On Fri, Jan 5, 2018 at 7:09 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Jan 5, 2018 at 6:52 PM, Linus Torvalds
> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> The fact is, we have to stop speculating when access_ok() does *not*
>> fail - because that's when we'll actually do the access. And it's that
>> access that needs to be non-speculative.
>
> I also suspect we should probably do this entirely differently.
>
> Maybe the whole lfence can be part of uaccess_begin() instead (ie
> currently 'stac()'). That would fit the existing structure better, I
> think. And it would avoid any confusion about the whole "when to stop
> speculation".

I assume if we put this in uaccess_begin() we also need to audit for paths
that use access_ok but don't go on to call uaccess_begin()? A quick glance
shows a few places where we are open coding the stac(). Perhaps land the
lfence in stac() directly?
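
The audit raised in this message, sketched as an added example (not part of the original thread and not kernel code): a crude scan for functions that call access_ok() or open-code stac() without going through uaccess_begin(), which a barrier placed only in uaccess_begin() would not cover. The sample source is constructed, and raw_copy(), uaccess_end() and the function names in it are hypothetical.

```python
import re
# Constructed sample, not real kernel source; raw_copy/uaccess_end are hypothetical.
SAMPLE = """
static void put_a(void __user *dst, const void *src, size_t n)
{
    if (!access_ok(VERIFY_WRITE, dst, n))
        return;
    uaccess_begin();
    raw_copy(dst, src, n);
    uaccess_end();
}
static void put_b(void __user *dst, const void *src, size_t n)
{
    if (!access_ok(VERIFY_WRITE, dst, n))
        return;
    stac();
    raw_copy(dst, src, n);
    clac();
}
static int probe(void __user *p, size_t n)
{
    return access_ok(VERIFY_READ, p, n) ? 0 : -EFAULT;
}
"""

FUNC_HEAD = re.compile(r"^\w[^;{}()]*?(\w+)\s*\([^;{}]*\)\s*\{", re.M)

def calls(body, name):
    return re.search(r"\b%s\s*\(" % re.escape(name), body) is not None

def function_bodies(src):
    """Yield (name, body) per top-level function; ignores braces in comments/strings."""
    for m in FUNC_HEAD.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i]

def audit(src):
    """List functions that a barrier placed in uaccess_begin() would not cover."""
    findings = []
    for name, body in function_bodies(src):
        if calls(body, "uaccess_begin"):
            continue
        if calls(body, "stac"):
            findings.append((name, "open-coded stac()"))
        elif calls(body, "access_ok"):
            findings.append((name, "access_ok() without uaccess_begin()"))
    return findings
```

A text scan like this only narrows the list for manual review: it does not follow calls across functions or expand macros.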