From: Petr Mladek <pmladek@suse.com>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
David Laight <David.Laight@aculab.com>,
Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
christophe leroy <christophe.leroy@c-s.fr>,
Linus Torvalds <torvalds@linux-foundation.org>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
"Tobin C . Harding" <me@tobin.cc>, Michal Hocko <mhocko@suse.cz>,
Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
Russell Currey <ruscur@russell.cc>,
Stephen Rothwell <sfr@ozlabs.org>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
"linux-s390@vger.kernel.org" <linux-s390@vger.kernel.org>,
Martin Schwidefsky <schwidefsky@de.ibm.com>
Subject: Re: [PATCH] vsprintf: Do not break early boot with probing addresses
Date: Wed, 15 May 2019 09:53:39 +0200 [thread overview]
Message-ID: <20190515075339.7biocrjfpxj77l3b@pathway.suse.cz> (raw)
In-Reply-To: <CAMuHMdUFEwxwQUWg0HNUiz75hP6S7TVGSx7fWXnsQ_3qsVfotQ@mail.gmail.com>
On Wed 2019-05-15 09:23:05, Geert Uytterhoeven wrote:
> Hi Steve,
>
> On Tue, May 14, 2019 at 9:35 PM Steven Rostedt <rostedt@goodmis.org> wrote:
> > On Tue, 14 May 2019 21:13:06 +0200
> > Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> > > > > Do we care about the value? "(-E%u)"?
> > > >
> > > > That too could be confusing. What would (-E22) be considered by a user
> > > > doing an sprintf() on some string. I know that would confuse me, or I
> > > > would think that it was what the %pX displayed, and wonder why it
> > > > displayed it that way. Whereas "(fault)" is quite obvious for any %p
> > > > use case.
> > >
> > > I would immediately understand there's a missing IS_ERR() check in a
> > > function that can return -EINVAL, without having to add a new printk()
> > > to find out what kind of bogus value has been received, and without
> > > having to reboot, and trying to reproduce...
> >
> > I have to ask. Has there actually been a case that you used a %pX and
> > it faulted, and you had to go back to find what the value of the
> > failure was?
>
> If it faulted, the bad pointer value is obvious from the backtrace.
> If the code avoids the fault by verifying the pointer and returning
> "(efault)" instead, the bad pointer value is lost.
>
> Or am I missing something?
Should buggy printk() crash the system?
Another problem is that vsprintf() is called in printk() under
lockbuf_lock. The messages are stored into printk_safe per CPU
buffers. It allows to see the nested messages. But there is still
a bigger risk of missing them than with a "normal" fault.
Finally, various variants of these checks were already used
in "random" printf formats. The only change is that we are
using them consistently everywhere[*] a pointer is accessed.
[*] Just the top level pointer is checked. Some pointer modifiers
are accessing ptr->ptr->val. The lower level pointers are not
checked to avoid too much complexity.
Best Regards,
Petr
WARNING: multiple messages have this Message-ID (diff)
From: Petr Mladek <pmladek@suse.com>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
David Laight <David.Laight@aculab.com>,
Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
christophe leroy <christophe.leroy@c-s.fr>,
Linus Torvalds <torvalds@linux-foundation.org>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
"Tobin C . Harding" <me@tobin.cc>, Michal Hocko <mhocko@suse.cz>,
Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Michael Ellerman <mpe@ellerman.id.au>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
Russell Currey <ruscur@russell.cc>,
Stephen Rothwell <sfr@ozlabs.org>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.>
Subject: Re: [PATCH] vsprintf: Do not break early boot with probing addresses
Date: Wed, 15 May 2019 09:53:39 +0200 [thread overview]
Message-ID: <20190515075339.7biocrjfpxj77l3b@pathway.suse.cz> (raw)
In-Reply-To: <CAMuHMdUFEwxwQUWg0HNUiz75hP6S7TVGSx7fWXnsQ_3qsVfotQ@mail.gmail.com>
On Wed 2019-05-15 09:23:05, Geert Uytterhoeven wrote:
> Hi Steve,
>
> On Tue, May 14, 2019 at 9:35 PM Steven Rostedt <rostedt@goodmis.org> wrote:
> > On Tue, 14 May 2019 21:13:06 +0200
> > Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> > > > > Do we care about the value? "(-E%u)"?
> > > >
> > > > That too could be confusing. What would (-E22) be considered by a user
> > > > doing an sprintf() on some string. I know that would confuse me, or I
> > > > would think that it was what the %pX displayed, and wonder why it
> > > > displayed it that way. Whereas "(fault)" is quite obvious for any %p
> > > > use case.
> > >
> > > I would immediately understand there's a missing IS_ERR() check in a
> > > function that can return -EINVAL, without having to add a new printk()
> > > to find out what kind of bogus value has been received, and without
> > > having to reboot, and trying to reproduce...
> >
> > I have to ask. Has there actually been a case that you used a %pX and
> > it faulted, and you had to go back to find what the value of the
> > failure was?
>
> If it faulted, the bad pointer value is obvious from the backtrace.
> If the code avoids the fault by verifying the pointer and returning
> "(efault)" instead, the bad pointer value is lost.
>
> Or am I missing something?
Should buggy printk() crash the system?
Another problem is that vsprintf() is called in printk() under
lockbuf_lock. The messages are stored into printk_safe per CPU
buffers. It allows to see the nested messages. But there is still
a bigger risk of missing them than with a "normal" fault.
Finally, various variants of these checks were already used
in "random" printf formats. The only change is that we are
using them consistently everywhere[*] a pointer is accessed.
[*] Just the top level pointer is checked. Some pointer modifiers
are accessing ptr->ptr->val. The lower level pointers are not
checked to avoid too much complexity.
Best Regards,
Petr
WARNING: multiple messages have this Message-ID (diff)
From: Petr Mladek <pmladek@suse.com>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: "linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
"linux-s390@vger.kernel.org" <linux-s390@vger.kernel.org>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Steven Rostedt <rostedt@goodmis.org>,
Michal Hocko <mhocko@suse.cz>,
Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
David Laight <David.Laight@aculab.com>,
Stephen Rothwell <sfr@ozlabs.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
"Tobin C . Harding" <me@tobin.cc>
Subject: Re: [PATCH] vsprintf: Do not break early boot with probing addresses
Date: Wed, 15 May 2019 09:53:39 +0200 [thread overview]
Message-ID: <20190515075339.7biocrjfpxj77l3b@pathway.suse.cz> (raw)
In-Reply-To: <CAMuHMdUFEwxwQUWg0HNUiz75hP6S7TVGSx7fWXnsQ_3qsVfotQ@mail.gmail.com>
On Wed 2019-05-15 09:23:05, Geert Uytterhoeven wrote:
> Hi Steve,
>
> On Tue, May 14, 2019 at 9:35 PM Steven Rostedt <rostedt@goodmis.org> wrote:
> > On Tue, 14 May 2019 21:13:06 +0200
> > Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> > > > > Do we care about the value? "(-E%u)"?
> > > >
> > > > That too could be confusing. What would (-E22) be considered by a user
> > > > doing an sprintf() on some string. I know that would confuse me, or I
> > > > would think that it was what the %pX displayed, and wonder why it
> > > > displayed it that way. Whereas "(fault)" is quite obvious for any %p
> > > > use case.
> > >
> > > I would immediately understand there's a missing IS_ERR() check in a
> > > function that can return -EINVAL, without having to add a new printk()
> > > to find out what kind of bogus value has been received, and without
> > > having to reboot, and trying to reproduce...
> >
> > I have to ask. Has there actually been a case that you used a %pX and
> > it faulted, and you had to go back to find what the value of the
> > failure was?
>
> If it faulted, the bad pointer value is obvious from the backtrace.
> If the code avoids the fault by verifying the pointer and returning
> "(efault)" instead, the bad pointer value is lost.
>
> Or am I missing something?
Should buggy printk() crash the system?
Another problem is that vsprintf() is called in printk() under
lockbuf_lock. The messages are stored into printk_safe per CPU
buffers. It allows to see the nested messages. But there is still
a bigger risk of missing them than with a "normal" fault.
Finally, various variants of these checks were already used
in "random" printf formats. The only change is that we are
using them consistently everywhere[*] a pointer is accessed.
[*] Just the top level pointer is checked. Some pointer modifiers
are accessing ptr->ptr->val. The lower level pointers are not
checked to avoid too much complexity.
Best Regards,
Petr
next prev parent reply other threads:[~2019-05-15 7:53 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-09 12:19 [PATCH] vsprintf: Do not break early boot with probing addresses Petr Mladek
2019-05-09 12:19 ` Petr Mladek
2019-05-09 13:05 ` Andy Shevchenko
2019-05-09 13:05 ` Andy Shevchenko
2019-05-09 13:13 ` Steven Rostedt
2019-05-09 13:13 ` Steven Rostedt
2019-05-09 14:06 ` Petr Mladek
2019-05-09 14:06 ` Petr Mladek
2019-05-09 13:38 ` Michal Suchánek
2019-05-09 13:38 ` Michal Suchánek
2019-05-09 13:46 ` David Laight
2019-05-09 13:46 ` David Laight
2019-05-10 10:21 ` Michael Ellerman
2019-05-10 10:21 ` Michael Ellerman
2019-05-10 10:21 ` Michael Ellerman
2019-05-10 4:32 ` Sergey Senozhatsky
2019-05-10 4:32 ` Sergey Senozhatsky
2019-05-10 4:47 ` Linus Torvalds
2019-05-10 5:07 ` Sergey Senozhatsky
2019-05-10 5:07 ` Sergey Senozhatsky
2019-05-10 6:41 ` Michael Ellerman
2019-05-10 6:41 ` Michael Ellerman
2019-05-10 6:41 ` Michael Ellerman
2019-05-10 6:41 ` Michael Ellerman
2019-05-10 8:06 ` Petr Mladek
2019-05-10 8:06 ` Petr Mladek
2019-05-10 8:16 ` Sergey Senozhatsky
2019-05-10 8:16 ` Sergey Senozhatsky
2019-05-10 8:42 ` Petr Mladek
2019-05-10 8:42 ` Petr Mladek
2019-05-10 8:51 ` Sergey Senozhatsky
2019-05-10 8:51 ` Sergey Senozhatsky
2019-05-10 14:49 ` Petr Mladek
2019-05-10 14:49 ` Petr Mladek
2019-05-10 16:24 ` Steven Rostedt
2019-05-10 16:24 ` Steven Rostedt
2019-05-10 16:32 ` Martin Schwidefsky
2019-05-10 16:32 ` Martin Schwidefsky
2019-05-10 16:40 ` Steven Rostedt
2019-05-10 16:40 ` Steven Rostedt
2019-05-10 16:45 ` Martin Schwidefsky
2019-05-10 16:45 ` Martin Schwidefsky
2019-05-13 12:24 ` Petr Mladek
2019-05-13 12:24 ` Petr Mladek
2019-05-10 16:41 ` Andy Shevchenko
2019-05-10 16:41 ` Andy Shevchenko
2019-05-10 17:35 ` christophe leroy
2019-05-10 17:35 ` christophe leroy
2019-05-13 8:52 ` David Laight
2019-05-13 8:52 ` David Laight
2019-05-13 9:13 ` Andy Shevchenko
2019-05-13 9:13 ` Andy Shevchenko
2019-05-13 9:13 ` Andy Shevchenko
2019-05-13 12:42 ` Petr Mladek
2019-05-13 12:42 ` Petr Mladek
2019-05-13 12:42 ` Petr Mladek
2019-05-13 14:15 ` Steven Rostedt
2019-05-13 14:15 ` Steven Rostedt
2019-05-13 14:15 ` Steven Rostedt
2019-05-14 2:07 ` Sergey Senozhatsky
2019-05-14 2:07 ` Sergey Senozhatsky
2019-05-14 2:07 ` Sergey Senozhatsky
2019-05-14 2:25 ` Sergey Senozhatsky
2019-05-14 2:25 ` Sergey Senozhatsky
2019-05-14 2:25 ` Sergey Senozhatsky
2019-05-14 8:28 ` David Laight
2019-05-14 8:28 ` David Laight
2019-05-14 8:28 ` David Laight
2019-05-14 9:02 ` Geert Uytterhoeven
2019-05-14 9:02 ` Geert Uytterhoeven
2019-05-14 9:02 ` Geert Uytterhoeven
2019-05-14 18:37 ` Steven Rostedt
2019-05-14 18:37 ` Steven Rostedt
2019-05-14 18:37 ` Steven Rostedt
2019-05-14 19:13 ` Geert Uytterhoeven
2019-05-14 19:13 ` Geert Uytterhoeven
2019-05-14 19:13 ` Geert Uytterhoeven
2019-05-14 19:35 ` Steven Rostedt
2019-05-14 19:35 ` Steven Rostedt
2019-05-14 19:35 ` Steven Rostedt
2019-05-15 7:23 ` Geert Uytterhoeven
2019-05-15 7:23 ` Geert Uytterhoeven
2019-05-15 7:23 ` Geert Uytterhoeven
2019-05-15 7:53 ` Petr Mladek [this message]
2019-05-15 7:53 ` Petr Mladek
2019-05-15 7:53 ` Petr Mladek
2019-05-15 6:21 ` Sergey Senozhatsky
2019-05-15 6:21 ` Sergey Senozhatsky
2019-05-15 6:21 ` Sergey Senozhatsky
2019-05-15 7:35 ` Petr Mladek
2019-05-15 7:35 ` Petr Mladek
2019-05-15 7:35 ` Petr Mladek
2019-05-15 9:00 ` David Laight
2019-05-15 9:00 ` David Laight
2019-05-15 9:00 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190515075339.7biocrjfpxj77l3b@pathway.suse.cz \
--to=pmladek@suse.com \
--cc=David.Laight@aculab.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=christophe.leroy@c-s.fr \
--cc=geert@linux-m68k.org \
--cc=heiko.carstens@de.ibm.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=me@tobin.cc \
--cc=mhocko@suse.cz \
--cc=mpe@ellerman.id.au \
--cc=rostedt@goodmis.org \
--cc=ruscur@russell.cc \
--cc=schwidefsky@de.ibm.com \
--cc=sergey.senozhatsky.work@gmail.com \
--cc=sergey.senozhatsky@gmail.com \
--cc=sfr@ozlabs.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.