diff options
author | David Howells <dhowells@redhat.com> | 2012-01-17 15:39:40 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2012-01-17 18:41:27 -0500 |
commit | efde8b6e16f11e7d1681c68d86c7fd51053cada7 (patch) | |
tree | 4fb5e80428c4f36c5da35ff3319cd71c1771451c /security | |
parent | 25add8cf99c9ec8b8dc0acd8b9241e963fc0d29c (diff) |
KEYS: Add missing smp_rmb() primitives to the keyring search code
Add missing smp_rmb() primitives to the keyring search code.
When keyring payloads are appended to without replacement (thus using up spare
slots in the key pointer array), an smp_wmb() is issued between the pointer
assignment and the increment of the key count (nkeys).
There should be corresponding read barriers between the read of nkeys and
dereferences of keys[n] when n is dependent on the value of nkeys.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/keys/gc.c | 4 | ||||
-rw-r--r-- | security/keys/keyring.c | 22 |
2 files changed, 18 insertions, 8 deletions
diff --git a/security/keys/gc.c b/security/keys/gc.c index bf4d8da5a795..a42b45531aac 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c | |||
@@ -145,7 +145,9 @@ static void key_gc_keyring(struct key *keyring, time_t limit) | |||
145 | if (!klist) | 145 | if (!klist) |
146 | goto unlock_dont_gc; | 146 | goto unlock_dont_gc; |
147 | 147 | ||
148 | for (loop = klist->nkeys - 1; loop >= 0; loop--) { | 148 | loop = klist->nkeys; |
149 | smp_rmb(); | ||
150 | for (loop--; loop >= 0; loop--) { | ||
149 | key = klist->keys[loop]; | 151 | key = klist->keys[loop]; |
150 | if (test_bit(KEY_FLAG_DEAD, &key->flags) || | 152 | if (test_bit(KEY_FLAG_DEAD, &key->flags) || |
151 | (key->expiry > 0 && key->expiry <= limit)) | 153 | (key->expiry > 0 && key->expiry <= limit)) |
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 37a7f3b28852..d605f75292e4 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c | |||
@@ -319,7 +319,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref, | |||
319 | struct key *keyring, *key; | 319 | struct key *keyring, *key; |
320 | key_ref_t key_ref; | 320 | key_ref_t key_ref; |
321 | long err; | 321 | long err; |
322 | int sp, kix; | 322 | int sp, nkeys, kix; |
323 | 323 | ||
324 | keyring = key_ref_to_ptr(keyring_ref); | 324 | keyring = key_ref_to_ptr(keyring_ref); |
325 | possessed = is_key_possessed(keyring_ref); | 325 | possessed = is_key_possessed(keyring_ref); |
@@ -380,7 +380,9 @@ descend: | |||
380 | goto not_this_keyring; | 380 | goto not_this_keyring; |
381 | 381 | ||
382 | /* iterate through the keys in this keyring first */ | 382 | /* iterate through the keys in this keyring first */ |
383 | for (kix = 0; kix < keylist->nkeys; kix++) { | 383 | nkeys = keylist->nkeys; |
384 | smp_rmb(); | ||
385 | for (kix = 0; kix < nkeys; kix++) { | ||
384 | key = keylist->keys[kix]; | 386 | key = keylist->keys[kix]; |
385 | kflags = key->flags; | 387 | kflags = key->flags; |
386 | 388 | ||
@@ -421,7 +423,9 @@ descend: | |||
421 | /* search through the keyrings nested in this one */ | 423 | /* search through the keyrings nested in this one */ |
422 | kix = 0; | 424 | kix = 0; |
423 | ascend: | 425 | ascend: |
424 | for (; kix < keylist->nkeys; kix++) { | 426 | nkeys = keylist->nkeys; |
427 | smp_rmb(); | ||
428 | for (; kix < nkeys; kix++) { | ||
425 | key = keylist->keys[kix]; | 429 | key = keylist->keys[kix]; |
426 | if (key->type != &key_type_keyring) | 430 | if (key->type != &key_type_keyring) |
427 | continue; | 431 | continue; |
@@ -515,7 +519,7 @@ key_ref_t __keyring_search_one(key_ref_t keyring_ref, | |||
515 | struct keyring_list *klist; | 519 | struct keyring_list *klist; |
516 | unsigned long possessed; | 520 | unsigned long possessed; |
517 | struct key *keyring, *key; | 521 | struct key *keyring, *key; |
518 | int loop; | 522 | int nkeys, loop; |
519 | 523 | ||
520 | keyring = key_ref_to_ptr(keyring_ref); | 524 | keyring = key_ref_to_ptr(keyring_ref); |
521 | possessed = is_key_possessed(keyring_ref); | 525 | possessed = is_key_possessed(keyring_ref); |
@@ -524,7 +528,9 @@ key_ref_t __keyring_search_one(key_ref_t keyring_ref, | |||
524 | 528 | ||
525 | klist = rcu_dereference(keyring->payload.subscriptions); | 529 | klist = rcu_dereference(keyring->payload.subscriptions); |
526 | if (klist) { | 530 | if (klist) { |
527 | for (loop = 0; loop < klist->nkeys; loop++) { | 531 | nkeys = klist->nkeys; |
532 | smp_rmb(); | ||
533 | for (loop = 0; loop < nkeys ; loop++) { | ||
528 | key = klist->keys[loop]; | 534 | key = klist->keys[loop]; |
529 | 535 | ||
530 | if (key->type == ktype && | 536 | if (key->type == ktype && |
@@ -622,7 +628,7 @@ static int keyring_detect_cycle(struct key *A, struct key *B) | |||
622 | 628 | ||
623 | struct keyring_list *keylist; | 629 | struct keyring_list *keylist; |
624 | struct key *subtree, *key; | 630 | struct key *subtree, *key; |
625 | int sp, kix, ret; | 631 | int sp, nkeys, kix, ret; |
626 | 632 | ||
627 | rcu_read_lock(); | 633 | rcu_read_lock(); |
628 | 634 | ||
@@ -645,7 +651,9 @@ descend: | |||
645 | 651 | ||
646 | ascend: | 652 | ascend: |
647 | /* iterate through the remaining keys in this keyring */ | 653 | /* iterate through the remaining keys in this keyring */ |
648 | for (; kix < keylist->nkeys; kix++) { | 654 | nkeys = keylist->nkeys; |
655 | smp_rmb(); | ||
656 | for (; kix < nkeys; kix++) { | ||
649 | key = keylist->keys[kix]; | 657 | key = keylist->keys[kix]; |
650 | 658 | ||
651 | if (key == A) | 659 | if (key == A) |