media: isc: prevent speculative load related leak
James Huang [Thu, 1 Feb 2018 03:53:29 +0000 (11:53 +0800)]
Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: I3fdea370a0c713ec84dc3fb58fb6b9891880190a
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640354
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650059
(cherry picked from commit efac96bc2e7f333211bbcb7950a2ab1559890ff0)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682748
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

drivers/media/platform/tegra/auto/isc_mgr.c

index 2da29ab..c35e467 100644 (file)
@@ -38,6 +38,8 @@
 #include <media/isc-dev.h>
 #include <media/isc-mgr.h>
 
+#include <asm/barrier.h>
+
 #include "isc-mgr-priv.h"
 
 #define PW_ON(flag)    ((flag) ? 0 : 1)
@@ -247,6 +249,7 @@ int isc_mgr_power_up(struct isc_mgr_priv *isc_mgr, unsigned long arg)
                goto pwr_up_end;
 
        if (arg < pd->num_pwr_gpios) {
+               speculation_barrier();
                gpio_set_value(pd->pwr_gpios[arg], PW_ON(pd->pwr_flags[arg]));
                isc_mgr->pwr_state |= BIT(arg);
                return 0;
@@ -271,6 +274,7 @@ int isc_mgr_power_down(struct isc_mgr_priv *isc_mgr, unsigned long arg)
        dev_dbg(isc_mgr->dev, "%s - %lx\n", __func__, arg);
 
        if (arg < pd->num_pwr_gpios) {
+               speculation_barrier();
                gpio_set_value(pd->pwr_gpios[arg], PW_OFF(pd->pwr_flags[arg]));
                isc_mgr->pwr_state &= ~BIT(arg);
                return 0;