diff --git a/security/keys/gc.c b/security/keys/gc.c
index 19902319d097acc75ef6246d6981e33b43a8c69f..a46e825cbf0265311288115453ee25227baa28e4 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -77,10 +77,10 @@ static bool key_gc_keyring(struct key *keyring, time_t limit)
 		goto dont_gc;
 
 	/* scan the keyring looking for dead keys */
-	klist = rcu_dereference_check(keyring->payload.subscriptions,
-				      lockdep_is_held(&key_serial_lock));
+	rcu_read_lock();
+	klist = rcu_dereference(keyring->payload.subscriptions);
 	if (!klist)
-		goto dont_gc;
+		goto unlock_dont_gc;
 
 	for (loop = klist->nkeys - 1; loop >= 0; loop--) {
 		key = klist->keys[loop];
@@ -89,11 +89,14 @@ static bool key_gc_keyring(struct key *keyring, time_t limit)
 			goto do_gc;
 	}
 
+unlock_dont_gc:
+	rcu_read_unlock();
 dont_gc:
 	kleave(" = false");
 	return false;
 
 do_gc:
+	rcu_read_unlock();
 	key_gc_cursor = keyring->serial;
 	key_get(keyring);
 	spin_unlock(&key_serial_lock);
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 7c687d568221cd71a3e863b9c9c50f5cd9352005..e9aa079296561507835e0e349a55f07b11bec5bb 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -199,7 +199,8 @@ long user_read(const struct key *key, char __user *buffer, size_t buflen)
 	struct user_key_payload *upayload;
 	long ret;
 
-	upayload = rcu_dereference(key->payload.data);
+	upayload = rcu_dereference_protected(
+		key->payload.data, rwsem_is_locked(&((struct key *)key)->sem));
 	ret = upayload->datalen;
 
 	/* we can return the data as is */