1 /* Key garbage collector
3 * Copyright (C) 2009 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
12 #include <linux/module.h>
13 #include <linux/slab.h>
14 #include <linux/security.h>
15 #include <keys/keyring-type.h>
19 * Delay between key revocation/expiry in seconds
21 unsigned key_gc_delay = 5 * 60;
24 * Reaper for unused keys.
26 static void key_gc_unused_keys(struct work_struct *work);
27 DECLARE_WORK(key_gc_unused_work, key_gc_unused_keys);
30 * Reaper for links from keyrings to dead keys.
32 static void key_gc_timer_func(unsigned long);
33 static void key_gc_dead_links(struct work_struct *);
34 static DEFINE_TIMER(key_gc_timer, key_gc_timer_func, 0, 0);
35 static DECLARE_WORK(key_gc_work, key_gc_dead_links);
36 static key_serial_t key_gc_cursor; /* the last key the gc considered */
37 static bool key_gc_again;
38 static unsigned long key_gc_executing;
39 static time_t key_gc_next_run = LONG_MAX;
40 static time_t key_gc_new_timer;
43 * Schedule a garbage collection run.
44 * - time precision isn't particularly important
46 void key_schedule_gc(time_t gc_at)
48 unsigned long expires;
49 time_t now = current_kernel_time().tv_sec;
51 kenter("%ld", gc_at - now);
54 schedule_work(&key_gc_work);
55 } else if (gc_at < key_gc_next_run) {
56 expires = jiffies + (gc_at - now) * HZ;
57 mod_timer(&key_gc_timer, expires);
62 * The garbage collector timer kicked off
64 static void key_gc_timer_func(unsigned long data)
67 key_gc_next_run = LONG_MAX;
68 schedule_work(&key_gc_work);
72 * Garbage collect pointers from a keyring.
74 * Return true if we altered the keyring.
76 static bool key_gc_keyring(struct key *keyring, time_t limit)
77 __releases(key_serial_lock)
79 struct keyring_list *klist;
83 kenter("%x", key_serial(keyring));
85 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
88 /* scan the keyring looking for dead keys */
90 klist = rcu_dereference(keyring->payload.subscriptions);
94 for (loop = klist->nkeys - 1; loop >= 0; loop--) {
95 key = klist->keys[loop];
96 if (test_bit(KEY_FLAG_DEAD, &key->flags) ||
97 (key->expiry > 0 && key->expiry <= limit))
109 key_gc_cursor = keyring->serial;
111 spin_unlock(&key_serial_lock);
112 keyring_gc(keyring, limit);
119 * Garbage collector for links to dead keys.
121 * This involves scanning the keyrings for dead, expired and revoked keys that
122 * have overstayed their welcome
124 static void key_gc_dead_links(struct work_struct *work)
128 struct key *key, *xkey;
129 time_t new_timer = LONG_MAX, limit, now;
131 now = current_kernel_time().tv_sec;
132 kenter("[%x,%ld]", key_gc_cursor, key_gc_new_timer - now);
134 if (test_and_set_bit(0, &key_gc_executing)) {
135 key_schedule_gc(current_kernel_time().tv_sec + 1);
136 kleave(" [busy; deferring]");
141 if (limit > key_gc_delay)
142 limit -= key_gc_delay;
144 limit = key_gc_delay;
146 spin_lock(&key_serial_lock);
148 if (unlikely(RB_EMPTY_ROOT(&key_serial_tree))) {
149 spin_unlock(&key_serial_lock);
150 clear_bit(0, &key_gc_executing);
154 cursor = key_gc_cursor;
158 new_timer = key_gc_new_timer;
160 key_gc_again = false;
162 /* find the first key above the cursor */
164 rb = key_serial_tree.rb_node;
166 xkey = rb_entry(rb, struct key, serial_node);
167 if (cursor < xkey->serial) {
170 } else if (cursor > xkey->serial) {
175 goto reached_the_end;
176 key = rb_entry(rb, struct key, serial_node);
182 goto reached_the_end;
184 /* trawl through the keys looking for keyrings */
186 if (key->expiry > limit && key->expiry < new_timer) {
187 kdebug("will expire %x in %ld",
188 key_serial(key), key->expiry - limit);
189 new_timer = key->expiry;
192 if (key->type == &key_type_keyring &&
193 key_gc_keyring(key, limit))
194 /* the gc had to release our lock so that the keyring
195 * could be modified, so we have to get it again */
196 goto gc_released_our_lock;
198 rb = rb_next(&key->serial_node);
200 goto reached_the_end;
201 key = rb_entry(rb, struct key, serial_node);
204 gc_released_our_lock:
205 kdebug("gc_released_our_lock");
206 key_gc_new_timer = new_timer;
208 clear_bit(0, &key_gc_executing);
209 schedule_work(&key_gc_work);
210 kleave(" [continue]");
213 /* when we reach the end of the run, we set the timer for the next one */
215 kdebug("reached_the_end");
216 spin_unlock(&key_serial_lock);
217 key_gc_new_timer = new_timer;
219 clear_bit(0, &key_gc_executing);
222 /* there may have been a key that expired whilst we were
223 * scanning, so if we discarded any links we should do another
226 key_schedule_gc(new_timer);
227 } else if (new_timer < LONG_MAX) {
228 new_timer += key_gc_delay;
229 key_schedule_gc(new_timer);
235 * Garbage collector for unused keys.
237 * This is done in process context so that we don't have to disable interrupts
238 * all over the place. key_put() schedules this rather than trying to do the
239 * cleanup itself, which means key_put() doesn't have to sleep.
241 static void key_gc_unused_keys(struct work_struct *work)
247 /* look for a dead key in the tree */
248 spin_lock(&key_serial_lock);
250 for (_n = rb_first(&key_serial_tree); _n; _n = rb_next(_n)) {
251 key = rb_entry(_n, struct key, serial_node);
253 if (atomic_read(&key->usage) == 0)
257 spin_unlock(&key_serial_lock);
261 /* we found a dead key - once we've removed it from the tree, we can
263 rb_erase(&key->serial_node, &key_serial_tree);
264 spin_unlock(&key_serial_lock);
268 security_key_free(key);
270 /* deal with the user's key tracking and quota */
271 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
272 spin_lock(&key->user->lock);
274 key->user->qnbytes -= key->quotalen;
275 spin_unlock(&key->user->lock);
278 atomic_dec(&key->user->nkeys);
279 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
280 atomic_dec(&key->user->nikeys);
282 key_user_put(key->user);
284 /* now throw away the key memory */
285 if (key->type->destroy)
286 key->type->destroy(key);
288 kfree(key->description);
291 key->magic = KEY_DEBUG_MAGIC_X;
293 kmem_cache_free(key_jar, key);
295 /* there may, of course, be more than one key to destroy */