When a key is being garbage collected, it's key->user would get put before
the ->destroy() callback is called, where the key is removed from it's
respective tracking structures.
This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).
This would cause either a panic, or corrupt memory.
Change-Id: I01a5ec17916864929458caa9d0fbefea2ca2c5e2
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit 5a64f79179)
f25e91801f