On Sat, Jan 6, 2018 at 5:20 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > On Sat, Jan 6, 2018 at 3:31 PM, Dan Williams <dan.j.williams@xxxxxxxxx> wrote: >> >> I assume if we put this in uaccess_begin() we also need audit for >> paths that use access_ok but don't do on to call uaccess_begin()? A >> quick glance shows a few places where we are open coding the stac(). >> Perhaps land the lfence in stac() directly? > > Yeah, we should put it in uaccess_begin(), and in the actual user > accessor helpers that do stac. Some of them probably should be changed > to use uaccess_begin() instead while at it. > > One question for the CPU people: do we actually care and need to do > this for things that might *write* to something? The speculative write > obviously is killed, but does it perhaps bring in a cacheline even > when killed? As far as I understand a write could trigger a request-for-ownership read for the target cacheline. > Because maybe we don't need the lfence in put_user(), only in get_user()? Even though writes can trigger reads, as far as I can see the write needs to be dependent on the first out-of-bounds read: if (x < max) y = array1[x]; put_user(array2 + y, z); ...in other words that first read should be annotated with nospec_array_ptr() making an lfence in put_user() or other writes moot. yp = nospec_array_ptr(array1, x, max); if (yp) y = *yp; put_user(array2 + y, z);