/* Keyring handling
 *
 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/module.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/security.h>
#include <linux/seq_file.h>
#include <linux/err.h>
#include <keys/keyring-type.h>
#include <linux/uaccess.h>
#include "internal.h"

#define rcu_dereference_locked_keyring(keyring)                         \
        (rcu_dereference_protected(                                     \
                (keyring)->payload.subscriptions,                       \
                rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))

#define rcu_deref_link_locked(klist, index, keyring)                    \
        (rcu_dereference_protected(                                     \
                (klist)->keys[index],                                   \
                rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))

#define MAX_KEYRING_LINKS                                               \
        min_t(size_t, USHRT_MAX - 1,                                    \
              ((PAGE_SIZE - sizeof(struct keyring_list)) / sizeof(struct key *)))

#define KEY_LINK_FIXQUOTA 1UL

/*
 * When plumbing the depths of the key tree, this sets a hard limit
 * set on how deep we're willing to go.
 */
#define KEYRING_SEARCH_MAX_DEPTH 6

/*
 * We keep all named keyrings in a hash to speed looking them up.
 */
#define KEYRING_NAME_HASH_SIZE  (1 << 5)

static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
static DEFINE_RWLOCK(keyring_name_lock);

static inline unsigned keyring_hash(const char *desc)
{
        unsigned bucket = 0;

        for (; *desc; desc++)
                bucket += (unsigned char)*desc;

        return bucket & (KEYRING_NAME_HASH_SIZE - 1);
}

/*
 * The keyring key type definition.  Keyrings are simply keys of this type and
 * can be treated as ordinary keys in addition to having their own special
 * operations.
 */
static int keyring_instantiate(struct key *keyring,
                               struct key_preparsed_payload *prep);
static int keyring_match(const struct key *keyring, const void *criterion);
static void keyring_revoke(struct key *keyring);
static void keyring_destroy(struct key *keyring);
static void keyring_describe(const struct key *keyring, struct seq_file *m);
static long keyring_read(const struct key *keyring,
                         char __user *buffer, size_t buflen);

struct key_type key_type_keyring = {
        .name           = "keyring",
        .def_datalen    = sizeof(struct keyring_list),
        .instantiate    = keyring_instantiate,
        .match          = keyring_match,
        .revoke         = keyring_revoke,
        .destroy        = keyring_destroy,
        .describe       = keyring_describe,
        .read           = keyring_read,
};
EXPORT_SYMBOL(key_type_keyring);

/*
 * Semaphore to serialise link/link calls to prevent two link calls in parallel
 * introducing a cycle.
 */
static DECLARE_RWSEM(keyring_serialise_link_sem);

/*
 * Publish the name of a keyring so that it can be found by name (if it has
 * one).
 */
static void keyring_publish_name(struct key *keyring)
{
        int bucket;

        if (keyring->description) {
                bucket = keyring_hash(keyring->description);

                write_lock(&keyring_name_lock);

                if (!keyring_name_hash[bucket].next)
                        INIT_LIST_HEAD(&keyring_name_hash[bucket]);

                list_add_tail(&keyring->type_data.link,
                              &keyring_name_hash[bucket]);

                write_unlock(&keyring_name_lock);
        }
}

/*
 * Initialise a keyring.
 *
 * Returns 0 on success, -EINVAL if given any data.
 */
static int keyring_instantiate(struct key *keyring,
                               struct key_preparsed_payload *prep)
{
        int ret;

        ret = -EINVAL;
        if (prep->datalen == 0) {
                /* make the keyring available by name if it has one */
                keyring_publish_name(keyring);
                ret = 0;
        }

        return ret;
}

/*
 * Match keyrings on their name
 */
static int keyring_match(const struct key *keyring, const void *description)
{
        return keyring->description &&
                strcmp(keyring->description, description) == 0;
}

/*
 * Clean up a keyring when it is destroyed.  Unpublish its name if it had one
 * and dispose of its data.
 *
 * The garbage collector detects the final key_put(), removes the keyring from
 * the serial number tree and then does RCU synchronisation before coming here,
 * so we shouldn't need to worry about code poking around here with the RCU
 * readlock held by this time.
 */
static void keyring_destroy(struct key *keyring)
{
        struct keyring_list *klist;
        int loop;

        if (keyring->description) {
                write_lock(&keyring_name_lock);

                if (keyring->type_data.link.next != NULL &&
                    !list_empty(&keyring->type_data.link))
                        list_del(&keyring->type_data.link);

                write_unlock(&keyring_name_lock);
        }

        klist = rcu_access_pointer(keyring->payload.subscriptions);
        if (klist) {
                for (loop = klist->nkeys - 1; loop >= 0; loop--)
                        key_put(rcu_access_pointer(klist->keys[loop]));
                kfree(klist);
        }
}

/*
 * Describe a keyring for /proc.
 */
static void keyring_describe(const struct key *keyring, struct seq_file *m)
{
        struct keyring_list *klist;

        if (keyring->description)
                seq_puts(m, keyring->description);
        else
                seq_puts(m, "[anon]");

        if (key_is_instantiated(keyring)) {
                rcu_read_lock();
                klist = rcu_dereference(keyring->payload.subscriptions);
                if (klist)
                        seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
                else
                        seq_puts(m, ": empty");
                rcu_read_unlock();
        }
}

/*
 * Read a list of key IDs from the keyring's contents in binary form
 *
 * The keyring's semaphore is read-locked by the caller.
 */
static long keyring_read(const struct key *keyring,
                         char __user *buffer, size_t buflen)
{
        struct keyring_list *klist;
        struct key *key;
        size_t qty, tmp;
        int loop, ret;

        ret = 0;
        klist = rcu_dereference_locked_keyring(keyring);
        if (klist) {
                /* calculate how much data we could return */
                qty = klist->nkeys * sizeof(key_serial_t);

                if (buffer && buflen > 0) {
                        if (buflen > qty)
                                buflen = qty;

                        /* copy the IDs of the subscribed keys into the
                         * buffer */
                        ret = -EFAULT;

                        for (loop = 0; loop < klist->nkeys; loop++) {
                                key = rcu_deref_link_locked(klist, loop,
                                                            keyring);

                                tmp = sizeof(key_serial_t);
                                if (tmp > buflen)
                                        tmp = buflen;

                                if (copy_to_user(buffer,
                                                 &key->serial,
                                                 tmp) != 0)
                                        goto error;

                                buflen -= tmp;
                                if (buflen == 0)
                                        break;
                                buffer += tmp;
                        }
                }

                ret = qty;
        }

error:
        return ret;
}

/*
 * Allocate a keyring and link into the destination keyring.
 */
struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
                          const struct cred *cred, key_perm_t perm,
                          unsigned long flags, struct key *dest)
{
        struct key *keyring;
        int ret;

        keyring = key_alloc(&key_type_keyring, description,
                            uid, gid, cred, perm, flags);
        if (!IS_ERR(keyring)) {
                ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
                if (ret < 0) {
                        key_put(keyring);
                        keyring = ERR_PTR(ret);
                }
        }

        return keyring;
}
EXPORT_SYMBOL(keyring_alloc);

/**
 * keyring_search_aux - Search a keyring tree for a key matching some criteria
 * @keyring_ref: A pointer to the keyring with possession indicator.
 * @cred: The credentials to use for permissions checks.
 * @type: The type of key to search for.
 * @description: Parameter for @match.
 * @match: Function to rule on whether or not a key is the one required.
 * @no_state_check: Don't check if a matching key is bad
 *
 * Search the supplied keyring tree for a key that matches the criteria given.
 * The root keyring and any linked keyrings must grant Search permission to the
 * caller to be searchable and keys can only be found if they too grant Search
 * to the caller. The possession flag on the root keyring pointer controls use
 * of the possessor bits in permissions checking of the entire tree.  In
 * addition, the LSM gets to forbid keyring searches and key matches.
 *
 * The search is performed as a breadth-then-depth search up to the prescribed
 * limit (KEYRING_SEARCH_MAX_DEPTH).
 *
 * Keys are matched to the type provided and are then filtered by the match
 * function, which is given the description to use in any way it sees fit.  The
 * match function may use any attributes of a key that it wishes to to
 * determine the match.  Normally the match function from the key type would be
 * used.
 *
 * RCU is used to prevent the keyring key lists from disappearing without the
 * need to take lots of locks.
 *
 * Returns a pointer to the found key and increments the key usage count if
 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
 * specified keyring wasn't a keyring.
 *
 * In the case of a successful return, the possession attribute from
 * @keyring_ref is propagated to the returned key reference.
 */
key_ref_t keyring_search_aux(key_ref_t keyring_ref,
                             const struct cred *cred,
                             struct key_type *type,
                             const void *description,
                             key_match_func_t match,
                             bool no_state_check)
{
        struct {
                /* Need a separate keylist pointer for RCU purposes */
                struct key *keyring;
                struct keyring_list *keylist;
                int kix;
        } stack[KEYRING_SEARCH_MAX_DEPTH];

        struct keyring_list *keylist;
        struct timespec now;
        unsigned long possessed, kflags;
        struct key *keyring, *key;
        key_ref_t key_ref;
        long err;
        int sp, nkeys, kix;

        keyring = key_ref_to_ptr(keyring_ref);
        possessed = is_key_possessed(keyring_ref);
        key_check(keyring);

        /* top keyring must have search permission to begin the search */
        err = key_task_permission(keyring_ref, cred, KEY_SEARCH);
        if (err < 0) {
                key_ref = ERR_PTR(err);
                goto error;
        }

        key_ref = ERR_PTR(-ENOTDIR);
        if (keyring->type != &key_type_keyring)
                goto error;

        rcu_read_lock();

        now = current_kernel_time();
        err = -EAGAIN;
        sp = 0;

        /* firstly we should check to see if this top-level keyring is what we
         * are looking for */
        key_ref = ERR_PTR(-EAGAIN);
        kflags = keyring->flags;
        if (keyring->type == type && match(keyring, description)) {
                key = keyring;
                if (no_state_check)
                        goto found;

                /* check it isn't negative and hasn't expired or been
                 * revoked */
                if (kflags & (1 << KEY_FLAG_REVOKED))
                        goto error_2;
                if (key->expiry && now.tv_sec >= key->expiry)
                        goto error_2;
                key_ref = ERR_PTR(key->type_data.reject_error);
                if (kflags & (1 << KEY_FLAG_NEGATIVE))
                        goto error_2;
                goto found;
        }

        /* otherwise, the top keyring must not be revoked, expired, or
         * negatively instantiated if we are to search it */
        key_ref = ERR_PTR(-EAGAIN);
        if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
                      (1 << KEY_FLAG_REVOKED) |
                      (1 << KEY_FLAG_NEGATIVE)) ||
            (keyring->expiry && now.tv_sec >= keyring->expiry))
                goto error_2;

        /* start processing a new keyring */
descend:
        kflags = keyring->flags;
        if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
                      (1 << KEY_FLAG_REVOKED)))
                goto not_this_keyring;

        keylist = rcu_dereference(keyring->payload.subscriptions);
        if (!keylist)
                goto not_this_keyring;

        /* iterate through the keys in this keyring first */
        nkeys = keylist->nkeys;
        smp_rmb();
        for (kix = 0; kix < nkeys; kix++) {
                key = rcu_dereference(keylist->keys[kix]);
                kflags = key->flags;

                /* ignore keys not of this type */
                if (key->type != type)
                        continue;

                /* skip invalidated, revoked and expired keys */
                if (!no_state_check) {
                        if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
                                      (1 << KEY_FLAG_REVOKED)))
                                continue;

                        if (key->expiry && now.tv_sec >= key->expiry)
                                continue;
                }

                /* keys that don't match */
                if (!match(key, description))
                        continue;

                /* key must have search permissions */
                if (key_task_permission(make_key_ref(key, possessed),
                                        cred, KEY_SEARCH) < 0)
                        continue;

                if (no_state_check)
                        goto found;

                /* we set a different error code if we pass a negative key */
                if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
                        err = key->type_data.reject_error;
                        continue;
                }

                goto found;
        }

        /* search through the keyrings nested in this one */
        kix = 0;
ascend:
        nkeys = keylist->nkeys;
        smp_rmb();
        for (; kix < nkeys; kix++) {
                key = rcu_dereference(keylist->keys[kix]);
                if (key->type != &key_type_keyring)
                        continue;

                /* recursively search nested keyrings
                 * - only search keyrings for which we have search permission
                 */
                if (sp >= KEYRING_SEARCH_MAX_DEPTH)
                        continue;

                if (key_task_permission(make_key_ref(key, possessed),
                                        cred, KEY_SEARCH) < 0)
                        continue;

                /* stack the current position */
                stack[sp].keyring = keyring;
                stack[sp].keylist = keylist;
                stack[sp].kix = kix;
                sp++;

                /* begin again with the new keyring */
                keyring = key;
                goto descend;
        }

        /* the keyring we're looking at was disqualified or didn't contain a
         * matching key */
not_this_keyring:
        if (sp > 0) {
                /* resume the processing of a keyring higher up in the tree */
                sp--;
                keyring = stack[sp].keyring;
                keylist = stack[sp].keylist;
                kix = stack[sp].kix + 1;
                goto ascend;
        }

        key_ref = ERR_PTR(err);
        goto error_2;

        /* we found a viable match */
found:
        atomic_inc(&key->usage);
        key->last_used_at = now.tv_sec;
        keyring->last_used_at = now.tv_sec;
        while (sp > 0)
                stack[--sp].keyring->last_used_at = now.tv_sec;
        key_check(key);
        key_ref = make_key_ref(key, possessed);
error_2:
        rcu_read_unlock();
error:
        return key_ref;
}

/**
 * keyring_search - Search the supplied keyring tree for a matching key
 * @keyring: The root of the keyring tree to be searched.
 * @type: The type of keyring we want to find.
 * @description: The name of the keyring we want to find.
 *
 * As keyring_search_aux() above, but using the current task's credentials and
 * type's default matching function.
 */
key_ref_t keyring_search(key_ref_t keyring,
                         struct key_type *type,
                         const char *description)
{
        if (!type->match)
                return ERR_PTR(-ENOKEY);

        return keyring_search_aux(keyring, current->cred,
                                  type, description, type->match, false);
}
EXPORT_SYMBOL(keyring_search);

/*
 * Search the given keyring only (no recursion).
 *
 * The caller must guarantee that the keyring is a keyring and that the
 * permission is granted to search the keyring as no check is made here.
 *
 * RCU is used to make it unnecessary to lock the keyring key list here.
 *
 * Returns a pointer to the found key with usage count incremented if
 * successful and returns -ENOKEY if not found.  Revoked keys and keys not
 * providing the requested permission are skipped over.
 *
 * If successful, the possession indicator is propagated from the keyring ref
 * to the returned key reference.
 */
key_ref_t __keyring_search_one(key_ref_t keyring_ref,
                               const struct key_type *ktype,
                               const char *description,
                               key_perm_t perm)
{
        struct keyring_list *klist;
        unsigned long possessed;
        struct key *keyring, *key;
        int nkeys, loop;

        keyring = key_ref_to_ptr(keyring_ref);
        possessed = is_key_possessed(keyring_ref);

        rcu_read_lock();

        klist = rcu_dereference(keyring->payload.subscriptions);
        if (klist) {
                nkeys = klist->nkeys;
                smp_rmb();
                for (loop = 0; loop < nkeys ; loop++) {
                        key = rcu_dereference(klist->keys[loop]);
                        if (key->type == ktype &&
                            (!key->type->match ||
                             key->type->match(key, description)) &&
                            key_permission(make_key_ref(key, possessed),
                                           perm) == 0 &&
                            !(key->flags & ((1 << KEY_FLAG_INVALIDATED) |
                                            (1 << KEY_FLAG_REVOKED)))
                            )
                                goto found;
                }
        }

        rcu_read_unlock();
        return ERR_PTR(-ENOKEY);

found:
        atomic_inc(&key->usage);
        keyring->last_used_at = key->last_used_at =
                current_kernel_time().tv_sec;
        rcu_read_unlock();
        return make_key_ref(key, possessed);
}

/*
 * Find a keyring with the specified name.
 *
 * All named keyrings in the current user namespace are searched, provided they
 * grant Search permission directly to the caller (unless this check is
 * skipped).  Keyrings whose usage points have reached zero or who have been
 * revoked are skipped.
 *
 * Returns a pointer to the keyring with the keyring's refcount having being
 * incremented on success.  -ENOKEY is returned if a key could not be found.
 */
struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
{
        struct key *keyring;
        int bucket;

        if (!name)
                return ERR_PTR(-EINVAL);

        bucket = keyring_hash(name);

        read_lock(&keyring_name_lock);

        if (keyring_name_hash[bucket].next) {
                /* search this hash bucket for a keyring with a matching name
                 * that's readable and that hasn't been revoked */
                list_for_each_entry(keyring,
                                    &keyring_name_hash[bucket],
                                    type_data.link
                                    ) {
                        if (!kuid_has_mapping(current_user_ns(), keyring->user->uid))
                                continue;

                        if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
                                continue;

                        if (strcmp(keyring->description, name) != 0)
                                continue;

                        if (!skip_perm_check &&
                            key_permission(make_key_ref(keyring, 0),
                                           KEY_SEARCH) < 0)
                                continue;

                        /* we've got a match but we might end up racing with
                         * key_cleanup() if the keyring is currently 'dead'
                         * (ie. it has a zero usage count) */
                        if (!atomic_inc_not_zero(&keyring->usage))
                                continue;
                        keyring->last_used_at = current_kernel_time().tv_sec;
                        goto out;
                }
        }

        keyring = ERR_PTR(-ENOKEY);
out:
        read_unlock(&keyring_name_lock);
        return keyring;
}

/*
 * See if a cycle will will be created by inserting acyclic tree B in acyclic
 * tree A at the topmost level (ie: as a direct child of A).
 *
 * Since we are adding B to A at the top level, checking for cycles should just
 * be a matter of seeing if node A is somewhere in tree B.
 */
static int keyring_detect_cycle(struct key *A, struct key *B)
{
        struct {
                struct keyring_list *keylist;
                int kix;
        } stack[KEYRING_SEARCH_MAX_DEPTH];

        struct keyring_list *keylist;
        struct key *subtree, *key;
        int sp, nkeys, kix, ret;

        rcu_read_lock();

        ret = -EDEADLK;
        if (A == B)
                goto cycle_detected;

        subtree = B;
        sp = 0;

        /* start processing a new keyring */
descend:
        if (test_bit(KEY_FLAG_REVOKED, &subtree->flags))
                goto not_this_keyring;

        keylist = rcu_dereference(subtree->payload.subscriptions);
        if (!keylist)
                goto not_this_keyring;
        kix = 0;

ascend:
        /* iterate through the remaining keys in this keyring */
        nkeys = keylist->nkeys;
        smp_rmb();
        for (; kix < nkeys; kix++) {
                key = rcu_dereference(keylist->keys[kix]);

                if (key == A)
                        goto cycle_detected;

                /* recursively check nested keyrings */
                if (key->type == &key_type_keyring) {
                        if (sp >= KEYRING_SEARCH_MAX_DEPTH)
                                goto too_deep;

                        /* stack the current position */
                        stack[sp].keylist = keylist;
                        stack[sp].kix = kix;
                        sp++;

                        /* begin again with the new keyring */
                        subtree = key;
                        goto descend;
                }
        }

        /* the keyring we're looking at was disqualified or didn't contain a
         * matching key */
not_this_keyring:
        if (sp > 0) {
                /* resume the checking of a keyring higher up in the tree */
                sp--;
                keylist = stack[sp].keylist;
                kix = stack[sp].kix + 1;
                goto ascend;
        }

        ret = 0; /* no cycles detected */

error:
        rcu_read_unlock();
        return ret;

too_deep:
        ret = -ELOOP;
        goto error;

cycle_detected:
        ret = -EDEADLK;
        goto error;
}

/*
 * Dispose of a keyring list after the RCU grace period, freeing the unlinked
 * key
 */
static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
{
        struct keyring_list *klist =
                container_of(rcu, struct keyring_list, rcu);

        if (klist->delkey != USHRT_MAX)
                key_put(rcu_access_pointer(klist->keys[klist->delkey]));
        kfree(klist);
}

/*
 * Preallocate memory so that a key can be linked into to a keyring.
 */
int __key_link_begin(struct key *keyring, const struct key_type *type,
                     const char *description, unsigned long *_prealloc)
        __acquires(&keyring->sem)
        __acquires(&keyring_serialise_link_sem)
{
        struct keyring_list *klist, *nklist;
        unsigned long prealloc;
        unsigned max;
        time_t lowest_lru;
        size_t size;
        int loop, lru, ret;

        kenter("%d,%s,%s,", key_serial(keyring), type->name, description);

        if (keyring->type != &key_type_keyring)
                return -ENOTDIR;

        down_write(&keyring->sem);

        ret = -EKEYREVOKED;
        if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
                goto error_krsem;

        /* serialise link/link calls to prevent parallel calls causing a cycle
         * when linking two keyring in opposite orders */
        if (type == &key_type_keyring)
                down_write(&keyring_serialise_link_sem);

        klist = rcu_dereference_locked_keyring(keyring);

        /* see if there's a matching key we can displace */
        lru = -1;
        if (klist && klist->nkeys > 0) {
                lowest_lru = TIME_T_MAX;
                for (loop = klist->nkeys - 1; loop >= 0; loop--) {
                        struct key *key = rcu_deref_link_locked(klist, loop,
                                                                keyring);
                        if (key->type == type &&
                            strcmp(key->description, description) == 0) {
                                /* Found a match - we'll replace the link with
                                 * one to the new key.  We record the slot
                                 * position.
                                 */
                                klist->delkey = loop;
                                prealloc = 0;
                                goto done;
                        }
                        if (key->last_used_at < lowest_lru) {
                                lowest_lru = key->last_used_at;
                                lru = loop;
                        }
                }
        }

        /* If the keyring is full then do an LRU discard */
        if (klist &&
            klist->nkeys == klist->maxkeys &&
            klist->maxkeys >= MAX_KEYRING_LINKS) {
                kdebug("LRU discard %d\n", lru);
                klist->delkey = lru;
                prealloc = 0;
                goto done;
        }

        /* check that we aren't going to overrun the user's quota */
        ret = key_payload_reserve(keyring,
                                  keyring->datalen + KEYQUOTA_LINK_BYTES);
        if (ret < 0)
                goto error_sem;

        if (klist && klist->nkeys < klist->maxkeys) {
                /* there's sufficient slack space to append directly */
                klist->delkey = klist->nkeys;
                prealloc = KEY_LINK_FIXQUOTA;
        } else {
                /* grow the key list */
                max = 4;
                if (klist) {
                        max += klist->maxkeys;
                        if (max > MAX_KEYRING_LINKS)
                                max = MAX_KEYRING_LINKS;
                        BUG_ON(max <= klist->maxkeys);
                }

                size = sizeof(*klist) + sizeof(struct key *) * max;

                ret = -ENOMEM;
                nklist = kmalloc(size, GFP_KERNEL);
                if (!nklist)
                        goto error_quota;

                nklist->maxkeys = max;
                if (klist) {
                        memcpy(nklist->keys, klist->keys,
                               sizeof(struct key *) * klist->nkeys);
                        nklist->delkey = klist->nkeys;
                        nklist->nkeys = klist->nkeys + 1;
                        klist->delkey = USHRT_MAX;
                } else {
                        nklist->nkeys = 1;
                        nklist->delkey = 0;
                }

                /* add the key into the new space */
                RCU_INIT_POINTER(nklist->keys[nklist->delkey], NULL);
                prealloc = (unsigned long)nklist | KEY_LINK_FIXQUOTA;
        }

done:
        *_prealloc = prealloc;
        kleave(" = 0");
        return 0;

error_quota:
        /* undo the quota changes */
        key_payload_reserve(keyring,
                            keyring->datalen - KEYQUOTA_LINK_BYTES);
error_sem:
        if (type == &key_type_keyring)
                up_write(&keyring_serialise_link_sem);
error_krsem:
        up_write(&keyring->sem);
        kleave(" = %d", ret);
        return ret;
}

/*
 * Check already instantiated keys aren't going to be a problem.
 *
 * The caller must have called __key_link_begin(). Don't need to call this for
 * keys that were created since __key_link_begin() was called.
 */
int __key_link_check_live_key(struct key *keyring, struct key *key)
{
        if (key->type == &key_type_keyring)
                /* check that we aren't going to create a cycle by linking one
                 * keyring to another */
                return keyring_detect_cycle(keyring, key);
        return 0;
}

/*
 * Link a key into to a keyring.
 *
 * Must be called with __key_link_begin() having being called.  Discards any
 * already extant link to matching key if there is one, so that each keyring
 * holds at most one link to any given key of a particular type+description
 * combination.
 */
void __key_link(struct key *keyring, struct key *key,
                unsigned long *_prealloc)
{
        struct keyring_list *klist, *nklist;
        struct key *discard;

        nklist = (struct keyring_list *)(*_prealloc & ~KEY_LINK_FIXQUOTA);
        *_prealloc = 0;

        kenter("%d,%d,%p", keyring->serial, key->serial, nklist);

        klist = rcu_dereference_locked_keyring(keyring);

        atomic_inc(&key->usage);
        keyring->last_used_at = key->last_used_at =
                current_kernel_time().tv_sec;

        /* there's a matching key we can displace or an empty slot in a newly
         * allocated list we can fill */
        if (nklist) {
                kdebug("reissue %hu/%hu/%hu",
                       nklist->delkey, nklist->nkeys, nklist->maxkeys);

                RCU_INIT_POINTER(nklist->keys[nklist->delkey], key);

                rcu_assign_pointer(keyring->payload.subscriptions, nklist);

                /* dispose of the old keyring list and, if there was one, the
                 * displaced key */
                if (klist) {
                        kdebug("dispose %hu/%hu/%hu",
                               klist->delkey, klist->nkeys, klist->maxkeys);
                        call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
                }
        } else if (klist->delkey < klist->nkeys) {
                kdebug("replace %hu/%hu/%hu",
                       klist->delkey, klist->nkeys, klist->maxkeys);

                discard = rcu_dereference_protected(
                        klist->keys[klist->delkey],
                        rwsem_is_locked(&keyring->sem));
                rcu_assign_pointer(klist->keys[klist->delkey], key);
                /* The garbage collector will take care of RCU
                 * synchronisation */
                key_put(discard);
        } else {
                /* there's sufficient slack space to append directly */
                kdebug("append %hu/%hu/%hu",
                       klist->delkey, klist->nkeys, klist->maxkeys);

                RCU_INIT_POINTER(klist->keys[klist->delkey], key);
                smp_wmb();
                klist->nkeys++;
        }
}

/*
 * Finish linking a key into to a keyring.
 *
 * Must be called with __key_link_begin() having being called.
 */
void __key_link_end(struct key *keyring, struct key_type *type,
                    unsigned long prealloc)
        __releases(&keyring->sem)
        __releases(&keyring_serialise_link_sem)
{
        BUG_ON(type == NULL);
        BUG_ON(type->name == NULL);
        kenter("%d,%s,%lx", keyring->serial, type->name, prealloc);

        if (type == &key_type_keyring)
                up_write(&keyring_serialise_link_sem);

        if (prealloc) {
                if (prealloc & KEY_LINK_FIXQUOTA)
                        key_payload_reserve(keyring,
                                            keyring->datalen -
                                            KEYQUOTA_LINK_BYTES);
                kfree((struct keyring_list *)(prealloc & ~KEY_LINK_FIXQUOTA));
        }
        up_write(&keyring->sem);
}

/**
 * key_link - Link a key to a keyring
 * @keyring: The keyring to make the link in.
 * @key: The key to link to.
 *
 * Make a link in a keyring to a key, such that the keyring holds a reference
 * on that key and the key can potentially be found by searching that keyring.
 *
 * This function will write-lock the keyring's semaphore and will consume some
 * of the user's key data quota to hold the link.
 *
 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring,
 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is
 * full, -EDQUOT if there is insufficient key data quota remaining to add
 * another link or -ENOMEM if there's insufficient memory.
 *
 * It is assumed that the caller has checked that it is permitted for a link to
 * be made (the keyring should have Write permission and the key Link
 * permission).
 */

int key_link(struct key *keyring, struct key *key)
{
        unsigned long prealloc;
        int ret;

        key_check(keyring);
        key_check(key);

        ret = __key_link_begin(keyring, key->type, key->description, &prealloc);
        if (ret == 0) {
                ret = __key_link_check_live_key(keyring, key);
                if (ret == 0)
                        __key_link(keyring, key, &prealloc);
                __key_link_end(keyring, key->type, prealloc);
        }

        return ret;
}
EXPORT_SYMBOL(key_link);

/**
 * key_unlink - Unlink the first link to a key from a keyring.
 * @keyring: The keyring to remove the link from.
 * @key: The key the link is to.
 *
 * Remove a link from a keyring to a key.
 *
 * This function will write-lock the keyring's semaphore.
 *
 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if
 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient
 * memory.
 *
 * It is assumed that the caller has checked that it is permitted for a link to
 * be removed (the keyring should have Write permission; no permissions are
 * required on the key).
 */
int key_unlink(struct key *keyring, struct key *key)
{
        struct keyring_list *klist, *nklist;
        int loop, ret;

        key_check(keyring);
        key_check(key);

        ret = -ENOTDIR;
        if (keyring->type != &key_type_keyring)
                goto error;

        down_write(&keyring->sem);

        klist = rcu_dereference_locked_keyring(keyring);
        if (klist) {
                /* search the keyring for the key */
                for (loop = 0; loop < klist->nkeys; loop++)
                        if (rcu_access_pointer(klist->keys[loop]) == key)
                                goto key_is_present;
        }

        up_write(&keyring->sem);
        ret = -ENOENT;
        goto error;

key_is_present:
        /* we need to copy the key list for RCU purposes */
        nklist = kmalloc(sizeof(*klist) +
                         sizeof(struct key *) * klist->maxkeys,
                         GFP_KERNEL);
        if (!nklist)
                goto nomem;
        nklist->maxkeys = klist->maxkeys;
        nklist->nkeys = klist->nkeys - 1;

        if (loop > 0)
                memcpy(&nklist->keys[0],
                       &klist->keys[0],
                       loop * sizeof(struct key *));

        if (loop < nklist->nkeys)
                memcpy(&nklist->keys[loop],
                       &klist->keys[loop + 1],
                       (nklist->nkeys - loop) * sizeof(struct key *));

        /* adjust the user's quota */
        key_payload_reserve(keyring,
                            keyring->datalen - KEYQUOTA_LINK_BYTES);

        rcu_assign_pointer(keyring->payload.subscriptions, nklist);

        up_write(&keyring->sem);

        /* schedule for later cleanup */
        klist->delkey = loop;
        call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);

        ret = 0;

error:
        return ret;
nomem:
        ret = -ENOMEM;
        up_write(&keyring->sem);
        goto error;
}
EXPORT_SYMBOL(key_unlink);

/*
 * Dispose of a keyring list after the RCU grace period, releasing the keys it
 * links to.
 */
static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
{
        struct keyring_list *klist;
        int loop;

        klist = container_of(rcu, struct keyring_list, rcu);

        for (loop = klist->nkeys - 1; loop >= 0; loop--)
                key_put(rcu_access_pointer(klist->keys[loop]));

        kfree(klist);
}

/**
 * keyring_clear - Clear a keyring
 * @keyring: The keyring to clear.
 *
 * Clear the contents of the specified keyring.
 *
 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring.
 */
int keyring_clear(struct key *keyring)
{
        struct keyring_list *klist;
        int ret;

        ret = -ENOTDIR;
        if (keyring->type == &key_type_keyring) {
                /* detach the pointer block with the locks held */
                down_write(&keyring->sem);

                klist = rcu_dereference_locked_keyring(keyring);
                if (klist) {
                        /* adjust the quota */
                        key_payload_reserve(keyring,
                                            sizeof(struct keyring_list));

                        rcu_assign_pointer(keyring->payload.subscriptions,
                                           NULL);
                }

                up_write(&keyring->sem);

                /* free the keys after the locks have been dropped */
                if (klist)
                        call_rcu(&klist->rcu, keyring_clear_rcu_disposal);

                ret = 0;
        }

        return ret;
}
EXPORT_SYMBOL(keyring_clear);

/*
 * Dispose of the links from a revoked keyring.
 *
 * This is called with the key sem write-locked.
 */
static void keyring_revoke(struct key *keyring)
{
        struct keyring_list *klist;

        klist = rcu_dereference_locked_keyring(keyring);

        /* adjust the quota */
        key_payload_reserve(keyring, 0);

        if (klist) {
                rcu_assign_pointer(keyring->payload.subscriptions, NULL);
                call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
        }
}

/*
 * Collect garbage from the contents of a keyring, replacing the old list with
 * a new one with the pointers all shuffled down.
 *
 * Dead keys are classed as oned that are flagged as being dead or are revoked,
 * expired or negative keys that were revoked or expired before the specified
 * limit.
 */
void keyring_gc(struct key *keyring, time_t limit)
{
        struct keyring_list *klist, *new;
        struct key *key;
        int loop, keep, max;

        kenter("{%x,%s}", key_serial(keyring), keyring->description);

        down_write(&keyring->sem);

        klist = rcu_dereference_locked_keyring(keyring);
        if (!klist)
                goto no_klist;

        /* work out how many subscriptions we're keeping */
        keep = 0;
        for (loop = klist->nkeys - 1; loop >= 0; loop--)
                if (!key_is_dead(rcu_deref_link_locked(klist, loop, keyring),
                                 limit))
                        keep++;

        if (keep == klist->nkeys)
                goto just_return;

        /* allocate a new keyring payload */
        max = roundup(keep, 4);
        new = kmalloc(sizeof(struct keyring_list) + max * sizeof(struct key *),
                      GFP_KERNEL);
        if (!new)
                goto nomem;
        new->maxkeys = max;
        new->nkeys = 0;
        new->delkey = 0;

        /* install the live keys
         * - must take care as expired keys may be updated back to life
         */
        keep = 0;
        for (loop = klist->nkeys - 1; loop >= 0; loop--) {
                key = rcu_deref_link_locked(klist, loop, keyring);
                if (!key_is_dead(key, limit)) {
                        if (keep >= max)
                                goto discard_new;
                        RCU_INIT_POINTER(new->keys[keep++], key_get(key));
                }
        }
        new->nkeys = keep;

        /* adjust the quota */
        key_payload_reserve(keyring,
                            sizeof(struct keyring_list) +
                            KEYQUOTA_LINK_BYTES * keep);

        if (keep == 0) {
                rcu_assign_pointer(keyring->payload.subscriptions, NULL);
                kfree(new);
        } else {
                rcu_assign_pointer(keyring->payload.subscriptions, new);
        }

        up_write(&keyring->sem);

        call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
        kleave(" [yes]");
        return;

discard_new:
        new->nkeys = keep;
        keyring_clear_rcu_disposal(&new->rcu);
        up_write(&keyring->sem);
        kleave(" [discard]");
        return;

just_return:
        up_write(&keyring->sem);
        kleave(" [no dead]");
        return;

no_klist:
        up_write(&keyring->sem);
        kleave(" [no_klist]");
        return;

nomem:
        up_write(&keyring->sem);
        kleave(" [oom]");
}