Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

squashfs: fix memory leak in squashfs_fill_super

If sb_min_blocksize returns 0, squashfs_fill_super exits without freeing
allocated memory (sb->s_fs_info).

Fix this by moving the call to sb_min_blocksize to before memory is
allocated.

Link: https://lkml.kernel.org/r/20250811223740.110392-1-phillip@squashfs.org.uk
Fixes: 734aa85390ea ("Squashfs: check return result of sb_min_blocksize")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: Scott GUO <scottzhguo@tencent.com>
Closes: https://lore.kernel.org/all/20250811061921.3807353-1-scott_gzh@163.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

Authored by Phillip Lougher and committed by Andrew Morton
b64700d4 44958f20

+7 -7
fs/squashfs/super.c
··· 187 187 unsigned short flags; 188 188 unsigned int fragments; 189 189 u64 lookup_table_start, xattr_id_table_start, next_table; 190 - int err; 190 + int err, devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); 191 191 192 192 TRACE("Entered squashfs_fill_superblock\n"); 193 + 194 + if (!devblksize) { 195 + errorf(fc, "squashfs: unable to set blocksize\n"); 196 + return -EINVAL; 197 + } 193 198 194 199 sb->s_fs_info = kzalloc(sizeof(*msblk), GFP_KERNEL); 195 200 if (sb->s_fs_info == NULL) { ··· 206 201 207 202 msblk->panic_on_errors = (opts->errors == Opt_errors_panic); 208 203 209 - msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); 210 - if (!msblk->devblksize) { 211 - errorf(fc, "squashfs: unable to set blocksize\n"); 212 - return -EINVAL; 213 - } 214 - 204 + msblk->devblksize = devblksize; 215 205 msblk->devblksize_log2 = ffz(~msblk->devblksize); 216 206 217 207 mutex_init(&msblk->meta_index_mutex);
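
Review bot: In the first hunk, `int err, devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);` places a call that can fail, and that sets the block size, inside a multi-variable declaration ahead of the `TRACE("Entered squashfs_fill_superblock\n")` line, where it is easy to overlook. Consider declaring `int err, devblksize;` and making the call a separate statement after the TRACE. The ordering is what fixes the leak, because the `return -EINVAL` path frees nothing, so a one-line comment saying the call must stay before the `kzalloc` of `sb->s_fs_info` would keep a later cleanup from moving it back next to `msblk->devblksize = devblksize;` in the second hunk.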