Re: [PATCH] atm: zatm: Fix potential Spectre v1

From: David Miller
Date: Thu May 03 2018 - 15:25:14 EST


From: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>
Date: Thu, 3 May 2018 12:09:40 -0700

> Just for (my) info: all of these types of patches are to prevent
> what is loaded in cache when the index is out of range, right?
> Not some random pool_info[random], but pool_info[valid, i.e., 0].
>
> Since the value of pool is already sanity checked and -EINVAL is
> returned when it's out of range.

Well, the whole point is that the cpu can speculate execution past the
range check and execute the indexed read anyways. So even if the
value is "sanity checked" the cpu can execute ahead and load things
into the cache, just cancelling the register state updates later when
the range check is fully resolved.