mei: fix krealloc() misuse in in mei_cl_irq_read_msg()

If krealloc() returns NULL, it doesn't free the original. So any code of the form 'foo = krealloc(foo, ...);' is almost certainly a bug. Introduced by commit fcb136e1(mei: fix reading large reposnes) Signed-off-by: N Wei Yongjun <yongjun_wei@trendmicro.com.cn> Acked-by: N Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mei: fix krealloc() misuse in in mei_cl_irq_read_msg()
If krealloc() returns NULL, it doesn't free the original. So any code of the form 'foo = krealloc(foo, ...);' is almost certainly a bug. Introduced by commit fcb136e1(mei: fix reading large reposnes) Signed-off-by: N Wei Yongjun <yongjun_wei@trendmicro.com.cn> Acked-by: N Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
46e407dd · Wei Yongjun · Greg Kroah-Hartman · 70135393 · 46e407dd
显示空白变更内容
内联并排

Showing with 5 addition and 5 deletion

drivers/misc/mei/interrupt.c drivers/misc/mei/interrupt.c +5 -5

未找到文件。
--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@@ -148,16 +148,16 @@ static int mei_cl_irq_read_msg(struct mei_device *dev,
 			dev_dbg(&dev->pdev->dev, "message overflow. size %d len %d idx %ld\n",
 				cb->response_buffer.size,
 				mei_hdr->length, cb->buf_idx);
-			cb->response_buffer.data =
-					krealloc(cb->response_buffer.data,
+			buffer = krealloc(cb->response_buffer.data,
 					  mei_hdr->length + cb->buf_idx,
 					  GFP_KERNEL);

-			if (!cb->response_buffer.data) {
+			if (!buffer) {
 				dev_err(&dev->pdev->dev, "allocation failed.\n");
 				list_del(&cb->list);
 				return -ENOMEM;
 			}
+			cb->response_buffer.data = buffer;
 			cb->response_buffer.size =
 				mei_hdr->length + cb->buf_idx;
 		}