CVE-2021-46964

Source
https://cve.org/CVERecord?id=CVE-2021-46964
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-46964.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-46964
Published
2024-02-27T19:04:07.043Z
Modified
2026-03-14T11:18:51.102482Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Reserve extra IRQ vectors

Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs.

That breaks vector allocation assumptions in qla83xx_iospace_config(), qla24xx_enable_msix() and qla2x00_iospace_config(). Each of these functions computes the maximum number of qpairs as:

    ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default response queue) - 1 (ATIO, in dual or pure target mode)

max_qpairs is set to zero in the case of two CPUs and initiator mode. The number is then used to allocate ha->queue_pair_map inside qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is left NULL, but the driver thinks there are queue pairs available.

qla2xxx_queuecommand() tries to find a qpair in the map and crashes:

    if (ha->mqenable) {
            uint32_t tag;
            uint16_t hwq;
            struct qla_qpair *qpair = NULL;

            tag = blk_mq_unique_tag(cmd->request);
            hwq = blk_mq_unique_tag_to_hwq(tag);
            qpair = ha->queue_pair_map[hwq]; /* <- HERE */

            if (qpair)
                    return qla2xxx_mqueuecommand(host, cmd, qpair);
    }

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: 0000 [#1] SMP PTI
    CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
    Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]
    RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]
    Call Trace:
     scsi_queue_rq+0x58c/0xa60
     blk_mq_dispatch_rq_list+0x2b7/0x6f0
     ? __sbitmap_get_word+0x2a/0x80
     __blk_mq_sched_dispatch_requests+0xb8/0x170
     blk_mq_sched_dispatch_requests+0x2b/0x50
     __blk_mq_run_hw_queue+0x49/0xb0
     __blk_mq_delay_run_hw_queue+0xfb/0x150
     blk_mq_sched_insert_request+0xbe/0x110
     blk_execute_rq+0x45/0x70
     __scsi_execute+0x10e/0x250
     scsi_probe_and_add_lun+0x228/0xda0
     __scsi_scan_target+0xf4/0x620
     ? __pm_runtime_resume+0x4f/0x70
     scsi_scan_target+0x100/0x110
     fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]
     process_one_work+0x1ea/0x3b0
     worker_thread+0x28/0x3b0
     ? process_one_work+0x3b0/0x3b0
     kthread+0x112/0x130
     ? kthread_park+0x80/0x80
     ret_from_fork+0x22/0x30

The driver should allocate enough vectors to give every CPU its own HW queue and still handle the reserved (MB, RSP, ATIO) interrupts.

The change fixes the crash on a dual-core VM and prevents unbalanced QP allocation where nr_hw_queues is two less than the number of CPUs.
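The vector accounting above, as an added example that is not the qla2xxx driver's own code: it models max_qpairs before and after reserving the extra vectors, and guards the queue_pair_map lookup that dereferenced NULL. The hardware vector limit, the function names and the struct layout are assumptions for illustration.

```c
/* Added example, not code from the qla2xxx driver: models the MSI-X vector
 * accounting the commit message describes, before and after reserving
 * extra vectors, plus a guard on the queue_pair_map lookup that crashed.
 * hw_limit, the struct layout and the function names are assumptions. */
#include <stddef.h>
#include <stdbool.h>

/* Vectors never usable as qpairs: MB interrupt, default response queue,
 * and ATIO in dual or pure target mode. */
static int reserved_vectors(bool target_mode)
{
    return target_mode ? 3 : 2;
}

/* Vectors actually allocated. The pre-fix logic caps at the CPU count; the
 * fixed logic asks for CPU count plus the reserved ones, bounded by the
 * hardware limit. */
static int msix_count(int ncpus, int hw_limit, bool target_mode, bool fixed)
{
    int want = fixed ? ncpus + reserved_vectors(target_mode) : ncpus;
    return want < hw_limit ? want : hw_limit;
}

/* ha->max_qpairs as computed in the commit message, clamped at zero. */
static int max_qpairs(int msix, bool target_mode)
{
    int n = msix - reserved_vectors(target_mode);
    return n > 0 ? n : 0;
}

struct qla_qpair { int id; };

/* Guarded lookup: with max_qpairs == 0 no map is allocated and
 * queue_pair_map stays NULL, so indexing it is the oops above. Return NULL
 * so the caller takes the single-queue path instead. */
static struct qla_qpair *lookup_qpair(struct qla_qpair **map, int nqpairs,
                                      unsigned int hwq)
{
    if (map == NULL || nqpairs <= 0 || hwq >= (unsigned int)nqpairs)
        return NULL;
    return map[hwq];
}
```

With two CPUs in initiator mode the pre-fix path yields zero qpairs; with the reserved vectors added it yields one qpair per CPU, and a hardware cap still degrades gracefully rather than to a NULL map.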

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-46964.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "5.11"
            },
            {
                "fixed": "5.11.20"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "5.12"
            },
            {
                "fixed": "5.12.3"
            }
        ]
    }
]