2 files changed, 17 insertions, 6 deletions
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 485fc6233c38..4770be375ffe 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -169,9 +169,9 @@ static void key_garbage_collector(struct work_struct *work)
        /* trawl through the keys looking for keyrings */
        for (;;) {
-                if (key->expiry > now && key->expiry < new_timer) {
+                if (key->expiry > limit && key->expiry < new_timer) {
                        kdebug("will expire %x in %ld",
-                               key_serial(key), key->expiry - now);
+                               key_serial(key), key->expiry - limit);
                        new_timer = key->expiry;
                }
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 1ed0f076aadc..b4b5da1c0a42 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -868,8 +868,19 @@ u32 avc_policy_seqno(void)
 void avc_disable(void)
 {
-        avc_flush();
+        /*
-        synchronize_rcu();
+         * If you are looking at this because you have realized that we are
-        if (avc_node_cachep)
+         * not destroying the avc_node_cachep it might be easy to fix, but
-                kmem_cache_destroy(avc_node_cachep);
+         * I don't know the memory barrier semantics well enough to know.  It's
+         * possible that some other task dereferenced security_ops when
+         * it still pointed to selinux operations.  If that is the case it's
+         * possible that it is about to use the avc and is about to need the
+         * avc_node_cachep.  I know I could wrap the security.c security_ops call
+         * in an rcu_lock, but seriously, it's not worth it.  Instead I just flush
+         * the cache and get that memory back.
+         */
+        if (avc_node_cachep) {
+                avc_flush();
+                /* kmem_cache_destroy(avc_node_cachep); */
+        }
 }