[kbuild-all] [linux-next:master 13681/14117] security/safesetid/lsm.c:119:42: sparse: sparse: cast to non-scalar

tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master head: 471e638c4c5df4c0035a76a561ada4d28228e5fd commit: 02e316b088df08dcd88439961f888145df68dcf5 [13681/14117] LSM: SafeSetID: Add GID security policy handling config: i386-randconfig-s002-20200808 (attached as .config) compiler: gcc-9 (Debian 9.3.0-15) 9.3.0 reproduce: # apt-get install sparse # sparse version: v0.6.2-118-ge1578773-dirty git checkout 02e316b088df08dcd88439961f888145df68dcf5 # save the attached .config to linux build tree make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=i386 If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp(a)intel.com&gt; sparse warnings: (new ones prefixed by >>) security/safesetid/lsm.c:134:42: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:134:42: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:177:34: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:177:34: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:205:34: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:205:34: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:208:41: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:208:41: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:209:41: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:209:41: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:210:41: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:210:41: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:211:41: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:211:41: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:229:34: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:229:34: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:232:41: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:232:41: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:233:41: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:233:41: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:234:41: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:234:41: sparse: sparse: cast from non-scalar security/safesetid/lsm.c:235:41: sparse: sparse: cast to non-scalar security/safesetid/lsm.c:235:41: sparse: sparse: cast from non-scalar -- security/safesetid/securityfs.c:293:61: sparse: sparse: incorrect type in argument 6 (different address spaces) @@ expected struct setid_ruleset *ruleset @@ got struct setid_ruleset [noderef] __rcu *extern [addressable] [assigned] [toplevel] safesetid_setgid_rules @@ security/safesetid/securityfs.c:293:61: sparse: expected struct setid_ruleset *ruleset vim +119 security/safesetid/lsm.c 89 90 static int safesetid_security_capable(const struct cred *cred, 91 struct user_namespace *ns, 92 int cap, 93 unsigned int opts) 94 { 95 /* We're only interested in CAP_SETUID and CAP_SETGID. */ 96 if (cap != CAP_SETUID && cap != CAP_SETGID) 97 return 0; 98 99 /* 100 * If CAP_SET{U/G}ID is currently used for a setid() syscall, we want to 101 * let it go through here; the real security check happens later, in the 102 * task_fix_set{u/g}id hook. 103 * 104 * NOTE: 105 * Until we add support for restricting setgroups() calls, GID security 106 * policies offer no meaningful security since we always return 0 here 107 * when called from within the setgroups() syscall and there is no 108 * additional hook later on to enforce security policies for setgroups(). 109 */ 110 if ((opts & CAP_OPT_INSETID) != 0) 111 return 0; 112 113 switch (cap) { 114 case CAP_SETUID: 115 /* 116 * If no policy applies to this task, allow the use of CAP_SETUID for 117 * other purposes. 118 */ 120 return 0; 121 /* 122 * Reject use of CAP_SETUID for functionality other than calling 123 * set*uid() (e.g. setting up userns uid mappings). 124 */ 125 pr_warn("Operation requires CAP_SETUID, which is not available to UID %u for operations besides approved set*uid transitions\n", 126 __kuid_val(cred->uid)); 127 return -EPERM; 128 break; 129 case CAP_SETGID: 130 /* 131 * If no policy applies to this task, allow the use of CAP_SETGID for 132 * other purposes. 133 */ 134 if (setid_policy_lookup((kid_t)cred->gid, INVALID_ID, GID) == SIDPOL_DEFAULT) 135 return 0; 136 /* 137 * Reject use of CAP_SETUID for functionality other than calling 138 * set*gid() (e.g. setting up userns gid mappings). 139 */ 140 pr_warn("Operation requires CAP_SETGID, which is not available to GID %u for operations besides approved set*gid transitions\n", 141 __kuid_val(cred->uid)); 142 return -EPERM; 143 break; 144 default: 145 /* Error, the only capabilities were checking for is CAP_SETUID/GID */ 146 return 0; 147 break; 148 } 149 return 0; 150 } 151 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org