In function parse_subframe() at drivers/staging/rtl8192e/rtllib_rx.c:735, the call to dev_alloc_skb() at line 780 may return a NULL pointer when there is not enough memory, but its return value is never checked against NULL before it is dereferenced in function skb_reserve() (called at line 781), and thus an invalid memory access error may be triggered. Besides, the same issue exists when dev_alloc_skb() is called at line 828. The related code snippets in function parse_subframe() are as follows.

parse_subframe @ drivers/staging/rtl8192e/rtllib_rx.c:735

735 static u8 parse_subframe(struct rtllib_device *ieee, struct sk_buff *skb,
736                          struct rtllib_rx_stats *rx_stats,
737                          struct rtllib_rxb *rxb, u8 *src, u8 *dst)
738 {
    ...
779         /* Allocate new skb for releasing to upper layer */
780         sub_skb = dev_alloc_skb(RTLLIB_SKBBUFFER_SIZE); //NOTE: sub_skb should be checked against NULL
781         skb_reserve(sub_skb, 12);
    ...
827         /* Allocate new skb for releasing to upper layer */
828         sub_skb = dev_alloc_skb(nSubframe_Length + 12); //NOTE: sub_skb should be checked against NULL
829         skb_reserve(sub_skb, 12);
    ...
857 }

Generally, the return value of dev_alloc_skb() shall be checked against NULL before it is used, like the following code snippet in function ieee80211_send_bar().

ieee80211_send_bar @ net/mac80211/agg-tx.c:113

113 void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
114 {
    ...
121         skb = dev_alloc_skb(sizeof(*bar) + local->hw.extra_tx_headroom);
122         if (!skb)
123                 return;
124
125         skb_reserve(skb, local->hw.extra_tx_headroom);
    ...
141 }

Thank you!

RUC_Soft_Sec, supported by China.X.Orion
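To make the failure mode and the recommended check concrete, here is an added user-space model of the allocation loop in parse_subframe(); it is example code written for this report, not the driver's code. The types toy_skb and toy_rxb, the allocator toy_alloc_skb() with its fault-injection knob toy_fail_after, and the helpers toy_skb_reserve(), toy_rxb_release(), toy_parse_subframes() and demo_run() are all constructed stand-ins for the kernel's sk_buff, rtllib_rxb, dev_alloc_skb() and skb_reserve(), not real kernel APIs. It goes one step beyond the report's minimal fix: when an allocation fails part-way through the frame, it releases the subframes allocated so far so the caller is left with an empty, consistent rxb rather than a half-filled one.

```c
#include <stdio.h>
#include <stdlib.h>

#define TOY_HEADROOM 12   /* the 12-byte skb_reserve() in the report */
#define TOY_MAX_SUB  8    /* the toy rxb holds at most this many subframes */

/* Constructed stand-ins for struct sk_buff and struct rtllib_rxb. */
struct toy_skb { unsigned char *head; size_t data_off; };
struct toy_rxb { struct toy_skb *sub[TOY_MAX_SUB]; int nr; };

/* Fault injection (constructed): -1 never fails; otherwise the allocator
 * succeeds this many times and then returns NULL, modelling dev_alloc_skb()
 * under memory pressure. */
static int toy_fail_after = -1;

static struct toy_skb *toy_alloc_skb(size_t len)
{
    struct toy_skb *skb;

    if (toy_fail_after == 0)
        return NULL;
    if (toy_fail_after > 0)
        toy_fail_after--;
    skb = calloc(1, sizeof(*skb));
    if (skb && !(skb->head = calloc(1, len))) {
        free(skb);
        skb = NULL;
    }
    return skb;
}

static void toy_free_skb(struct toy_skb *skb)
{
    if (skb)
        free(skb->head);
    free(skb);
}

/* Like skb_reserve(): dereferences skb unconditionally, so passing NULL is
 * exactly the invalid access the report describes. */
static void toy_skb_reserve(struct toy_skb *skb, size_t len)
{
    skb->data_off += len;
}

static void toy_rxb_release(struct toy_rxb *rxb)
{
    for (int i = 0; i < rxb->nr; i++)
        toy_free_skb(rxb->sub[i]);
    rxb->nr = 0;
}

/* Hardened model of the allocation loop in parse_subframe(): check every
 * allocation before it is used, and on failure free the subframes allocated
 * so far so the caller gets an empty, consistent rxb. Returns the number of
 * subframes on success, -1 on allocation failure. */
static int toy_parse_subframes(struct toy_rxb *rxb, const size_t *sub_len, int n)
{
    rxb->nr = 0;
    for (int i = 0; i < n && i < TOY_MAX_SUB; i++) {
        struct toy_skb *sub = toy_alloc_skb(sub_len[i] + TOY_HEADROOM);

        if (!sub) {                 /* the check the report asks for */
            toy_rxb_release(rxb);   /* undo partial work instead of crashing */
            return -1;
        }
        toy_skb_reserve(sub, TOY_HEADROOM);
        rxb->sub[rxb->nr++] = sub;
    }
    return rxb->nr;
}

/* Run the parser over three constructed subframes with the allocator set to
 * fail after `fail_after` successes. Returns the subframe count on success,
 * -1 on a failure that left the rxb empty, -2 on a failure that leaked
 * subframes (which the hardened loop never does). */
static int demo_run(int fail_after)
{
    struct toy_rxb rxb;
    size_t lens[3] = {40, 60, 80};
    int rc;

    toy_fail_after = fail_after;
    rc = toy_parse_subframes(&rxb, lens, 3);
    if (rc < 0)
        return rxb.nr == 0 ? -1 : -2;
    toy_rxb_release(&rxb);
    return rc;
}

int main(void)
{
    printf("no failure : rc=%d\n", demo_run(-1));   /* 3 */
    printf("fail on 2nd: rc=%d\n", demo_run(1));    /* -1 */
    return 0;
}
```

Without the `if (!sub)` branch, the second scenario would call toy_skb_reserve(NULL, 12) and fault, which is the same shape as the kernel dereference at lines 781 and 829; with it, the failure is reported to the caller and nothing allocated earlier in the frame is leaked.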