From 25aba34bbddc0080c8e12846596d07d09f186159 Mon Sep 17 00:00:00 2001
From: Alex Waterman <alexw@nvidia.com>
Date: Fri, 29 Dec 2017 14:54:14 -0800
Subject: gpu: nvgpu: add speculative load barrier (channel IOCTLs)

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: I6b8af794ea2156f0342ea6cc925051f49dbb1d6e
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640498
Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com>
Reviewed-by: Richard Zhao <rizhao@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
---
 drivers/gpu/nvgpu/gk20a/css_gr_gk20a.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'drivers/gpu/nvgpu/gk20a/css_gr_gk20a.c')

diff --git a/drivers/gpu/nvgpu/gk20a/css_gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/css_gr_gk20a.c
index 40529471..114386a2 100644
--- a/drivers/gpu/nvgpu/gk20a/css_gr_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/css_gr_gk20a.c
@@ -31,13 +31,13 @@
 #include <nvgpu/dma.h>
 #include <nvgpu/mm.h>
 #include <nvgpu/sizes.h>
+#include <nvgpu/barrier.h>
+#include <nvgpu/log.h>
+#include <nvgpu/bug.h>
 
 #include "gk20a.h"
 #include "css_gr_gk20a.h"
 
-#include <nvgpu/log.h>
-#include <nvgpu/bug.h>
-
 #include <nvgpu/hw/gk20a/hw_perf_gk20a.h>
 #include <nvgpu/hw/gk20a/hw_mc_gk20a.h>
 
@@ -501,6 +501,8 @@ int gr_gk20a_css_attach(struct channel_gk20a *ch,
 	    perfmon_count > CSS_MAX_PERFMON_IDS - CSS_FIRST_PERFMON_ID)
 		return -EINVAL;
 
+	nvgpu_speculation_barrier();
+
 	gr = &g->gr;
 
 	nvgpu_mutex_acquire(&gr->cs_lock);
-- 
cgit v1.2.2