tree: https://github.com/ammarfaizi2/linux-block google/android/kernel/common/android12-5.4
head: 3307e1a058380163f1a11c8f7632706168f9fcb1
commit: 5444477e8a4d31f6e6ff720c2d018d06e405bcc1 [3638/9999] UPSTREAM: seccomp: Remove bogus __user annotations
config: x86_64-randconfig-s022 (https://download.01.org/0day-ci/archive/20220125/[email protected]/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce:
# apt-get install sparse
# sparse version: v0.6.4-dirty
# https://github.com/ammarfaizi2/linux-block/commit/5444477e8a4d31f6e6ff720c2d018d06e405bcc1
git remote add ammarfaizi2-block https://github.com/ammarfaizi2/linux-block
git fetch --no-tags ammarfaizi2-block google/android/kernel/common/android12-5.4
git checkout 5444477e8a4d31f6e6ff720c2d018d06e405bcc1
# save the config file to linux build tree
mkdir build_dir
make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=x86_64 SHELL=/bin/bash
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>
sparse warnings: (new ones prefixed by >>)
>> kernel/seccomp.c:2041:41: sparse: sparse: incorrect type in argument 3 (different address spaces) @@ expected void [noderef] <asn:1> * @@ got void *buffer @@
kernel/seccomp.c:2041:41: sparse: expected void [noderef] <asn:1> *
kernel/seccomp.c:2041:41: sparse: got void *buffer
kernel/seccomp.c:2059:40: sparse: sparse: incorrect type in argument 3 (different address spaces) @@ expected void [noderef] <asn:1> * @@ got void *buffer @@
kernel/seccomp.c:2059:40: sparse: expected void [noderef] <asn:1> *
kernel/seccomp.c:2059:40: sparse: got void *buffer
>> kernel/seccomp.c:2115:54: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void *buffer @@ got void [noderef] <asn:1> *buffer @@
kernel/seccomp.c:2115:54: sparse: expected void *buffer
kernel/seccomp.c:2115:54: sparse: got void [noderef] <asn:1> *buffer
kernel/seccomp.c:2119:53: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void *buffer @@ got void [noderef] <asn:1> *buffer @@
kernel/seccomp.c:2119:53: sparse: expected void *buffer
kernel/seccomp.c:2119:53: sparse: got void [noderef] <asn:1> *buffer
vim +2041 kernel/seccomp.c
0ddec0fc890020 Tyler Hicks 2017-08-11 2025
/*
 * read_actions_logged() - read side of the actions_logged sysctl.
 *
 * Asks seccomp_names_from_actions_logged() to fill a zeroed stack buffer
 * from the global seccomp_actions_logged (separator argument " "), then
 * passes proc_dostring() a private copy of the ctl_table whose data/maxlen
 * point at that buffer, with write == 0.
 *
 * Returns -EINVAL if the names helper reports failure, otherwise whatever
 * proc_dostring() returns.
 *
 * NOTE(review): commit 5444477e8a4d31 declares @buffer as plain `void *`,
 * but sparse reports (kernel/seccomp.c:2041) that proc_dostring() in this
 * tree still expects a __user (<asn:1>) pointer for argument 3, and
 * (kernel/seccomp.c:2119) that the caller passes a __user pointer. The
 * value is presumably still a userspace address here; only the annotation
 * that lets sparse check how it is handled has been dropped.
 */
5444477e8a4d31 Jann Horn 2020-11-20 2026 static int read_actions_logged(struct ctl_table *ro_table, void *buffer,
d013db029491b4 Tyler Hicks 2018-05-04 2027 size_t *lenp, loff_t *ppos)
0ddec0fc890020 Tyler Hicks 2017-08-11 2028 {
0ddec0fc890020 Tyler Hicks 2017-08-11 2029 char names[sizeof(seccomp_actions_avail)];
0ddec0fc890020 Tyler Hicks 2017-08-11 2030 struct ctl_table table;
0ddec0fc890020 Tyler Hicks 2017-08-11 2031
/* Zero the whole stack buffer before it is filled and handed to proc_dostring(). */
0ddec0fc890020 Tyler Hicks 2017-08-11 2032 memset(names, 0, sizeof(names));
0ddec0fc890020 Tyler Hicks 2017-08-11 2033
0ddec0fc890020 Tyler Hicks 2017-08-11 2034 if (!seccomp_names_from_actions_logged(names, sizeof(names),
beb44acaf000c9 Tyler Hicks 2018-05-04 2035 seccomp_actions_logged, " "))
0ddec0fc890020 Tyler Hicks 2017-08-11 2036 return -EINVAL;
d013db029491b4 Tyler Hicks 2018-05-04 2037
/* Work on a copy so the caller's ro_table is never modified. */
d013db029491b4 Tyler Hicks 2018-05-04 2038 table = *ro_table;
d013db029491b4 Tyler Hicks 2018-05-04 2039 table.data = names;
d013db029491b4 Tyler Hicks 2018-05-04 2040 table.maxlen = sizeof(names);
/* Line flagged by sparse: argument 3 is expected to be a __user pointer. */
d013db029491b4 Tyler Hicks 2018-05-04 @2041 return proc_dostring(&table, 0, buffer, lenp, ppos);
0ddec0fc890020 Tyler Hicks 2017-08-11 2042 }
0ddec0fc890020 Tyler Hicks 2017-08-11 2043
/*
 * write_actions_logged() - write side of the actions_logged sysctl.
 *
 * Requires CAP_SYS_ADMIN (-EPERM otherwise). Lets proc_dostring()
 * (write == 1) fill a zeroed stack buffer through a private copy of the
 * ctl_table whose maxlen is sizeof(names), passes that buffer to
 * seccomp_actions_logged_from_names() to populate *actions_logged, and
 * rejects any result with SECCOMP_LOG_ALLOW set before storing it in the
 * global seccomp_actions_logged.
 *
 * Returns 0 on success, proc_dostring()'s non-zero result, -EPERM, or
 * -EINVAL.
 *
 * NOTE(review): sparse reports (kernel/seccomp.c:2059) that proc_dostring()
 * in this tree expects a __user (<asn:1>) pointer for argument 3, while
 * @buffer is declared plain `void *` since commit 5444477e8a4d31. The
 * value is presumably still a userspace address here; confirm against the
 * tree's proc_dostring() prototype.
 */
5444477e8a4d31 Jann Horn 2020-11-20 2044 static int write_actions_logged(struct ctl_table *ro_table, void *buffer,
ea6eca778500b0 Tyler Hicks 2018-05-04 2045 size_t *lenp, loff_t *ppos, u32 *actions_logged)
d013db029491b4 Tyler Hicks 2018-05-04 2046 {
d013db029491b4 Tyler Hicks 2018-05-04 2047 char names[sizeof(seccomp_actions_avail)];
d013db029491b4 Tyler Hicks 2018-05-04 2048 struct ctl_table table;
d013db029491b4 Tyler Hicks 2018-05-04 2049 int ret;
d013db029491b4 Tyler Hicks 2018-05-04 2050
/* Privilege check comes first, before any input is read. */
d013db029491b4 Tyler Hicks 2018-05-04 2051 if (!capable(CAP_SYS_ADMIN))
d013db029491b4 Tyler Hicks 2018-05-04 2052 return -EPERM;
d013db029491b4 Tyler Hicks 2018-05-04 2053
d013db029491b4 Tyler Hicks 2018-05-04 2054 memset(names, 0, sizeof(names));
d013db029491b4 Tyler Hicks 2018-05-04 2055
/* Work on a copy so the caller's ro_table is never modified. */
0ddec0fc890020 Tyler Hicks 2017-08-11 2056 table = *ro_table;
0ddec0fc890020 Tyler Hicks 2017-08-11 2057 table.data = names;
0ddec0fc890020 Tyler Hicks 2017-08-11 2058 table.maxlen = sizeof(names);
/* Line flagged by sparse: argument 3 is expected to be a __user pointer. */
d013db029491b4 Tyler Hicks 2018-05-04 2059 ret = proc_dostring(&table, 1, buffer, lenp, ppos);
0ddec0fc890020 Tyler Hicks 2017-08-11 2060 if (ret)
0ddec0fc890020 Tyler Hicks 2017-08-11 2061 return ret;
0ddec0fc890020 Tyler Hicks 2017-08-11 2062
0ddec0fc890020 Tyler Hicks 2017-08-11 2063
ea6eca778500b0 Tyler Hicks 2018-05-04 2063 if (!seccomp_actions_logged_from_names(actions_logged, table.data))
0ddec0fc890020 Tyler Hicks 2017-08-11 2064 return -EINVAL;
0ddec0fc890020 Tyler Hicks 2017-08-11 2065
/* A mask with SECCOMP_LOG_ALLOW set is refused rather than stored. */
ea6eca778500b0 Tyler Hicks 2018-05-04 2066 if (*actions_logged & SECCOMP_LOG_ALLOW)
0ddec0fc890020 Tyler Hicks 2017-08-11 2067 return -EINVAL;
0ddec0fc890020 Tyler Hicks 2017-08-11 2068
/* Only a fully validated mask reaches the global setting. */
ea6eca778500b0 Tyler Hicks 2018-05-04 2069 seccomp_actions_logged = *actions_logged;
d013db029491b4 Tyler Hicks 2018-05-04 2070 return 0;
0ddec0fc890020 Tyler Hicks 2017-08-11 2071 }
0ddec0fc890020 Tyler Hicks 2017-08-11 2072
/*
 * audit_actions_logged() - report a write to the actions_logged sysctl to
 * the audit subsystem.
 *
 * @actions_logged:     mask produced by the write attempt
 * @old_actions_logged: mask that was in effect before the attempt
 * @ret:                result of the write attempt (0 on success)
 *
 * Returns without doing anything when audit_enabled is false. Otherwise
 * calls audit_seccomp_actions_logged() with a string for the new and the
 * old mask and with !ret as the third argument. Each string is "(none)"
 * for an empty mask, "?" when it cannot be produced, and otherwise the
 * buffer filled by seccomp_names_from_actions_logged() with "," as the
 * separator argument. The new string is also "?" whenever @ret is non-zero,
 * so failed write attempts are audited too.
 */
ea6eca778500b0 Tyler Hicks 2018-05-04 2073 static void audit_actions_logged(u32 actions_logged, u32 old_actions_logged,
ea6eca778500b0 Tyler Hicks 2018-05-04 2074 int ret)
ea6eca778500b0 Tyler Hicks 2018-05-04 2075 {
ea6eca778500b0 Tyler Hicks 2018-05-04 2076 char names[sizeof(seccomp_actions_avail)];
ea6eca778500b0 Tyler Hicks 2018-05-04 2077 char old_names[sizeof(seccomp_actions_avail)];
ea6eca778500b0 Tyler Hicks 2018-05-04 2078 const char *new = names;
ea6eca778500b0 Tyler Hicks 2018-05-04 2079 const char *old = old_names;
ea6eca778500b0 Tyler Hicks 2018-05-04 2080
ea6eca778500b0 Tyler Hicks 2018-05-04 2081 if (!audit_enabled)
ea6eca778500b0 Tyler Hicks 2018-05-04 2082 return;
ea6eca778500b0 Tyler Hicks 2018-05-04 2083
ea6eca778500b0 Tyler Hicks 2018-05-04 2084 memset(names, 0, sizeof(names));
ea6eca778500b0 Tyler Hicks 2018-05-04 2085 memset(old_names, 0, sizeof(old_names));
ea6eca778500b0 Tyler Hicks 2018-05-04 2086
/* A failed write is recorded with "?" instead of a possibly partial mask. */
ea6eca778500b0 Tyler Hicks 2018-05-04 2087 if (ret)
ea6eca778500b0 Tyler Hicks 2018-05-04 2088 new = "?";
ea6eca778500b0 Tyler Hicks 2018-05-04 2089 else if (!actions_logged)
ea6eca778500b0 Tyler Hicks 2018-05-04 2090 new = "(none)";
ea6eca778500b0 Tyler Hicks 2018-05-04 2091 else if (!seccomp_names_from_actions_logged(names, sizeof(names),
ea6eca778500b0 Tyler Hicks 2018-05-04 2092 actions_logged, ","))
ea6eca778500b0 Tyler Hicks 2018-05-04 2093 new = "?";
ea6eca778500b0 Tyler Hicks 2018-05-04 2094
ea6eca778500b0 Tyler Hicks 2018-05-04 2095 if (!old_actions_logged)
ea6eca778500b0 Tyler Hicks 2018-05-04 2096 old = "(none)";
ea6eca778500b0 Tyler Hicks 2018-05-04 2097 else if (!seccomp_names_from_actions_logged(old_names,
ea6eca778500b0 Tyler Hicks 2018-05-04 2098 sizeof(old_names),
ea6eca778500b0 Tyler Hicks 2018-05-04 2099 old_actions_logged, ","))
ea6eca778500b0 Tyler Hicks 2018-05-04 2100 old = "?";
ea6eca778500b0 Tyler Hicks 2018-05-04 2101
/* Third argument is non-zero only when the write succeeded (ret == 0). */
ea6eca778500b0 Tyler Hicks 2018-05-04 2102 return audit_seccomp_actions_logged(new, old, !ret);
ea6eca778500b0 Tyler Hicks 2018-05-04 2103 }
ea6eca778500b0 Tyler Hicks 2018-05-04 2104
/*
 * seccomp_actions_logged_handler() - entry point for the actions_logged
 * sysctl; dispatches on @write.
 *
 * On write it snapshots the current seccomp_actions_logged, calls
 * write_actions_logged(), and then calls audit_actions_logged() with the
 * new mask, the snapshot and the result, whether or not the write
 * succeeded. On read it defers to read_actions_logged().
 *
 * Returns the result of the helper that was called.
 *
 * NOTE(review): @buffer is declared `void __user *` here, while both
 * helpers take plain `void *` since commit 5444477e8a4d31. sparse flags the
 * two calls (kernel/seccomp.c:2115 and :2119) as address-space mismatches:
 * the __user qualifier is silently dropped at the call boundary, so sparse
 * can no longer verify that the helpers treat the pointer as userspace
 * memory.
 */
d013db029491b4 Tyler Hicks 2018-05-04 2105 static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int write,
d013db029491b4 Tyler Hicks 2018-05-04 2106 void __user *buffer, size_t *lenp,
d013db029491b4 Tyler Hicks 2018-05-04 2107 loff_t *ppos)
d013db029491b4 Tyler Hicks 2018-05-04 2108 {
ea6eca778500b0 Tyler Hicks 2018-05-04 2109 int ret;
ea6eca778500b0 Tyler Hicks 2018-05-04 2110
ea6eca778500b0 Tyler Hicks 2018-05-04 2111 if (write) {
ea6eca778500b0 Tyler Hicks 2018-05-04 2112 u32 actions_logged = 0;
/* Capture the old mask before the write so the audit record can show both. */
ea6eca778500b0 Tyler Hicks 2018-05-04 2113 u32 old_actions_logged = seccomp_actions_logged;
ea6eca778500b0 Tyler Hicks 2018-05-04 2114
/* Line flagged by sparse: __user pointer passed to a plain `void *` parameter. */
ea6eca778500b0 Tyler Hicks 2018-05-04 @2115 ret = write_actions_logged(ro_table, buffer, lenp, ppos,
ea6eca778500b0 Tyler Hicks 2018-05-04 2116 &actions_logged);
ea6eca778500b0 Tyler Hicks 2018-05-04 2117 audit_actions_logged(actions_logged, old_actions_logged, ret);
ea6eca778500b0 Tyler Hicks 2018-05-04 2118 } else
ea6eca778500b0 Tyler Hicks 2018-05-04 2119 ret = read_actions_logged(ro_table, buffer, lenp, ppos);
ea6eca778500b0 Tyler Hicks 2018-05-04 2120
ea6eca778500b0 Tyler Hicks 2018-05-04 2121 return ret;
0ddec0fc890020 Tyler Hicks 2017-08-11 2122 }
0ddec0fc890020 Tyler Hicks 2017-08-11 2123
:::::: The code at line 2041 was first introduced by commit
:::::: d013db029491b49e1459d5a55ecd9ec1be1447ca seccomp: Separate read and write code for actions_logged sysctl
:::::: TO: Tyler Hicks <[email protected]>
:::::: CC: Paul Moore <[email protected]>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]
On Tue, Jan 25, 2022 at 12:25 PM kernel test robot <[email protected]> wrote:
> tree: https://github.com/ammarfaizi2/linux-block google/android/kernel/common/android12-5.4
> head: 3307e1a058380163f1a11c8f7632706168f9fcb1
> commit: 5444477e8a4d31f6e6ff720c2d018d06e405bcc1 [3638/9999] UPSTREAM: seccomp: Remove bogus __user annotations
> config: x86_64-randconfig-s022 (https://download.01.org/0day-ci/archive/20220125/[email protected]/config)
> compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
> reproduce:
> # apt-get install sparse
> # sparse version: v0.6.4-dirty
> # https://github.com/ammarfaizi2/linux-block/commit/5444477e8a4d31f6e6ff720c2d018d06e405bcc1
> git remote add ammarfaizi2-block https://github.com/ammarfaizi2/linux-block
> git fetch --no-tags ammarfaizi2-block google/android/kernel/common/android12-5.4
> git checkout 5444477e8a4d31f6e6ff720c2d018d06e405bcc1
> # save the config file to linux build tree
> mkdir build_dir
> make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=x86_64 SHELL=/bin/bash
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <[email protected]>
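It looks like this was a bogus backport:
fab686eb0307121e7a2890b6d6c57edd2457863d is marked as 'Fixes:
32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler")', but
Android incorrectly backported the patch further, to a branch that
predates that sysctl change
(https://android-review.googlesource.com/c/kernel/common/+/1535131/).
On such a branch the handler still receives a __user buffer and
proc_dostring() still expects one, so removing the annotations from the
helpers produces exactly the address-space mismatches sparse reports below.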
> sparse warnings: (new ones prefixed by >>)
> >> kernel/seccomp.c:2041:41: sparse: sparse: incorrect type in argument 3 (different address spaces) @@ expected void [noderef] <asn:1> * @@ got void *buffer @@
> kernel/seccomp.c:2041:41: sparse: expected void [noderef] <asn:1> *
> kernel/seccomp.c:2041:41: sparse: got void *buffer
> kernel/seccomp.c:2059:40: sparse: sparse: incorrect type in argument 3 (different address spaces) @@ expected void [noderef] <asn:1> * @@ got void *buffer @@
> kernel/seccomp.c:2059:40: sparse: expected void [noderef] <asn:1> *
> kernel/seccomp.c:2059:40: sparse: got void *buffer
> >> kernel/seccomp.c:2115:54: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void *buffer @@ got void [noderef] <asn:1> *buffer @@
> kernel/seccomp.c:2115:54: sparse: expected void *buffer
> kernel/seccomp.c:2115:54: sparse: got void [noderef] <asn:1> *buffer
> kernel/seccomp.c:2119:53: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void *buffer @@ got void [noderef] <asn:1> *buffer @@
> kernel/seccomp.c:2119:53: sparse: expected void *buffer
> kernel/seccomp.c:2119:53: sparse: got void [noderef] <asn:1> *buffer
>
> vim +2041 kernel/seccomp.c
>
> 0ddec0fc890020 Tyler Hicks 2017-08-11 2025
> 5444477e8a4d31 Jann Horn 2020-11-20 2026 static int read_actions_logged(struct ctl_table *ro_table, void *buffer,
> d013db029491b4 Tyler Hicks 2018-05-04 2027 size_t *lenp, loff_t *ppos)
> 0ddec0fc890020 Tyler Hicks 2017-08-11 2028 {
> 0ddec0fc890020 Tyler Hicks 2017-08-11 2029 char names[sizeof(seccomp_actions_avail)];
> 0ddec0fc890020 Tyler Hicks 2017-08-11 2030 struct ctl_table table;
> 0ddec0fc890020 Tyler Hicks 2017-08-11 2031
> 0ddec0fc890020 Tyler Hicks 2017-08-11 2032 memset(names, 0, sizeof(names));
> 0ddec0fc890020 Tyler Hicks 2017-08-11 2033
> 0ddec0fc890020 Tyler Hicks 2017-08-11 2034 if (!seccomp_names_from_actions_logged(names, sizeof(names),
> beb44acaf000c9 Tyler Hicks 2018-05-04 2035 seccomp_actions_logged, " "))
> 0ddec0fc890020 Tyler Hicks 2017-08-11 2036 return -EINVAL;
> d013db029491b4 Tyler Hicks 2018-05-04 2037
> d013db029491b4 Tyler Hicks 2018-05-04 2038 table = *ro_table;
> d013db029491b4 Tyler Hicks 2018-05-04 2039 table.data = names;
> d013db029491b4 Tyler Hicks 2018-05-04 2040 table.maxlen = sizeof(names);
> d013db029491b4 Tyler Hicks 2018-05-04 @2041 return proc_dostring(&table, 0, buffer, lenp, ppos);
> 0ddec0fc890020 Tyler Hicks 2017-08-11 2042 }
[...]