staging: ccree: NULLify backup_info when unused

commit 46df8824982e4fb0198776078d4a8c3e2d531464 upstream.

backup_info field is only allocated for decrypt code path.
The field was not nullified when not used causing a kfree
in an error handling path to attempt to free random
addresses as uncovered in stress testing.

Fixes: 737aed947f9b ("staging: ccree: save ciphertext for CTS IV")
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/ccree/ssi_cipher.c b/drivers/staging/ccree/ssi_cipher.c
index ee85cbf7c9ae8b3b8d4af4584e449fd609c769f1..980ff42128b474b56b4e7c91abeb0bebcebf8c04 100644 (file)
--- a/drivers/staging/ccree/ssi_cipher.c
+++ b/drivers/staging/ccree/ssi_cipher.c
@@ -908,6 +908,7 @@ static int ssi_ablkcipher_decrypt(struct ablkcipher_request *req)
        scatterwalk_map_and_copy(req_ctx->backup_info, req->src,
                                 (req->nbytes - ivsize), ivsize, 0);
        req_ctx->is_giv = false;
+       req_ctx->backup_info = NULL;
 
        return ssi_blkcipher_process(tfm, req_ctx, req->dst, req->src, req->nbytes, req->info, ivsize, (void *)req, DRV_CRYPTO_DIRECTION_DECRYPT);
 }