In function SendTxCommandPacket() at drivers/staging/rtl8192u/r819xU_cmdpkt.c:42, the call to dev_alloc_skb() at line 58 may return a NULL pointer when there is not enough memory, but its return value is never checked against NULL before it is dereferenced at line 59 (and again at lines 60 and 64), so an invalid memory access (a NULL pointer dereference in the driver) may be triggered. The related code snippets in function SendTxCommandPacket() are as follows.

SendTxCommandPacket @ drivers/staging/rtl8192u/r819xU_cmdpkt.c:42

 42 SendTxCommandPacket(
 43     struct net_device *dev,
 44     void* pData,
 45     u32 DataLen
 46     )
 47 {
    ...
 58     skb = dev_alloc_skb(USB_HWDESC_HEADER_LEN + DataLen + 4); //NOTE: skb should be checked against NULL
 59     memcpy((unsigned char *)(skb->cb),&dev,sizeof(dev));
 60     tcb_desc = (cb_desc*)(skb->cb + MAX_DEV_ADDR_SIZE);
 61     tcb_desc->queue_index = TXCMD_QUEUE;
 62     tcb_desc->bCmdOrInit = DESC_PACKET_TYPE_NORMAL;
 63     tcb_desc->bLastIniPkt = 0;
 64     skb_reserve(skb, USB_HWDESC_HEADER_LEN);
    ...
 80 }

Generally, the return value of dev_alloc_skb() shall be checked against NULL before it is used, like the following code snippet in function ieee80211_send_bar().

ieee80211_send_bar @ net/mac80211/agg-tx.c:113

113 void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
114 {
    ...
121     skb = dev_alloc_skb(sizeof(*bar) + local->hw.extra_tx_headroom);
122     if (!skb)
123         return;
124
125     skb_reserve(skb, local->hw.extra_tx_headroom);
    ...
141 }

Thank you!

RUC_Soft_Sec, supported by China.X.Orion
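As an added illustration (not part of this report and not the rtl8192u driver's own code), the following user-space C model replays the allocation sequence from the excerpt with the missing check in place, and wires in a fault-injecting stand-in for dev_alloc_skb() so the out-of-memory path can actually be exercised rather than assumed. The sk_buff and cb_desc layouts, the values of USB_HWDESC_HEADER_LEN and MAX_DEV_ADDR_SIZE, and every model_* name are constructed stand-ins, not the kernel's definitions; the checked function returns -ENOMEM to its caller instead of touching skb->cb when the allocation fails.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the driver's constants (assumptions, not the kernel's values). */
#define USB_HWDESC_HEADER_LEN 8
#define MAX_DEV_ADDR_SIZE     8
#define SKB_CB_SIZE           48

/* Minimal model of struct sk_buff: only the fields the excerpt touches. */
struct sk_buff {
    unsigned char  cb[SKB_CB_SIZE];
    unsigned char *head;   /* start of the allocated buffer */
    unsigned char *data;   /* payload pointer, advanced by skb_reserve() */
};

struct cb_desc {           /* model of the fields written through skb->cb */
    unsigned char queue_index;
    unsigned char bCmdOrInit;
    unsigned char bLastIniPkt;
};

/* Fault injection: when set, the next allocation returns NULL, as dev_alloc_skb() can. */
static bool fail_next_alloc = false;

static struct sk_buff *model_dev_alloc_skb(size_t size)
{
    struct sk_buff *skb;
    if (fail_next_alloc) {
        fail_next_alloc = false;
        return NULL;
    }
    skb = calloc(1, sizeof(*skb));
    if (!skb)
        return NULL;
    skb->head = calloc(1, size);
    if (!skb->head) {
        free(skb);
        return NULL;
    }
    skb->data = skb->head;
    return skb;
}

static void model_kfree_skb(struct sk_buff *skb)
{
    if (skb) {
        free(skb->head);
        free(skb);
    }
}

/* The excerpt's sequence with the missing check added. Returns 0 and stores the buffer
 * in *out on success, -ENOMEM if the allocation fails; nothing is dereferenced on failure. */
int model_send_tx_command_packet(void *dev, const void *data, size_t data_len,
                                 struct sk_buff **out)
{
    struct cb_desc *tcb_desc;
    struct sk_buff *skb;
    *out = NULL;
    skb = model_dev_alloc_skb(USB_HWDESC_HEADER_LEN + data_len + 4);
    if (!skb)
        return -ENOMEM;                 /* the check the report asks for */

    memcpy(skb->cb, &dev, sizeof(dev));
    tcb_desc = (struct cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
    tcb_desc->queue_index = 1;          /* stand-in for TXCMD_QUEUE */
    tcb_desc->bCmdOrInit  = 0;          /* stand-in for DESC_PACKET_TYPE_NORMAL */
    tcb_desc->bLastIniPkt = 0;
    skb->data += USB_HWDESC_HEADER_LEN; /* what skb_reserve() does */
    memcpy(skb->data, data, data_len);  /* payload lands after the header */

    *out = skb;
    return 0;
}

/* Exercises both paths. Returns 0 when the checked function behaves as intended,
 * otherwise a positive code naming the first failed expectation. */
int model_selftest(void)
{
    int dev_tag = 42;
    const unsigned char payload[4] = { 1, 2, 3, 4 };
    struct sk_buff *skb = NULL;
    if (model_send_tx_command_packet(&dev_tag, payload, sizeof(payload), &skb) != 0)
        return 1;
    if (!skb || skb->data != skb->head + USB_HWDESC_HEADER_LEN)
        return 2;
    if (memcmp(skb->data, payload, sizeof(payload)) != 0)
        return 3;
    model_kfree_skb(skb);

    fail_next_alloc = true;             /* inject the out-of-memory condition */
    if (model_send_tx_command_packet(&dev_tag, payload, sizeof(payload), &skb) != -ENOMEM)
        return 4;
    return skb == NULL ? 0 : 5;         /* caller must not be handed a stale pointer */
}
```

The point of the fault-injection switch is that the failure branch is the one normal testing never reaches: without forcing the allocator to fail, a missing NULL check looks identical to a present one. In the real driver the same shape applies, with the function reporting the error to its caller (whatever status type SendTxCommandPacket() uses) rather than returning silently.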