On 23.12.2019 19:08, George Dunlap wrote:
> What about the attached series of patches (compile-tested only)?

This ...

>+#define nospec_clip(index, size) \ >+ ({ \ >+ bool clipped = (index >= size); \ >+ index = array_index_nospec(index, size); \ >+ clipped; \ >+ })

... in particular may misguide people on its use: If the clipped "index" gets stored in a register, all is going to be fine (afaict), but if it ends up in memory, there'd be new (mis-)speculation opportunities. Some of the clipping done in the patches is already not fully safe against this, but in some other cases (especially once array_access_nospec() would be used where possible) would at least make things as safe as they can be made without compiler aid.

(As an aside, the suggested macro, if we were to put it in, would need proper parenthesization of the macro parameter uses.)

Jan
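
Review bot: nospec_clip() writes back to its first argument in "index = array_index_nospec(index, size);" and evaluates both index and size twice, yet the hunk carries no comment documenting either. A short comment above the #define should state that index must be a modifiable lvalue free of side effects, that it is overwritten with the clipped value, and that the macro evaluates to true when the original index was out of range, so callers know to keep using the updated variable rather than a copy taken earlier. The parameter uses in "(index >= size)" are also unparenthesized; writing "((index) >= (size))" keeps the comparison correct when an argument is an expression.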