On 27.04.2022 16:04, Andrew Cooper wrote:
> mfn_valid() is not a trivially simple, and contains an evaluate_nospec() for
> speculative defence. Avoid calling it redundantly, and just store the result
> of the first call.
Since it took quite some time for this to actually be committed, I did
notice it among more recent commits, and I've grown a question: Isn't
the latching of the result in a local variable undermining the supposed
speculative defense? It's not as if I could point out a particular
gadget here, but it feels like the adjustment should have specifically
justified the speculative safety ... But I guess my understanding of
all of this might still be somewhat flaky?
Jan
> @@ -902,13 +902,15 @@ get_page_from_l1e(
> return -EINVAL;
> }
>
> - if ( !mfn_valid(_mfn(mfn)) ||
> + valid = mfn_valid(_mfn(mfn));
> +
> + if ( !valid ||
> (real_pg_owner = page_get_owner_and_reference(page)) == dom_io )
> {
> int flip = 0;
>
> /* Only needed the reference to confirm dom_io ownership. */
> - if ( mfn_valid(_mfn(mfn)) )
> + if ( valid )
> put_page(page);
>
> /* DOMID_IO reverts to caller for privilege checks. */
