bitmap: fix end condition in bitmap_find_free_region

Guennadi Liakhovetski noticed that the end condition for the loop in
bitmap_find_free_region() is wrong, and the "return if error" was also
using the wrong conditional that would only trigger if the bitmap was an
exact multiple of the allocation size, which is not necessarily the case
with dma_alloc_from_coherent().

Such a failure would end up in bitmap_find_free_region() accessing
beyond the end of the bitmap.

Reported-by: Guennadi Liakhovetski <lg@denx.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 8 insertions, 8 deletions

diff --git a/lib/bitmap.c b/lib/bitmap.c
index 1338469ac849..35a1f7ff4149 100644
--- a/lib/bitmap.c
+++ b/lib/bitmap.c
@@ -948,15 +948,15 @@ done:
  */
 int bitmap_find_free_region(unsigned long *bitmap, int bits, int order)
 {
-        int pos;                /* scans bitmap by regions of size order */
+        int pos, end;           /* scans bitmap by regions of size order */
 
-        for (pos = 0; pos < bits; pos += (1 << order))
-                if (__reg_op(bitmap, pos, order, REG_OP_ISFREE))
-                        break;
-        if (pos == bits)
-                return -ENOMEM;
-        __reg_op(bitmap, pos, order, REG_OP_ALLOC);
-        return pos;
+        for (pos = 0 ; (end = pos + (1 << order)) <= bits; pos = end) {
+                if (!__reg_op(bitmap, pos, order, REG_OP_ISFREE))
+                        continue;
+                __reg_op(bitmap, pos, order, REG_OP_ALLOC);
+                return pos;
+        }
+        return -ENOMEM;
 }
 EXPORT_SYMBOL(bitmap_find_free_region);