From: David Howells
To: chuck.lever@oracle.com
Cc: neilb@suse.de, linux-nfs@vger.kernel.org, keyrings@linux-nfs.org
Date: Mon, 17 Nov 2014 15:08:14 +0000
Subject: Re: [Keyrings] [PATCH] KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags
Message-ID: <8829.1416236894@warthog.procyon.org.uk>
In-Reply-To: <20141114153923.21180.66516.stgit@warthog.procyon.org.uk>
References: <20141114153923.21180.66516.stgit@warthog.procyon.org.uk> <20141030174612.10093.61557.stgit@manet.1015granger.net>

I'm not sure this patch actually solves your problem.

> request_key_and_link() depends on getting an -EAGAIN result code to know
> when to perform an upcall to refresh an expired key.

request_key_and_link() should return EKEYEXPIRED if it meets an expired key
until that key gets gc'd.

What we lack is that bit to upcall to refresh the expired key.
/sbin/request-key can support it - the first column has 'create' for key
creation and can hold other values for updating a key and KEYCTL_UPDATE can be
allowed to unexpire a key.

Possibly I should be only returning EKEYEXPIRED if the key instantiation was
rejected so and simply invalidate the key if its in-memory expiration occurs.
Making this so will cause failures in the testsuite, but I think that's okay.

Another option is to allow keys to be specifically marked as
immediate-gc-on-expire such that you never see them in the expired state
unless you're holding a ref on one inside the kernel.

David