CVE-2021-46964

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 27/02/2024
Last modified: 08/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Reserve extra IRQ vectors

Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs.

That breaks vector allocation assumptions in qla83xx_iospace_config(), qla24xx_enable_msix() and qla2x00_iospace_config(). Each of these functions computes the maximum number of qpairs as:

    ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default response queue) - 1 (ATIO, in dual or pure target mode)

max_qpairs is set to zero in the case of two CPUs and initiator mode. The number is then used to allocate ha->queue_pair_map inside qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is left NULL, but the driver thinks there are queue pairs available.

qla2xxx_queuecommand() tries to find a qpair in the map and crashes:

    if (ha->mqenable) {
        uint32_t tag;
        uint16_t hwq;
        struct qla_qpair *qpair = NULL;

        tag = blk_mq_unique_tag(cmd->request);
        hwq = blk_mq_unique_tag_to_hwq(tag);
        qpair = ha->queue_pair_map[hwq]; #
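The accounting the commit message describes, as an added model written for this page (not the qla2xxx driver's own code): the CPU-count cap from a6dcfe08487e beside an assumed model of the remedy, the zero-qpair case that leaves the map unallocated, and a guarded lookup in place of the unchecked index. ha_model, cap_vectors_fixed, setup_queues and qpair_lookup_ok are invented names; the reserved-vector count follows the formula quoted above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Vectors consumed before any qpair: mailbox interrupt + default response
 * queue, plus one ATIO vector in dual or pure target mode (per the text). */
static int reserved_vectors(bool target_mode) { return 2 + (target_mode ? 1 : 0); }

struct ha_model {
    int msix_count;        /* MSI-X vectors the driver believes it has */
    int max_qpairs;        /* qpairs derived from msix_count */
    void **queue_pair_map; /* stays NULL when max_qpairs == 0 */
};

/* Cap from a6dcfe08487e: vectors limited to the number of CPUs. */
int cap_vectors_vulnerable(int hw_msix, int num_cpus)
{
    return hw_msix < num_cpus ? hw_msix : num_cpus;
}

/* Assumed model of the remedy ("reserve extra IRQ vectors"): fixed vectors
 * are requested on top of the CPU count, so at least one qpair survives. */
int cap_vectors_fixed(int hw_msix, int num_cpus, bool target_mode)
{
    int want = num_cpus + reserved_vectors(target_mode);
    return hw_msix < want ? hw_msix : want;
}
/* max_qpairs = msix_count - 1 (MB) - 1 (rsp queue) - 1 (ATIO, target mode) */
int compute_max_qpairs(int msix_count, bool target_mode)
{
    int n = msix_count - reserved_vectors(target_mode);
    return n > 0 ? n : 0;
}
/* Mirrors qla2x00_alloc_queues(): a zero-sized map is never allocated. */
void setup_queues(struct ha_model *ha, int hw_msix, int num_cpus,
                  bool target_mode, bool use_fix)
{
    ha->msix_count = use_fix ? cap_vectors_fixed(hw_msix, num_cpus, target_mode)
                             : cap_vectors_vulnerable(hw_msix, num_cpus);
    ha->max_qpairs = compute_max_qpairs(ha->msix_count, target_mode);
    ha->queue_pair_map = ha->max_qpairs
        ? calloc((size_t)ha->max_qpairs, sizeof *ha->queue_pair_map) : NULL;
}
/* Guarded stand-in for the queue_pair_map[hwq] lookup in queuecommand():
 * reports failure instead of dereferencing a NULL or undersized map. */
bool qpair_lookup_ok(const struct ha_model *ha, unsigned int hwq)
{
    return ha->queue_pair_map != NULL && hwq < (unsigned int)ha->max_qpairs;
}
```

With 8 hardware vectors, 2 CPUs and initiator mode the vulnerable cap yields msix_count 2 and max_qpairs 0, so the map is NULL; the remedied cap yields 4 vectors and 2 qpairs.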

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.11 (including)   5.11.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.12 (including)   5.12.3 (excluding)