Eric Lee / smarc-ti-linux-kernel

Download as
Browse Code ยป

Commit 0c061b5707ab84ebfe8f18f1c9c3110ae5cd6073

Authored by David Howells
Committed by James Morris
1 parent d199798bdf
Exists in master and in 20 other branches dlt-processor-sdk-linux-03.00.00.04, newt-ti-linux-3.12.y, processor-sdk-linux-01.00.00, processor-sdk-linux-02.00.01, smarc-ti-linux-3.12.10, smarc-ti-linux-3.12.y, smarc-ti-linux-3.14.y, smarc-ti-linux-3.15.y, smarc-ti-lsk-linux-4.1.y, smarct3x-processor-sdk-04.01.00.06, smarct3x-processor-sdk-linux-02.00.01, smarct3x-processor-sdk-linux-03.00.00.04, smarct4x-800-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-04.01.00.06, smarct4x-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-linux-03.00.00.04, ti-linux-3.12.y, ti-linux-3.14.y, ti-linux-3.15.y, ti-lsk-linux-4.1.y

KEYS: Correctly destroy key payloads when their keytype is removed 

unregister_key_type() has code to mark a key as dead and make it unavailable in
one loop and then destroy all those unavailable key payloads in the next loop.
However, the loop to mark keys dead renders the key undetectable to the second
loop by changing the key type pointer also.

Fix this by the following means:

 (1) The key code has two garbage collectors: one deletes unreferenced keys and
     the other alters keyrings to delete links to old dead, revoked and expired
     keys.  They can end up holding each other up as both want to scan the key
     serial tree under spinlock.  Combine these into a single routine.

 (2) Move the dead key marking, dead link removal and dead key removal into the
     garbage collector as a three phase process running over the three cycles
     of the normal garbage collection procedure.  This is tracked by the
     KEY_GC_REAPING_DEAD_1, _2 and _3 state flags.

     unregister_key_type() then just unlinks the key type from the list, wakes
     up the garbage collector and waits for the third phase to complete.

 (3) Downgrade the key types sem in unregister_key_type() once it has deleted
     the key type from the list so that it doesn't block the keyctl() syscall.

 (4) Dead keys that cannot be simply removed in the third phase have their
     payloads destroyed with the key's semaphore write-locked to prevent
     interference by the keyctl() syscall.  There should be no in-kernel users
     of dead keys of that type by the point of unregistration, though keyctl()
     may be holding a reference.

 (5) Only perform timer recalculation in the GC if the timer actually expired.
     If it didn't, we'll get another cycle when it goes off - and if the key
     that actually triggered it has been removed, it's not a problem.

 (6) Only garbage collect link if the timer expired or if we're doing dead key
     clean up phase 2.

 (7) As only key_garbage_collector() is permitted to use rb_erase() on the key
     serial tree, it doesn't need to revalidate its cursor after dropping the
     spinlock as the node the cursor points to must still exist in the tree.

 (8) Drop the spinlock in the GC if there is contention on it or if we need to
     reschedule.  After dealing with that, get the spinlock again and resume
     scanning.

This has been tested in the following ways:

 (1) Run the keyutils testsuite against it.

 (2) Using the AF_RXRPC and RxKAD modules to test keytype removal:

     Load the rxrpc_s key type:

	# insmod /tmp/af-rxrpc.ko
	# insmod /tmp/rxkad.ko

     Create a key (http://people.redhat.com/~dhowells/rxrpc/listen.c):

	# /tmp/listen &
	[1] 8173

     Find the key:

	# grep rxrpc_s /proc/keys
	091086e1 I--Q--     1 perm 39390000     0     0 rxrpc_s   52:2

     Link it to a session keyring, preferably one with a higher serial number:

	# keyctl link 0x20e36251 @s

     Kill the process (the key should remain as it's linked to another place):

	# fg
	/tmp/listen
	^C

     Remove the key type:

	rmmod rxkad
	rmmod af-rxrpc

     This can be made a more effective test by altering the following part of
     the patch:

	if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
		/* Make sure everyone revalidates their keys if we marked a
		 * bunch as being dead and make sure all keyring ex-payloads
		 * are destroyed.
		 */
		kdebug("dead sync");
		synchronize_rcu();

     To call synchronize_rcu() in GC phase 1 instead.  That causes that the
     keyring's old payload content to hang around longer until it's RCU
     destroyed - which usually happens after GC phase 3 is complete.  This
     allows the destroy_dead_key branch to be tested.

Reported-by: Benjamin Coddington <bcodding@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 3 changed files with 258 additions and 208 deletions Side-by-side Diff

1 1 /* Key garbage collector
2 2 *
3   - * Copyright (C) 2009 Red Hat, Inc. All Rights Reserved.
  3 + * Copyright (C) 2009-2011 Red Hat, Inc. All Rights Reserved.
4 4 * Written by David Howells (dhowells@redhat.com)
5 5 *
6 6 * This program is free software; you can redistribute it and/or
7 7  
8 8  
9 9  
10 10  
11 11  
... ... @@ -23,23 +23,33 @@
23 23 /*
24 24 * Reaper for unused keys.
25 25 */
26   -static void key_gc_unused_keys(struct work_struct *work);
27   -DECLARE_WORK(key_gc_unused_work, key_gc_unused_keys);
  26 +static void key_garbage_collector(struct work_struct *work);
  27 +DECLARE_WORK(key_gc_work, key_garbage_collector);
28 28  
29 29 /*
30 30 * Reaper for links from keyrings to dead keys.
31 31 */
32 32 static void key_gc_timer_func(unsigned long);
33   -static void key_gc_dead_links(struct work_struct *);
34 33 static DEFINE_TIMER(key_gc_timer, key_gc_timer_func, 0, 0);
35   -static DECLARE_WORK(key_gc_work, key_gc_dead_links);
36   -static key_serial_t key_gc_cursor; /* the last key the gc considered */
37   -static bool key_gc_again;
38   -static unsigned long key_gc_executing;
  34 +
39 35 static time_t key_gc_next_run = LONG_MAX;
40   -static time_t key_gc_new_timer;
  36 +static struct key_type *key_gc_dead_keytype;
41 37  
  38 +static unsigned long key_gc_flags;
  39 +#define KEY_GC_KEY_EXPIRED 0 /* A key expired and needs unlinking */
  40 +#define KEY_GC_REAP_KEYTYPE 1 /* A keytype is being unregistered */
  41 +#define KEY_GC_REAPING_KEYTYPE 2 /* Cleared when keytype reaped */
  42 +
  43 +
42 44 /*
  45 + * Any key whose type gets unregistered will be re-typed to this if it can't be
  46 + * immediately unlinked.
  47 + */
  48 +struct key_type key_type_dead = {
  49 + .name = "dead",
  50 +};
  51 +
  52 +/*
43 53 * Schedule a garbage collection run.
44 54 * - time precision isn't particularly important
45 55 */
46 56  
47 57  
48 58  
49 59  
50 60  
51 61  
... ... @@ -50,31 +60,75 @@
50 60  
51 61 kenter("%ld", gc_at - now);
52 62  
53   - if (gc_at <= now) {
  63 + if (gc_at <= now || test_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags)) {
  64 + kdebug("IMMEDIATE");
54 65 queue_work(system_nrt_wq, &key_gc_work);
55 66 } else if (gc_at < key_gc_next_run) {
  67 + kdebug("DEFERRED");
  68 + key_gc_next_run = gc_at;
56 69 expires = jiffies + (gc_at - now) * HZ;
57 70 mod_timer(&key_gc_timer, expires);
58 71 }
59 72 }
60 73  
61 74 /*
62   - * The garbage collector timer kicked off
  75 + * Some key's cleanup time was met after it expired, so we need to get the
  76 + * reaper to go through a cycle finding expired keys.
63 77 */
64 78 static void key_gc_timer_func(unsigned long data)
65 79 {
66 80 kenter("");
67 81 key_gc_next_run = LONG_MAX;
  82 + set_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags);
68 83 queue_work(system_nrt_wq, &key_gc_work);
69 84 }
70 85  
71 86 /*
  87 + * wait_on_bit() sleep function for uninterruptible waiting
  88 + */
  89 +static int key_gc_wait_bit(void *flags)
  90 +{
  91 + schedule();
  92 + return 0;
  93 +}
  94 +
  95 +/*
  96 + * Reap keys of dead type.
  97 + *
  98 + * We use three flags to make sure we see three complete cycles of the garbage
  99 + * collector: the first to mark keys of that type as being dead, the second to
  100 + * collect dead links and the third to clean up the dead keys. We have to be
  101 + * careful as there may already be a cycle in progress.
  102 + *
  103 + * The caller must be holding key_types_sem.
  104 + */
  105 +void key_gc_keytype(struct key_type *ktype)
  106 +{
  107 + kenter("%s", ktype->name);
  108 +
  109 + key_gc_dead_keytype = ktype;
  110 + set_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
  111 + smp_mb();
  112 + set_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags);
  113 +
  114 + kdebug("schedule");
  115 + queue_work(system_nrt_wq, &key_gc_work);
  116 +
  117 + kdebug("sleep");
  118 + wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE, key_gc_wait_bit,
  119 + TASK_UNINTERRUPTIBLE);
  120 +
  121 + key_gc_dead_keytype = NULL;
  122 + kleave("");
  123 +}
  124 +
  125 +/*
72 126 * Garbage collect pointers from a keyring.
73 127 *
74   - * Return true if we altered the keyring.
  128 + * Not called with any locks held. The keyring's key struct will not be
  129 + * deallocated under us as only our caller may deallocate it.
75 130 */
76   -static bool key_gc_keyring(struct key *keyring, time_t limit)
77   - __releases(key_serial_lock)
  131 +static void key_gc_keyring(struct key *keyring, time_t limit)
78 132 {
79 133 struct keyring_list *klist;
80 134 struct key *key;
81 135  
82 136  
83 137  
84 138  
85 139  
86 140  
87 141  
88 142  
89 143  
90 144  
91 145  
92 146  
... ... @@ -101,134 +155,49 @@
101 155 unlock_dont_gc:
102 156 rcu_read_unlock();
103 157 dont_gc:
104   - kleave(" = false");
105   - return false;
  158 + kleave(" [no gc]");
  159 + return;
106 160  
107 161 do_gc:
108 162 rcu_read_unlock();
109   - key_gc_cursor = keyring->serial;
110   - key_get(keyring);
111   - spin_unlock(&key_serial_lock);
  163 +
112 164 keyring_gc(keyring, limit);
113   - key_put(keyring);
114   - kleave(" = true");
115   - return true;
  165 + kleave(" [gc]");
116 166 }
117 167  
118 168 /*
119   - * Garbage collector for links to dead keys.
120   - *
121   - * This involves scanning the keyrings for dead, expired and revoked keys that
122   - * have overstayed their welcome
  169 + * Garbage collect an unreferenced, detached key
123 170 */
124   -static void key_gc_dead_links(struct work_struct *work)
  171 +static noinline void key_gc_unused_key(struct key *key)
125 172 {
126   - struct rb_node *rb;
127   - key_serial_t cursor;
128   - struct key *key, *xkey;
129   - time_t new_timer = LONG_MAX, limit, now;
  173 + key_check(key);
130 174  
131   - now = current_kernel_time().tv_sec;
132   - kenter("[%x,%ld]", key_gc_cursor, key_gc_new_timer - now);
  175 + security_key_free(key);
133 176  
134   - if (test_and_set_bit(0, &key_gc_executing)) {
135   - key_schedule_gc(current_kernel_time().tv_sec + 1);
136   - kleave(" [busy; deferring]");
137   - return;
  177 + /* deal with the user's key tracking and quota */
  178 + if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
  179 + spin_lock(&key->user->lock);
  180 + key->user->qnkeys--;
  181 + key->user->qnbytes -= key->quotalen;
  182 + spin_unlock(&key->user->lock);
138 183 }
139 184  
140   - limit = now;
141   - if (limit > key_gc_delay)
142   - limit -= key_gc_delay;
143   - else
144   - limit = key_gc_delay;
  185 + atomic_dec(&key->user->nkeys);
  186 + if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
  187 + atomic_dec(&key->user->nikeys);
145 188  
146   - spin_lock(&key_serial_lock);
  189 + key_user_put(key->user);
147 190  
148   - if (unlikely(RB_EMPTY_ROOT(&key_serial_tree))) {
149   - spin_unlock(&key_serial_lock);
150   - clear_bit(0, &key_gc_executing);
151   - return;
152   - }
  191 + /* now throw away the key memory */
  192 + if (key->type->destroy)
  193 + key->type->destroy(key);
153 194  
154   - cursor = key_gc_cursor;
155   - if (cursor < 0)
156   - cursor = 0;
157   - if (cursor > 0)
158   - new_timer = key_gc_new_timer;
159   - else
160   - key_gc_again = false;
  195 + kfree(key->description);
161 196  
162   - /* find the first key above the cursor */
163   - key = NULL;
164   - rb = key_serial_tree.rb_node;
165   - while (rb) {
166   - xkey = rb_entry(rb, struct key, serial_node);
167   - if (cursor < xkey->serial) {
168   - key = xkey;
169   - rb = rb->rb_left;
170   - } else if (cursor > xkey->serial) {
171   - rb = rb->rb_right;
172   - } else {
173   - rb = rb_next(rb);
174   - if (!rb)
175   - goto reached_the_end;
176   - key = rb_entry(rb, struct key, serial_node);
177   - break;
178   - }
179   - }
180   -
181   - if (!key)
182   - goto reached_the_end;
183   -
184   - /* trawl through the keys looking for keyrings */
185   - for (;;) {
186   - if (key->expiry > limit && key->expiry < new_timer) {
187   - kdebug("will expire %x in %ld",
188   - key_serial(key), key->expiry - limit);
189   - new_timer = key->expiry;
190   - }
191   -
192   - if (key->type == &key_type_keyring &&
193   - key_gc_keyring(key, limit))
194   - /* the gc had to release our lock so that the keyring
195   - * could be modified, so we have to get it again */
196   - goto gc_released_our_lock;
197   -
198   - rb = rb_next(&key->serial_node);
199   - if (!rb)
200   - goto reached_the_end;
201   - key = rb_entry(rb, struct key, serial_node);
202   - }
203   -
204   -gc_released_our_lock:
205   - kdebug("gc_released_our_lock");
206   - key_gc_new_timer = new_timer;
207   - key_gc_again = true;
208   - clear_bit(0, &key_gc_executing);
209   - queue_work(system_nrt_wq, &key_gc_work);
210   - kleave(" [continue]");
211   - return;
212   -
213   - /* when we reach the end of the run, we set the timer for the next one */
214   -reached_the_end:
215   - kdebug("reached_the_end");
216   - spin_unlock(&key_serial_lock);
217   - key_gc_new_timer = new_timer;
218   - key_gc_cursor = 0;
219   - clear_bit(0, &key_gc_executing);
220   -
221   - if (key_gc_again) {
222   - /* there may have been a key that expired whilst we were
223   - * scanning, so if we discarded any links we should do another
224   - * scan */
225   - new_timer = now + 1;
226   - key_schedule_gc(new_timer);
227   - } else if (new_timer < LONG_MAX) {
228   - new_timer += key_gc_delay;
229   - key_schedule_gc(new_timer);
230   - }
231   - kleave(" [end]");
  197 +#ifdef KEY_DEBUGGING
  198 + key->magic = KEY_DEBUG_MAGIC_X;
  199 +#endif
  200 + kmem_cache_free(key_jar, key);
232 201 }
233 202  
234 203 /*
235 204  
236 205  
237 206  
238 207  
239 208  
240 209  
241 210  
242 211  
243 212  
244 213  
245 214  
246 215  
247 216  
248 217  
249 218  
250 219  
251 220  
252 221  
... ... @@ -238,61 +207,183 @@
238 207 * all over the place. key_put() schedules this rather than trying to do the
239 208 * cleanup itself, which means key_put() doesn't have to sleep.
240 209 */
241   -static void key_gc_unused_keys(struct work_struct *work)
  210 +static void key_garbage_collector(struct work_struct *work)
242 211 {
243   - struct rb_node *_n;
  212 + static u8 gc_state; /* Internal persistent state */
  213 +#define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */
  214 +#define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */
  215 +#define KEY_GC_SET_TIMER 0x04 /* - We need to restart the timer */
  216 +#define KEY_GC_REAPING_DEAD_1 0x10 /* - We need to mark dead keys */
  217 +#define KEY_GC_REAPING_DEAD_2 0x20 /* - We need to reap dead key links */
  218 +#define KEY_GC_REAPING_DEAD_3 0x40 /* - We need to reap dead keys */
  219 +#define KEY_GC_FOUND_DEAD_KEY 0x80 /* - We found at least one dead key */
  220 +
  221 + struct rb_node *cursor;
244 222 struct key *key;
  223 + time_t new_timer, limit;
245 224  
246   -go_again:
247   - /* look for a dead key in the tree */
  225 + kenter("[%lx,%x]", key_gc_flags, gc_state);
  226 +
  227 + limit = current_kernel_time().tv_sec;
  228 + if (limit > key_gc_delay)
  229 + limit -= key_gc_delay;
  230 + else
  231 + limit = key_gc_delay;
  232 +
  233 + /* Work out what we're going to be doing in this pass */
  234 + gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;
  235 + gc_state <<= 1;
  236 + if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))
  237 + gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER;
  238 +
  239 + if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))
  240 + gc_state |= KEY_GC_REAPING_DEAD_1;
  241 + kdebug("new pass %x", gc_state);
  242 +
  243 + new_timer = LONG_MAX;
  244 +
  245 + /* As only this function is permitted to remove things from the key
  246 + * serial tree, if cursor is non-NULL then it will always point to a
  247 + * valid node in the tree - even if lock got dropped.
  248 + */
248 249 spin_lock(&key_serial_lock);
  250 + cursor = rb_first(&key_serial_tree);
249 251  
250   - for (_n = rb_first(&key_serial_tree); _n; _n = rb_next(_n)) {
251   - key = rb_entry(_n, struct key, serial_node);
  252 +continue_scanning:
  253 + while (cursor) {
  254 + key = rb_entry(cursor, struct key, serial_node);
  255 + cursor = rb_next(cursor);
252 256  
253 257 if (atomic_read(&key->usage) == 0)
254   - goto found_dead_key;
  258 + goto found_unreferenced_key;
  259 +
  260 + if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) {
  261 + if (key->type == key_gc_dead_keytype) {
  262 + gc_state |= KEY_GC_FOUND_DEAD_KEY;
  263 + set_bit(KEY_FLAG_DEAD, &key->flags);
  264 + key->perm = 0;
  265 + goto skip_dead_key;
  266 + }
  267 + }
  268 +
  269 + if (gc_state & KEY_GC_SET_TIMER) {
  270 + if (key->expiry > limit && key->expiry < new_timer) {
  271 + kdebug("will expire %x in %ld",
  272 + key_serial(key), key->expiry - limit);
  273 + new_timer = key->expiry;
  274 + }
  275 + }
  276 +
  277 + if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2))
  278 + if (key->type == key_gc_dead_keytype)
  279 + gc_state |= KEY_GC_FOUND_DEAD_KEY;
  280 +
  281 + if ((gc_state & KEY_GC_REAPING_LINKS) ||
  282 + unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
  283 + if (key->type == &key_type_keyring)
  284 + goto found_keyring;
  285 + }
  286 +
  287 + if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3))
  288 + if (key->type == key_gc_dead_keytype)
  289 + goto destroy_dead_key;
  290 +
  291 + skip_dead_key:
  292 + if (spin_is_contended(&key_serial_lock) || need_resched())
  293 + goto contended;
255 294 }
256 295  
  296 +contended:
257 297 spin_unlock(&key_serial_lock);
258   - return;
259 298  
260   -found_dead_key:
261   - /* we found a dead key - once we've removed it from the tree, we can
262   - * drop the lock */
263   - rb_erase(&key->serial_node, &key_serial_tree);
264   - spin_unlock(&key_serial_lock);
  299 +maybe_resched:
  300 + if (cursor) {
  301 + cond_resched();
  302 + spin_lock(&key_serial_lock);
  303 + goto continue_scanning;
  304 + }
265 305  
266   - key_check(key);
  306 + /* We've completed the pass. Set the timer if we need to and queue a
  307 + * new cycle if necessary. We keep executing cycles until we find one
  308 + * where we didn't reap any keys.
  309 + */
  310 + kdebug("pass complete");
267 311  
268   - security_key_free(key);
  312 + if (gc_state & KEY_GC_SET_TIMER && new_timer != (time_t)LONG_MAX) {
  313 + new_timer += key_gc_delay;
  314 + key_schedule_gc(new_timer);
  315 + }
269 316  
270   - /* deal with the user's key tracking and quota */
271   - if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
272   - spin_lock(&key->user->lock);
273   - key->user->qnkeys--;
274   - key->user->qnbytes -= key->quotalen;
275   - spin_unlock(&key->user->lock);
  317 + if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
  318 + /* Make sure everyone revalidates their keys if we marked a
  319 + * bunch as being dead and make sure all keyring ex-payloads
  320 + * are destroyed.
  321 + */
  322 + kdebug("dead sync");
  323 + synchronize_rcu();
276 324 }
277 325  
278   - atomic_dec(&key->user->nkeys);
279   - if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
280   - atomic_dec(&key->user->nikeys);
  326 + if (unlikely(gc_state & (KEY_GC_REAPING_DEAD_1 |
  327 + KEY_GC_REAPING_DEAD_2))) {
  328 + if (!(gc_state & KEY_GC_FOUND_DEAD_KEY)) {
  329 + /* No remaining dead keys: short circuit the remaining
  330 + * keytype reap cycles.
  331 + */
  332 + kdebug("dead short");
  333 + gc_state &= ~(KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2);
  334 + gc_state |= KEY_GC_REAPING_DEAD_3;
  335 + } else {
  336 + gc_state |= KEY_GC_REAP_AGAIN;
  337 + }
  338 + }
281 339  
282   - key_user_put(key->user);
  340 + if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3)) {
  341 + kdebug("dead wake");
  342 + smp_mb();
  343 + clear_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
  344 + wake_up_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE);
  345 + }
283 346  
284   - /* now throw away the key memory */
285   - if (key->type->destroy)
286   - key->type->destroy(key);
  347 + if (gc_state & KEY_GC_REAP_AGAIN)
  348 + queue_work(system_nrt_wq, &key_gc_work);
  349 + kleave(" [end %x]", gc_state);
  350 + return;
287 351  
288   - kfree(key->description);
  352 + /* We found an unreferenced key - once we've removed it from the tree,
  353 + * we can safely drop the lock.
  354 + */
  355 +found_unreferenced_key:
  356 + kdebug("unrefd key %d", key->serial);
  357 + rb_erase(&key->serial_node, &key_serial_tree);
  358 + spin_unlock(&key_serial_lock);
289 359  
290   -#ifdef KEY_DEBUGGING
291   - key->magic = KEY_DEBUG_MAGIC_X;
292   -#endif
293   - kmem_cache_free(key_jar, key);
  360 + key_gc_unused_key(key);
  361 + gc_state |= KEY_GC_REAP_AGAIN;
  362 + goto maybe_resched;
294 363  
295   - /* there may, of course, be more than one key to destroy */
296   - goto go_again;
  364 + /* We found a keyring and we need to check the payload for links to
  365 + * dead or expired keys. We don't flag another reap immediately as we
  366 + * have to wait for the old payload to be destroyed by RCU before we
  367 + * can reap the keys to which it refers.
  368 + */
  369 +found_keyring:
  370 + spin_unlock(&key_serial_lock);
  371 + kdebug("scan keyring %d", key->serial);
  372 + key_gc_keyring(key, limit);
  373 + goto maybe_resched;
  374 +
  375 + /* We found a dead key that is still referenced. Reset its type and
  376 + * destroy its payload with its semaphore held.
  377 + */
  378 +destroy_dead_key:
  379 + spin_unlock(&key_serial_lock);
  380 + kdebug("destroy key %d", key->serial);
  381 + down_write(&key->sem);
  382 + key->type = &key_type_dead;
  383 + if (key_gc_dead_keytype->destroy)
  384 + key_gc_dead_keytype->destroy(key);
  385 + memset(&key->payload, KEY_DESTROY, sizeof(key->payload));
  386 + up_write(&key->sem);
  387 + goto maybe_resched;
297 388 }
security/keys/internal.h
Diff comments   View file @ 0c061b5
... ... @@ -31,6 +31,7 @@
31 31 no_printk(KERN_DEBUG FMT"\n", ##__VA_ARGS__)
32 32 #endif
33 33  
  34 +extern struct key_type key_type_dead;
34 35 extern struct key_type key_type_user;
35 36  
36 37 /*****************************************************************************/
37 38  
... ... @@ -147,10 +148,11 @@
147 148  
148 149 extern long join_session_keyring(const char *name);
149 150  
150   -extern struct work_struct key_gc_unused_work;
  151 +extern struct work_struct key_gc_work;
151 152 extern unsigned key_gc_delay;
152 153 extern void keyring_gc(struct key *keyring, time_t limit);
153 154 extern void key_schedule_gc(time_t expiry_at);
  155 +extern void key_gc_keytype(struct key_type *ktype);
154 156  
155 157 extern int key_task_permission(const key_ref_t key_ref,
156 158 const struct cred *cred,
... ... @@ -39,11 +39,6 @@
39 39 /* We serialise key instantiation and link */
40 40 DEFINE_MUTEX(key_construction_mutex);
41 41  
42   -/* Any key who's type gets unegistered will be re-typed to this */
43   -static struct key_type key_type_dead = {
44   - .name = "dead",
45   -};
46   -
47 42 #ifdef KEY_DEBUGGING
48 43 void __key_check(const struct key *key)
49 44 {
... ... @@ -602,7 +597,7 @@
602 597 key_check(key);
603 598  
604 599 if (atomic_dec_and_test(&key->usage))
605   - queue_work(system_nrt_wq, &key_gc_unused_work);
  600 + queue_work(system_nrt_wq, &key_gc_work);
606 601 }
607 602 }
608 603 EXPORT_SYMBOL(key_put);
609 604  
610 605  
... ... @@ -980,49 +975,11 @@
980 975 */
981 976 void unregister_key_type(struct key_type *ktype)
982 977 {
983   - struct rb_node *_n;
984   - struct key *key;
985   -
986 978 down_write(&key_types_sem);
987   -
988   - /* withdraw the key type */
989 979 list_del_init(&ktype->link);
990   -
991   - /* mark all the keys of this type dead */
992   - spin_lock(&key_serial_lock);
993   -
994   - for (_n = rb_first(&key_serial_tree); _n; _n = rb_next(_n)) {
995   - key = rb_entry(_n, struct key, serial_node);
996   -
997   - if (key->type == ktype) {
998   - key->type = &key_type_dead;
999   - set_bit(KEY_FLAG_DEAD, &key->flags);
1000   - }
1001   - }
1002   -
1003   - spin_unlock(&key_serial_lock);
1004   -
1005   - /* make sure everyone revalidates their keys */
1006   - synchronize_rcu();
1007   -
1008   - /* we should now be able to destroy the payloads of all the keys of
1009   - * this type with impunity */
1010   - spin_lock(&key_serial_lock);
1011   -
1012   - for (_n = rb_first(&key_serial_tree); _n; _n = rb_next(_n)) {
1013   - key = rb_entry(_n, struct key, serial_node);
1014   -
1015   - if (key->type == ktype) {
1016   - if (ktype->destroy)
1017   - ktype->destroy(key);
1018   - memset(&key->payload, KEY_DESTROY, sizeof(key->payload));
1019   - }
1020   - }
1021   -
1022   - spin_unlock(&key_serial_lock);
1023   - up_write(&key_types_sem);
1024   -
1025   - key_schedule_gc(0);
  980 + downgrade_write(&key_types_sem);
  981 + key_gc_keytype(ktype);
  982 + up_read(&key_types_sem);
1026 983 }
1027 984 EXPORT_SYMBOL(unregister_key_type);
1028 985