// SPDX-License-Identifier: GPL-2.0-or-later
/* Key garbage collector
 *
 * Copyright (C) 2009-2011 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#include <linux/slab.h>
#include <linux/security.h>
#include <keys/keyring-type.h>
#include "internal.h"

/*
 * Grace period, in seconds, between a key expiring (or being revoked) and the
 * collector reaping it.  It is added to a key's expiry time both when the
 * reap is scheduled and when the collector decides what has expired, unless
 * the key's type sets KEY_TYPE_INSTANT_REAP.
 */
unsigned key_gc_delay = 5 * 60;

/*
 * Reaper for unused keys.
 */
static void key_garbage_collector(struct work_struct *work);
DECLARE_WORK(key_gc_work, key_garbage_collector);

/*
 * Reaper for links from keyrings to dead keys.
 */
static void key_gc_timer_func(struct timer_list *);
static DEFINE_TIMER(key_gc_timer, key_gc_timer_func);

/* Wallclock time the timer is currently armed for; TIME64_MAX when idle. */
static time64_t key_gc_next_run = TIME64_MAX;
/* The key type being unregistered while key_gc_keytype() is in progress. */
static struct key_type *key_gc_dead_keytype;

/* Requests for the collector, set by the functions below and consumed
 * (test_and_clear) at the start of a collector pass.
 */
static unsigned long key_gc_flags;
#define KEY_GC_KEY_EXPIRED	0	/* A key expired and needs unlinking */
#define KEY_GC_REAP_KEYTYPE	1	/* A keytype is being unregistered */
#define KEY_GC_REAPING_KEYTYPE	2	/* Cleared when keytype reaped */


/*
 * Any key whose type gets unregistered will be re-typed to this if it can't be
 * immediately unlinked.
 */
struct key_type key_type_dead = {
	.name = ".dead",
};

/*
 * Schedule a garbage collection run.
 * - time precision isn't particularly important
 *
 * @gc_at: wallclock time (seconds) at which a collector pass is wanted.
 *
 * A time that has already passed, or any request made while a keytype
 * unregistration (KEY_GC_REAP_KEYTYPE) is pending, queues the collector
 * immediately.  Otherwise the timer is only ever moved earlier: a @gc_at later
 * than the already-armed key_gc_next_run is dropped, because the pass that
 * fires first recomputes the next deadline from the keys it scans.
 *
 * NOTE(review): key_gc_next_run is read and written here and in
 * key_gc_timer_func() without any lock, so concurrent callers can race on it;
 * the "precision isn't important" remark appears to be the justification
 * (worst case looks like an extra or late pass) - confirm.  The jiffies
 * arithmetic below also narrows a time64_t product to unsigned long, so a very
 * distant @gc_at can wrap on 32-bit and fire early; again an extra pass rather
 * than a missed one, but worth knowing.
 */
void key_schedule_gc(time64_t gc_at)
{
	time64_t now = ktime_get_real_seconds();
	time64_t delay = gc_at - now;

	kenter("%lld", delay);

	/* Overdue, or a keytype reap is pending: run a pass right away */
	if (gc_at <= now || test_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags)) {
		kdebug("IMMEDIATE");
		schedule_work(&key_gc_work);
		return;
	}

	/* Something earlier (or equal) is already armed; let that pass reschedule */
	if (gc_at >= key_gc_next_run)
		return;

	kdebug("DEFERRED");
	key_gc_next_run = gc_at;
	mod_timer(&key_gc_timer, jiffies + delay * HZ);
}

/*
 * Set the expiration time on a key.
 *
 * Records @expiry on the key and, unless it is TIME64_MAX ("never"), schedules
 * a collector pass for when the key becomes reapable: at @expiry itself for
 * KEY_TYPE_INSTANT_REAP types, otherwise @expiry + key_gc_delay.
*/
void key_set_expiry(struct key *key, time64_t expiry)
{
	time64_t reap_at = expiry;

	key->expiry = expiry;
	if (expiry == TIME64_MAX)
		return;

	/* Non-instant types get the key_gc_delay grace period before reaping */
	if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
		reap_at += key_gc_delay;
	key_schedule_gc(reap_at);
}

/*
 * Schedule a dead links collection run.
 *
 * Flags that at least one key has expired (or otherwise needs unlinking) and
 * queues the collector; its next pass then walks every keyring looking for
 * links to reap.
 */
void key_schedule_gc_links(void)
{
	set_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags);
	schedule_work(&key_gc_work);
}

/*
 * Timer callback: a deadline armed by key_schedule_gc() has arrived.
 *
 * Reset key_gc_next_run so the next deadline can be armed, then request a
 * link-reaping pass; the collector works out from the keys themselves which
 * of them have actually expired by now.
 */
static void key_gc_timer_func(struct timer_list *unused)
{
	kenter("");
	key_gc_next_run = TIME64_MAX;
	key_schedule_gc_links();
}

/*
 * Reap keys of dead type.
 *
 * We use three flags to make sure we see three complete cycles of the garbage
 * collector: the first to mark keys of that type as being dead, the second to
 * collect dead links and the third to clean up the dead keys.  We have to be
 * careful as there may already be a cycle in progress.
 *
 * Blocks the caller until the collector reports that the type is fully
 * reaped, so nothing of that type can still be referenced by the time the
 * type's module or callbacks go away.
 *
 * The caller must be holding key_types_sem.
*/
void key_gc_keytype(struct key_type *ktype)
{
	kenter("%s", ktype->name);

	/* Publish the type to reap and the "reap in progress" flag before
	 * raising the request bit the collector acts on; the barrier orders
	 * them so a pass that consumes KEY_GC_REAP_KEYTYPE also sees
	 * key_gc_dead_keytype.  The collector's own smp_mb() before it clears
	 * KEY_GC_REAPING_KEYTYPE appears to be the matching half.
	 */
	key_gc_dead_keytype = ktype;
	set_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
	smp_mb();
	set_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags);

	kdebug("schedule");
	schedule_work(&key_gc_work);

	/* Sleep (uninterruptibly) until the collector has either run all three
	 * dead-keytype passes or short-circuited them because no key of this
	 * type was found.
	 */
	kdebug("sleep");
	wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE,
		    TASK_UNINTERRUPTIBLE);

	/* The collector only consults key_gc_dead_keytype during its
	 * REAPING_DEAD_* passes, which have now finished, so it can be dropped.
	 */
	key_gc_dead_keytype = NULL;
	kleave("");
}

/*
 * Garbage collect a list of unreferenced, detached keys
 *
 * @keys: the graveyard built by key_garbage_collector().  Every key on it has
 *	  a zero usage count and has already been erased from the serial tree,
 *	  so nothing else can reach it and its fields are read without locking.
 *
 * For each key this releases the payload (only if the key was instantiated),
 * runs the security_key_free() hook, returns the key's quota and per-user
 * counts, drops the user and domain tag references, and finally wipes the
 * whole struct before handing it back to the slab so no key material lingers
 * in freed memory.
 */
static noinline void key_gc_unused_keys(struct list_head *keys)
{
	while (!list_empty(keys)) {
		struct key *key =
			list_entry(keys->next, struct key, graveyard_link);
		short state = key->state;

		list_del(&key->graveyard_link);

		kdebug("- %u", key->serial);
		key_check(key);

#ifdef CONFIG_KEY_NOTIFICATIONS
		remove_watch_list(key->watchers, key->serial);
		key->watchers = NULL;
#endif

		/* Throw away the key data if the key is instantiated */
		if (state == KEY_IS_POSITIVE && key->type->destroy)
			key->type->destroy(key);

		security_key_free(key);

		/* deal with the user's key tracking and quota */
		if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
			spin_lock(&key->user->lock);
			key->user->qnkeys--;
			key->user->qnbytes -= key->quotalen;
			spin_unlock(&key->user->lock);
		}

		/* nikeys counts instantiated keys, positive or negative */
		atomic_dec(&key->user->nkeys);
		if (state != KEY_IS_UNINSTANTIATED)
			atomic_dec(&key->user->nikeys);

		key_user_put(key->user);
		key_put_tag(key->domain_tag);
		kfree(key->description);

		/* Explicit wipe: the compiler may not drop it, and the object
		 * has held key material.
		 */
		memzero_explicit(key, sizeof(*key));
		kmem_cache_free(key_jar, key);
	}
}

/*
 * Garbage collector for unused keys.
 *
 * This is done in process context so that we don't have to disable interrupts
 * all over the place.  key_put() schedules this rather than trying to do the
 * cleanup itself, which means key_put() doesn't have to sleep.
 *
 * One invocation is one pass over the serial tree.  Depending on the request
 * bits in key_gc_flags and the dead-keytype step carried over in gc_state, a
 * pass may:
 *  - move unreferenced keys (usage == 0) to the graveyard and free them;
 *  - ask every keyring to drop links to expired/dead keys
 *    (KEY_GC_REAPING_LINKS);
 *  - run one step of the three-step keytype unregistration requested by
 *    key_gc_keytype(): mark keys dead (DEAD_1), reap their links (DEAD_2),
 *    destroy the payloads of any still referenced (DEAD_3).
 * A pass that filled the graveyard or found keys of the dead type queues
 * another pass via KEY_GC_REAP_AGAIN; keys that keyring_gc() unlinks come
 * back through key_put() scheduling the work instead.
 */
static void key_garbage_collector(struct work_struct *work)
{
	static LIST_HEAD(graveyard);
	static u8 gc_state;		/* Internal persistent state */
#define KEY_GC_REAP_AGAIN	0x01	/* - Need another cycle */
#define KEY_GC_REAPING_LINKS	0x02	/* - We need to reap links */
#define KEY_GC_REAPING_DEAD_1	0x10	/* - We need to mark dead keys */
#define KEY_GC_REAPING_DEAD_2	0x20	/* - We need to reap dead key links */
#define KEY_GC_REAPING_DEAD_3	0x40	/* - We need to reap dead keys */
#define KEY_GC_FOUND_DEAD_KEY	0x80	/* - We found at least one dead key */

	struct rb_node *cursor;
	struct key *key;
	time64_t new_timer, limit, expiry;

	kenter("[%lx,%x]", key_gc_flags, gc_state);

	limit = ktime_get_real_seconds();

	/* Work out what we're going to be doing in this pass.  Only the
	 * dead-keytype step survives from the previous pass, advanced one
	 * step by the shift (DEAD_1 -> DEAD_2 -> DEAD_3); every other bit
	 * starts clear and is re-derived from the request flags.
	 */
	gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;
	gc_state <<= 1;
	if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))
		gc_state |= KEY_GC_REAPING_LINKS;

	if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))
		gc_state |= KEY_GC_REAPING_DEAD_1;
	kdebug("new pass %x", gc_state);

	/* Earliest raw expiry seen this pass that is still in the future;
	 * used to arm the timer for the next pass.
	 */
	new_timer = TIME64_MAX;

	/* As only this function is permitted to remove things from the key
	 * serial tree, if cursor is non-NULL then it will always point to a
	 * valid node in the tree - even if lock got dropped.
	 */
	spin_lock(&key_serial_lock);
	cursor = rb_first(&key_serial_tree);

continue_scanning:
	while (cursor) {
		key = rb_entry(cursor, struct key, serial_node);
		cursor = rb_next(cursor);

		if (refcount_read(&key->usage) == 0)
			goto found_unreferenced_key;

		/* DEAD_1: flag every key of the dying type and clear its
		 * permission mask so it is useless to anyone still holding
		 * it; restricted keyrings get their restriction checked
		 * against the dying type.
		 *
		 * NOTE(review): both gotos below skip the expiry bookkeeping
		 * and the keyring_gc() call for this key in a pass where
		 * KEY_GC_REAPING_LINKS is also set.  The DEAD_2 pass revisits
		 * every keyring, but the "dead short" path does not - confirm
		 * that a restricted keyring missing one link-reap pass is fine.
		 */
		if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) {
			if (key->type == key_gc_dead_keytype) {
				gc_state |= KEY_GC_FOUND_DEAD_KEY;
				set_bit(KEY_FLAG_DEAD, &key->flags);
				key->perm = 0;
				goto skip_dead_key;
			} else if (key->type == &key_type_keyring &&
				   key->restrict_link) {
				goto found_restricted_keyring;
			}
		}

		/* Track the next future expiry.  The comparison uses the
		 * grace-adjusted time but new_timer records the raw expiry;
		 * key_gc_delay is added back once at the end of the pass.
		 *
		 * NOTE(review): for KEY_TYPE_INSTANT_REAP keys that means the
		 * rescan is armed key_gc_delay after they actually expire, and
		 * the adjusted-vs-raw comparison can prefer a later key -
		 * harmless given "precision isn't important", but confirm.
		 */
		expiry = key->expiry;
		if (expiry != TIME64_MAX) {
			if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
				expiry += key_gc_delay;
			if (expiry > limit && expiry < new_timer) {
				kdebug("will expire %x in %lld",
				       key_serial(key), key->expiry - limit);
				new_timer = key->expiry;
			}
		}

		/* DEAD_2: note whether any key of the dying type still exists
		 * so we know a DEAD_3 pass is needed.
		 */
		if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2))
			if (key->type == key_gc_dead_keytype)
				gc_state |= KEY_GC_FOUND_DEAD_KEY;

		/* Link reaping (ordinary expiry, or DEAD_2): hand every
		 * keyring to keyring_gc() to drop links to dead/expired keys.
		 */
		if ((gc_state & KEY_GC_REAPING_LINKS) ||
		    unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
			if (key->type == &key_type_keyring)
				goto found_keyring;
		}

		/* DEAD_3: keys of the dying type that are still referenced
		 * can't be freed, so their payloads are destroyed in place.
		 */
		if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3))
			if (key->type == key_gc_dead_keytype)
				goto destroy_dead_key;

	skip_dead_key:
		/* Yield the lock periodically; the cursor stays valid across
		 * the drop because only this function erases nodes.
		 */
		if (spin_is_contended(&key_serial_lock) || need_resched())
			goto contended;
	}

contended:
	spin_unlock(&key_serial_lock);

maybe_resched:
	if (cursor) {
		cond_resched();
		spin_lock(&key_serial_lock);
		goto continue_scanning;
	}

	/* We've completed the pass.  Set the timer if we need to and queue a
	 * new cycle if necessary.  We keep executing cycles until we find one
	 * where we didn't reap any keys.
	 */
	kdebug("pass complete");

	/* new_timer holds a raw expiry; apply the grace period here */
	if (new_timer != TIME64_MAX) {
		new_timer += key_gc_delay;
		key_schedule_gc(new_timer);
	}

	if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2) ||
	    !list_empty(&graveyard)) {
		/* Make sure that all pending keyring payload destructions are
		 * fulfilled and that people aren't now looking at dead or
		 * dying keys that they don't have a reference upon or a link
		 * to.
		 */
		kdebug("gc sync");
		synchronize_rcu();
	}

	if (!list_empty(&graveyard)) {
		kdebug("gc keys");
		key_gc_unused_keys(&graveyard);
	}

	/* Decide how the dead-keytype sequence continues: another pass if a
	 * key of the type was seen, otherwise jump straight to the DEAD_3
	 * state so the waiter in key_gc_keytype() is released below.
	 */
	if (unlikely(gc_state & (KEY_GC_REAPING_DEAD_1 |
				 KEY_GC_REAPING_DEAD_2))) {
		if (!(gc_state & KEY_GC_FOUND_DEAD_KEY)) {
			/* No remaining dead keys: short circuit the remaining
			 * keytype reap cycles.
			 */
			kdebug("dead short");
			gc_state &= ~(KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2);
			gc_state |= KEY_GC_REAPING_DEAD_3;
		} else {
			gc_state |= KEY_GC_REAP_AGAIN;
		}
	}

	/* Dead-keytype work is finished: order everything above ahead of the
	 * flag clear, then wake key_gc_keytype().
	 */
	if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3)) {
		kdebug("dead wake");
		smp_mb();
		clear_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
		wake_up_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE);
	}

	if (gc_state & KEY_GC_REAP_AGAIN)
		schedule_work(&key_gc_work);
	kleave(" [end %x]", gc_state);
	return;

	/* We found an unreferenced key - once we've removed it from the tree,
	 * we can safely drop the lock.  It is freed after the RCU grace period
	 * at the end of this pass.
	 */
found_unreferenced_key:
	kdebug("unrefd key %d", key->serial);
	rb_erase(&key->serial_node, &key_serial_tree);
	spin_unlock(&key_serial_lock);

	list_add_tail(&key->graveyard_link, &graveyard);
	gc_state |= KEY_GC_REAP_AGAIN;
	goto maybe_resched;

	/* We found a restricted keyring and need to update the restriction if
	 * it is associated with the dead key type.
	 */
found_restricted_keyring:
	spin_unlock(&key_serial_lock);
	keyring_restriction_gc(key, key_gc_dead_keytype);
	goto maybe_resched;

	/* We found a keyring and we need to check the payload for links to
	 * dead or expired keys.  We don't flag another reap immediately as we
	 * have to wait for the old payload to be destroyed by RCU before we
	 * can reap the keys to which it refers.
	 */
found_keyring:
	spin_unlock(&key_serial_lock);
	keyring_gc(key, limit);
	goto maybe_resched;

	/* We found a dead key that is still referenced.  Reset its type and
	 * destroy its payload with its semaphore held: the key is retyped to
	 * .dead first, the outgoing type's destroy() runs exactly once, and
	 * the payload words are then overwritten with KEY_DESTROY so any
	 * later use of them is recognisable rather than a dangling pointer.
	 */
destroy_dead_key:
	spin_unlock(&key_serial_lock);
	kdebug("destroy key %d", key->serial);
	down_write(&key->sem);
	key->type = &key_type_dead;
	if (key_gc_dead_keytype->destroy)
		key_gc_dead_keytype->destroy(key);
	memset(&key->payload, KEY_DESTROY, sizeof(key->payload));
	up_write(&key->sem);
	goto maybe_resched;
}