Commit 65d87fe6 authored by David Howells's avatar David Howells

KEYS: Perform RCU synchronisation on keys prior to key destruction

Make the keys garbage collector invoke synchronize_rcu() prior to destroying
keys with a zero usage count.  This means that a key can be examined under the
RCU read lock in the safe knowledge that it won't get deallocated until after
the lock is released - even if its usage count becomes zero whilst we're
looking at it.

This is useful in keyring search vs key link.  Consider a keyring containing a
link to a key.  That link can be replaced in-place in the keyring - without
requiring an RCU copy-and-replace on the keyring contents, and without breaking
a search underway on that keyring when the displaced key is released - provided
the key is actually destroyed only after the RCU read lock held by the search
algorithm is released.

This permits __key_link() to replace a key without having to reallocate the key
payload.  A key gets replaced if a new key being linked into a keyring has the
same type and description.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
parent 1eb1bcf5
...@@ -124,7 +124,10 @@ static inline unsigned long is_key_possessed(const key_ref_t key_ref) ...@@ -124,7 +124,10 @@ static inline unsigned long is_key_possessed(const key_ref_t key_ref)
struct key { struct key {
atomic_t usage; /* number of references */ atomic_t usage; /* number of references */
key_serial_t serial; /* key serial number */ key_serial_t serial; /* key serial number */
union {
struct list_head graveyard_link;
struct rb_node serial_node; struct rb_node serial_node;
};
struct key_type *type; /* type of key */ struct key_type *type; /* type of key */
struct rw_semaphore sem; /* change vs change sem */ struct rw_semaphore sem; /* change vs change sem */
struct key_user *user; /* owner of this key */ struct key_user *user; /* owner of this key */
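Review bot: The new anonymous union at the top of the hunk aliases `graveyard_link` with `serial_node` but, unlike every neighbouring field, carries no comment saying when each member is live. Because the two share storage, a key must already be off `key_serial_tree` before `graveyard_link` is written, and that ordering is enforced only by the caller in gc.c, not by the type itself. Suggest documenting it on the union, e.g. `/* serial_node is live while the key is in key_serial_tree; graveyard_link reuses the storage once the key has been rb_erase'd and is awaiting destruction */`. struct key continues beyond the end of the hunk.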
...@@ -168,10 +168,16 @@ static void key_gc_keyring(struct key *keyring, time_t limit) ...@@ -168,10 +168,16 @@ static void key_gc_keyring(struct key *keyring, time_t limit)
} }
/* /*
* Garbage collect an unreferenced, detached key * Garbage collect a list of unreferenced, detached keys
*/ */
static noinline void key_gc_unused_key(struct key *key) static noinline void key_gc_unused_keys(struct list_head *keys)
{ {
while (!list_empty(keys)) {
struct key *key =
list_entry(keys->next, struct key, graveyard_link);
list_del(&key->graveyard_link);
kdebug("- %u", key->serial);
key_check(key); key_check(key);
security_key_free(key); security_key_free(key);
...@@ -200,6 +206,7 @@ static noinline void key_gc_unused_key(struct key *key) ...@@ -200,6 +206,7 @@ static noinline void key_gc_unused_key(struct key *key)
key->magic = KEY_DEBUG_MAGIC_X; key->magic = KEY_DEBUG_MAGIC_X;
#endif #endif
kmem_cache_free(key_jar, key); kmem_cache_free(key_jar, key);
}
} }
/* /*
...@@ -211,6 +218,7 @@ static noinline void key_gc_unused_key(struct key *key) ...@@ -211,6 +218,7 @@ static noinline void key_gc_unused_key(struct key *key)
*/ */
static void key_garbage_collector(struct work_struct *work) static void key_garbage_collector(struct work_struct *work)
{ {
static LIST_HEAD(graveyard);
static u8 gc_state; /* Internal persistent state */ static u8 gc_state; /* Internal persistent state */
#define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */ #define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */
#define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */ #define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */
...@@ -316,15 +324,22 @@ static void key_garbage_collector(struct work_struct *work) ...@@ -316,15 +324,22 @@ static void key_garbage_collector(struct work_struct *work)
key_schedule_gc(new_timer); key_schedule_gc(new_timer);
} }
if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) { if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2) ||
/* Make sure everyone revalidates their keys if we marked a !list_empty(&graveyard)) {
* bunch as being dead and make sure all keyring ex-payloads /* Make sure that all pending keyring payload destructions are
* are destroyed. * fulfilled and that people aren't now looking at dead or
* dying keys that they don't have a reference upon or a link
* to.
*/ */
kdebug("dead sync"); kdebug("gc sync");
synchronize_rcu(); synchronize_rcu();
} }
if (!list_empty(&graveyard)) {
kdebug("gc keys");
key_gc_unused_keys(&graveyard);
}
if (unlikely(gc_state & (KEY_GC_REAPING_DEAD_1 | if (unlikely(gc_state & (KEY_GC_REAPING_DEAD_1 |
KEY_GC_REAPING_DEAD_2))) { KEY_GC_REAPING_DEAD_2))) {
if (!(gc_state & KEY_GC_FOUND_DEAD_KEY)) { if (!(gc_state & KEY_GC_FOUND_DEAD_KEY)) {
...@@ -359,7 +374,7 @@ static void key_garbage_collector(struct work_struct *work) ...@@ -359,7 +374,7 @@ static void key_garbage_collector(struct work_struct *work)
rb_erase(&key->serial_node, &key_serial_tree); rb_erase(&key->serial_node, &key_serial_tree);
spin_unlock(&key_serial_lock); spin_unlock(&key_serial_lock);
key_gc_unused_key(key); list_add_tail(&key->graveyard_link, &graveyard);
gc_state |= KEY_GC_REAP_AGAIN; gc_state |= KEY_GC_REAP_AGAIN;
goto maybe_resched; goto maybe_resched;
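Review bot: In the hunk starting at `key_schedule_gc(new_timer)`, the block that calls `key_gc_unused_keys(&graveyard)` is safe only because the preceding `if` ran `synchronize_rcu()` whenever `graveyard` is non-empty, yet the two are written as independent conditions and nothing states the dependency. Suggest a comment on the second block, `/* Graveyard keys may now be freed: the synchronize_rcu() above is guaranteed to have run when the list is non-empty */`, or folding the free into the sync block so the ordering cannot drift apart in later edits. `graveyard` is a function-static list, so any exit path from key_garbage_collector that bypasses this point (the body lies mostly outside the hunks) would leave keys pending until the next run; if such a path exists, it should be confirmed that a grace period still precedes every free. In the last hunk, `rb_erase` under `key_serial_lock` precedes `list_add_tail(&key->graveyard_link, ...)`, which matters because `graveyard_link` shares storage with `serial_node`; a one-line comment there, `/* must be off the serial tree first: graveyard_link aliases serial_node */`, would make that ordering deliberate rather than incidental.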