gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)
James Huang [Thu, 1 Feb 2018 06:58:59 +0000 (14:58 +0800)]
Data can be speculatively loaded from memory and stay in the cache even
when a bounds check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640500
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650050
(cherry picked from commit f293fa670fd2f4fbe170f1e372e9aa237283c67a)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682715
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

drivers/gpu/nvgpu/gk20a/gr_gk20a.c

index e515cbe..7a87b85 100644 (file)
@@ -29,6 +29,8 @@
 #include <linux/nvhost.h>
 #include <trace/events/gk20a.h>
 
+#include <asm/barrier.h>
+
 #include "gk20a.h"
 #include "kind_gk20a.h"
 #include "gr_ctx_gk20a.h"
@@ -3647,6 +3649,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
                                "invalid zbc color table index\n");
                        return -EINVAL;
                }
+
+               speculation_barrier();
                for (i = 0; i < GK20A_ZBC_COLOR_VALUE_SIZE; i++) {
                        query_params->color_l2[i] =
                                gr->zbc_col_tbl[index].color_l2[i];
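Review bot: Neither `speculation_barrier()` call (here in the color-table branch, and again in the depth-table branch in the next hunk) carries a comment, so the call site does not say which bounds check it pairs with or why it must stay between that check and the first `gr->zbc_col_tbl[index]` / `gr->zbc_dep_tbl[index]` read. I would add `/* Spectre v1 (CVE-2017-5753): no speculative table read with an unchecked index */` above each call, so a later refactor does not move the barrier or the loads. If the target kernel provides `array_index_nospec()` from `<linux/nospec.h>`, clamping `index` right after the check would tie the mitigation to the index itself rather than to statement order; whether that helper is available in this tree cannot be confirmed from the page. The body of `gr_gk20a_query_zbc` starts and ends outside both hunks, so any other branch that indexes these tables with a caller-supplied value is not visible here and should be checked for the same pattern.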
@@ -3662,6 +3666,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
                                "invalid zbc depth table index\n");
                        return -EINVAL;
                }
+
+               speculation_barrier();
                query_params->depth = gr->zbc_dep_tbl[index].depth;
                query_params->format = gr->zbc_dep_tbl[index].format;
                query_params->ref_cnt = gr->zbc_dep_tbl[index].ref_cnt;