    KEYS: fix refcount_inc() on zero · 92347cfd
    Mark Rutland authored
    If a key's refcount is dropped to zero between key_lookup() peeking at
    the refcount and subsequently attempting to increment it, refcount_inc()
    will see a zero refcount.  Here, refcount_inc() will WARN_ONCE(), and
    will *not* increment the refcount, which will remain zero.
    
    Once key_lookup() drops key_serial_lock, it is possible for the key to
    be freed behind our back.
    
    This patch uses refcount_inc_not_zero() to perform the peek and increment
    atomically.
    
    Fixes: fff29291 ("security, keys: convert key.usage from atomic_t to refcount_t")
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Cc: David Windsor <dwindsor@gmail.com>
    Cc: Elena Reshetova <elena.reshetova@intel.com>
    Cc: Hans Liljestrand <ishkamiel@gmail.com>
    Cc: James Morris <james.l.morris@oracle.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
key.c 30.2 KB
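
The race described in the commit message, as an added userspace C11 model (not code from the patch or the kernel). `struct obj`, `model_inc()`, `model_inc_not_zero()`, `drop_last_ref()` and the `get_*` helpers are hypothetical names; the kernel's saturation and WARN_ONCE() behaviour are left out.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name here is hypothetical. */
struct obj { atomic_uint usage; };

/* Model of refcount_inc_not_zero(): the zero check and the increment are a
 * single compare-and-swap, so a count that reached zero is never revived. */
static bool model_inc_not_zero(atomic_uint *r)
{
    unsigned int old = atomic_load(r);
    do {
        if (old == 0)
            return false;
    } while (!atomic_compare_exchange_weak(r, &old, old + 1));
    return true;
}

/* Model of refcount_inc() as the commit message describes it: on a zero
 * count it does not increment, and it reports nothing to the caller. */
static void model_inc(atomic_uint *r) { (void)model_inc_not_zero(r); }

/* Models another CPU dropping the last reference. */
static void drop_last_ref(struct obj *o) { atomic_fetch_sub(&o->usage, 1); }

/* Before: peek, then increment. gap() runs in the window between the two. */
static bool get_peek_then_inc(struct obj *o, void (*gap)(struct obj *))
{
    if (atomic_load(&o->usage) == 0)
        return false;
    if (gap)
        gap(o);
    model_inc(&o->usage);
    return true; /* caller believes it holds a reference */
}

/* After: one atomic step, so there is no window for gap() to run in. */
static bool get_atomic(struct obj *o) { return model_inc_not_zero(&o->usage); }

int main(void)
{
    struct obj a, b;
    atomic_init(&a.usage, 1);
    atomic_init(&b.usage, 0);
    bool got = get_peek_then_inc(&a, drop_last_ref);
    printf("peek-then-inc: got=%d usage=%u\n", got, atomic_load(&a.usage));
    printf("inc-not-zero on zero: got=%d\n", get_atomic(&b));
    return 0;
}
```

In the peek-then-increment path the caller is told it has a reference while the count is still zero, which is the state in which the object can be freed behind it.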