提交 46e407dd 编写于 作者: W Wei Yongjun 提交者: Greg Kroah-Hartman

mei: fix krealloc() misuse in in mei_cl_irq_read_msg()

If krealloc() returns NULL, it doesn't free the original. So any code
of the form 'foo = krealloc(foo, ...);' is almost certainly a bug.

Introduced by commit fcb136e1(mei: fix
reading large reposnes)
Signed-off-by: NWei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: NTomas Winkler <tomas.winkler@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
上级 70135393
......@@ -148,16 +148,16 @@ static int mei_cl_irq_read_msg(struct mei_device *dev,
dev_dbg(&dev->pdev->dev, "message overflow. size %d len %d idx %ld\n",
cb->response_buffer.size,
mei_hdr->length, cb->buf_idx);
cb->response_buffer.data =
krealloc(cb->response_buffer.data,
mei_hdr->length + cb->buf_idx,
GFP_KERNEL);
buffer = krealloc(cb->response_buffer.data,
mei_hdr->length + cb->buf_idx,
GFP_KERNEL);
if (!cb->response_buffer.data) {
if (!buffer) {
dev_err(&dev->pdev->dev, "allocation failed.\n");
list_del(&cb->list);
return -ENOMEM;
}
cb->response_buffer.data = buffer;
cb->response_buffer.size =
mei_hdr->length + cb->buf_idx;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册