From f293fa670fd2f4fbe170f1e372e9aa237283c67a Mon Sep 17 00:00:00 2001
From: James Huang
Date: Thu, 1 Feb 2018 14:58:59 +0800
Subject: [PATCH] gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)

Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem insert a speculation barrier.
bug 2039126
CVE-2017-5753
Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f
Signed-off-by: Alex Waterman
Reviewed-on: https://git-master.nvidia.com/r/1640500
Reviewed-by: mobile promotions
Tested-by: mobile promotions
Signed-off-by: James Huang
Reviewed-on: https://git-master.nvidia.com/r/1650050
GVS: Gerrit_Virtual_Submit
Reviewed-by: Hayden Du
---
 drivers/gpu/nvgpu/gk20a/gr_gk20a.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
index 58c11a305..879349a73 100644
--- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
@@ -35,6 +35,8 @@ #include #include +#include + #include "gk20a.h" #include "kind_gk20a.h" #include "gr_ctx_gk20a.h"
@@ -4181,6 +4183,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
 "invalid zbc color table index\n");
 return -EINVAL;
 }
+
+ speculation_barrier();
 for (i = 0; i < GK20A_ZBC_COLOR_VALUE_SIZE; i++) {
 query_params->color_l2[i] =
 gr->zbc_col_tbl[index].color_l2[i];
@@ -4196,6 +4200,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
 "invalid zbc depth table index\n");
 return -EINVAL;
 }
+
+ speculation_barrier();
 query_params->depth = gr->zbc_dep_tbl[index].depth;
 query_params->format = gr->zbc_dep_tbl[index].format;
 query_params->ref_cnt = gr->zbc_dep_tbl[index].ref_cnt;
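Review bot: The two `speculation_barrier();` calls added in gr_gk20a_query_zbc (after the color-table check at -4181 and the depth-table check at -4196) carry no comment, so nothing tells a later editor that each must stay between the `index` bounds check and the `gr->zbc_col_tbl[index]` / `gr->zbc_dep_tbl[index]` reads that follow it. I would add `/* Spectre v1 (CVE-2017-5753): no speculative table read before the index check above resolves */` above each call. Where the target kernel provides `array_index_nospec()` from `<linux/nospec.h>`, `index = array_index_nospec(index, <bound used by the check above>);` would tie the mitigation to the index itself and survive code motion; whether this tree has that helper is not visible here. The function starts and ends outside both hunks, so any other lookup keyed by `index` in it cannot be checked from this page and should be reviewed for the same pattern.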