From ee9694a67b221fd0884af62b0b1fa31aba176785 Mon Sep 17 00:00:00 2001
From: Alex Waterman
Date: Tue, 2 Jan 2018 16:57:36 -0800
Subject: gpu: nvgpu: add speculative load barrier (dbg IOCTLs)

Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: I982225e754cc5d430c19f4cc542302e52243bd38
Signed-off-by: Alex Waterman
Reviewed-on: https://git-master.nvidia.com/r/1640501
Reviewed-by: mobile promotions
Tested-by: mobile promotions
---
 drivers/gpu/nvgpu/common/linux/ioctl_dbg.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/nvgpu/common/linux/ioctl_dbg.c b/drivers/gpu/nvgpu/common/linux/ioctl_dbg.c
index ebb869c3..eb6156da 100644
--- a/drivers/gpu/nvgpu/common/linux/ioctl_dbg.c
+++ b/drivers/gpu/nvgpu/common/linux/ioctl_dbg.c
@@ -256,6 +256,8 @@ static int nvgpu_dbg_gpu_ioctl_write_single_sm_error_state(
 if (sm_id >= gr->no_of_sm)
 return -EINVAL;
+ nvgpu_speculation_barrier();
+
 if (args->sm_error_state_record_size > 0) {
 size_t read_size = sizeof(sm_error_state_record);
@@ -312,6 +314,8 @@ static int nvgpu_dbg_gpu_ioctl_read_single_sm_error_state(
 if (sm_id >= gr->no_of_sm)
 return -EINVAL;
+ nvgpu_speculation_barrier();
+
 sm_error_state = gr->sm_error_states + sm_id;
 sm_error_state_record.hww_global_esr = sm_error_state->hww_global_esr;
@@ -1432,10 +1436,11 @@ static int nvgpu_dbg_gpu_ioctl_clear_single_sm_error_state(
 return -EINVAL;
 sm_id = args->sm_id;
-
 if (sm_id >= gr->no_of_sm)
 return -EINVAL;
+ nvgpu_speculation_barrier();
+
 err = gk20a_busy(g);
 if (err)
 return err;
-- 
cgit v1.2.2
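Review bot: The barrier added after the `sm_id >= gr->no_of_sm` check in nvgpu_dbg_gpu_ioctl_write_single_sm_error_state carries no comment saying which access it protects, and the same holds for the barriers added in the read and clear handlers. A bare `nvgpu_speculation_barrier();` is position-sensitive, so a later cleanup that moves code between the check and the indexed access, or drops the call as apparently redundant, would silently undo the CVE-2017-5753 mitigation. I would put `/* Spectre v1: the sm_id bounds check must resolve before sm_id is used as an index */` above each of the three calls. The function bodies start and end outside the hunks, so in the write and clear paths the indexed access itself is not visible here.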
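Review bot: In nvgpu_dbg_gpu_ioctl_read_single_sm_error_state the protection relies on the barrier staying between the bounds check and `gr->sm_error_states + sm_id`; clamping the index itself would be more robust and avoids a full serialising barrier on every call. Where the target kernel provides `<linux/nospec.h>`, `sm_id = array_index_nospec(sm_id, gr->no_of_sm);` placed directly after the `return -EINVAL;` ties the mitigation to the value rather than to statement order. The same would apply to the write and clear handlers, whose uses of sm_id lie outside their hunks. Whether that header is available in this tree cannot be told from the patch, so the barrier may be the only option for now.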