From 37b8298a48ec65ca78048e68c8c3e1a060b8fb63 Mon Sep 17 00:00:00 2001
From: Alex Waterman <alexw@nvidia.com>
Date: Wed, 3 Jan 2018 14:57:34 -0800
Subject: gpu: nvgpu: add speculative load barrier (sched IOCTLs)

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Iec23eb75ce2a9251c8a5c8cbdd21a32910e1a71a
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640502
Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com>
Reviewed-by: Richard Zhao <rizhao@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
---
 drivers/gpu/nvgpu/common/linux/sched.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'drivers/gpu')

diff --git a/drivers/gpu/nvgpu/common/linux/sched.c b/drivers/gpu/nvgpu/common/linux/sched.c
index e6211790..a7da020c 100644
--- a/drivers/gpu/nvgpu/common/linux/sched.c
+++ b/drivers/gpu/nvgpu/common/linux/sched.c
@@ -22,6 +22,7 @@
 #include <nvgpu/kmem.h>
 #include <nvgpu/log.h>
 #include <nvgpu/bug.h>
+#include <nvgpu/barrier.h>
 
 #include "gk20a/gk20a.h"
 #include "gk20a/gr_gk20a.h"
@@ -190,6 +191,8 @@ static int gk20a_sched_dev_ioctl_get_params(struct gk20a_sched_ctrl *sched,
 	if (tsgid >= f->num_channels)
 		return -EINVAL;
 
+	nvgpu_speculation_barrier();
+
 	tsg = &f->tsg[tsgid];
 	if (!nvgpu_ref_get_unless_zero(&tsg->refcount))
 		return -ENXIO;
@@ -223,6 +226,8 @@ static int gk20a_sched_dev_ioctl_tsg_set_timeslice(
 	if (tsgid >= f->num_channels)
 		return -EINVAL;
 
+	nvgpu_speculation_barrier();
+
 	tsg = &f->tsg[tsgid];
 	if (!nvgpu_ref_get_unless_zero(&tsg->refcount))
 		return -ENXIO;
@@ -256,6 +261,8 @@ static int gk20a_sched_dev_ioctl_tsg_set_runlist_interleave(
 	if (tsgid >= f->num_channels)
 		return -EINVAL;
 
+	nvgpu_speculation_barrier();
+
 	tsg = &f->tsg[tsgid];
 	if (!nvgpu_ref_get_unless_zero(&tsg->refcount))
 		return -ENXIO;
@@ -316,6 +323,8 @@ static int gk20a_sched_dev_ioctl_get_tsg(struct gk20a_sched_ctrl *sched,
 	if (tsgid >= f->num_channels)
 		return -EINVAL;
 
+	nvgpu_speculation_barrier();
+
 	tsg = &f->tsg[tsgid];
 	if (!nvgpu_ref_get_unless_zero(&tsg->refcount))
 		return -ENXIO;
@@ -351,6 +360,8 @@ static int gk20a_sched_dev_ioctl_put_tsg(struct gk20a_sched_ctrl *sched,
 	if (tsgid >= f->num_channels)
 		return -EINVAL;
 
+	nvgpu_speculation_barrier();
+
 	nvgpu_mutex_acquire(&sched->status_lock);
 	if (!NVGPU_SCHED_ISSET(tsgid, sched->ref_tsg_bitmap)) {
 		nvgpu_mutex_release(&sched->status_lock);
-- 
cgit v1.2.2