CVE-2021-47140 in Linux
Summary
by MITRE • 03/25/2024
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: Clear DMA ops when switching domain
Since commit 08a27c1c3ecf ("iommu: Add support to change default domain of an iommu group") a user can switch a device between IOMMU and direct DMA through sysfs. This doesn't work for AMD IOMMU at the moment because dev->dma_ops is not cleared when switching from a DMA to an identity IOMMU domain. The DMA layer thus attempts to use the dma-iommu ops on an identity domain, causing an oops:
# echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/unbind # echo identity > /sys/bus/pci/devices/0000:00:05.0/iommu_group/type # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/bind ... BUG: kernel NULL pointer dereference, address: 0000000000000028 ... Call Trace: iommu_dma_alloc e1000e_setup_tx_resources e1000e_open
Since iommu_change_dev_def_domain() calls probe_finalize() again, clear the dma_ops there like Vt-d does.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 08/04/2025
This vulnerability exists in the Linux kernel's IOMMU subsystem, specifically affecting AMD IOMMU implementations. The issue stems from improper handling of DMA operations when switching device domains within IOMMU groups. When a device is moved from a DMA-capable IOMMU domain to an identity domain through sysfs interface, the kernel fails to clear the device's DMA operations structure. This creates a critical inconsistency where the DMA layer attempts to utilize DMA-IOMMU operations on an identity domain that does not support such operations, resulting in kernel oops and system instability.
The technical flaw manifests when the iommu_change_dev_def_domain() function processes domain switching operations. While the function correctly handles the domain transition itself, it does not properly clear the dev->dma_ops field during the switch from a DMA domain to an identity domain. This omission causes the kernel's DMA layer to maintain references to operations that are no longer valid for the current domain type. The vulnerability is particularly dangerous because it occurs during runtime device binding operations, where the system is actively managing hardware resources and device drivers.
The operational impact of this vulnerability is severe as it can lead to immediate system crashes and kernel oops conditions. Attackers could potentially exploit this by manipulating IOMMU domain assignments through sysfs interfaces to trigger the NULL pointer dereference at address 0x0000000000000028. The error typically occurs during device initialization phases such as e1000e_open when the iommu_dma_alloc function attempts to access invalid DMA operations. This vulnerability affects systems using AMD IOMMU hardware and can compromise system stability during normal device management operations.
The fix implemented addresses this by ensuring that dma_ops are cleared during domain switching operations, similar to the approach used by Intel VT-d implementations. This solution aligns with the established pattern of clearing DMA operations when transitioning between IOMMU domain types. The resolution follows the principle of maintaining consistency in device IOMMU state management and ensures that device drivers receive appropriate DMA operation structures that match their current domain configuration. This vulnerability demonstrates the importance of proper state management in virtualization and IOMMU subsystems, where incorrect handling of device domain transitions can lead to critical system failures. The issue relates to CWE-476 which describes NULL pointer dereference vulnerabilities, and could be categorized under ATT&CK technique T1059 for system exploitation through kernel-level vulnerabilities.