[ This is old, but maybe the driver is still really actively maintained so maybe someone knows the answer. - dan ] Hello Marvell Developers, The patch 5e6e3a92b9a4: "wireless: mwifiex: initial commit for Marvell mwifiex driver" from Mar 21, 2011, leads to the following static checker warning: drivers/net/wireless/marvell/mwifiex/11n.c:505 mwifiex_11n_delete_tx_ba_stream_tbl_entry() error: we previously assumed 'tx_ba_tsr_tbl' could be null (see line 498) drivers/net/wireless/marvell/mwifiex/11n.c 472 /* 473 * This function checks if the given pointer is valid entry of 474 * Tx BA Stream table. 475 */ 476 static int mwifiex_is_tx_ba_stream_ptr_valid(struct mwifiex_private *priv, 477 struct mwifiex_tx_ba_stream_tbl *tx_tbl_ptr) ^^^^^^^^^^ This is always NULL. 478 { 479 struct mwifiex_tx_ba_stream_tbl *tx_ba_tsr_tbl; 480 481 list_for_each_entry(tx_ba_tsr_tbl, &priv->tx_ba_stream_tbl_ptr, list) { 482 if (tx_ba_tsr_tbl == tx_tbl_ptr) ^^^^^^^^^^^^^ tx_ba_tsr_tbl is the list iterator, which is never NULL so this will never return true. 483 return true; 484 } 485 486 return false; 487 } 488 489 /* 490 * This function deletes the given entry in Tx BA Stream table. 491 * 492 * The function also performs a validity check on the supplied 493 * pointer before trying to delete. 494 */ 495 void mwifiex_11n_delete_tx_ba_stream_tbl_entry(struct mwifiex_private *priv, 496 struct mwifiex_tx_ba_stream_tbl *tx_ba_tsr_tbl) 497 { 498 if (!tx_ba_tsr_tbl && ^^^^^^^^^^^^^ Check for NULL 499 mwifiex_is_tx_ba_stream_ptr_valid(priv, tx_ba_tsr_tbl)) ^^^^^^^^^^^^^ Which is passed to here. So maybe the NULL check is reversed? 500 return; 501 502 mwifiex_dbg(priv->adapter, INFO, 503 "info: tx_ba_tsr_tbl %p\n", tx_ba_tsr_tbl); 504 505 list_del(&tx_ba_tsr_tbl->list); ^^^^^^^^^^^^^^^^^^^ Unchecked NULL dereference 506 507 kfree(tx_ba_tsr_tbl); 508 } regards, dan carpenter