gpu: nvgpu: add speculative load barrier (channel IOCTLs)

Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem insert a speculation barrier. bug 2039126 CVE-2017-5753 Change-Id: I6b8af794ea2156f0342ea6cc925051f49dbb1d6e Signed-off-by: Alex Waterman <alexw@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/1640498 Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com> Reviewed-by: Richard Zhao <rizhao@nvidia.com> GVS: Gerrit_Virtual_Submit Reviewed-by: Konsta Holtta <kholtta@nvidia.com> Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com> Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com> Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
2025-12-24 10:34:43 +03:00 · 2017-12-29 14:54:14 -08:00
parent 43dbbaaad7
commit 25aba34bbd
2 changed files with 10 additions and 3 deletions
--- a/drivers/gpu/nvgpu/common/linux/ioctl_channel.c
+++ b/drivers/gpu/nvgpu/common/linux/ioctl_channel.c
@@ -31,6 +31,7 @@
 #include <nvgpu/debug.h>
 #include <nvgpu/enabled.h>
 #include <nvgpu/error_notifier.h>
+#include <nvgpu/barrier.h>

 #include "gk20a/gk20a.h"
 #include "gk20a/dbg_gpu_gk20a.h"
@@ -368,6 +369,8 @@ static int gk20a_init_error_notifier(struct channel_gk20a *ch,
 		return -EINVAL;
 	}

+	nvgpu_speculation_barrier();
+
 	/* map handle */
 	va = dma_buf_vmap(dmabuf);
 	if (!va) {
@@ -661,6 +664,8 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
 			return -EINVAL;
 		}

+		nvgpu_speculation_barrier();
+
 		notif = dma_buf_vmap(dmabuf);
 		if (!notif) {
 			nvgpu_err(g, "failed to map notifier memory");