Received-SPF: pass (google.com: domain of linux-kernel+bounces-41080-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Date: Fri, 26 Jan 2024 22:42:20 -0800
From: Eric Biggers <ebiggers@kernel.org>
To: Luis Henriques <lhenriques@suse.de>
Cc: David Howells <dhowells@redhat.com>,
	Jarkko Sakkinen <jarkko@kernel.org>, keyrings@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v2] keys: update key quotas in key_put()
Message-ID: <20240127064220.GB11935@sol.localdomain>
References: <2744563.1702303367@warthog.procyon.org.uk>
 <20240115120300.27606-1-lhenriques@suse.de>
 <20240124221225.GD1088@sol.localdomain>
 <87bk988450.fsf@suse.de>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87bk988450.fsf@suse.de>

On Fri, Jan 26, 2024 at 04:12:59PM +0000, Luis Henriques wrote:
> Eric Biggers <ebiggers@kernel.org> writes:
> 
> > On Mon, Jan 15, 2024 at 12:03:00PM +0000, Luis Henriques wrote:
> >> Delaying key quotas update when key's refcount reaches 0 in key_put() has
> >> been causing some issues in fscrypt testing.  This patches fixes this test
> >> flakiness by dealing with the quotas immediately, but leaving all the other
> >> clean-ups to the key garbage collector.  Unfortunately, this means that we
> >> also need to switch to the irq-version of the spinlock that protects quota.
> >> 
> >> Signed-off-by: Luis Henriques <lhenriques@suse.de>
> >> ---
> >> Hi David!
> >> 
> >> I have these changes in my local disk for a while; I wanted to send them
> >> before EOY break but... yeah, it didn't happen.  Anyway, I'm still sending
> >> it as an RFC as I'm probably missing something.
> >> 
> >>  security/keys/gc.c     |  8 --------
> >>  security/keys/key.c    | 32 ++++++++++++++++++++++----------
> >>  security/keys/keyctl.c | 11 ++++++-----
> >>  3 files changed, 28 insertions(+), 23 deletions(-)
> >
> > This patch seems reasonable to me, though I'm still thinking about changing
> > fs/crypto/ to manage its key quotas itself which would avoid the issue entirely.
> >
> > Note that as I said before, fs/crypto/ does key_put() on a whole keyring at
> > once, in order to release the quota of the keys in the keyring.  Do you plan to
> > also change fs/crypto/ to keyring_clear() the keyring before putting it?
> > Without that, I don't think the problem is solved, as the quota release will
> > still happen asynchronously due to the keyring being cleared asynchronously.
> 
> Ah, good point.  In the meantime I had forgotten everything about this
> code and missed that.  So, I can send another patch to fs/crypto to add
> that extra call once (or if) this patch is accepted.
> 
> If I'm reading the code correctly, the only place where this extra call is
> required is on fscrypt_put_master_key():
> 
> diff --git a/fs/crypto/keyring.c b/fs/crypto/keyring.c
> index 0edf0b58daa7..4afd32f1aed9 100644
> --- a/fs/crypto/keyring.c
> +++ b/fs/crypto/keyring.c
> @@ -74,6 +74,7 @@ void fscrypt_put_master_key(struct fscrypt_master_key *mk)
>  	 * that concurrent keyring lookups can no longer find it.
>  	 */
>  	WARN_ON_ONCE(refcount_read(&mk->mk_active_refs) != 0);
> +	keyring_clear(mk->mk_users);
>  	key_put(mk->mk_users);
>  	mk->mk_users = NULL;

This will need a NULL check, since keyring_clear() doesn't accept NULL:

	if (mk->mk_users) {
		keyring_clear(mk->mk_users);
		key_put(mk->mk_users);
		mk->mk_users = NULL;
	}

>  	call_rcu(&mk->mk_rcu_head, fscrypt_free_master_key);
> 
> On the other hand, if you're really working towards dropping this code
> entirely, maybe there's not point doing that.

Well, it depends whether this patch (the one for security/keys/) is accepted or
not.  If it's accepted, I think it makes sense to add the keyring_clear() and
otherwise keep the fs/crypto/ code as-is.  If it's not accepted, I think I'll
have to make fs/crypto/ handle the quotas itself.

- Eric