Bug#1135313: Logspam: "AMD-Vi: Completion-Wait loop timed out"

Sun, 03 May 2026 23:11:50 -0700 

Control: tags -1 + moreinfo

Hi,

On Mon, May 04, 2026 at 06:05:09AM +0200, Friedemann Stoyan wrote:
> On  1.05.26 07:51, Salvatore Bonaccorso wrote:
>  
> Hello Salvatore,
> 
> > I'm sorry to hear about this regression caused with the lastest urgent
> > security update for the kernel. Would you be able to bisect the
> > changes between 6.12.74 and 6.12.85 to identify which commit triggers
> > this specifically?
> 
> Bisecting returns this commit:
> 
> $ git bisect bad
> Bisecting: 0 revisions left to test after this (roughly 0 steps)
> [715c263119fd1b918a9fcbd8a36ea5b604a46324] iommu/amd: move wait_on_sem() out 
> of spinlock
> 
> 
> $ git bisect log
> git bisect start
> # status: waiting for both good and bad commits
> # good: [444b39ef6108313e8452010b22aaba588e8fb92b] Linux 6.12.74
> git bisect good 444b39ef6108313e8452010b22aaba588e8fb92b
> # status: waiting for bad commit, 1 good commit known
> # bad: [18cd79ce247a35c2938698145d1834a09b5f7777] Linux 6.12.85
> git bisect bad 18cd79ce247a35c2938698145d1834a09b5f7777
> # bad: [aa9ebc084505fb26dd90f4d7a249045aad152043] unshare: fix unshare_fs() 
> handling
> git bisect bad aa9ebc084505fb26dd90f4d7a249045aad152043
> # bad: [26c82ec5add2139e9c043d505bb413d8925426ca] wifi: rtw89: wow: add 
> reason codes for disassociation in WoWLAN mode
> git bisect bad 26c82ec5add2139e9c043d505bb413d8925426ca
> # good: [0c74a63b797ca495e8d48645103bc2b1eb634adf] clk: qcom: gcc-x1e80100: 
> Update the SDCC RCGs to use shared_floor_ops
> git bisect good 0c74a63b797ca495e8d48645103bc2b1eb634adf
> # good: [5f15fa06dccb6034777aaefd8ccfb2993fb9d9bf] libperf: Don't remove -g 
> when EXTRA_CFLAGS are used
> git bisect good 5f15fa06dccb6034777aaefd8ccfb2993fb9d9bf
> # good: [1ba3a56f4854fab439e5bfe694062f9024a324ea] media: chips-media: wave5: 
> Process ready frames when CMD_STOP sent to Encoder
> git bisect good 1ba3a56f4854fab439e5bfe694062f9024a324ea
> # good: [0fa0a82274c8471f9168b4ac338580981da86078] HID: multitouch: add 
> eGalaxTouch EXC3188 support
> git bisect good 0fa0a82274c8471f9168b4ac338580981da86078
> # good: [bfefacf1996f00fd2d60d99a89e5a73ae7cc9037] ASoC: fsl: imx-rpmsg: use 
> snd_soc_find_dai_with_mutex() in probe
> git bisect good bfefacf1996f00fd2d60d99a89e5a73ae7cc9037
> # good: [46216a48cd89d5b38fa3c1872ab10a07c369a350] wifi: rtw89: ser: enable 
> error IMR after recovering from L1
> git bisect good 46216a48cd89d5b38fa3c1872ab10a07c369a350
> # good: [65bc40fea4fd6f5f07db550f4fdf4dee7f42116f] iommu/arm-smmu-v3: Improve 
> CMDQ lock fairness and efficiency
> git bisect good 65bc40fea4fd6f5f07db550f4fdf4dee7f42116f
> # good: [b82073564373e68c6ae3a96039fae14cd002a496] wifi: libertas: fix 
> WARNING in usb_tx_block
> git bisect good b82073564373e68c6ae3a96039fae14cd002a496
> # bad: [faac634c2795cb4e2170e329680e7a6f766110ff] wifi: rtw89: mac: correct 
> page number for CSI response
> git bisect bad faac634c2795cb4e2170e329680e7a6f766110ff
> 
> 
> I'm not sure if that's relevant: It is an older AMD Zen2 CPU:
> 
> smpboot: CPU0: AMD Ryzen 5 PRO 4650G with Radeon Graphics (family: 0x17, 
> model: 0x60, stepping: 0x1)
> 
> It doesn't matter whether iommu.strict is on or off.

Thank you very much for doing this work, much appreciated. Can you
check, applying the following upstream change will fix the problem?

https://git.kernel.org/linus/9e249c48412828e807afddc21527eb734dc9bd3d
?

The commit is not applying cleanly, attached is an attempt of a
backport, but I could not yet test it. If you can, and it builds and
fixes the problem please report back as well so we can confirm the
backport request upstream. if it does not work we need to look
further.

Regards,
Salvatore

>From f79e62825e1e421c94c81151858b2d757f7f454a Mon Sep 17 00:00:00 2001
From: Ankit Soni <[email protected]>
Date: Thu, 22 Jan 2026 15:30:38 +0000
Subject: [PATCH] iommu/amd: serialize sequence allocation under concurrent TLB
 invalidations

commit upstream 9e249c48412828e807afddc21527eb734dc9bd3d.

With concurrent TLB invalidations, completion wait randomly gets timed out
because cmd_sem_val was incremented outside the IOMMU spinlock, allowing
CMD_COMPL_WAIT commands to be queued out of sequence and breaking the
ordering assumption in wait_on_sem().
Move the cmd_sem_val increment under iommu->lock so completion sequence
allocation is serialized with command queuing.
And remove the unnecessary return.

Fixes: d2a0cac10597 ("iommu/amd: move wait_on_sem() out of spinlock")

Tested-by: Srikanth Aithal <[email protected]>
Reported-by: Srikanth Aithal <[email protected]>
Signed-off-by: Ankit Soni <[email protected]>
Reviewed-by: Vasant Hegde <[email protected]>
Signed-off-by: Joerg Roedel <[email protected]>
[Salvatore Bonaccorso: Backport for context changes in v6.12.y]
Signed-off-by: Salvatore Bonaccorso <[email protected]>
---
 drivers/iommu/amd/amd_iommu_types.h |  2 +-
 drivers/iommu/amd/init.c            |  2 +-
 drivers/iommu/amd/iommu.c           | 18 ++++++++++++------
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h
index a14ee649d3da..df2aa1c4fafc 100644
--- a/drivers/iommu/amd/amd_iommu_types.h
+++ b/drivers/iommu/amd/amd_iommu_types.h
@@ -781,7 +781,7 @@ struct amd_iommu {
 
 	u32 flags;
 	volatile u64 *cmd_sem;
-	atomic64_t cmd_sem_val;
+	u64 cmd_sem_val;
 
 #ifdef CONFIG_AMD_IOMMU_DEBUGFS
 	/* DebugFS Info */
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index e1816ae8699d..78e9ceda2338 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -1742,7 +1742,7 @@ static int __init init_iommu_one(struct amd_iommu *iommu, struct ivhd_header *h,
 	iommu->pci_seg = pci_seg;
 
 	raw_spin_lock_init(&iommu->lock);
-	atomic64_set(&iommu->cmd_sem_val, 0);
+	iommu->cmd_sem_val = 0;
 
 	/* Add IOMMU to internal data structures */
 	list_add_tail(&iommu->list, &amd_iommu_list);
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index fecca5c32e8a..d0e53a03eff0 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -1252,6 +1252,12 @@ static int iommu_queue_command(struct amd_iommu *iommu, struct iommu_cmd *cmd)
 	return iommu_queue_command_sync(iommu, cmd, true);
 }
 
+static u64 get_cmdsem_val(struct amd_iommu *iommu)
+{
+	lockdep_assert_held(&iommu->lock);
+	return ++iommu->cmd_sem_val;
+}
+
 /*
  * This function queues a completion wait command into the command
  * buffer of an IOMMU
@@ -1266,11 +1272,11 @@ static int iommu_completion_wait(struct amd_iommu *iommu)
 	if (!iommu->need_sync)
 		return 0;
 
-	data = atomic64_add_return(1, &iommu->cmd_sem_val);
-	build_completion_wait(&cmd, iommu, data);
-
 	raw_spin_lock_irqsave(&iommu->lock, flags);
 
+	data = get_cmdsem_val(iommu);
+	build_completion_wait(&cmd, iommu, data);
+
 	ret = __iommu_queue_command_sync(iommu, &cmd, false);
 	raw_spin_unlock_irqrestore(&iommu->lock, flags);
 
@@ -2929,10 +2935,11 @@ static void iommu_flush_irt_and_complete(struct amd_iommu *iommu, u16 devid)
 		return;
 
 	build_inv_irt(&cmd, devid);
-	data = atomic64_add_return(1, &iommu->cmd_sem_val);
-	build_completion_wait(&cmd2, iommu, data);
 
 	raw_spin_lock_irqsave(&iommu->lock, flags);
+	data = get_cmdsem_val(iommu);
+	build_completion_wait(&cmd2, iommu, data);
+
 	ret = __iommu_queue_command_sync(iommu, &cmd, true);
 	if (ret)
 		goto out_err;
@@ -2946,7 +2953,6 @@ static void iommu_flush_irt_and_complete(struct amd_iommu *iommu, u16 devid)
 
 out_err:
 	raw_spin_unlock_irqrestore(&iommu->lock, flags);
-	return;
 }
 
 static void set_dte_irq_entry(struct amd_iommu *iommu, u16 devid,
-- 
2.53.0

Reply via email to