diff options
| author | John David Anglin <dave.anglin@bell.net> | 2021-12-21 13:21:22 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-12-29 12:20:46 +0100 |
| commit | ceeeb3a197463950827a81b41443ed30e6e82002 (patch) | |
| tree | 94c85c656ac0792537575e471aaa59ea5ca10cc7 | |
| parent | eb84855d3e8799b67cdbadc7a5c53997cbfc3580 (diff) | |
| download | linux-stable-ceeeb3a197463950827a81b41443ed30e6e82002.tar.gz linux-stable-ceeeb3a197463950827a81b41443ed30e6e82002.tar.bz2 linux-stable-ceeeb3a197463950827a81b41443ed30e6e82002.zip | |
parisc: Correct completer in lws start
commit 8f66fce0f46560b9e910787ff7ad0974441c4f9c upstream.
The completer in the "or,ev %r1,%r30,%r30" instruction is reversed, so we are
not clipping the LWS number when we are called from a 32-bit process (W=0).
We need to nulify the following depdi instruction when the least-significant
bit of %r30 is 1.
If the %r20 register is not clipped, a user process could perform a LWS call
that would branch to an undefined location in the kernel and potentially crash
the machine.
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Cc: stable@vger.kernel.org # 4.19+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | arch/parisc/kernel/syscall.S | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S index 61a647a55c69..1ae007ec65c5 100644 --- a/arch/parisc/kernel/syscall.S +++ b/arch/parisc/kernel/syscall.S @@ -478,7 +478,7 @@ lws_start: extrd,u %r1,PSW_W_BIT,1,%r1 /* sp must be aligned on 4, so deposit the W bit setting into * the bottom of sp temporarily */ - or,ev %r1,%r30,%r30 + or,od %r1,%r30,%r30 /* Clip LWS number to a 32-bit value for 32-bit processes */ depdi 0, 31, 32, %r20 |