Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux...

[mirror_ubuntu-bionic-kernel.git] / security / keys / gc.c

diff --git a/security/keys/gc.c b/security/keys/gc.c
index 9cb4fe4478a137e7bb3352ae958830657f6b5b7c..595becc6d0d259a017be1305842f6208562324bb 100644 (file)
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -220,7 +220,7 @@ continue_scanning:
                key = rb_entry(cursor, struct key, serial_node);
                cursor = rb_next(cursor);
 
-               if (atomic_read(&key->usage) == 0)
+               if (refcount_read(&key->usage) == 0)
                        goto found_unreferenced_key;
 
                if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) {
@@ -229,6 +229,9 @@ continue_scanning:
                                set_bit(KEY_FLAG_DEAD, &key->flags);
                                key->perm = 0;
                                goto skip_dead_key;
+                       } else if (key->type == &key_type_keyring &&
+                                  key->restrict_link) {
+                               goto found_restricted_keyring;
                        }
                }
 
@@ -334,6 +337,14 @@ found_unreferenced_key:
        gc_state |= KEY_GC_REAP_AGAIN;
        goto maybe_resched;
 
+       /* We found a restricted keyring and need to update the restriction if
+        * it is associated with the dead key type.
+        */
+found_restricted_keyring:
+       spin_unlock(&key_serial_lock);
+       keyring_restriction_gc(key, key_gc_dead_keytype);
+       goto maybe_resched;
+
        /* We found a keyring and we need to check the payload for links to
         * dead or expired keys.  We don't flag another reap immediately as we
         * have to wait for the old payload to be destroyed by RCU before we