From 25aba34bbddc0080c8e12846596d07d09f186159 Mon Sep 17 00:00:00 2001
From: Alex Waterman <alexw@nvidia.com>
Date: Fri, 29 Dec 2017 14:54:14 -0800
Subject: gpu: nvgpu: add speculative load barrier (channel IOCTLs)

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: I6b8af794ea2156f0342ea6cc925051f49dbb1d6e
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640498
Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com>
Reviewed-by: Richard Zhao <rizhao@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
---
 drivers/gpu/nvgpu/common/linux/ioctl_channel.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'drivers/gpu/nvgpu/common/linux/ioctl_channel.c')

diff --git a/drivers/gpu/nvgpu/common/linux/ioctl_channel.c b/drivers/gpu/nvgpu/common/linux/ioctl_channel.c
index e8f4c14b..b7856ca0 100644
--- a/drivers/gpu/nvgpu/common/linux/ioctl_channel.c
+++ b/drivers/gpu/nvgpu/common/linux/ioctl_channel.c
@@ -31,6 +31,7 @@
 #include <nvgpu/debug.h>
 #include <nvgpu/enabled.h>
 #include <nvgpu/error_notifier.h>
+#include <nvgpu/barrier.h>
 
 #include "gk20a/gk20a.h"
 #include "gk20a/dbg_gpu_gk20a.h"
@@ -368,6 +369,8 @@ static int gk20a_init_error_notifier(struct channel_gk20a *ch,
 		return -EINVAL;
 	}
 
+	nvgpu_speculation_barrier();
+
 	/* map handle */
 	va = dma_buf_vmap(dmabuf);
 	if (!va) {
@@ -661,6 +664,8 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
 			return -EINVAL;
 		}
 
+		nvgpu_speculation_barrier();
+
 		notif = dma_buf_vmap(dmabuf);
 		if (!notif) {
 			nvgpu_err(g, "failed to map notifier memory");
-- 
cgit v1.2.2