1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Key garbage collector
3 *
4 * Copyright (C) 2009-2011 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7
8 #include <linux/slab.h>
9 #include <linux/security.h>
10 #include <keys/keyring-type.h>
11 #include "internal.h"
12
13 /*
14 * Delay between key revocation/expiry in seconds
15 */
16 unsigned key_gc_delay = 5 * 60;
17
18 /*
19 * Reaper for unused keys.
20 */
21 static void key_garbage_collector(struct work_struct *work);
22 DECLARE_WORK(key_gc_work, key_garbage_collector);
23
24 /*
25 * Reaper for links from keyrings to dead keys.
26 */
27 static void key_gc_timer_func(struct timer_list *);
28 static DEFINE_TIMER(key_gc_timer, key_gc_timer_func);
29
30 static time64_t key_gc_next_run = TIME64_MAX;
31 static struct key_type *key_gc_dead_keytype;
32
33 static unsigned long key_gc_flags;
34 #define KEY_GC_KEY_EXPIRED 0 /* A key expired and needs unlinking */
35 #define KEY_GC_REAP_KEYTYPE 1 /* A keytype is being unregistered */
36 #define KEY_GC_REAPING_KEYTYPE 2 /* Cleared when keytype reaped */
37
38
39 /*
40 * Any key whose type gets unregistered will be re-typed to this if it can't be
41 * immediately unlinked.
42 */
43 struct key_type key_type_dead = {
44 .name = ".dead",
45 };
46
47 /*
48 * Schedule a garbage collection run.
49 * - time precision isn't particularly important
50 */
51 void key_schedule_gc(time64_t gc_at)
52 {
53 unsigned long expires;
54 time64_t now = ktime_get_real_seconds();
55
56 kenter("%lld", gc_at - now);
57
58 if (gc_at <= now || test_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags)) {
59 kdebug("IMMEDIATE");
60 schedule_work(&key_gc_work);
61 } else if (gc_at < key_gc_next_run) {
62 kdebug("DEFERRED");
63 key_gc_next_run = gc_at;
64 expires = jiffies + (gc_at - now) * HZ;
65 mod_timer(&key_gc_timer, expires);
66 }
67 }
68
69 /*
70 * Set the expiration time on a key.
71 */
72 void key_set_expiry(struct key *key, time64_t expiry)
73 {
74 key->expiry = expiry;
75 if (expiry != TIME64_MAX) {
76 if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
77 expiry += key_gc_delay;
78 key_schedule_gc(expiry);
79 }
80 }
81
82 /*
83 * Schedule a dead links collection run.
84 */
85 void key_schedule_gc_links(void)
86 {
87 set_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags);
88 schedule_work(&key_gc_work);
89 }
90
91 /*
92 * Some key's cleanup time was met after it expired, so we need to get the
93 * reaper to go through a cycle finding expired keys.
94 */
95 static void key_gc_timer_func(struct timer_list *unused)
96 {
97 kenter("");
98 key_gc_next_run = TIME64_MAX;
99 key_schedule_gc_links();
100 }
101
102 /*
103 * Reap keys of dead type.
104 *
105 * We use three flags to make sure we see three complete cycles of the garbage
106 * collector: the first to mark keys of that type as being dead, the second to
107 * collect dead links and the third to clean up the dead keys. We have to be
108 * careful as there may already be a cycle in progress.
109 *
110 * The caller must be holding key_types_sem.
111 */
112 void key_gc_keytype(struct key_type *ktype)
113 {
114 kenter("%s", ktype->name);
115
116 key_gc_dead_keytype = ktype;
117 set_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
118 smp_mb();
119 set_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags);
120
121 kdebug("schedule");
122 schedule_work(&key_gc_work);
123
124 kdebug("sleep");
125 wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE,
126 TASK_UNINTERRUPTIBLE);
127
128 key_gc_dead_keytype = NULL;
129 kleave("");
130 }
131
132 /*
133 * Garbage collect a list of unreferenced, detached keys
134 */
135 static noinline void key_gc_unused_keys(struct list_head *keys)
136 {
137 while (!list_empty(keys)) {
138 struct key *key =
139 list_entry(keys->next, struct key, graveyard_link);
140 short state = key->state;
141
142 list_del(&key->graveyard_link);
143
144 kdebug("- %u", key->serial);
145 key_check(key);
146
147 #ifdef CONFIG_KEY_NOTIFICATIONS
148 remove_watch_list(key->watchers, key->serial);
149 key->watchers = NULL;
150 #endif
151
152 /* Throw away the key data if the key is instantiated */
153 if (state == KEY_IS_POSITIVE && key->type->destroy)
154 key->type->destroy(key);
155
156 security_key_free(key);
157
158 atomic_dec(&key->user->nkeys);
159 if (state != KEY_IS_UNINSTANTIATED)
160 atomic_dec(&key->user->nikeys);
161
162 key_user_put(key->user);
163 key_put_tag(key->domain_tag);
164 kfree(key->description);
165
166 memzero_explicit(key, sizeof(*key));
167 kmem_cache_free(key_jar, key);
168 }
169 }
170
171 /*
172 * Garbage collector for unused keys.
173 *
174 * This is done in process context so that we don't have to disable interrupts
175 * all over the place. key_put() schedules this rather than trying to do the
176 * cleanup itself, which means key_put() doesn't have to sleep.
177 */
178 static void key_garbage_collector(struct work_struct *work)
179 {
180 static LIST_HEAD(graveyard);
181 static u8 gc_state; /* Internal persistent state */
182 #define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */
183 #define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */
184 #define KEY_GC_REAPING_DEAD_1 0x10 /* - We need to mark dead keys */
185 #define KEY_GC_REAPING_DEAD_2 0x20 /* - We need to reap dead key links */
186 #define KEY_GC_REAPING_DEAD_3 0x40 /* - We need to reap dead keys */
187 #define KEY_GC_FOUND_DEAD_KEY 0x80 /* - We found at least one dead key */
188
189 struct rb_node *cursor;
190 struct key *key;
191 time64_t new_timer, limit, expiry;
192
193 kenter("[%lx,%x]", key_gc_flags, gc_state);
194
195 limit = ktime_get_real_seconds();
196
197 /* Work out what we're going to be doing in this pass */
198 gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;
199 gc_state <<= 1;
200 if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))
201 gc_state |= KEY_GC_REAPING_LINKS;
202
203 if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))
204 gc_state |= KEY_GC_REAPING_DEAD_1;
205 kdebug("new pass %x", gc_state);
206
207 new_timer = TIME64_MAX;
208
209 /* As only this function is permitted to remove things from the key
210 * serial tree, if cursor is non-NULL then it will always point to a
211 * valid node in the tree - even if lock got dropped.
212 */
213 spin_lock(&key_serial_lock);
214 cursor = rb_first(&key_serial_tree);
215
216 continue_scanning:
217 while (cursor) {
218 key = rb_entry(cursor, struct key, serial_node);
219 cursor = rb_next(cursor);
220
221 if (refcount_read(&key->usage) == 0)
222 goto found_unreferenced_key;
223
224 if (unlikely(gc_state & KEY_GC_REAPING_DEAD_1)) {
225 if (key->type == key_gc_dead_keytype) {
226 gc_state |= KEY_GC_FOUND_DEAD_KEY;
227 set_bit(KEY_FLAG_DEAD, &key->flags);
228 key->perm = 0;
229 goto skip_dead_key;
230 } else if (key->type == &key_type_keyring &&
231 key->restrict_link) {
232 goto found_restricted_keyring;
233 }
234 }
235
236 expiry = key->expiry;
237 if (expiry != TIME64_MAX) {
238 if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
239 expiry += key_gc_delay;
240 if (expiry > limit && expiry < new_timer) {
241 kdebug("will expire %x in %lld",
242 key_serial(key), key->expiry - limit);
243 new_timer = key->expiry;
244 }
245 }
246
247 if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2))
248 if (key->type == key_gc_dead_keytype)
249 gc_state |= KEY_GC_FOUND_DEAD_KEY;
250
251 if ((gc_state & KEY_GC_REAPING_LINKS) ||
252 unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
253 if (key->type == &key_type_keyring)
254 goto found_keyring;
255 }
256
257 if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3))
258 if (key->type == key_gc_dead_keytype)
259 goto destroy_dead_key;
260
261 skip_dead_key:
262 if (spin_is_contended(&key_serial_lock) || need_resched())
263 goto contended;
264 }
265
266 contended:
267 spin_unlock(&key_serial_lock);
268
269 maybe_resched:
270 if (cursor) {
271 cond_resched();
272 spin_lock(&key_serial_lock);
273 goto continue_scanning;
274 }
275
276 /* We've completed the pass. Set the timer if we need to and queue a
277 * new cycle if necessary. We keep executing cycles until we find one
278 * where we didn't reap any keys.
279 */
280 kdebug("pass complete");
281
282 if (new_timer != TIME64_MAX) {
283 new_timer += key_gc_delay;
284 key_schedule_gc(new_timer);
285 }
286
287 if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2) ||
288 !list_empty(&graveyard)) {
289 /* Make sure that all pending keyring payload destructions are
290 * fulfilled and that people aren't now looking at dead or
291 * dying keys that they don't have a reference upon or a link
292 * to.
293 */
294 kdebug("gc sync");
295 synchronize_rcu();
296 }
297
298 if (!list_empty(&graveyard)) {
299 kdebug("gc keys");
300 key_gc_unused_keys(&graveyard);
301 }
302
303 if (unlikely(gc_state & (KEY_GC_REAPING_DEAD_1 |
304 KEY_GC_REAPING_DEAD_2))) {
305 if (!(gc_state & KEY_GC_FOUND_DEAD_KEY)) {
306 /* No remaining dead keys: short circuit the remaining
307 * keytype reap cycles.
308 */
309 kdebug("dead short");
310 gc_state &= ~(KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2);
311 gc_state |= KEY_GC_REAPING_DEAD_3;
312 } else {
313 gc_state |= KEY_GC_REAP_AGAIN;
314 }
315 }
316
317 if (unlikely(gc_state & KEY_GC_REAPING_DEAD_3)) {
318 kdebug("dead wake");
319 smp_mb();
320 clear_bit(KEY_GC_REAPING_KEYTYPE, &key_gc_flags);
321 wake_up_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE);
322 }
323
324 if (gc_state & KEY_GC_REAP_AGAIN)
325 schedule_work(&key_gc_work);
326 kleave(" [end %x]", gc_state);
327 return;
328
329 /* We found an unreferenced key - once we've removed it from the tree,
330 * we can safely drop the lock.
331 */
332 found_unreferenced_key:
333 kdebug("unrefd key %d", key->serial);
334 rb_erase(&key->serial_node, &key_serial_tree);
335 spin_unlock(&key_serial_lock);
336
337 list_add_tail(&key->graveyard_link, &graveyard);
338 gc_state |= KEY_GC_REAP_AGAIN;
339 goto maybe_resched;
340
341 /* We found a restricted keyring and need to update the restriction if
342 * it is associated with the dead key type.
343 */
344 found_restricted_keyring:
345 spin_unlock(&key_serial_lock);
346 keyring_restriction_gc(key, key_gc_dead_keytype);
347 goto maybe_resched;
348
349 /* We found a keyring and we need to check the payload for links to
350 * dead or expired keys. We don't flag another reap immediately as we
351 * have to wait for the old payload to be destroyed by RCU before we
352 * can reap the keys to which it refers.
353 */
354 found_keyring:
355 spin_unlock(&key_serial_lock);
356 keyring_gc(key, limit);
357 goto maybe_resched;
358
359 /* We found a dead key that is still referenced. Reset its type and
360 * destroy its payload with its semaphore held.
361 */
362 destroy_dead_key:
363 spin_unlock(&key_serial_lock);
364 kdebug("destroy key %d", key->serial);
365 down_write(&key->sem);
366 key->type = &key_type_dead;
367 if (key_gc_dead_keytype->destroy)
368 key_gc_dead_keytype->destroy(key);
369 memset(&key->payload, KEY_DESTROY, sizeof(key->payload));
370 up_write(&key->sem);
371 goto maybe_resched;
372 }
373
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.