The QLA2XXX SCSI driver in the Linux kernel contains a NULL pointer dereference that crashes the kernel. The driver allocated too few MSI-X vectors, and the driver's calculation of the maximum number of queue pairs (qpairs) did not account for that shortfall. As a result the driver believed qpairs were available when none had actually been set up, and a later lookup dereferenced a NULL pointer.
The crash surfaces in `qla2xxx_queuecommand`, which looks up a qpair in `ha->queue_pair_map` and dereferences the result. Because the maximum qpair count was miscalculated, the map was not populated the way the lookup expects, so the entry it finds is NULL.
The fix reserves extra IRQ vectors so that every CPU gets its own hardware queue while the driver's reserved interrupts are still served. The Linux kernel CVE team assigned CVE-2021-46964 to this issue; the bug was introduced in 5.11 and fixed in 5.11.20, 5.12.3, and 5.13.
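The shape of the bug in miniature, as an added example in C that is not qla2xxx code and does not reproduce the driver's real arithmetic. Everything here is constructed: `RESERVED_VECTORS`, the platform vector limit, `host_setup`, and a `queue_pair_map` indexed by CPU are modelling assumptions chosen to show what the advisory describes. The mapping code assumes one qpair per CPU; when the vectors actually granted, minus the ones the driver keeps for itself, cannot cover every CPU, the remaining map entries stay NULL and an unchecked lookup dereferences them. Requesting the reserved vectors on top of one per CPU (the model's counterpart of the fix) makes the assumption hold again.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vectors the driver keeps for non-queue interrupts. Constructed value. */
#define RESERVED_VECTORS 2
#define MAX_CPUS 16

struct qpair {
    int id;
    int vector;                  /* MSI-X vector backing this queue pair */
};

struct host {
    int ncpus;
    int nvectors;                /* vectors the platform actually granted */
    int max_qpairs;              /* what the queue-mapping code believes exists */
    struct qpair pairs[MAX_CPUS];
    struct qpair *queue_pair_map[MAX_CPUS];   /* CPU -> qpair, NULL if none */
};

/* Constructed platform: hands out at most `limit` vectors. */
static int platform_alloc_vectors(int requested, int limit)
{
    return requested < limit ? requested : limit;
}

/*
 * Bring up the model host. `extra` is how many vectors are requested beyond
 * one per CPU: 0 models the buggy allocation, RESERVED_VECTORS the fix.
 * The mapping code assumes one qpair per CPU regardless of what was granted;
 * CPUs that no usable vector can back are left with a NULL map entry.
 */
static void host_setup(struct host *h, int ncpus, int extra, int limit)
{
    memset(h, 0, sizeof(*h));
    h->ncpus = ncpus;
    h->nvectors = platform_alloc_vectors(ncpus + extra, limit);
    h->max_qpairs = ncpus;                      /* the assumption that breaks */
    int usable = h->nvectors - RESERVED_VECTORS; /* may be <= 0 on small boxes */
    for (int cpu = 0; cpu < ncpus && cpu < usable; cpu++) {
        h->pairs[cpu].id = cpu;
        h->pairs[cpu].vector = RESERVED_VECTORS + cpu;
        h->queue_pair_map[cpu] = &h->pairs[cpu];
    }
}

/* CPUs whose map entry is NULL although max_qpairs claims they have a qpair. */
static int unmapped_cpus(const struct host *h)
{
    int n = 0;
    for (int cpu = 0; cpu < h->max_qpairs; cpu++)
        if (h->queue_pair_map[cpu] == NULL)
            n++;
    return n;
}

/* Unchecked lookup: dereferences whatever the map holds, NULL included. */
static int queuecommand_unchecked(const struct host *h, int cpu)
{
    const struct qpair *qp = h->queue_pair_map[cpu];
    return qp->vector;                           /* NULL deref if unmapped */
}

/* Defensive lookup: reports -1 instead of dereferencing a NULL entry. */
static int queuecommand_checked(const struct host *h, int cpu)
{
    if (cpu < 0 || cpu >= h->ncpus)
        return -1;
    const struct qpair *qp = h->queue_pair_map[cpu];
    return qp ? qp->vector : -1;
}

/* Helpers that set up a host and report a single result. */
static int unmapped_after_setup(int ncpus, int extra, int limit)
{
    struct host h;
    host_setup(&h, ncpus, extra, limit);
    return unmapped_cpus(&h);
}

static int vector_for_cpu(int ncpus, int extra, int limit, int cpu)
{
    struct host h;
    host_setup(&h, ncpus, extra, limit);
    return queuecommand_checked(&h, cpu);
}

int main(void)
{
    struct host h;
    /* Buggy request: one vector per CPU on a 4-CPU box leaves 2 CPUs unmapped. */
    host_setup(&h, 4, 0, 32);
    printf("buggy: granted %d vectors, %d of %d CPUs unmapped\n",
           h.nvectors, unmapped_cpus(&h), h.max_qpairs);
    printf("checked lookup on CPU 3 -> %d\n", queuecommand_checked(&h, 3));
    /* Fixed request: reserved vectors on top of one per CPU; every CPU mapped. */
    host_setup(&h, 4, RESERVED_VECTORS, 32);
    printf("fixed: granted %d vectors, %d CPUs unmapped, CPU 3 uses vector %d\n",
           h.nvectors, unmapped_cpus(&h), queuecommand_unchecked(&h, 3));
    return 0;
}
```

With a single CPU and no extra vectors the model grants one vector, the reserved ones consume it entirely, and no CPU has a qpair even though `max_qpairs` says one does; that is the "qpairs believed available but none exist" condition from the advisory. The checked lookup is only a mitigation for the symptom; the actual fix is to request enough vectors up front so the mapping assumption is true.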
The fix touches `drivers/scsi/qla2xxx/qla_isr.c`. As with other kernel CVEs, the Linux kernel CVE team recommends updating to the latest stable kernel rather than cherry-picking individual commits.