Re: linux-next: build failure after merge of the apparmor tree

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <kuba@kernel.org>
Cc: <davem@davemloft.net>, <john.johansen@canonical.com>,
	<kuniyu@amazon.com>, <linux-kernel@vger.kernel.org>,
	<linux-next@vger.kernel.org>, <netdev@vger.kernel.org>,
	<pabeni@redhat.com>, <sfr@canb.auug.org.au>
Subject: Re: linux-next: build failure after merge of the apparmor tree
Date: Wed, 26 Mar 2025 09:19:56 -0700	[thread overview]
Message-ID: <20250326162104.20801-1-kuniyu@amazon.com> (raw)
In-Reply-To: <20250326042655.4e160022@kernel.org>

From: Jakub Kicinski <kuba@kernel.org>
Date: Wed, 26 Mar 2025 04:26:55 -0700
> On Wed, 26 Mar 2025 15:01:48 +1100 Stephen Rothwell wrote:
> > After merging the apparmor tree, today's linux-next build (x86_64
> > allmodconfig) failed like this:
> > 
> > security/apparmor/af_unix.c: In function 'unix_state_double_lock':
> > security/apparmor/af_unix.c:627:17: error: implicit declaration of function 'unix_state_lock'; did you mean 'unix_state_double_lock'? [-Wimplicit-function-declaration]
> >   627 |                 unix_state_lock(sk1);
> >       |                 ^~~~~~~~~~~~~~~
> >       |                 unix_state_double_lock
> > security/apparmor/af_unix.c: In function 'unix_state_double_unlock':
> > security/apparmor/af_unix.c:642:17: error: implicit declaration of function 'unix_state_unlock'; did you mean 'unix_state_double_lock'? [-Wimplicit-function-declaration]
> >   642 |                 unix_state_unlock(sk1);
> >       |                 ^~~~~~~~~~~~~~~~~
> >       |                 unix_state_double_lock
> 
> Thanks Stephen! I'll pop this into the tree in a few hours,
> just giving Kuniyuki a bit more time to ack.

Thanks for catching this, Stephen !

The patch itself looks good, for the patch:

Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>


John:

I had a cursory look at this commit and the exact user of
unix_state_lock() is broken for SOCK_DGRAM.

https://web.git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor.git/commit/?h=apparmor-next&id=c05e705812d179f4b85aeacc34a555a42bc4f9ac

---8<---
+
+	/* TODO: update sock label with new task label */
+	unix_state_lock(sock->sk);
+	peer_sk = unix_peer(sock->sk);
+	if (peer_sk)
+		sock_hold(peer_sk);
+
+	is_sk_fs = is_unix_fs(sock->sk);
+	if (is_sk_fs && peer_sk)
+		sk_req = request;
+	if (sk_req)
+		error = unix_label_sock_perm(subj_cred, label, op, sk_req,
+					     sock);
+	unix_state_unlock(sock->sk);
+	if (!peer_sk)
+		return error;
+
+	unix_state_double_lock(sock->sk, peer_sk);

Here, unix_peer(sock->sk) could have been changed and must be
double checked.  See unix_dgram_sendmsg().

The patch seems to be written in 2022 and recently merged.
I'm not sure if it's reviewed by netdev folks at that time,
but please cc me and netdev next time for patches regarding
AF_UNIX.

Thanks!


+	if (!is_sk_fs && is_unix_fs(peer_sk)) {
+		last_error(error,
+			   unix_fs_perm(op, request, subj_cred, label,
+					unix_sk(peer_sk)));
+	} else if (!is_sk_fs) {
+		struct aa_sk_ctx *pctx = aa_sock(peer_sk);
+
+		last_error(error,
+			xcheck(aa_unix_peer_perm(subj_cred, label, op,
+						 MAY_READ | MAY_WRITE,
+						 sock->sk, peer_sk, NULL),
+			       aa_unix_peer_perm(file->f_cred, pctx->label, op,
+						 MAY_READ | MAY_WRITE,
+						 peer_sk, sock->sk, label)));
+	}
+	unix_state_double_unlock(sock->sk, peer_sk);
---8<---

next prev parent reply	other threads:[~2025-03-26 16:21 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-26  4:01 linux-next: build failure after merge of the apparmor tree Stephen Rothwell
2025-03-26 11:26 ` Jakub Kicinski
2025-03-26 16:19   ` Kuniyuki Iwashima [this message]
2025-03-26 16:38 ` Jakub Kicinski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250326162104.20801-1-kuniyu@amazon.com \
    --to=kuniyu@amazon.com \
    --cc=davem@davemloft.net \
    --cc=john.johansen@canonical.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-next@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=sfr@canb.auug.org.au \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).