From: Greg Kroah-Hartman Date: Sat, 30 May 2026 10:38:28 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.10.258~10 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=3a3f434545f3e5a322697ae4d7efe0fcfb7e2fef;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: security-keys-fix-missed-rcu-read-section-on-lookup.patch --- diff --git a/queue-6.1/security-keys-fix-missed-rcu-read-section-on-lookup.patch b/queue-6.1/security-keys-fix-missed-rcu-read-section-on-lookup.patch new file mode 100644 index 0000000000..ce83f4b876 --- /dev/null +++ b/queue-6.1/security-keys-fix-missed-rcu-read-section-on-lookup.patch 
@@ -0,0 +1,48 @@ +From 43a1e3744548e6fd85873e6fb43e293eb4010694 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 28 May 2026 11:45:41 -0700 +Subject: security/keys: fix missed RCU read section on lookup + +From: Linus Torvalds + +commit 43a1e3744548e6fd85873e6fb43e293eb4010694 upstream. + +Nicholas Carlini reports that the keyring code calls assoc_array_find() +in find_key_to_update() without holding the RCU read lock, while the +assoc_array_gc() code really is designed around removing the node from +the tree and then freeing it after an RCU grace-period. + +The regular key handling doesn't see this because holding the keyring +semaphore hides any lifetime issues, but the persistent key handling +uses a different model. + +Instead of extending the keyring locking, just do the simple RCU locking +that the assoc_array was designed for. + +Reported-by: Nicholas Carlini +Cc: David Howells +Cc: Jarkko Sakkinen +Cc: Paul Moore +Cc: James Morris James Morris +Cc: Serge E. Hallyn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/keyring.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index b39038f7dd31..5a9887d6b7be 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -1109,6 +1109,7 @@ key_ref_t find_key_to_update(key_ref_t keyring_ref, + kenter("{%d},{%s,%s}", + keyring->serial, index_key->type->name, index_key->description); + ++ guard(rcu)(); + object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops, + index_key); + +-- +2.54.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 6edbb6c691..04bc81cd61 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -966,3 +966,4 @@ string-add-mem_is_zero-helper-to-check-if-memory-are.patch gpiolib-cdev-use-mem_is_zero-instead-of-memchr_inv-s.patch gpio-cdev-check-if-uapi-v2-config-attributes-are-cor.patch net-mana-validate-rx_req_idx-to-prevent-out-of-bound.patch +security-keys-fix-missed-rcu-read-section-on-lookup.patch
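
Review bot: The `guard(rcu)();` line added ahead of `assoc_array_find()` in `find_key_to_update()` relies on the scope-based cleanup helpers, yet the hunk is a single insertion with no new include, and the `queue-6.1/series` change adds no prerequisite patch. Please confirm the 6.1 tree already provides `guard(rcu)`; if it does not, an explicit `rcu_read_lock()` / `rcu_read_unlock()` pair around the lookup and the use of its result is the equivalent backport. Note also that the guard holds the read lock until the function returns, not just across the lookup. That wider scope is what keeps `object` valid against the free-after-grace-period behaviour the commit message describes for `assoc_array_gc()`, and it means nothing after the lookup in this function (not visible in the hunk) may sleep.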