From: kernel test robot <lkp@intel.com>
To: liqiong <liqiong@nfschina.com>
Cc: kbuild-all@lists.01.org,
Linux Memory Management List <linux-mm@kvack.org>,
Mimi Zohar <zohar@linux.ibm.com>,
THOBY Simon <Simon.THOBY@viveris.fr>
Subject: [linux-next:master 5873/6649] security/integrity/ima/ima_policy.c:748:9: sparse: sparse: dereference of noderef expression
Date: Fri, 8 Oct 2021 00:08:01 +0800 [thread overview]
Message-ID: <202110080051.ZLGms667-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 6911 bytes --]
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: f8dc23b3dc0cc5b32dfd0c446e59377736d073a7
commit: 4079d72411f03de5cd73bbc9be38a30ebdae77e2 [5873/6649] ima: fix deadlock when traversing "ima_default_rules".
config: riscv-allyesconfig (attached as .config)
compiler: riscv64-linux-gcc (GCC) 11.2.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# apt-get install sparse
# sparse version: v0.6.4-dirty
# https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=4079d72411f03de5cd73bbc9be38a30ebdae77e2
git remote add linux-next https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
git fetch --no-tags linux-next master
git checkout 4079d72411f03de5cd73bbc9be38a30ebdae77e2
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=riscv SHELL=/bin/bash security/integrity/ima/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
security/integrity/ima/ima_policy.c:748:9: sparse: sparse: incompatible types in comparison expression (different address spaces):
security/integrity/ima/ima_policy.c:748:9: sparse: struct list_head *
security/integrity/ima/ima_policy.c:748:9: sparse: struct list_head [noderef] __rcu *
security/integrity/ima/ima_policy.c:973:23: sparse: sparse: incompatible types in comparison expression (different address spaces):
security/integrity/ima/ima_policy.c:973:23: sparse: struct list_head [noderef] __rcu *
security/integrity/ima/ima_policy.c:973:23: sparse: struct list_head *
security/integrity/ima/ima_policy.c:1066:31: sparse: sparse: incompatible types in comparison expression (different address spaces):
security/integrity/ima/ima_policy.c:1066:31: sparse: struct list_head [noderef] __rcu *
security/integrity/ima/ima_policy.c:1066:31: sparse: struct list_head *
>> security/integrity/ima/ima_policy.c:748:9: sparse: sparse: dereference of noderef expression
vim +748 security/integrity/ima/ima_policy.c
3323eec921efd8 Mimi Zohar 2009-02-04 726
4f2946aa0c45c7 THOBY Simon 2021-08-16 727 /**
4f2946aa0c45c7 THOBY Simon 2021-08-16 728 * ima_update_policy_flags() - Update global IMA variables
4f2946aa0c45c7 THOBY Simon 2021-08-16 729 *
4f2946aa0c45c7 THOBY Simon 2021-08-16 730 * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms
4f2946aa0c45c7 THOBY Simon 2021-08-16 731 * based on the currently loaded policy.
4f2946aa0c45c7 THOBY Simon 2021-08-16 732 *
4f2946aa0c45c7 THOBY Simon 2021-08-16 733 * With ima_policy_flag, the decision to short circuit out of a function
4f2946aa0c45c7 THOBY Simon 2021-08-16 734 * or not call the function in the first place can be made earlier.
4f2946aa0c45c7 THOBY Simon 2021-08-16 735 *
4f2946aa0c45c7 THOBY Simon 2021-08-16 736 * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the
4f2946aa0c45c7 THOBY Simon 2021-08-16 737 * set of hash algorithms accepted when updating the security.ima xattr of
4f2946aa0c45c7 THOBY Simon 2021-08-16 738 * a file.
4f2946aa0c45c7 THOBY Simon 2021-08-16 739 *
4f2946aa0c45c7 THOBY Simon 2021-08-16 740 * Context: called after a policy update and at system initialization.
a756024efea259 Roberto Sassu 2014-09-12 741 */
4f2946aa0c45c7 THOBY Simon 2021-08-16 742 void ima_update_policy_flags(void)
a756024efea259 Roberto Sassu 2014-09-12 743 {
a756024efea259 Roberto Sassu 2014-09-12 744 struct ima_rule_entry *entry;
4f2946aa0c45c7 THOBY Simon 2021-08-16 745 int new_policy_flag = 0;
a756024efea259 Roberto Sassu 2014-09-12 746
4f2946aa0c45c7 THOBY Simon 2021-08-16 747 rcu_read_lock();
a756024efea259 Roberto Sassu 2014-09-12 @748 list_for_each_entry(entry, ima_rules, list) {
4f2946aa0c45c7 THOBY Simon 2021-08-16 749 /*
4f2946aa0c45c7 THOBY Simon 2021-08-16 750 * SETXATTR_CHECK rules do not implement a full policy check
4f2946aa0c45c7 THOBY Simon 2021-08-16 751 * because rule checking would probably have an important
4f2946aa0c45c7 THOBY Simon 2021-08-16 752 * performance impact on setxattr(). As a consequence, only one
4f2946aa0c45c7 THOBY Simon 2021-08-16 753 * SETXATTR_CHECK can be active at a given time.
4f2946aa0c45c7 THOBY Simon 2021-08-16 754 * Because we want to preserve that property, we set out to use
4f2946aa0c45c7 THOBY Simon 2021-08-16 755 * atomic_cmpxchg. Either:
4f2946aa0c45c7 THOBY Simon 2021-08-16 756 * - the atomic was non-zero: a setxattr hash policy is
4f2946aa0c45c7 THOBY Simon 2021-08-16 757 * already enforced, we do nothing
4f2946aa0c45c7 THOBY Simon 2021-08-16 758 * - the atomic was zero: no setxattr policy was set, enable
4f2946aa0c45c7 THOBY Simon 2021-08-16 759 * the setxattr hash policy
4f2946aa0c45c7 THOBY Simon 2021-08-16 760 */
4f2946aa0c45c7 THOBY Simon 2021-08-16 761 if (entry->func == SETXATTR_CHECK) {
4f2946aa0c45c7 THOBY Simon 2021-08-16 762 atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms,
4f2946aa0c45c7 THOBY Simon 2021-08-16 763 0, entry->allowed_algos);
4f2946aa0c45c7 THOBY Simon 2021-08-16 764 /* SETXATTR_CHECK doesn't impact ima_policy_flag */
4f2946aa0c45c7 THOBY Simon 2021-08-16 765 continue;
4f2946aa0c45c7 THOBY Simon 2021-08-16 766 }
4f2946aa0c45c7 THOBY Simon 2021-08-16 767
a756024efea259 Roberto Sassu 2014-09-12 768 if (entry->action & IMA_DO_MASK)
4f2946aa0c45c7 THOBY Simon 2021-08-16 769 new_policy_flag |= entry->action;
a756024efea259 Roberto Sassu 2014-09-12 770 }
4f2946aa0c45c7 THOBY Simon 2021-08-16 771 rcu_read_unlock();
a756024efea259 Roberto Sassu 2014-09-12 772
ef96837b0de4af Mimi Zohar 2018-07-13 773 ima_appraise |= (build_ima_appraise | temp_ima_appraise);
a756024efea259 Roberto Sassu 2014-09-12 774 if (!ima_appraise)
4f2946aa0c45c7 THOBY Simon 2021-08-16 775 new_policy_flag &= ~IMA_APPRAISE;
4f2946aa0c45c7 THOBY Simon 2021-08-16 776
4f2946aa0c45c7 THOBY Simon 2021-08-16 777 ima_policy_flag = new_policy_flag;
a756024efea259 Roberto Sassu 2014-09-12 778 }
a756024efea259 Roberto Sassu 2014-09-12 779
:::::: The code at line 748 was first introduced by commit
:::::: a756024efea259282e65f3a00f512b094e805d76 ima: added ima_policy_flag variable
:::::: TO: Roberto Sassu <roberto.sassu@polito.it>
:::::: CC: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 71090 bytes --]
reply other threads:[~2021-10-07 16:11 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202110080051.ZLGms667-lkp@intel.com \
--to=lkp@intel.com \
--cc=Simon.THOBY@viveris.fr \
--cc=kbuild-all@lists.01.org \
--cc=linux-mm@kvack.org \
--cc=liqiong@nfschina.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox