On Mon, Feb 5, 2018 at 4:26 PM, Ingo Molnar <[email protected]> wrote:
>
> * Linus Torvalds <[email protected]> wrote:
>
>> [...]
>>
>> But as the commit message says, the system call argument registers are
>> also likely to be aggressively clobbered unless used, since the low
>> registers are preferred for code generation (smaller code, and many of
>> them are special anyway in various ways and have forced uses for
>> shifts, function arguments, or just are special in general like %rax).
>>
>> So the actual argument registers tend to not be an issue anyway.
>
> So I submit that we should probably extend the register clearing/sanitization to
> R10 and R11 as well, because while they are technically caller-saved and freely
> clobberable, in practice they don't get clobbered all that often and there might
> be various code paths into complex system calls where these R10/R11 values survive
> just fine and can be used in Spectre gadgets.

Maybe R11, but we have to be careful, since R11 is used as scratch space
in a bunch of the asm.

Clearing R10 is mostly useless in the syscall path because we'll just
unconditionally reload it in do_syscall_64(). If we manage to change the
way syscall wrappers work, then we can think about clearing R10 and maybe
even more regs.

