[POWERPC] spufs: fix another off-by-one bug in spufs_mbox_read

Currently, spufs_mbox_read transfers more bytes than requested on a
read.  If you ask for four bytes, you get eight.  This fixes it to
transfer the largest multiple of four bytes that is less than or equal
to the number you asked for.

Note: one nasty property of this file in spufs is that you can only
read multiples of four bytes in the first place, since there is no way
to atomically put back a few bytes into the hardware register.  Thus,
reading less than four bytes returns -EINVAL.  Asking for more than
four returns the largest possible multiple of four.
Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>

arch/powerpc/platforms/cell/spufs/file.c

@@ -385,7 +385,7 @@ static ssize_t spufs_mbox_read(struct file *file, char __user *buf,
 	udata = (void __user *)buf;
 
 	spu_acquire(ctx);
-	for (count = 0; count <= len; count += 4, udata++) {
+	for (count = 0; (count + 4) <= len; count += 4, udata++) {
 		int ret;
 		ret = ctx->ops->mbox_read(ctx, &mbox_data);
 		if (ret == 0)