On Sun, May 1, 2022 at 8:50 PM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote: > > Device drivers may decide to not load firmware when probed to avoid > slowing down the boot process should the firmware filesystem not be > available yet. In this case, the firmware loading request may be done > when a device file associated with the driver is first accessed. The > credentials of the userspace process accessing the device file may be > used to validate access to the firmware files requested by the driver. > Ensure that the kernel assumes the responsibility of reading the > firmware. > > This was observed on Android for a graphic driver loading their firmware > when the device file (e.g. /dev/mali0) was first opened by userspace > (i.e. surfaceflinger). The security context of surfaceflinger was used > to validate the access to the firmware file (e.g. > /vendor/firmware/mali.bin). > > Previously, Android configurations were not setting up the > firmware_class.path command line argument and were relying on the > userspace fallback mechanism. In this case, the security context of the > userspace daemon (i.e. ueventd) was consistently used to read firmware > files. More Android devices are now found to set firmware_class.path > which gives the kernel the opportunity to read the firmware directly > (via kernel_read_file_from_path_initns). In this scenario, the current > process credentials were used, even if unrelated to the loading of the > firmware file. > > Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx> > Cc: <stable@xxxxxxxxxxxxxxx> # 5.10 > --- > v4: Add stable to Cc > v3: > - Add call to put_cred to avoid a memory leak. Confirmed that no new > memory leak occurs on a Pixel 4a. > - Update commit log. > v2: Add comment > > drivers/base/firmware_loader/main.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) Reviewed-by: Paul Moore <paul@xxxxxxxxxxxxxx> -- paul-moore.com
