Bug 44631

Summary: Missing NULL check of the return value of get_skb() in function send_flowc()
Product: Drivers                     Reporter: RUC_Soft_Sec (rucsoftsec)
Component: Infiniband/RDMA           Assignee: drivers_infiniband-rdma
Status: RESOLVED CODE_FIX
Severity: normal                     CC: xerofoify
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.39               Subsystem:
Regression: No                       Bisected commit-id:

Description RUC_Soft_Sec 2012-07-13 02:16:03 UTC
Function get_skb() may return a NULL pointer, and its return value shall be checked before it is used. But in function send_flowc(), after get_skb() is called (at drivers/infiniband/hw/cxgb4/cm.c:362), the return value is immediately used as a parameter of __skb_put() without a NULL check. Besides, there is no check before the parameter is dereferenced in the callee function __skb_put(). So an invalid memory access may be triggered.
The related code snippets in send_flowc() are as follows.
send_flowc() @@drivers/infiniband/hw/cxgb4/cm.c:362
 362        skb = get_skb(skb, flowclen, GFP_KERNEL);
 363        flowc = (struct fw_flowc_wr *)__skb_put(skb, flowclen);

And the implementation of get_skb() is as follows.
get_skb() drivers/infiniband/hw/cxgb4/cm.c:301
 301 static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp)
 302 {
 303         if (skb && !skb_is_nonlinear(skb) && !skb_cloned(skb)) {
 304                 skb_trim(skb, 0);
 305                 skb_get(skb);
 306                 skb_reset_transport_header(skb);
 307         } else {
 308                 skb = alloc_skb(len, gfp);
 309         }
 310         return skb;
 311 }

Following is a call instance of send_flowc().
act_establish @@drivers/infiniband/hw/cxgb4/cm.c:695
 695        /* start MPA negotiation */
 696        send_flowc(ep, NULL);

So from the source code we can see that a potential NULL dereference fault exists when the path act_establish()->send_flowc()->get_skb()->alloc_skb() is executed.

Thank you

RUC_Soft_Sec
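A user-space model of the pattern in this report, added here as an example and not code from the kernel or from the reporter: it stands in for get_skb(), alloc_skb() and __skb_put() with simplified structs and a constructed allocation-failure switch (all assumptions), and places the checked send_flowc() beside the unchecked one so that the allocation-failure path returns -ENOMEM instead of dereferencing NULL.

```c
/* Added example: a user-space model of the get_skb()/send_flowc() pattern
 * described in the report, not the cxgb4 driver's code. The struct, the
 * allocator and the failure switch below are simplified stand-ins
 * (assumptions) so the block compiles and runs without kernel headers. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sk_buff {
    unsigned char *head;   /* start of buffer */
    unsigned char *tail;   /* end of data written so far */
    unsigned char *end;    /* end of buffer */
    int nonlinear;         /* models skb_is_nonlinear() */
    int cloned;            /* models skb_cloned() */
};

/* Constructed fault switch: when set, the next alloc_skb() fails the way a
 * real allocation fails under memory pressure (assumption for this model). */
static int fail_next_alloc;

static struct sk_buff *alloc_skb(size_t len)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    struct sk_buff *skb = calloc(1, sizeof *skb);
    if (!skb)
        return NULL;
    skb->head = calloc(1, len ? len : 1);
    if (!skb->head) {
        free(skb);
        return NULL;
    }
    skb->tail = skb->head;
    skb->end = skb->head + len;
    return skb;
}

static void kfree_skb(struct sk_buff *skb)
{
    if (skb) {
        free(skb->head);
        free(skb);
    }
}

/* Mirrors the get_skb() quoted above: reuse a linear, unshared skb, otherwise
 * allocate a new one. The allocation may fail, so the result may be NULL. */
static struct sk_buff *get_skb(struct sk_buff *skb, size_t len)
{
    if (skb && !skb->nonlinear && !skb->cloned) {
        skb->tail = skb->head;          /* skb_trim(skb, 0) */
        return skb;
    }
    return alloc_skb(len);              /* may return NULL */
}

/* Stands in for __skb_put(): reserves len bytes at the tail and dereferences
 * skb unconditionally, exactly the property the report points out. */
static void *model_skb_put(struct sk_buff *skb, size_t len)
{
    void *p = skb->tail;                /* a NULL skb faults here */
    skb->tail += len;
    return p;
}

struct fw_flowc_wr {
    unsigned int op;
    unsigned int len;
};

/* Unchecked form, matching the reported cm.c:362 pattern: must never be
 * reached with a failed allocation. Kept only for comparison. */
static void send_flowc_unchecked(struct sk_buff *skb_in, struct sk_buff **out)
{
    size_t flowclen = sizeof(struct fw_flowc_wr);
    struct sk_buff *skb = get_skb(skb_in, flowclen);
    struct fw_flowc_wr *flowc = model_skb_put(skb, flowclen);   /* NULL deref if get_skb() failed */
    memset(flowc, 0, flowclen);
    flowc->len = (unsigned int)flowclen;
    *out = skb;
}

/* Hardened form: the NULL check the report asks for. Returns 0 on success and
 * -ENOMEM when no buffer could be obtained; *out receives the filled skb. */
static int send_flowc_checked(struct sk_buff *skb_in, struct sk_buff **out)
{
    size_t flowclen = sizeof(struct fw_flowc_wr);
    struct sk_buff *skb = get_skb(skb_in, flowclen);
    struct fw_flowc_wr *flowc;

    if (!skb)
        return -ENOMEM;                 /* the missing check */

    flowc = model_skb_put(skb, flowclen);
    memset(flowc, 0, flowclen);
    flowc->len = (unsigned int)flowclen;
    *out = skb;
    return 0;
}

/* Failure path: allocation fails, checked variant reports -ENOMEM. */
int demo_alloc_failure(void)
{
    struct sk_buff *out = NULL;
    fail_next_alloc = 1;
    return send_flowc_checked(NULL, &out);
}

/* Success path with a fresh skb: returns the number of bytes put (8). */
int demo_success_fresh(void)
{
    struct sk_buff *out = NULL;
    int rc = send_flowc_checked(NULL, &out);
    if (rc)
        return rc;
    int used = (int)(out->tail - out->head);
    kfree_skb(out);
    return used;
}

/* Reuse path: a linear, unshared skb is handed back rather than reallocated. */
int demo_reuse(void)
{
    struct sk_buff *pre = alloc_skb(64);
    struct sk_buff *out = NULL;
    int same = 0;
    if (!pre)
        return -ENOMEM;
    send_flowc_unchecked(pre, &out);    /* safe here: get_skb() cannot fail on reuse */
    same = (out == pre);
    kfree_skb(pre);
    return same;
}

int main(void)
{
    printf("alloc failure -> %d (expect %d)\n", demo_alloc_failure(), -ENOMEM);
    printf("fresh skb used bytes -> %d\n", demo_success_fresh());
    printf("reuse returns same skb -> %d\n", demo_reuse());
    return 0;
}
```

The point of the model is the control flow, not the buffer layout: only the reuse branch of get_skb() is guaranteed to return non-NULL, and the act_establish() caller passes NULL, so every call from that site takes the allocating branch and must be followed by a NULL check.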
Comment 1 RUC_Soft_Sec 2012-08-14 13:40:16 UTC
I am sorry to trouble you, but I want to make sure whether this is a real bug or a false positive.

Thank you

RUC_Soft_Sec
Comment 2 xerofoify 2014-06-18 21:01:06 UTC
RUC_Soft_SEC, I fixed this issue a few days ago. Can you please close this bug?

Thanks,
Nick