From: David Howells Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100) Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent() Git-commit: 9d1ac65a9698513d00e5608d93fca0c53f536c14 Patch-mainline: 2.6.36-rc4 References: CVE-2010-2960 bnc#634637 Introduced-by: 2.6.32 KEYS: Fix RCU no-lock warning in keyctl_session_to_parent() There's an protected access to the parent process's credentials in the middle of keyctl_session_to_parent(). This results in the following RCU warning: =================================================== [ INFO: suspicious rcu_dereference_check() usage. ] --------------------------------------------------- security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection! other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 0 1 lock held by keyctl-session-/2137: #0: (tasklist_lock){.+.+..}, at: [] keyctl_session_to_parent+0x60/0x236 stack backtrace: Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1 Call Trace: [] lockdep_rcu_dereference+0xaa/0xb3 [] keyctl_session_to_parent+0xed/0x236 [] sys_keyctl+0xb4/0xb6 [] system_call_fastpath+0x16/0x1b The code should take the RCU read lock to make sure the parents credentials don't go away, even though it's holding a spinlock and has IRQ disabled. Signed-off-by: David Howells Signed-off-by: Linus Torvalds Acked-by: Jeff Mahoney --- security/keys/keyctl.c | 3 +++ 1 file changed, 3 insertions(+) --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1259,6 +1259,7 @@ long keyctl_session_to_parent(void) keyring_r = NULL; me = current; + rcu_read_lock(); write_lock_irq(&tasklist_lock); parent = me->real_parent; @@ -1313,6 +1314,7 @@ long keyctl_session_to_parent(void) set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME); write_unlock_irq(&tasklist_lock); + rcu_read_unlock(); if (oldcred) put_cred(oldcred); return 0; @@ -1321,6 +1323,7 @@ already_same: ret = 0; not_permitted: write_unlock_irq(&tasklist_lock); + rcu_read_unlock(); put_cred(cred); return ret;