF\n", (unsigned long) (-1)); or any address above 0xffffffff00000000ULL might do bad things on parisc, because it touches the I/O space and we don't check that yet. > lib/vsprintf.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/lib/vsprintf.c b/lib/vsprintf.c > index 86c3385b9eb3..0dc39b95e1d9 100644 > --- a/lib/vsprintf.c > +++ b/lib/vsprintf.c > @@ -1593,6 +1593,16 @@ char *device_node_string(char *buf, char *end, struct device_node *dn, > > int kptr_restrict __read_mostly; > > +static void *__dereference_function_descriptor(void *ptr) > +{ > + void *p; > + > + if (!probe_kernel_address(ptr, p)) > + return dereference_function_descriptor(ptr); > + > + return ptr; > +} > + > /* > * Show a '%p' thing. A kernel extension is that the '%p' is followed > * by an extra set of alphanumeric characters that are extended format > @@ -1723,7 +1733,7 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr, > switch (*fmt) { > case 'F': > case 'f': > - ptr = dereference_function_descriptor(ptr); > + ptr = __dereference_function_descriptor(ptr); This is not needed. All affected arches (ia64, ppc64, parisc64) already call probe_kernel_address() inside their dereference_function_descriptor() function. So this patch just adds unnecessary overhead for all arches. > ... here is a question, does function descriptor belong to a special > section? can we check that supplied ptr belongs to a descriptor section > and avoid dereference_function_descriptor() if it doesn't? (just fall > through directly to symbol_string() in this case). is this possible? I think theoretically yes. On parisc ptr does *not* point to any code segment, and most likely it points to the .data segment. I don't know if that's the case for ia64 and ppc64 too. I can look into adding such check-code, but even then the warning will only show up if you run on ia64, ppc64 and parisc64. Helge