Subject: spufs: fix off-by-one-bugs in new mailbox accesses

Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Index: linux-2.6/arch/powerpc/platforms/cell/spufs/file.c
===================================================================
--- linux-2.6.orig/arch/powerpc/platforms/cell/spufs/file.c
+++ linux-2.6/arch/powerpc/platforms/cell/spufs/file.c
@@ -378,7 +378,7 @@ static ssize_t spufs_mbox_read(struct fi
 	udata = (void __user *)buf;
 
 	spu_acquire(ctx);
-	for (count = 0; count < len; count += 4, udata++) {
+	for (count = 0; count <= len; count += 4, udata++) {
 		int ret;
 		ret = ctx->ops->mbox_read(ctx, &mbox_data);
 		if (ret == 0)
@@ -502,7 +502,7 @@ static ssize_t spufs_ibox_read(struct fi
 	if (count)
 		goto out;
 
-	for (count = 4, udata++; count < len; count += 4, udata++) {
+	for (count = 4, udata++; (count + 4) <= len; count += 4, udata++) {
 		int ret;
 		ret = ctx->ops->ibox_read(ctx, &ibox_data);
 		if (ret == 0)
@@ -640,7 +640,7 @@ static ssize_t spufs_wbox_write(struct f
 		goto out;
 
 	/* write aѕ much as possible */
-	for (count = 4, udata++; count <= len; count +=4, udata++) {
+	for (count = 4, udata++; (count + 4) <= len; count += 4, udata++) {
 		int ret;
 		ret = __get_user(wbox_data, udata);
 		if (ret)