CVE-2021-47140

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 25/03/2024
Last modified: 19/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: Clear DMA ops when switching domain

Since commit 08a27c1c3ecf ("iommu: Add support to change default domain of an iommu group") a user can switch a device between IOMMU and direct DMA through sysfs. This doesn't work for AMD IOMMU at the moment because dev->dma_ops is not cleared when switching from a DMA to an identity IOMMU domain. The DMA layer thus attempts to use the dma-iommu ops on an identity domain, causing an oops:

    # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/unbind
    # echo identity > /sys/bus/pci/devices/0000:00:05.0/iommu_group/type
    # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/bind
    ...
    BUG: kernel NULL pointer dereference, address: 0000000000000028
    ...
    Call Trace:
    iommu_dma_alloc
    e1000e_setup_tx_resources
    e1000e_open

Since iommu_change_dev_def_domain() calls probe_finalize() again, clear the dma_ops there like Vt-d does.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.12.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* | | |
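
A first-pass check of a kernel release string against the version ranges in the table above, as an added example that is not part of the advisory. `kernel_status` is a hypothetical helper name, and the script classifies the running kernel when no argument is given.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a kernel release string
# against the CPE ranges listed on this page:
#   5.11 <= version < 5.12.9, and 5.13-rc1 / -rc2 / -rc3.
# kernel_status is a hypothetical helper name.

kernel_status() {
    rel=$1
    base=${rel%%-*}                 # "5.13.0-rc2+" -> "5.13.0"
    suffix=${rel#"$base"}           # "-rc2+", "-49-generic" or ""

    # Refuse to guess on anything that is not major.minor[.patch].
    case $base in *.*) ;; *) echo unknown; return 0 ;; esac
    maj=${base%%.*}
    rest=${base#*.}
    min=${rest%%.*}
    for part in "$maj" "$min"; do
        case $part in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done

    # Patch level defaults to 0 ("5.11" is treated as 5.11.0).
    case $rest in
        *.*) pat=${rest#*.}; pat=${pat%%[!0-9]*} ;;
        *)   pat=0 ;;
    esac
    [ -n "$pat" ] || pat=0

    if [ "$maj" -eq 5 ] && [ "$min" -eq 11 ]; then
        echo affected                       # every 5.11.y is in range
    elif [ "$maj" -eq 5 ] && [ "$min" -eq 12 ] && [ "$pat" -lt 9 ]; then
        echo affected                       # 5.12.0 .. 5.12.8
    elif [ "$maj" -eq 5 ] && [ "$min" -eq 13 ] && [ "$pat" -eq 0 ]; then
        case $suffix in
            -rc[123]|-rc[123][!0-9]*) echo affected ;;   # rc1..rc3 only
            *) echo not-affected ;;
        esac
    else
        echo not-affected
    fi
}

# Classify the argument, or the running kernel when none is given.
kernel_status "${1:-$(uname -r)}"
```

Distribution kernels often backport fixes without changing the upstream version number, so treat `affected` as a prompt to check the vendor changelog for this CVE.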