gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)
Jeetesh Burman [Thu, 19 Apr 2018 15:46:37 +0000 (20:46 +0530)]
Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640500
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650050
(cherry picked from commit f293fa670fd2f4fbe170f1e372e9aa237283c67a)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682715
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698610
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

drivers/gpu/nvgpu/gk20a/gr_gk20a.c

index 9e032e0..db34cc0 100644 (file)
@@ -26,6 +26,7 @@
 #include <linux/dma-mapping.h>
 #include <linux/firmware.h>
 #include <linux/nvhost.h>
+#include <asm/barrier.h>
 
 #include "gk20a.h"
 #include "kind_gk20a.h"
@@ -3594,6 +3595,7 @@ int gr_gk20a_add_zbc(struct gk20a *g, struct gr_gk20a *gr,
        mutex_lock(&gr->zbc_lock);
        switch (zbc_val->type) {
        case GK20A_ZBC_TYPE_COLOR:
+               speculation_barrier();
                /* search existing tables */
                for (i = 0; i < gr->max_used_color_index; i++) {
 
@@ -3632,6 +3634,7 @@ int gr_gk20a_add_zbc(struct gk20a *g, struct gr_gk20a *gr,
                }
                break;
        case GK20A_ZBC_TYPE_DEPTH:
+               speculation_barrier();
                /* search existing tables */
                for (i = 0; i < gr->max_used_depth_index; i++) {