Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.
To mitigate this problem, insert speculation barrier.
Bug
1964290
CVE-2017-5753
Change-Id: I7382dbcc6e9f352fafd457301beafe753925f3c4
Signed-off-by: Hien Goi <hgoi@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/
1650791
Reviewed-by: Hayden Du <haydend@nvidia.com>
(cherry picked from commit
5cabd53985a30aa818896abdb64564a74c09ab9c)
Reviewed-on: https://git-master.nvidia.com/r/
1651418
Reviewed-by: Prabhu Kuttiyam <pkuttiyam@nvidia.com>
Tested-by: Prabhu Kuttiyam <pkuttiyam@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
#include <media/v4l2-dv-timings.h>
#include <media/v4l2-ctrls.h>
#include <media/ad9389b.h>
+#include <asm/barrier.h>
static int debug;
module_param(debug, int, 0644);
}
if (edid->start_block >= state->edid.segments * 2)
return -E2BIG;
+
+ speculation_barrier();
+
if (edid->blocks + edid->start_block >= state->edid.segments * 2)
edid->blocks = state->edid.segments * 2 - edid->start_block;
memcpy(edid->edid, &state->edid.data[edid->start_block * 128],
#include <media/v4l2-ctrls.h>
#include <media/v4l2-dv-timings.h>
#include <media/adv7511.h>
+#include <asm/barrier.h>
static int debug;
module_param(debug, int, 0644);
if (edid->start_block >= state->edid.segments * 2)
return -EINVAL;
+
+ speculation_barrier();
if (edid->start_block + edid->blocks > state->edid.segments * 2)
edid->blocks = state->edid.segments * 2 - edid->start_block;
#include <media/v4l2-event.h>
#include <media/v4l2-dv-timings.h>
#include <media/v4l2-of.h>
+#include <asm/barrier.h>
static int debug;
module_param(debug, int, 0644);
if (edid->start_block >= state->edid.blocks)
return -EINVAL;
+ speculation_barrier();
+
if (edid->start_block + edid->blocks > state->edid.blocks)
edid->blocks = state->edid.blocks - edid->start_block;
#include <media/v4l2-ctrls.h>
#include <media/v4l2-dv-timings.h>
#include <media/adv7842.h>
+#include <asm/barrier.h>
static int debug;
module_param(debug, int, 0644);
if (edid->start_block >= 2)
return -EINVAL;
+ speculation_barrier();
+
if (edid->start_block + edid->blocks > 2)
edid->blocks = 2 - edid->start_block;
#include <media/v4l2-mediabus.h>
#include <media/v4l2-of.h>
#include <media/v4l2-subdev.h>
+#include <asm/barrier.h>
#define DRIVER_NAME "ov2659"
if (fse->index >= ARRAY_SIZE(ov2659_framesizes))
return -EINVAL;
+ speculation_barrier();
+
while (--i)
if (fse->code == ov2659_formats[i].code)
break;
#include <media/v4l2-mediabus.h>
#include <media/v4l2-image-sizes.h>
#include <media/ov7670.h>
+#include <asm/barrier.h>
MODULE_AUTHOR("Jonathan Corbet <corbet@lwn.net>");
MODULE_DESCRIPTION("A low-level driver for OmniVision ov7670 sensors");
if (fie->index >= ARRAY_SIZE(ov7670_frame_rates))
return -EINVAL;
+ speculation_barrier();
+
/*
* Check if the width/height is valid.
*
#include <media/v4l2-subdev.h>
#include <media/v4l2-mediabus.h>
#include <media/ov9650.h>
+#include <asm/barrier.h>
static int debug;
module_param(debug, int, 0644);
if (fse->index >= ARRAY_SIZE(ov965x_framesizes))
return -EINVAL;
+ speculation_barrier();
+
while (--i)
if (fse->code == ov965x_formats[i].code)
break;
#include <media/v4l2-of.h>
#include "s5c73m3.h"
+#include <asm/barrier.h>
int s5c73m3_dbg;
module_param_named(debug, s5c73m3_dbg, int, 0644);
if (fie->index >= ARRAY_SIZE(s5c73m3_intervals))
return -EINVAL;
+ speculation_barrier();
+
mutex_lock(&state->lock);
fi = &s5c73m3_intervals[fie->index];
if (fie->width > fi->size.width || fie->height > fi->size.height)
if (fse->index >= s5c73m3_resolutions_len[idx])
return -EINVAL;
+ speculation_barrier();
+
fse->min_width = s5c73m3_resolutions[idx][fse->index].width;
fse->max_width = fse->min_width;
fse->max_height = s5c73m3_resolutions[idx][fse->index].height;
if (fse->index >= s5c73m3_resolutions_len[idx])
return -EINVAL;
+ speculation_barrier();
+
fse->min_width = s5c73m3_resolutions[idx][fse->index].width;
fse->max_width = fse->min_width;
fse->max_height = s5c73m3_resolutions[idx][fse->index].height;
#include <media/v4l2-subdev.h>
#include <media/v4l2-mediabus.h>
#include <media/s5k6aa.h>
+#include <asm/barrier.h>
static int debug;
module_param(debug, int, 0644);
if (fie->index >= ARRAY_SIZE(s5k6aa_intervals))
return -EINVAL;
+ speculation_barrier();
+
v4l_bound_align_image(&fie->width, S5K6AA_WIN_WIDTH_MIN,
S5K6AA_WIN_WIDTH_MAX, 1,
&fie->height, S5K6AA_WIN_HEIGHT_MIN,
#include <trace/events/vb2.h>
#include "videobuf2-internal.h"
+#include <asm/barrier.h>
int vb2_debug;
EXPORT_SYMBOL_GPL(vb2_debug);
return -EINVAL;
}
+ speculation_barrier();
+
vb = q->bufs[index];
if (plane >= vb->num_planes) {
#include <media/videobuf2-v4l2.h>
#include "videobuf2-internal.h"
+#include <asm/barrier.h>
/* Flags that are set by the vb2 core */
#define V4L2_BUFFER_MASK_FLAGS (V4L2_BUF_FLAG_MAPPED | V4L2_BUF_FLAG_QUEUED | \
return -EINVAL;
}
+ speculation_barrier();
+
if (q->bufs[b->index] == NULL) {
/* Should never happen */
dprintk(1, "%s: buffer is NULL\n", opname);
dprintk(1, "buffer index out of range\n");
return -EINVAL;
}
+
+ speculation_barrier();
+
vb = q->bufs[b->index];
ret = __verify_planes_array(vb, b);
projects / hercules2020 / nv-tegra / linux-4.4.git / commitdiff