On Thu, May 30, 2019 at 2:24 PM Michal Hocko <mho...@kernel.org> wrote: > I understand the general mechanism of spectre v1. What I was asking for > is an example of where userspace directly controls the allocation size > as this is usually bounded to an in kernel object size. I can see how > and N * sizeof(object) where N is controlled by the userspace could be > the target. But calling that out explicitly would be appreciated.
In the syscall call poll, the user can control the `nfds`, when call the function `do_sys_poll` it can pass the nfds to function `do_sys_poll`, and pass to variable `len`, although there exit compare instruction llike `len = min_t(unsigned int, nfds, N_STACK_PPS)`, `len = min(todo, POLLFD_PER_PAGE);`, but it can also bypass by speculation, as the speculation windows are large, and in the next `size = sizeof(struct poll_list) + sizeof(struct pollfd) * len`, which can indirect control the size. > Please mention that in the changelog as well. ok, thanks for suggestion.
