From 55f8ac57b99a64f0053fcd1e91ab709777be5fba Mon Sep 17 00:00:00 2001
From: James Huang <jamehuang@nvidia.com>
Date: Thu, 1 Feb 2018 14:58:59 +0800
Subject: [PATCH] gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650050
Reviewed-by: Hayden Du <haydend@nvidia.com>
(cherry picked from commit f293fa670fd2f4fbe170f1e372e9aa237283c67a)
Reviewed-on: https://git-master.nvidia.com/r/1650742
GVS: Gerrit_Virtual_Submit
Reviewed-by: Prabhu Kuttiyam <pkuttiyam@nvidia.com>
Tested-by: Prabhu Kuttiyam <pkuttiyam@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
---
 drivers/gpu/nvgpu/gk20a/gr_gk20a.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
index 58c11a305..879349a73 100644
--- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
@@ -35,6 +35,8 @@
 #include <nvgpu/timers.h>
 #include <nvgpu/nvgpu_common.h>
 
+#include <asm/barrier.h>
+
 #include "gk20a.h"
 #include "kind_gk20a.h"
 #include "gr_ctx_gk20a.h"
@@ -4181,6 +4183,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
 				"invalid zbc color table index\n");
 			return -EINVAL;
 		}
+
+		speculation_barrier();
 		for (i = 0; i < GK20A_ZBC_COLOR_VALUE_SIZE; i++) {
 			query_params->color_l2[i] =
 				gr->zbc_col_tbl[index].color_l2[i];
@@ -4196,6 +4200,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
 				"invalid zbc depth table index\n");
 			return -EINVAL;
 		}
+
+		speculation_barrier();
 		query_params->depth = gr->zbc_dep_tbl[index].depth;
 		query_params->format = gr->zbc_dep_tbl[index].format;
 		query_params->ref_cnt = gr->zbc_dep_tbl[index].ref_cnt;