From: Sebastien Buisson <sbuisson@ddn.com>
Date: Wed, 23 Dec 2015 20:18:57 +0000 (+0100)
Subject: LU-7604 gss: handle revoked keys properly
X-Git-Tag: 2.7.65~23
X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=fa4646291c7059597bd5d682f0c6c89b65ecf97e

LU-7604 gss: handle revoked keys properly

Revoked keys are no longer returned by request_key kernel
function. So it is now necessary to remove revoked keys from
keyring when flushing context.
Moreover, if a revoked key is present, do not consider it
matches when searching for a valid key with request_key. That
way it will be replaced with a valid, newly created one.

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I0fbaf01f6a8f50e9fb06eef96c74e73c25de257f
Reviewed-on: http://review.whamcloud.com/17721
Tested-by: Jenkins
Reviewed-by: Jeremy Filizetti <jeremy.filizetti@gmail.com>
Tested-by: James Nunez <james.a.nunez@intel.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
---

diff --git a/lustre/ptlrpc/gss/gss_keyring.c b/lustre/ptlrpc/gss/gss_keyring.c
index e722d3c..67188f5 100644
--- a/lustre/ptlrpc/gss/gss_keyring.c
+++ b/lustre/ptlrpc/gss/gss_keyring.c
@@ -874,28 +874,30 @@ void flush_user_ctx_cache_kr(struct ptlrpc_sec *sec,
 
         construct_key_desc(desc, sizeof(desc), sec, uid);
 
-        /* there should be only one valid key, but we put it in the
-         * loop in case of any weird cases */
-        for (;;) {
-                key = request_key(&gss_key_type, desc, NULL);
-                if (IS_ERR(key)) {
-                        CDEBUG(D_SEC, "No more key found for current user\n");
-                        break;
-                }
+	/* there should be only one valid key, but we put it in the
+	 * loop in case of any weird cases */
+	for (;;) {
+		key = request_key(&gss_key_type, desc, NULL);
+		if (IS_ERR(key)) {
+			CDEBUG(D_SEC, "No more key found for current user\n");
+			break;
+		}
 
-                down_write(&key->sem);
+		down_write(&key->sem);
 
-                kill_key_locked(key);
+		kill_key_locked(key);
 
-                /* kill_key_locked() should usually revoke the key, but we
-                 * revoke it again to make sure, e.g. some case the key may
-                 * not well coupled with a context. */
-                key_revoke_locked(key);
+		/* kill_key_locked() should usually revoke the key, but we
+		 * revoke it again to make sure, e.g. some case the key may
+		 * not well coupled with a context. */
+		key_revoke_locked(key);
 
-                up_write(&key->sem);
+		up_write(&key->sem);
 
-                key_put(key);
-        }
+		request_key_unlink(key);
+
+		key_put(key);
+	}
 }
 
 /*
@@ -1412,7 +1414,8 @@ out:
 static int
 gss_kt_match(const struct key *key, const void *desc)
 {
-	return (strcmp(key->description, (const char *) desc) == 0);
+	return strcmp(key->description, (const char *) desc) == 0 &&
+		!test_bit(KEY_FLAG_REVOKED, &key->flags);
 }
 #else /* ! HAVE_KEY_MATCH_DATA */
 static bool
@@ -1420,7 +1423,8 @@ gss_kt_match(const struct key *key, const struct key_match_data *match_data)
 {
 	const char *desc = match_data->raw_data;
 
-	return (strcmp(key->description, desc) == 0);
+	return strcmp(key->description, desc) == 0 &&
+		!test_bit(KEY_FLAG_REVOKED, &key->flags);
 }
 
 /*