Returning immediately from sqfs_read_nest is not consistent with other
error checks in this function and can lead to memory leaks. Instead use
the unwind goto used elsewhere to ensure that the memory is freed.

This issue was found by Smatch.

Signed-off-by: Andrew Goodbody <[email protected]>
---
 fs/squashfs/sqfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 
2dcdd60f68343f801bd73e318568fb030434ed31..4d3d83b75873f4d66f2dbd544ae6715f66f5d289
 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -1584,8 +1584,10 @@ static int sqfs_read_nest(const char *filename, void 
*buf, loff_t offset,
        table_offset = frag_entry.start - (start * ctxt.cur_dev->blksz);
        n_blks = DIV_ROUND_UP(table_size + table_offset, ctxt.cur_dev->blksz);
 
-       if (__builtin_mul_overflow(n_blks, ctxt.cur_dev->blksz, &buf_size))
-               return -EINVAL;
+       if (__builtin_mul_overflow(n_blks, ctxt.cur_dev->blksz, &buf_size)) {
+               ret = -EINVAL;
+               goto out;
+       }
 
        fragment = malloc_cache_aligned(buf_size);
 

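Review bot: the new `goto out` in the `__builtin_mul_overflow` branch is taken before `fragment = malloc_cache_aligned(buf_size);` has run, so the cleanup at `out` must be safe while `fragment` is still unassigned. Please confirm that `fragment` is initialised to NULL at its declaration (not visible in this hunk). It would also help if the commit message named the allocations the old `return -EINVAL;` leaked, and carried a Fixes: tag for the commit that introduced that early return.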
---
base-commit: da47ddebd16a7e1047da8537fbf01558d2a89fcf
change-id: 20251002-fs_squashfs-ef3fa4928e33

Best regards,
-- 
Andrew Goodbody <[email protected]>
