Re: [PATCH v3 1/2] lib/vsprintf: Fix to check field_width and precision

[Petr Mladek]

On Mon 2026-03-23 13:59:05, David Laight wrote:
> On Mon, 23 Mar 2026 15:27:31 +0200
> Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx> wrote:
> 
> > On Sat, Mar 21, 2026 at 11:41:12PM +0900, Masami Hiramatsu (Google) wrote:
> > 
> > > Check the field_width and presition correctly. Previously it depends
> > > on the bitfield conversion from int to check out-of-range error.
> > > However, commit 938df695e98d ("vsprintf: associate the format state
> > > with the format pointer") changed those fields to int.
> > > We need to check the out-of-range correctly without bitfield
> > > conversion.  
> > 
> > ...
> > 
> > >  static void
> > >  set_field_width(struct printf_spec *spec, int width)
> > >  {
> > > -	spec->field_width = width;
> > > -	if (WARN_ONCE(spec->field_width != width, "field width %d too large", width)) {
> > > -		spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> > > +	if (WARN_ONCE(width > FIELD_WIDTH_MAX || width < -FIELD_WIDTH_MAX,
> > > +		      "field width %d too large", width)) {
> > > +		width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> > >  	}
> > > +	spec->field_width = width;
> > >  }
> > >  
> > >  static void
> > >  set_precision(struct printf_spec *spec, int prec)
> > >  {
> > > -	spec->precision = prec;
> > > -	if (WARN_ONCE(spec->precision != prec, "precision %d too large", prec)) {
> > > -		spec->precision = clamp(prec, 0, PRECISION_MAX);
> > > +	if (WARN_ONCE(prec > PRECISION_MAX || prec < 0,
> > > +		      "precision %d too large", prec)) {
> > > +		prec = clamp(prec, 0, PRECISION_MAX);
> > >  	}
> > > +	spec->precision = prec;
> > >  }  
> > 
> > Looking at this, perhaps
> > 
> > #define clamp_WARN_*(...)
> > 	...

It would make sense. But I do not want to force Masami to do so.


> When I looked at this I did wonder whether the compiler would manage to
> only do the comparisons once.

I believe that compilers would optimize this.

> Even if it doesn't the separate WARN is more readable.
> 
> Or maybe:
> 	spec->field_width = clamp(width, -FIELD_WIDTH_MAX, FIELD_WIDTH_MAX);
> 	WARN_ON(spec->field_width != width, "field width %d too large", width);

But this is fine as well.

> I'd be more worried about the bloat and system panic for all the systems
> with panic_on_warn set (the default for many distos).
> (And, like panic_on_oops, it doesn't give time for the error to get into
> the system logs.)

The WARN_ONCE() has been added by the commit 4d72ba014b4b09 ("lib/vsprintf.c:
warn about too large precisions and field widths"). The motivation was
that it was used also by some %p? modifiers, e.g. for the bitfield size, where
a clamped value might cause more confusion.

I do not want to open a bike shedding whether it is important enough
or not. I agree that it likely is not a reason to panic but it was
there 10 years so I could live with it.

That said, I always thought about introducing a macro which would
print a message+backtrace but it would not panic, e.g. SOFT_WARN()
or INFO() or MSG_AND_BT(level, msg, ...). But it seems to be
out of scope of this patchset.

> I've also just fixed nolibc's handling of %*.*s (which is in 'next' since
> I only wrote it recently), the above is actually broken.
> Negative 'precision' (all values) are fine, they just request the default.

Great catch! We should clamp the precision to (0, PRECISION_MAX). But we
should warn only when it is outside of (-PRECISION_MAX, PRECISION_MAX).

> So the patch needs a big fat NACK...

What is an acceptable solution then, please?

Frankly, I would like to stay on earth. This started as a simple fix
of a regression added a year ago. For me, any solution which
restores the year old behavior is good enough.

We might need to find another volunteer to implement a better
solution, e.g. the new non-panicing MSG_AND_BT() macro.

Alternatively, we could remove the WARN_ONCE() completely.
It looks acceptable for me. But Rasmus would need to agree as well.

Best Regards,
Petr