On Wed, 3 Jan 2018 16:39:31 -0800 Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > On Wed, Jan 3, 2018 at 4:15 PM, Dan Williams <dan.j.williams@xxxxxxxxx> wrote: > > The 'if_nospec' primitive marks locations where the kernel is disabling > > speculative execution that could potentially access privileged data. It > > is expected to be paired with a 'nospec_{ptr,load}' where the user > > controlled value is actually consumed. > > I'm much less worried about these "nospec_load/if" macros, than I am > about having a sane way to determine when they should be needed. > > Is there such a sane model right now, or are we talking "people will > randomly add these based on strong feelings"? There are people trying to tune coverity and other tool rules to identify cases, and some of the work so far was done that way. For x86 we didn't find too many so far so either the needed pattern is uncommon or .... 8) Given you can execute over a hundred basic instructions in a speculation window it does need to be a tool that can explore not just in function but across functions. That's really tough for the compiler itself to do without help. What remains to be seen is if there are other patterns that affect different processors. In the longer term the compiler itself needs to know what is and isn't safe (ie you need to be able to write things like void foo(tainted __user int *x) and have the compiler figure out what level of speculation it can do and (on processors with those features like IA64) when it can and can't do various kinds of non-trapping loads. Alan