Re: [PATCH v2] firmware_loader: use kernel credentials when reading firmware

Qian Cai <quic_qiancai@xxxxxxxxxxx> · Wed, 27 Apr 2022 09:58:23 -0400

On Fri, Apr 22, 2022 at 11:32:15AM +1000, Thiébaud Weksteen wrote:
>  drivers/base/firmware_loader/main.c | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
> index 94d1789a233e..8f3c2b2cfc61 100644
> --- a/drivers/base/firmware_loader/main.c
> +++ b/drivers/base/firmware_loader/main.c
> @@ -735,6 +735,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
>  		  size_t offset, u32 opt_flags)
>  {
>  	struct firmware *fw = NULL;
> +	struct cred *kern_cred = NULL;
> +	const struct cred *old_cred;
>  	bool nondirect = false;
>  	int ret;
>  
> @@ -751,6 +753,18 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
>  	if (ret <= 0) /* error or already assigned */
>  		goto out;
>  
> +	/*
> +	 * We are about to try to access the firmware file. Because we may have been
> +	 * called by a driver when serving an unrelated request from userland, we use
> +	 * the kernel credentials to read the file.
> +	 */
> +	kern_cred = prepare_kernel_cred(NULL);

This triggers quite some leak reports from kmemleak.

unreferenced object 0xffff0801e47690c0 (size 176):
  comm "kworker/0:1", pid 14, jiffies 4294904047 (age 2208.624s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
     kmem_cache_alloc
     prepare_kernel_cred
     _request_firmware
     firmware_request_nowarn
     firmware_request_nowarn at drivers/base/firmware_loader/main.c:933
     nvkm_firmware_get [nouveau]
     nvkm_firmware_get at drivers/gpu/drm/nouveau/nvkm/core/firmware.c:92
     nvkm_firmware_load_name [nouveau]
     nvkm_acr_lsfw_load_bl_inst_data_sig [nouveau]
     gm200_gr_load [nouveau]
     gf100_gr_new_ [nouveau]
     tu102_gr_new [nouveau]
     nvkm_device_ctor [nouveau]
     nvkm_device_pci_new [nouveau]
     nouveau_drm_probe [nouveau]
     local_pci_probe
     work_for_cpu_fn
     process_one_work

> +	if (!kern_cred) {
> +		ret = -ENOMEM;
> +		goto out;
> +	}
> +	old_cred = override_creds(kern_cred);
> +
>  	ret = fw_get_filesystem_firmware(device, fw->priv, "", NULL);
>  
>  	/* Only full reads can support decompression, platform, and sysfs. */
> @@ -776,6 +790,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
>  	} else
>  		ret = assign_fw(fw, device);
>  
> +	revert_creds(old_cred);
> +
>   out:
>  	if (ret < 0) {
>  		fw_abort_batch_reqs(fw);
> -- 
> 2.36.0.rc2.479.g8af0fa9b8e-goog
> 