[POWERPC] Fix loop logic in irq_alloc_virt()

There's a bug in irq_alloc_virt() if it's asked for more than 1 interrupt,
if it can't find a slot it might look past the end of the irq_map.
To be clear: the bug is that the continue affects the inner for loop,
not the outer one, so i becomes j + 1 and then we continue the inner
loop without checking if i is still <= limit.

This fixes it. No one in the kernel actually calls this with count >
1, so it's not critical.

Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>

diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c
index b443233..c3f58f2 100644 (file)
--- a/arch/powerpc/kernel/irq.c
+++ b/arch/powerpc/kernel/irq.c
@@ -777,7 +777,6 @@ unsigned int irq_alloc_virt(struct irq_host *host,
 {
        unsigned long flags;
        unsigned int i, j, found = NO_IRQ;
-       unsigned int limit = irq_virq_count - count;
 
        if (count == 0 || count > (irq_virq_count - NUM_ISA_INTERRUPTS))
                return NO_IRQ;
@@ -794,14 +793,16 @@ unsigned int irq_alloc_virt(struct irq_host *host,
        /* Look for count consecutive numbers in the allocatable
         * (non-legacy) space
         */
-       for (i = NUM_ISA_INTERRUPTS; i <= limit; ) {
-               for (j = i; j < (i + count); j++)
-                       if (irq_map[j].host != NULL) {
-                               i = j + 1;
-                               continue;
-                       }
-               found = i;
-               break;
+       for (i = NUM_ISA_INTERRUPTS, j = 0; i < irq_virq_count; i++) {
+               if (irq_map[i].host != NULL)
+                       j = 0;
+               else
+                       j++;
+
+               if (j == count) {
+                       found = i - count + 1;
+                       break;
+               }
        }
        if (found == NO_IRQ) {
                spin_unlock_irqrestore(&irq_big_lock, flags);