Spectre variant 2 also relies on me being able to poison the branch target buffer. loongson had a similar issue where errant BTB entries would cause hangs, and they then claimed this at kernel entry clears out their BTB:*
jal 1f nop 1: jal 1f nop 1: jal 1f nop 1: jal 1f nop 1: A question is whether that works for other branch predictors, and how many we would need. * https://github.com/torvalds/linux/blob/2d6349944d967129c1da3c47287376f10121dbe1/arch/mips/include/asm/stackframe.h#L152-L164