Spectre variant 2 also relies on me being able to poison the branch target buffer. Loongson had a similar issue where errant BTB entries would cause hangs, and they then claimed that this, at kernel entry, clears out their BTB:*
        jal     1f
         nop
1:      jal     1f
         nop
1:      jal     1f
         nop
1:      jal     1f
         nop
1:
A question is whether that works for other branch predictors, and
how many we would need.
* https://github.com/torvalds/linux/blob/2d6349944d967129c1da3c47287376f10121dbe1/arch/mips/include/asm/stackframe.h#L152-L164
