Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e1251465 authored by Michael Ellerman's avatar Michael Ellerman Committed by Paul Mackerras
Browse files

[POWERPC] Fix loop logic in irq_alloc_virt() 



There's a bug in irq_alloc_virt() if it's asked for more than 1 interrupt,
if it can't find a slot it might look past the end of the irq_map.
To be clear: the bug is that the continue affects the inner for loop,
not the outer one, so i becomes j + 1 and then we continue the inner
loop without checking if i is still <= limit.

This fixes it. No one in the kernel actually calls this with count >
1, so it's not critical.

Signed-off-by: default avatarMichael Ellerman <michael@ellerman.id.au>
Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: default avatarPaul Mackerras <paulus@samba.org>
parent 94983cb7

arch/powerpc/kernel/irq.c

+10 −9
Original line number Diff line number Diff line
@@ -777,7 +777,6 @@ unsigned int irq_alloc_virt(struct irq_host *host, 
{

	unsigned long flags;

	unsigned int i, j, found = NO_IRQ;

	unsigned int limit = irq_virq_count - count;



	if (count == 0 || count > (irq_virq_count - NUM_ISA_INTERRUPTS))

		return NO_IRQ;
@@ -794,15 +793,17 @@ unsigned int irq_alloc_virt(struct irq_host *host, 
	/* Look for count consecutive numbers in the allocatable

	 * (non-legacy) space

	 */

	for (i = NUM_ISA_INTERRUPTS; i <= limit; ) {

		for (j = i; j < (i + count); j++)

			if (irq_map[j].host != NULL) {

				i = j + 1;

				continue;

			}

		found = i;

	for (i = NUM_ISA_INTERRUPTS, j = 0; i < irq_virq_count; i++) {

		if (irq_map[i].host != NULL)

			j = 0;

		else

			j++;



		if (j == count) {

			found = i - count + 1;

			break;

		}

	}

	if (found == NO_IRQ) {

		spin_unlock_irqrestore(&irq_big_lock, flags);

		return NO_IRQ;