1 files changed, 85 insertions, 0 deletions
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 3dba81c2eba3..ac977f661a79 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -1000,3 +1000,88 @@ static void keyring_revoke(struct key *keyring)
        }
 } /* end keyring_revoke() */
+/*
+ * Determine whether a key is dead
+ */
+static bool key_is_dead(struct key *key, time_t limit)
+{
+        return test_bit(KEY_FLAG_DEAD, &key->flags) ||
+                (key->expiry > 0 && key->expiry <= limit);
+}
+/*
+ * Collect garbage from the contents of a keyring
+ */
+void keyring_gc(struct key *keyring, time_t limit)
+{
+        struct keyring_list *klist, *new;
+        struct key *key;
+        int loop, keep, max;
+        kenter("%x", key_serial(keyring));
+        down_write(&keyring->sem);
+        klist = keyring->payload.subscriptions;
+        if (!klist)
+                goto just_return;
+        /* work out how many subscriptions we're keeping */
+        keep = 0;
+        for (loop = klist->nkeys - 1; loop >= 0; loop--)
+                if (!key_is_dead(klist->keys[loop], limit));
+                        keep++;
+        if (keep == klist->nkeys)
+                goto just_return;
+        /* allocate a new keyring payload */
+        max = roundup(keep, 4);
+        new = kmalloc(sizeof(struct keyring_list) + max * sizeof(struct key *),
+                      GFP_KERNEL);
+        if (!new)
+                goto just_return;
+        new->maxkeys = max;
+        new->nkeys = 0;
+        new->delkey = 0;
+        /* install the live keys
+         * - must take care as expired keys may be updated back to life
+         */
+        keep = 0;
+        for (loop = klist->nkeys - 1; loop >= 0; loop--) {
+                key = klist->keys[loop];
+                if (!key_is_dead(key, limit)) {
+                        if (keep >= max)
+                                goto discard_new;
+                        new->keys[keep++] = key_get(key);
+                }
+        }
+        new->nkeys = keep;
+        /* adjust the quota */
+        key_payload_reserve(keyring,
+                            sizeof(struct keyring_list) +
+                            KEYQUOTA_LINK_BYTES * keep);
+        if (keep == 0) {
+                rcu_assign_pointer(keyring->payload.subscriptions, NULL);
+                kfree(new);
+        } else {
+                rcu_assign_pointer(keyring->payload.subscriptions, new);
+        }
+        up_write(&keyring->sem);
+        call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
+        kleave(" [yes]");
+        return;
+discard_new:
+        new->nkeys = keep;
+        keyring_clear_rcu_disposal(&new->rcu);
+just_return:
+        up_write(&keyring->sem);
+        kleave(" [no]");
+}

diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 3dba81c2eba3..ac977f661a79 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c
@@ -1000,3 +1000,88 @@ static void keyring_revoke(struct key *keyring)
1000	}	1000	}
1001		1001
1002	} /* end keyring_revoke() */	1002	} /* end keyring_revoke() */
		1003
		1004	/*
		1005	* Determine whether a key is dead
		1006	*/
		1007	static bool key_is_dead(struct key *key, time_t limit)
		1008	{
		1009	return test_bit(KEY_FLAG_DEAD, &key->flags) \|\|
		1010	(key->expiry > 0 && key->expiry <= limit);
		1011	}
		1012
		1013	/*
		1014	* Collect garbage from the contents of a keyring
		1015	*/
		1016	void keyring_gc(struct key *keyring, time_t limit)
		1017	{
		1018	struct keyring_list klist, new;
		1019	struct key *key;
		1020	int loop, keep, max;
		1021
		1022	kenter("%x", key_serial(keyring));
		1023
		1024	down_write(&keyring->sem);
		1025
		1026	klist = keyring->payload.subscriptions;
		1027	if (!klist)
		1028	goto just_return;
		1029
		1030	/* work out how many subscriptions we're keeping */
		1031	keep = 0;
		1032	for (loop = klist->nkeys - 1; loop >= 0; loop--)
		1033	if (!key_is_dead(klist->keys[loop], limit));
		1034	keep++;
		1035
		1036	if (keep == klist->nkeys)
		1037	goto just_return;
		1038
		1039	/* allocate a new keyring payload */
		1040	max = roundup(keep, 4);
		1041	new = kmalloc(sizeof(struct keyring_list) + max * sizeof(struct key *),
		1042	GFP_KERNEL);
		1043	if (!new)
		1044	goto just_return;
		1045	new->maxkeys = max;
		1046	new->nkeys = 0;
		1047	new->delkey = 0;
		1048
		1049	/* install the live keys
		1050	* - must take care as expired keys may be updated back to life
		1051	*/
		1052	keep = 0;
		1053	for (loop = klist->nkeys - 1; loop >= 0; loop--) {
		1054	key = klist->keys[loop];
		1055	if (!key_is_dead(key, limit)) {
		1056	if (keep >= max)
		1057	goto discard_new;
		1058	new->keys[keep++] = key_get(key);
		1059	}
		1060	}
		1061	new->nkeys = keep;
		1062
		1063	/* adjust the quota */
		1064	key_payload_reserve(keyring,
		1065	sizeof(struct keyring_list) +
		1066	KEYQUOTA_LINK_BYTES * keep);
		1067
		1068	if (keep == 0) {
		1069	rcu_assign_pointer(keyring->payload.subscriptions, NULL);
		1070	kfree(new);
		1071	} else {
		1072	rcu_assign_pointer(keyring->payload.subscriptions, new);
		1073	}
		1074
		1075	up_write(&keyring->sem);
		1076
		1077	call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
		1078	kleave(" [yes]");
		1079	return;
		1080
		1081	discard_new:
		1082	new->nkeys = keep;
		1083	keyring_clear_rcu_disposal(&new->rcu);
		1084	just_return:
		1085	up_write(&keyring->sem);
		1086	kleave(" [no]");
		1087	}