1 /* keyring.c: keyring handling 2 * 3 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/sched.h> 15 #include <linux/slab.h> 16 #include <linux/security.h> 17 #include <linux/seq_file.h> 18 #include <linux/err.h> 19 #include <asm/uaccess.h> 20 #include "internal.h" 21 22 /* 23 * when plumbing the depths of the key tree, this sets a hard limit set on how 24 * deep we're willing to go 25 */ 26 #define KEYRING_SEARCH_MAX_DEPTH 6 27 28 /* 29 * we keep all named keyrings in a hash to speed looking them up 30 */ 31 #define KEYRING_NAME_HASH_SIZE (1 << 5) 32 33 static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE]; 34 static DEFINE_RWLOCK(keyring_name_lock); 35 36 static inline unsigned keyring_hash(const char *desc) 37 { 38 unsigned bucket = 0; 39 40 for (; *desc; desc++) 41 bucket += (unsigned char) *desc; 42 43 return bucket & (KEYRING_NAME_HASH_SIZE - 1); 44 } 45 46 /* 47 * the keyring type definition 48 */ 49 static int keyring_instantiate(struct key *keyring, 50 const void *data, size_t datalen); 51 static int keyring_match(const struct key *keyring, const void *criterion); 52 static void keyring_revoke(struct key *keyring); 53 static void keyring_destroy(struct key *keyring); 54 static void keyring_describe(const struct key *keyring, struct seq_file *m); 55 static long keyring_read(const struct key *keyring, 56 char __user *buffer, size_t buflen); 57 58 struct key_type key_type_keyring = { 59 .name = "keyring", 60 .def_datalen = sizeof(struct keyring_list), 61 .instantiate = keyring_instantiate, 62 .match = keyring_match, 63 .revoke = keyring_revoke, 64 .destroy = keyring_destroy, 65 .describe = keyring_describe, 66 .read = keyring_read, 67 }; 68 69 /* 70 * semaphore to serialise link/link calls to prevent two link calls in parallel 71 * introducing a cycle 72 */ 73 static DECLARE_RWSEM(keyring_serialise_link_sem); 74 75 /*****************************************************************************/ 76 /* 77 * publish the name of a keyring so that it can be found by name (if it has 78 * one) 79 */ 80 void keyring_publish_name(struct key *keyring) 81 { 82 int bucket; 83 84 if (keyring->description) { 85 bucket = keyring_hash(keyring->description); 86 87 write_lock(&keyring_name_lock); 88 89 if (!keyring_name_hash[bucket].next) 90 INIT_LIST_HEAD(&keyring_name_hash[bucket]); 91 92 list_add_tail(&keyring->type_data.link, 93 &keyring_name_hash[bucket]); 94 95 write_unlock(&keyring_name_lock); 96 } 97 98 } /* end keyring_publish_name() */ 99 100 /*****************************************************************************/ 101 /* 102 * initialise a keyring 103 * - we object if we were given any data 104 */ 105 static int keyring_instantiate(struct key *keyring, 106 const void *data, size_t datalen) 107 { 108 int ret; 109 110 ret = -EINVAL; 111 if (datalen == 0) { 112 /* make the keyring available by name if it has one */ 113 keyring_publish_name(keyring); 114 ret = 0; 115 } 116 117 return ret; 118 119 } /* end keyring_instantiate() */ 120 121 /*****************************************************************************/ 122 /* 123 * match keyrings on their name 124 */ 125 static int keyring_match(const struct key *keyring, const void *description) 126 { 127 return keyring->description && 128 strcmp(keyring->description, description) == 0; 129 130 } /* end keyring_match() */ 131 132 /*****************************************************************************/ 133 /* 134 * dispose of the data dangling from the corpse of a keyring 135 */ 136 static void keyring_destroy(struct key *keyring) 137 { 138 struct keyring_list *klist; 139 int loop; 140 141 if (keyring->description) { 142 write_lock(&keyring_name_lock); 143 144 if (keyring->type_data.link.next != NULL && 145 !list_empty(&keyring->type_data.link)) 146 list_del(&keyring->type_data.link); 147 148 write_unlock(&keyring_name_lock); 149 } 150 151 klist = rcu_dereference(keyring->payload.subscriptions); 152 if (klist) { 153 for (loop = klist->nkeys - 1; loop >= 0; loop--) 154 key_put(klist->keys[loop]); 155 kfree(klist); 156 } 157 158 } /* end keyring_destroy() */ 159 160 /*****************************************************************************/ 161 /* 162 * describe the keyring 163 */ 164 static void keyring_describe(const struct key *keyring, struct seq_file *m) 165 { 166 struct keyring_list *klist; 167 168 if (keyring->description) { 169 seq_puts(m, keyring->description); 170 } 171 else { 172 seq_puts(m, "[anon]"); 173 } 174 175 rcu_read_lock(); 176 klist = rcu_dereference(keyring->payload.subscriptions); 177 if (klist) 178 seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys); 179 else 180 seq_puts(m, ": empty"); 181 rcu_read_unlock(); 182 183 } /* end keyring_describe() */ 184 185 /*****************************************************************************/ 186 /* 187 * read a list of key IDs from the keyring's contents 188 * - the keyring's semaphore is read-locked 189 */ 190 static long keyring_read(const struct key *keyring, 191 char __user *buffer, size_t buflen) 192 { 193 struct keyring_list *klist; 194 struct key *key; 195 size_t qty, tmp; 196 int loop, ret; 197 198 ret = 0; 199 klist = rcu_dereference(keyring->payload.subscriptions); 200 201 if (klist) { 202 /* calculate how much data we could return */ 203 qty = klist->nkeys * sizeof(key_serial_t); 204 205 if (buffer && buflen > 0) { 206 if (buflen > qty) 207 buflen = qty; 208 209 /* copy the IDs of the subscribed keys into the 210 * buffer */ 211 ret = -EFAULT; 212 213 for (loop = 0; loop < klist->nkeys; loop++) { 214 key = klist->keys[loop]; 215 216 tmp = sizeof(key_serial_t); 217 if (tmp > buflen) 218 tmp = buflen; 219 220 if (copy_to_user(buffer, 221 &key->serial, 222 tmp) != 0) 223 goto error; 224 225 buflen -= tmp; 226 if (buflen == 0) 227 break; 228 buffer += tmp; 229 } 230 } 231 232 ret = qty; 233 } 234 235 error: 236 return ret; 237 238 } /* end keyring_read() */ 239 240 /*****************************************************************************/ 241 /* 242 * allocate a keyring and link into the destination keyring 243 */ 244 struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, 245 struct task_struct *ctx, unsigned long flags, 246 struct key *dest) 247 { 248 struct key *keyring; 249 int ret; 250 251 keyring = key_alloc(&key_type_keyring, description, 252 uid, gid, ctx, 253 (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL, 254 flags); 255 256 if (!IS_ERR(keyring)) { 257 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL); 258 if (ret < 0) { 259 key_put(keyring); 260 keyring = ERR_PTR(ret); 261 } 262 } 263 264 return keyring; 265 266 } /* end keyring_alloc() */ 267 268 /*****************************************************************************/ 269 /* 270 * search the supplied keyring tree for a key that matches the criterion 271 * - perform a breadth-then-depth search up to the prescribed limit 272 * - we only find keys on which we have search permission 273 * - we use the supplied match function to see if the description (or other 274 * feature of interest) matches 275 * - we rely on RCU to prevent the keyring lists from disappearing on us 276 * - we return -EAGAIN if we didn't find any matching key 277 * - we return -ENOKEY if we only found negative matching keys 278 * - we propagate the possession attribute from the keyring ref to the key ref 279 */ 280 key_ref_t keyring_search_aux(key_ref_t keyring_ref, 281 struct task_struct *context, 282 struct key_type *type, 283 const void *description, 284 key_match_func_t match) 285 { 286 struct { 287 struct keyring_list *keylist; 288 int kix; 289 } stack[KEYRING_SEARCH_MAX_DEPTH]; 290 291 struct keyring_list *keylist; 292 struct timespec now; 293 unsigned long possessed; 294 struct key *keyring, *key; 295 key_ref_t key_ref; 296 long err; 297 int sp, kix; 298 299 keyring = key_ref_to_ptr(keyring_ref); 300 possessed = is_key_possessed(keyring_ref); 301 key_check(keyring); 302 303 /* top keyring must have search permission to begin the search */ 304 err = key_task_permission(keyring_ref, context, KEY_SEARCH); 305 if (err < 0) { 306 key_ref = ERR_PTR(err); 307 goto error; 308 } 309 310 key_ref = ERR_PTR(-ENOTDIR); 311 if (keyring->type != &key_type_keyring) 312 goto error; 313 314 rcu_read_lock(); 315 316 now = current_kernel_time(); 317 err = -EAGAIN; 318 sp = 0; 319 320 /* start processing a new keyring */ 321 descend: 322 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 323 goto not_this_keyring; 324 325 keylist = rcu_dereference(keyring->payload.subscriptions); 326 if (!keylist) 327 goto not_this_keyring; 328 329 /* iterate through the keys in this keyring first */ 330 for (kix = 0; kix < keylist->nkeys; kix++) { 331 key = keylist->keys[kix]; 332 333 /* ignore keys not of this type */ 334 if (key->type != type) 335 continue; 336 337 /* skip revoked keys and expired keys */ 338 if (test_bit(KEY_FLAG_REVOKED, &key->flags)) 339 continue; 340 341 if (key->expiry && now.tv_sec >= key->expiry) 342 continue; 343 344 /* keys that don't match */ 345 if (!match(key, description)) 346 continue; 347 348 /* key must have search permissions */ 349 if (key_task_permission(make_key_ref(key, possessed), 350 context, KEY_SEARCH) < 0) 351 continue; 352 353 /* we set a different error code if we find a negative key */ 354 if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) { 355 err = -ENOKEY; 356 continue; 357 } 358 359 goto found; 360 } 361 362 /* search through the keyrings nested in this one */ 363 kix = 0; 364 ascend: 365 for (; kix < keylist->nkeys; kix++) { 366 key = keylist->keys[kix]; 367 if (key->type != &key_type_keyring) 368 continue; 369 370 /* recursively search nested keyrings 371 * - only search keyrings for which we have search permission 372 */ 373 if (sp >= KEYRING_SEARCH_MAX_DEPTH) 374 continue; 375 376 if (key_task_permission(make_key_ref(key, possessed), 377 context, KEY_SEARCH) < 0) 378 continue; 379 380 /* stack the current position */ 381 stack[sp].keylist = keylist; 382 stack[sp].kix = kix; 383 sp++; 384 385 /* begin again with the new keyring */ 386 keyring = key; 387 goto descend; 388 } 389 390 /* the keyring we're looking at was disqualified or didn't contain a 391 * matching key */ 392 not_this_keyring: 393 if (sp > 0) { 394 /* resume the processing of a keyring higher up in the tree */ 395 sp--; 396 keylist = stack[sp].keylist; 397 kix = stack[sp].kix + 1; 398 goto ascend; 399 } 400 401 key_ref = ERR_PTR(err); 402 goto error_2; 403 404 /* we found a viable match */ 405 found: 406 atomic_inc(&key->usage); 407 key_check(key); 408 key_ref = make_key_ref(key, possessed); 409 error_2: 410 rcu_read_unlock(); 411 error: 412 return key_ref; 413 414 } /* end keyring_search_aux() */ 415 416 /*****************************************************************************/ 417 /* 418 * search the supplied keyring tree for a key that matches the criterion 419 * - perform a breadth-then-depth search up to the prescribed limit 420 * - we only find keys on which we have search permission 421 * - we readlock the keyrings as we search down the tree 422 * - we return -EAGAIN if we didn't find any matching key 423 * - we return -ENOKEY if we only found negative matching keys 424 */ 425 key_ref_t keyring_search(key_ref_t keyring, 426 struct key_type *type, 427 const char *description) 428 { 429 if (!type->match) 430 return ERR_PTR(-ENOKEY); 431 432 return keyring_search_aux(keyring, current, 433 type, description, type->match); 434 435 } /* end keyring_search() */ 436 437 EXPORT_SYMBOL(keyring_search); 438 439 /*****************************************************************************/ 440 /* 441 * search the given keyring only (no recursion) 442 * - keyring must be locked by caller 443 * - caller must guarantee that the keyring is a keyring 444 */ 445 key_ref_t __keyring_search_one(key_ref_t keyring_ref, 446 const struct key_type *ktype, 447 const char *description, 448 key_perm_t perm) 449 { 450 struct keyring_list *klist; 451 unsigned long possessed; 452 struct key *keyring, *key; 453 int loop; 454 455 keyring = key_ref_to_ptr(keyring_ref); 456 possessed = is_key_possessed(keyring_ref); 457 458 rcu_read_lock(); 459 460 klist = rcu_dereference(keyring->payload.subscriptions); 461 if (klist) { 462 for (loop = 0; loop < klist->nkeys; loop++) { 463 key = klist->keys[loop]; 464 465 if (key->type == ktype && 466 (!key->type->match || 467 key->type->match(key, description)) && 468 key_permission(make_key_ref(key, possessed), 469 perm) == 0 && 470 !test_bit(KEY_FLAG_REVOKED, &key->flags) 471 ) 472 goto found; 473 } 474 } 475 476 rcu_read_unlock(); 477 return ERR_PTR(-ENOKEY); 478 479 found: 480 atomic_inc(&key->usage); 481 rcu_read_unlock(); 482 return make_key_ref(key, possessed); 483 484 } /* end __keyring_search_one() */ 485 486 /*****************************************************************************/ 487 /* 488 * find a keyring with the specified name 489 * - all named keyrings are searched 490 * - only find keyrings with search permission for the process 491 * - only find keyrings with a serial number greater than the one specified 492 */ 493 struct key *find_keyring_by_name(const char *name, key_serial_t bound) 494 { 495 struct key *keyring; 496 int bucket; 497 498 keyring = ERR_PTR(-EINVAL); 499 if (!name) 500 goto error; 501 502 bucket = keyring_hash(name); 503 504 read_lock(&keyring_name_lock); 505 506 if (keyring_name_hash[bucket].next) { 507 /* search this hash bucket for a keyring with a matching name 508 * that's readable and that hasn't been revoked */ 509 list_for_each_entry(keyring, 510 &keyring_name_hash[bucket], 511 type_data.link 512 ) { 513 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 514 continue; 515 516 if (strcmp(keyring->description, name) != 0) 517 continue; 518 519 if (key_permission(make_key_ref(keyring, 0), 520 KEY_SEARCH) < 0) 521 continue; 522 523 /* found a potential candidate, but we still need to 524 * check the serial number */ 525 if (keyring->serial <= bound) 526 continue; 527 528 /* we've got a match */ 529 atomic_inc(&keyring->usage); 530 read_unlock(&keyring_name_lock); 531 goto error; 532 } 533 } 534 535 read_unlock(&keyring_name_lock); 536 keyring = ERR_PTR(-ENOKEY); 537 538 error: 539 return keyring; 540 541 } /* end find_keyring_by_name() */ 542 543 /*****************************************************************************/ 544 /* 545 * see if a cycle will will be created by inserting acyclic tree B in acyclic 546 * tree A at the topmost level (ie: as a direct child of A) 547 * - since we are adding B to A at the top level, checking for cycles should 548 * just be a matter of seeing if node A is somewhere in tree B 549 */ 550 static int keyring_detect_cycle(struct key *A, struct key *B) 551 { 552 struct { 553 struct keyring_list *keylist; 554 int kix; 555 } stack[KEYRING_SEARCH_MAX_DEPTH]; 556 557 struct keyring_list *keylist; 558 struct key *subtree, *key; 559 int sp, kix, ret; 560 561 rcu_read_lock(); 562 563 ret = -EDEADLK; 564 if (A == B) 565 goto cycle_detected; 566 567 subtree = B; 568 sp = 0; 569 570 /* start processing a new keyring */ 571 descend: 572 if (test_bit(KEY_FLAG_REVOKED, &subtree->flags)) 573 goto not_this_keyring; 574 575 keylist = rcu_dereference(subtree->payload.subscriptions); 576 if (!keylist) 577 goto not_this_keyring; 578 kix = 0; 579 580 ascend: 581 /* iterate through the remaining keys in this keyring */ 582 for (; kix < keylist->nkeys; kix++) { 583 key = keylist->keys[kix]; 584 585 if (key == A) 586 goto cycle_detected; 587 588 /* recursively check nested keyrings */ 589 if (key->type == &key_type_keyring) { 590 if (sp >= KEYRING_SEARCH_MAX_DEPTH) 591 goto too_deep; 592 593 /* stack the current position */ 594 stack[sp].keylist = keylist; 595 stack[sp].kix = kix; 596 sp++; 597 598 /* begin again with the new keyring */ 599 subtree = key; 600 goto descend; 601 } 602 } 603 604 /* the keyring we're looking at was disqualified or didn't contain a 605 * matching key */ 606 not_this_keyring: 607 if (sp > 0) { 608 /* resume the checking of a keyring higher up in the tree */ 609 sp--; 610 keylist = stack[sp].keylist; 611 kix = stack[sp].kix + 1; 612 goto ascend; 613 } 614 615 ret = 0; /* no cycles detected */ 616 617 error: 618 rcu_read_unlock(); 619 return ret; 620 621 too_deep: 622 ret = -ELOOP; 623 goto error; 624 625 cycle_detected: 626 ret = -EDEADLK; 627 goto error; 628 629 } /* end keyring_detect_cycle() */ 630 631 /*****************************************************************************/ 632 /* 633 * dispose of a keyring list after the RCU grace period 634 */ 635 static void keyring_link_rcu_disposal(struct rcu_head *rcu) 636 { 637 struct keyring_list *klist = 638 container_of(rcu, struct keyring_list, rcu); 639 640 kfree(klist); 641 642 } /* end keyring_link_rcu_disposal() */ 643 644 /*****************************************************************************/ 645 /* 646 * dispose of a keyring list after the RCU grace period, freeing the unlinked 647 * key 648 */ 649 static void keyring_unlink_rcu_disposal(struct rcu_head *rcu) 650 { 651 struct keyring_list *klist = 652 container_of(rcu, struct keyring_list, rcu); 653 654 key_put(klist->keys[klist->delkey]); 655 kfree(klist); 656 657 } /* end keyring_unlink_rcu_disposal() */ 658 659 /*****************************************************************************/ 660 /* 661 * link a key into to a keyring 662 * - must be called with the keyring's semaphore write-locked 663 * - discard already extant link to matching key if there is one 664 */ 665 int __key_link(struct key *keyring, struct key *key) 666 { 667 struct keyring_list *klist, *nklist; 668 unsigned max; 669 size_t size; 670 int loop, ret; 671 672 ret = -EKEYREVOKED; 673 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 674 goto error; 675 676 ret = -ENOTDIR; 677 if (keyring->type != &key_type_keyring) 678 goto error; 679 680 /* serialise link/link calls to prevent parallel calls causing a 681 * cycle when applied to two keyring in opposite orders */ 682 down_write(&keyring_serialise_link_sem); 683 684 /* check that we aren't going to create a cycle adding one keyring to 685 * another */ 686 if (key->type == &key_type_keyring) { 687 ret = keyring_detect_cycle(keyring, key); 688 if (ret < 0) 689 goto error2; 690 } 691 692 /* see if there's a matching key we can displace */ 693 klist = keyring->payload.subscriptions; 694 695 if (klist && klist->nkeys > 0) { 696 struct key_type *type = key->type; 697 698 for (loop = klist->nkeys - 1; loop >= 0; loop--) { 699 if (klist->keys[loop]->type == type && 700 strcmp(klist->keys[loop]->description, 701 key->description) == 0 702 ) { 703 /* found a match - replace with new key */ 704 size = sizeof(struct key *) * klist->maxkeys; 705 size += sizeof(*klist); 706 BUG_ON(size > PAGE_SIZE); 707 708 ret = -ENOMEM; 709 nklist = kmalloc(size, GFP_KERNEL); 710 if (!nklist) 711 goto error2; 712 713 memcpy(nklist, klist, size); 714 715 /* replace matched key */ 716 atomic_inc(&key->usage); 717 nklist->keys[loop] = key; 718 719 rcu_assign_pointer( 720 keyring->payload.subscriptions, 721 nklist); 722 723 /* dispose of the old keyring list and the 724 * displaced key */ 725 klist->delkey = loop; 726 call_rcu(&klist->rcu, 727 keyring_unlink_rcu_disposal); 728 729 goto done; 730 } 731 } 732 } 733 734 /* check that we aren't going to overrun the user's quota */ 735 ret = key_payload_reserve(keyring, 736 keyring->datalen + KEYQUOTA_LINK_BYTES); 737 if (ret < 0) 738 goto error2; 739 740 klist = keyring->payload.subscriptions; 741 742 if (klist && klist->nkeys < klist->maxkeys) { 743 /* there's sufficient slack space to add directly */ 744 atomic_inc(&key->usage); 745 746 klist->keys[klist->nkeys] = key; 747 smp_wmb(); 748 klist->nkeys++; 749 smp_wmb(); 750 } 751 else { 752 /* grow the key list */ 753 max = 4; 754 if (klist) 755 max += klist->maxkeys; 756 757 ret = -ENFILE; 758 if (max > 65535) 759 goto error3; 760 size = sizeof(*klist) + sizeof(struct key *) * max; 761 if (size > PAGE_SIZE) 762 goto error3; 763 764 ret = -ENOMEM; 765 nklist = kmalloc(size, GFP_KERNEL); 766 if (!nklist) 767 goto error3; 768 nklist->maxkeys = max; 769 nklist->nkeys = 0; 770 771 if (klist) { 772 nklist->nkeys = klist->nkeys; 773 memcpy(nklist->keys, 774 klist->keys, 775 sizeof(struct key *) * klist->nkeys); 776 } 777 778 /* add the key into the new space */ 779 atomic_inc(&key->usage); 780 nklist->keys[nklist->nkeys++] = key; 781 782 rcu_assign_pointer(keyring->payload.subscriptions, nklist); 783 784 /* dispose of the old keyring list */ 785 if (klist) 786 call_rcu(&klist->rcu, keyring_link_rcu_disposal); 787 } 788 789 done: 790 ret = 0; 791 error2: 792 up_write(&keyring_serialise_link_sem); 793 error: 794 return ret; 795 796 error3: 797 /* undo the quota changes */ 798 key_payload_reserve(keyring, 799 keyring->datalen - KEYQUOTA_LINK_BYTES); 800 goto error2; 801 802 } /* end __key_link() */ 803 804 /*****************************************************************************/ 805 /* 806 * link a key to a keyring 807 */ 808 int key_link(struct key *keyring, struct key *key) 809 { 810 int ret; 811 812 key_check(keyring); 813 key_check(key); 814 815 down_write(&keyring->sem); 816 ret = __key_link(keyring, key); 817 up_write(&keyring->sem); 818 819 return ret; 820 821 } /* end key_link() */ 822 823 EXPORT_SYMBOL(key_link); 824 825 /*****************************************************************************/ 826 /* 827 * unlink the first link to a key from a keyring 828 */ 829 int key_unlink(struct key *keyring, struct key *key) 830 { 831 struct keyring_list *klist, *nklist; 832 int loop, ret; 833 834 key_check(keyring); 835 key_check(key); 836 837 ret = -ENOTDIR; 838 if (keyring->type != &key_type_keyring) 839 goto error; 840 841 down_write(&keyring->sem); 842 843 klist = keyring->payload.subscriptions; 844 if (klist) { 845 /* search the keyring for the key */ 846 for (loop = 0; loop < klist->nkeys; loop++) 847 if (klist->keys[loop] == key) 848 goto key_is_present; 849 } 850 851 up_write(&keyring->sem); 852 ret = -ENOENT; 853 goto error; 854 855 key_is_present: 856 /* we need to copy the key list for RCU purposes */ 857 nklist = kmalloc(sizeof(*klist) + 858 sizeof(struct key *) * klist->maxkeys, 859 GFP_KERNEL); 860 if (!nklist) 861 goto nomem; 862 nklist->maxkeys = klist->maxkeys; 863 nklist->nkeys = klist->nkeys - 1; 864 865 if (loop > 0) 866 memcpy(&nklist->keys[0], 867 &klist->keys[0], 868 loop * sizeof(struct key *)); 869 870 if (loop < nklist->nkeys) 871 memcpy(&nklist->keys[loop], 872 &klist->keys[loop + 1], 873 (nklist->nkeys - loop) * sizeof(struct key *)); 874 875 /* adjust the user's quota */ 876 key_payload_reserve(keyring, 877 keyring->datalen - KEYQUOTA_LINK_BYTES); 878 879 rcu_assign_pointer(keyring->payload.subscriptions, nklist); 880 881 up_write(&keyring->sem); 882 883 /* schedule for later cleanup */ 884 klist->delkey = loop; 885 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal); 886 887 ret = 0; 888 889 error: 890 return ret; 891 nomem: 892 ret = -ENOMEM; 893 up_write(&keyring->sem); 894 goto error; 895 896 } /* end key_unlink() */ 897 898 EXPORT_SYMBOL(key_unlink); 899 900 /*****************************************************************************/ 901 /* 902 * dispose of a keyring list after the RCU grace period, releasing the keys it 903 * links to 904 */ 905 static void keyring_clear_rcu_disposal(struct rcu_head *rcu) 906 { 907 struct keyring_list *klist; 908 int loop; 909 910 klist = container_of(rcu, struct keyring_list, rcu); 911 912 for (loop = klist->nkeys - 1; loop >= 0; loop--) 913 key_put(klist->keys[loop]); 914 915 kfree(klist); 916 917 } /* end keyring_clear_rcu_disposal() */ 918 919 /*****************************************************************************/ 920 /* 921 * clear the specified process keyring 922 * - implements keyctl(KEYCTL_CLEAR) 923 */ 924 int keyring_clear(struct key *keyring) 925 { 926 struct keyring_list *klist; 927 int ret; 928 929 ret = -ENOTDIR; 930 if (keyring->type == &key_type_keyring) { 931 /* detach the pointer block with the locks held */ 932 down_write(&keyring->sem); 933 934 klist = keyring->payload.subscriptions; 935 if (klist) { 936 /* adjust the quota */ 937 key_payload_reserve(keyring, 938 sizeof(struct keyring_list)); 939 940 rcu_assign_pointer(keyring->payload.subscriptions, 941 NULL); 942 } 943 944 up_write(&keyring->sem); 945 946 /* free the keys after the locks have been dropped */ 947 if (klist) 948 call_rcu(&klist->rcu, keyring_clear_rcu_disposal); 949 950 ret = 0; 951 } 952 953 return ret; 954 955 } /* end keyring_clear() */ 956 957 EXPORT_SYMBOL(keyring_clear); 958 959 /*****************************************************************************/ 960 /* 961 * dispose of the links from a revoked keyring 962 * - called with the key sem write-locked 963 */ 964 static void keyring_revoke(struct key *keyring) 965 { 966 struct keyring_list *klist = keyring->payload.subscriptions; 967 968 /* adjust the quota */ 969 key_payload_reserve(keyring, 0); 970 971 if (klist) { 972 rcu_assign_pointer(keyring->payload.subscriptions, NULL); 973 call_rcu(&klist->rcu, keyring_clear_rcu_disposal); 974 } 975 976 } /* end keyring_revoke() */ 977