mei: fix krealloc() misuse in in mei_cl_irq_read_msg()

If krealloc() returns NULL, it doesn't free the original. So any code of the form 'foo = krealloc(foo, ...);' is almost certainly a bug. Introduced by commit fcb136e1(mei: fix reading large reposnes) Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Acked-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mei: fix krealloc() misuse in in mei_cl_irq_read_msg()
If krealloc() returns NULL, it doesn't free the original. So any code of the form 'foo = krealloc(foo, ...);' is almost certainly a bug. Introduced by commit fcb136e1(mei: fix reading large reposnes) Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Acked-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
46e407dd · Wei Yongjun · Greg Kroah-Hartman · 70135393 · 46e407dd
Commit 46e407dd authored Apr 23, 2013 by Wei Yongjun Committed by Greg Kroah-Hartman Apr 23, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

drivers/misc/mei/interrupt.c drivers/misc/mei/interrupt.c +5 -5

No files found.
--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@@ -148,16 +148,16 @@ static int mei_cl_irq_read_msg(struct mei_device *dev,
 			dev_dbg(&dev->pdev->dev, "message overflow. size %d len %d idx %ld\n",
 				cb->response_buffer.size,
 				mei_hdr->length, cb->buf_idx);
-			cb->response_buffer.data =
-					krealloc(cb->response_buffer.data,
-					mei_hdr->length + cb->buf_idx,
-					GFP_KERNEL);
+			buffer = krealloc(cb->response_buffer.data,
+					  mei_hdr->length + cb->buf_idx,
+					  GFP_KERNEL);

-			if (!cb->response_buffer.data) {
+			if (!buffer) {
 				dev_err(&dev->pdev->dev, "allocation failed.\n");
 				list_del(&cb->list);
 				return -ENOMEM;
 			}
+			cb->response_buffer.data = buffer;
 			cb->response_buffer.size =
 				mei_hdr->length + cb->buf_idx;
 		}