gpu: nvgpu: add speculative load barrier (channel IOCTLs)

Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem insert a speculation barrier. bug 2039126 CVE-2017-5753 Change-Id: I6b8af794ea2156f0342ea6cc925051f49dbb1d6e Signed-off-by: Alex Waterman <alexw@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/1640498 Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com> Reviewed-by: Richard Zhao <rizhao@nvidia.com> GVS: Gerrit_Virtual_Submit Reviewed-by: Konsta Holtta <kholtta@nvidia.com> Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com> Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com> Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
2025-12-24 10:34:43 +03:00 · 2017-12-29 14:54:14 -08:00
parent 43dbbaaad7
commit 25aba34bbd
2 changed files with 10 additions and 3 deletions
--- a/drivers/gpu/nvgpu/gk20a/css_gr_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/css_gr_gk20a.c
@@ -31,13 +31,13 @@
 #include <nvgpu/dma.h>
 #include <nvgpu/mm.h>
 #include <nvgpu/sizes.h>
+#include <nvgpu/barrier.h>
+#include <nvgpu/log.h>
+#include <nvgpu/bug.h>

 #include "gk20a.h"
 #include "css_gr_gk20a.h"

-#include <nvgpu/log.h>
-#include <nvgpu/bug.h>
-
 #include <nvgpu/hw/gk20a/hw_perf_gk20a.h>
 #include <nvgpu/hw/gk20a/hw_mc_gk20a.h>

@@ -501,6 +501,8 @@ int gr_gk20a_css_attach(struct channel_gk20a *ch,
 	    perfmon_count > CSS_MAX_PERFMON_IDS - CSS_FIRST_PERFMON_ID)
 		return -EINVAL;

+	nvgpu_speculation_barrier();
+
 	gr = &g->gr;

 	nvgpu_mutex_acquire(&gr->cs_lock);