From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Shaomin Chen <eeesssooo020@gmail.com>,
Jarkko Sakkinen <jarkko@kernel.org>
Subject: [PATCH 5.15 59/95] keys: Pin request_key_auth payload in instantiate paths
Date: Thu, 2 Jul 2026 18:20:02 +0200 [thread overview]
Message-ID: <20260702155110.451512449@linuxfoundation.org> (raw)
In-Reply-To: <20260702155109.196223802@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shaomin Chen <eeesssooo020@gmail.com>
commit fd15b457a86939c38aa12116adabd8ff686c5e51 upstream.
A: request_key() B: KEYCTL_INSTANTIATE_IOV
================ =========================
create auth key
store rka in auth key
wait for helper
get auth key
load rka from auth key
copy user payload
sleep on #PF
helper completed
detach and free rka
destroy auth key
wake up
use rka->target_key
**USE-AFTER-FREE**
Give request_key_auth payloads a refcount. Take a payload reference while
authkey->sem stabilizes the payload and revocation state. Hold that
reference across the instantiate and reject paths. Drop the auth key
owning reference from revoke and destroy.
[jarkko: Replaced the first two paragraphs of text with an actual
concurrency scenario.]
Cc: stable@vger.kernel.org # v5.10+
Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
Reported-by: Shaomin Chen <eeesssooo020@gmail.com>
Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com
Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/keys/request_key_auth-type.h | 2 ++
security/keys/internal.h | 2 ++
security/keys/keyctl.c | 24 ++++++++++++++++++------
security/keys/request_key_auth.c | 33 +++++++++++++++++++++++++++++++--
4 files changed, 53 insertions(+), 8 deletions(-)
--- a/include/keys/request_key_auth-type.h
+++ b/include/keys/request_key_auth-type.h
@@ -9,12 +9,14 @@
#define _KEYS_REQUEST_KEY_AUTH_TYPE_H
#include <linux/key.h>
+#include <linux/refcount.h>
/*
* Authorisation record for request_key().
*/
struct request_key_auth {
struct rcu_head rcu;
+ refcount_t usage;
struct key *target_key;
struct key *dest_keyring;
const struct cred *cred;
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -217,6 +217,8 @@ extern struct key *request_key_auth_new(
const void *callout_info,
size_t callout_len,
struct key *dest_keyring);
+struct request_key_auth *request_key_auth_get(struct key *authkey);
+void request_key_auth_put(struct request_key_auth *rka);
extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1196,9 +1196,13 @@ static long keyctl_instantiate_key_commo
if (!instkey)
goto error;
- rka = instkey->payload.data[0];
- if (rka->target_key->serial != id)
+ rka = request_key_auth_get(instkey);
+ if (!rka) {
+ ret = -EKEYREVOKED;
goto error;
+ }
+ if (rka->target_key->serial != id)
+ goto error_put_rka;
/* pull the payload in if one was supplied */
payload = NULL;
@@ -1207,7 +1211,7 @@ static long keyctl_instantiate_key_commo
ret = -ENOMEM;
payload = kvmalloc(plen, GFP_KERNEL);
if (!payload)
- goto error;
+ goto error_put_rka;
ret = -EFAULT;
if (!copy_from_iter_full(payload, plen, from))
@@ -1233,6 +1237,8 @@ static long keyctl_instantiate_key_commo
error2:
kvfree_sensitive(payload, plen);
+error_put_rka:
+ request_key_auth_put(rka);
error:
return ret;
}
@@ -1358,15 +1364,19 @@ long keyctl_reject_key(key_serial_t id,
if (!instkey)
goto error;
- rka = instkey->payload.data[0];
- if (rka->target_key->serial != id)
+ rka = request_key_auth_get(instkey);
+ if (!rka) {
+ ret = -EKEYREVOKED;
goto error;
+ }
+ if (rka->target_key->serial != id)
+ goto error_put_rka;
/* find the destination keyring if present (which must also be
* writable) */
ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
if (ret < 0)
- goto error;
+ goto error_put_rka;
/* instantiate the key and link it into a keyring */
ret = key_reject_and_link(rka->target_key, timeout, error,
@@ -1379,6 +1389,8 @@ long keyctl_reject_key(key_serial_t id,
if (ret == 0)
keyctl_change_reqkey_auth(NULL);
+error_put_rka:
+ request_key_auth_put(rka);
error:
return ret;
}
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -23,6 +23,7 @@ static void request_key_auth_describe(co
static void request_key_auth_revoke(struct key *);
static void request_key_auth_destroy(struct key *);
static long request_key_auth_read(const struct key *, char *, size_t);
+static void request_key_auth_rcu_disposal(struct rcu_head *);
/*
* The request-key authorisation key type definition.
@@ -116,6 +117,31 @@ static void free_request_key_auth(struct
}
/*
+ * Take a reference to the request-key authorisation payload so callers can
+ * drop authkey->sem before doing operations that may sleep.
+ */
+struct request_key_auth *request_key_auth_get(struct key *authkey)
+{
+ struct request_key_auth *rka;
+
+ down_read(&authkey->sem);
+ rka = dereference_key_locked(authkey);
+ if (rka && !test_bit(KEY_FLAG_REVOKED, &authkey->flags))
+ refcount_inc(&rka->usage);
+ else
+ rka = NULL;
+ up_read(&authkey->sem);
+
+ return rka;
+}
+
+void request_key_auth_put(struct request_key_auth *rka)
+{
+ if (rka && refcount_dec_and_test(&rka->usage))
+ call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+}
+
+/*
* Dispose of the request_key_auth record under RCU conditions
*/
static void request_key_auth_rcu_disposal(struct rcu_head *rcu)
@@ -136,8 +162,10 @@ static void request_key_auth_revoke(stru
struct request_key_auth *rka = dereference_key_locked(key);
kenter("{%d}", key->serial);
+ if (!rka)
+ return;
rcu_assign_keypointer(key, NULL);
- call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+ request_key_auth_put(rka);
}
/*
@@ -150,7 +178,7 @@ static void request_key_auth_destroy(str
kenter("{%d}", key->serial);
if (rka) {
rcu_assign_keypointer(key, NULL);
- call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+ request_key_auth_put(rka);
}
}
@@ -174,6 +202,7 @@ struct key *request_key_auth_new(struct
rka = kzalloc(sizeof(*rka), GFP_KERNEL);
if (!rka)
goto error;
+ refcount_set(&rka->usage, 1);
rka->callout_info = kmemdup(callout_info, callout_len, GFP_KERNEL);
if (!rka->callout_info)
goto error_free_rka;
next prev parent reply other threads:[~2026-07-02 16:28 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 16:19 [PATCH 5.15 00/95] 5.15.211-rc1 review Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 01/95] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 02/95] net/sched: act_pedit: check static offsets a priori Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 03/95] net/sched: act_pedit: rate limit datapath messages Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 04/95] net/sched: fix pedit partial COW leading to page cache corruption Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 05/95] net/sched: act_pedit: free pedit keys on bail from offset check Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 06/95] drm/amd/display: Bound VBIOS record-chain walk loops Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 07/95] ip6_vti: set netns_immutable on the fallback device Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 08/95] drm/v3d: Store the active job inside the queues state Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 09/95] drm/v3d: Skip CSD when it has zeroed workgroups Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 10/95] batman-adv: tt: reject oversized local TVLV buffers Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 11/95] batman-adv: tt: prevent TVLV entry number overflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 12/95] iio: light: bh1780: fix PM runtime leak on error path Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 13/95] vfio/iommu_type1: replace kfree with kvfree Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 14/95] RDMA/bnxt_re: zero shared page before exposing to userspace Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 15/95] i2c: stub: Reject I2C block transfers with invalid length Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 16/95] net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 17/95] agp/amd64: Fix broken error propagation in agp_amd64_probe() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 18/95] xhci: fix memory leak regression when freeing xhci vdev devices depth first Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 19/95] af_unix: Reject SIOCATMARK on non-stream sockets Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 20/95] regulator: core: fix locking in regulator_resolve_supply() error path Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 21/95] vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 22/95] media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 23/95] virtiofs: fix UAF on submount umount Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 24/95] Revert "selftest/ptp: update ptp selftest to exercise the gettimex options" Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 25/95] Revert "ptp: add testptp mask test" Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 26/95] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 27/95] kselftest/arm64: signal: Skip SVE signal test if not enough VLs supported Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 28/95] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 29/95] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 30/95] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 31/95] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 32/95] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 33/95] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 34/95] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 35/95] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 36/95] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 37/95] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 38/95] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 39/95] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 40/95] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 41/95] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 42/95] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 43/95] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 44/95] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 45/95] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 46/95] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 47/95] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 48/95] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 49/95] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 50/95] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 51/95] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 52/95] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 53/95] ring-buffer: Remove ring_buffer_read_prepare_sync() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 54/95] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 55/95] ext4: add bounds check for inline data length in ext4_read_inline_page Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.15 56/95] crypto: af_alg - Set merge to zero early in af_alg_sendmsg Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 57/95] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 58/95] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
2026-07-02 16:20 ` Greg Kroah-Hartman [this message]
2026-07-02 16:20 ` [PATCH 5.15 60/95] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 61/95] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 62/95] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 63/95] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 64/95] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 65/95] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 66/95] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 67/95] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 68/95] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 69/95] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 70/95] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 71/95] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 72/95] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 73/95] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 74/95] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 75/95] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 76/95] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 77/95] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 78/95] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 79/95] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 80/95] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 81/95] mptcp: fix missing wakeups in edge scenarios Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 82/95] hv: utils: handle and propagate errors in kvp_register Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 83/95] misc: fastrpc: Add dma_mask to fastrpc_channel_ctx Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 84/95] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 85/95] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 86/95] phonet: Pass ifindex to fill_addr() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 87/95] phonet: Pass net and ifindex to phonet_address_notify() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 88/95] net: phonet: free phonet_device after RCU grace period Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 89/95] fuse: re-lock request before replacing page cache folio Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 90/95] ksmbd: reject non-VALID session in compound request branch Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 91/95] Documentation: ioctl-number: Extend "Include File" column width Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 92/95] crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 93/95] crypto: qat - Return pointer directly in adf_ctl_alloc_resources Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 94/95] crypto: qat - remove unused character device and IOCTLs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.15 95/95] dlm: prevent NPD when writing a positive value to event_done Greg Kroah-Hartman
2026-07-02 19:46 ` [PATCH 5.15 00/95] 5.15.211-rc1 review Brett A C Sheffield
2026-07-03 6:46 ` Ron Economos
2026-07-03 9:44 ` Pavel Machek
2026-07-03 13:56 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702155110.451512449@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=eeesssooo020@gmail.com \
--cc=jarkko@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox