From: Ard Biesheuvel ardb@kernel.org
mainline inclusion from mainline-5.11-rc1 commit 4e79f0211b473f8e1eab8211a9fd50cc41a3a061 category: bugfix bugzilla: 46882 CVE: NA
------------------------------------------------- When running in BE mode on LPAE hardware with a PA-to-VA translation that exceeds 4 GB, we patch bits 39:32 of the offset into the wrong byte of the opcode. So fix that, by rotating the offset in r0 to the right by 8 bits, which will put the 8-bit immediate in bits 31:24.
Note that this will also move bit #22 in its correct place when applying the rotation to the constant #0x400000.
Fixes: d9a790df8e984 ("ARM: 7883/1: fix mov to mvn conversion in case of 64 bit phys_addr_t and BE") Acked-by: Nicolas Pitre nico@fluxnic.net Reviewed-by: Linus Walleij linus.walleij@linaro.org Signed-off-by: Ard Biesheuvel ardb@kernel.org (cherry picked from commit 4e79f0211b473f8e1eab8211a9fd50cc41a3a061) Signed-off-by: Zhao Hongjiang zhaohongjiang@huawei.com --- arch/arm/kernel/head.S | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S index dfc95659bb89..45488589fea8 100644 --- a/arch/arm/kernel/head.S +++ b/arch/arm/kernel/head.S @@ -675,12 +675,8 @@ ARM_BE8(rev16 ip, ip) ldrcc r7, [r4], #4 @ use branch for delay slot bcc 1b bx lr -#else -#ifdef CONFIG_CPU_ENDIAN_BE8 - moveq r0, #0x00004000 @ set bit 22, mov to mvn instruction #else moveq r0, #0x400000 @ set bit 22, mov to mvn instruction -#endif b 2f 1: ldr ip, [r7, r3] #ifdef CONFIG_CPU_ENDIAN_BE8 @@ -689,7 +685,7 @@ ARM_BE8(rev16 ip, ip) tst ip, #0x000f0000 @ check the rotation field orrne ip, ip, r6, lsl #24 @ mask in offset bits 31-24 biceq ip, ip, #0x00004000 @ clear bit 22 - orreq ip, ip, r0 @ mask in offset bits 7-0 + orreq ip, ip, r0, ror #8 @ mask in offset bits 7-0 #else bic ip, ip, #0x000000ff tst ip, #0xf00 @ check the rotation field