From db28d5d9c87a31dd53716ab2bad7a1571212f7e8 Mon Sep 17 00:00:00 2001 From: Jeetesh Burman Date: Thu, 19 Apr 2018 21:27:20 +0530 Subject: host1x: prevent speculative load related leak Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem, insert speculation barrier. bug 2039126 CVE-2017-5753 Change-Id: Ifc618c00cee497e6d84cac01a9b73fcecbe8f260 Signed-off-by: David Gilhooley Signed-off-by: James Huang Reviewed-on: https://git-master.nvidia.com/r/1650036 (cherry picked from commit 164f8684deb5b15a53c60a60c7d9b8e3bf5af5be) Signed-off-by: Jeetesh Burman Reviewed-on: https://git-master.nvidia.com/r/1682714 Signed-off-by: Jeetesh Burman Reviewed-on: https://git-master.nvidia.com/r/1698611 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu Tested-by: Bibek Basu --- drivers/video/tegra/host/host1x/host1x.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/video/tegra/host/host1x/host1x.c b/drivers/video/tegra/host/host1x/host1x.c index 522219484286..6af16bab059c 100644 --- a/drivers/video/tegra/host/host1x/host1x.c +++ b/drivers/video/tegra/host/host1x/host1x.c @@ -33,6 +33,8 @@ #include #include +#include +#include #include "dev.h" #include @@ -267,6 +269,8 @@ static int nvhost_ioctl_ctrl_module_mutex(struct nvhost_ctrl_userctx *ctx, args->lock > 1) return -EINVAL; + speculation_barrier(); + trace_nvhost_ioctl_ctrl_module_mutex(args->lock, args->id); if (args->lock && !ctx->mod_locks[args->id]) { if (args->id == 0) @@ -379,6 +383,7 @@ static int nvhost_ioctl_ctrl_syncpt_read_max(struct nvhost_ctrl_userctx *ctx, { if (args->id >= nvhost_syncpt_nb_pts(&ctx->dev->syncpt)) return -EINVAL; + speculation_barrier(); args->value = nvhost_syncpt_read_max(&ctx->dev->syncpt, args->id); return 0; } -- cgit v1.2.3