Hello Michael S. Tsirkin,

The patch bab632d69ee4: "vhost: vhost TX zero-copy support" from Jul 18,
2011, leads to the following static checker warning:

	drivers/vhost/net.c:1227 vhost_net_set_backend()
	warn: 'sock' can also be NULL

drivers/vhost/net.c
  1144  static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
  1145  {
  1146          struct socket *sock, *oldsock;
  1147          struct vhost_virtqueue *vq;
  1148          struct vhost_net_virtqueue *nvq;
  1149          struct vhost_net_ubuf_ref *ubufs, *oldubufs = NULL;
  1150          int r;
  1151
  1152          mutex_lock(&n->dev.mutex);
  1153          r = vhost_dev_check_owner(&n->dev);
  1154          if (r)
  1155                  goto err;
  1156
  1157          if (index >= VHOST_NET_VQ_MAX) {
  1158                  r = -ENOBUFS;
  1159                  goto err;
  1160          }
  1161          vq = &n->vqs[index].vq;
  1162          nvq = &n->vqs[index];
  1163          mutex_lock(&vq->mutex);
  1164
  1165          /* Verify that ring has been setup correctly. */
  1166          if (!vhost_vq_access_ok(vq)) {
  1167                  r = -EFAULT;
  1168                  goto err_vq;
  1169          }
  1170          sock = get_socket(fd);
                ^^^^^^^^^^^^^^^^^^^^^
"fd" comes from the ioctl, and if we pass -1 then sock is NULL.  IS_ERR()
does not treat a NULL pointer as an error, so the check on line 1171 lets
it through (line 1180 already guards against it with "sock &&").

  1171          if (IS_ERR(sock)) {
  1172                  r = PTR_ERR(sock);
  1173                  goto err_vq;
  1174          }
  1175
  1176          /* start polling new socket */
  1177          oldsock = vq->private_data;
  1178          if (sock != oldsock) {
  1179                  ubufs = vhost_net_ubuf_alloc(vq,
  1180                                               sock && vhost_sock_zcopy(sock));
  1181                  if (IS_ERR(ubufs)) {
  1182                          r = PTR_ERR(ubufs);
  1183                          goto err_ubufs;
                                ^^^^^^^^^^^^^^^
This leads to a NULL dereference in the error-handling code.

  1184                  }
  1185

regards,
dan carpenter