From 0eb5e1ea3339a378f8150cdf9592ece4193f3850 Mon Sep 17 00:00:00 2001
From: Jeetesh Burman <jburman@nvidia.com>
Date: Thu, 19 Apr 2018 21:16:37 +0530
Subject: gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640500
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650050
(cherry picked from commit f293fa670fd2f4fbe170f1e372e9aa237283c67a)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682715
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698610
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
---
 drivers/gpu/nvgpu/gk20a/gr_gk20a.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
index 9e032e03a153..db34cc0e85e9 100644
--- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
@@ -26,6 +26,7 @@
 #include <linux/dma-mapping.h>
 #include <linux/firmware.h>
 #include <linux/nvhost.h>
+#include <asm/barrier.h>
 
 #include "gk20a.h"
 #include "kind_gk20a.h"
@@ -3594,6 +3595,7 @@ int gr_gk20a_add_zbc(struct gk20a *g, struct gr_gk20a *gr,
 	mutex_lock(&gr->zbc_lock);
 	switch (zbc_val->type) {
 	case GK20A_ZBC_TYPE_COLOR:
+		speculation_barrier();
 		/* search existing tables */
 		for (i = 0; i < gr->max_used_color_index; i++) {
 
@@ -3632,6 +3634,7 @@ int gr_gk20a_add_zbc(struct gk20a *g, struct gr_gk20a *gr,
 		}
 		break;
 	case GK20A_ZBC_TYPE_DEPTH:
+		speculation_barrier();
 		/* search existing tables */
 		for (i = 0; i < gr->max_used_depth_index; i++) {
 
-- 
cgit v1.2.3