Horn: Racing against the clock

Post Syndicated from original https://lwn.net/Articles/889183/

Jann Horn describes in great detail the process he went through to exploit a tiny race window in the kernel.

Luckily for us, the race window contains the first few memory
accesses to the struct file; therefore, by making sure that the
struct file is not present in the fastest CPU caches, we can widen
the race window by as much time as the memory accesses take. The
standard way to do this is to use an eviction pattern / eviction
set; but instead we can also make the cache line dirty on another
core.
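
The quoted passage describes widening a race window by making the first memory accesses in it miss the fast caches. The program below is an added user-space illustration, not code from Horn's writeup or from LWN: it times a single load of one cache line in three states, hot in the measuring core's cache, evicted by walking a 64 MiB buffer, and freshly dirtied by a thread on another core, and reports the minimum over several trials. The eviction buffer size, the flag-based thread handshake and the choice of CPUs 0 and 1 for pinning are assumptions made here; pinning is best effort, and the numbers are only meaningful on bare metal with at least two cores (on a single core or under a hypervisor the "dirty on another core" case may look like the hot case).

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

#define LINE 64
#define EVICT_BYTES (64u << 20)   /* assumption: 64 MiB exceeds the last-level cache on most machines */

/* Stand-in for the kernel object: one cache line, aligned so it shares a line with nothing else. */
static _Alignas(LINE) volatile uint8_t target[LINE];
/* Handshake flags live on their own lines so polling them never touches `target`. */
static _Alignas(LINE) atomic_int req;
static _Alignas(LINE) atomic_int done;
static _Alignas(LINE) atomic_int stop;

struct latencies { uint64_t hot, evicted, dirty; int helper_writes; };

/* Timestamp: fenced rdtsc on x86 (cycles), CLOCK_MONOTONIC nanoseconds elsewhere. */
static uint64_t stamp(void) {
#if defined(__x86_64__) || defined(__i386__)
    _mm_lfence();
    uint64_t t = __rdtsc();
    _mm_lfence();
    return t;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* Time exactly one load of target[0]; the volatile qualifier keeps the load in place. */
static uint64_t time_one_load(void) {
    uint64_t t0 = stamp();
    uint8_t v = target[0];
    uint64_t t1 = stamp();
    (void)v;
    return t1 - t0;
}

/* Write one byte per line across a buffer larger than the LLC, pushing `target` out of all levels. */
static void evict_caches(uint8_t *buf) {
    for (size_t i = 0; i < EVICT_BYTES; i += LINE)
        buf[i]++;
}

static void pin_to_cpu(int cpu) {
#ifdef __linux__
    cpu_set_t set;
    CPU_ZERO(&set);
    CPU_SET(cpu, &set);
    pthread_setaffinity_np(pthread_self(), sizeof set, &set);   /* best effort; failure is ignored */
#else
    (void)cpu;
#endif
}

/* Helper thread: on request, write the line so it sits in Modified state in this core's cache. */
static void *dirtier(void *arg) {
    (void)arg;
    pin_to_cpu(1);                                 /* assumption: CPU 1 exists and differs from CPU 0 */
    int writes = 0;
    while (!atomic_load(&stop)) {
        if (atomic_load(&req) && atomic_exchange(&req, 0)) {
            target[0]++;
            writes++;
            atomic_store(&done, 1);
        }
    }
    return (void *)(intptr_t)writes;
}

struct latencies measure(int trials) {
    struct latencies l = { UINT64_MAX, UINT64_MAX, UINT64_MAX, 0 };
    uint8_t *evict_buf = calloc(EVICT_BYTES, 1);
    if (!evict_buf) { perror("calloc"); return l; }
    pin_to_cpu(0);
    atomic_store(&stop, 0);
    pthread_t th;
    if (pthread_create(&th, NULL, dirtier, NULL) != 0) { perror("pthread_create"); free(evict_buf); return l; }
    for (int i = 0; i < trials; i++) {
        target[0]++;                               /* 1. hot: the line is in our own L1 */
        uint64_t t = time_one_load();
        if (t < l.hot) l.hot = t;

        target[0]++;                               /* 2. evicted: walk the big buffer, then load */
        evict_caches(evict_buf);
        t = time_one_load();
        if (t < l.evicted) l.evicted = t;

        target[0]++;                               /* 3. dirty on another core: helper writes, we load */
        atomic_store(&done, 0);
        atomic_store(&req, 1);
        while (!atomic_load(&done)) sched_yield();
        t = time_one_load();
        if (t < l.dirty) l.dirty = t;
    }
    atomic_store(&stop, 1);
    void *ret;
    pthread_join(th, &ret);
    l.helper_writes = (int)(intptr_t)ret;
    free(evict_buf);
    return l;
}

int main(void) {
    struct latencies l = measure(20);
    printf("min first-load cost: hot=%llu evicted=%llu dirty-on-other-core=%llu (helper writes: %d)\n",
           (unsigned long long)l.hot, (unsigned long long)l.evicted, (unsigned long long)l.dirty, l.helper_writes);
    return 0;
}
```

The gap between the hot figure and the other two is the extra time an attacker gains on each of those first accesses inside the window. Against a real kernel object the attacker cannot touch the line directly; it has to be evicted through an eviction set built over the attacker's own memory, or dirtied by provoking a write to it from another CPU, which is the choice the quoted passage refers to.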