// SPDX-License-Identifier: GPL-2.0-or-later
/* Key garbage collector
 *
 * Copyright (C) 2009-2011 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#include <linux/slab.h>
#include <linux/security.h>
#include <keys/keyring-type.h>
#include "internal.h"

/*
 * Delay, in seconds, between a key's revocation/expiry and its garbage
 * collection.  key_set_expiry() adds it to the expiry time when scheduling the
 * collector unless the key type carries KEY_TYPE_INSTANT_REAP.
 */
unsigned key_gc_delay = 5 * 60;

/*
 * Reaper for unused keys.  Runs as a workqueue item (process context); the
 * whole scan lives in key_garbage_collector() below.
 */
static void key_garbage_collector(struct work_struct *work);
DECLARE_WORK(key_gc_work, key_garbage_collector);

/*
 * Reaper for links from keyrings to dead keys.  The timer never scans
 * anything itself: key_gc_timer_func() only raises a flag and queues
 * key_gc_work.
 */
static void key_gc_timer_func(struct timer_list *);
static DEFINE_TIMER(key_gc_timer, key_gc_timer_func);

/* Time the deferred timer is currently armed for; TIME64_MAX means "not armed". */
static time64_t key_gc_next_run = TIME64_MAX;
/* Key type being unregistered; written only by key_gc_keytype(), read by the
 * collector without a lock of its own (ordering comes from the flag barriers). */
static struct key_type *key_gc_dead_keytype;

/* Request bits handed from the schedulers to the collector work item. */
static unsigned long key_gc_flags;
#define KEY_GC_KEY_EXPIRED	0	/* A key expired and needs unlinking */
#define KEY_GC_REAP_KEYTYPE	1	/* A keytype is being unregistered */
#define KEY_GC_REAPING_KEYTYPE	2	/* Cleared when keytype reaped */


/*
 * Any key whose type gets unregistered will be re-typed to this if it can't be
 * immediately unlinked.  It defines no operations at all, so a still-referenced
 * key of a gone type has nothing left to call into.
 */
struct key_type key_type_dead = {
	.name = ".dead",
};

/*
 * Schedule a garbage collection run.
 * - time precision isn't particularly important
 *
 * @gc_at: absolute wall-clock time (realtime seconds) at which a pass is wanted
 *
 * A time already reached, or a pending keytype reap, queues the work at once.
 * Otherwise the timer is only ever pulled earlier: a request later than the
 * armed run is dropped here and relies on the pass that fires then re-arming
 * from the earliest expiry it finds.  key_gc_next_run is read and written
 * without a lock; two racing callers may therefore leave the timer later than
 * the earlier of their requests, which given the above only delays a pass.
 */
void key_schedule_gc(time64_t gc_at)
{
	time64_t now = ktime_get_real_seconds();
	time64_t delta = gc_at - now;

	kenter("%lld", delta);

	if (gc_at <= now || test_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags)) {
		kdebug("IMMEDIATE");
		schedule_work(&key_gc_work);
		return;
	}

	if (gc_at >= key_gc_next_run)
		return;

	kdebug("DEFERRED");
	key_gc_next_run = gc_at;
	/* delta is in seconds and is not clamped, so delta * HZ is assumed to
	 * fit in jiffies' unsigned long once truncated.  NOTE(review): on 32-bit
	 * a very distant expiry would wrap here; confirm callers bound it.
	 */
	mod_timer(&key_gc_timer, jiffies + delta * HZ);
}

/*
 * Set the expiration time on a key.
 *
 * @key:    the key; ->expiry is written directly, no lock is taken here
 * @expiry: absolute realtime seconds, or TIME64_MAX for "never expires"
 */
void key_set_expiry(struct key *key, time64_t expiry)
{
	time64_t gc_at = expiry;

	key->expiry = expiry;

	/* TIME64_MAX is "never": nothing will become reapable, so no run. */
	if (expiry == TIME64_MAX)
		return;

	/* Ordinary types get the key_gc_delay grace period before the
	 * collector looks at them; KEY_TYPE_INSTANT_REAP types are scheduled
	 * for the expiry time itself.
	 */
	if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
		gc_at += key_gc_delay;
	key_schedule_gc(gc_at);
}

/*
 * Schedule a dead links collection run.
 *
 * Raises KEY_GC_KEY_EXPIRED so that the next collector pass walks keyrings for
 * links to expired keys, then queues that pass.  The flag must be set before
 * the work is queued: the collector consumes it with test_and_clear_bit() at
 * the top of its pass.
 */
void key_schedule_gc_links(void)
{
	set_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags);
	schedule_work(&key_gc_work);
}

/*
 * Timer callback: some key's cleanup time was met after it expired, so we
 * need to get the reaper to go through a cycle finding expired keys.
 *
 * Does no scanning here.  It marks the timer as no longer armed (so the next
 * key_schedule_gc() can re-arm it for any time) and hands the real work to
 * the workqueue via key_schedule_gc_links().
 */
static void key_gc_timer_func(struct timer_list *unused)
{
	kenter("");
	key_gc_next_run = TIME64_MAX;
	key_schedule_gc_links();
}

/*
 * Reap keys of dead type.
 *
 * @ktype: the key type being unregistered.  Before this returns, every key of
 *         that type has been marked dead and stripped of its permissions, the
 *         keyrings have been scanned for links to it, and its payload has been
 *         destroyed and the key re-typed to key_type_dead.
 *
 * We use three flags to make sure we see three complete cycles of the garbage
 * collector: the first to mark keys of that type as being dead, the second to
 * collect dead links and the third to clean up the dead keys. We have to be
 * careful as there may already be a cycle in progress.
 *
 * The caller must be holding key_types_sem.
 */
void key_gc_keytype(struct key_type *ktype)
{
	kenter("%s", ktype->name);

	/* Publish the type to the collector.  REAPING_KEYTYPE is the "done"
	 * latch we sleep on below; the barrier orders it, and the pointer
	 * store, before REAP_KEYTYPE, the bit that actually requests the pass.
	 * It pairs with the smp_mb() the collector issues before clearing the
	 * latch.
	 */
	key_gc_dead_keytype = ktype;
	set_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
	smp_mb();
	set_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags);

	kdebug("schedule");
	schedule_work(&key_gc_work);

	/* Block until the collector reaches its DEAD_3 stage and clears the
	 * latch.  Uninterruptible on purpose: returning early would hand the
	 * caller a type that keys still reference — presumably the caller is
	 * about to tear the type (and whatever module backs it) down.
	 */
	kdebug("sleep");
	wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE,
		    TASK_UNINTERRUPTIBLE);

	key_gc_dead_keytype = NULL;
	kleave("");
}

/*
 * Garbage collect a list of unreferenced, detached keys.
 *
 * @keys: list, linked through key->graveyard_link, of keys that the collector
 *        has already erased from key_serial_tree and waited an RCU grace
 *        period on.  Each one is torn down and its struct key freed; the list
 *        is empty on return.
 */
static noinline void key_gc_unused_keys(struct list_head *keys)
{
	while (!list_empty(keys)) {
		struct key *key =
			list_entry(keys->next, struct key, graveyard_link);
		/* Snapshot the state: it decides whether a payload was ever
		 * installed and which per-user counters to drop below.
		 */
		short state = key->state;

		list_del(&key->graveyard_link);

		kdebug("- %u", key->serial);
		key_check(key);

#ifdef CONFIG_KEY_NOTIFICATIONS
		remove_watch_list(key->watchers, key->serial);
		key->watchers = NULL;
#endif

		/* Throw away the key data if the key is instantiated.  A key
		 * whose type was unregistered was re-typed to key_type_dead
		 * (which has no ->destroy) and had its payload destroyed by
		 * the collector, so the old type is never called from here.
		 */
		if (state == KEY_IS_POSITIVE && key->type->destroy)
			key->type->destroy(key);

		security_key_free(key);

		/* Per-user accounting: nkeys counts every key, nikeys only
		 * those that left the uninstantiated state.
		 */
		atomic_dec(&key->user->nkeys);
		if (state != KEY_IS_UNINSTANTIATED)
			atomic_dec(&key->user->nikeys);

		key_user_put(key->user);
		key_put_tag(key->domain_tag);
		kfree(key->description);

		/* Scrub the whole struct before it returns to the slab so no
		 * serial, permission bits or payload pointers linger in freed
		 * memory.  memzero_explicit() rather than memset(): a plain
		 * memset right before a free may be optimised away.
		 */
		memzero_explicit(key, sizeof(*key));
		kmem_cache_free(key_jar, key);
	}
}

/*
 * Garbage collector for unused keys.
 *
 * This is done in process context so that we don't have to disable interrupts
 * all over the place. key_put() schedules this rather than trying to do the
 * cleanup itself, which means key_put() doesn't have to sleep.
 *
 * Each pass walks the whole key_serial_tree under key_serial_lock, dropping
 * the lock (and possibly rescheduling) whenever real work has to be done on a
 * key, and re-queues itself with KEY_GC_REAP_AGAIN until a pass reaps nothing.
 * Per key, in order:
 *  - KEY_FLAG_FINAL_PUT set: the last reference is gone; erase it from the
 *    serial tree and park it on the graveyard for key_gc_unused_keys().
 *  - DEAD_1 stage: mark keys of the type being unregistered dead and clear
 *    their permissions; let restricted keyrings update their restriction.
 *  - expiry: remember the earliest future cleanup time to re-arm the timer.
 *  - REAPING_LINKS or DEAD_2 stage: hand every keyring to keyring_gc().
 *  - DEAD_3 stage: destroy the payload of still-referenced dead keys and
 *    re-type them to key_type_dead, then wake key_gc_keytype().
 */
static void key_garbage_collector(struct work_struct *work)
{
	static LIST_HEAD(graveyard);
	static u8 gc_state;			/* Internal persistent state */
#define KEY_GC_REAP_AGAIN		0x01	/* - Need another cycle */
#define KEY_GC_REAPING_LINKS		0x02	/* - We need to reap links */
#define KEY_GC_REAPING_DEAD_1		0x10	/* - We need to mark dead keys */
#define KEY_GC_REAPING_DEAD_2		0x20	/* - We need to reap dead key links */
#define KEY_GC_REAPING_DEAD_3		0x40	/* - We need to reap dead keys */
#define KEY_GC_FOUND_DEAD_KEY		0x80	/* - We found at least one dead key */

	struct rb_node *cursor;
	struct key *key;
	time64_t new_timer, limit, expiry;

	kenter("[%lx,%x]", key_gc_flags, gc_state);

	/* Wall-clock "now" for this pass: compared against delayed expiry
	 * times below and passed to keyring_gc() as the cutoff.
	 */
	limit = ktime_get_real_seconds();

	/* Work out what we're going to be doing in this pass.  Only the two
	 * keytype stage bits survive from the previous pass, shifted one stage
	 * on (DEAD_1 -> DEAD_2 -> DEAD_3); everything else, including
	 * FOUND_DEAD_KEY, is recomputed from the request flags.
	 */
	gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;
	gc_state <<= 1;
	if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))
		gc_state |= KEY_GC_REAPING_LINKS;

	if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))
		gc_state |= KEY_GC_REAPING_DEAD_1;
	kdebug("new pass %x", gc_state);

	new_timer = TIME64_MAX;

	/* As only this function is permitted to remove things from the key
	 * serial tree, if cursor is non-NULL then it will always point to a
	 * valid node in the tree - even if lock got dropped.
	 */
	spin_lock(&key_serial_lock);
	cursor = rb_first(&key_serial_tree);

continue_scanning:
	while (cursor) {
		key = rb_entry(cursor, struct key, serial_node);
		/* Advance before doing anything: every "found_*" path below
		 * leaves with the lock dropped and resumes at maybe_resched
		 * from this cursor.
		 */
		cursor = rb_next(cursor);

		if (test_bit(KEY_FLAG_FINAL_PUT, &key->flags)) {
			smp_mb(); /* Clobber key->user after FINAL_PUT seen. */
			goto found_unreferenced_key;
		}

		if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) {
			if (key->type == key_gc_dead_keytype) {
				/* Mark and neuter: the flag records that the
				 * type is going away and perm = 0 presumably
				 * makes every permission check on the key
				 * fail from now on.  Skip the expiry and
				 * keyring checks for it this pass.
				 */
				gc_state |= KEY_GC_FOUND_DEAD_KEY;
				set_bit(KEY_FLAG_DEAD, &key->flags);
				key->perm = 0;
				goto skip_dead_key;
			} else if (key->type == &key_type_keyring &&
				   key->restrict_link) {
				goto found_restricted_keyring;
			}
		}

		/* Track the earliest cleanup time still in the future so the
		 * timer can be re-armed when the pass completes.  The
		 * comparison uses the delayed time but new_timer keeps the raw
		 * expiry, and key_gc_delay is added back when the timer is set.
		 * NOTE(review): this mixes delayed and raw times, so the armed
		 * run can come up to key_gc_delay later than the earliest
		 * cleanup time (and INSTANT_REAP keys always get the delay);
		 * only a timing imprecision, not a missed reap, since the pass
		 * itself works from limit — confirm that is intended.
		 */
		expiry = key->expiry;
		if (expiry != TIME64_MAX) {
			if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
				expiry += key_gc_delay;
			if (expiry > limit && expiry < new_timer) {
				kdebug("will expire %x in %lld",
				       key_serial(key), key->expiry - limit);
				new_timer = key->expiry;
			}
		}

		if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2))
			if (key->type == key_gc_dead_keytype)
				gc_state |= KEY_GC_FOUND_DEAD_KEY;

		/* Keyrings are handed to keyring_gc() when links to expired
		 * keys (REAPING_LINKS) or to keys of the dying type (DEAD_2)
		 * need dropping; that runs outside key_serial_lock.
		 */
		if ((gc_state & KEY_GC_REAPING_LINKS) ||
		    unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
			if (key->type == &key_type_keyring)
				goto found_keyring;
		}

		if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3))
			if (key->type == key_gc_dead_keytype)
				goto destroy_dead_key;

	skip_dead_key:
		/* The tree can be large: give up the lock or the CPU as soon
		 * as someone else wants them and come back via maybe_resched.
		 */
		if (spin_is_contended(&key_serial_lock) || need_resched())
			goto contended;
	}

contended:
	spin_unlock(&key_serial_lock);

maybe_resched:
	/* Common re-entry point for every path that dropped the lock
	 * mid-scan; cursor is still valid (see the note above the scan).
	 */
	if (cursor) {
		cond_resched();
		spin_lock(&key_serial_lock);
		goto continue_scanning;
	}

	/* We've completed the pass.  Set the timer if we need to and queue a
	 * new cycle if necessary.  We keep executing cycles until we find one
	 * where we didn't reap any keys.
	 */
	kdebug("pass complete");

	if (new_timer != TIME64_MAX) {
		new_timer += key_gc_delay;
		key_schedule_gc(new_timer);
	}

	if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2) ||
	    !list_empty(&graveyard)) {
		/* Make sure that all pending keyring payload destructions are
		 * fulfilled and that people aren't now looking at dead or
		 * dying keys that they don't have a reference upon or a link
		 * to.
		 *
		 * This is what makes freeing the graveyard safe: those keys
		 * were erased from key_serial_tree under the lock, and a full
		 * grace period means no RCU reader can still hold one.
		 */
		kdebug("gc sync");
		synchronize_rcu();
	}

	if (!list_empty(&graveyard)) {
		kdebug("gc keys");
		key_gc_unused_keys(&graveyard);
	}

	if (unlikely(gc_state & (KEY_GC_REAPING_DEAD_1 |
				 KEY_GC_REAPING_DEAD_2))) {
		if (!(gc_state & KEY_GC_FOUND_DEAD_KEY)) {
			/* No remaining dead keys: short circuit the remaining
			 * keytype reap cycles.
			 */
			kdebug("dead short");
			gc_state &= ~(KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2);
			gc_state |= KEY_GC_REAPING_DEAD_3;
		} else {
			/* Found some: the stage bit shifts on at the top of
			 * the next pass.
			 */
			gc_state |= KEY_GC_REAP_AGAIN;
		}
	}

	if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3)) {
		/* Wake key_gc_keytype().  The barrier orders this pass's
		 * payload destructions and re-typing before the latch is
		 * cleared; it pairs with the smp_mb() there.
		 */
		kdebug("dead wake");
		smp_mb();
		clear_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
		wake_up_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE);
	}

	if (gc_state & KEY_GC_REAP_AGAIN)
		schedule_work(&key_gc_work);
	kleave(" [end %x]", gc_state);
	return;

	/* We found an unreferenced key - once we've removed it from the tree,
	 * we can safely drop the lock.  Nothing else erases from the tree, so
	 * the saved cursor stays valid.
	 */
found_unreferenced_key:
	kdebug("unrefd key %d", key->serial);
	rb_erase(&key->serial_node, &key_serial_tree);
	spin_unlock(&key_serial_lock);

	/* Not freed yet: it waits on the graveyard for the synchronize_rcu()
	 * above, then key_gc_unused_keys() tears it down.
	 */
	list_add_tail(&key->graveyard_link, &graveyard);
	gc_state |= KEY_GC_REAP_AGAIN;
	goto maybe_resched;

	/* We found a restricted keyring and need to update the restriction if
	 * it is associated with the dead key type.
	 */
found_restricted_keyring:
	spin_unlock(&key_serial_lock);
	keyring_restriction_gc(key, key_gc_dead_keytype);
	goto maybe_resched;

	/* We found a keyring and we need to check the payload for links to
	 * dead or expired keys.  We don't flag another reap immediately as we
	 * have to wait for the old payload to be destroyed by RCU before we
	 * can reap the keys to which it refers.
	 */
found_keyring:
	spin_unlock(&key_serial_lock);
	keyring_gc(key, limit);
	goto maybe_resched;

	/* We found a dead key that is still referenced.  Reset its type and
	 * destroy its payload with its semaphore held.  Holding key->sem
	 * excludes anyone operating on the key; once key->type points at
	 * key_type_dead (no operations) the unregistered type is never
	 * reached through this key again, and the payload is poisoned with
	 * KEY_DESTROY so a stale pointer in it is caught rather than used.
	 */
destroy_dead_key:
	spin_unlock(&key_serial_lock);
	kdebug("destroy key %d", key->serial);
	down_write(&key->sem);
	key->type = &key_type_dead;
	if (key_gc_dead_keytype->destroy)
		key_gc_dead_keytype->destroy(key);
	memset(&key->payload, KEY_DESTROY, sizeof(key->payload));
	up_write(&key->sem);
	goto maybe_resched;
}