When searching a keyring or iterating over all the contents of a keyring, we set KEYRING_SEARCH_DO_STATE_CHECK before checking the root keyring so that the iterator function will ensure that we have permission to search that keyring. However, we should restore the value of the flag afterwards as it will otherwise affect all other keys checked by the iterator. Signed-off-by: David Howells <dhowells@xxxxxxxxxx> --- security/keys/keyring.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 8177010174f7..f44b3a8d605a 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -636,6 +636,7 @@ static bool search_nested_keyrings(struct key *keyring, */ if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE || keyring_compare_object(keyring, &ctx->index_key)) { + unsigned long saved_flags = ctx->flags; ctx->skipped_ret = 2; ctx->flags |= KEYRING_SEARCH_DO_STATE_CHECK; switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) { @@ -644,6 +645,7 @@ static bool search_nested_keyrings(struct key *keyring, case 2: return false; default: + ctx->flags = saved_flags; break; } }
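Review bot: In the first hunk (@@ -636,6 +636,7 @@), `saved_flags` snapshots the whole of `ctx->flags`, so the later restore also discards any other flag bit the iterator changed during the call, not only KEYRING_SEARCH_DO_STATE_CHECK. If only that bit is meant to be reverted, record whether it was set on entry and clear just that bit afterwards, or add a comment stating that the iterator never modifies `ctx->flags`. The declared type `unsigned long` should also be checked against the type of the `flags` member, which is not visible in this hunk.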
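Review bot: In the second hunk (@@ -644,6 +645,7 @@), `ctx->flags = saved_flags;` is reached only through `default:`, so the `case 2: return false;` path visible just above it returns with KEYRING_SEARCH_DO_STATE_CHECK still set in `ctx`. If the caller reuses the same search context after that return, the permission-check flag leaks in the same way the commit message describes. Consider storing the iterator result in a local, restoring `ctx->flags` immediately after the call, and then switching on the stored result, so every exit path sees the original flags.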