The vulnerability lies in the Linux kernel's IOMMU (Input-Output Memory Management Unit) driver for AMD platforms. Specifically, when a device is switched from a DMA (Direct Memory Access) domain to an identity IOMMU domain via sysfs, `dev->dma_ops` is not cleared, so the DMA layer keeps dispatching through the dma-iommu ops even though the device now sits in an identity domain. This leads to a NULL pointer dereference and a subsequent kernel oops.
The issue arises because `iommu_change_dev_def_domain()` calls `probe_finalize()` again but does not clear `dma_ops` the way the Intel VT-d (Virtualization Technology for Directed I/O) driver does. The fix is to clear `dma_ops` in `iommu_change_dev_def_domain()` before the re-probe.
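To make the failure mode concrete, the following is an added user-space C model of the dispatch path described above; it is not kernel code and not the patch itself, and every name in it (`iommu_dma_map`, `change_def_domain`, `switch_and_map`, the cookie and IOVA values) is a constructed stand-in. The kernel's NULL dereference is modelled as a `DMA_MAPPING_ERROR` return so the program does not crash.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical user-space model of the bug, not kernel code. */
enum domain_type { DOMAIN_DMA, DOMAIN_IDENTITY };
struct iommu_domain { enum domain_type type; void *iova_cookie; };
struct device;
struct dma_map_ops { uint64_t (*map)(struct device *, uint64_t); };
struct device { struct iommu_domain *domain; const struct dma_map_ops *dma_ops; };
#define DMA_MAPPING_ERROR (~(uint64_t)0)
/* dma-iommu path: needs the per-domain IOVA cookie that only DMA domains
 * allocate. In the kernel this is the NULL dereference (oops); the model
 * reports it as DMA_MAPPING_ERROR instead of crashing. */
static uint64_t iommu_dma_map(struct device *dev, uint64_t phys)
{
    if (dev->domain->iova_cookie == NULL)
        return DMA_MAPPING_ERROR;
    return 0x1000 + (phys & 0xfff);    /* constructed IOVA */
}
static const struct dma_map_ops iommu_dma_ops = { .map = iommu_dma_map };
/* DMA layer: use per-device ops if set, otherwise direct (dma == phys). */
uint64_t dma_map_page(struct device *dev, uint64_t phys)
{
    return dev->dma_ops ? dev->dma_ops->map(dev, phys) : phys;
}
/* probe_finalize() installs dma-iommu ops only for DMA domains; for an
 * identity domain it leaves whatever dma_ops the device already has. */
static void probe_finalize(struct device *dev)
{
    if (dev->domain->type == DOMAIN_DMA)
        dev->dma_ops = &iommu_dma_ops;
}
/* Default-domain change: fixed=0 keeps the stale ops (the bug), fixed=1
 * clears them first, as the fix does before calling probe_finalize(). */
void change_def_domain(struct device *dev, struct iommu_domain *nd, int fixed)
{
    dev->domain = nd;
    if (fixed)
        dev->dma_ops = NULL;
    probe_finalize(dev);
}

/* Attach to a DMA domain, switch to identity, then map one page. */
uint64_t switch_and_map(int fixed)
{
    int cookie;
    struct iommu_domain dma_dom = { DOMAIN_DMA, &cookie };
    struct iommu_domain id_dom = { DOMAIN_IDENTITY, NULL };
    struct device dev = { &dma_dom, NULL };
    probe_finalize(&dev);
    change_def_domain(&dev, &id_dom, fixed);
    return dma_map_page(&dev, 0x12345678);
}
```

With `fixed=0` the stale dma-iommu ops run against a domain with no cookie and the mapping fails; with `fixed=1` the cleared ops fall back to direct mapping, which is what an identity domain expects.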
The vulnerability was introduced in Linux kernel version 5.11 with commit 08a27c1c3ecf and was fixed in versions 5.12.9 (with commit f3f2cf46291a) and 5.13 (with commit d6177a6556f8). The affected file is `drivers/iommu/amd/iommu.c`. To mitigate this issue, updating to the latest stable kernel version is recommended.