On Fri, Jan 12, 2018 at 10:21:43AM -0800, Dan Williams wrote: > > That just sounds wrong. What if the speculation starts *after* the > > access_ok() check? Then the barrier has no purpose. > > > > Most access_ok/get_user/copy_from_user calls are like this: > > > > if (copy_from_user(...uptr..)) /* or access_ok() or get_user() */ > > return -EFAULT; > > > > So in other words, the usercopy function is called *before* the branch. > > > > But to halt speculation, the lfence needs to come *after* the branch. > > So putting lfences *before* the branch doesn't solve anything. > > > > So what am I missing? > > We're trying to prevent a pointer under user control from being > de-referenced inside the kernel, before we know it has been limited to > something safe. In the following sequence the branch we are worried > about speculating is the privilege check: > > if (access_ok(uptr)) /* <--- Privelege Check */ > if (copy_from_user_(uptr)) > > The cpu can speculatively skip that access_ok() check and cause a read > of kernel memory. Converting your example code to assembly: call access_ok # no speculation which started before this point is allowed to continue past this point test %rax, %rax jne error_path dereference_uptr: (do nefarious things with the user pointer) error_path: mov -EINVAL, %rax ret So the CPU is still free to speculately execute the dereference_uptr block because the lfence was before the 'jne error_path' branch. -- Josh
