Function get_skb() may return a NULL pointer, and its return value shall be checked before use. But in function send_flowc(), after get_skb() is called (at drivers/infiniband/hw/cxgb4/cm.c:362), the return value is immediately used as a parameter of __skb_put() without a NULL check. Besides, there is no check before the parameter is dereferenced in the callee function __skb_put(). So an invalid memory access may be triggered.

The related code snippet in send_flowc() is as follows.

send_flowc() @@ drivers/infiniband/hw/cxgb4/cm.c:362

    362         skb = get_skb(skb, flowclen, GFP_KERNEL);
    363         flowc = (struct fw_flowc_wr *)__skb_put(skb, flowclen);

And the implementation of get_skb() is as follows.

get_skb() @@ drivers/infiniband/hw/cxgb4/cm.c:301

    301 static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp)
    302 {
    303         if (skb && !skb_is_nonlinear(skb) && !skb_cloned(skb)) {
    304                 skb_trim(skb, 0);
    305                 skb_get(skb);
    306                 skb_reset_transport_header(skb);
    307         } else {
    308                 skb = alloc_skb(len, gfp);
    309         }
    310         return skb;
    311 }

Following is a call instance of send_flowc().

act_establish() @@ drivers/infiniband/hw/cxgb4/cm.c:695

    695         /* start MPA negotiation */
    696         send_flowc(ep, NULL);

So from the source code we can see that a potential NULL dereference fault exists when the path act_establish() -> send_flowc() -> get_skb() -> alloc_skb() is executed.

Thank you
RUC_Soft_Sec
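The failure mode described in the report, modelled as a stand-alone C program. This is an added example, not code from the report or from the cxgb4 driver, and the driver's actual fix is not shown on this page. The struct sk_buff, alloc_skb(), kfree_skb(), get_skb() and __skb_put() below are toy stand-ins that only borrow the kernel names; the alloc_should_fail flag is an assumed fault-injection knob standing in for allocation failure under memory pressure, and send_flowc_checked() is an assumed fix pattern (return -ENOMEM when get_skb() yields NULL), not the driver's patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for struct sk_buff: a linear buffer plus a length cursor.
 * Field and helper names mirror the kernel ones for readability only. */
struct sk_buff {
	unsigned char *data;
	size_t len;
	size_t cap;
};

/* Assumed fault-injection knob: when set, alloc_skb() fails the way the
 * kernel allocator does under memory pressure and returns NULL. */
int alloc_should_fail = 0;

static struct sk_buff *alloc_skb(size_t len)
{
	struct sk_buff *skb;

	if (alloc_should_fail)
		return NULL;
	skb = calloc(1, sizeof(*skb));
	if (!skb)
		return NULL;
	skb->data = calloc(1, len);
	if (!skb->data) {
		free(skb);
		return NULL;
	}
	skb->cap = len;
	return skb;
}

static void kfree_skb(struct sk_buff *skb)
{
	if (skb) {
		free(skb->data);
		free(skb);
	}
}

/* Same shape as the get_skb() quoted in the report: reuse the caller's skb
 * when one is supplied, otherwise allocate. The else branch is where a
 * NULL can come from. */
static struct sk_buff *get_skb(struct sk_buff *skb, size_t len)
{
	if (skb) {
		skb->len = 0;		/* stands in for skb_trim(skb, 0) */
		return skb;
	}
	return alloc_skb(len);
}

/* Like the real __skb_put(): dereferences skb without checking it. */
static unsigned char *__skb_put(struct sk_buff *skb, size_t len)
{
	unsigned char *tail = skb->data + skb->len;	/* faults if skb == NULL */

	skb->len += len;
	return tail;
}

/* The sequence from send_flowc() as reported: nothing between get_skb()
 * and __skb_put(). With skb == NULL and alloc_skb() failing this
 * dereferences NULL, so it is shown for contrast but never called. */
static int send_flowc_unchecked(struct sk_buff *skb, size_t flowclen)
{
	unsigned char *flowc;

	skb = get_skb(skb, flowclen);
	flowc = __skb_put(skb, flowclen);
	memset(flowc, 0, flowclen);
	kfree_skb(skb);			/* "transmit" consumes the skb */
	return 0;
}

/* Hardened variant (assumed fix pattern, not the driver's actual patch):
 * bail out with -ENOMEM when no skb could be obtained. */
static int send_flowc_checked(struct sk_buff *skb, size_t flowclen)
{
	unsigned char *flowc;

	skb = get_skb(skb, flowclen);
	if (!skb)
		return -ENOMEM;
	flowc = __skb_put(skb, flowclen);
	memset(flowc, 0, flowclen);
	kfree_skb(skb);			/* "transmit" consumes the skb */
	return 0;
}

int main(void)
{
	int rc;

	alloc_should_fail = 1;
	/* send_flowc_unchecked(NULL, 64) would crash here; the checked one reports. */
	rc = send_flowc_checked(NULL, 64);
	alloc_should_fail = 0;
	return rc == -ENOMEM ? 0 : 1;
}
```

The act_establish() caller in the report passes NULL, so the reuse branch of get_skb() is skipped and every call goes through alloc_skb(); that is the path the flag exercises. With GFP_KERNEL the allocation is allowed to sleep, but it is still allowed to fail, which is why the check (and an error return the caller can act on) is needed.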
I am sorry to trouble you, but I want to make sure whether this is a real bug or a false positive.

Thank you
RUC_Soft_Sec
RUC_Soft_SEC, I fixed this issue a few days ago. Can you please close this bug?

Thanks,
Nick