mei: fix double freeing of a cb during link reset

[cascardo/linux.git] / drivers / misc / mei / client.c

diff --git a/drivers/misc/mei/client.c b/drivers/misc/mei/client.c
index af6816b..a9cdb92 100644 (file)
--- a/drivers/misc/mei/client.c
+++ b/drivers/misc/mei/client.c
@@ -1645,7 +1645,7 @@ int mei_cl_write(struct mei_cl *cl, struct mei_cl_cb *cb, bool blocking)
        if (rets < 0 && rets != -EINPROGRESS) {
                pm_runtime_put_noidle(dev->dev);
                cl_err(dev, cl, "rpm: get failed %d\n", rets);
-               return rets;
+               goto free;
        }
 
        cb->buf_idx = 0;
@@ -1724,6 +1724,8 @@ err:
        cl_dbg(dev, cl, "rpm: autosuspend\n");
        pm_runtime_mark_last_busy(dev->dev);
        pm_runtime_put_autosuspend(dev->dev);
+free:
+       mei_io_cb_free(cb);
 
        return rets;
 }