On Fri, Jan 05, 2018 at 06:52:07PM -0800, Linus Torvalds wrote:
> On Fri, Jan 5, 2018 at 5:10 PM, Dan Williams <dan.j.willi...@intel.com> wrote:
> > From: Andi Kleen <a...@linux.intel.com>
> >
> > When access_ok fails we should always stop speculating.
> > Add the required barriers to the x86 access_ok macro.
>
> Honestly, this seems completely bogus.
>
> The description is pure garbage afaik.
>
> The fact is, we have to stop speculating when access_ok() does *not*
> fail - because that's when we'll actually do the access. And it's that
> access that needs to be non-speculative.
>
> That actually seems to be what the code does (it stops speculation
> when __range_not_ok() returns false, but access_ok() is
> !__range_not_ok()). But the explanation is crap, and dangerous.
The description also seems to be missing the "why", as it's not
self-evident (to me, at least).
Isn't this (access_ok/uaccess_begin/ASM_STAC) too early for the lfence?
i.e., wouldn't the pattern be:
get_user(uval, uptr);
if (uval < array_size) {
lfence();
foo = a2[a1[uval] * 256];
}
Shouldn't the lfence come much later, *after* reading the variable and
comparing it and branching accordingly?
--
Josh
