/* Keyring handling

   *

   * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.

   * Written by David Howells (dhowells@redhat.com)
   *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
   * as published by the Free Software Foundation; either version
   * 2 of the License, or (at your option) any later version.
   */
  
  #include <linux/module.h>
  #include <linux/init.h>
  #include <linux/sched.h>
  #include <linux/slab.h>

  #include <linux/security.h>

  #include <linux/seq_file.h>
  #include <linux/err.h>

  #include <keys/keyring-type.h>

  #include <linux/uaccess.h>

  #include "internal.h"

  #define rcu_dereference_locked_keyring(keyring)				\
  	(rcu_dereference_protected(					\
  		(keyring)->payload.subscriptions,			\
  		rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))

  #define KEY_LINK_FIXQUOTA 1UL

  /*

   * When plumbing the depths of the key tree, this sets a hard limit
   * set on how deep we're willing to go.

   */
  #define KEYRING_SEARCH_MAX_DEPTH 6
  
  /*

   * We keep all named keyrings in a hash to speed looking them up.

   */
  #define KEYRING_NAME_HASH_SIZE	(1 << 5)
  
  static struct list_head	keyring_name_hash[KEYRING_NAME_HASH_SIZE];
  static DEFINE_RWLOCK(keyring_name_lock);
  
  static inline unsigned keyring_hash(const char *desc)
  {
  	unsigned bucket = 0;
  
  	for (; *desc; desc++)

  		bucket += (unsigned char)*desc;

  
  	return bucket & (KEYRING_NAME_HASH_SIZE - 1);
  }
  
  /*

   * The keyring key type definition.  Keyrings are simply keys of this type and
   * can be treated as ordinary keys in addition to having their own special
   * operations.

   */
  static int keyring_instantiate(struct key *keyring,
  			       const void *data, size_t datalen);

  static int keyring_match(const struct key *keyring, const void *criterion);

  static void keyring_revoke(struct key *keyring);

  static void keyring_destroy(struct key *keyring);
  static void keyring_describe(const struct key *keyring, struct seq_file *m);
  static long keyring_read(const struct key *keyring,
  			 char __user *buffer, size_t buflen);
  
  struct key_type key_type_keyring = {
  	.name		= "keyring",
  	.def_datalen	= sizeof(struct keyring_list),
  	.instantiate	= keyring_instantiate,

  	.match		= keyring_match,

  	.revoke		= keyring_revoke,

  	.destroy	= keyring_destroy,
  	.describe	= keyring_describe,
  	.read		= keyring_read,
  };

  EXPORT_SYMBOL(key_type_keyring);

  /*

   * Semaphore to serialise link/link calls to prevent two link calls in parallel
   * introducing a cycle.

   */

  static DECLARE_RWSEM(keyring_serialise_link_sem);

  /*

   * Publish the name of a keyring so that it can be found by name (if it has
   * one).

   */

  static void keyring_publish_name(struct key *keyring)

  {
  	int bucket;
  
  	if (keyring->description) {
  		bucket = keyring_hash(keyring->description);
  
  		write_lock(&keyring_name_lock);
  
  		if (!keyring_name_hash[bucket].next)
  			INIT_LIST_HEAD(&keyring_name_hash[bucket]);
  
  		list_add_tail(&keyring->type_data.link,
  			      &keyring_name_hash[bucket]);
  
  		write_unlock(&keyring_name_lock);
  	}

  }

  /*

   * Initialise a keyring.
   *
   * Returns 0 on success, -EINVAL if given any data.

   */
  static int keyring_instantiate(struct key *keyring,
  			       const void *data, size_t datalen)
  {
  	int ret;
  
  	ret = -EINVAL;
  	if (datalen == 0) {
  		/* make the keyring available by name if it has one */
  		keyring_publish_name(keyring);
  		ret = 0;
  	}
  
  	return ret;

  }

  /*

   * Match keyrings on their name

   */
  static int keyring_match(const struct key *keyring, const void *description)
  {
  	return keyring->description &&
  		strcmp(keyring->description, description) == 0;

  }

  /*

   * Clean up a keyring when it is destroyed.  Unpublish its name if it had one
   * and dispose of its data.

   */
  static void keyring_destroy(struct key *keyring)
  {
  	struct keyring_list *klist;
  	int loop;
  
  	if (keyring->description) {
  		write_lock(&keyring_name_lock);

  
  		if (keyring->type_data.link.next != NULL &&
  		    !list_empty(&keyring->type_data.link))
  			list_del(&keyring->type_data.link);

  		write_unlock(&keyring_name_lock);
  	}

  	klist = rcu_dereference_check(keyring->payload.subscriptions,

  				      atomic_read(&keyring->usage) == 0);

  	if (klist) {
  		for (loop = klist->nkeys - 1; loop >= 0; loop--)
  			key_put(klist->keys[loop]);
  		kfree(klist);
  	}

  }

  /*

   * Describe a keyring for /proc.

   */
  static void keyring_describe(const struct key *keyring, struct seq_file *m)
  {
  	struct keyring_list *klist;

  	if (keyring->description)

  		seq_puts(m, keyring->description);

  	else

  		seq_puts(m, "[anon]");

  	if (key_is_instantiated(keyring)) {
  		rcu_read_lock();
  		klist = rcu_dereference(keyring->payload.subscriptions);
  		if (klist)
  			seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
  		else
  			seq_puts(m, ": empty");
  		rcu_read_unlock();
  	}

  }

  /*

   * Read a list of key IDs from the keyring's contents in binary form
   *
   * The keyring's semaphore is read-locked by the caller.

   */
  static long keyring_read(const struct key *keyring,
  			 char __user *buffer, size_t buflen)
  {
  	struct keyring_list *klist;
  	struct key *key;
  	size_t qty, tmp;
  	int loop, ret;
  
  	ret = 0;

  	klist = rcu_dereference_locked_keyring(keyring);

  	if (klist) {
  		/* calculate how much data we could return */
  		qty = klist->nkeys * sizeof(key_serial_t);
  
  		if (buffer && buflen > 0) {
  			if (buflen > qty)
  				buflen = qty;
  
  			/* copy the IDs of the subscribed keys into the
  			 * buffer */
  			ret = -EFAULT;
  
  			for (loop = 0; loop < klist->nkeys; loop++) {
  				key = klist->keys[loop];
  
  				tmp = sizeof(key_serial_t);
  				if (tmp > buflen)
  					tmp = buflen;
  
  				if (copy_to_user(buffer,
  						 &key->serial,
  						 tmp) != 0)
  					goto error;
  
  				buflen -= tmp;
  				if (buflen == 0)
  					break;
  				buffer += tmp;
  			}
  		}
  
  		ret = qty;
  	}

  error:

  	return ret;

  }

  /*

   * Allocate a keyring and link into the destination keyring.

   */
  struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,

  			  const struct cred *cred, unsigned long flags,

  			  struct key *dest)

  {
  	struct key *keyring;
  	int ret;
  
  	keyring = key_alloc(&key_type_keyring, description,

  			    uid, gid, cred,

  			    (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,

  			    flags);

  
  	if (!IS_ERR(keyring)) {

  		ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);

  		if (ret < 0) {
  			key_put(keyring);
  			keyring = ERR_PTR(ret);
  		}
  	}
  
  	return keyring;

  }

  /**
   * keyring_search_aux - Search a keyring tree for a key matching some criteria
   * @keyring_ref: A pointer to the keyring with possession indicator.
   * @cred: The credentials to use for permissions checks.
   * @type: The type of key to search for.
   * @description: Parameter for @match.
   * @match: Function to rule on whether or not a key is the one required.

   * @no_state_check: Don't check if a matching key is bad

   *
   * Search the supplied keyring tree for a key that matches the criteria given.
   * The root keyring and any linked keyrings must grant Search permission to the
   * caller to be searchable and keys can only be found if they too grant Search
   * to the caller. The possession flag on the root keyring pointer controls use
   * of the possessor bits in permissions checking of the entire tree.  In
   * addition, the LSM gets to forbid keyring searches and key matches.
   *
   * The search is performed as a breadth-then-depth search up to the prescribed
   * limit (KEYRING_SEARCH_MAX_DEPTH).
   *
   * Keys are matched to the type provided and are then filtered by the match
   * function, which is given the description to use in any way it sees fit.  The
   * match function may use any attributes of a key that it wishes to to
   * determine the match.  Normally the match function from the key type would be
   * used.
   *
   * RCU is used to prevent the keyring key lists from disappearing without the
   * need to take lots of locks.
   *
   * Returns a pointer to the found key and increments the key usage count if
   * successful; -EAGAIN if no matching keys were found, or if expired or revoked
   * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
   * specified keyring wasn't a keyring.
   *
   * In the case of a successful return, the possession attribute from
   * @keyring_ref is propagated to the returned key reference.

   */

  key_ref_t keyring_search_aux(key_ref_t keyring_ref,

  			     const struct cred *cred,

  			     struct key_type *type,
  			     const void *description,

  			     key_match_func_t match,
  			     bool no_state_check)

  {
  	struct {

  		struct keyring_list *keylist;

  		int kix;
  	} stack[KEYRING_SEARCH_MAX_DEPTH];
  
  	struct keyring_list *keylist;
  	struct timespec now;

  	unsigned long possessed, kflags;

  	struct key *keyring, *key;
  	key_ref_t key_ref;

  	long err;

  	int sp, kix;

  	keyring = key_ref_to_ptr(keyring_ref);
  	possessed = is_key_possessed(keyring_ref);

  	key_check(keyring);
  
  	/* top keyring must have search permission to begin the search */

  	err = key_task_permission(keyring_ref, cred, KEY_SEARCH);

  	if (err < 0) {
  		key_ref = ERR_PTR(err);

  		goto error;

  	}

  	key_ref = ERR_PTR(-ENOTDIR);

  	if (keyring->type != &key_type_keyring)
  		goto error;

  	rcu_read_lock();

  	now = current_kernel_time();
  	err = -EAGAIN;
  	sp = 0;

  	/* firstly we should check to see if this top-level keyring is what we
  	 * are looking for */
  	key_ref = ERR_PTR(-EAGAIN);
  	kflags = keyring->flags;
  	if (keyring->type == type && match(keyring, description)) {
  		key = keyring;

  		if (no_state_check)
  			goto found;

  
  		/* check it isn't negative and hasn't expired or been
  		 * revoked */
  		if (kflags & (1 << KEY_FLAG_REVOKED))
  			goto error_2;
  		if (key->expiry && now.tv_sec >= key->expiry)
  			goto error_2;

  		key_ref = ERR_PTR(key->type_data.reject_error);

  		if (kflags & (1 << KEY_FLAG_NEGATIVE))
  			goto error_2;
  		goto found;
  	}
  
  	/* otherwise, the top keyring must not be revoked, expired, or
  	 * negatively instantiated if we are to search it */
  	key_ref = ERR_PTR(-EAGAIN);
  	if (kflags & ((1 << KEY_FLAG_REVOKED) | (1 << KEY_FLAG_NEGATIVE)) ||
  	    (keyring->expiry && now.tv_sec >= keyring->expiry))
  		goto error_2;

  	/* start processing a new keyring */

  descend:

  	if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))

  		goto not_this_keyring;

  	keylist = rcu_dereference(keyring->payload.subscriptions);

  	if (!keylist)
  		goto not_this_keyring;
  
  	/* iterate through the keys in this keyring first */
  	for (kix = 0; kix < keylist->nkeys; kix++) {
  		key = keylist->keys[kix];

  		kflags = key->flags;

  
  		/* ignore keys not of this type */
  		if (key->type != type)
  			continue;
  
  		/* skip revoked keys and expired keys */

  		if (!no_state_check) {
  			if (kflags & (1 << KEY_FLAG_REVOKED))
  				continue;

  			if (key->expiry && now.tv_sec >= key->expiry)
  				continue;
  		}

  
  		/* keys that don't match */
  		if (!match(key, description))
  			continue;
  
  		/* key must have search permissions */

  		if (key_task_permission(make_key_ref(key, possessed),

  					cred, KEY_SEARCH) < 0)

  			continue;

  		if (no_state_check)
  			goto found;

  		/* we set a different error code if we pass a negative key */
  		if (kflags & (1 << KEY_FLAG_NEGATIVE)) {

  			err = key->type_data.reject_error;

  			continue;
  		}
  
  		goto found;
  	}
  
  	/* search through the keyrings nested in this one */
  	kix = 0;

  ascend:

  	for (; kix < keylist->nkeys; kix++) {

  		key = keylist->keys[kix];
  		if (key->type != &key_type_keyring)

  			continue;

  
  		/* recursively search nested keyrings
  		 * - only search keyrings for which we have search permission
  		 */
  		if (sp >= KEYRING_SEARCH_MAX_DEPTH)

  			continue;

  		if (key_task_permission(make_key_ref(key, possessed),

  					cred, KEY_SEARCH) < 0)

  			continue;

  
  		/* stack the current position */

  		stack[sp].keylist = keylist;

  		stack[sp].kix = kix;
  		sp++;
  
  		/* begin again with the new keyring */
  		keyring = key;
  		goto descend;

  	}
  
  	/* the keyring we're looking at was disqualified or didn't contain a
  	 * matching key */

  not_this_keyring:

  	if (sp > 0) {
  		/* resume the processing of a keyring higher up in the tree */
  		sp--;

  		keylist = stack[sp].keylist;

  		kix = stack[sp].kix + 1;
  		goto ascend;
  	}

  	key_ref = ERR_PTR(err);
  	goto error_2;

  
  	/* we found a viable match */

  found:

  	atomic_inc(&key->usage);

  	key_check(key);

  	key_ref = make_key_ref(key, possessed);
  error_2:

  	rcu_read_unlock();

  error:
  	return key_ref;

  }

  /**
   * keyring_search - Search the supplied keyring tree for a matching key
   * @keyring: The root of the keyring tree to be searched.
   * @type: The type of keyring we want to find.
   * @description: The name of the keyring we want to find.
   *
   * As keyring_search_aux() above, but using the current task's credentials and
   * type's default matching function.

   */

  key_ref_t keyring_search(key_ref_t keyring,
  			 struct key_type *type,
  			 const char *description)

  {

  	if (!type->match)
  		return ERR_PTR(-ENOKEY);

  	return keyring_search_aux(keyring, current->cred,

  				  type, description, type->match, false);

  }

  EXPORT_SYMBOL(keyring_search);

  /*

   * Search the given keyring only (no recursion).
   *
   * The caller must guarantee that the keyring is a keyring and that the
   * permission is granted to search the keyring as no check is made here.
   *
   * RCU is used to make it unnecessary to lock the keyring key list here.
   *
   * Returns a pointer to the found key with usage count incremented if
   * successful and returns -ENOKEY if not found.  Revoked keys and keys not
   * providing the requested permission are skipped over.
   *
   * If successful, the possession indicator is propagated from the keyring ref
   * to the returned key reference.

   */

  key_ref_t __keyring_search_one(key_ref_t keyring_ref,
  			       const struct key_type *ktype,
  			       const char *description,
  			       key_perm_t perm)

  {
  	struct keyring_list *klist;

  	unsigned long possessed;
  	struct key *keyring, *key;

  	int loop;

  	keyring = key_ref_to_ptr(keyring_ref);
  	possessed = is_key_possessed(keyring_ref);

  	rcu_read_lock();
  
  	klist = rcu_dereference(keyring->payload.subscriptions);

  	if (klist) {
  		for (loop = 0; loop < klist->nkeys; loop++) {
  			key = klist->keys[loop];
  
  			if (key->type == ktype &&

  			    (!key->type->match ||
  			     key->type->match(key, description)) &&

  			    key_permission(make_key_ref(key, possessed),

  					   perm) == 0 &&

  			    !test_bit(KEY_FLAG_REVOKED, &key->flags)

  			    )
  				goto found;
  		}
  	}

  	rcu_read_unlock();
  	return ERR_PTR(-ENOKEY);

  found:

  	atomic_inc(&key->usage);

  	rcu_read_unlock();

  	return make_key_ref(key, possessed);

  }

  /*

   * Find a keyring with the specified name.
   *
   * All named keyrings in the current user namespace are searched, provided they
   * grant Search permission directly to the caller (unless this check is
   * skipped).  Keyrings whose usage points have reached zero or who have been
   * revoked are skipped.
   *
   * Returns a pointer to the keyring with the keyring's refcount having being
   * incremented on success.  -ENOKEY is returned if a key could not be found.

   */

  struct key *find_keyring_by_name(const char *name, bool skip_perm_check)

  {
  	struct key *keyring;
  	int bucket;

  	if (!name)

  		return ERR_PTR(-EINVAL);

  
  	bucket = keyring_hash(name);
  
  	read_lock(&keyring_name_lock);
  
  	if (keyring_name_hash[bucket].next) {
  		/* search this hash bucket for a keyring with a matching name
  		 * that's readable and that hasn't been revoked */
  		list_for_each_entry(keyring,
  				    &keyring_name_hash[bucket],
  				    type_data.link
  				    ) {

  			if (keyring->user->user_ns != current_user_ns())
  				continue;

  			if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))

  				continue;
  
  			if (strcmp(keyring->description, name) != 0)
  				continue;

  			if (!skip_perm_check &&
  			    key_permission(make_key_ref(keyring, 0),

  					   KEY_SEARCH) < 0)

  				continue;

  			/* we've got a match but we might end up racing with
  			 * key_cleanup() if the keyring is currently 'dead'
  			 * (ie. it has a zero usage count) */
  			if (!atomic_inc_not_zero(&keyring->usage))
  				continue;
  			goto out;

  		}
  	}

  	keyring = ERR_PTR(-ENOKEY);

  out:
  	read_unlock(&keyring_name_lock);

  	return keyring;

  }

  /*

   * See if a cycle will will be created by inserting acyclic tree B in acyclic
   * tree A at the topmost level (ie: as a direct child of A).
   *
   * Since we are adding B to A at the top level, checking for cycles should just
   * be a matter of seeing if node A is somewhere in tree B.

   */
  static int keyring_detect_cycle(struct key *A, struct key *B)
  {
  	struct {

  		struct keyring_list *keylist;

  		int kix;
  	} stack[KEYRING_SEARCH_MAX_DEPTH];
  
  	struct keyring_list *keylist;
  	struct key *subtree, *key;
  	int sp, kix, ret;

  	rcu_read_lock();

  	ret = -EDEADLK;
  	if (A == B)

  		goto cycle_detected;

  
  	subtree = B;
  	sp = 0;
  
  	/* start processing a new keyring */

  descend:

  	if (test_bit(KEY_FLAG_REVOKED, &subtree->flags))

  		goto not_this_keyring;

  	keylist = rcu_dereference(subtree->payload.subscriptions);

  	if (!keylist)
  		goto not_this_keyring;
  	kix = 0;

  ascend:

  	/* iterate through the remaining keys in this keyring */
  	for (; kix < keylist->nkeys; kix++) {
  		key = keylist->keys[kix];
  
  		if (key == A)
  			goto cycle_detected;
  
  		/* recursively check nested keyrings */
  		if (key->type == &key_type_keyring) {
  			if (sp >= KEYRING_SEARCH_MAX_DEPTH)
  				goto too_deep;
  
  			/* stack the current position */

  			stack[sp].keylist = keylist;

  			stack[sp].kix = kix;
  			sp++;
  
  			/* begin again with the new keyring */
  			subtree = key;
  			goto descend;
  		}
  	}
  
  	/* the keyring we're looking at was disqualified or didn't contain a
  	 * matching key */

  not_this_keyring:

  	if (sp > 0) {
  		/* resume the checking of a keyring higher up in the tree */
  		sp--;

  		keylist = stack[sp].keylist;

  		kix = stack[sp].kix + 1;
  		goto ascend;
  	}
  
  	ret = 0; /* no cycles detected */

  error:

  	rcu_read_unlock();

  	return ret;

  too_deep:

  	ret = -ELOOP;

  	goto error;

  cycle_detected:

  	ret = -EDEADLK;

  	goto error;

  }

  /*

   * Dispose of a keyring list after the RCU grace period, freeing the unlinked

   * key
   */
  static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
  {
  	struct keyring_list *klist =
  		container_of(rcu, struct keyring_list, rcu);

  	if (klist->delkey != USHRT_MAX)

  		key_put(klist->keys[klist->delkey]);

  	kfree(klist);

  }

  /*

   * Preallocate memory so that a key can be linked into to a keyring.

   */

  int __key_link_begin(struct key *keyring, const struct key_type *type,

  		     const char *description, unsigned long *_prealloc)

  	__acquires(&keyring->sem)

  {
  	struct keyring_list *klist, *nklist;

  	unsigned long prealloc;

  	unsigned max;
  	size_t size;

  	int loop, ret;

  	kenter("%d,%s,%s,", key_serial(keyring), type->name, description);

  	if (keyring->type != &key_type_keyring)

  		return -ENOTDIR;
  
  	down_write(&keyring->sem);
  
  	ret = -EKEYREVOKED;
  	if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
  		goto error_krsem;

  	/* serialise link/link calls to prevent parallel calls causing a cycle
  	 * when linking two keyring in opposite orders */
  	if (type == &key_type_keyring)

  		down_write(&keyring_serialise_link_sem);

  	klist = rcu_dereference_locked_keyring(keyring);

  	/* see if there's a matching key we can displace */

  	if (klist && klist->nkeys > 0) {

  		for (loop = klist->nkeys - 1; loop >= 0; loop--) {
  			if (klist->keys[loop]->type == type &&
  			    strcmp(klist->keys[loop]->description,

  				   description) == 0

  			    ) {

  				/* found a match - we'll replace this one with
  				 * the new key */

  				size = sizeof(struct key *) * klist->maxkeys;
  				size += sizeof(*klist);
  				BUG_ON(size > PAGE_SIZE);
  
  				ret = -ENOMEM;

  				nklist = kmemdup(klist, size, GFP_KERNEL);

  				if (!nklist)

  					goto error_sem;

  				/* note replacement slot */
  				klist->delkey = nklist->delkey = loop;

  				prealloc = (unsigned long)nklist;

  				goto done;
  			}
  		}
  	}

  	/* check that we aren't going to overrun the user's quota */
  	ret = key_payload_reserve(keyring,
  				  keyring->datalen + KEYQUOTA_LINK_BYTES);
  	if (ret < 0)

  		goto error_sem;

  	if (klist && klist->nkeys < klist->maxkeys) {

  		/* there's sufficient slack space to append directly */
  		nklist = NULL;

  		prealloc = KEY_LINK_FIXQUOTA;

  	} else {

  		/* grow the key list */
  		max = 4;
  		if (klist)
  			max += klist->maxkeys;
  
  		ret = -ENFILE;

  		if (max > USHRT_MAX - 1)

  			goto error_quota;

  		size = sizeof(*klist) + sizeof(struct key *) * max;

  		if (size > PAGE_SIZE)

  			goto error_quota;

  
  		ret = -ENOMEM;
  		nklist = kmalloc(size, GFP_KERNEL);
  		if (!nklist)

  			goto error_quota;

  		nklist->maxkeys = max;

  		if (klist) {

  			memcpy(nklist->keys, klist->keys,

  			       sizeof(struct key *) * klist->nkeys);

  			nklist->delkey = klist->nkeys;
  			nklist->nkeys = klist->nkeys + 1;

  			klist->delkey = USHRT_MAX;

  		} else {
  			nklist->nkeys = 1;
  			nklist->delkey = 0;

  		}
  
  		/* add the key into the new space */

  		nklist->keys[nklist->delkey] = NULL;

  	}

  	prealloc = (unsigned long)nklist | KEY_LINK_FIXQUOTA;

  done:

  	*_prealloc = prealloc;

  	kleave(" = 0");
  	return 0;

  error_quota:

  	/* undo the quota changes */
  	key_payload_reserve(keyring,
  			    keyring->datalen - KEYQUOTA_LINK_BYTES);

  error_sem:
  	if (type == &key_type_keyring)
  		up_write(&keyring_serialise_link_sem);
  error_krsem:
  	up_write(&keyring->sem);
  	kleave(" = %d", ret);
  	return ret;
  }

  /*

   * Check already instantiated keys aren't going to be a problem.
   *
   * The caller must have called __key_link_begin(). Don't need to call this for
   * keys that were created since __key_link_begin() was called.

   */
  int __key_link_check_live_key(struct key *keyring, struct key *key)
  {
  	if (key->type == &key_type_keyring)
  		/* check that we aren't going to create a cycle by linking one
  		 * keyring to another */
  		return keyring_detect_cycle(keyring, key);
  	return 0;
  }
  
  /*

   * Link a key into to a keyring.
   *
   * Must be called with __key_link_begin() having being called.  Discards any
   * already extant link to matching key if there is one, so that each keyring
   * holds at most one link to any given key of a particular type+description
   * combination.

   */
  void __key_link(struct key *keyring, struct key *key,

  		unsigned long *_prealloc)

  {
  	struct keyring_list *klist, *nklist;

  	nklist = (struct keyring_list *)(*_prealloc & ~KEY_LINK_FIXQUOTA);
  	*_prealloc = 0;

  
  	kenter("%d,%d,%p", keyring->serial, key->serial, nklist);

  	klist = rcu_dereference_locked_keyring(keyring);

  
  	atomic_inc(&key->usage);
  
  	/* there's a matching key we can displace or an empty slot in a newly
  	 * allocated list we can fill */
  	if (nklist) {
  		kdebug("replace %hu/%hu/%hu",
  		       nklist->delkey, nklist->nkeys, nklist->maxkeys);
  
  		nklist->keys[nklist->delkey] = key;
  
  		rcu_assign_pointer(keyring->payload.subscriptions, nklist);
  
  		/* dispose of the old keyring list and, if there was one, the
  		 * displaced key */
  		if (klist) {
  			kdebug("dispose %hu/%hu/%hu",
  			       klist->delkey, klist->nkeys, klist->maxkeys);
  			call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
  		}
  	} else {
  		/* there's sufficient slack space to append directly */
  		klist->keys[klist->nkeys] = key;
  		smp_wmb();
  		klist->nkeys++;
  	}
  }
  
  /*

   * Finish linking a key into to a keyring.
   *
   * Must be called with __key_link_begin() having being called.

   */
  void __key_link_end(struct key *keyring, struct key_type *type,

  		    unsigned long prealloc)

  	__releases(&keyring->sem)
  {
  	BUG_ON(type == NULL);
  	BUG_ON(type->name == NULL);

  	kenter("%d,%s,%lx", keyring->serial, type->name, prealloc);

  
  	if (type == &key_type_keyring)
  		up_write(&keyring_serialise_link_sem);
  
  	if (prealloc) {

  		if (prealloc & KEY_LINK_FIXQUOTA)
  			key_payload_reserve(keyring,
  					    keyring->datalen -
  					    KEYQUOTA_LINK_BYTES);
  		kfree((struct keyring_list *)(prealloc & ~KEY_LINK_FIXQUOTA));

  	}
  	up_write(&keyring->sem);
  }

  /**
   * key_link - Link a key to a keyring
   * @keyring: The keyring to make the link in.
   * @key: The key to link to.
   *
   * Make a link in a keyring to a key, such that the keyring holds a reference
   * on that key and the key can potentially be found by searching that keyring.
   *
   * This function will write-lock the keyring's semaphore and will consume some
   * of the user's key data quota to hold the link.
   *
   * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring,
   * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is
   * full, -EDQUOT if there is insufficient key data quota remaining to add
   * another link or -ENOMEM if there's insufficient memory.
   *
   * It is assumed that the caller has checked that it is permitted for a link to
   * be made (the keyring should have Write permission and the key Link
   * permission).

   */
  int key_link(struct key *keyring, struct key *key)
  {

  	unsigned long prealloc;

  	int ret;
  
  	key_check(keyring);
  	key_check(key);

  	ret = __key_link_begin(keyring, key->type, key->description, &prealloc);
  	if (ret == 0) {
  		ret = __key_link_check_live_key(keyring, key);
  		if (ret == 0)
  			__key_link(keyring, key, &prealloc);
  		__key_link_end(keyring, key->type, prealloc);
  	}

  
  	return ret;

  }

  EXPORT_SYMBOL(key_link);

  /**
   * key_unlink - Unlink the first link to a key from a keyring.
   * @keyring: The keyring to remove the link from.
   * @key: The key the link is to.
   *
   * Remove a link from a keyring to a key.
   *
   * This function will write-lock the keyring's semaphore.
   *
   * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if
   * the key isn't linked to by the keyring or -ENOMEM if there's insufficient
   * memory.
   *
   * It is assumed that the caller has checked that it is permitted for a link to
   * be removed (the keyring should have Write permission; no permissions are
   * required on the key).

   */
  int key_unlink(struct key *keyring, struct key *key)
  {

  	struct keyring_list *klist, *nklist;

  	int loop, ret;
  
  	key_check(keyring);
  	key_check(key);
  
  	ret = -ENOTDIR;
  	if (keyring->type != &key_type_keyring)
  		goto error;
  
  	down_write(&keyring->sem);

  	klist = rcu_dereference_locked_keyring(keyring);

  	if (klist) {
  		/* search the keyring for the key */
  		for (loop = 0; loop < klist->nkeys; loop++)
  			if (klist->keys[loop] == key)
  				goto key_is_present;
  	}
  
  	up_write(&keyring->sem);
  	ret = -ENOENT;
  	goto error;

  key_is_present:
  	/* we need to copy the key list for RCU purposes */

  	nklist = kmalloc(sizeof(*klist) +
  			 sizeof(struct key *) * klist->maxkeys,

  			 GFP_KERNEL);
  	if (!nklist)
  		goto nomem;
  	nklist->maxkeys = klist->maxkeys;
  	nklist->nkeys = klist->nkeys - 1;
  
  	if (loop > 0)
  		memcpy(&nklist->keys[0],
  		       &klist->keys[0],

  		       loop * sizeof(struct key *));

  
  	if (loop < nklist->nkeys)
  		memcpy(&nklist->keys[loop],
  		       &klist->keys[loop + 1],

  		       (nklist->nkeys - loop) * sizeof(struct key *));

  	/* adjust the user's quota */
  	key_payload_reserve(keyring,
  			    keyring->datalen - KEYQUOTA_LINK_BYTES);

  	rcu_assign_pointer(keyring->payload.subscriptions, nklist);

  	up_write(&keyring->sem);

  	/* schedule for later cleanup */
  	klist->delkey = loop;
  	call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);

  	ret = 0;

  error:

  	return ret;

  nomem:
  	ret = -ENOMEM;
  	up_write(&keyring->sem);
  	goto error;

  }

  EXPORT_SYMBOL(key_unlink);

  /*

   * Dispose of a keyring list after the RCU grace period, releasing the keys it
   * links to.

   */
  static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
  {
  	struct keyring_list *klist;
  	int loop;
  
  	klist = container_of(rcu, struct keyring_list, rcu);
  
  	for (loop = klist->nkeys - 1; loop >= 0; loop--)
  		key_put(klist->keys[loop]);
  
  	kfree(klist);

  }

  /**
   * keyring_clear - Clear a keyring
   * @keyring: The keyring to clear.
   *
   * Clear the contents of the specified keyring.
   *
   * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring.

   */
  int keyring_clear(struct key *keyring)
  {
  	struct keyring_list *klist;

  	int ret;

  
  	ret = -ENOTDIR;
  	if (keyring->type == &key_type_keyring) {
  		/* detach the pointer block with the locks held */
  		down_write(&keyring->sem);

  		klist = rcu_dereference_locked_keyring(keyring);

  		if (klist) {
  			/* adjust the quota */
  			key_payload_reserve(keyring,
  					    sizeof(struct keyring_list));

  			rcu_assign_pointer(keyring->payload.subscriptions,
  					   NULL);

  		}
  
  		up_write(&keyring->sem);
  
  		/* free the keys after the locks have been dropped */

  		if (klist)
  			call_rcu(&klist->rcu, keyring_clear_rcu_disposal);

  
  		ret = 0;
  	}
  
  	return ret;

  }

  EXPORT_SYMBOL(keyring_clear);

  /*

   * Dispose of the links from a revoked keyring.
   *
   * This is called with the key sem write-locked.

   */
  static void keyring_revoke(struct key *keyring)
  {

  	struct keyring_list *klist;
  
  	klist = rcu_dereference_locked_keyring(keyring);

  
  	/* adjust the quota */
  	key_payload_reserve(keyring, 0);
  
  	if (klist) {
  		rcu_assign_pointer(keyring->payload.subscriptions, NULL);
  		call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
  	}

  }

  
  /*

   * Determine whether a key is dead.

   */
  static bool key_is_dead(struct key *key, time_t limit)
  {
  	return test_bit(KEY_FLAG_DEAD, &key->flags) ||
  		(key->expiry > 0 && key->expiry <= limit);
  }
  
  /*

   * Collect garbage from the contents of a keyring, replacing the old list with
   * a new one with the pointers all shuffled down.
   *
   * Dead keys are classed as oned that are flagged as being dead or are revoked,
   * expired or negative keys that were revoked or expired before the specified
   * limit.

   */
  void keyring_gc(struct key *keyring, time_t limit)
  {
  	struct keyring_list *klist, *new;
  	struct key *key;
  	int loop, keep, max;

  	kenter("{%x,%s}", key_serial(keyring), keyring->description);

  
  	down_write(&keyring->sem);

  	klist = rcu_dereference_locked_keyring(keyring);

  	if (!klist)

  		goto no_klist;

  
  	/* work out how many subscriptions we're keeping */
  	keep = 0;
  	for (loop = klist->nkeys - 1; loop >= 0; loop--)

  		if (!key_is_dead(klist->keys[loop], limit))

  			keep++;
  
  	if (keep == klist->nkeys)
  		goto just_return;
  
  	/* allocate a new keyring payload */
  	max = roundup(keep, 4);
  	new = kmalloc(sizeof(struct keyring_list) + max * sizeof(struct key *),
  		      GFP_KERNEL);
  	if (!new)

  		goto nomem;

  	new->maxkeys = max;
  	new->nkeys = 0;
  	new->delkey = 0;
  
  	/* install the live keys
  	 * - must take care as expired keys may be updated back to life
  	 */
  	keep = 0;
  	for (loop = klist->nkeys - 1; loop >= 0; loop--) {
  		key = klist->keys[loop];
  		if (!key_is_dead(key, limit)) {
  			if (keep >= max)
  				goto discard_new;
  			new->keys[keep++] = key_get(key);
  		}
  	}
  	new->nkeys = keep;
  
  	/* adjust the quota */
  	key_payload_reserve(keyring,
  			    sizeof(struct keyring_list) +
  			    KEYQUOTA_LINK_BYTES * keep);
  
  	if (keep == 0) {
  		rcu_assign_pointer(keyring->payload.subscriptions, NULL);
  		kfree(new);
  	} else {
  		rcu_assign_pointer(keyring->payload.subscriptions, new);
  	}
  
  	up_write(&keyring->sem);
  
  	call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
  	kleave(" [yes]");
  	return;
  
  discard_new:
  	new->nkeys = keep;
  	keyring_clear_rcu_disposal(&new->rcu);

  	up_write(&keyring->sem);
  	kleave(" [discard]");
  	return;

  just_return:
  	up_write(&keyring->sem);

  	kleave(" [no dead]");
  	return;
  
  no_klist:
  	up_write(&keyring->sem);
  	kleave(" [no_klist]");
  	return;
  
  nomem:
  	up_write(&keyring->sem);
  	kleave(" [oom]");

  }