[PATCH V10] fixup: audit: implement audit by executable

[PATCH V10] fixup: audit: implement audit by executable

[Richard Guy Briggs]

The Intel build-bot detected a sparse warning with with a patch I posted a
couple of days ago that was accepted in the audit/next tree:

Subject: [linux-next:master 6689/6751] kernel/audit_watch.c:543:36: sparse: dereference of noderef expression
Date: Friday, August 07, 2015, 06:57:55 PM
From: kbuild test robot <fengguang.wu@intel.com>
tree:   git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head:   e6455bc5b91f41f842f30465c9193320f0568707
commit: 2e3a8aeb63e5335d4f837d453787c71bcb479796 [6689/6751] Merge remote- tracking branch 'audit/next'
sparse warnings: (new ones prefixed by >>)
>> kernel/audit_watch.c:543:36: sparse: dereference of noderef expression
   kernel/audit_watch.c:544:28: sparse: dereference of noderef expression

34d99af5 Richard Guy Briggs 2015-08-05  541  int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark)
34d99af5 Richard Guy Briggs 2015-08-05  542  {
34d99af5 Richard Guy Briggs 2015-08-05 @543     unsigned long ino = tsk->mm- >exe_file->f_inode->i_ino;
34d99af5 Richard Guy Briggs 2015-08-05  544     dev_t dev = tsk->mm->exe_file- >f_inode->i_sb->s_dev;

:::::: The code at line 543 was first introduced by commit
:::::: 34d99af52ad40bd498ba66970579a5bc1fb1a3bc audit: implement audit by executable

tsk->mm->exe_file requires RCU access.  The warning was reproduceable by adding
"C=1 CF=-D__CHECK_ENDIAN__" to the build command, and verified eliminated with
this patch.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit_watch.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 1255dbf..656c7e9 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -540,8 +540,14 @@ int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old)
 
 int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark)
 {
-	unsigned long ino = tsk->mm->exe_file->f_inode->i_ino;
-	dev_t dev = tsk->mm->exe_file->f_inode->i_sb->s_dev;
-
+	struct file *exe_file;
+	unsigned long ino;
+	dev_t dev;
+
+	rcu_read_lock();
+	exe_file = rcu_dereference(tsk->mm->exe_file);
+	ino = exe_file->f_inode->i_ino;
+	dev = exe_file->f_inode->i_sb->s_dev;
+	rcu_read_unlock();
 	return audit_mark_compare(mark, ino, dev);
 }
-- 
1.7.1

Re: [PATCH V10] fixup: audit: implement audit by executable

[Paul Moore]

On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
> diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> index 1255dbf..656c7e9 100644
> --- a/kernel/audit_watch.c
> +++ b/kernel/audit_watch.c
> @@ -540,8 +540,14 @@ int audit_dupe_exe(struct audit_krule *new, struct
> audit_krule *old)
> 
>  int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark
> *mark) {
> -	unsigned long ino = tsk->mm->exe_file->f_inode->i_ino;
> -	dev_t dev = tsk->mm->exe_file->f_inode->i_sb->s_dev;
> -
> +	struct file *exe_file;
> +	unsigned long ino;
> +	dev_t dev;
> +
> +	rcu_read_lock();
> +	exe_file = rcu_dereference(tsk->mm->exe_file);

This line is triggering a sparse error on my system:

 # make C=1 M=kernel
 ...
   CHECK   kernel/audit_watch.c
 kernel/audit_watch.c:548:20: error: incompatible types in comparison  
 expression (different address spaces)

For the record I'm using gcc v4.9.3 and sparse v0.5.0.

> +	ino = exe_file->f_inode->i_ino;
> +	dev = exe_file->f_inode->i_sb->s_dev;
> +	rcu_read_unlock();
>  	return audit_mark_compare(mark, ino, dev);
>  }

-- 
paul moore
security @ redhat

Re: [PATCH V10] fixup: audit: implement audit by executable

[Richard Guy Briggs]

On 15/08/10, Paul Moore wrote:
> On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index 1255dbf..656c7e9 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
> > @@ -540,8 +540,14 @@ int audit_dupe_exe(struct audit_krule *new, struct
> > audit_krule *old)
> > 
> >  int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark
> > *mark) {
> > -	unsigned long ino = tsk->mm->exe_file->f_inode->i_ino;
> > -	dev_t dev = tsk->mm->exe_file->f_inode->i_sb->s_dev;
> > -
> > +	struct file *exe_file;
> > +	unsigned long ino;
> > +	dev_t dev;
> > +
> > +	rcu_read_lock();
> > +	exe_file = rcu_dereference(tsk->mm->exe_file);
> 
> This line is triggering a sparse error on my system:
> 
>  # make C=1 M=kernel
>  ...
>    CHECK   kernel/audit_watch.c
>  kernel/audit_watch.c:548:20: error: incompatible types in comparison  
>  expression (different address spaces)

That's odd.  I got this complaint when I had forgotten to add the
rcu_dereference() call, but not in its current state.  Mind you, I get
swamped with errors and warnings from all over the system (starting with
ptrace.c, signal.c, exit.c, fork.c, audit.c, ftrace.c,
selinux/netnode.c, ...) when I add
"M=kernel" to my build command, so I start to wonder how valid that
result is or that flag.  Where is M=kernel documented?

> For the record I'm using gcc v4.9.3 and sparse v0.5.0.

gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-11)
sparse 0.4.4-7.el6

> > +	ino = exe_file->f_inode->i_ino;
> > +	dev = exe_file->f_inode->i_sb->s_dev;
> > +	rcu_read_unlock();
> >  	return audit_mark_compare(mark, ino, dev);
> >  }
> 
> -- 
> paul moore
> security @ redhat
> 

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

Re: [PATCH V10] fixup: audit: implement audit by executable

[Paul Moore]

On Monday, August 10, 2015 01:29:43 PM Richard Guy Briggs wrote:
> On 15/08/10, Paul Moore wrote:
> > On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
> > > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > > index 1255dbf..656c7e9 100644
> > > --- a/kernel/audit_watch.c
> > > +++ b/kernel/audit_watch.c
> > > @@ -540,8 +540,14 @@ int audit_dupe_exe(struct audit_krule *new, struct
> > > audit_krule *old)
> > > 
> > >  int audit_exe_compare(struct task_struct *tsk, struct
> > >  audit_fsnotify_mark
> > > 
> > > *mark) {
> > > -	unsigned long ino = tsk->mm->exe_file->f_inode->i_ino;
> > > -	dev_t dev = tsk->mm->exe_file->f_inode->i_sb->s_dev;
> > > -
> > > +	struct file *exe_file;
> > > +	unsigned long ino;
> > > +	dev_t dev;
> > > +
> > > +	rcu_read_lock();
> > > +	exe_file = rcu_dereference(tsk->mm->exe_file);
> > 
> > This line is triggering a sparse error on my system:
> >  # make C=1 M=kernel
> >  ...
> >  
> >    CHECK   kernel/audit_watch.c
> >  
> >  kernel/audit_watch.c:548:20: error: incompatible types in comparison
> >  expression (different address spaces)
> 
> That's odd.  I got this complaint when I had forgotten to add the
> rcu_dereference() call, but not in its current state.  Mind you, I get
> swamped with errors and warnings from all over the system (starting with
> ptrace.c, signal.c, exit.c, fork.c, audit.c, ftrace.c,
> selinux/netnode.c, ...) when I add
> "M=kernel" to my build command, so I start to wonder how valid that
> result is or that flag.  Where is M=kernel documented?

I don't remember anymore, it's something I've been using so long that I've 
forgotten where I first learned of it.  The "M=<X>" flag signals that you only 
want to build a specific module/directory, e.g. M=kernel builds everything 
under kernel/ whereas M=security/selinux builds everything under 
security/selinux.

So you don't see this error?

-- 
paul moore
security @ redhat

Re: [PATCH V10] fixup: audit: implement audit by executable

[Richard Guy Briggs]

On 15/08/10, Paul Moore wrote:
> On Monday, August 10, 2015 01:29:43 PM Richard Guy Briggs wrote:
> > On 15/08/10, Paul Moore wrote:
> > > On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
> > > > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > > > index 1255dbf..656c7e9 100644
> > > > --- a/kernel/audit_watch.c
> > > > +++ b/kernel/audit_watch.c
> > > > @@ -540,8 +540,14 @@ int audit_dupe_exe(struct audit_krule *new, struct
> > > > audit_krule *old)
> > > > 
> > > >  int audit_exe_compare(struct task_struct *tsk, struct
> > > >  audit_fsnotify_mark
> > > > 
> > > > *mark) {
> > > > -	unsigned long ino = tsk->mm->exe_file->f_inode->i_ino;
> > > > -	dev_t dev = tsk->mm->exe_file->f_inode->i_sb->s_dev;
> > > > -
> > > > +	struct file *exe_file;
> > > > +	unsigned long ino;
> > > > +	dev_t dev;
> > > > +
> > > > +	rcu_read_lock();
> > > > +	exe_file = rcu_dereference(tsk->mm->exe_file);
> > > 
> > > This line is triggering a sparse error on my system:
> > >  # make C=1 M=kernel
> > >  ...
> > >  
> > >    CHECK   kernel/audit_watch.c
> > >  
> > >  kernel/audit_watch.c:548:20: error: incompatible types in comparison
> > >  expression (different address spaces)
> > 
> > That's odd.  I got this complaint when I had forgotten to add the
> > rcu_dereference() call, but not in its current state.  Mind you, I get
> > swamped with errors and warnings from all over the system (starting with
> > ptrace.c, signal.c, exit.c, fork.c, audit.c, ftrace.c,
> > selinux/netnode.c, ...) when I add
> > "M=kernel" to my build command, so I start to wonder how valid that
> > result is or that flag.  Where is M=kernel documented?
> 
> I don't remember anymore, it's something I've been using so long that I've 
> forgotten where I first learned of it.  The "M=<X>" flag signals that you only 
> want to build a specific module/directory, e.g. M=kernel builds everything 
> under kernel/ whereas M=security/selinux builds everything under 
> security/selinux.
> 
> So you don't see this error?

No, I don't, but I see a number of unrelated ones that I will address in time...

> paul moore

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

Re: [PATCH V10] fixup: audit: implement audit by executable

[Richard Guy Briggs]

On 15/08/11, Richard Guy Briggs wrote:
> On 15/08/10, Paul Moore wrote:
> > On Monday, August 10, 2015 01:29:43 PM Richard Guy Briggs wrote:
> > > On 15/08/10, Paul Moore wrote:
> > > > On Saturday, August 08, 2015 10:20:25 AM Richard Guy Briggs wrote:
> > > > > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > > > > index 1255dbf..656c7e9 100644
> > > > > --- a/kernel/audit_watch.c
> > > > > +++ b/kernel/audit_watch.c
> > > > > @@ -540,8 +540,14 @@ int audit_dupe_exe(struct audit_krule *new, struct
> > > > > audit_krule *old)
> > > > > 
> > > > >  int audit_exe_compare(struct task_struct *tsk, struct
> > > > >  audit_fsnotify_mark
> > > > > 
> > > > > *mark) {
> > > > > -	unsigned long ino = tsk->mm->exe_file->f_inode->i_ino;
> > > > > -	dev_t dev = tsk->mm->exe_file->f_inode->i_sb->s_dev;
> > > > > -
> > > > > +	struct file *exe_file;
> > > > > +	unsigned long ino;
> > > > > +	dev_t dev;
> > > > > +
> > > > > +	rcu_read_lock();
> > > > > +	exe_file = rcu_dereference(tsk->mm->exe_file);
> > > > 
> > > > This line is triggering a sparse error on my system:
> > > >  # make C=1 M=kernel
> > > >  ...
> > > >  
> > > >    CHECK   kernel/audit_watch.c
> > > >  
> > > >  kernel/audit_watch.c:548:20: error: incompatible types in comparison
> > > >  expression (different address spaces)
> > > 
> > > That's odd.  I got this complaint when I had forgotten to add the
> > > rcu_dereference() call, but not in its current state.  Mind you, I get
> > > swamped with errors and warnings from all over the system (starting with
> > > ptrace.c, signal.c, exit.c, fork.c, audit.c, ftrace.c,
> > > selinux/netnode.c, ...) when I add
> > > "M=kernel" to my build command, so I start to wonder how valid that
> > > result is or that flag.  Where is M=kernel documented?
> > 
> > I don't remember anymore, it's something I've been using so long that I've 
> > forgotten where I first learned of it.  The "M=<X>" flag signals that you only 
> > want to build a specific module/directory, e.g. M=kernel builds everything 
> > under kernel/ whereas M=security/selinux builds everything under 
> > security/selinux.
> > 
> > So you don't see this error?
> 
> No, I don't, but I see a number of unrelated ones that I will address in time...

Do you plan to push this fix to next?

> > paul moore
> 
> - RGB

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

Re: [PATCH V10] fixup: audit: implement audit by executable

[Paul Moore]

On Wednesday, August 12, 2015 05:48:48 AM Richard Guy Briggs wrote:
>
> Do you plan to push this fix to next?

Patience.  Yes, I'll be pushing this to next sometime this week; as usual I'll 
send mail when I do.

-- 
paul moore
security @ redhat

Re: [PATCH V10] fixup: audit: implement audit by executable

[Richard Guy Briggs]

On 15/08/12, Paul Moore wrote:
> On Wednesday, August 12, 2015 05:48:48 AM Richard Guy Briggs wrote:
> >
> > Do you plan to push this fix to next?
> 
> Patience.  Yes, I'll be pushing this to next sometime this week; as usual I'll 
> send mail when I do.

Ok, no problem, I'm not rushing.  I was unsure what your intentions were
or whether there was more to do to help it happen.

> paul moore

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

Re: [PATCH V10] fixup: audit: implement audit by executable

[Paul Moore]

On Wednesday, August 12, 2015 11:19:44 AM Richard Guy Briggs wrote:
> On 15/08/12, Paul Moore wrote:
> > On Wednesday, August 12, 2015 05:48:48 AM Richard Guy Briggs wrote:
> > > Do you plan to push this fix to next?
> > 
> > Patience.  Yes, I'll be pushing this to next sometime this week; as usual
> > I'll send mail when I do.
> 
> Ok, no problem, I'm not rushing.  I was unsure what your intentions were
> or whether there was more to do to help it happen.

It's merged.  I still don't know why I'm seeing that error, but the patch is 
obviously correct so I'm just going to merge it anyway and chalk it up to some 
compiler/sparse oddity.

As far as patch follow-ups, if you haven't heard back from me after four days 
or so (yes, that is as arbitrary as it sounds), it isn't a bad idea to send a 
follow-up, especially if it is a critical patch, to make sure I've seen the 
patch (things do occasionally fall through the cracks).  However, if it is 
only been a day or two and I haven't responded, rest assured I've likely seen 
your patch I'm just dealing with something else at the moment and haven't had 
the time to review/comment/merge your patch.

-- 
paul moore
security @ redhat