Re: [PATCH] iommu: Fix bypass of IOMMU readiness check for multi-IOMMU devices

[Robin Murphy]

On 2026-03-23 1:09 pm, Tudor Ambarus wrote:
> Commit da33e87bd2bf ("iommu: Handle yet another race around
> registration") introduced a readiness check in `iommu_fwspec_init()` to
> prevent client drivers from configuring their IOMMUs before
> `bus_iommu_probe()` has completed.
>
> To optimize the replay path, the readiness check was conditionally
> gated behind `!dev->iommu`:
>      if (!dev->iommu && !READ_ONCE(iommu->ready))
>          return -EPROBE_DEFER;
>
> However, this assumption breaks down for devices that map to multiple
> IOMMU instances. During the initialization loop over multiple IOMMUs in
> `of_iommu_configure_device()`, the first IOMMU successfully allocates
> `dev->iommu`. When `iommu_fwspec_init()` is called for the second
> IOMMU, `!dev->iommu` evaluates to false, short-circuiting the logic and
> entirely bypassing the `iommu->ready` check.
>
> If the second IOMMU is still executing its `bus_iommu_probe()`
> concurrently, this allows the client driver to proceed prematurely,
> resulting in a late IOMMU probe warning:
>      dev: late IOMMU probe at driver bind, something fishy here!
>      WARNING: drivers/iommu/iommu.c:645 at __iommu_probe_device
>
> Fix this by making the `iommu->ready` check unconditional, ensuring
> that a device will defer its probe until *all* of its required IOMMUs
> are fully registered and ready.

...which is obviously wrong, since the whole point is that we *do* want 
of_iommu_xlate() to succeed in the bus_iommu_probe() path before the 
IOMMU driver has finished registering, because that's how we get probe 
to actually happen correctly in the expected order. This change would 
effectively undo the whole thing, except leaving ACPI systems without 
IOMMU functionality at all - it'll only be sort-of-working for you 
because DT still has the sketchy iommu_probe_device() replay in the 
driver bind path.

Honestly we just need to get rid of that replay call, which is the root 
of almost all of the problems, but I don't know what to do about all the 
remaining of_dma_configure() abusers that are relying on it... :(

Thanks,
Robin.

> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: da33e87bd2bf ("iommu: Handle yet another race around registration")
> Fixes: bcb81ac6ae3c ("iommu: Get DT/ACPI parsing into the proper probe path")
> Signed-off-by: Tudor Ambarus <tudor.ambarus@xxxxxxxxxx>
> ---
> The warning was observed using an Android 6.19 tree, using downstream
> drivers (exynos-decon and samsung-sysmmu-v9).
> ---
>   drivers/iommu/iommu.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
> index 78756c3f3c40..e61927b4d41f 100644
> --- a/drivers/iommu/iommu.c
> +++ b/drivers/iommu/iommu.c
> @@ -3042,7 +3042,7 @@ int iommu_fwspec_init(struct device *dev, struct fwnode_handle *iommu_fwnode)
>   
>   	if (!iommu)
>   		return driver_deferred_probe_check_state(dev);
> -	if (!dev->iommu && !READ_ONCE(iommu->ready))
> +	if (!READ_ONCE(iommu->ready))
>   		return -EPROBE_DEFER;
>   
>   	if (fwspec)
>
> ---
> base-commit: ca3bbc9287400c1274d87ee57a16e3126ba2969a
> change-id: 20260320-iommu-ready-check-4976863957c2
>
> Best regards,