mei: fix krealloc() misuse in in mei_cl_irq_read_msg()
If krealloc() returns NULL, it doesn't free the original. So any code
of the form 'foo = krealloc(foo, ...);' is almost certainly a bug.
Introduced by commit fcb136e1ac5774909e0d85189f721b8dfa800e0f(mei: fix
reading large reposnes)
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/misc/mei/interrupt.c b/drivers/misc/mei/interrupt.c
index 5ee2f07..1473cfd 100644
--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@@ -148,16 +148,16 @@
dev_dbg(&dev->pdev->dev, "message overflow. size %d len %d idx %ld\n",
cb->response_buffer.size,
mei_hdr->length, cb->buf_idx);
- cb->response_buffer.data =
- krealloc(cb->response_buffer.data,
- mei_hdr->length + cb->buf_idx,
- GFP_KERNEL);
+ buffer = krealloc(cb->response_buffer.data,
+ mei_hdr->length + cb->buf_idx,
+ GFP_KERNEL);
- if (!cb->response_buffer.data) {
+ if (!buffer) {
dev_err(&dev->pdev->dev, "allocation failed.\n");
list_del(&cb->list);
return -ENOMEM;
}
+ cb->response_buffer.data = buffer;
cb->response_buffer.size =
mei_hdr->length + cb->buf_idx;
}