From d56b0972b07c3f70456dee48c620a1469931ffd7 Mon Sep 17 00:00:00 2001
From: David Gilhooley
Date: Thu, 29 Mar 2018 14:27:38 -0700
Subject: [PATCH] platform: nvadsp: prevent speculative load related leak
Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem, use array_index_nospec.
Bug 2060857 CVE-2017-5753
Change-Id: I3b79ab2df0cff5eb7f94f8056cfdfb98ac69037a
Signed-off-by: David Gilhooley
Reviewed-on: https://git-master.nvidia.com/r/1684649
Reviewed-by: Bo Yan
Reviewed-by: svc-mobile-coverity
GVS: Gerrit_Virtual_Submit
Reviewed-by: mobile promotions
Tested-by: mobile promotions
---
 drivers/platform/tegra/nvadsp/mailbox.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/tegra/nvadsp/mailbox.c b/drivers/platform/tegra/nvadsp/mailbox.c
index 753265a7..3b197a6e 100644
--- a/drivers/platform/tegra/nvadsp/mailbox.c
+++ b/drivers/platform/tegra/nvadsp/mailbox.c
@@ -14,6 +14,7 @@
 */
 #include "dev.h"
+#include
 #include
 #define NVADSP_MAILBOX_START 512
@@ -187,7 +188,9 @@ status_t nvadsp_mbox_open(struct nvadsp_mbox *mbox, uint16_t *mid,
 ret = -ERANGE;
 goto out;
 }
- speculation_barrier();
+
+ *mid = array_index_nospec(*mid, NVADSP_MAILBOX_MAX);
+
 if (nvadsp_drv_data->mboxes[*mid]) {
 pr_debug("%s: mailbox %d already opened.\n",
 __func__, *mid);
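Review bot: After the clamp in the second hunk, `nvadsp_drv_data->mboxes[*mid]` and the `pr_debug` below it still read the index back through the caller's pointer, so the value that was range-checked, the value that was clamped and the value that is used are three separate loads of `*mid`. Clamping into a local and indexing with that local keeps them the same object: `uint16_t id = array_index_nospec(*mid, NVADSP_MAILBOX_MAX);` followed by `nvadsp_drv_data->mboxes[id]`. The range check guarding this path starts above the hunk, so it is worth confirming that its bound is the same `NVADSP_MAILBOX_MAX` passed here and that it equals the number of entries in `mboxes[]`, since `array_index_nospec` only helps when all three agree. A one-line comment such as `/* Spectre v1: clamp index under speculation; bound must match the range check above */` would stop a later edit from changing one without the other. The body of nvadsp_mbox_open begins before and continues past this hunk.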