5 files changed, 28 insertions, 24 deletions
diff --git a/security/keys/key.c b/security/keys/key.c
index a057e3311aad..b6061fa29da7 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
        key_check(keyring);
+        key_ref = ERR_PTR(-ENOTDIR);
+        if (keyring->type != &key_type_keyring)
+                goto error_2;
        down_write(&keyring->sem);
        /* if we're going to allocate a new key, we're going to have
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d65a180f888d..bffa924c1f88 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search);
 /*
 * search the given keyring only (no recursion)
 * - keyring must be locked by caller
+ * - caller must guarantee that the keyring is a keyring
 */
 key_ref_t __keyring_search_one(key_ref_t keyring_ref,
                               const struct key_type *ktype,
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index f6940618e345..217a0bef3c82 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -168,11 +168,12 @@ error:
 */
 int install_process_keyring(struct task_struct *tsk)
 {
-        unsigned long flags;
        struct key *keyring;
        char buf[20];
        int ret;
+        might_sleep();
        if (!tsk->signal->process_keyring) {
                sprintf(buf, "_pid.%u", tsk->tgid);
@@ -183,12 +184,12 @@ int install_process_keyring(struct task_struct *tsk)
                }
                /* attach keyring */
-                spin_lock_irqsave(&tsk->sighand->siglock, flags);
+                spin_lock_irq(&tsk->sighand->siglock);
                if (!tsk->signal->process_keyring) {
                        tsk->signal->process_keyring = keyring;
                        keyring = NULL;
                }
-                spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
+                spin_unlock_irq(&tsk->sighand->siglock);
                key_put(keyring);
        }
@@ -207,38 +208,37 @@ error:
 static int install_session_keyring(struct task_struct *tsk,
                                   struct key *keyring)
 {
-        unsigned long flags;
        struct key *old;
        char buf[20];
-        int ret;
+        might_sleep();
        /* create an empty session keyring */
        if (!keyring) {
                sprintf(buf, "_ses.%u", tsk->tgid);
                keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
-                if (IS_ERR(keyring)) {
+                if (IS_ERR(keyring))
-                        ret = PTR_ERR(keyring);
+                        return PTR_ERR(keyring);
-                        goto error;
-                }
        }
        else {
                atomic_inc(&keyring->usage);
        }
        /* install the keyring */
-        spin_lock_irqsave(&tsk->sighand->siglock, flags);
+        spin_lock_irq(&tsk->sighand->siglock);
-        old = rcu_dereference(tsk->signal->session_keyring);
+        old = tsk->signal->session_keyring;
        rcu_assign_pointer(tsk->signal->session_keyring, keyring);
-        spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
+        spin_unlock_irq(&tsk->sighand->siglock);
-        ret = 0;
+        /* we're using RCU on the pointer, but there's no point synchronising
+         * on it if it didn't previously point to anything */
+        if (old) {
+                synchronize_rcu();
+                key_put(old);
+        }
-        /* we're using RCU on the pointer */
+        return 0;
-        synchronize_rcu();
-        key_put(old);
-error:
-        return ret;
 } /* end install_session_keyring() */
@@ -311,7 +311,6 @@ void exit_keys(struct task_struct *tsk)
 */
 int exec_keys(struct task_struct *tsk)
 {
-        unsigned long flags;
        struct key *old;
        /* newly exec'd tasks don't get a thread keyring */
@@ -323,10 +322,10 @@ int exec_keys(struct task_struct *tsk)
        key_put(old);
        /* discard the process keyring from a newly exec'd task */
-        spin_lock_irqsave(&tsk->sighand->siglock, flags);
+        spin_lock_irq(&tsk->sighand->siglock);
        old = tsk->signal->process_keyring;
        tsk->signal->process_keyring = NULL;
-        spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
+        spin_unlock_irq(&tsk->sighand->siglock);
        key_put(old);
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 640d0bfdbc68..84047f69f9c1 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -264,7 +264,7 @@ int mls_context_to_sid(char oldc,
        if (!selinux_mls_enabled) {
                if (def_sid != SECSID_NULL && oldc)
-                        *scontext += strlen(*scontext);
+                        *scontext += strlen(*scontext)+1;
                return 0;
        }
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index dfab6c886698..abe99d881376 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -281,7 +281,7 @@ u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
                int i;
                for (i = sp->len-1; i >= 0; i--) {
-                        struct xfrm_state *x = sp->x[i].xvec;
+                        struct xfrm_state *x = sp->xvec[i];
                        if (selinux_authorizable_xfrm(x)) {
                                struct xfrm_sec_ctx *ctx = x->security;
                                return ctx->ctx_sid;
@@ -314,7 +314,7 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
                 *  Only need to verify the existence of an authorizable sp.
                 */
                for (i = 0; i < sp->len; i++) {
-                        struct xfrm_state *x = sp->x[i].xvec;
+                        struct xfrm_state *x = sp->xvec[i];
                        if (x && selinux_authorizable_xfrm(x))
                                goto accept;

diff --git a/security/keys/key.c b/security/keys/key.c index a057e3311aad..b6061fa29da7 100644 --- a/security/keys/key.c +++ b/security/keys/key.c
@@ -785,6 +785,10 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
785		785
786	key_check(keyring);	786	key_check(keyring);
787		787
		788	key_ref = ERR_PTR(-ENOTDIR);
		789	if (keyring->type != &key_type_keyring)
		790	goto error_2;
		791
788	down_write(&keyring->sem);	792	down_write(&keyring->sem);
789		793
790	/* if we're going to allocate a new key, we're going to have	794	/* if we're going to allocate a new key, we're going to have


diff --git a/security/keys/keyring.c b/security/keys/keyring.c index d65a180f888d..bffa924c1f88 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c
@@ -437,6 +437,7 @@ EXPORT_SYMBOL(keyring_search);
437	/*	437	/*
438	* search the given keyring only (no recursion)	438	* search the given keyring only (no recursion)
439	* - keyring must be locked by caller	439	* - keyring must be locked by caller
		440	* - caller must guarantee that the keyring is a keyring
440	*/	441	*/
441	key_ref_t __keyring_search_one(key_ref_t keyring_ref,	442	key_ref_t __keyring_search_one(key_ref_t keyring_ref,
442	const struct key_type *ktype,	443	const struct key_type *ktype,


diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index f6940618e345..217a0bef3c82 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c
@@ -168,11 +168,12 @@ error:
168	*/	168	*/
169	int install_process_keyring(struct task_struct *tsk)	169	int install_process_keyring(struct task_struct *tsk)
170	{	170	{
171	unsigned long flags;
172	struct key *keyring;	171	struct key *keyring;
173	char buf[20];	172	char buf[20];
174	int ret;	173	int ret;
175		174
		175	might_sleep();
		176
176	if (!tsk->signal->process_keyring) {	177	if (!tsk->signal->process_keyring) {
177	sprintf(buf, "_pid.%u", tsk->tgid);	178	sprintf(buf, "_pid.%u", tsk->tgid);
178		179
@@ -183,12 +184,12 @@ int install_process_keyring(struct task_struct *tsk)
183	}	184	}
184		185
185	/* attach keyring */	186	/* attach keyring */
186	spin_lock_irqsave(&tsk->sighand->siglock, flags);	187	spin_lock_irq(&tsk->sighand->siglock);
187	if (!tsk->signal->process_keyring) {	188	if (!tsk->signal->process_keyring) {
188	tsk->signal->process_keyring = keyring;	189	tsk->signal->process_keyring = keyring;
189	keyring = NULL;	190	keyring = NULL;
190	}	191	}
191	spin_unlock_irqrestore(&tsk->sighand->siglock, flags);	192	spin_unlock_irq(&tsk->sighand->siglock);
192		193
193	key_put(keyring);	194	key_put(keyring);
194	}	195	}
@@ -207,38 +208,37 @@ error:
207	static int install_session_keyring(struct task_struct *tsk,	208	static int install_session_keyring(struct task_struct *tsk,
208	struct key *keyring)	209	struct key *keyring)
209	{	210	{
210	unsigned long flags;
211	struct key *old;	211	struct key *old;
212	char buf[20];	212	char buf[20];
213	int ret;	213
		214	might_sleep();
214		215
215	/* create an empty session keyring */	216	/* create an empty session keyring */
216	if (!keyring) {	217	if (!keyring) {
217	sprintf(buf, "_ses.%u", tsk->tgid);	218	sprintf(buf, "_ses.%u", tsk->tgid);
218		219
219	keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);	220	keyring = keyring_alloc(buf, tsk->uid, tsk->gid, 1, NULL);
220	if (IS_ERR(keyring)) {	221	if (IS_ERR(keyring))
221	ret = PTR_ERR(keyring);	222	return PTR_ERR(keyring);
222	goto error;
223	}
224	}	223	}
225	else {	224	else {
226	atomic_inc(&keyring->usage);	225	atomic_inc(&keyring->usage);
227	}	226	}
228		227
229	/* install the keyring */	228	/* install the keyring */
230	spin_lock_irqsave(&tsk->sighand->siglock, flags);	229	spin_lock_irq(&tsk->sighand->siglock);
231	old = rcu_dereference(tsk->signal->session_keyring);	230	old = tsk->signal->session_keyring;
232	rcu_assign_pointer(tsk->signal->session_keyring, keyring);	231	rcu_assign_pointer(tsk->signal->session_keyring, keyring);
233	spin_unlock_irqrestore(&tsk->sighand->siglock, flags);	232	spin_unlock_irq(&tsk->sighand->siglock);
234		233
235	ret = 0;	234	/* we're using RCU on the pointer, but there's no point synchronising
		235	* on it if it didn't previously point to anything */
		236	if (old) {
		237	synchronize_rcu();
		238	key_put(old);
		239	}
236		240
237	/* we're using RCU on the pointer */	241	return 0;
238	synchronize_rcu();
239	key_put(old);
240	error:
241	return ret;
242		242
243	} /* end install_session_keyring() */	243	} /* end install_session_keyring() */
244		244
@@ -311,7 +311,6 @@ void exit_keys(struct task_struct *tsk)
311	*/	311	*/
312	int exec_keys(struct task_struct *tsk)	312	int exec_keys(struct task_struct *tsk)
313	{	313	{
314	unsigned long flags;
315	struct key *old;	314	struct key *old;
316		315
317	/* newly exec'd tasks don't get a thread keyring */	316	/* newly exec'd tasks don't get a thread keyring */
@@ -323,10 +322,10 @@ int exec_keys(struct task_struct *tsk)
323	key_put(old);	322	key_put(old);
324		323
325	/* discard the process keyring from a newly exec'd task */	324	/* discard the process keyring from a newly exec'd task */
326	spin_lock_irqsave(&tsk->sighand->siglock, flags);	325	spin_lock_irq(&tsk->sighand->siglock);
327	old = tsk->signal->process_keyring;	326	old = tsk->signal->process_keyring;
328	tsk->signal->process_keyring = NULL;	327	tsk->signal->process_keyring = NULL;
329	spin_unlock_irqrestore(&tsk->sighand->siglock, flags);	328	spin_unlock_irq(&tsk->sighand->siglock);
330		329
331	key_put(old);	330	key_put(old);
332		331


diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 640d0bfdbc68..84047f69f9c1 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c
@@ -264,7 +264,7 @@ int mls_context_to_sid(char oldc,
264		264
265	if (!selinux_mls_enabled) {	265	if (!selinux_mls_enabled) {
266	if (def_sid != SECSID_NULL && oldc)	266	if (def_sid != SECSID_NULL && oldc)
267	scontext += strlen(scontext);	267	scontext += strlen(scontext)+1;
268	return 0;	268	return 0;
269	}	269	}
270		270


diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index dfab6c886698..abe99d881376 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c
@@ -281,7 +281,7 @@ u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
281	int i;	281	int i;
282		282
283	for (i = sp->len-1; i >= 0; i--) {	283	for (i = sp->len-1; i >= 0; i--) {
284	struct xfrm_state *x = sp->x[i].xvec;	284	struct xfrm_state *x = sp->xvec[i];
285	if (selinux_authorizable_xfrm(x)) {	285	if (selinux_authorizable_xfrm(x)) {
286	struct xfrm_sec_ctx *ctx = x->security;	286	struct xfrm_sec_ctx *ctx = x->security;
287	return ctx->ctx_sid;	287	return ctx->ctx_sid;
@@ -314,7 +314,7 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
314	* Only need to verify the existence of an authorizable sp.	314	* Only need to verify the existence of an authorizable sp.
315	*/	315	*/
316	for (i = 0; i < sp->len; i++) {	316	for (i = 0; i < sp->len; i++) {
317	struct xfrm_state *x = sp->x[i].xvec;	317	struct xfrm_state *x = sp->xvec[i];
318		318
319	if (x && selinux_authorizable_xfrm(x))	319	if (x && selinux_authorizable_xfrm(x))
320	goto accept;	320	goto accept;