gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650050
Reviewed-by: Hayden Du <haydend@nvidia.com>
(cherry picked from commit f293fa670f)
Reviewed-on: https://git-master.nvidia.com/r/1650742
GVS: Gerrit_Virtual_Submit
Reviewed-by: Prabhu Kuttiyam <pkuttiyam@nvidia.com>
Tested-by: Prabhu Kuttiyam <pkuttiyam@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

drivers/gpu/nvgpu/gk20a/gr_gk20a.c

@@ -35,6 +35,8 @@
 #include <nvgpu/timers.h>
 #include <nvgpu/nvgpu_common.h>
 
+#include <asm/barrier.h>
+
 #include "gk20a.h"
 #include "kind_gk20a.h"
 #include "gr_ctx_gk20a.h"
@@ -4181,6 +4183,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
 				"invalid zbc color table index\n");
 			return -EINVAL;
 		}
+
+		speculation_barrier();
 		for (i = 0; i < GK20A_ZBC_COLOR_VALUE_SIZE; i++) {
 			query_params->color_l2[i] =
 				gr->zbc_col_tbl[index].color_l2[i];
@@ -4196,6 +4200,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
 				"invalid zbc depth table index\n");
 			return -EINVAL;
 		}
+
+		speculation_barrier();
 		query_params->depth = gr->zbc_dep_tbl[index].depth;
 		query_params->format = gr->zbc_dep_tbl[index].format;
 		query_params->ref_cnt = gr->zbc_dep_tbl[index].ref_cnt;