52 	if (ret < 0)  in key_get_type_from_user()
54 	if (ret == 0 || ret >= len)  in key_get_type_from_user()
56 	if (type[0] == '.')  in key_get_type_from_user()
66  * If the description is NULL or an empty string, the key type is asked to
71  * If successful, the new key's serial number is returned, otherwise an error
86 	if (plen > 1024 * 1024 - 1)  in SYSCALL_DEFINE5()
91 	if (ret < 0)  in SYSCALL_DEFINE5()
95 	if (_description) {  in SYSCALL_DEFINE5()
97 		if (IS_ERR(description)) {  in SYSCALL_DEFINE5()
101 		if (!*description) {  in SYSCALL_DEFINE5()
104 		} else if ((description[0] == '.') &&  in SYSCALL_DEFINE5()
111 	/* pull the payload in if one was supplied */  in SYSCALL_DEFINE5()
114 	if (plen) {  in SYSCALL_DEFINE5()
117 		if (!payload)  in SYSCALL_DEFINE5()
121 		if (copy_from_user(payload, _payload, plen) != 0)  in SYSCALL_DEFINE5()
127 	if (IS_ERR(keyring_ref)) {  in SYSCALL_DEFINE5()
137 	if (!IS_ERR(key_ref)) {  in SYSCALL_DEFINE5()
159  * If a key is found, it will be attached to the destination keyring if there's
162  * If no key is found, /sbin/request-key will be invoked if _callout_info is
164  * passed to /sbin/request-key to aid with completing the request.  If the
181 	if (ret < 0)  in SYSCALL_DEFINE4()
186 	if (IS_ERR(description)) {  in SYSCALL_DEFINE4()
194 	if (_callout_info) {  in SYSCALL_DEFINE4()
196 		if (IS_ERR(callout_info)) {  in SYSCALL_DEFINE4()
203 	/* get the destination keyring if specified */  in SYSCALL_DEFINE4()
205 	if (destringid) {  in SYSCALL_DEFINE4()
208 		if (IS_ERR(dest_ref)) {  in SYSCALL_DEFINE4()
216 	if (IS_ERR(ktype)) {  in SYSCALL_DEFINE4()
225 	if (IS_ERR(key)) {  in SYSCALL_DEFINE4()
232 	if (ret < 0)  in SYSCALL_DEFINE4()
256  * If successful, the ID of the requested keyring will be returned.
266 	if (IS_ERR(key_ref)) {  in keyctl_get_keyring_ID()
281  * keyring, creating it if necessary.  A named session keyring must have Search
286  * If successful, the ID of the joined session keyring will be returned.
295 	if (_name) {  in keyctl_join_session_keyring()
297 		if (IS_ERR(name)) {  in keyctl_join_session_keyring()
303 		if (name[0] == '.')  in keyctl_join_session_keyring()
322  * If successful, 0 will be returned.  If the key type does not support
334 	if (plen > PAGE_SIZE)  in keyctl_update_key()
337 	/* pull the payload in if one was supplied */  in keyctl_update_key()
339 	if (plen) {  in keyctl_update_key()
342 		if (!payload)  in keyctl_update_key()
346 		if (copy_from_user(payload, _payload, plen) != 0)  in keyctl_update_key()
352 	if (IS_ERR(key_ref)) {  in keyctl_update_key()
377  * If successful, 0 is returned.
386 	if (IS_ERR(key_ref)) {  in keyctl_revoke_key()
388 		if (ret != -EACCES)  in keyctl_revoke_key()
391 		if (IS_ERR(key_ref)) {  in keyctl_revoke_key()
399 	if (test_bit(KEY_FLAG_KEEP, &key->flags))  in keyctl_revoke_key()
418  * If successful, 0 is returned.
429 	if (IS_ERR(key_ref)) {  in keyctl_invalidate_key()
433 		if (capable(CAP_SYS_ADMIN)) {  in keyctl_invalidate_key()
435 			if (IS_ERR(key_ref))  in keyctl_invalidate_key()
437 			if (test_bit(KEY_FLAG_ROOT_CAN_INVAL,  in keyctl_invalidate_key()
449 	if (test_bit(KEY_FLAG_KEEP, &key->flags))  in keyctl_invalidate_key()
461  * Clear the specified keyring, creating an empty process keyring if one of the
465  * KEY_FLAG_KEEP set for this to work.  If successful, 0 will be returned.
474 	if (IS_ERR(keyring_ref)) {  in keyctl_keyring_clear()
478 		if (capable(CAP_SYS_ADMIN)) {  in keyctl_keyring_clear()
481 			if (IS_ERR(keyring_ref))  in keyctl_keyring_clear()
483 			if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,  in keyctl_keyring_clear()
494 	if (test_bit(KEY_FLAG_KEEP, &keyring->flags))  in keyctl_keyring_clear()
505  * Create a link from a keyring to a key if there's no matching key in the
510  * the caller Write permission.  Furthermore, if an additional link is created,
513  * If successful, 0 will be returned.
521 	if (IS_ERR(keyring_ref)) {  in keyctl_keyring_link()
527 	if (IS_ERR(key_ref)) {  in keyctl_keyring_link()
545  * itself need not grant the caller anything.  If the last link to a key is
550  * If successful, 0 will be returned.
559 	if (IS_ERR(keyring_ref)) {  in keyctl_keyring_unlink()
565 	if (IS_ERR(key_ref)) {  in keyctl_keyring_unlink()
572 	if (test_bit(KEY_FLAG_KEEP, &keyring->flags) &&  in keyctl_keyring_unlink()
591  * to the key.  If both keyrings are the same, nothing is done.
593  * If successful, 0 will be returned.
601 	if (flags & ~KEYCTL_MOVE_EXCL)  in keyctl_keyring_move()
605 	if (IS_ERR(key_ref))  in keyctl_keyring_move()
609 	if (IS_ERR(from_ref)) {  in keyctl_keyring_move()
615 	if (IS_ERR(to_ref)) {  in keyctl_keyring_move()
636  * If there's a buffer, we place up to buflen bytes of data into it formatted
641  * If successful, we return the amount of description available, irrespective
655 	if (IS_ERR(key_ref)) {  in keyctl_describe_key()
656 		/* viewing a key under construction is permitted if we have the  in keyctl_describe_key()
658 		if (PTR_ERR(key_ref) == -EACCES) {  in keyctl_describe_key()
660 			if (!IS_ERR(instkey)) {  in keyctl_describe_key()
665 				if (!IS_ERR(key_ref))  in keyctl_describe_key()
686 	if (!infobuf)  in keyctl_describe_key()
692 	if (buffer && buflen >= ret) {  in keyctl_describe_key()
693 		if (copy_to_user(buffer, infobuf, infolen) != 0 ||  in keyctl_describe_key()
712  * If successful, the found key will be linked to the destination keyring if
728 	if (ret < 0)  in keyctl_keyring_search()
732 	if (IS_ERR(description)) {  in keyctl_keyring_search()
739 	if (IS_ERR(keyring_ref)) {  in keyctl_keyring_search()
744 	/* get the destination keyring if specified */  in keyctl_keyring_search()
746 	if (destringid) {  in keyctl_keyring_search()
749 		if (IS_ERR(dest_ref)) {  in keyctl_keyring_search()
757 	if (IS_ERR(ktype)) {  in keyctl_keyring_search()
764 	if (IS_ERR(key_ref)) {  in keyctl_keyring_search()
768 		if (ret == -EAGAIN)  in keyctl_keyring_search()
773 	/* link the resulting key to the destination keyring if we can */  in keyctl_keyring_search()
774 	if (dest_ref) {  in keyctl_keyring_search()
776 		if (ret < 0)  in keyctl_keyring_search()
780 		if (ret < 0)  in keyctl_keyring_search()
809 	if (ret == 0)  in __keyctl_read_key()
821  * If successful, we place up to buflen bytes of data into the buffer, if one
835 	if (IS_ERR(key_ref)) {  in keyctl_read_key()
843 	if (ret < 0)  in keyctl_read_key()
846 	/* see if we can read it directly */  in keyctl_read_key()
848 	if (ret == 0)  in keyctl_read_key()
850 	if (ret != -EACCES)  in keyctl_read_key()
853 	/* we can't; see if it's searchable from this process's keyrings  in keyctl_read_key()
857 	if (!is_key_possessed(key_ref)) {  in keyctl_read_key()
864 	if (!key->type->read) {  in keyctl_read_key()
869 	if (!buffer || !buflen) {  in keyctl_read_key()
892 		if (key_data_len) {  in keyctl_read_key()
894 			if (!key_data) {  in keyctl_read_key()
904 		 * any copying if the provided length isn't large enough.  in keyctl_read_key()
906 		if (ret <= 0 || ret > buflen)  in keyctl_read_key()
915 		if (ret > key_data_len) {  in keyctl_read_key()
916 			if (unlikely(key_data))  in keyctl_read_key()
922 		if (copy_to_user(buffer, key_data, ret))  in keyctl_read_key()
940  * caller must have sysadmin capability.  If either uid or gid is -1 then that
943  * If the UID is to be changed, the new user must have sufficient quota to
947  * If successful, 0 will be returned.
961 	if ((user != (uid_t) -1) && !uid_valid(uid))  in keyctl_chown_key()
963 	if ((group != (gid_t) -1) && !gid_valid(gid))  in keyctl_chown_key()
967 	if (user == (uid_t) -1 && group == (gid_t) -1)  in keyctl_chown_key()
972 	if (IS_ERR(key_ref)) {  in keyctl_chown_key()
983 	if (!capable(CAP_SYS_ADMIN)) {  in keyctl_chown_key()
985 		if (user != (uid_t) -1 && !uid_eq(key->uid, uid))  in keyctl_chown_key()
990 		if (group != (gid_t) -1 && !gid_eq(gid, key->gid) && !in_group_p(gid))  in keyctl_chown_key()
995 	if (user != (uid_t) -1 && !uid_eq(uid, key->uid)) {  in keyctl_chown_key()
998 		if (!newowner)  in keyctl_chown_key()
1002 		if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {  in keyctl_chown_key()
1009 			if (newowner->qnkeys + 1 > maxkeys ||  in keyctl_chown_key()
1028 		if (key->state != KEY_IS_UNINSTANTIATED) {  in keyctl_chown_key()
1039 	if (group != (gid_t) -1)  in keyctl_chown_key()
1048 	if (zapowner)  in keyctl_chown_key()
1064  * the key need not be fully instantiated yet.  If the caller does not have
1074 	if (perm & ~(KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL))  in keyctl_setperm_key()
1079 	if (IS_ERR(key_ref)) {  in keyctl_setperm_key()
1090 	/* if we're not the sysadmin, we can only change a key that we own */  in keyctl_setperm_key()
1091 	if (capable(CAP_SYS_ADMIN) || uid_eq(key->uid, current_fsuid())) {  in keyctl_setperm_key()
1115 	/* just return a NULL pointer if we weren't asked to make a link */  in get_instantiation_keyring()
1116 	if (ringid == 0)  in get_instantiation_keyring()
1119 	/* if a specific keyring is nominated by ID, then use that */  in get_instantiation_keyring()
1120 	if (ringid > 0) {  in get_instantiation_keyring()
1122 		if (IS_ERR(dkref))  in get_instantiation_keyring()
1128 	if (ringid == KEY_SPEC_REQKEY_AUTH_KEY)  in get_instantiation_keyring()
1133 	if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) {  in get_instantiation_keyring()
1149 	if (!new)  in keyctl_change_reqkey_auth()
1160  * destination keyring if one is given.
1165  * If successful, 0 will be returned.
1180 	if (!plen)  in keyctl_instantiate_key_common()
1184 	if (plen > 1024 * 1024 - 1)  in keyctl_instantiate_key_common()
1191 	if (!instkey)  in keyctl_instantiate_key_common()
1195 	if (rka->target_key->serial != id)  in keyctl_instantiate_key_common()
1198 	/* pull the payload in if one was supplied */  in keyctl_instantiate_key_common()
1201 	if (from) {  in keyctl_instantiate_key_common()
1204 		if (!payload)  in keyctl_instantiate_key_common()
1208 		if (!copy_from_iter_full(payload, plen, from))  in keyctl_instantiate_key_common()
1215 	if (ret < 0)  in keyctl_instantiate_key_common()
1224 	/* discard the assumed authority if it's just been disabled by  in keyctl_instantiate_key_common()
1226 	if (ret == 0)  in keyctl_instantiate_key_common()
1237  * destination keyring if one is given.
1242  * If successful, 0 will be returned.
1249 	if (_payload && plen) {  in keyctl_instantiate_key()
1256 		if (unlikely(ret))  in keyctl_instantiate_key()
1267  * the destination keyring if one is given.
1272  * If successful, 0 will be returned.
1283 	if (!_payload_iov)  in keyctl_instantiate_key_iov()
1288 	if (ret < 0)  in keyctl_instantiate_key_iov()
1297  * the key into the destination keyring if one is given.
1308  * If successful, 0 will be returned.
1317  * code and link the key into the destination keyring if one is given.
1328  * If successful, 0 will be returned.
1341 	if (error <= 0 ||  in keyctl_reject_key()
1353 	if (!instkey)  in keyctl_reject_key()
1357 	if (rka->target_key->serial != id)  in keyctl_reject_key()
1360 	/* find the destination keyring if present (which must also be  in keyctl_reject_key()
1363 	if (ret < 0)  in keyctl_reject_key()
1372 	/* discard the assumed authority if it's just been disabled by  in keyctl_reject_key()
1374 	if (ret == 0)  in keyctl_reject_key()
1385  * If a thread or process keyring is specified then it will be created if it
1386  * doesn't yet exist.  The old setting will be returned if successful.
1395 	if (reqkey_defl == KEY_REQKEY_DEFL_NO_CHANGE)  in keyctl_set_reqkey_keyring()
1399 	if (!new)  in keyctl_set_reqkey_keyring()
1405 		if (ret < 0)  in keyctl_set_reqkey_keyring()
1411 		if (ret < 0)  in keyctl_set_reqkey_keyring()
1450  * If successful, 0 is returned.
1460 	if (IS_ERR(key_ref)) {  in keyctl_set_timeout()
1462 		 * if we have the authorisation token handy */  in keyctl_set_timeout()
1463 		if (PTR_ERR(key_ref) == -EACCES) {  in keyctl_set_timeout()
1465 			if (!IS_ERR(instkey)) {  in keyctl_set_timeout()
1470 				if (!IS_ERR(key_ref))  in keyctl_set_timeout()
1482 	if (test_bit(KEY_FLAG_KEEP, &key->flags)) {  in keyctl_set_timeout()
1505  * If the ID given is 0, then the setting will be cleared and 0 returned.
1507  * If the ID given has a matching an authorisation key, then that key will be
1518 	if (id < 0)  in keyctl_assume_authority()
1521 	/* we divest ourselves of authority if given an ID of 0 */  in keyctl_assume_authority()
1522 	if (id == 0) {  in keyctl_assume_authority()
1533 	if (IS_ERR(authkey)) {  in keyctl_assume_authority()
1539 	if (ret == 0)  in keyctl_assume_authority()
1551  * If there's a buffer, then up to buflen bytes of data will be placed into it.
1553  * If successful, the amount of information available will be returned,
1566 	if (IS_ERR(key_ref)) {  in keyctl_get_security()
1567 		if (PTR_ERR(key_ref) != -EACCES)  in keyctl_get_security()
1570 		/* viewing a key under construction is also permitted if we  in keyctl_get_security()
1573 		if (IS_ERR(instkey))  in keyctl_get_security()
1579 		if (IS_ERR(key_ref))  in keyctl_get_security()
1585 	if (ret == 0) {  in keyctl_get_security()
1586 		/* if no information was returned, give userspace an empty  in keyctl_get_security()
1589 		if (buffer && buflen > 0 &&  in keyctl_get_security()
1592 	} else if (ret > 0) {  in keyctl_get_security()
1594 		if (buffer && buflen > 0) {  in keyctl_get_security()
1595 			if (buflen > ret)  in keyctl_get_security()
1598 			if (copy_to_user(buffer, context, buflen) != 0)  in keyctl_get_security()
1619  * If successful, 0 will be returned.
1631 	if (IS_ERR(keyring_r))  in keyctl_session_to_parent()
1640 	if (!cred)  in keyctl_session_to_parent()
1658 	if (parent->pid <= 1 || !parent->mm)  in keyctl_session_to_parent()
1662 	if (!thread_group_empty(parent))  in keyctl_session_to_parent()
1669 	if (mycred == pcred ||  in keyctl_session_to_parent()
1677 	if (!uid_eq(pcred->uid,	 mycred->euid) ||  in keyctl_session_to_parent()
1686 	if ((pcred->session_keyring &&  in keyctl_session_to_parent()
1697 	if (!ret)  in keyctl_session_to_parent()
1702 	if (oldwork)  in keyctl_session_to_parent()
1704 	if (newwork)  in keyctl_session_to_parent()
1722  * Returns 0 if successful.
1733 	if (IS_ERR(key_ref))  in keyctl_restrict_keyring()
1737 	if (_type) {  in keyctl_restrict_keyring()
1738 		if (!_restriction)  in keyctl_restrict_keyring()
1742 		if (ret < 0)  in keyctl_restrict_keyring()
1746 		if (IS_ERR(restriction)) {  in keyctl_restrict_keyring()
1751 		if (_restriction)  in keyctl_restrict_keyring()
1777 	if (watch_id < -1 || watch_id > 0xff)  in keyctl_watch_key()
1781 	if (IS_ERR(key_ref))  in keyctl_watch_key()
1786 	if (IS_ERR(wqueue)) {  in keyctl_watch_key()
1791 	if (watch_id >= 0) {  in keyctl_watch_key()
1793 		if (!key->watchers) {  in keyctl_watch_key()
1795 			if (!wlist)  in keyctl_watch_key()
1801 		if (!watch)  in keyctl_watch_key()
1809 		if (ret < 0)  in keyctl_watch_key()
1813 		if (!key->watchers) {  in keyctl_watch_key()
1821 		if (ret == 0)  in keyctl_watch_key()
1825 		if (key->watchers) {  in keyctl_watch_key()
1853 	if (size > 0) {  in keyctl_capabilities()
1854 		if (size > sizeof(keyrings_capabilities))  in keyctl_capabilities()
1856 		if (copy_to_user(_buffer, keyrings_capabilities, size) != 0)  in keyctl_capabilities()
1858 		if (size < buflen &&  in keyctl_capabilities()
1983 		if (arg3 != 0)  in SYSCALL_DEFINE5()