cve/published/2021/CVE-2021-46964.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46964: scsi: qla2xxx: Reserve extra IRQ vectors

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: qla2xxx: Reserve extra IRQ vectors

 Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of
 CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs.

 That breaks vector allocation assumptions in qla83xx_iospace_config(),
 qla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions
 computes maximum number of qpairs as:

   ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default
                    response queue) - 1 (ATIO, in dual or pure target mode)

 max_qpairs is set to zero in case of two CPUs and initiator mode. The
 number is then used to allocate ha->queue_pair_map inside
 qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is
 left NULL but the driver thinks there are queue pairs available.

 qla2xxx_queuecommand() tries to find a qpair in the map and crashes:

   if (ha->mqenable) {
           uint32_t tag;
           uint16_t hwq;
           struct qla_qpair *qpair = NULL;

           tag = blk_mq_unique_tag(cmd->request);
           hwq = blk_mq_unique_tag_to_hwq(tag);
           qpair = ha->queue_pair_map[hwq]; # <- HERE

           if (qpair)
                   return qla2xxx_mqueuecommand(host, cmd, qpair);
   }

   BUG: kernel NULL pointer dereference, address: 0000000000000000
   #PF: supervisor read access in kernel mode
   #PF: error_code(0x0000) - not-present page
   PGD 0 P4D 0
   Oops: 0000 [#1] SMP PTI
   CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G        W         5.10.0-rc1+ #25
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
   Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]
   RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]
   Call Trace:
    scsi_queue_rq+0x58c/0xa60
    blk_mq_dispatch_rq_list+0x2b7/0x6f0
    ? __sbitmap_get_word+0x2a/0x80
    __blk_mq_sched_dispatch_requests+0xb8/0x170
    blk_mq_sched_dispatch_requests+0x2b/0x50
    __blk_mq_run_hw_queue+0x49/0xb0
    __blk_mq_delay_run_hw_queue+0xfb/0x150
    blk_mq_sched_insert_request+0xbe/0x110
    blk_execute_rq+0x45/0x70
    __scsi_execute+0x10e/0x250
    scsi_probe_and_add_lun+0x228/0xda0
    __scsi_scan_target+0xf4/0x620
    ? __pm_runtime_resume+0x4f/0x70
    scsi_scan_target+0x100/0x110
    fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]
    process_one_work+0x1ea/0x3b0
    worker_thread+0x28/0x3b0
    ? process_one_work+0x3b0/0x3b0
    kthread+0x112/0x130
    ? kthread_park+0x80/0x80
    ret_from_fork+0x22/0x30

 The driver should allocate enough vectors to provide every CPU it's own HW
 queue and still handle reserved (MB, RSP, ATIO) interrupts.

 The change fixes the crash on dual core VM and prevents unbalanced QP
 allocation where nr_hw_queues is two less than the number of CPUs.

 The Linux kernel CVE team has assigned CVE-2021-46964 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.11 with commit a6dcfe08487e5e83b6b4214c959a9577a9ed2d9f and fixed in 5.11.20 with commit 4ecd42dec858b6632c5f024fe13e9ad6c30f2734
 	Issue introduced in 5.11 with commit a6dcfe08487e5e83b6b4214c959a9577a9ed2d9f and fixed in 5.12.3 with commit 0f86d66b38501e3ac66cf2d9f9f8ad6838bad0e6
 	Issue introduced in 5.11 with commit a6dcfe08487e5e83b6b4214c959a9577a9ed2d9f and fixed in 5.13 with commit f02d4086a8f36a0e1aaebf559b54cf24a177a486

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46964
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/qla2xxx/qla_isr.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4ecd42dec858b6632c5f024fe13e9ad6c30f2734
 	https://git.kernel.org/stable/c/0f86d66b38501e3ac66cf2d9f9f8ad6838bad0e6
 	https://git.kernel.org/stable/c/f02d4086a8f36a0e1aaebf559b54cf24a177a486
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46964: scsi: qla2xxx: Reserve extra IRQ vectors

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: qla2xxx: Reserve extra IRQ vectors

	Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of
	CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs.

	That breaks vector allocation assumptions in qla83xx_iospace_config(),
	qla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions
	computes maximum number of qpairs as:

	ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default
	response queue) - 1 (ATIO, in dual or pure target mode)

	max_qpairs is set to zero in case of two CPUs and initiator mode. The
	number is then used to allocate ha->queue_pair_map inside
	qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is
	left NULL but the driver thinks there are queue pairs available.

	qla2xxx_queuecommand() tries to find a qpair in the map and crashes:

	if (ha->mqenable) {
	uint32_t tag;
	uint16_t hwq;
	struct qla_qpair *qpair = NULL;

	tag = blk_mq_unique_tag(cmd->request);
	hwq = blk_mq_unique_tag_to_hwq(tag);
	qpair = ha->queue_pair_map[hwq]; # <- HERE

	if (qpair)
	return qla2xxx_mqueuecommand(host, cmd, qpair);
	}

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 0 P4D 0
	Oops: 0000 [#1] SMP PTI
	CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
	Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]
	RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]
	Call Trace:
	scsi_queue_rq+0x58c/0xa60
	blk_mq_dispatch_rq_list+0x2b7/0x6f0
	? __sbitmap_get_word+0x2a/0x80
	__blk_mq_sched_dispatch_requests+0xb8/0x170
	blk_mq_sched_dispatch_requests+0x2b/0x50
	__blk_mq_run_hw_queue+0x49/0xb0
	__blk_mq_delay_run_hw_queue+0xfb/0x150
	blk_mq_sched_insert_request+0xbe/0x110
	blk_execute_rq+0x45/0x70
	__scsi_execute+0x10e/0x250
	scsi_probe_and_add_lun+0x228/0xda0
	__scsi_scan_target+0xf4/0x620
	? __pm_runtime_resume+0x4f/0x70
	scsi_scan_target+0x100/0x110
	fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]
	process_one_work+0x1ea/0x3b0
	worker_thread+0x28/0x3b0
	? process_one_work+0x3b0/0x3b0
	kthread+0x112/0x130
	? kthread_park+0x80/0x80
	ret_from_fork+0x22/0x30

	The driver should allocate enough vectors to provide every CPU it's own HW
	queue and still handle reserved (MB, RSP, ATIO) interrupts.

	The change fixes the crash on dual core VM and prevents unbalanced QP
	allocation where nr_hw_queues is two less than the number of CPUs.

	The Linux kernel CVE team has assigned CVE-2021-46964 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.11 with commit a6dcfe08487e5e83b6b4214c959a9577a9ed2d9f and fixed in 5.11.20 with commit 4ecd42dec858b6632c5f024fe13e9ad6c30f2734
	Issue introduced in 5.11 with commit a6dcfe08487e5e83b6b4214c959a9577a9ed2d9f and fixed in 5.12.3 with commit 0f86d66b38501e3ac66cf2d9f9f8ad6838bad0e6
	Issue introduced in 5.11 with commit a6dcfe08487e5e83b6b4214c959a9577a9ed2d9f and fixed in 5.13 with commit f02d4086a8f36a0e1aaebf559b54cf24a177a486

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46964
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/qla2xxx/qla_isr.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4ecd42dec858b6632c5f024fe13e9ad6c30f2734
	https://git.kernel.org/stable/c/0f86d66b38501e3ac66cf2d9f9f8ad6838bad0e6
	https://git.kernel.org/stable/c/f02d4086a8f36a0e1aaebf559b54cf24a177a486