We should make sure that the key type does its destruction dance first before we start tearing down the key structure itself so that we won't have a live key in a semi-coherent state.
This would prevent a race between key destruction and lookup in the keyring case, resulting in a use-after-free. Signed-off-by: Sasha Levin <[email protected]> --- security/keys/gc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security/keys/gc.c b/security/keys/gc.c index 9609a7f..8f3b518 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -134,6 +134,9 @@ static noinline void key_gc_unused_keys(struct list_head *keys) kdebug("- %u", key->serial); key_check(key); + if (key->type->destroy) + key->type->destroy(key); + security_key_free(key); /* deal with the user's key tracking and quota */ @@ -151,9 +154,6 @@ static noinline void key_gc_unused_keys(struct list_head *keys) key_user_put(key->user); /* now throw away the key memory */ - if (key->type->destroy) - key->type->destroy(key); - kfree(key->description); #ifdef KEY_DEBUGGING -- 1.7.10.4
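Review bot: In the first hunk (`@@ -134,6 +134,9 @@`), moving `key->type->destroy(key)` ahead of `security_key_free(key)` and the user/quota accounting changes the contract for every key type's destroy callback: it now runs while `key->security` and `key->user` are still live rather than after they have been released. The commit message should state that ordering explicitly and confirm that no in-tree destroy routine depends on the LSM blob or quota state having been torn down first. It should also name the concrete lookup path that races here (the description only says "lookup in the keyring case") and explain why calling destroy first is sufficient to take the key out of that lookup's view, since the window this closes is only as wide as what the keyring type's destroy routine actually unlinks.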
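Review bot: In the second hunk (`@@ -151,9 +154,6 @@`), after the destroy call is removed, the comment `/* now throw away the key memory */` is left heading only `kfree(key->description)` and what follows; consider rewording it (e.g. `/* now throw away the key description and the key structure */`) so it no longer implies the type-specific payload is released here. Also worth a sentence in the changelog: between the new call site in the first hunk and `kfree(key->description)` nothing in the visible context touches the type-specific payload, which is what makes the move safe, and reviewers checking the full function for `key->payload` users would want that confirmed.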

