mei: fix device reset on mei_cl_irq_read_msg allocation failure

		goto out;

	}

	if (cb->status) {

		rets = cb->status;

		goto free;

	}

	r_length = min_t(size_t, length, cb->buf_idx);

	memcpy(buf, cb->response_buffer.data, r_length);

	rets = r_length;

free:

	mei_io_cb_free(cb);

	cl->reading_state = MEI_IDLE;

	cl->read_cb = NULL;

		cl->me_client_id == mei_hdr->me_addr;

}

/**

 * mei_cl_is_reading - checks if the client

 *		is the one to read this message

 * mei_cl_is_reading - checks if the client is in reading state

 *

 * @cl: mei client

 * @mei_hdr: header of mei message

 *

 * Return: true on match and false otherwise

 * Return: true if the client is reading

 */

static bool mei_cl_is_reading(struct mei_cl *cl, struct mei_msg_hdr *mei_hdr)

static bool mei_cl_is_reading(struct mei_cl *cl)

{

	return mei_cl_hbm_equal(cl, mei_hdr) &&

		cl->state == MEI_FILE_CONNECTED &&

	return cl->state == MEI_FILE_CONNECTED &&

		cl->reading_state != MEI_READ_COMPLETE;

}

/**

 * mei_cl_irq_read_msg - process client message

 *

 * @dev: the device structure

 * @cl: reading client

 * @mei_hdr: header of mei client message

 * @complete_list: An instance of our list structure

 * @complete_list: completion list

 *

 * Return: 0 on success, <0 on failure.

 * Return: always 0

 */

static int mei_cl_irq_read_msg(struct mei_device *dev,

static int mei_cl_irq_read_msg(struct mei_cl *cl,

			       struct mei_msg_hdr *mei_hdr,

			       struct mei_cl_cb *complete_list)

{

	struct mei_cl *cl;

	struct mei_cl_cb *cb, *next;

	struct mei_device *dev = cl->dev;

	struct mei_cl_cb *cb;

	unsigned char *buffer = NULL;

	list_for_each_entry_safe(cb, next, &dev->read_list.list, list) {

		cl = cb->cl;

		if (!mei_cl_is_reading(cl, mei_hdr))

			continue;

	list_for_each_entry(cb, &dev->read_list.list, list) {

		if (cl == cb->cl)

			break;

	}

	if (&cb->list == &dev->read_list.list) {

		dev_err(dev->dev, "no reader found\n");

		goto out;

	}

	if (!mei_cl_is_reading(cl)) {

		cl_err(dev, cl, "cl is not reading state=%d reading state=%d\n",

			cl->state, cl->reading_state);

		goto out;

	}

	cl->reading_state = MEI_READING;

	if (cb->response_buffer.size == 0 ||

	    cb->response_buffer.data == NULL) {

		cl_err(dev, cl, "response buffer is not allocated.\n");

			list_del(&cb->list);

			return -ENOMEM;

		list_move_tail(&cb->list, &complete_list->list);

		cb->status = -ENOMEM;

		goto out;

	}

	if (cb->response_buffer.size < mei_hdr->length + cb->buf_idx) {

		cl_dbg(dev, cl, "message overflow. size %d len %d idx %ld\n",

				cb->response_buffer.size,

				mei_hdr->length, cb->buf_idx);

			cb->response_buffer.size, mei_hdr->length, cb->buf_idx);

		buffer = krealloc(cb->response_buffer.data,

				  mei_hdr->length + cb->buf_idx,

				  GFP_KERNEL);

		if (!buffer) {

				list_del(&cb->list);

				return -ENOMEM;

			cb->status = -ENOMEM;

			list_move_tail(&cb->list, &complete_list->list);

			goto out;

		}

		cb->response_buffer.data = buffer;

			cb->response_buffer.size =

				mei_hdr->length + cb->buf_idx;

		cb->response_buffer.size = mei_hdr->length + cb->buf_idx;

	}

	buffer = cb->response_buffer.data + cb->buf_idx;

	cb->buf_idx += mei_hdr->length;

	if (mei_hdr->msg_complete) {

			cl->status = 0;

			list_del(&cb->list);

		cl_dbg(dev, cl, "completed read length = %lu\n",

			cb->buf_idx);

			list_add_tail(&cb->list, &complete_list->list);

		}

		break;

		list_move_tail(&cb->list, &complete_list->list);

	}

	dev_dbg(dev->dev, "message read\n");

out:

	if (!buffer) {

		/* assume that mei_hdr->length <= MEI_RD_MSG_BUF_SIZE */

		BUG_ON(mei_hdr->length > MEI_RD_MSG_BUF_SIZE);

		mei_read_slots(dev, dev->rd_msg_buf, mei_hdr->length);

		dev_dbg(dev->dev, "discarding message " MEI_HDR_FMT "\n",

				MEI_HDR_PRM(mei_hdr));

			goto end;

		}

	} else {

		ret = mei_cl_irq_read_msg(dev, mei_hdr, cmpl_list);

		if (ret) {

			dev_err(dev->dev, "mei_cl_irq_read_msg failed = %d\n",

					ret);

			goto end;

		}

		ret = mei_cl_irq_read_msg(cl, mei_hdr, cmpl_list);

	}

reset_slots:

	/* reset the number of slots and header */

	*slots = mei_count_full_read_slots(dev);

		schedule_delayed_work(&dev->timer_work, 2 * HZ);

	mutex_unlock(&dev->device_lock);

}

		goto out;

	}

	if (cl->read_cb) {

	cb = cl->read_cb;

	if (cb) {

		/* read what left */

		if (cb->buf_idx > *offset)

			goto copy_buffer;

	if (MEI_READ_COMPLETE != cl->reading_state &&

		!waitqueue_active(&cl->rx_wait)) {

		if (file->f_flags & O_NONBLOCK) {

			rets = -EAGAIN;

			goto out;

		rets = -ENODEV;

		goto out;

	}

	if (cl->reading_state != MEI_READ_COMPLETE) {

		rets = 0;

		goto out;

	}

	/* now copy the data to user space */

copy_buffer:

	/* now copy the data to user space */

	if (cb->status) {

		rets = cb->status;

		dev_dbg(dev->dev, "read operation failed %d\n", rets);

		goto free;

	}

	dev_dbg(dev->dev, "buf.size = %d buf.idx= %ld\n",

	    cb->response_buffer.size, cb->buf_idx);

	if (length == 0 || ubuf == NULL || *offset > cb->buf_idx) {

 * @buf_idx: last read index

 * @read_time: last read operation time stamp (iamthif)

 * @file_object: pointer to file structure

 * @status: io status of the cb

 * @internal: communication between driver and FW flag

 */

struct mei_cl_cb {

	unsigned long buf_idx;

	unsigned long read_time;

	struct file *file_object;

	int status;

	u32 internal:1;

};