Received: by 10.213.65.68 with SMTP id h4csp978220imn;
        Fri, 6 Apr 2018 12:15:26 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+efqMmPjaIG70VxU606adnY6dFTVRsgV1OSi6O6ZriYzd/N1rdRUPt5FjLHVdMyT26ZFJW
X-Received: by 2002:a17:902:b617:: with SMTP id b23-v6mr27983952pls.191.1523042126318;
        Fri, 06 Apr 2018 12:15:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523042126; cv=none;
        d=google.com; s=arc-20160816;
        b=gtC9yHrWRyHPdaWuHRazGUzHgmzVTARY+R2RhY2L1JNAXkEqfwec0NxSfydoCsH76B
         nz0XpLyaJU0FYAQi0z5QEpNmG8TM0oQd+iXAYHa97KziXJkcitswqoN7iieUIDqtJVlP
         2ybtOqBWeLKiSsDQXFAu1jieanKnfiu1pFbaY/v0d2HQcHxqrTOMnZXOMAPeMWRntFMM
         cfUSKpo0NS/3wj7kLlwyS0jMPheXSy15a2hBw1q9p4agnKVs18WZs9OLlUFvrlnHh7M9
         hhL6wf7phRu2dYN+OTX1C3s6VQBm0pQL8eFSt1Ew3lkmD7XdUg2jBvuopeutR80x4FLk
         tG4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :date:cc:to:from:subject:message-id:arc-authentication-results;
        bh=BrU3o90Imp90LCdqAGJ6VJxEphuGI4potAEIC7eBIn8=;
        b=ryvaLjd7ixYmwRieLSHSw6uWNx66wMHh6bX4A2Od2g00D01CkGtw7vWtcPBdCGZbPk
         u50f7jrzd/76qIoGx2vvpAnSxwmhJL5Y8K4qbCuk6m/yOxbnBlXAdi6nuMTeCKfgRfd2
         5IfQi36j3GxdjD4viGAnjAeXtd0gX8hwXCKf7LeCIgmuggWMBVa+uVYuRH3MjnBDelQq
         3g7+xaBo3ZDsRAS2NSWVEAgy5IwSOx1ahAWDx8O+YwOdT0lCNw2IWbvAAD08n+Le1qhx
         848YZn6qqUhK6h1xYuf8X5o/G5qIHK5peNBB/14373cziVGLW/70YQdpKrEyeQD+LNTJ
         kvqQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q4si7380018pga.319.2018.04.06.12.14.48;
        Fri, 06 Apr 2018 12:15:26 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751759AbeDFTIs (ORCPT <rfc822;tuxbino@gmail.com> + 99 others);
        Fri, 6 Apr 2018 15:08:48 -0400
Received: from smtprelay0086.hostedemail.com ([216.40.44.86]:42888 "EHLO
        smtprelay.hostedemail.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1751312AbeDFTIr (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 6 Apr 2018 15:08:47 -0400
Received: from filter.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60])
        by smtprelay02.hostedemail.com (Postfix) with ESMTP id E5F8040C6;
        Fri,  6 Apr 2018 19:08:46 +0000 (UTC)
X-Session-Marker: 6A6F6540706572636865732E636F6D
X-Spam-Summary: 2,0,0,,d41d8cd98f00b204,joe@perches.com,:::::::::::,RULES_HIT:41:355:379:541:960:969:973:988:989:1260:1277:1311:1313:1314:1345:1373:1437:1515:1516:1518:1534:1542:1593:1594:1711:1730:1747:1777:1792:1801:2393:2559:2562:2693:2828:3138:3139:3140:3141:3142:3353:3740:3865:3866:3867:3868:3870:3871:4470:4605:5007:6117:7557:7903:8660:10004:10400:10848:11026:11658:11914:12043:12296:12438:12555:12760:13148:13161:13229:13230:13439:14181:14659:14721:21080:21094:21323:21324:21451:21622:30054:30056:30070:30080,0,RBL:47.151.150.235:@perches.com:.lbl8.mailshell.net-62.8.0.100 64.201.201.201,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fn,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0,LFtime:21,LUA_SUMMARY:none
X-HE-Tag: desk47_698de06465520
X-Filterd-Recvd-Size: 3388
Received: from XPS-9350 (unknown [47.151.150.235])
        (Authenticated sender: joe@perches.com)
        by omf07.hostedemail.com (Postfix) with ESMTPA;
        Fri,  6 Apr 2018 19:08:45 +0000 (UTC)
Message-ID: <1523041723.6127.33.camel@perches.com>
Subject: s390: defective uses of va_arg in __debug_sprintf_event
From:   Joe Perches <joe@perches.com>
To:     Martin Schwidefsky <schwidefsky@de.ibm.com>,
        Heiko Carstens <heiko.carstens@de.ibm.com>
Cc:     linux-s390@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        Rasmus Villemoes <linux@rasmusvillemoes.dk>,
        Petr Mladek <pmladek@suse.com>
Date:   Fri, 06 Apr 2018 12:08:43 -0700
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailer: Evolution 3.26.1-1 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

debug_sprintf_event calls __debug_sprintf_event
with a format and arguments.

There various types of arguments used in these
call, but __debug_sprintf_event uses va_arg
with only long as the type argument so random
errors could occur because the type and argument
are supposed to match.

    debug_entry_t *__debug_sprintf_event(debug_info_t *id, int level, char *string, ...)
    {
    	    [...]
    	    va_start(ap, string);
    	    curr_event->string = string;
    	    for (idx = 0; idx < min(numargs, (int)(id->buf_size / sizeof(long)) - 1); idx++)
    	    	    curr_event->args[idx] = va_arg(ap, long);
    	    va_end(ap);
    	    [...]
    }

from man va_arg

    va_arg()

    if type is not compatible with the type of the actual next argument
    (as promoted according to the default argument promotions),
    random errors will occur.

For instance, uses like:

arch/s390/kernel/perf_cpum_sf.c:919:    debug_sprintf_event(sfdbg, 6, "pmu_enable: es=%i cs=%i ed=%i cd=%i "
arch/s390/kernel/perf_cpum_sf.c-920-                        "tear=%p dear=%p\n", cpuhw->lsctl.es, cpuhw->lsctl.cs,
arch/s390/kernel/perf_cpum_sf.c-921-                        cpuhw->lsctl.ed, cpuhw->lsctl.cd,
arch/s390/kernel/perf_cpum_sf.c-922-                        (void *) cpuhw->lsctl.tear, (void *) cpuhw->lsctl.dear);

where the first 3 arguments are int but their type
as used by va_arg in __debug_sprintf_event is long
which could produce random errors.

Instead of adding complete format % decoding,
perhaps the easiest solution is to change all
the formats to use %lu or %ld and cast each
argument as appropriate.

And I found this when looking at another defect
in debug_sprintf_event where a %p<foo> extension
is unintentionally used via a string concatenation.
as pointed out by Rasmus Villemoes
---
 arch/s390/kernel/perf_cpum_sf.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
index 1c9ddd7aa5ec..1c449a6f841a 100644
--- a/arch/s390/kernel/perf_cpum_sf.c
+++ b/arch/s390/kernel/perf_cpum_sf.c
@@ -212,9 +212,7 @@ static int realloc_sampling_buffer(struct sf_buffer *sfb,
 	 * the sampling buffer origin.
 	 */
 	if (sfb->sdbt != get_next_sdbt(tail)) {
-		debug_sprintf_event(sfdbg, 3, "realloc_sampling_buffer: "
-				    "sampling buffer is not linked: origin=%p"
-				    "tail=%p\n",
+		debug_sprintf_event(sfdbg, 3, "realloc_sampling_buffer: sampling buffer is not linked: origin=%p tail=%p\n",
 				    (void *) sfb->sdbt, (void *) tail);
 		return -EINVAL;
 	}