Subject: Re: [PATCH 00/14] Fix wrong %pF and %pS printk format specifier
 usages
To: "Luck, Tony" <tony.luck@intel.com>,
        Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
        Petr Mladek <pmladek@suse.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        "Yu, Fenghua" <fenghua.yu@intel.com>,
        Benjamin Herrenschmidt <benh@kernel.crashing.org>,
        Paul Mackerras <paulus@samba.org>,
        Michael Ellerman <mpe@ellerman.id.au>
References: <20170907004522.GA3885@jagdpanzerIV.localdomain>
 <8b93f9ca-95f6-4e40-1cc8-d1a65833abff@gmx.de>
 <20170907075653.GA533@jagdpanzerIV.localdomain>
 <20170907083207.GC533@jagdpanzerIV.localdomain>
 <667b8849-fb60-a312-2483-505252ff737e@gmx.de>
 <20170907093631.GD533@jagdpanzerIV.localdomain>
 <20170907095119.GE533@jagdpanzerIV.localdomain>
 <0604f27e-24ab-625b-9013-c6c0f4f6acc1@gmx.de>
 <3908561D78D1C84285E8C5FCA982C28F6136C2ED@ORSMSX114.amr.corp.intel.com>
 <20170908061830.GA496@jagdpanzerIV.localdomain>
 <20170908172528.qc2vdtxzqh777k6o@intel.com>
From: Helge Deller <deller@gmx.de>
Message-ID: <67a0aad8-5412-60f8-6481-562d37995eb2@gmx.de>
Date: Fri, 8 Sep 2017 20:28:13 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <20170908172528.qc2vdtxzqh777k6o@intel.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1920
Lines: 44

On 08.09.2017 19:25, Luck, Tony wrote:
> On Fri, Sep 08, 2017 at 03:18:30PM +0900, Sergey Senozhatsky wrote:
>> if the addr is not in kernel .text, then try dereferencing it and check
>> if the dereferenced addr is in kernel .text.
> 
> If it really is a function pointer, then we know that it is safe
> to dereference. But if it isn't, then maybe not?
> 
> If it is a function pointer then dereferening will indeed give
> us a .text address. But if it isn't, it might still give us a
> .text address (we could reduce the probability of a false hit
> by checking that the .text address was exactly on a symbol with
> no offset ... but data values that happen to be the addresses of
> function entry points are possible).

I don't like this kind of trying to figure out at runtime at all.
It's too much guessing in here IMHO.

What about this idea:
For %pF we always have pointers to functions, e.g.: 
        printk("Going to call: %pF\n", gettimeofday);
        printk("Going to call: %pF\n", p->func);

and for %pS most (if not all) usages use some kind of casting 
from "unsigned long" to "void *", e.g.:
        printk("%s: called from %pS\n", __func__, (void *)_RET_IP_);
        printk("%s: called from %pS\n", __func__, (void *)__builtin_return_address(0));
        printk("Faulted at %pS\n", (void *)regs->ip);

So, what if we for the %pS case simply take the type as it is 
(unsigned long) and introduce a new printk-format, e.g. "%luS" ?
The %pS examples above then become:
        printk("%s: called from %luS\n", __func__, _RET_IP_);
        printk("%s: called from %luS\n", __func__, __builtin_return_address(0));
        printk("Faulted at %luS\n", regs->ip);

That way we don't need type-casting, gain compile-time type 
checks from the compiler, and we could add a checkpatch (or occinelle)
check which checks for the combination of %pF/%pS and "void*" keyword
and suggest to use %luS.

Opinions?

Helge