On 23.10.19 15:58, Andrew Cooper wrote:
evaluate_nospec() is incredibly fragile, and this is one giant bodge.To correctly protect jumps, the generated code needs to be of the form: cmp/test <cond> jcc 1f lfence ... 1: lfence ... Critically, the lfence must be at the head of both basic blocks, later in the instruction stream than the conditional jump in need of protection. When a static inline is involved, the optimiser decides to be clever and rearranges the code as: pred: lfence <calculate cond> ret call pred cmp $0, %eax jcc 1f ... 1: ... which breaks the speculative safety. Any use of evaluate_nospec() needs all static inline predicates which use it to be declared always_inline to prevent the optimiser having the flexibility to generate unsafe code. Signed-off-by: Andrew Cooper <[email protected]>
Release-acked-by: Juergen Gross <[email protected]> Juergen _______________________________________________ Xen-devel mailing list [email protected] https://lists.xenproject.org/mailman/listinfo/xen-devel
