Re: [PATCH v2] firmware_loader: use kernel credentials when reading firmware

Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> · Wed, 27 Apr 2022 16:18:51 +0200

On Wed, Apr 27, 2022 at 09:58:23AM -0400, Qian Cai wrote:
> On Fri, Apr 22, 2022 at 11:32:15AM +1000, Thiébaud Weksteen wrote:
> >  drivers/base/firmware_loader/main.c | 16 ++++++++++++++++
> >  1 file changed, 16 insertions(+)
> > 
> > diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
> > index 94d1789a233e..8f3c2b2cfc61 100644
> > --- a/drivers/base/firmware_loader/main.c
> > +++ b/drivers/base/firmware_loader/main.c
> > @@ -735,6 +735,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> >  		  size_t offset, u32 opt_flags)
> >  {
> >  	struct firmware *fw = NULL;
> > +	struct cred *kern_cred = NULL;
> > +	const struct cred *old_cred;
> >  	bool nondirect = false;
> >  	int ret;
> >  
> > @@ -751,6 +753,18 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
> >  	if (ret <= 0) /* error or already assigned */
> >  		goto out;
> >  
> > +	/*
> > +	 * We are about to try to access the firmware file. Because we may have been
> > +	 * called by a driver when serving an unrelated request from userland, we use
> > +	 * the kernel credentials to read the file.
> > +	 */
> > +	kern_cred = prepare_kernel_cred(NULL);
> 
> This triggers quite some leak reports from kmemleak.
> 
> unreferenced object 0xffff0801e47690c0 (size 176):
>   comm "kworker/0:1", pid 14, jiffies 4294904047 (age 2208.624s)
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>      kmem_cache_alloc
>      prepare_kernel_cred
>      _request_firmware
>      firmware_request_nowarn
>      firmware_request_nowarn at drivers/base/firmware_loader/main.c:933
>      nvkm_firmware_get [nouveau]
>      nvkm_firmware_get at drivers/gpu/drm/nouveau/nvkm/core/firmware.c:92
>      nvkm_firmware_load_name [nouveau]
>      nvkm_acr_lsfw_load_bl_inst_data_sig [nouveau]
>      gm200_gr_load [nouveau]
>      gf100_gr_new_ [nouveau]
>      tu102_gr_new [nouveau]
>      nvkm_device_ctor [nouveau]
>      nvkm_device_pci_new [nouveau]
>      nouveau_drm_probe [nouveau]
>      local_pci_probe
>      work_for_cpu_fn
>      process_one_work

Ugh, yeah, a put_cred() is not called after this.

I'll go revert this commit for now as it needs more work.

thanks,

greg k-h