sound: usb: usx2y: is it a null pointer dereference in function usX2Y_rate_set?
Hi, all: when reviewing function usX2Y_rate_set, there may exist a NULL pointer dereference if kmalloc_array failed or usb_alloc_urb failed; in cleanup, we should judge whether us->urb[i] is NULL first.

static int usX2Y_rate_set(struct usX2Ydev *usX2Y, int rate)
{
	us = kzalloc(sizeof(*us) + sizeof(struct urb*) * NOOF_SETRATE_URBS, GFP_KERNEL);
	if (NULL == us) {
		err = -ENOMEM;
		goto cleanup;
	}
	usbdata = kmalloc_array(NOOF_SETRATE_URBS, sizeof(int), GFP_KERNEL);
	if (NULL == usbdata) {
		err = -ENOMEM;
		goto cleanup;
	}
	for (i = 0; i < NOOF_SETRATE_URBS; ++i) {
		if (NULL == (us->urb[i] = usb_alloc_urb(0, GFP_KERNEL))) {
			err = -ENOMEM;
			goto cleanup;
		}
		...
	}
	...
cleanup:
	if (us) {
		us->submitted = 2*NOOF_SETRATE_URBS;
		for (i = 0; i < NOOF_SETRATE_URBS; ++i) {
			struct urb *urb = us->urb[i];
			if (urb->status) {
				if (!err)
					err = -ENODEV;
				usb_kill_urb(urb);
			}
			usb_free_urb(urb);
On Mon, 20 Apr 2020 09:22:11 +0200, 亿一 wrote:
> Hi, all: when reviewing function usX2Y_rate_set, there may exist a NULL pointer dereference if kmalloc_array failed or usb_alloc_urb failed; in cleanup, we should judge whether us->urb[i] is NULL first.
Right, that's a missing check. Would you submit the fix patch, or shall I write quickly?
thanks,
Takashi
You can patch it and add a Reported-by Lin Yi <teroincn@gmail.com> if you please.
thanks,
Lin Yi
On Mon, Apr 20, 2020 at 3:34 PM, Takashi Iwai <tiwai@suse.de> wrote:
> On Mon, 20 Apr 2020 09:22:11 +0200, 亿一 wrote:
>> Hi, all: when reviewing function usX2Y_rate_set, there may exist a NULL pointer dereference if kmalloc_array failed or usb_alloc_urb failed; in cleanup, we should judge whether us->urb[i] is NULL first.
> Right, that's a missing check. Would you submit the fix patch, or shall I write quickly?
> thanks,
> Takashi
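
The error path discussed in this thread, as an added userspace model (not part of the original messages and not kernel code). The names fake_urb, mock_alloc_urb, rate_set_model, urbs_freed and NOOF_URBS are hypothetical stand-ins; the model relies on the container being zero-filled, as kzalloc does, so slots that were never allocated read as NULL and the cleanup loop can skip them.

```c
/* Userspace model of the cleanup path (constructed example, not kernel code). */
#include <stdlib.h>
#include <errno.h>

#define NOOF_URBS 4                  /* stand-in for NOOF_SETRATE_URBS */

struct fake_urb { int status; };     /* stand-in for struct urb */
struct set_rate { int submitted; struct fake_urb *urb[NOOF_URBS]; };

static int fail_at = -1;             /* index at which the mock allocator fails */
static int freed;                    /* URBs released by the last cleanup */

static struct fake_urb *mock_alloc_urb(int i)
{
	return i == fail_at ? NULL : calloc(1, sizeof(struct fake_urb));
}

/* Cleanup that tolerates a partially filled urb[] array. */
static void cleanup_urbs(struct set_rate *us, int *err)
{
	freed = 0;
	for (int i = 0; i < NOOF_URBS; ++i) {
		struct fake_urb *urb = us->urb[i];
		if (!urb)                /* slot never allocated: nothing to inspect */
			continue;
		if (urb->status && !*err)
			*err = -ENODEV;
		free(urb);
		freed++;
	}
}

int rate_set_model(int fail_index)
{
	int err = 0;
	struct set_rate *us = calloc(1, sizeof(*us));   /* zeroed, like kzalloc */
	if (!us)
		return -ENOMEM;
	fail_at = fail_index;
	for (int i = 0; i < NOOF_URBS; ++i) {
		us->urb[i] = mock_alloc_urb(i);
		if (!us->urb[i]) {
			err = -ENOMEM;
			break;               /* same effect as "goto cleanup" */
		}
	}
	cleanup_urbs(us, &err);
	free(us);
	return err;
}

int urbs_freed(void) { return freed; }
```
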