4.7-stable review patch. If anyone has any objections, please let me know.
------------------ From: Eric Biggers <ebigg...@google.com> commit 5d0be84ec0cacfc7a6d6ea548afdd07d481324cd upstream. If crypt_alloc_tfms() had to allocate multiple tfms and it failed before the last allocation, then it would call crypt_free_tfms() and could free pointers from uninitialized memory -- due to the crypt_free_tfms() check for non-zero cc->tfms[i]. Fix by allocating zeroed memory. Signed-off-by: Eric Biggers <ebigg...@google.com> Signed-off-by: Mike Snitzer <snit...@redhat.com> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> --- drivers/md/dm-crypt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/md/dm-crypt.c +++ b/drivers/md/dm-crypt.c @@ -1453,7 +1453,7 @@ static int crypt_alloc_tfms(struct crypt unsigned i; int err; - cc->tfms = kmalloc(cc->tfms_count * sizeof(struct crypto_skcipher *), + cc->tfms = kzalloc(cc->tfms_count * sizeof(struct crypto_skcipher *), GFP_KERNEL); if (!cc->tfms) return -ENOMEM;