mei: fix krealloc() misuse in in mei_cl_irq_read_msg()

If krealloc() returns NULL, it doesn't free the original. So any code
of the form 'foo = krealloc(foo, ...);' is almost certainly a bug.

Introduced by commit fcb136e1ac5774909e0d85189f721b8dfa800e0f(mei: fix
reading large reposnes)

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/misc/mei/interrupt.c b/drivers/misc/mei/interrupt.c
index 5ee2f07c929dd432d2ed4450f1dbdb17f5a9f8d2..1473cfdbc4269e39933f65952bc178728609d01c 100644 (file)
--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@@ -148,16 +148,16 @@ static int mei_cl_irq_read_msg(struct mei_device *dev,
                        dev_dbg(&dev->pdev->dev, "message overflow. size %d len %d idx %ld\n",
                                cb->response_buffer.size,
                                mei_hdr->length, cb->buf_idx);
-                       cb->response_buffer.data =
-                                       krealloc(cb->response_buffer.data,
-                                       mei_hdr->length + cb->buf_idx,
-                                       GFP_KERNEL);
+                       buffer = krealloc(cb->response_buffer.data,
+                                         mei_hdr->length + cb->buf_idx,
+                                         GFP_KERNEL);
 
-                       if (!cb->response_buffer.data) {
+                       if (!buffer) {
                                dev_err(&dev->pdev->dev, "allocation failed.\n");
                                list_del(&cb->list);
                                return -ENOMEM;
                        }
+                       cb->response_buffer.data = buffer;
                        cb->response_buffer.size =
                                mei_hdr->length + cb->buf_idx;
                }