In watchdog_open(), data is initialized as NULL. After the loop "list_for_each_entry" on lines 1302-1307, data may not be assigned, thus data is still NULL. In this case, data is used on line 1310: watchdog_is_open = test_and_set_bit(0, &data->watchdog_is_open); and on line 1317: kref_get(&data->kref); and on line 1326: watchdog_enable(data); Thus, possible null-pointer dereferences may occur. To fix these bugs, data is checked after the loop. If it is NULL, the mutex lock is released and -EINVAL is returned. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx> --- drivers/hwmon/w83793.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hwmon/w83793.c b/drivers/hwmon/w83793.c index 46f5dfec8d0a..f299716d5d94 100644 --- a/drivers/hwmon/w83793.c +++ b/drivers/hwmon/w83793.c @@ -1306,6 +1306,11 @@ static int watchdog_open(struct inode *inode, struct file *filp) } } + if (!data) { + mutex_unlock(&watchdog_data_mutex); + return -EINVAL; + } + /* Check, if device is already open */ watchdog_is_open = test_and_set_bit(0, &data->watchdog_is_open); -- 2.17.0
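Review bot: In the added `if (!data)` block, the return value -EINVAL is a loose fit for "the loop found no matching entry"; -ENODEV describes an open on a device that is not there more precisely, so consider `return -ENODEV;` after the `mutex_unlock(&watchdog_data_mutex);`. The new block also has no comment, while the step right after it carries "/* Check, if device is already open */"; a one-line comment saying that no list entry matched would keep the function consistent. The commit message reports this as a static-analysis finding (STCheck) and says the dereferences "may occur", but does not say whether open can actually be reached with no matching entry on the list. A sentence on that would tell maintainers whether this is a fix for a reachable crash or defensive hardening, which affects whether it needs a Fixes: tag or stable backport.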