On Fri, Jan 12, 2018 at 07:23:53AM +0000, David Woodhouse wrote: > On Thu, 2018-01-11 at 17:32 -0800, Ashok Raj wrote: > > > > @@ -4910,6 +4935,14 @@ static void svm_vcpu_run(struct kvm_vcpu > > *vcpu) > > > > clgi(); > > > > + if (boot_cpu_has(X86_FEATURE_SPEC_CTRL)) { > > + /* > > + * FIXME: lockdep_assert_irqs_disabled(); > > + */ > > + WARN_ON_ONCE(!irqs_disabled()); > > + spec_ctrl_set(svm->spec_ctrl); > > + } > > + > > local_irq_enable(); > > > > Same comments here as we've had previously. If you do this without an > 'else lfence' then you need a comment showing that you've proved it's > safe. > > And I don't think even using static_cpu_has() is good enough. We don't > already "rely" on that for anything but optimisations, AFAICT. Turning > a missed GCC optimisation into a security hole is not a good idea.
I disagree, and if you worry about that, we should write a testcase. But we rely on GCC for correct code generation in lots of places, this isn't different.
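Review bot: the new block in svm_vcpu_run() carries an unresolved FIXME that names lockdep_assert_irqs_disabled() while the code uses WARN_ON_ONCE(!irqs_disabled()). Either make that switch before merging or replace the FIXME with a comment saying why the WARN_ON_ONCE is kept. The block also has no comment explaining why spec_ctrl_set(svm->spec_ctrl) has to sit between clgi() and local_irq_enable(). The boot_cpu_has(X86_FEATURE_SPEC_CTRL) branch has no else path and no note on why that is safe, which is the point raised in the quoted review. A short comment covering the ordering and the branch would let the next reader check the reasoning without going back to this thread.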