Re: [PATCH v3] staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

[Dan Carpenter]

On Tue, Apr 14, 2026 at 10:55:56AM +0300, Dan Carpenter wrote:
> On Tue, Apr 14, 2026 at 10:46:13AM +0300, Andy Shevchenko wrote:
> > On Tue, Apr 14, 2026 at 12:43:06PM +0530, Shyam Sunder Reddy Padira wrote:
> > > The return value of kzalloc_flex() is used without
> > > ensuring that the allocation succeeded, and the
> > > pointer is dereferenced unconditionally.
> > > 
> > > Guard the access to the allocated structure to
> > > avoid a potential NULL pointer dereference if the
> > > allocation fails.
> > 
> > You have a procedural issue here: please avoid sending a new patch version in
> > the same email thread. It makes things harder to follow. For example, I usually
> > mark the entire thread as read if I see some comments and don't want to go into
> > the details. It effectively means that I will never see the new version that
> > already was in the same thread!
> > 
> > ...
> > 
> > > --- a/drivers/staging/rtl8723bs/os_dep/osdep_service.c
> > > +++ b/drivers/staging/rtl8723bs/os_dep/osdep_service.c
> > > @@ -194,7 +194,8 @@ struct rtw_cbuf *rtw_cbuf_alloc(u32 size)
> > >  	struct rtw_cbuf *cbuf;
> > >  
> > >  	cbuf = kzalloc_flex(*cbuf, bufs, size);
> > > -	cbuf->size = size;
> > > +	if (cbuf)
> > > +		cbuf->size = size;
> > >  
> > >  	return cbuf;
> > 
> > Now to the code. This is still buggy. The problem is that the size is not
> > validated and when it's 0, the same issue (dereference of invalid pointer)
> > will happen.
> > 
> > Dan, JFYI k*alloc*(0) returns not NULL and not valid pointer.
> 
> kzalloc_flex() basically can't return the ZERO_SIZE pointer.

I meant ZERO_SIZE_PTR.

regards,
dan carpenter