root/security/keys/gc.c

DEFINITIONS

1. key_schedule_gc
2. key_schedule_gc_links
3. key_gc_timer_func
4. key_gc_keytype
5. key_gc_unused_keys
6. key_garbage_collector

   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /* Key garbage collector
   3  *
   4  * Copyright (C) 2009-2011 Red Hat, Inc. All Rights Reserved.
   5  * Written by David Howells (dhowells@redhat.com)
   6  */
   7 
   8 #include <linux/slab.h>
   9 #include <linux/security.h>
  10 #include <keys/keyring-type.h>
  11 #include "internal.h"
  12 
  13 /*
  14  * Delay between key revocation/expiry in seconds
  15  */
  16 unsigned key_gc_delay = 5 * 60;
  17 
  18 /*
  19  * Reaper for unused keys.
  20  */
  21 static void key_garbage_collector(struct work_struct *work);
  22 DECLARE_WORK(key_gc_work, key_garbage_collector);
  23 
  24 /*
  25  * Reaper for links from keyrings to dead keys.
  26  */
  27 static void key_gc_timer_func(struct timer_list *);
  28 static DEFINE_TIMER(key_gc_timer, key_gc_timer_func);
  29 
  30 static time64_t key_gc_next_run = TIME64_MAX;
  31 static struct key_type *key_gc_dead_keytype;
  32 
  33 static unsigned long key_gc_flags;
  34 #define KEY_GC_KEY_EXPIRED      0       /* A key expired and needs unlinking */
  35 #define KEY_GC_REAP_KEYTYPE     1       /* A keytype is being unregistered */
  36 #define KEY_GC_REAPING_KEYTYPE  2       /* Cleared when keytype reaped */
  37 
  38 
  39 /*
  40  * Any key whose type gets unregistered will be re-typed to this if it can't be
  41  * immediately unlinked.
  42  */
  43 struct key_type key_type_dead = {
  44         .name = ".dead",
  45 };
  46 
  47 /*
  48  * Schedule a garbage collection run.
  49  * - time precision isn't particularly important
  50  */
  51 void key_schedule_gc(time64_t gc_at)
  52 {
  53         unsigned long expires;
  54         time64_t now = ktime_get_real_seconds();
  55 
  56         kenter("%lld", gc_at - now);
  57 
  58         if (gc_at <= now || test_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags)) {
  59                 kdebug("IMMEDIATE");
  60                 schedule_work(&key_gc_work);
  61         } else if (gc_at < key_gc_next_run) {
  62                 kdebug("DEFERRED");
  63                 key_gc_next_run = gc_at;
  64                 expires = jiffies + (gc_at - now) * HZ;
  65                 mod_timer(&key_gc_timer, expires);
  66         }
  67 }
  68 
  69 /*
  70  * Schedule a dead links collection run.
  71  */
  72 void key_schedule_gc_links(void)
  73 {
  74         set_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags);
  75         schedule_work(&key_gc_work);
  76 }
  77 
  78 /*
  79  * Some key's cleanup time was met after it expired, so we need to get the
  80  * reaper to go through a cycle finding expired keys.
  81  */
  82 static void key_gc_timer_func(struct timer_list *unused)
  83 {
  84         kenter("");
  85         key_gc_next_run = TIME64_MAX;
  86         key_schedule_gc_links();
  87 }
  88 
  89 /*
  90  * Reap keys of dead type.
  91  *
  92  * We use three flags to make sure we see three complete cycles of the garbage
  93  * collector: the first to mark keys of that type as being dead, the second to
  94  * collect dead links and the third to clean up the dead keys.  We have to be
  95  * careful as there may already be a cycle in progress.
  96  *
  97  * The caller must be holding key_types_sem.
  98  */
  99 void key_gc_keytype(struct key_type *ktype)
 100 {
 101         kenter("%s", ktype->name);
 102 
 103         key_gc_dead_keytype = ktype;
 104         set_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
 105         smp_mb();
 106         set_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags);
 107 
 108         kdebug("schedule");
 109         schedule_work(&key_gc_work);
 110 
 111         kdebug("sleep");
 112         wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE,
 113                     TASK_UNINTERRUPTIBLE);
 114 
 115         key_gc_dead_keytype = NULL;
 116         kleave("");
 117 }
 118 
 119 /*
 120  * Garbage collect a list of unreferenced, detached keys
 121  */
 122 static noinline void key_gc_unused_keys(struct list_head *keys)
 123 {
 124         while (!list_empty(keys)) {
 125                 struct key *key =
 126                         list_entry(keys->next, struct key, graveyard_link);
 127                 short state = key->state;
 128 
 129                 list_del(&key->graveyard_link);
 130 
 131                 kdebug("- %u", key->serial);
 132                 key_check(key);
 133 
 134                 /* Throw away the key data if the key is instantiated */
 135                 if (state == KEY_IS_POSITIVE && key->type->destroy)
 136                         key->type->destroy(key);
 137 
 138                 security_key_free(key);
 139 
 140                 /* deal with the user's key tracking and quota */
 141                 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
 142                         spin_lock(&key->user->lock);
 143                         key->user->qnkeys--;
 144                         key->user->qnbytes -= key->quotalen;
 145                         spin_unlock(&key->user->lock);
 146                 }
 147 
 148                 atomic_dec(&key->user->nkeys);
 149                 if (state != KEY_IS_UNINSTANTIATED)
 150                         atomic_dec(&key->user->nikeys);
 151 
 152                 key_user_put(key->user);
 153                 key_put_tag(key->domain_tag);
 154                 kfree(key->description);
 155 
 156                 memzero_explicit(key, sizeof(*key));
 157                 kmem_cache_free(key_jar, key);
 158         }
 159 }
 160 
 161 /*
 162  * Garbage collector for unused keys.
 163  *
 164  * This is done in process context so that we don't have to disable interrupts
 165  * all over the place.  key_put() schedules this rather than trying to do the
 166  * cleanup itself, which means key_put() doesn't have to sleep.
 167  */
 168 static void key_garbage_collector(struct work_struct *work)
 169 {
 170         static LIST_HEAD(graveyard);
 171         static u8 gc_state;             /* Internal persistent state */
 172 #define KEY_GC_REAP_AGAIN       0x01    /* - Need another cycle */
 173 #define KEY_GC_REAPING_LINKS    0x02    /* - We need to reap links */
 174 #define KEY_GC_SET_TIMER        0x04    /* - We need to restart the timer */
 175 #define KEY_GC_REAPING_DEAD_1   0x10    /* - We need to mark dead keys */
 176 #define KEY_GC_REAPING_DEAD_2   0x20    /* - We need to reap dead key links */
 177 #define KEY_GC_REAPING_DEAD_3   0x40    /* - We need to reap dead keys */
 178 #define KEY_GC_FOUND_DEAD_KEY   0x80    /* - We found at least one dead key */
 179 
 180         struct rb_node *cursor;
 181         struct key *key;
 182         time64_t new_timer, limit;
 183 
 184         kenter("[%lx,%x]", key_gc_flags, gc_state);
 185 
 186         limit = ktime_get_real_seconds();
 187         if (limit > key_gc_delay)
 188                 limit -= key_gc_delay;
 189         else
 190                 limit = key_gc_delay;
 191 
 192         /* Work out what we're going to be doing in this pass */
 193         gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;
 194         gc_state <<= 1;
 195         if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))
 196                 gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER;
 197 
 198         if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))
 199                 gc_state |= KEY_GC_REAPING_DEAD_1;
 200         kdebug("new pass %x", gc_state);
 201 
 202         new_timer = TIME64_MAX;
 203 
 204         /* As only this function is permitted to remove things from the key
 205          * serial tree, if cursor is non-NULL then it will always point to a
 206          * valid node in the tree - even if lock got dropped.
 207          */
 208         spin_lock(&key_serial_lock);
 209         cursor = rb_first(&key_serial_tree);
 210 
 211 continue_scanning:
 212         while (cursor) {
 213                 key = rb_entry(cursor, struct key, serial_node);
 214                 cursor = rb_next(cursor);
 215 
 216                 if (refcount_read(&key->usage) == 0)
 217                         goto found_unreferenced_key;
 218 
 219                 if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) {
 220                         if (key->type == key_gc_dead_keytype) {
 221                                 gc_state |= KEY_GC_FOUND_DEAD_KEY;
 222                                 set_bit(KEY_FLAG_DEAD, &key->flags);
 223                                 key->perm = 0;
 224                                 goto skip_dead_key;
 225                         } else if (key->type == &key_type_keyring &&
 226                                    key->restrict_link) {
 227                                 goto found_restricted_keyring;
 228                         }
 229                 }
 230 
 231                 if (gc_state & KEY_GC_SET_TIMER) {
 232                         if (key->expiry > limit && key->expiry < new_timer) {
 233                                 kdebug("will expire %x in %lld",
 234                                        key_serial(key), key->expiry - limit);
 235                                 new_timer = key->expiry;
 236                         }
 237                 }
 238 
 239                 if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2))
 240                         if (key->type == key_gc_dead_keytype)
 241                                 gc_state |= KEY_GC_FOUND_DEAD_KEY;
 242 
 243                 if ((gc_state & KEY_GC_REAPING_LINKS) ||
 244                     unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
 245                         if (key->type == &key_type_keyring)
 246                                 goto found_keyring;
 247                 }
 248 
 249                 if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3))
 250                         if (key->type == key_gc_dead_keytype)
 251                                 goto destroy_dead_key;
 252 
 253         skip_dead_key:
 254                 if (spin_is_contended(&key_serial_lock) || need_resched())
 255                         goto contended;
 256         }
 257 
 258 contended:
 259         spin_unlock(&key_serial_lock);
 260 
 261 maybe_resched:
 262         if (cursor) {
 263                 cond_resched();
 264                 spin_lock(&key_serial_lock);
 265                 goto continue_scanning;
 266         }
 267 
 268         /* We've completed the pass.  Set the timer if we need to and queue a
 269          * new cycle if necessary.  We keep executing cycles until we find one
 270          * where we didn't reap any keys.
 271          */
 272         kdebug("pass complete");
 273 
 274         if (gc_state & KEY_GC_SET_TIMER && new_timer != (time64_t)TIME64_MAX) {
 275                 new_timer += key_gc_delay;
 276                 key_schedule_gc(new_timer);
 277         }
 278 
 279         if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2) ||
 280             !list_empty(&graveyard)) {
 281                 /* Make sure that all pending keyring payload destructions are
 282                  * fulfilled and that people aren't now looking at dead or
 283                  * dying keys that they don't have a reference upon or a link
 284                  * to.
 285                  */
 286                 kdebug("gc sync");
 287                 synchronize_rcu();
 288         }
 289 
 290         if (!list_empty(&graveyard)) {
 291                 kdebug("gc keys");
 292                 key_gc_unused_keys(&graveyard);
 293         }
 294 
 295         if (unlikely(gc_state & (KEY_GC_REAPING_DEAD_1 |
 296                                  KEY_GC_REAPING_DEAD_2))) {
 297                 if (!(gc_state & KEY_GC_FOUND_DEAD_KEY)) {
 298                         /* No remaining dead keys: short circuit the remaining
 299                          * keytype reap cycles.
 300                          */
 301                         kdebug("dead short");
 302                         gc_state &= ~(KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2);
 303                         gc_state |= KEY_GC_REAPING_DEAD_3;
 304                 } else {
 305                         gc_state |= KEY_GC_REAP_AGAIN;
 306                 }
 307         }
 308 
 309         if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3)) {
 310                 kdebug("dead wake");
 311                 smp_mb();
 312                 clear_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
 313                 wake_up_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE);
 314         }
 315 
 316         if (gc_state & KEY_GC_REAP_AGAIN)
 317                 schedule_work(&key_gc_work);
 318         kleave(" [end %x]", gc_state);
 319         return;
 320 
 321         /* We found an unreferenced key - once we've removed it from the tree,
 322          * we can safely drop the lock.
 323          */
 324 found_unreferenced_key:
 325         kdebug("unrefd key %d", key->serial);
 326         rb_erase(&key->serial_node, &key_serial_tree);
 327         spin_unlock(&key_serial_lock);
 328 
 329         list_add_tail(&key->graveyard_link, &graveyard);
 330         gc_state |= KEY_GC_REAP_AGAIN;
 331         goto maybe_resched;
 332 
 333         /* We found a restricted keyring and need to update the restriction if
 334          * it is associated with the dead key type.
 335          */
 336 found_restricted_keyring:
 337         spin_unlock(&key_serial_lock);
 338         keyring_restriction_gc(key, key_gc_dead_keytype);
 339         goto maybe_resched;
 340 
 341         /* We found a keyring and we need to check the payload for links to
 342          * dead or expired keys.  We don't flag another reap immediately as we
 343          * have to wait for the old payload to be destroyed by RCU before we
 344          * can reap the keys to which it refers.
 345          */
 346 found_keyring:
 347         spin_unlock(&key_serial_lock);
 348         keyring_gc(key, limit);
 349         goto maybe_resched;
 350 
 351         /* We found a dead key that is still referenced.  Reset its type and
 352          * destroy its payload with its semaphore held.
 353          */
 354 destroy_dead_key:
 355         spin_unlock(&key_serial_lock);
 356         kdebug("destroy key %d", key->serial);
 357         down_write(&key->sem);
 358         key->type = &key_type_dead;
 359         if (key_gc_dead_keytype->destroy)
 360                 key_gc_dead_keytype->destroy(key);
 361         memset(&key->payload, KEY_DESTROY, sizeof(key->payload));
 362         up_write(&key->sem);
 363         goto maybe_resched;
 364 }