gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)

Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem insert a speculation barrier. bug 2039126 CVE-2017-5753 Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f Signed-off-by: Alex Waterman <alexw@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/1640500 Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com> Tested-by: mobile promotions <svcmobile_promotions@nvidia.com> Signed-off-by: James Huang <jamehuang@nvidia.com> Reviewed-on: https://git-master.nvidia.com/r/1650050 GVS: Gerrit_Virtual_Submit Reviewed-by: Hayden Du <haydend@nvidia.com>
2025-12-24 02:22:34 +03:00 · 2018-02-01 14:58:59 +08:00
parent 85494f6428
commit f293fa670f
1 changed files with 6 additions and 0 deletions
--- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
@@ -35,6 +35,8 @@
 #include <nvgpu/timers.h>
 #include <nvgpu/nvgpu_common.h>

+#include <asm/barrier.h>
+
 #include "gk20a.h"
 #include "kind_gk20a.h"
 #include "gr_ctx_gk20a.h"
@@ -4181,6 +4183,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
 				"invalid zbc color table index\n");
 			return -EINVAL;
 		}
+
+		speculation_barrier();
 		for (i = 0; i < GK20A_ZBC_COLOR_VALUE_SIZE; i++) {
 			query_params->color_l2[i] =
 				gr->zbc_col_tbl[index].color_l2[i];
@@ -4196,6 +4200,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
 				"invalid zbc depth table index\n");
 			return -EINVAL;
 		}
+
+		speculation_barrier();
 		query_params->depth = gr->zbc_dep_tbl[index].depth;
 		query_params->format = gr->zbc_dep_tbl[index].format;
 		query_params->ref_cnt = gr->zbc_dep_tbl[index].ref_cnt;