From 87b7eaf3244e1a991404602c3422a4ce06bfae55 Mon Sep 17 00:00:00 2001
From: Andrew Goodbody
Date: Thu, 2 Oct 2025 11:36:09 +0100
Subject: [PATCH] fs/squashfs: Ensure memory is freed by using unwind goto

Returning immediately from sqfs_read_nest is not consistent with other error checks in this function and can lead to memory leaks. Instead use the unwind goto used elsewhere to ensure that the memory is freed. This issue was found by Smatch.

Signed-off-by: Andrew Goodbody
Acked-by: Quentin Schulz
Reviewed-by: Joao Marcos Costa
---
 fs/squashfs/sqfs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 2dcdd60f683..4d3d83b7587 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -1584,8 +1584,10 @@ static int sqfs_read_nest(const char *filename, void *buf, loff_t offset,
 table_offset = frag_entry.start - (start * ctxt.cur_dev->blksz);
 n_blks = DIV_ROUND_UP(table_size + table_offset, ctxt.cur_dev->blksz);
- if (__builtin_mul_overflow(n_blks, ctxt.cur_dev->blksz, &buf_size))
- return -EINVAL;
+ if (__builtin_mul_overflow(n_blks, ctxt.cur_dev->blksz, &buf_size)) {
+ ret = -EINVAL;
+ goto out;
+ }
 fragment = malloc_cache_aligned(buf_size);
-- 2.47.3
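Review bot: The new `goto out;` in the `__builtin_mul_overflow` branch is taken before `fragment = malloc_cache_aligned(buf_size);` runs, so the unwind is only safe if `fragment`, and every other pointer released at `out`, is initialised to NULL at its declaration. Neither the declarations nor the `out` label are visible in this hunk, so that should be confirmed against the full function before relying on the unwind path. Because `n_blks` is computed from `frag_entry`, which presumably comes from the on-disk image, this branch is reachable from a malformed filesystem and deserves a short comment above the check, for example `/* size derives from on-disk metadata: reject on overflow and unwind via out */`. sqfs_read_nest starts and ends outside the hunk.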