keys: Pin request_key_auth payload in instantiate paths - kernel/linux.git

diff options

author	Shaomin Chen <eeesssooo020@gmail.com>	2026-06-10 13:10:05 +0300
committer	Jarkko Sakkinen <jarkko@kernel.org>	2026-06-15 15:19:13 +0300
commit	fd15b457a86939c38aa12116adabd8ff686c5e51 (patch)
tree	823ffd4cf1670f1afb7936c1e74b01f8a6b11631 /include/linux/raid
parent	0934c38b12bd838cc133d5895fc8b42c2c1717ee (diff)
download	linux-fd15b457a86939c38aa12116adabd8ff686c5e51.tar.xz

keys: Pin request_key_auth payload in instantiate paths

A: request_key() B: KEYCTL_INSTANTIATE_IOV ================ ========================= create auth key store rka in auth key wait for helper get auth key load rka from auth key copy user payload sleep on #PF helper completed detach and free rka destroy auth key wake up use rka->target_key **USE-AFTER-FREE** Give request_key_auth payloads a refcount. Take a payload reference while authkey->sem stabilizes the payload and revocation state. Hold that reference across the instantiate and reject paths. Drop the auth key owning reference from revoke and destroy. [jarkko: Replaced the first two paragraphs of text with an actual concurrency scenario.] Cc: stable@vger.kernel.org # v5.10+ Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys") Reported-by: Shaomin Chen <eeesssooo020@gmail.com> Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

Diffstat (limited to 'include/linux/raid')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: