cve-2021-46964
Vulnerability from cvelistv5
Published
2024-02-27 18:47
Modified
2024-11-04 11:56
Severity ?
EPSS score ?
Summary
scsi: qla2xxx: Reserve extra IRQ vectors
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:43.024Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/4ecd42dec858b6632c5f024fe13e9ad6c30f2734" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/0f86d66b38501e3ac66cf2d9f9f8ad6838bad0e6" }, { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/stable/c/f02d4086a8f36a0e1aaebf559b54cf24a177a486" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-46964", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T16:01:34.918435Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T17:33:46.679Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/qla2xxx/qla_isr.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4ecd42dec858", "status": "affected", "version": "a6dcfe08487e", "versionType": "git" }, { "lessThan": "0f86d66b3850", "status": "affected", "version": "a6dcfe08487e", "versionType": "git" }, { "lessThan": "f02d4086a8f3", "status": "affected", "version": "a6dcfe08487e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/qla2xxx/qla_isr.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.11" }, { "lessThan": "5.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.11.*", "status": "unaffected", "version": "5.11.20", "versionType": "semver" }, { "lessThanOrEqual": "5.12.*", "status": "unaffected", "version": "5.12.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Reserve extra IRQ vectors\n\nCommit a6dcfe08487e (\"scsi: qla2xxx: Limit interrupt vectors to number of\nCPUs\") lowers the number of allocated MSI-X vectors to the number of CPUs.\n\nThat breaks vector allocation assumptions in qla83xx_iospace_config(),\nqla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions\ncomputes maximum number of qpairs as:\n\n ha-\u003emax_qpairs = ha-\u003emsix_count - 1 (MB interrupt) - 1 (default\n response queue) - 1 (ATIO, in dual or pure target mode)\n\nmax_qpairs is set to zero in case of two CPUs and initiator mode. The\nnumber is then used to allocate ha-\u003equeue_pair_map inside\nqla2x00_alloc_queues(). No allocation happens and ha-\u003equeue_pair_map is\nleft NULL but the driver thinks there are queue pairs available.\n\nqla2xxx_queuecommand() tries to find a qpair in the map and crashes:\n\n if (ha-\u003emqenable) {\n uint32_t tag;\n uint16_t hwq;\n struct qla_qpair *qpair = NULL;\n\n tag = blk_mq_unique_tag(cmd-\u003erequest);\n hwq = blk_mq_unique_tag_to_hwq(tag);\n qpair = ha-\u003equeue_pair_map[hwq]; # \u003c- HERE\n\n if (qpair)\n return qla2xxx_mqueuecommand(host, cmd, qpair);\n }\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP PTI\n CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014\n Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]\n RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]\n Call Trace:\n scsi_queue_rq+0x58c/0xa60\n blk_mq_dispatch_rq_list+0x2b7/0x6f0\n ? __sbitmap_get_word+0x2a/0x80\n __blk_mq_sched_dispatch_requests+0xb8/0x170\n blk_mq_sched_dispatch_requests+0x2b/0x50\n __blk_mq_run_hw_queue+0x49/0xb0\n __blk_mq_delay_run_hw_queue+0xfb/0x150\n blk_mq_sched_insert_request+0xbe/0x110\n blk_execute_rq+0x45/0x70\n __scsi_execute+0x10e/0x250\n scsi_probe_and_add_lun+0x228/0xda0\n __scsi_scan_target+0xf4/0x620\n ? __pm_runtime_resume+0x4f/0x70\n scsi_scan_target+0x100/0x110\n fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]\n process_one_work+0x1ea/0x3b0\n worker_thread+0x28/0x3b0\n ? process_one_work+0x3b0/0x3b0\n kthread+0x112/0x130\n ? kthread_park+0x80/0x80\n ret_from_fork+0x22/0x30\n\nThe driver should allocate enough vectors to provide every CPU it\u0027s own HW\nqueue and still handle reserved (MB, RSP, ATIO) interrupts.\n\nThe change fixes the crash on dual core VM and prevents unbalanced QP\nallocation where nr_hw_queues is two less than the number of CPUs." } ], "providerMetadata": { "dateUpdated": "2024-11-04T11:56:46.423Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4ecd42dec858b6632c5f024fe13e9ad6c30f2734" }, { "url": "https://git.kernel.org/stable/c/0f86d66b38501e3ac66cf2d9f9f8ad6838bad0e6" }, { "url": "https://git.kernel.org/stable/c/f02d4086a8f36a0e1aaebf559b54cf24a177a486" } ], "title": "scsi: qla2xxx: Reserve extra IRQ vectors", "x_generator": { "engine": "bippy-9e1c9544281a" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2021-46964", "datePublished": "2024-02-27T18:47:02.404Z", "dateReserved": "2024-02-27T18:42:55.942Z", "dateUpdated": "2024-11-04T11:56:46.423Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-46964\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-02-27T19:04:07.043\",\"lastModified\":\"2024-02-28T14:06:45.783\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: qla2xxx: Reserve extra IRQ vectors\\n\\nCommit a6dcfe08487e (\\\"scsi: qla2xxx: Limit interrupt vectors to number of\\nCPUs\\\") lowers the number of allocated MSI-X vectors to the number of CPUs.\\n\\nThat breaks vector allocation assumptions in qla83xx_iospace_config(),\\nqla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions\\ncomputes maximum number of qpairs as:\\n\\n ha-\u003emax_qpairs = ha-\u003emsix_count - 1 (MB interrupt) - 1 (default\\n response queue) - 1 (ATIO, in dual or pure target mode)\\n\\nmax_qpairs is set to zero in case of two CPUs and initiator mode. The\\nnumber is then used to allocate ha-\u003equeue_pair_map inside\\nqla2x00_alloc_queues(). No allocation happens and ha-\u003equeue_pair_map is\\nleft NULL but the driver thinks there are queue pairs available.\\n\\nqla2xxx_queuecommand() tries to find a qpair in the map and crashes:\\n\\n if (ha-\u003emqenable) {\\n uint32_t tag;\\n uint16_t hwq;\\n struct qla_qpair *qpair = NULL;\\n\\n tag = blk_mq_unique_tag(cmd-\u003erequest);\\n hwq = blk_mq_unique_tag_to_hwq(tag);\\n qpair = ha-\u003equeue_pair_map[hwq]; # \u003c- HERE\\n\\n if (qpair)\\n return qla2xxx_mqueuecommand(host, cmd, qpair);\\n }\\n\\n BUG: kernel NULL pointer dereference, address: 0000000000000000\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n PGD 0 P4D 0\\n Oops: 0000 [#1] SMP PTI\\n CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014\\n Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]\\n RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]\\n Call Trace:\\n scsi_queue_rq+0x58c/0xa60\\n blk_mq_dispatch_rq_list+0x2b7/0x6f0\\n ? __sbitmap_get_word+0x2a/0x80\\n __blk_mq_sched_dispatch_requests+0xb8/0x170\\n blk_mq_sched_dispatch_requests+0x2b/0x50\\n __blk_mq_run_hw_queue+0x49/0xb0\\n __blk_mq_delay_run_hw_queue+0xfb/0x150\\n blk_mq_sched_insert_request+0xbe/0x110\\n blk_execute_rq+0x45/0x70\\n __scsi_execute+0x10e/0x250\\n scsi_probe_and_add_lun+0x228/0xda0\\n __scsi_scan_target+0xf4/0x620\\n ? __pm_runtime_resume+0x4f/0x70\\n scsi_scan_target+0x100/0x110\\n fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]\\n process_one_work+0x1ea/0x3b0\\n worker_thread+0x28/0x3b0\\n ? process_one_work+0x3b0/0x3b0\\n kthread+0x112/0x130\\n ? kthread_park+0x80/0x80\\n ret_from_fork+0x22/0x30\\n\\nThe driver should allocate enough vectors to provide every CPU it\u0027s own HW\\nqueue and still handle reserved (MB, RSP, ATIO) interrupts.\\n\\nThe change fixes the crash on dual core VM and prevents unbalanced QP\\nallocation where nr_hw_queues is two less than the number of CPUs.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: qla2xxx: reservar vectores IRQ adicionales el commit a6dcfe08487e (\\\"scsi: qla2xxx: limitar los vectores de interrupci\u00f3n al n\u00famero de CPU\\\") reduce el n\u00famero de vectores MSI-X asignados al n\u00famero de CPU. Eso rompe los supuestos de asignaci\u00f3n de vectores en qla83xx_iospace_config(), qla24xx_enable_msix() y qla2x00_iospace_config(). Cualquiera de las funciones calcula el n\u00famero m\u00e1ximo de qpairs como: ha-\u0026gt;max_qpairs = ha-\u0026gt;msix_count - 1 (interrupci\u00f3n de MB) - 1 (cola de respuesta predeterminada) - 1 (ATIO, en modo de destino dual o puro) max_qpairs se establece en cero en caso de dos CPU y modo iniciador. Luego, el n\u00famero se usa para asignar ha-\u0026gt;queue_pair_map dentro de qla2x00_alloc_queues(). No se produce ninguna asignaci\u00f3n y ha-\u0026gt;queue_pair_map se deja NULL pero el controlador cree que hay pares de colas disponibles. qla2xxx_queuecommand() intenta encontrar un qpair en el mapa y falla: if (ha-\u0026gt;mqenable) { uint32_t tag; uint16_t hwq; estructura qla_qpair *qpair = NULL; etiqueta = blk_mq_unique_tag(cmd-\u0026gt;solicitud); hwq = blk_mq_unique_tag_to_hwq(etiqueta); qpair = ha-\u0026gt;queue_pair_map[hwq]; # \u0026lt;- AQU\u00cd si (qpair) return qla2xxx_mqueuecommand(host, cmd, qpair); } ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000000 #PF: acceso de lectura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0000) - p\u00e1gina no presente PGD 0 P4D 0 Vaya: 0000 [#1] CPU SMP PTI: 0 PID: 72 Comunicaciones: kworker/u4:3 Contaminado: GW 5.10.0-rc1+ #25 Nombre del hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 01/04/2014 Cola de trabajo : scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc] RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx] Seguimiento de llamadas: scsi_queue_rq+0x58c/0xa60 blk_mq_dispatch_rq_list+0x2b7/0x6f0? __sbitmap_get_word+0x2a/0x80 __blk_mq_sched_dispatch_requests+0xb8/0x170 blk_mq_sched_dispatch_requests+0x2b/0x50 __blk_mq_run_hw_queue+0x49/0xb0 __blk_mq_delay_run_hw_queue+0xfb/0 x150 blk_mq_sched_insert_request+0xbe/0x110 blk_execute_rq+0x45/0x70 __scsi_execute+0x10e/0x250 scsi_probe_and_add_lun+0x228/0xda0 __scsi_scan_target+0xf4/0x620 ? __pm_runtime_resume+0x4f/0x70 scsi_scan_target+0x100/0x110 fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc] Process_one_work+0x1ea/0x3b0 trabajador_thread+0x28/0x3b0 ? proceso_one_work+0x3b0/0x3b0 kthread+0x112/0x130 ? kthread_park+0x80/0x80 ret_from_fork+0x22/0x30 El controlador debe asignar suficientes vectores para proporcionar a cada CPU su propia cola de hardware y a\u00fan manejar interrupciones reservadas (MB, RSP, ATIO). El cambio corrige el fallo en la m\u00e1quina virtual de doble n\u00facleo y evita la asignaci\u00f3n de QP desequilibrada donde nr_hw_queues es dos menos que la cantidad de CPU.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0f86d66b38501e3ac66cf2d9f9f8ad6838bad0e6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4ecd42dec858b6632c5f024fe13e9ad6c30f2734\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f02d4086a8f36a0e1aaebf559b54cf24a177a486\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.