The clearing of the OKM memory buffer in case of an error is already performed by the HKDF implementation crypto_hkdf_expand. Thus, the code clearing is not needed any more in the file system code base. Signed-off-by: Stephan Mueller <smueller@xxxxxxxxxx> --- fs/crypto/hkdf.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/crypto/hkdf.c b/fs/crypto/hkdf.c index ae236b42b1f0..c48dd8ca3a46 100644 --- a/fs/crypto/hkdf.c +++ b/fs/crypto/hkdf.c @@ -102,13 +102,10 @@ int fscrypt_hkdf_expand(const struct fscrypt_hkdf *hkdf, u8 context, .iov_base = (u8 *)info, .iov_len = infolen, } }; - int err = crypto_hkdf_expand(hkdf->hmac_tfm, - info_iov, ARRAY_SIZE(info_iov), - okm, okmlen); - if (unlikely(err)) - memzero_explicit(okm, okmlen); /* so caller doesn't need to */ - return err; + return crypto_hkdf_expand(hkdf->hmac_tfm, + info_iov, ARRAY_SIZE(info_iov), + okm, okmlen); } void fscrypt_destroy_hkdf(struct fscrypt_hkdf *hkdf) -- 2.26.2