Re: [PATCH] lib/vsprintf: Validate sleepable context during restrictred pointer formatting
From: Petr Mladek
Date: Wed Mar 18 2026 - 07:11:42 EST
Now, really with John and Sebastian in Cc.
On Wed 2026-03-18 09:48:06, Thomas Weißschuh wrote:
> On Tue, Mar 17, 2026 at 12:41:23PM +0100, Thomas Weißschuh wrote:
> > Depending on the system configuration, the restricted pointer formatting
> > might call into the security subsystem which might sleep.
> > As %pK is intended to be only used from read handlers of virtual files,
> > which always run in task context, this should never happen in practice.
> > However, developers have used %pK before from atomic context without
> > realizing this restriction. While all existing user of %pK through
> > printk() have been removed, new ones might be reintroduced accidentally
> > in the future.
> >
> > Add a might_sleep(), so that misuse of %pK from atomic context is
> > detected right away.
> >
> > Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@xxxxxxxxxxxxx/
> > Link: https://lore.kernel.org/lkml/20241217142032.55793-1-acarmina@xxxxxxxxxx/
> > Signed-off-by: Thomas Weißschuh <thomas.weissschuh@xxxxxxxxxxxxx>
> > ---
> > This depends on commit 5886cc8f895b ("drm/msm/dpu: Don't use %pK through
> > printk (again)"), which was merged in v7.0-rc2.
> > ---
> > lib/vsprintf.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/lib/vsprintf.c b/lib/vsprintf.c
> > index 800b8ac49f53..eb9dbb28fb9b 100644
> > --- a/lib/vsprintf.c
> > +++ b/lib/vsprintf.c
> > @@ -862,6 +862,9 @@ static noinline_for_stack
> > char *restricted_pointer(char *buf, char *end, const void *ptr,
> > struct printf_spec spec)
> > {
> > + /* Only usable from task context, The call to has_capability_noaudit() might sleep. */
> > + might_sleep();
> > +
>
> So might_sleep() is not actually the right thing to do here.
> Some callers use %pK under a spinlock, which fails the might_sleep() check.
> However this is fine to do, as has_capability_noaudit() also only takes a
> spinlock.
My understanding is that we want to simulate that we are going
to call a normal spin_lock() which might sleep in PREEMPT_RT.
So that we trigger the warning when %pK is used under
a raw_spin_lock.
It might likely be achieved by adding a "fake" spin_lock and might_lock().
I am not sure if there is an easier way by using just
a struct lockdep_map.
I am always a bit confused by the lockdep annotation.
>
> > switch (kptr_restrict) {
> > case 0:
> > /* Handle as %p, hash and do _not_ leak addresses. */
Best Regards,
Petr