diff --git a/gocryptfs-xray/xray_main.go b/gocryptfs-xray/xray_main.go
index b99268b..e68e463 100644
--- a/gocryptfs-xray/xray_main.go
+++ b/gocryptfs-xray/xray_main.go
@@ -154,10 +154,19 @@ func dumpMasterKey(fn string, fido2Path string) {
 		pw = readpassword.Once(nil, nil, "")
 	}
 	masterkey, err := cf.DecryptMasterKey(pw)
-	fmt.Println(hex.EncodeToString(masterkey))
+	// Purge password from memory
 	for i := range pw {
 		pw[i] = 0
 	}
+	if err != nil {
+		tlog.Fatal.Println(err)
+		os.Exit(exitcodes.LoadConf)
+	}
+	fmt.Println(hex.EncodeToString(masterkey))
+	// Purge masterkey from memory
+	for i := range masterkey {
+		masterkey[i] = 0
+	}
 }
 
 func inspectCiphertext(fd *os.File, aessiv bool) {
diff --git a/internal/fusefrontend/file.go b/internal/fusefrontend/file.go
index 716a0db..ef043ae 100644
--- a/internal/fusefrontend/file.go
+++ b/internal/fusefrontend/file.go
@@ -277,16 +277,13 @@ func (f *File) Read(ctx context.Context, buf []byte, off int64) (resultData fuse
 // Empty writes do nothing and are allowed.
 func (f *File) doWrite(data []byte, off int64) (uint32, syscall.Errno) {
 	fileWasEmpty := false
-	// Get the file ID, create a new one if it does not exist yet.
-	var fileID []byte
 	// The caller has exclusively locked ContentLock, which blocks all other
 	// readers and writers. No need to take IDLock.
-	if f.fileTableEntry.ID != nil {
-		fileID = f.fileTableEntry.ID
-	} else {
-		// If the file ID is not cached, read it from disk
+	//
+	// If the file ID is not cached, read it from disk
+	if f.fileTableEntry.ID == nil {
 		var err error
-		fileID, err = f.readFileID()
+		fileID, err := f.readFileID()
 		// Write a new file header if the file is empty
 		if err == io.EOF {
 			fileID, err = f.createHeader()
diff --git a/internal/fusefrontend/node.go b/internal/fusefrontend/node.go
index 8a3cfa2..7280624 100644
--- a/internal/fusefrontend/node.go
+++ b/internal/fusefrontend/node.go
@@ -354,23 +354,25 @@ func (n *Node) Symlink(ctx context.Context, target, name string, out *fuse.Entry
 	if !rn.args.PlaintextNames && nametransform.IsLongContent(cName) {
 		err = rn.nameTransform.WriteLongNameAt(dirfd, cName, name)
 		if err != nil {
-			errno = fs.ToErrno(err)
-			return
+			return nil, fs.ToErrno(err)
 		}
 		// Create "gocryptfs.longfile." symlink
 		err = syscallcompat.SymlinkatUser(cTarget, dirfd, cName, ctx2)
 		if err != nil {
 			nametransform.DeleteLongNameAt(dirfd, cName)
+			return nil, fs.ToErrno(err)
 		}
 	} else {
 		// Create symlink
 		err = syscallcompat.SymlinkatUser(cTarget, dirfd, cName, ctx2)
+		if err != nil {
+			return nil, fs.ToErrno(err)
+		}
 	}
 
 	st, err := syscallcompat.Fstatat2(dirfd, cName, unix.AT_SYMLINK_NOFOLLOW)
 	if err != nil {
-		errno = fs.ToErrno(err)
-		return
+		return nil, fs.ToErrno(err)
 	}
 	// Report the plaintext size, not the encrypted blob size
 	st.Size = int64(len(target))
diff --git a/internal/fusefrontend/prepare_syscall_test.go b/internal/fusefrontend/prepare_syscall_test.go
index 28e655c..693f62a 100644
--- a/internal/fusefrontend/prepare_syscall_test.go
+++ b/internal/fusefrontend/prepare_syscall_test.go
@@ -63,8 +63,8 @@ func TestPrepareAtSyscall(t *testing.T) {
 	syscall.Close(dirfd)
 
 	dirfd, cName, errno = rn.prepareAtSyscall("dir1")
-	if err != nil {
-		t.Fatal(err)
+	if errno != 0 {
+		t.Fatal(errno)
 	}
 	if cName == "" {
 		t.Fatal("cName should not be empty")
diff --git a/internal/syscallcompat/open_nofollow_test.go b/internal/syscallcompat/open_nofollow_test.go
index 1eeac3a..0d3ac3d 100644
--- a/internal/syscallcompat/open_nofollow_test.go
+++ b/internal/syscallcompat/open_nofollow_test.go
@@ -33,6 +33,7 @@ func TestOpenNofollow(t *testing.T) {
 	os.Symlink(tmpDir+"/d1.renamed", tmpDir+"/d1")
 	fd, err = OpenDirNofollow(tmpDir, "d1/d2/d3")
 	if err == nil {
+		syscall.Close(fd)
 		t.Fatalf("should have failed")
 	}
 	if err != syscall.ELOOP && err != syscall.ENOTDIR {
diff --git a/tests/defaults/acl_test.go b/tests/defaults/acl_test.go
index b3826e8..f3c707e 100644
--- a/tests/defaults/acl_test.go
+++ b/tests/defaults/acl_test.go
@@ -109,6 +109,9 @@ func TestAcl543(t *testing.T) {
 		t.Fatal(err)
 	}
 	fi, err := os.Stat(fn1)
+	if err != nil {
+		t.Fatal(err)
+	}
 	if fi.Mode() != modeWant {
 		t.Fatalf("mode changed from %o to %o", modeWant, fi.Mode())
 	}
@@ -178,7 +181,7 @@ func TestXattrOverflow(t *testing.T) {
 	if sz != len(val) {
 		t.Errorf("wrong sz: want %d have %d", len(val), sz)
 	}
-	sz, err = unix.Lgetxattr(fn, attr, make([]byte, 1))
+	_, err = unix.Lgetxattr(fn, attr, make([]byte, 1))
 	if err != syscall.ERANGE {
 		t.Error(err)
 	}
@@ -195,7 +198,7 @@ func TestXattrOverflow(t *testing.T) {
 	if sz != szWant {
 		t.Errorf("wrong sz: want %d have %d", szWant, sz)
 	}
-	sz, err = unix.Llistxattr(fn, make([]byte, 1))
+	_, err = unix.Llistxattr(fn, make([]byte, 1))
 	if err != syscall.ERANGE {
 		t.Error(err)
 	}
diff --git a/tests/defaults/main_test.go b/tests/defaults/main_test.go
index 2513860..ddaca68 100644
--- a/tests/defaults/main_test.go
+++ b/tests/defaults/main_test.go
@@ -363,6 +363,9 @@ func TestMd5sumMaintainers(t *testing.T) {
 
 	cmd := exec.Command("md5sum", fn, fn, fn, fn)
 	out2, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatal(err)
+	}
 	out := string(out2)
 
 	// 195191 zero bytes have this md5sum
diff --git a/tests/xattr/xattr_fd_test.go b/tests/xattr/xattr_fd_test.go
index d3f02c5..7415e54 100644
--- a/tests/xattr/xattr_fd_test.go
+++ b/tests/xattr/xattr_fd_test.go
@@ -28,7 +28,9 @@ func TestFdXattr(t *testing.T) {
 	defer syscall.Close(fd)
 	buf := make([]byte, 1000)
 	sz, err := unix.Flistxattr(fd, buf)
-	if sz != 0 {
+	if err != nil {
+		t.Error(err)
+	} else if sz != 0 {
 		t.Errorf("expected zero size, got %d", sz)
 	}
 	val1 := []byte("123456789")
@@ -64,7 +66,9 @@ func TestFdXattr(t *testing.T) {
 		t.Error(err)
 	}
 	sz, err = unix.Flistxattr(fd, buf)
-	if sz != 0 {
+	if err != nil {
+		t.Error(err)
+	} else if sz != 0 {
 		t.Errorf("expected zero size, got %d", sz)
 	}
 }