From 496757003302994f1136225b2f25e7599fc14eb5 Mon Sep 17 00:00:00 2001 From: Alex Waterman Date: Tue, 2 Jan 2018 15:20:46 -0800 Subject: gpu: nvgpu: add speculative load barrier (ctrl IOCTLs) Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem insert a speculation barrier. bug 2039126 CVE-2017-5753 Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f Signed-off-by: Alex Waterman Reviewed-on: https://git-master.nvidia.com/r/1640500 Reviewed-by: mobile promotions Tested-by: mobile promotions --- drivers/gpu/nvgpu/gk20a/gr_gk20a.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c index 0932778d..68ad7bcd 100644 --- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c @@ -3809,6 +3809,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr, "invalid zbc color table index"); return -EINVAL; } + + nvgpu_speculation_barrier(); for (i = 0; i < GK20A_ZBC_COLOR_VALUE_SIZE; i++) { query_params->color_l2[i] = gr->zbc_col_tbl[index].color_l2[i]; @@ -3824,6 +3826,8 @@ int gr_gk20a_query_zbc(struct gk20a *g, struct gr_gk20a *gr, "invalid zbc depth table index"); return -EINVAL; } + + nvgpu_speculation_barrier(); query_params->depth = gr->zbc_dep_tbl[index].depth; query_params->format = gr->zbc_dep_tbl[index].format; query_params->ref_cnt = gr->zbc_dep_tbl[index].ref_cnt; -- cgit v1.2.2