On 25 Apr 2017 at 12:23, Peter Zijlstra wrote:

> So what avoids this:

simple, you noted it yourself in your previous mail:

> Well, your setup (panic_on_warn et al) would have it panic the box. That
> will effectively stop the exploit by virtue of stopping everything.

with that in mind the actual code looks like this:

>         CPU0                            CPU1
>
>
>         lock inc %[val]; # 0x7fffffff
>         jo      2f
> 1:      ...
>
>                                         lock dec %[val]; # 0x80000000
>                                         jo      2f
>                                 1:      ...
>
>
>
>
> 2:      mov $0x7fffffff, %[val]

panic()

>         jmp 1b
>
>                                 2:      mov $0x80000000, %[val]

panic()

>                                         jmp 1b
>

... and we never get this far.