gpu: nvgpu: add speculative load barrier (dbg IOCTLs)

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: I982225e754cc5d430c19f4cc542302e52243bd38
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640501
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

1 files changed, 6 insertions, 1 deletions

diff --git a/drivers/gpu/nvgpu/common/linux/ioctl_dbg.c b/drivers/gpu/nvgpu/common/linux/ioctl_dbg.c
index ebb869c3..eb6156da 100644
--- a/drivers/gpu/nvgpu/common/linux/ioctl_dbg.c
+++ b/drivers/gpu/nvgpu/common/linux/ioctl_dbg.c
@@ -256,6 +256,8 @@ static int nvgpu_dbg_gpu_ioctl_write_single_sm_error_state(
         if (sm_id >= gr->no_of_sm)
                 return -EINVAL;
 
+        nvgpu_speculation_barrier();
+
         if (args->sm_error_state_record_size > 0) {
                 size_t read_size = sizeof(sm_error_state_record);
 
@@ -312,6 +314,8 @@ static int nvgpu_dbg_gpu_ioctl_read_single_sm_error_state(
         if (sm_id >= gr->no_of_sm)
                 return -EINVAL;
 
+        nvgpu_speculation_barrier();
+
         sm_error_state = gr->sm_error_states + sm_id;
         sm_error_state_record.hww_global_esr =
                 sm_error_state->hww_global_esr;
@@ -1432,10 +1436,11 @@ static int nvgpu_dbg_gpu_ioctl_clear_single_sm_error_state(
                 return -EINVAL;
 
         sm_id = args->sm_id;
-
         if (sm_id >= gr->no_of_sm)
                 return -EINVAL;
 
+        nvgpu_speculation_barrier();
+
         err = gk20a_busy(g);
         if (err)
                 return err;