Re: [PATCH] lib/vsprintf: Validate sleepable context during restricted pointer formatting
From: Thomas Weißschuh
Date: Wed Mar 18 2026 - 04:48:19 EST
On Tue, Mar 17, 2026 at 12:41:23PM +0100, Thomas Weißschuh wrote:
> Depending on the system configuration, the restricted pointer formatting
> might call into the security subsystem which might sleep.
> As %pK is intended to be only used from read handlers of virtual files,
> which always run in task context, this should never happen in practice.
> However, developers have used %pK before from atomic context without
> realizing this restriction. While all existing users of %pK through
> printk() have been removed, new ones might be reintroduced accidentally
> in the future.
>
> Add a might_sleep(), so that misuse of %pK from atomic context is
> detected right away.
>
> Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@xxxxxxxxxxxxx/
> Link: https://lore.kernel.org/lkml/20241217142032.55793-1-acarmina@xxxxxxxxxx/
> Signed-off-by: Thomas Weißschuh <thomas.weissschuh@xxxxxxxxxxxxx>
> ---
> This depends on commit 5886cc8f895b ("drm/msm/dpu: Don't use %pK through
> printk (again)"), which was merged in v7.0-rc2.
> ---
> lib/vsprintf.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> index 800b8ac49f53..eb9dbb28fb9b 100644
> --- a/lib/vsprintf.c
> +++ b/lib/vsprintf.c
> @@ -862,6 +862,9 @@ static noinline_for_stack
> char *restricted_pointer(char *buf, char *end, const void *ptr,
> struct printf_spec spec)
> {
> + /* Only usable from task context, The call to has_capability_noaudit() might sleep. */
> + might_sleep();
> +
So might_sleep() is not actually the right thing to do here.
Some callers use %pK under a spinlock, which fails the might_sleep() check.
However this is fine to do, as has_capability_noaudit() also only takes a
spinlock.
> switch (kptr_restrict) {
> case 0:
> /* Handle as %p, hash and do _not_ leak addresses. */
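Review bot: the added comment above might_sleep() has a comma where a full stop belongs ("task context, The call to ...") and runs well past the usual line width, so it should be split into a multi-line comment. The check is also placed ahead of switch (kptr_restrict), which means it fires for every setting, including case 0, which the existing comment describes as handled like plain %p. If that is deliberate, so that misuse is caught independent of the system configuration, the comment should say so. The follow-up in this thread states that has_capability_noaudit() only takes a spinlock and that some callers use %pK under a spinlock, so both the comment's "might sleep" wording and the choice of might_sleep() need to be revisited before this is applied.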