gpu: nvgpu: add speculative load barrier (dbg IOCTLs)

Data can be speculatively loaded from memory and stay in the cache even
when a bounds check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: I982225e754cc5d430c19f4cc542302e52243bd38
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640501
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Alex Waterman
2018-01-02 16:57:36 -08:00
committed by mobile promotions
parent 4967570033
commit ee9694a67b


@@ -256,6 +256,8 @@ static int nvgpu_dbg_gpu_ioctl_write_single_sm_error_state(
if (sm_id >= gr->no_of_sm)
return -EINVAL;
nvgpu_speculation_barrier();
if (args->sm_error_state_record_size > 0) {
size_t read_size = sizeof(sm_error_state_record);
@@ -312,6 +314,8 @@ static int nvgpu_dbg_gpu_ioctl_read_single_sm_error_state(
if (sm_id >= gr->no_of_sm)
return -EINVAL;
nvgpu_speculation_barrier();
sm_error_state = gr->sm_error_states + sm_id;
sm_error_state_record.hww_global_esr =
sm_error_state->hww_global_esr;
@@ -1432,10 +1436,11 @@ static int nvgpu_dbg_gpu_ioctl_clear_single_sm_error_state(
return -EINVAL;
sm_id = args->sm_id;
if (sm_id >= gr->no_of_sm)
return -EINVAL;
nvgpu_speculation_barrier();
err = gk20a_busy(g);
if (err)
return err;
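Review bot: The three `nvgpu_speculation_barrier()` calls are added without a comment, and each one is only effective while it sits between the `sm_id >= gr->no_of_sm` check and the first use of `sm_id` as an index, as in the read handler's `gr->sm_error_states + sm_id`. I would put a short comment above each call, for example `/* Spectre v1 (CVE-2017-5753): no speculative use of sm_id past the bounds check above */`, so a later refactor does not move the access above the barrier or drop the call as dead code. In the write and clear handlers the indexed access lies outside the displayed hunks, and all three function bodies start and end outside them, so the placement relative to the first indexed use could only be confirmed for the read handler.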