[PATCH] keys: discard the contents of a key on revocation
[linux-2.6.git] / security / keys / keyring.c
1 /* keyring.c: keyring handling
2  *
3  * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  */
11
12 #include <linux/module.h>
13 #include <linux/init.h>
14 #include <linux/sched.h>
15 #include <linux/slab.h>
16 #include <linux/security.h>
17 #include <linux/seq_file.h>
18 #include <linux/err.h>
19 #include <asm/uaccess.h>
20 #include "internal.h"
21
22 /*
23  * when plumbing the depths of the key tree, this sets a hard limit set on how
24  * deep we're willing to go
25  */
26 #define KEYRING_SEARCH_MAX_DEPTH 6
27
28 /*
29  * we keep all named keyrings in a hash to speed looking them up
30  */
31 #define KEYRING_NAME_HASH_SIZE  (1 << 5)
32
33 static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
34 static DEFINE_RWLOCK(keyring_name_lock);
35
36 static inline unsigned keyring_hash(const char *desc)
37 {
38         unsigned bucket = 0;
39
40         for (; *desc; desc++)
41                 bucket += (unsigned char) *desc;
42
43         return bucket & (KEYRING_NAME_HASH_SIZE - 1);
44 }
45
46 /*
47  * the keyring type definition
48  */
49 static int keyring_instantiate(struct key *keyring,
50                                const void *data, size_t datalen);
51 static int keyring_match(const struct key *keyring, const void *criterion);
52 static void keyring_revoke(struct key *keyring);
53 static void keyring_destroy(struct key *keyring);
54 static void keyring_describe(const struct key *keyring, struct seq_file *m);
55 static long keyring_read(const struct key *keyring,
56                          char __user *buffer, size_t buflen);
57
58 struct key_type key_type_keyring = {
59         .name           = "keyring",
60         .def_datalen    = sizeof(struct keyring_list),
61         .instantiate    = keyring_instantiate,
62         .match          = keyring_match,
63         .revoke         = keyring_revoke,
64         .destroy        = keyring_destroy,
65         .describe       = keyring_describe,
66         .read           = keyring_read,
67 };
68
69 /*
70  * semaphore to serialise link/link calls to prevent two link calls in parallel
71  * introducing a cycle
72  */
73 static DECLARE_RWSEM(keyring_serialise_link_sem);
74
75 /*****************************************************************************/
76 /*
77  * publish the name of a keyring so that it can be found by name (if it has
78  * one)
79  */
80 void keyring_publish_name(struct key *keyring)
81 {
82         int bucket;
83
84         if (keyring->description) {
85                 bucket = keyring_hash(keyring->description);
86
87                 write_lock(&keyring_name_lock);
88
89                 if (!keyring_name_hash[bucket].next)
90                         INIT_LIST_HEAD(&keyring_name_hash[bucket]);
91
92                 list_add_tail(&keyring->type_data.link,
93                               &keyring_name_hash[bucket]);
94
95                 write_unlock(&keyring_name_lock);
96         }
97
98 } /* end keyring_publish_name() */
99
100 /*****************************************************************************/
101 /*
102  * initialise a keyring
103  * - we object if we were given any data
104  */
105 static int keyring_instantiate(struct key *keyring,
106                                const void *data, size_t datalen)
107 {
108         int ret;
109
110         ret = -EINVAL;
111         if (datalen == 0) {
112                 /* make the keyring available by name if it has one */
113                 keyring_publish_name(keyring);
114                 ret = 0;
115         }
116
117         return ret;
118
119 } /* end keyring_instantiate() */
120
121 /*****************************************************************************/
122 /*
123  * match keyrings on their name
124  */
125 static int keyring_match(const struct key *keyring, const void *description)
126 {
127         return keyring->description &&
128                 strcmp(keyring->description, description) == 0;
129
130 } /* end keyring_match() */
131
132 /*****************************************************************************/
133 /*
134  * dispose of the data dangling from the corpse of a keyring
135  */
136 static void keyring_destroy(struct key *keyring)
137 {
138         struct keyring_list *klist;
139         int loop;
140
141         if (keyring->description) {
142                 write_lock(&keyring_name_lock);
143
144                 if (keyring->type_data.link.next != NULL &&
145                     !list_empty(&keyring->type_data.link))
146                         list_del(&keyring->type_data.link);
147
148                 write_unlock(&keyring_name_lock);
149         }
150
151         klist = rcu_dereference(keyring->payload.subscriptions);
152         if (klist) {
153                 for (loop = klist->nkeys - 1; loop >= 0; loop--)
154                         key_put(klist->keys[loop]);
155                 kfree(klist);
156         }
157
158 } /* end keyring_destroy() */
159
160 /*****************************************************************************/
161 /*
162  * describe the keyring
163  */
164 static void keyring_describe(const struct key *keyring, struct seq_file *m)
165 {
166         struct keyring_list *klist;
167
168         if (keyring->description) {
169                 seq_puts(m, keyring->description);
170         }
171         else {
172                 seq_puts(m, "[anon]");
173         }
174
175         rcu_read_lock();
176         klist = rcu_dereference(keyring->payload.subscriptions);
177         if (klist)
178                 seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
179         else
180                 seq_puts(m, ": empty");
181         rcu_read_unlock();
182
183 } /* end keyring_describe() */
184
185 /*****************************************************************************/
186 /*
187  * read a list of key IDs from the keyring's contents
188  * - the keyring's semaphore is read-locked
189  */
190 static long keyring_read(const struct key *keyring,
191                          char __user *buffer, size_t buflen)
192 {
193         struct keyring_list *klist;
194         struct key *key;
195         size_t qty, tmp;
196         int loop, ret;
197
198         ret = 0;
199         klist = rcu_dereference(keyring->payload.subscriptions);
200
201         if (klist) {
202                 /* calculate how much data we could return */
203                 qty = klist->nkeys * sizeof(key_serial_t);
204
205                 if (buffer && buflen > 0) {
206                         if (buflen > qty)
207                                 buflen = qty;
208
209                         /* copy the IDs of the subscribed keys into the
210                          * buffer */
211                         ret = -EFAULT;
212
213                         for (loop = 0; loop < klist->nkeys; loop++) {
214                                 key = klist->keys[loop];
215
216                                 tmp = sizeof(key_serial_t);
217                                 if (tmp > buflen)
218                                         tmp = buflen;
219
220                                 if (copy_to_user(buffer,
221                                                  &key->serial,
222                                                  tmp) != 0)
223                                         goto error;
224
225                                 buflen -= tmp;
226                                 if (buflen == 0)
227                                         break;
228                                 buffer += tmp;
229                         }
230                 }
231
232                 ret = qty;
233         }
234
235  error:
236         return ret;
237
238 } /* end keyring_read() */
239
240 /*****************************************************************************/
241 /*
242  * allocate a keyring and link into the destination keyring
243  */
244 struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
245                           struct task_struct *ctx, unsigned long flags,
246                           struct key *dest)
247 {
248         struct key *keyring;
249         int ret;
250
251         keyring = key_alloc(&key_type_keyring, description,
252                             uid, gid, ctx,
253                             (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_ALL,
254                             flags);
255
256         if (!IS_ERR(keyring)) {
257                 ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
258                 if (ret < 0) {
259                         key_put(keyring);
260                         keyring = ERR_PTR(ret);
261                 }
262         }
263
264         return keyring;
265
266 } /* end keyring_alloc() */
267
268 /*****************************************************************************/
269 /*
270  * search the supplied keyring tree for a key that matches the criterion
271  * - perform a breadth-then-depth search up to the prescribed limit
272  * - we only find keys on which we have search permission
273  * - we use the supplied match function to see if the description (or other
274  *   feature of interest) matches
275  * - we rely on RCU to prevent the keyring lists from disappearing on us
276  * - we return -EAGAIN if we didn't find any matching key
277  * - we return -ENOKEY if we only found negative matching keys
278  * - we propagate the possession attribute from the keyring ref to the key ref
279  */
280 key_ref_t keyring_search_aux(key_ref_t keyring_ref,
281                              struct task_struct *context,
282                              struct key_type *type,
283                              const void *description,
284                              key_match_func_t match)
285 {
286         struct {
287                 struct keyring_list *keylist;
288                 int kix;
289         } stack[KEYRING_SEARCH_MAX_DEPTH];
290
291         struct keyring_list *keylist;
292         struct timespec now;
293         unsigned long possessed;
294         struct key *keyring, *key;
295         key_ref_t key_ref;
296         long err;
297         int sp, kix;
298
299         keyring = key_ref_to_ptr(keyring_ref);
300         possessed = is_key_possessed(keyring_ref);
301         key_check(keyring);
302
303         /* top keyring must have search permission to begin the search */
304         err = key_task_permission(keyring_ref, context, KEY_SEARCH);
305         if (err < 0) {
306                 key_ref = ERR_PTR(err);
307                 goto error;
308         }
309
310         key_ref = ERR_PTR(-ENOTDIR);
311         if (keyring->type != &key_type_keyring)
312                 goto error;
313
314         rcu_read_lock();
315
316         now = current_kernel_time();
317         err = -EAGAIN;
318         sp = 0;
319
320         /* start processing a new keyring */
321 descend:
322         if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
323                 goto not_this_keyring;
324
325         keylist = rcu_dereference(keyring->payload.subscriptions);
326         if (!keylist)
327                 goto not_this_keyring;
328
329         /* iterate through the keys in this keyring first */
330         for (kix = 0; kix < keylist->nkeys; kix++) {
331                 key = keylist->keys[kix];
332
333                 /* ignore keys not of this type */
334                 if (key->type != type)
335                         continue;
336
337                 /* skip revoked keys and expired keys */
338                 if (test_bit(KEY_FLAG_REVOKED, &key->flags))
339                         continue;
340
341                 if (key->expiry && now.tv_sec >= key->expiry)
342                         continue;
343
344                 /* keys that don't match */
345                 if (!match(key, description))
346                         continue;
347
348                 /* key must have search permissions */
349                 if (key_task_permission(make_key_ref(key, possessed),
350                                         context, KEY_SEARCH) < 0)
351                         continue;
352
353                 /* we set a different error code if we find a negative key */
354                 if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
355                         err = -ENOKEY;
356                         continue;
357                 }
358
359                 goto found;
360         }
361
362         /* search through the keyrings nested in this one */
363         kix = 0;
364 ascend:
365         for (; kix < keylist->nkeys; kix++) {
366                 key = keylist->keys[kix];
367                 if (key->type != &key_type_keyring)
368                         continue;
369
370                 /* recursively search nested keyrings
371                  * - only search keyrings for which we have search permission
372                  */
373                 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
374                         continue;
375
376                 if (key_task_permission(make_key_ref(key, possessed),
377                                         context, KEY_SEARCH) < 0)
378                         continue;
379
380                 /* stack the current position */
381                 stack[sp].keylist = keylist;
382                 stack[sp].kix = kix;
383                 sp++;
384
385                 /* begin again with the new keyring */
386                 keyring = key;
387                 goto descend;
388         }
389
390         /* the keyring we're looking at was disqualified or didn't contain a
391          * matching key */
392 not_this_keyring:
393         if (sp > 0) {
394                 /* resume the processing of a keyring higher up in the tree */
395                 sp--;
396                 keylist = stack[sp].keylist;
397                 kix = stack[sp].kix + 1;
398                 goto ascend;
399         }
400
401         key_ref = ERR_PTR(err);
402         goto error_2;
403
404         /* we found a viable match */
405 found:
406         atomic_inc(&key->usage);
407         key_check(key);
408         key_ref = make_key_ref(key, possessed);
409 error_2:
410         rcu_read_unlock();
411 error:
412         return key_ref;
413
414 } /* end keyring_search_aux() */
415
416 /*****************************************************************************/
417 /*
418  * search the supplied keyring tree for a key that matches the criterion
419  * - perform a breadth-then-depth search up to the prescribed limit
420  * - we only find keys on which we have search permission
421  * - we readlock the keyrings as we search down the tree
422  * - we return -EAGAIN if we didn't find any matching key
423  * - we return -ENOKEY if we only found negative matching keys
424  */
425 key_ref_t keyring_search(key_ref_t keyring,
426                          struct key_type *type,
427                          const char *description)
428 {
429         if (!type->match)
430                 return ERR_PTR(-ENOKEY);
431
432         return keyring_search_aux(keyring, current,
433                                   type, description, type->match);
434
435 } /* end keyring_search() */
436
437 EXPORT_SYMBOL(keyring_search);
438
439 /*****************************************************************************/
440 /*
441  * search the given keyring only (no recursion)
442  * - keyring must be locked by caller
443  * - caller must guarantee that the keyring is a keyring
444  */
445 key_ref_t __keyring_search_one(key_ref_t keyring_ref,
446                                const struct key_type *ktype,
447                                const char *description,
448                                key_perm_t perm)
449 {
450         struct keyring_list *klist;
451         unsigned long possessed;
452         struct key *keyring, *key;
453         int loop;
454
455         keyring = key_ref_to_ptr(keyring_ref);
456         possessed = is_key_possessed(keyring_ref);
457
458         rcu_read_lock();
459
460         klist = rcu_dereference(keyring->payload.subscriptions);
461         if (klist) {
462                 for (loop = 0; loop < klist->nkeys; loop++) {
463                         key = klist->keys[loop];
464
465                         if (key->type == ktype &&
466                             (!key->type->match ||
467                              key->type->match(key, description)) &&
468                             key_permission(make_key_ref(key, possessed),
469                                            perm) == 0 &&
470                             !test_bit(KEY_FLAG_REVOKED, &key->flags)
471                             )
472                                 goto found;
473                 }
474         }
475
476         rcu_read_unlock();
477         return ERR_PTR(-ENOKEY);
478
479  found:
480         atomic_inc(&key->usage);
481         rcu_read_unlock();
482         return make_key_ref(key, possessed);
483
484 } /* end __keyring_search_one() */
485
486 /*****************************************************************************/
487 /*
488  * find a keyring with the specified name
489  * - all named keyrings are searched
490  * - only find keyrings with search permission for the process
491  * - only find keyrings with a serial number greater than the one specified
492  */
493 struct key *find_keyring_by_name(const char *name, key_serial_t bound)
494 {
495         struct key *keyring;
496         int bucket;
497
498         keyring = ERR_PTR(-EINVAL);
499         if (!name)
500                 goto error;
501
502         bucket = keyring_hash(name);
503
504         read_lock(&keyring_name_lock);
505
506         if (keyring_name_hash[bucket].next) {
507                 /* search this hash bucket for a keyring with a matching name
508                  * that's readable and that hasn't been revoked */
509                 list_for_each_entry(keyring,
510                                     &keyring_name_hash[bucket],
511                                     type_data.link
512                                     ) {
513                         if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
514                                 continue;
515
516                         if (strcmp(keyring->description, name) != 0)
517                                 continue;
518
519                         if (key_permission(make_key_ref(keyring, 0),
520                                            KEY_SEARCH) < 0)
521                                 continue;
522
523                         /* found a potential candidate, but we still need to
524                          * check the serial number */
525                         if (keyring->serial <= bound)
526                                 continue;
527
528                         /* we've got a match */
529                         atomic_inc(&keyring->usage);
530                         read_unlock(&keyring_name_lock);
531                         goto error;
532                 }
533         }
534
535         read_unlock(&keyring_name_lock);
536         keyring = ERR_PTR(-ENOKEY);
537
538  error:
539         return keyring;
540
541 } /* end find_keyring_by_name() */
542
543 /*****************************************************************************/
544 /*
545  * see if a cycle will will be created by inserting acyclic tree B in acyclic
546  * tree A at the topmost level (ie: as a direct child of A)
547  * - since we are adding B to A at the top level, checking for cycles should
548  *   just be a matter of seeing if node A is somewhere in tree B
549  */
550 static int keyring_detect_cycle(struct key *A, struct key *B)
551 {
552         struct {
553                 struct keyring_list *keylist;
554                 int kix;
555         } stack[KEYRING_SEARCH_MAX_DEPTH];
556
557         struct keyring_list *keylist;
558         struct key *subtree, *key;
559         int sp, kix, ret;
560
561         rcu_read_lock();
562
563         ret = -EDEADLK;
564         if (A == B)
565                 goto cycle_detected;
566
567         subtree = B;
568         sp = 0;
569
570         /* start processing a new keyring */
571  descend:
572         if (test_bit(KEY_FLAG_REVOKED, &subtree->flags))
573                 goto not_this_keyring;
574
575         keylist = rcu_dereference(subtree->payload.subscriptions);
576         if (!keylist)
577                 goto not_this_keyring;
578         kix = 0;
579
580  ascend:
581         /* iterate through the remaining keys in this keyring */
582         for (; kix < keylist->nkeys; kix++) {
583                 key = keylist->keys[kix];
584
585                 if (key == A)
586                         goto cycle_detected;
587
588                 /* recursively check nested keyrings */
589                 if (key->type == &key_type_keyring) {
590                         if (sp >= KEYRING_SEARCH_MAX_DEPTH)
591                                 goto too_deep;
592
593                         /* stack the current position */
594                         stack[sp].keylist = keylist;
595                         stack[sp].kix = kix;
596                         sp++;
597
598                         /* begin again with the new keyring */
599                         subtree = key;
600                         goto descend;
601                 }
602         }
603
604         /* the keyring we're looking at was disqualified or didn't contain a
605          * matching key */
606  not_this_keyring:
607         if (sp > 0) {
608                 /* resume the checking of a keyring higher up in the tree */
609                 sp--;
610                 keylist = stack[sp].keylist;
611                 kix = stack[sp].kix + 1;
612                 goto ascend;
613         }
614
615         ret = 0; /* no cycles detected */
616
617  error:
618         rcu_read_unlock();
619         return ret;
620
621  too_deep:
622         ret = -ELOOP;
623         goto error;
624
625  cycle_detected:
626         ret = -EDEADLK;
627         goto error;
628
629 } /* end keyring_detect_cycle() */
630
631 /*****************************************************************************/
632 /*
633  * dispose of a keyring list after the RCU grace period
634  */
635 static void keyring_link_rcu_disposal(struct rcu_head *rcu)
636 {
637         struct keyring_list *klist =
638                 container_of(rcu, struct keyring_list, rcu);
639
640         kfree(klist);
641
642 } /* end keyring_link_rcu_disposal() */
643
644 /*****************************************************************************/
645 /*
646  * dispose of a keyring list after the RCU grace period, freeing the unlinked
647  * key
648  */
649 static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
650 {
651         struct keyring_list *klist =
652                 container_of(rcu, struct keyring_list, rcu);
653
654         key_put(klist->keys[klist->delkey]);
655         kfree(klist);
656
657 } /* end keyring_unlink_rcu_disposal() */
658
659 /*****************************************************************************/
660 /*
661  * link a key into to a keyring
662  * - must be called with the keyring's semaphore write-locked
663  * - discard already extant link to matching key if there is one
664  */
665 int __key_link(struct key *keyring, struct key *key)
666 {
667         struct keyring_list *klist, *nklist;
668         unsigned max;
669         size_t size;
670         int loop, ret;
671
672         ret = -EKEYREVOKED;
673         if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
674                 goto error;
675
676         ret = -ENOTDIR;
677         if (keyring->type != &key_type_keyring)
678                 goto error;
679
680         /* serialise link/link calls to prevent parallel calls causing a
681          * cycle when applied to two keyring in opposite orders */
682         down_write(&keyring_serialise_link_sem);
683
684         /* check that we aren't going to create a cycle adding one keyring to
685          * another */
686         if (key->type == &key_type_keyring) {
687                 ret = keyring_detect_cycle(keyring, key);
688                 if (ret < 0)
689                         goto error2;
690         }
691
692         /* see if there's a matching key we can displace */
693         klist = keyring->payload.subscriptions;
694
695         if (klist && klist->nkeys > 0) {
696                 struct key_type *type = key->type;
697
698                 for (loop = klist->nkeys - 1; loop >= 0; loop--) {
699                         if (klist->keys[loop]->type == type &&
700                             strcmp(klist->keys[loop]->description,
701                                    key->description) == 0
702                             ) {
703                                 /* found a match - replace with new key */
704                                 size = sizeof(struct key *) * klist->maxkeys;
705                                 size += sizeof(*klist);
706                                 BUG_ON(size > PAGE_SIZE);
707
708                                 ret = -ENOMEM;
709                                 nklist = kmalloc(size, GFP_KERNEL);
710                                 if (!nklist)
711                                         goto error2;
712
713                                 memcpy(nklist, klist, size);
714
715                                 /* replace matched key */
716                                 atomic_inc(&key->usage);
717                                 nklist->keys[loop] = key;
718
719                                 rcu_assign_pointer(
720                                         keyring->payload.subscriptions,
721                                         nklist);
722
723                                 /* dispose of the old keyring list and the
724                                  * displaced key */
725                                 klist->delkey = loop;
726                                 call_rcu(&klist->rcu,
727                                          keyring_unlink_rcu_disposal);
728
729                                 goto done;
730                         }
731                 }
732         }
733
734         /* check that we aren't going to overrun the user's quota */
735         ret = key_payload_reserve(keyring,
736                                   keyring->datalen + KEYQUOTA_LINK_BYTES);
737         if (ret < 0)
738                 goto error2;
739
740         klist = keyring->payload.subscriptions;
741
742         if (klist && klist->nkeys < klist->maxkeys) {
743                 /* there's sufficient slack space to add directly */
744                 atomic_inc(&key->usage);
745
746                 klist->keys[klist->nkeys] = key;
747                 smp_wmb();
748                 klist->nkeys++;
749                 smp_wmb();
750         }
751         else {
752                 /* grow the key list */
753                 max = 4;
754                 if (klist)
755                         max += klist->maxkeys;
756
757                 ret = -ENFILE;
758                 if (max > 65535)
759                         goto error3;
760                 size = sizeof(*klist) + sizeof(struct key *) * max;
761                 if (size > PAGE_SIZE)
762                         goto error3;
763
764                 ret = -ENOMEM;
765                 nklist = kmalloc(size, GFP_KERNEL);
766                 if (!nklist)
767                         goto error3;
768                 nklist->maxkeys = max;
769                 nklist->nkeys = 0;
770
771                 if (klist) {
772                         nklist->nkeys = klist->nkeys;
773                         memcpy(nklist->keys,
774                                klist->keys,
775                                sizeof(struct key *) * klist->nkeys);
776                 }
777
778                 /* add the key into the new space */
779                 atomic_inc(&key->usage);
780                 nklist->keys[nklist->nkeys++] = key;
781
782                 rcu_assign_pointer(keyring->payload.subscriptions, nklist);
783
784                 /* dispose of the old keyring list */
785                 if (klist)
786                         call_rcu(&klist->rcu, keyring_link_rcu_disposal);
787         }
788
789 done:
790         ret = 0;
791 error2:
792         up_write(&keyring_serialise_link_sem);
793 error:
794         return ret;
795
796 error3:
797         /* undo the quota changes */
798         key_payload_reserve(keyring,
799                             keyring->datalen - KEYQUOTA_LINK_BYTES);
800         goto error2;
801
802 } /* end __key_link() */
803
804 /*****************************************************************************/
805 /*
806  * link a key to a keyring
807  */
808 int key_link(struct key *keyring, struct key *key)
809 {
810         int ret;
811
812         key_check(keyring);
813         key_check(key);
814
815         down_write(&keyring->sem);
816         ret = __key_link(keyring, key);
817         up_write(&keyring->sem);
818
819         return ret;
820
821 } /* end key_link() */
822
823 EXPORT_SYMBOL(key_link);
824
825 /*****************************************************************************/
826 /*
827  * unlink the first link to a key from a keyring
828  */
829 int key_unlink(struct key *keyring, struct key *key)
830 {
831         struct keyring_list *klist, *nklist;
832         int loop, ret;
833
834         key_check(keyring);
835         key_check(key);
836
837         ret = -ENOTDIR;
838         if (keyring->type != &key_type_keyring)
839                 goto error;
840
841         down_write(&keyring->sem);
842
843         klist = keyring->payload.subscriptions;
844         if (klist) {
845                 /* search the keyring for the key */
846                 for (loop = 0; loop < klist->nkeys; loop++)
847                         if (klist->keys[loop] == key)
848                                 goto key_is_present;
849         }
850
851         up_write(&keyring->sem);
852         ret = -ENOENT;
853         goto error;
854
855 key_is_present:
856         /* we need to copy the key list for RCU purposes */
857         nklist = kmalloc(sizeof(*klist) +
858                          sizeof(struct key *) * klist->maxkeys,
859                          GFP_KERNEL);
860         if (!nklist)
861                 goto nomem;
862         nklist->maxkeys = klist->maxkeys;
863         nklist->nkeys = klist->nkeys - 1;
864
865         if (loop > 0)
866                 memcpy(&nklist->keys[0],
867                        &klist->keys[0],
868                        loop * sizeof(struct key *));
869
870         if (loop < nklist->nkeys)
871                 memcpy(&nklist->keys[loop],
872                        &klist->keys[loop + 1],
873                        (nklist->nkeys - loop) * sizeof(struct key *));
874
875         /* adjust the user's quota */
876         key_payload_reserve(keyring,
877                             keyring->datalen - KEYQUOTA_LINK_BYTES);
878
879         rcu_assign_pointer(keyring->payload.subscriptions, nklist);
880
881         up_write(&keyring->sem);
882
883         /* schedule for later cleanup */
884         klist->delkey = loop;
885         call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
886
887         ret = 0;
888
889 error:
890         return ret;
891 nomem:
892         ret = -ENOMEM;
893         up_write(&keyring->sem);
894         goto error;
895
896 } /* end key_unlink() */
897
898 EXPORT_SYMBOL(key_unlink);
899
900 /*****************************************************************************/
901 /*
902  * dispose of a keyring list after the RCU grace period, releasing the keys it
903  * links to
904  */
905 static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
906 {
907         struct keyring_list *klist;
908         int loop;
909
910         klist = container_of(rcu, struct keyring_list, rcu);
911
912         for (loop = klist->nkeys - 1; loop >= 0; loop--)
913                 key_put(klist->keys[loop]);
914
915         kfree(klist);
916
917 } /* end keyring_clear_rcu_disposal() */
918
919 /*****************************************************************************/
920 /*
921  * clear the specified process keyring
922  * - implements keyctl(KEYCTL_CLEAR)
923  */
924 int keyring_clear(struct key *keyring)
925 {
926         struct keyring_list *klist;
927         int ret;
928
929         ret = -ENOTDIR;
930         if (keyring->type == &key_type_keyring) {
931                 /* detach the pointer block with the locks held */
932                 down_write(&keyring->sem);
933
934                 klist = keyring->payload.subscriptions;
935                 if (klist) {
936                         /* adjust the quota */
937                         key_payload_reserve(keyring,
938                                             sizeof(struct keyring_list));
939
940                         rcu_assign_pointer(keyring->payload.subscriptions,
941                                            NULL);
942                 }
943
944                 up_write(&keyring->sem);
945
946                 /* free the keys after the locks have been dropped */
947                 if (klist)
948                         call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
949
950                 ret = 0;
951         }
952
953         return ret;
954
955 } /* end keyring_clear() */
956
957 EXPORT_SYMBOL(keyring_clear);
958
959 /*****************************************************************************/
960 /*
961  * dispose of the links from a revoked keyring
962  * - called with the key sem write-locked
963  */
964 static void keyring_revoke(struct key *keyring)
965 {
966         struct keyring_list *klist = keyring->payload.subscriptions;
967
968         /* adjust the quota */
969         key_payload_reserve(keyring, 0);
970
971         if (klist) {
972                 rcu_assign_pointer(keyring->payload.subscriptions, NULL);
973                 call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
974         }
975
976 } /* end keyring_revoke() */