Branch data Line data Source code
1 : : /* Key garbage collector
2 : : *
3 : : * Copyright (C) 2009-2011 Red Hat, Inc. All Rights Reserved.
4 : : * Written by David Howells (dhowells@redhat.com)
5 : : *
6 : : * This program is free software; you can redistribute it and/or
7 : : * modify it under the terms of the GNU General Public Licence
8 : : * as published by the Free Software Foundation; either version
9 : : * 2 of the Licence, or (at your option) any later version.
10 : : */
11 : :
12 : : #include <linux/module.h>
13 : : #include <linux/slab.h>
14 : : #include <linux/security.h>
15 : : #include <keys/keyring-type.h>
16 : : #include "internal.h"
17 : :
18 : : /*
19 : : * Delay between key revocation/expiry in seconds
20 : : */
21 : : unsigned key_gc_delay = 5 * 60;
22 : :
23 : : /*
24 : : * Reaper for unused keys.
25 : : */
26 : : static void key_garbage_collector(struct work_struct *work);
27 : : DECLARE_WORK(key_gc_work, key_garbage_collector);
28 : :
29 : : /*
30 : : * Reaper for links from keyrings to dead keys.
31 : : */
32 : : static void key_gc_timer_func(unsigned long);
33 : : static DEFINE_TIMER(key_gc_timer, key_gc_timer_func, 0, 0);
34 : :
35 : : static time_t key_gc_next_run = LONG_MAX;
36 : : static struct key_type *key_gc_dead_keytype;
37 : :
38 : : static unsigned long key_gc_flags;
39 : : #define KEY_GC_KEY_EXPIRED 0 /* A key expired and needs unlinking */
40 : : #define KEY_GC_REAP_KEYTYPE 1 /* A keytype is being unregistered */
41 : : #define KEY_GC_REAPING_KEYTYPE 2 /* Cleared when keytype reaped */
42 : :
43 : :
44 : : /*
45 : : * Any key whose type gets unregistered will be re-typed to this if it can't be
46 : : * immediately unlinked.
47 : : */
48 : : struct key_type key_type_dead = {
49 : : .name = "dead",
50 : : };
51 : :
52 : : /*
53 : : * Schedule a garbage collection run.
54 : : * - time precision isn't particularly important
55 : : */
56 : 0 : void key_schedule_gc(time_t gc_at)
57 : : {
58 : : unsigned long expires;
59 : 0 : time_t now = current_kernel_time().tv_sec;
60 : :
61 : : kenter("%ld", gc_at - now);
62 : :
63 [ # # ][ # # ]: 0 : if (gc_at <= now || test_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags)) {
64 : : kdebug("IMMEDIATE");
65 : : schedule_work(&key_gc_work);
66 [ # # ]: 0 : } else if (gc_at < key_gc_next_run) {
67 : : kdebug("DEFERRED");
68 : 0 : key_gc_next_run = gc_at;
69 : 0 : expires = jiffies + (gc_at - now) * HZ;
70 : 0 : mod_timer(&key_gc_timer, expires);
71 : : }
72 : 0 : }
73 : :
74 : : /*
75 : : * Schedule a dead links collection run.
76 : : */
77 : 0 : void key_schedule_gc_links(void)
78 : : {
79 : 0 : set_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags);
80 : : schedule_work(&key_gc_work);
81 : 0 : }
82 : :
83 : : /*
84 : : * Some key's cleanup time was met after it expired, so we need to get the
85 : : * reaper to go through a cycle finding expired keys.
86 : : */
87 : 0 : static void key_gc_timer_func(unsigned long data)
88 : : {
89 : : kenter("");
90 : 0 : key_gc_next_run = LONG_MAX;
91 : 0 : key_schedule_gc_links();
92 : 0 : }
93 : :
94 : : /*
95 : : * wait_on_bit() sleep function for uninterruptible waiting
96 : : */
97 : 0 : static int key_gc_wait_bit(void *flags)
98 : : {
99 : 0 : schedule();
100 : 0 : return 0;
101 : : }
102 : :
103 : : /*
104 : : * Reap keys of dead type.
105 : : *
106 : : * We use three flags to make sure we see three complete cycles of the garbage
107 : : * collector: the first to mark keys of that type as being dead, the second to
108 : : * collect dead links and the third to clean up the dead keys. We have to be
109 : : * careful as there may already be a cycle in progress.
110 : : *
111 : : * The caller must be holding key_types_sem.
112 : : */
113 : 0 : void key_gc_keytype(struct key_type *ktype)
114 : : {
115 : : kenter("%s", ktype->name);
116 : :
117 : 0 : key_gc_dead_keytype = ktype;
118 : 0 : set_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
119 : 0 : smp_mb();
120 : 0 : set_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags);
121 : :
122 : : kdebug("schedule");
123 : : schedule_work(&key_gc_work);
124 : :
125 : : kdebug("sleep");
126 : : wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE, key_gc_wait_bit,
127 : : TASK_UNINTERRUPTIBLE);
128 : :
129 : 0 : key_gc_dead_keytype = NULL;
130 : : kleave("");
131 : 0 : }
132 : :
133 : : /*
134 : : * Garbage collect a list of unreferenced, detached keys
135 : : */
136 : 0 : static noinline void key_gc_unused_keys(struct list_head *keys)
137 : : {
138 [ + + ]: 6 : while (!list_empty(keys)) {
139 : 3 : struct key *key =
140 : : list_entry(keys->next, struct key, graveyard_link);
141 : : list_del(&key->graveyard_link);
142 : :
143 : : kdebug("- %u", key->serial);
144 : : key_check(key);
145 : :
146 : 3 : security_key_free(key);
147 : :
148 : : /* deal with the user's key tracking and quota */
149 [ + - ]: 3 : if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
150 : 3 : spin_lock(&key->user->lock);
151 : 3 : key->user->qnkeys--;
152 : 3 : key->user->qnbytes -= key->quotalen;
153 : 3 : spin_unlock(&key->user->lock);
154 : : }
155 : :
156 : 3 : atomic_dec(&key->user->nkeys);
157 [ + + ]: 3 : if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
158 : 2 : atomic_dec(&key->user->nikeys);
159 : :
160 : 3 : key_user_put(key->user);
161 : :
162 : : /* now throw away the key memory */
163 [ + - ]: 3 : if (key->type->destroy)
164 : 3 : key->type->destroy(key);
165 : :
166 : 3 : kfree(key->description);
167 : :
168 : : #ifdef KEY_DEBUGGING
169 : : key->magic = KEY_DEBUG_MAGIC_X;
170 : : #endif
171 : 3 : kmem_cache_free(key_jar, key);
172 : : }
173 : 3 : }
174 : :
175 : : /*
176 : : * Garbage collector for unused keys.
177 : : *
178 : : * This is done in process context so that we don't have to disable interrupts
179 : : * all over the place. key_put() schedules this rather than trying to do the
180 : : * cleanup itself, which means key_put() doesn't have to sleep.
181 : : */
182 : 0 : static void key_garbage_collector(struct work_struct *work)
183 : : {
184 : : static LIST_HEAD(graveyard);
185 : : static u8 gc_state; /* Internal persistent state */
186 : : #define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */
187 : : #define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */
188 : : #define KEY_GC_SET_TIMER 0x04 /* - We need to restart the timer */
189 : : #define KEY_GC_REAPING_DEAD_1 0x10 /* - We need to mark dead keys */
190 : : #define KEY_GC_REAPING_DEAD_2 0x20 /* - We need to reap dead key links */
191 : : #define KEY_GC_REAPING_DEAD_3 0x40 /* - We need to reap dead keys */
192 : : #define KEY_GC_FOUND_DEAD_KEY 0x80 /* - We found at least one dead key */
193 : :
194 : : struct rb_node *cursor;
195 : : struct key *key;
196 : : time_t new_timer, limit;
197 : :
198 : : kenter("[%lx,%x]", key_gc_flags, gc_state);
199 : :
200 : 5 : limit = current_kernel_time().tv_sec;
201 [ + - ]: 5 : if (limit > key_gc_delay)
202 : 5 : limit -= key_gc_delay;
203 : : else
204 : 0 : limit = key_gc_delay;
205 : :
206 : : /* Work out what we're going to be doing in this pass */
207 : 5 : gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;
208 : 5 : gc_state <<= 1;
209 [ - + ]: 5 : if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))
210 : 0 : gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER;
211 : :
212 [ - + ]: 5 : if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))
213 : 0 : gc_state |= KEY_GC_REAPING_DEAD_1;
214 : : kdebug("new pass %x", gc_state);
215 : :
216 : : new_timer = LONG_MAX;
217 : :
218 : : /* As only this function is permitted to remove things from the key
219 : : * serial tree, if cursor is non-NULL then it will always point to a
220 : : * valid node in the tree - even if lock got dropped.
221 : : */
222 : : spin_lock(&key_serial_lock);
223 : 5 : cursor = rb_first(&key_serial_tree);
224 : :
225 : : continue_scanning:
226 [ + + ]: 33 : while (cursor) {
227 : 28 : key = rb_entry(cursor, struct key, serial_node);
228 : 28 : cursor = rb_next(cursor);
229 : :
230 [ + + ]: 28 : if (atomic_read(&key->usage) == 0)
231 : : goto found_unreferenced_key;
232 : :
233 [ - + ]: 25 : if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) {
234 [ # # ]: 0 : if (key->type == key_gc_dead_keytype) {
235 : 0 : gc_state |= KEY_GC_FOUND_DEAD_KEY;
236 : 0 : set_bit(KEY_FLAG_DEAD, &key->flags);
237 : 0 : key->perm = 0;
238 : 0 : goto skip_dead_key;
239 : : }
240 : : }
241 : :
242 [ - + ]: 25 : if (gc_state & KEY_GC_SET_TIMER) {
243 [ # # ][ # # ]: 0 : if (key->expiry > limit && key->expiry < new_timer) {
244 : : kdebug("will expire %x in %ld",
245 : : key_serial(key), key->expiry - limit);
246 : : new_timer = key->expiry;
247 : : }
248 : : }
249 : :
250 [ - + ]: 25 : if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2))
251 [ # # ]: 0 : if (key->type == key_gc_dead_keytype)
252 : 0 : gc_state |= KEY_GC_FOUND_DEAD_KEY;
253 : :
254 [ + - ][ - + ]: 25 : if ((gc_state & KEY_GC_REAPING_LINKS) ||
255 : 25 : unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
256 [ # # ]: 0 : if (key->type == &key_type_keyring)
257 : : goto found_keyring;
258 : : }
259 : :
260 [ - + ]: 25 : if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3))
261 [ # # ]: 0 : if (key->type == key_gc_dead_keytype)
262 : : goto destroy_dead_key;
263 : :
264 : : skip_dead_key:
265 [ + - ][ + - ]: 28 : if (spin_is_contended(&key_serial_lock) || need_resched())
266 : : goto contended;
267 : : }
268 : :
269 : : contended:
270 : : spin_unlock(&key_serial_lock);
271 : :
272 : : maybe_resched:
273 [ + + ]: 8 : if (cursor) {
274 : 3 : cond_resched();
275 : : spin_lock(&key_serial_lock);
276 : : goto continue_scanning;
277 : : }
278 : :
279 : : /* We've completed the pass. Set the timer if we need to and queue a
280 : : * new cycle if necessary. We keep executing cycles until we find one
281 : : * where we didn't reap any keys.
282 : : */
283 : : kdebug("pass complete");
284 : :
285 [ - + ][ # # ]: 5 : if (gc_state & KEY_GC_SET_TIMER && new_timer != (time_t)LONG_MAX) {
286 : 0 : new_timer += key_gc_delay;
287 : 0 : key_schedule_gc(new_timer);
288 : : }
289 : :
290 [ + - ][ + + ]: 5 : if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2) ||
291 : : !list_empty(&graveyard)) {
292 : : /* Make sure that all pending keyring payload destructions are
293 : : * fulfilled and that people aren't now looking at dead or
294 : : * dying keys that they don't have a reference upon or a link
295 : : * to.
296 : : */
297 : : kdebug("gc sync");
298 : : synchronize_rcu();
299 : : }
300 : :
301 [ + + ]: 5 : if (!list_empty(&graveyard)) {
302 : : kdebug("gc keys");
303 : 3 : key_gc_unused_keys(&graveyard);
304 : : }
305 : :
306 [ - + ]: 5 : if (unlikely(gc_state & (KEY_GC_REAPING_DEAD_1 |
307 : : KEY_GC_REAPING_DEAD_2))) {
308 [ # # ]: 0 : if (!(gc_state & KEY_GC_FOUND_DEAD_KEY)) {
309 : : /* No remaining dead keys: short circuit the remaining
310 : : * keytype reap cycles.
311 : : */
312 : : kdebug("dead short");
313 : 0 : gc_state &= ~(KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2);
314 : 0 : gc_state |= KEY_GC_REAPING_DEAD_3;
315 : : } else {
316 : 0 : gc_state |= KEY_GC_REAP_AGAIN;
317 : : }
318 : : }
319 : :
320 [ - + ]: 5 : if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3)) {
321 : : kdebug("dead wake");
322 : 0 : smp_mb();
323 : 0 : clear_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
324 : 0 : wake_up_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE);
325 : : }
326 : :
327 [ + + ]: 5 : if (gc_state & KEY_GC_REAP_AGAIN)
328 : : schedule_work(&key_gc_work);
329 : : kleave(" [end %x]", gc_state);
330 : 5 : return;
331 : :
332 : : /* We found an unreferenced key - once we've removed it from the tree,
333 : : * we can safely drop the lock.
334 : : */
335 : : found_unreferenced_key:
336 : : kdebug("unrefd key %d", key->serial);
337 : 3 : rb_erase(&key->serial_node, &key_serial_tree);
338 : : spin_unlock(&key_serial_lock);
339 : :
340 : : list_add_tail(&key->graveyard_link, &graveyard);
341 : 3 : gc_state |= KEY_GC_REAP_AGAIN;
342 : 3 : goto maybe_resched;
343 : :
344 : : /* We found a keyring and we need to check the payload for links to
345 : : * dead or expired keys. We don't flag another reap immediately as we
346 : : * have to wait for the old payload to be destroyed by RCU before we
347 : : * can reap the keys to which it refers.
348 : : */
349 : : found_keyring:
350 : : spin_unlock(&key_serial_lock);
351 : 0 : keyring_gc(key, limit);
352 : 0 : goto maybe_resched;
353 : :
354 : : /* We found a dead key that is still referenced. Reset its type and
355 : : * destroy its payload with its semaphore held.
356 : : */
357 : : destroy_dead_key:
358 : : spin_unlock(&key_serial_lock);
359 : : kdebug("destroy key %d", key->serial);
360 : 0 : down_write(&key->sem);
361 : 0 : key->type = &key_type_dead;
362 [ # # ]: 0 : if (key_gc_dead_keytype->destroy)
363 : 0 : key_gc_dead_keytype->destroy(key);
364 : 0 : memset(&key->payload, KEY_DESTROY, sizeof(key->payload));
365 : 0 : up_write(&key->sem);
366 : 0 : goto maybe_resched;
367 : : }
|
