[PATCH stable 6.12 0/2] iommu/vt-d+dma: fix stale DMA PTE WARN on IOVA reuse (regression v6.12.75)
From: avinash pal
Date: Thu Apr 23 2026 - 06:10:02 EST
Two-patch series addressing the stale-DMA-PTE WARN_ON regression that
hits kernels 6.12.75 and 6.12.76 when Intel IOMMU is enabled.
Bugzilla : https://bugzilla.kernel.org/show_bug.cgi?id=221389
Unaffected: v6.12.74 (confirmed: Giovanni Pancotti, 2026-04-22)
Affected : v6.12.76 (WARN on ATA/SCSI DMA workloads)
Workaround: intel_iommu=off
Root cause
==========
The lazy-flush path in __iommu_dma_unmap_sg() releases an IOVA back to
the allocator via free_iova_fast() before iommu_iotlb_sync() drains the
hardware TLB. A concurrent map() on the same domain receives the same
IOVA and hits a live PTE in __domain_mapping():
CPU 0 (unmap, lazy path) CPU 1 (concurrent map)
────────────────────────── ───────────────────────────────
iommu_unmap(iova)
free_iova_fast(iova) ← live
alloc_iova_fast() → same iova
__domain_mapping()
dma_pte_present() == true
WARN_ON_ONCE() ← hit
Patches
=======
1/2 iommu/vt-d: fail map loudly on stale DMA PTE
- Replaces bare WARN(1,...) with pr_err_ratelimited + WARN_ON_ONCE
- Prints vPFN + old PTE value for debugging
- Returns -EEXIST; no silent double-map
2/2 iommu/dma: sync IOTLB before releasing IOVA on sg unmap
- Adds iommu_iotlb_sync() before free_iova_fast() on lazy path
- Closes the race window; strict-mode path already does this
ACTION NEEDED by reviewer: run
git log v6.12.74..v6.12.76 -- drivers/iommu/dma-iommu.c
to identify the offending commit for the Fixes: tag in patch 2/2.
avinash pal (2):
iommu/vt-d: fail map loudly on stale DMA PTE
iommu/dma: sync IOTLB before releasing IOVA on sg unmap
drivers/iommu/dma-iommu.c | 9 +++++++
drivers/iommu/intel/iommu.c | 50 ++++++++++++++++++++++++++++---------
2 files changed, 47 insertions(+), 12 deletions(-)
base-commit: 444b39ef6108313e8452010b22aaba588e8fb92b
--
2.53.0