gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640500
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

1 files changed, 4 insertions, 0 deletions

diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
index 0932778d..68ad7bcd 100644
--- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
@@ -3809,6 +3809,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
                                 "invalid zbc color table index");
                         return -EINVAL;
                 }
+
+                nvgpu_speculation_barrier();
                 for (i = 0; i < GK20A_ZBC_COLOR_VALUE_SIZE; i++) {
                         query_params->color_l2[i] =
                                 gr->zbc_col_tbl[index].color_l2[i];
@@ -3824,6 +3826,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr,
                                 "invalid zbc depth table index");
                         return -EINVAL;
                 }
+
+                nvgpu_speculation_barrier();
                 query_params->depth = gr->zbc_dep_tbl[index].depth;
                 query_params->format = gr->zbc_dep_tbl[index].format;
                 query_params->ref_cnt = gr->zbc_dep_tbl[index].ref_cnt;