218ac107c5
find_next_zero_bit() incorrectly handles cases when:
- total bitmap size < 32
- rest of bits to process
static inline int find_next_zero_bit(void *addr, int size, int offset)
{
unsigned long *p = ((unsigned long *)addr) + (offset >> 5);
unsigned long result = offset & ~31UL;
unsigned long tmp;
if (offset >= size)
return size;
size -= result;
offset &= 31UL;
if (offset) {
tmp = *(p++);
tmp |= ~0UL >> (32-offset);
if (size < 32)
[1]
goto found_first;
if (~tmp)
goto found_middle;
size -= 32;
result += 32;
}
while (size & ~31UL) {
tmp = *(p++);
if (~tmp)
goto found_middle;
result += 32;
size -= 32;
}
[2]
if (!size)
return result;
tmp = *p;
found_first:
[3] tmp |= ~0UL >> size;
^^^ algo can reach above line from from points:
[1] offset > 0 and size < 32, tmp[offset-1..0] bits set to 1
[2] size < 32 - rest of bits to process
in both cases bits to search are tmp[size-1..0], but line [3] will simply
set all tmp[31-size..0] bits to 1 and ffz(tmp) below will fail.
example: bitmap size = 16, offset = 0, bitmap is empty.
code will go through the point [2], tmp = 0x0
after line [3] => tmp = 0xFFFF and ffz(tmp) will return 16.
found_middle:
return result + ffz(tmp);
}
Fix it by correctly seting tmp[31..size] bits to 1 in the above case [3].
Fixes:
|
||
---|---|---|
.. | ||
cpu | ||
dts | ||
include | ||
lib | ||
mach-aspeed | ||
mach-at91 | ||
mach-bcm283x | ||
mach-davinci | ||
mach-exynos | ||
mach-highbank | ||
mach-imx | ||
mach-integrator | ||
mach-keystone | ||
mach-kirkwood | ||
mach-meson | ||
mach-mvebu | ||
mach-omap2 | ||
mach-orion5x | ||
mach-qemu | ||
mach-rmobile | ||
mach-rockchip | ||
mach-s5pc1xx | ||
mach-snapdragon | ||
mach-socfpga | ||
mach-sti | ||
mach-stm32 | ||
mach-stm32mp | ||
mach-sunxi | ||
mach-tegra | ||
mach-uniphier | ||
mach-versatile | ||
mach-zynq | ||
thumb1/include/asm/proc-armv | ||
config.mk | ||
Kconfig | ||
Kconfig.debug | ||
Makefile |