diff options
author | Alex Waterman <alexw@nvidia.com> | 2018-01-03 17:57:34 -0500 |
---|---|---|
committer | mobile promotions <svcmobile_promotions@nvidia.com> | 2018-01-25 17:25:47 -0500 |
commit | 37b8298a48ec65ca78048e68c8c3e1a060b8fb63 (patch) | |
tree | 762777e70ca5d0b0fedf8cb1968060628a54659d /drivers | |
parent | ee9694a67b221fd0884af62b0b1fa31aba176785 (diff) |
gpu: nvgpu: add speculative load barrier (sched IOCTLs)
Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.
To mitigate this problem insert a speculation barrier.
bug 2039126
CVE-2017-5753
Change-Id: Iec23eb75ce2a9251c8a5c8cbdd21a32910e1a71a
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640502
Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com>
Reviewed-by: Richard Zhao <rizhao@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/gpu/nvgpu/common/linux/sched.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/drivers/gpu/nvgpu/common/linux/sched.c b/drivers/gpu/nvgpu/common/linux/sched.c index e6211790..a7da020c 100644 --- a/drivers/gpu/nvgpu/common/linux/sched.c +++ b/drivers/gpu/nvgpu/common/linux/sched.c | |||
@@ -22,6 +22,7 @@ | |||
22 | #include <nvgpu/kmem.h> | 22 | #include <nvgpu/kmem.h> |
23 | #include <nvgpu/log.h> | 23 | #include <nvgpu/log.h> |
24 | #include <nvgpu/bug.h> | 24 | #include <nvgpu/bug.h> |
25 | #include <nvgpu/barrier.h> | ||
25 | 26 | ||
26 | #include "gk20a/gk20a.h" | 27 | #include "gk20a/gk20a.h" |
27 | #include "gk20a/gr_gk20a.h" | 28 | #include "gk20a/gr_gk20a.h" |
@@ -190,6 +191,8 @@ static int gk20a_sched_dev_ioctl_get_params(struct gk20a_sched_ctrl *sched, | |||
190 | if (tsgid >= f->num_channels) | 191 | if (tsgid >= f->num_channels) |
191 | return -EINVAL; | 192 | return -EINVAL; |
192 | 193 | ||
194 | nvgpu_speculation_barrier(); | ||
195 | |||
193 | tsg = &f->tsg[tsgid]; | 196 | tsg = &f->tsg[tsgid]; |
194 | if (!nvgpu_ref_get_unless_zero(&tsg->refcount)) | 197 | if (!nvgpu_ref_get_unless_zero(&tsg->refcount)) |
195 | return -ENXIO; | 198 | return -ENXIO; |
@@ -223,6 +226,8 @@ static int gk20a_sched_dev_ioctl_tsg_set_timeslice( | |||
223 | if (tsgid >= f->num_channels) | 226 | if (tsgid >= f->num_channels) |
224 | return -EINVAL; | 227 | return -EINVAL; |
225 | 228 | ||
229 | nvgpu_speculation_barrier(); | ||
230 | |||
226 | tsg = &f->tsg[tsgid]; | 231 | tsg = &f->tsg[tsgid]; |
227 | if (!nvgpu_ref_get_unless_zero(&tsg->refcount)) | 232 | if (!nvgpu_ref_get_unless_zero(&tsg->refcount)) |
228 | return -ENXIO; | 233 | return -ENXIO; |
@@ -256,6 +261,8 @@ static int gk20a_sched_dev_ioctl_tsg_set_runlist_interleave( | |||
256 | if (tsgid >= f->num_channels) | 261 | if (tsgid >= f->num_channels) |
257 | return -EINVAL; | 262 | return -EINVAL; |
258 | 263 | ||
264 | nvgpu_speculation_barrier(); | ||
265 | |||
259 | tsg = &f->tsg[tsgid]; | 266 | tsg = &f->tsg[tsgid]; |
260 | if (!nvgpu_ref_get_unless_zero(&tsg->refcount)) | 267 | if (!nvgpu_ref_get_unless_zero(&tsg->refcount)) |
261 | return -ENXIO; | 268 | return -ENXIO; |
@@ -316,6 +323,8 @@ static int gk20a_sched_dev_ioctl_get_tsg(struct gk20a_sched_ctrl *sched, | |||
316 | if (tsgid >= f->num_channels) | 323 | if (tsgid >= f->num_channels) |
317 | return -EINVAL; | 324 | return -EINVAL; |
318 | 325 | ||
326 | nvgpu_speculation_barrier(); | ||
327 | |||
319 | tsg = &f->tsg[tsgid]; | 328 | tsg = &f->tsg[tsgid]; |
320 | if (!nvgpu_ref_get_unless_zero(&tsg->refcount)) | 329 | if (!nvgpu_ref_get_unless_zero(&tsg->refcount)) |
321 | return -ENXIO; | 330 | return -ENXIO; |
@@ -351,6 +360,8 @@ static int gk20a_sched_dev_ioctl_put_tsg(struct gk20a_sched_ctrl *sched, | |||
351 | if (tsgid >= f->num_channels) | 360 | if (tsgid >= f->num_channels) |
352 | return -EINVAL; | 361 | return -EINVAL; |
353 | 362 | ||
363 | nvgpu_speculation_barrier(); | ||
364 | |||
354 | nvgpu_mutex_acquire(&sched->status_lock); | 365 | nvgpu_mutex_acquire(&sched->status_lock); |
355 | if (!NVGPU_SCHED_ISSET(tsgid, sched->ref_tsg_bitmap)) { | 366 | if (!NVGPU_SCHED_ISSET(tsgid, sched->ref_tsg_bitmap)) { |
356 | nvgpu_mutex_release(&sched->status_lock); | 367 | nvgpu_mutex_release(&sched->status_lock); |