On Fri, Jan 05, 2018 at 06:52:07PM -0800, Linus Torvalds wrote: > On Fri, Jan 5, 2018 at 5:10 PM, Dan Williams <dan.j.williams@xxxxxxxxx> wrote: > > From: Andi Kleen <ak@xxxxxxxxxxxxxxx> > > > > When access_ok fails we should always stop speculating. > > Add the required barriers to the x86 access_ok macro. > > Honestly, this seems completely bogus. > > The description is pure garbage afaik. > > The fact is, we have to stop speculating when access_ok() does *not* > fail - because that's when we'll actually do the access. And it's that > access that needs to be non-speculative. > > That actually seems to be what the code does (it stops speculation > when __range_not_ok() returns false, but access_ok() is > !__range_not_ok()). But the explanation is crap, and dangerous. The description also seems to be missing the "why", as it's not self-evident (to me, at least). Isn't this (access_ok/uaccess_begin/ASM_STAC) too early for the lfence? i.e., wouldn't the pattern be: get_user(uval, uptr); if (uval < array_size) { lfence(); foo = a2[a1[uval] * 256]; } Shouldn't the lfence come much later, *after* reading the variable and comparing it and branching accordingly? -- Josh