Jia-Ju Bai <baijiaju1990@xxxxxxxxx> wrote:

> In ath6kl_htc_mbox_create(), when kzalloc() on line 2855 fails,
> target->dev is assigned to NULL, and ath6kl_htc_mbox_cleanup(target) is
> called on line 2885.
>
> In ath6kl_htc_mbox_cleanup(), target->dev is used on line 2895:
> ath6kl_hif_cleanup_scatter(target->dev->ar);
>
> Thus, a null-pointer dereference may occur.
>
> To fix this bug, kfree(target) is called and NULL is returned when
> kzalloc() on line 2855 fails.
>
> This bug is found by a static analysis tool STCheck written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>

Patch applied to ath-next branch of ath.git, thanks.

0e7bf23e4967 ath6kl: Fix a possible null-pointer dereference in ath6kl_htc_mbox_create()

--
https://patchwork.kernel.org/patch/11063157/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
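The error path described in the quoted commit message, as an added C example that is not part of the patch or of the ath6kl driver: the struct types, the fake_kzalloc() fault-injection hook and the mbox_* functions are hypothetical stand-ins that reproduce the same shape (a two-step allocation whose generic cleanup assumes the second step succeeded), with the fixed branch freeing only what was allocated.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the driver's types; not the real ath6kl structures. */
struct hif_dev { int scatter_enabled; };
struct htc_target { struct hif_dev *dev; };

/* Fault injection: number of allocations that succeed before one returns NULL (-1: never fail). */
int allocs_before_fail = -1;

void *fake_kzalloc(size_t n)
{
    if (allocs_before_fail == 0) return NULL;
    if (allocs_before_fail > 0) allocs_before_fail--;
    return calloc(1, n);
}

/* Like ath6kl_htc_mbox_cleanup(): assumes target->dev is valid and touches it,
 * so calling it on a target whose dev allocation failed dereferences NULL. */
void mbox_cleanup(struct htc_target *target)
{
    target->dev->scatter_enabled = 0;
    free(target->dev);
    free(target);
}

/* Creation path after the fix: free only what this function allocated, then return NULL. */
struct htc_target *mbox_create(void)
{
    struct htc_target *target = fake_kzalloc(sizeof(*target));
    if (!target) return NULL;
    target->dev = fake_kzalloc(sizeof(*target->dev));
    if (!target->dev) {
        /* Before the fix this branch called mbox_cleanup(target), which reads
         * through target->dev while target->dev is still NULL. */
        free(target);
        return NULL;
    }
    return target;
}

/* 1 if creation fails cleanly (returns NULL, no crash) when the second allocation fails. */
int create_fails_cleanly_on_second_alloc(void)
{
    allocs_before_fail = 1;             /* first kzalloc succeeds, second fails */
    struct htc_target *t = mbox_create();
    allocs_before_fail = -1;
    return t == NULL;
}
```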