In the past %pK was preferable to %p as it would not leak raw pointer
values into the kernel log.
Since commit ad67b74d2469 ("printk: hash addresses printed with %p")
the regular %p has been improved to avoid this issue.
Furthermore, restricted pointers ("%pK") were never meant to be used
through printk(). They can still unintentionally leak raw pointers or
acquire sleeping looks in atomic contexts.

Switch to the regular pointer formatting which is safer and
easier to reason about.
There are still a few users of %pK left, but these use it through seq_file,
for which its usage is safe.

Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
---
Thomas Weißschuh (7):
      wifi: ath10k: Don't use %pK through printk
      wifi: ath11k: Don't use %pK through printk
      wifi: ath12k: Don't use %pK through printk
      wifi: wcn36xx: Don't use %pK through printk
      wifi: mwifiex: Don't use %pK through printk
      ice: Don't use %pK through printk or tracepoints
      net/mlx5: Don't use %pK through tracepoints

 drivers/net/ethernet/intel/ice/ice_main.c          |  2 +-
 drivers/net/ethernet/intel/ice/ice_trace.h         | 10 +++++-----
 .../mlx5/core/sf/dev/diag/dev_tracepoint.h         |  2 +-
 drivers/net/wireless/ath/ath10k/ahb.c              |  2 +-
 drivers/net/wireless/ath/ath10k/bmi.c              |  6 +++---
 drivers/net/wireless/ath/ath10k/ce.c               |  4 ++--
 drivers/net/wireless/ath/ath10k/core.c             |  4 ++--
 drivers/net/wireless/ath/ath10k/htc.c              |  6 +++---
 drivers/net/wireless/ath/ath10k/htt_rx.c           |  2 +-
 drivers/net/wireless/ath/ath10k/mac.c              | 22 +++++++++++-----------
 drivers/net/wireless/ath/ath10k/pci.c              |  2 +-
 drivers/net/wireless/ath/ath10k/testmode.c         |  4 ++--
 drivers/net/wireless/ath/ath10k/txrx.c             |  2 +-
 drivers/net/wireless/ath/ath10k/usb.c              |  4 ++--
 drivers/net/wireless/ath/ath10k/wmi.c              |  4 ++--
 drivers/net/wireless/ath/ath11k/testmode.c         |  2 +-
 drivers/net/wireless/ath/ath12k/testmode.c         |  4 ++--
 drivers/net/wireless/ath/wcn36xx/testmode.c        |  2 +-
 drivers/net/wireless/marvell/mwifiex/pcie.c        |  2 +-
 19 files changed, 43 insertions(+), 43 deletions(-)
---
base-commit: 8ffd015db85fea3e15a77027fda6c02ced4d2444
change-id: 20250404-restricted-pointers-net-a8cddd03e5d1

Best regards,
-- 
Thomas Weißschuh <thomas.weissschuh@linutronix.de>

On 4/14/2025 1:26 AM, Thomas Weißschuh wrote:
>       wifi: ath10k: Don't use %pK through printk
>       wifi: ath11k: Don't use %pK through printk
>       wifi: ath12k: Don't use %pK through printk
>       wifi: wcn36xx: Don't use %pK through printk

the first four should go through ath-next and not net-next

>       wifi: mwifiex: Don't use %pK through printk

this should go through wireless-next

/jeff

On Mon, Apr 14, 2025 at 08:02:39AM -0700, Jeff Johnson wrote:
> On 4/14/2025 1:26 AM, Thomas Weißschuh wrote:
> >       wifi: ath10k: Don't use %pK through printk
> >       wifi: ath11k: Don't use %pK through printk
> >       wifi: ath12k: Don't use %pK through printk
> >       wifi: wcn36xx: Don't use %pK through printk
> 
> the first four should go through ath-next and not net-next
> 
> >       wifi: mwifiex: Don't use %pK through printk
> 
> this should go through wireless-next

Ack, thanks. I'll resend it there when the discussions here are done.

On Mon, Apr 14, 2025 at 10:26:01AM +0200, Thomas Weißschuh wrote:
> Furthermore, restricted pointers ("%pK") were never meant to be used
> through printk().

Is this really true? Documentation/admin-guide/sysctl/kernel.rst still
has a section on kptr_restrict which talks about dmesg, CAP_SYSLOG, and
%pK, which sounds like it's intended. But I'm not highly familiar with
this space, so maybe I'm misreading something.

(I do see that commit a48849e2358e ("printk: clarify the documentation
for plain pointer printing") updated
Documentation/core-api/printk-formats.rst.)

In any case, even if the advice has changed, it seems (again, to an
outsider) a bit much to say it was "never" meant to be used through
printk().

Brian

On Mon, Apr 14, 2025 at 11:44:24AM -0700, Brian Norris wrote:
> On Mon, Apr 14, 2025 at 10:26:01AM +0200, Thomas Weißschuh wrote:
> > Furthermore, restricted pointers ("%pK") were never meant to be used
> > through printk().
> 
> Is this really true? Documentation/admin-guide/sysctl/kernel.rst still
> has a section on kptr_restrict which talks about dmesg, CAP_SYSLOG, and
> %pK, which sounds like it's intended. But I'm not highly familiar with
> this space, so maybe I'm misreading something.

The wording about dmesg, etc was added in
commit 312b4e226951 ("vsprintf: check real user/group id for %pK").

Its commit message also notes:

    This is a only temporary solution to the issue.  The correct solution is
    to do the permission check at open() time on files, and to replace %pK
    with a function which checks the open() time permission.  %pK uses in
    printk should be removed since no sane permission check can be done, and
    instead protected by using dmesg_restrict.

Doing this is my goal. One of the later steps is to replace %pK completely.
Probably with a function similar to kallsyms_show_value().

> (I do see that commit a48849e2358e ("printk: clarify the documentation
> for plain pointer printing") updated
> Documentation/core-api/printk-formats.rst.)
> 
> In any case, even if the advice has changed, it seems (again, to an
> outsider) a bit much to say it was "never" meant to be used through
> printk().

IMO "never" is correct. Using %pK through printk() was only ever a bandaid to
get at least some of the security benefits of hashed pointers.


Thomas

> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@osuosl.org> On Behalf Of
> Thomas Weißschuh
> Sent: Monday, April 14, 2025 10:26 AM
> To: Jeff Johnson <jjohnson@kernel.org>; Loic Poulain
> <loic.poulain@linaro.org>; Brian Norris <briannorris@chromium.org>;
> Francesco Dolcini <francesco@dolcini.it>; Nguyen, Anthony L
> <anthony.l.nguyen@intel.com>; Kitszel, Przemyslaw
> <przemyslaw.kitszel@intel.com>; Andrew Lunn <andrew+netdev@lunn.ch>;
> David S. Miller <davem@davemloft.net>; Dumazet, Eric
> <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo Abeni
> <pabeni@redhat.com>; Saeed Mahameed <saeedm@nvidia.com>; Leon
> Romanovsky <leon@kernel.org>; Tariq Toukan <tariqt@nvidia.com>
> Cc: ath10k@lists.infradead.org; linux-kernel@vger.kernel.org;
> ath11k@lists.infradead.org; ath12k@lists.infradead.org;
> wcn36xx@lists.infradead.org; linux-wireless@vger.kernel.org; intel-wired-
> lan@lists.osuosl.org; netdev@vger.kernel.org; linux-rdma@vger.kernel.org;
> Thomas Weißschuh <thomas.weissschuh@linutronix.de>
> Subject: [Intel-wired-lan] [PATCH net-next 0/7] net: Don't use %pK through
> printk
> 
> In the past %pK was preferable to %p as it would not leak raw pointer values
> into the kernel log.
> Since commit ad67b74d2469 ("printk: hash addresses printed with %p") the
> regular %p has been improved to avoid this issue.
> Furthermore, restricted pointers ("%pK") were never meant to be used
> through printk(). They can still unintentionally leak raw pointers or acquire
> sleeping looks in atomic contexts.
> 
> Switch to the regular pointer formatting which is safer and easier to reason
> about.
> There are still a few users of %pK left, but these use it through seq_file, for
> which its usage is safe.
> 
> Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
> ---
> Thomas Weißschuh (7):
>       wifi: ath10k: Don't use %pK through printk
>       wifi: ath11k: Don't use %pK through printk
>       wifi: ath12k: Don't use %pK through printk
>       wifi: wcn36xx: Don't use %pK through printk
>       wifi: mwifiex: Don't use %pK through printk
>       ice: Don't use %pK through printk or tracepoints
>       net/mlx5: Don't use %pK through tracepoints
> 
>  drivers/net/ethernet/intel/ice/ice_main.c          |  2 +-
>  drivers/net/ethernet/intel/ice/ice_trace.h         | 10 +++++-----
>  .../mlx5/core/sf/dev/diag/dev_tracepoint.h         |  2 +-
>  drivers/net/wireless/ath/ath10k/ahb.c              |  2 +-
>  drivers/net/wireless/ath/ath10k/bmi.c              |  6 +++---
>  drivers/net/wireless/ath/ath10k/ce.c               |  4 ++--
>  drivers/net/wireless/ath/ath10k/core.c             |  4 ++--
>  drivers/net/wireless/ath/ath10k/htc.c              |  6 +++---
>  drivers/net/wireless/ath/ath10k/htt_rx.c           |  2 +-
>  drivers/net/wireless/ath/ath10k/mac.c              | 22 +++++++++++-----------
>  drivers/net/wireless/ath/ath10k/pci.c              |  2 +-
>  drivers/net/wireless/ath/ath10k/testmode.c         |  4 ++--
>  drivers/net/wireless/ath/ath10k/txrx.c             |  2 +-
>  drivers/net/wireless/ath/ath10k/usb.c              |  4 ++--
>  drivers/net/wireless/ath/ath10k/wmi.c              |  4 ++--
>  drivers/net/wireless/ath/ath11k/testmode.c         |  2 +-
>  drivers/net/wireless/ath/ath12k/testmode.c         |  4 ++--
>  drivers/net/wireless/ath/wcn36xx/testmode.c        |  2 +-
>  drivers/net/wireless/marvell/mwifiex/pcie.c        |  2 +-
>  19 files changed, 43 insertions(+), 43 deletions(-)
> ---
> base-commit: 8ffd015db85fea3e15a77027fda6c02ced4d2444
> change-id: 20250404-restricted-pointers-net-a8cddd03e5d1
> 
> Best regards,
> --
> Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>