The Microsoft c++ guide talks about it at a high level docs.microsoft.com/en-us/cpp… but haven't seen much more since then, have wondered if you could find a good use of that to fetch arbitrary addresses for cross thread disclosures

Actually, I didn't read the example closely enough. It was an SSB case, and we have an option specifically for that with Respectre. So I threw the example into mm/memory.c and compiled it with the verbose mode on:

Had to add noinline to InitializeIndex to make it match the description, but here's the resulting disasm:

The fence gets inserted via asm alternatives at boot where you see the xchg ax,ax in the code

That's amazing, would love to know how many extra barriers get inserted in say an Ubuntu kernel. No way you could find them all through code review!

don't have current numbers at hand, but on a 5.4.13-allyes-amd64 config respectre reported about 33k v4 instances as above. that was over 1.5y ago, so not quite representative of the current code but you get the idea.

Okay, that's even more than I would have expected, nice work!

I think the number he gave you there was for SSB_ALL (see: nitter.vloup.ch/spendergrsec/sta…), for performance you don't really want a ton of fences.