> On 18. Feb 2022, at 16:12, Jason Gunthorpe <jgg@xxxxxxxx> wrote:
>
> On Thu, Feb 17, 2022 at 07:48:20PM +0100, Jakob Koschel wrote:
>> It is unsafe to assume that tmp != mdev can only evaluate to false
>> if the break within the list iterator is hit.
>>
>> When the break is not hit, tmp is set to an address derived from the
>> head element. If mdev would match with that value of tmp it would allow
>> continuing beyond the safety check even if mdev was never found within
>> the list
>
> I think due to other construction this is not actually possible, but I
> guess it is technically correct
>
> This seems like just a straight up style fix with nothing to do with
> speculative execution though. Why not just send it as a proper patch?
>
> Jason

Thank you for your feedback. I've raised some confusion here, I'm sorry about that.

The idea was to change list_for_each_entry() to set 'pos' to NULL when the list
terminates to avoid invalid usage in speculation. This will break this code and
I therefore included the suggested change in this RFC. This RFC was not intended
to be merged as is.

However, in this example, 'tmp' will be an out-of-bounds pointer if the loop did
finish without hitting the break, so the check past the loop *could* match 'mdev'
even though no break was ever met. I've now realized that this is probably not
realistic iff mdev always points to a valid struct mdev_device.
(It's a slightly different scenario on PATCH 03/13).

Jakob
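
The post-loop iterator value discussed in this message, as an added userspace example that is not code from the RFC or from the kernel. The list helpers are simplified stand-ins, the struct mdev_device layout and all function names are hypothetical, and the separate "found" pointer is one possible alternative, not necessarily the change the RFC proposes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified userspace stand-ins for the kernel list helpers. */
struct list_head { struct list_head *next, *prev; };
struct mdev_device { int id; struct list_head next; }; /* hypothetical layout */

#define entry_of(p, type, m) ((type *)((uintptr_t)(p) - offsetof(type, m)))
#define for_each_entry(pos, head, type, member)          \
    for (pos = entry_of((head)->next, type, member);     \
         &pos->member != (head);                         \
         pos = entry_of(pos->member.next, type, member))

/* Pattern under discussion: the iterator itself is tested after the loop. */
static int found_by_iterator(struct list_head *head, struct mdev_device *mdev)
{
    struct mdev_device *tmp;
    for_each_entry(tmp, head, struct mdev_device, next)
        if (tmp == mdev) break;
    return tmp == mdev; /* tmp is head-derived here if no break was hit */
}

/* Alternative: a separate pointer that is only set when the break is hit. */
static int found_by_pointer(struct list_head *head, struct mdev_device *mdev)
{
    struct mdev_device *tmp, *found = NULL;
    for_each_entry(tmp, head, struct mdev_device, next)
        if (tmp == mdev) { found = tmp; break; }
    return found != NULL;
}

static struct list_head head;
static struct mdev_device dev = { 1, { &head, &head } };
/* Constructed input: which=0 listed entry, 1 unlisted object, 2 head-derived. */
static int lookup(int which, int use_pointer)
{
    static struct mdev_device other = { 2, { NULL, NULL } };
    struct mdev_device *q[] = { &dev, &other,
        entry_of(&head, struct mdev_device, next) };
    head.next = head.prev = &dev.next; /* one-element list */
    return use_pointer ? found_by_pointer(&head, q[which])
                       : found_by_iterator(&head, q[which]);
}

int main(void)
{
    printf("head-derived: iterator=%d found=%d\n", lookup(2, 0), lookup(2, 1));
    return 0;
}
```

Only the head-derived pointer (which=2) separates the two checks; for a listed entry or an ordinary unlisted object they agree.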