[PATCH] crash_dump: fix dm_crypt keys locking and ref leak

Mon, 26 Jan 2026 03:21:14 -0800 

crash_load_dm_crypt_keys() reads dm-crypt volume keys from the user
keyring. It uses user_key_payload_locked() without holding key->sem,
which makes lockdep complain when kexec_file_load() assembles the
crash image:

  =============================
  WARNING: suspicious RCU usage
  -----------------------------
  ./include/keys/user-type.h:53 suspicious rcu_dereference_protected() usage!

  other info that might help us debug this:

  rcu_scheduler_active = 2, debug_locks = 1
  no locks held by kexec/4875.

  stack backtrace:
  Call Trace:
   <TASK>
   dump_stack_lvl+0x5d/0x80
   lockdep_rcu_suspicious.cold+0x4e/0x96
   crash_load_dm_crypt_keys+0x314/0x390
   bzImage64_load+0x116/0x9a0
   ? __lock_acquire+0x464/0x1ba0
   __do_sys_kexec_file_load+0x26a/0x4f0
   do_syscall_64+0xbd/0x430
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

In addition, the key returned by request_key() is never key_put()'d,
leaking a key reference on each load attempt.

Take key->sem while copying the payload and drop the key reference
afterwards.

Fixes: 479e58549b0f ("crash_dump: store dm crypt keys in kdump reserved memory")
Signed-off-by: Vasily Gorbik <[email protected]>
---
 kernel/crash_dump_dm_crypt.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/kernel/crash_dump_dm_crypt.c b/kernel/crash_dump_dm_crypt.c
index 0d23dc1de67c..37129243054d 100644
--- a/kernel/crash_dump_dm_crypt.c
+++ b/kernel/crash_dump_dm_crypt.c
@@ -143,6 +143,7 @@ static int read_key_from_user_keying(struct dm_crypt_key 
*dm_key)
 {
        const struct user_key_payload *ukp;
        struct key *key;
+       int ret = 0;
 
        kexec_dprintk("Requesting logon key %s", dm_key->key_desc);
        key = request_key(&key_type_logon, dm_key->key_desc, NULL);
@@ -152,20 +153,28 @@ static int read_key_from_user_keying(struct dm_crypt_key 
*dm_key)
                return PTR_ERR(key);
        }
 
+       down_read(&key->sem);
        ukp = user_key_payload_locked(key);
-       if (!ukp)
-               return -EKEYREVOKED;
+       if (!ukp) {
+               ret = -EKEYREVOKED;
+               goto out;
+       }
 
        if (ukp->datalen > KEY_SIZE_MAX) {
                pr_err("Key size %u exceeds maximum (%u)\n", ukp->datalen, 
KEY_SIZE_MAX);
-               return -EINVAL;
+               ret = -EINVAL;
+               goto out;
        }
 
        memcpy(dm_key->data, ukp->data, ukp->datalen);
        dm_key->key_size = ukp->datalen;
        kexec_dprintk("Get dm crypt key (size=%u) %s: %8ph\n", dm_key->key_size,
                      dm_key->key_desc, dm_key->data);
-       return 0;
+
+out:
+       up_read(&key->sem);
+       key_put(key);
+       return ret;
 }
 
 struct config_key {
-- 
2.52.0

Reply via email to