CVE-2021-46964: Vulnerability in the Linux kernel (qla2xxx)
Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Reserve extra IRQ vectors

Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs. That breaks vector allocation assumptions in qla83xx_iospace_config(), qla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions computes maximum number of qpairs as:

    ha->max_qpairs = ha->msix_count
        - 1 (MB interrupt)
        - 1 (default response queue)
        - 1 (ATIO, in dual or pure target mode)

max_qpairs is set to zero in case of two CPUs and initiator mode. The number is then used to allocate ha->queue_pair_map inside qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is left NULL but the driver thinks there are queue pairs available. qla2xxx_queuecommand() tries to find a qpair in the map and crashes:

    if (ha->mqenable) {
        uint32_t tag;
        uint16_t hwq;
        struct qla_qpair *qpair = NULL;

        tag = blk_mq_unique_tag(cmd->request);
        hwq = blk_mq_unique_tag_to_hwq(tag);
        qpair = ha->queue_pair_map[hwq];  # <- HERE

        if (qpair)
            return qla2xxx_mqueuecommand(host, cmd, qpair);
    }

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: 0000 [#1] SMP PTI
    CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
    Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]
    RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]
    Call Trace:
     scsi_queue_rq+0x58c/0xa60
     blk_mq_dispatch_rq_list+0x2b7/0x6f0
     ? __sbitmap_get_word+0x2a/0x80
     __blk_mq_sched_dispatch_requests+0xb8/0x170
     blk_mq_sched_dispatch_requests+0x2b/0x50
     __blk_mq_run_hw_queue+0x49/0xb0
     __blk_mq_delay_run_hw_queue+0xfb/0x150
     blk_mq_sched_insert_request+0xbe/0x110
     blk_execute_rq+0x45/0x70
     __scsi_execute+0x10e/0x250
     scsi_probe_and_add_lun+0x228/0xda0
     __scsi_scan_target+0xf4/0x620
     ? __pm_runtime_resume+0x4f/0x70
     scsi_scan_target+0x100/0x110
     fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]
     process_one_work+0x1ea/0x3b0
     worker_thread+0x28/0x3b0
     ? process_one_work+0x3b0/0x3b0
     kthread+0x112/0x130
     ? kthread_park+0x80/0x80
     ret_from_fork+0x22/0x30

The driver should allocate enough vectors to provide every CPU its own HW queue and still handle reserved (MB, RSP, ATIO) interrupts. The change fixes the crash on dual core VM and prevents unbalanced QP allocation where nr_hw_queues is two less than the number of CPUs.
AI Analysis
Technical Summary
CVE-2021-46964 is a NULL pointer dereference in the Linux kernel's qla2xxx SCSI driver, which drives QLogic Fibre Channel Host Bus Adapters (HBAs). Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs") capped the number of MSI-X vectors the driver requests at the number of CPUs. That cap broke an assumption shared by qla83xx_iospace_config(), qla24xx_enable_msix() and qla2x00_iospace_config(): each derives the maximum number of queue pairs (qpairs) by subtracting from the MSI-X vector count the vectors reserved for the mailbox interrupt, the default response queue and, in dual or pure target mode, the ATIO queue. On a two-CPU host in initiator mode that is 2 - 1 - 1 = 0. With max_qpairs at zero, qla2x00_alloc_queues() allocates nothing and leaves ha->queue_pair_map NULL, yet ha->mqenable still tells the I/O path that multiqueue is active. The first command that reaches qla2xxx_queuecommand() indexes the NULL map with its blk-mq hardware queue number and oopses. The trace in the description shows this on the fc_scsi_scan_rport workqueue, i.e. during the driver's own LUN discovery, so an affected host crashes as soon as a Fibre Channel target becomes visible; no attacker-controlled input is involved. The result is a kernel oops and denial of service for all storage behind the HBA. The fix ("scsi: qla2xxx: Reserve extra IRQ vectors") requests one vector per CPU plus the reserved ones, so every CPU gets its own hardware queue; it also removes the imbalance on larger hosts, where the cap left nr_hw_queues two less than the number of CPUs. Affected are kernels that contain a6dcfe08487e without the fix, on systems whose HBAs are driven by qla2xxx; the crash was reproduced on a dual-core QEMU VM running a 5.10.0-rc1+ kernel. No exploits are known in the wild and no CVSS score has been assigned.
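To make the arithmetic above concrete, here is an added userspace model of the vector budget and the qpair map lookup. It is not the driver's code and not from the original page: the names msix_count, max_qpairs, queue_pair_map and mqenable follow the commit message, while the struct layout, the helper functions, the clamping of max_qpairs at zero and the rule that mqenable is set whenever MSI-X is in use are assumptions made for illustration. The vulnerable lookup reports where the kernel would oops instead of faulting, a guarded variant sits beside it, and the same functions show why giving a VM a third vCPU sidesteps the NULL map while still leaving it two hardware queues short of what the fix provides.

```c
/*
 * Userspace model of the MSI-X vector budget behind CVE-2021-46964. Added
 * illustration, not qla2xxx code: msix_count, max_qpairs, queue_pair_map and
 * mqenable are the commit's names; the struct, the helpers, the clamp at zero
 * and the rule that mqenable follows MSI-X are simplifying assumptions.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum { VEC_MB = 1, VEC_RSP = 1, VEC_ATIO = 1 }; /* mailbox, default response queue, ATIO (target mode only) */

struct qla_hw {
	int msix_count;
	int max_qpairs;
	bool mqenable;
	void **queue_pair_map;	/* indexed by blk-mq hardware queue number */
};

/* Vectors requested: a6dcfe08487e capped them at num_cpus; the fix adds the reserved ones on top. */
int msix_budget(int num_cpus, bool target_mode, bool reserve_extra)
{
	int reserved = VEC_MB + VEC_RSP + (target_mode ? VEC_ATIO : 0);
	return reserve_extra ? num_cpus + reserved : num_cpus;
}

/* The max_qpairs arithmetic from the *_iospace_config()/qla24xx_enable_msix() functions, clamped at 0 here. */
int compute_max_qpairs(int msix_count, bool target_mode)
{
	int n = msix_count - VEC_MB - VEC_RSP - (target_mode ? VEC_ATIO : 0);
	return n > 0 ? n : 0;
}

/* Mirrors qla2x00_alloc_queues(): with max_qpairs == 0 nothing is allocated and the map stays NULL. */
void alloc_queues(struct qla_hw *ha)
{
	ha->queue_pair_map = ha->max_qpairs > 0
		? calloc((size_t)ha->max_qpairs, sizeof(*ha->queue_pair_map)) : NULL;
}

/*
 * The lookup qla2xxx_queuecommand() does: with mqenable set it indexes the map
 * unconditionally. Instead of faulting, return true where the kernel would oops.
 */
bool lookup_vulnerable(const struct qla_hw *ha, unsigned int hwq, void **qpair)
{
	*qpair = NULL;
	if (!ha->mqenable)
		return false;
	if (!ha->queue_pair_map)
		return true;		/* the "<- HERE" line in the description */
	*qpair = ha->queue_pair_map[hwq];
	return false;
}

/* Defensive variant: index only an existing map within range; a NULL qpair means "use the default queue". */
bool lookup_guarded(const struct qla_hw *ha, unsigned int hwq, void **qpair)
{
	*qpair = NULL;
	if (ha->mqenable && ha->queue_pair_map && hwq < (unsigned int)ha->max_qpairs)
		*qpair = ha->queue_pair_map[hwq];
	return false;
}

/* Bring up a modelled adapter; mqenable is assumed on whenever more than one MSI-X vector is in use. */
void probe(struct qla_hw *ha, int num_cpus, bool target_mode, bool reserve_extra)
{
	ha->msix_count = msix_budget(num_cpus, target_mode, reserve_extra);
	ha->max_qpairs = compute_max_qpairs(ha->msix_count, target_mode);
	ha->mqenable = ha->msix_count > 1;
	alloc_queues(ha);
}

/* Probe a configuration, return its qpair count and report whether the first command on queue 0 would oops. */
int probe_config(int num_cpus, bool target_mode, bool reserve_extra, bool *faults)
{
	struct qla_hw ha;
	void *qpair;
	int n;

	probe(&ha, num_cpus, target_mode, reserve_extra);
	*faults = lookup_vulnerable(&ha, 0, &qpair);
	n = ha.max_qpairs;
	free(ha.queue_pair_map);
	return n;
}

int main(void)
{
	int cpus[] = { 2, 3, 4 };
	for (size_t i = 0; i < sizeof cpus / sizeof cpus[0]; i++) {
		bool oops, unused;
		int capped = probe_config(cpus[i], false, false, &oops);
		int fixed = probe_config(cpus[i], false, true, &unused);
		printf("%d CPUs, initiator mode: capped policy %d qpairs%s, fixed policy %d qpairs\n",
		       cpus[i], capped, oops ? " (first command oopses)" : "", fixed);
	}
	return 0;
}
```

Run stand-alone, it prints the qpair count for 2, 3 and 4 CPUs in initiator mode under the capped and the fixed policy: only the two-CPU capped case reports an oops, and every capped case shows the two-queue deficit the fix removes.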
Potential Impact
For European organizations the exposure is servers and storage hosts that attach Fibre Channel storage through QLogic HBAs and run an affected kernel. The oops takes the host down and with it every workload whose storage sits behind the HBA. Because the fault is hit during LUN discovery rather than under attacker control, a host in the vulnerable configuration may simply reboot back into the same crash until the kernel or the CPU count changes. Small virtual machines with two vCPUs in initiator mode are where the bug was observed; hosts with more CPUs do not hit the NULL map, but they run with two fewer hardware queues than CPUs until patched. Sectors that depend heavily on SAN-attached storage, such as finance, healthcare, telecommunications and manufacturing, feel the downtime most, and backup and disaster recovery jobs running on such hosts are interrupted with it. Nothing in the report indicates code execution, privilege escalation or data corruption: the impact is loss of availability. The absence of known exploits counts for little here, because the crash needs no attacker; unpatched hosts in the affected configuration fail on their own.
Mitigation Recommendations
European organizations should take the following steps:
1) Inventory Linux hosts with the qla2xxx driver loaded (for example via lsmod or the presence of entries under /sys/class/fc_host), and record their kernel version, CPU count and whether the HBA runs in initiator, dual or target mode. Two-CPU initiator-mode hosts on a kernel that contains commit a6dcfe08487e but not the fix are the ones that crash.
2) Apply the kernel update that carries the fix "scsi: qla2xxx: Reserve extra IRQ vectors", either mainline or your distribution's backport. The fix is already merged, so this is a routine update rather than a wait for a patch.
3) Where the update must wait, give affected virtual machines at least three vCPUs so that max_qpairs is greater than zero and the queue pair map is allocated. This avoids the crash only; the host still runs with two fewer hardware queues than CPUs until it is patched.
4) Monitor kernel logs, crash dumps and serial or remote console output for the signature "BUG: kernel NULL pointer dereference, address: 0000000000000000" together with "RIP: 0010:qla2xxx_queuecommand" and fc_scsi_scan_rport on the stack, and treat a host that oopses this way during boot or a rescan as hitting this bug. Keep a crash dump mechanism enabled so the trace survives the crash.
5) Put the kernel update through normal change management and testing, ideally including a two-vCPU test VM with an HBA attached, to confirm that LUN discovery completes.
6) Keep backups and disaster recovery plans current so that an outage of an affected storage host is recoverable.
7) The defect is in the kernel driver, not the HBA firmware, so firmware updates are not a substitute for the kernel fix; do check the vendor's support matrix for the kernel you move to.
8) Restricting logins does not mitigate this bug: the crash is triggered by the driver's own discovery path, not by user input.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.942Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe990d
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 6:13:15 PM
Last updated: 8/8/2025, 10:42:37 PM