diff options
author | Jeetesh Burman <jburman@nvidia.com> | 2018-04-19 21:27:20 +0530 |
---|---|---|
committer | Winnie Hsu <whsu@nvidia.com> | 2018-04-28 23:31:29 -0700 |
commit | db28d5d9c87a31dd53716ab2bad7a1571212f7e8 (patch) | |
tree | 07b12e6020b84c1db10c42004a7eccc769aa8b3e /drivers | |
parent | 0eb5e1ea3339a378f8150cdf9592ece4193f3850 (diff) |
host1x: prevent speculative load related leak
Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.
To mitigate this problem, insert speculation barrier.
bug 2039126
CVE-2017-5753
Change-Id: Ifc618c00cee497e6d84cac01a9b73fcecbe8f260
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650036
(cherry picked from commit 164f8684deb5b15a53c60a60c7d9b8e3bf5af5be)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682714
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698611
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/video/tegra/host/host1x/host1x.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/video/tegra/host/host1x/host1x.c b/drivers/video/tegra/host/host1x/host1x.c index 522219484286..6af16bab059c 100644 --- a/drivers/video/tegra/host/host1x/host1x.c +++ b/drivers/video/tegra/host/host1x/host1x.c @@ -33,6 +33,8 @@ #include <linux/tegra-soc.h> #include <linux/tegra_pm_domains.h> +#include <linux/version.h> +#include <asm/barrier.h> #include "dev.h" #include <trace/events/nvhost.h> @@ -267,6 +269,8 @@ static int nvhost_ioctl_ctrl_module_mutex(struct nvhost_ctrl_userctx *ctx, args->lock > 1) return -EINVAL; + speculation_barrier(); + trace_nvhost_ioctl_ctrl_module_mutex(args->lock, args->id); if (args->lock && !ctx->mod_locks[args->id]) { if (args->id == 0) @@ -379,6 +383,7 @@ static int nvhost_ioctl_ctrl_syncpt_read_max(struct nvhost_ctrl_userctx *ctx, { if (args->id >= nvhost_syncpt_nb_pts(&ctx->dev->syncpt)) return -EINVAL; + speculation_barrier(); args->value = nvhost_syncpt_read_max(&ctx->dev->syncpt, args->id); return 0; } |