mei: fix krealloc() misuse in in mei_cl_irq_read_msg()

If krealloc() returns NULL, it doesn't free the original. So any code of the form 'foo = krealloc(foo, ...);' is almost certainly a bug. Introduced by commit fcb136e1ac5774909e0d85189f721b8dfa800e0f(mei: fix reading large reposnes) Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Acked-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-12-04 18:13:04 +00:00 · 2013-04-23 10:44:35 +08:00 · 2013-04-23 10:44:35 +08:00 · 46e407dd34
commit 46e407dd34
parent 7013539381
1 changed files with 5 additions and 5 deletions
--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@ -148,16 +148,16 @@ static int mei_cl_irq_read_msg(struct mei_device *dev,
 			dev_dbg(&dev->pdev->dev, "message overflow. size %d len %d idx %ld\n",
 				cb->response_buffer.size,
 				mei_hdr->length, cb->buf_idx);
-			cb->response_buffer.data =
-					krealloc(cb->response_buffer.data,
-					mei_hdr->length + cb->buf_idx,
-					GFP_KERNEL);
+			buffer = krealloc(cb->response_buffer.data,
+					  mei_hdr->length + cb->buf_idx,
+					  GFP_KERNEL);

-			if (!cb->response_buffer.data) {
+			if (!buffer) {
 				dev_err(&dev->pdev->dev, "allocation failed.\n");
 				list_del(&cb->list);
 				return -ENOMEM;
 			}
+			cb->response_buffer.data = buffer;
 			cb->response_buffer.size =
 				mei_hdr->length + cb->buf_idx;
 		}