DMAR: ERROR: DMA PTE for vPFN 0x7bf32 already set

Status changed to 'Confirmed' because the bug affects multiple users.

Please give mainline kernel a try:
https://wiki.ubuntu.com/Kernel/MainlineBuilds

I tried the latest currently available 5.15 kernel (https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.15.36/amd64/, 5.15.36-051536-generic #202204271420 SMP Wed Apr 27 16:37:41 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux). The problem still occurs there.

Is this related?

https://lists.linuxfoundation.org/pipermail/iommu/2021-October/059955.html
https://lists.linuxfoundation.org/pipermail/iommu/2021-November/060249.html

If this question was meant for me: I cannot really say, in my case no VMs are involved at all.

I hit this bug upgrading my home server (proliant microserver gen8) and it seems to be causing memory corruption when it occurs ( at least in combination with zfs ). Using zfs mirrored root I experienced this issue after only a few minutes uptime, with DMAR messages flooding the log and very high CPU usage.

After rebooting with intel_iommu=off things are back to normal, but a zfs scrub indicated several thousand checksum errors detected on the root volume, some of them unrecoverable that had to be restored from backup, and a separate zfs RAIDZ1 volume experienced corrupted metadata and had to be rolled back with some data loss.

With regards to the patch here:
https://lists.linuxfoundation.org/pipermail/iommu/2021-October/060115.html

It is mentioned this issue can occur if you are passing through a PCI device to a virtual machine guest. This patch seems like it never made it into the kernel. So I am curious if you are using any virtual machines on this host, and if any of them are mapping PCI devices from the host in.

In my case the host is not running any virtual machines. I have another similar HPE Gen9 server (without the HPE Smart HBA H240 SATA controller) that doesn't have the problem. So in my case I suspect the H240 controller is (at least part of) the problem.

@phdonnelly, are you using VMs and/or do you have an H240 controller?

Not running any VMs but I did have SR-IOV and VT-X enabled in the BIOS. Server has a HP B120i which is a fakeraid device and the drives are accessed as simple AHCI devices.

This is likely the issue addressed in upstream stable v5.15.6 commit 724ee060 - the links in that commit message seem to be very close:

commit 724ee060d0aba28f072fc7357a20366b0a519593
Author: Alex Williamson <email address hidden>
Date: Fri Nov 26 21:55:56 2021 +0800

    iommu/vt-d: Fix unmap_pages support

    [ Upstream commit 86dc40c7ea9c22f64571e0e45f695de73a0e2644 ]

    When supporting only the .map and .unmap callbacks of iommu_ops,
    the IOMMU driver can make assumptions about the size and alignment
    used for mappings based on the driver provided pgsize_bitmap. VT-d
    previously used essentially PAGE_MASK for this bitmap as any power
    of two mapping was acceptably filled by native page sizes.

    However, with the .map_pages and .unmap_pages interface we're now
    getting page-size and count arguments. If we simply combine these
    as (page-size * count) and make use of the previous map/unmap
    functions internally, any size and alignment assumptions are very
    different.

    As an example, a given vfio device assignment VM will often create
    a 4MB mapping at IOVA pfn [0x3fe00 - 0x401ff]. On a system that
    does not support IOMMU super pages, the unmap_pages interface will
    ask to unmap 1024 4KB pages at the base IOVA. dma_pte_clear_level()
    will recurse down to level 2 of the page table where the first half
    of the pfn range exactly matches the entire pte level. We clear the
    pte, increment the pfn by the level size, but (oops) the next pte is
    on a new page, so we exit the loop an pop back up a level. When we
    then update the pfn based on that higher level, we seem to assume
    that the previous pfn value was at the start of the level. In this
    case the level size is 256K pfns, which we add to the base pfn and
    get a results of 0x7fe00, which is clearly greater than 0x401ff,
    so we're done. Meanwhile we never cleared the ptes for the remainder
    of the range. When the VM remaps this range, we're overwriting valid
    ptes and the VT-d driver complains loudly, as reported by the user
    report linked below.

    The fix for this seems relatively simple, if each iteration of the
    loop in dma_pte_clear_level() is assumed to clear to the end of the
    level pte page, then our next pfn should be calculated from level_pfn
    rather than our working pfn.

    Fixes: 3f34f1259776 ("iommu/vt-d: Implement map/unmap_pages() iommu_ops callback")
    Reported-by: Ajay Garg <email address hidden>
    Signed-off-by: Alex Williamson <email address hidden>
    Tested-by: Giovanni Cabiddu <email address hidden>
    Link: https://<email address hidden>/
    Link: https://lore.kernel.org/r/163659074748.1617923.12716161410774184024.stgit@omen
    Signed-off-by: Lu Baolu <email address hidden>
    Link: https://<email address hidden>
    Signed-off-by: Joerg Roedel <email address hidden>
    Signed-off-by: Sasha Levin <email address hidden>

We found this exact same issue affecting several users with Unraid and kernel 5.15, they just needed to have VT-d enabled, it mostly affected HP servers of the same era, for example:

ProLiant MicroServer Gen8
ProLiant ML350p Gen8
ProLiant ML310e Gen8
ProLiant ML350 Gen9
ProLiant ML10 v2

but there was also a Lenovo X3100 M5, a Dell PowerEdge R710 and even a 6th gen i5 Asrock desktop board, so can't rule out any Intel based computer with VT-d enabled being affected sooner or later, but the HP servers listed were much more prone to the issue, we could sometimes trigger the bug in seconds, couple of minutes tops, by doing something i/o intensive, like for example starting a parity sync or check, problem started like above:

DMAR: ERROR: DMA PTE for vPFN xxxxxx already set (to xxxxxx not xxxxxx)

Then it started corrupting data, some times more severely than others, it happened with both filesystems typically used with Unraid, XFS and btrfs, though usually it was mostly found with btrfs since it started detecting data corruption errors, also btrfs is more vulnerable to memory corruption so it was more common to find a fatally damaged filesystem after some use.

Limetech found that changing iommu to pass-through mode instead of DMA translation mode fixed the problem, this can be done by changing this kernel option:

CONFIG_IOMMU_DEFAULT_PASSTHROUGH: Passthrough

Same as adding iommu=pt (or iommu.passtrough=1) to the kernel boot options.

They also found this document explaining the difference between the two modes:

https://lenovopress.com/lp1467.pdf

Iommu pass-through mode bypasses the DMA translation, so it makes sense that any DMA remapping errors like the above stop happening, also note that we didn't find, at least as of today, any issues with PCIe device pass-through to a VM by using this mode, and according to the pdf above it's also being adopted as the new default by other Linux OSes.

P.S. the above mentioned commit (v5.15.6 commit 724ee060) doesn't help, we still saw this issue with kernel 5.15.46 if iommu DMA translation mode was enabled.

Thanks a lot for Comment 11.

I also think that the mentioned patch does not solve the data corruption issue. From the comments I read here and in the mentioned links the patch can fix issues like
DMAR: ERROR: DMA PTE for vPFN xxxxxx already set (to yyyyyy not yyyyyy)

But there seems to be another issue where the log message looks like
DMAR: ERROR: DMA PTE for vPFN xxxxxx already set (to yyyyyy not zzzzzz)

@jbastos5 - does this match your observations?

I am running a MicroServer Gen8 (Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz), having four WD RED drives attached to the built-in controller. They are forming a md_raid5. Since I upgraded to Ubuntu 22.04 I saw crashes of syncthing due to a corrupt database. I have now also found files (e.g. Ubuntu ISO images) that became corrupt. I see no hint for a hardware failure (of course I have to trust smartctl here). The DMA error in my case always showed two different addresses (to yyyyyy not zzzzzz). The stack trace next to the error messages indicated iommu and raid (as far as I remember, unfortunately I haven't stored them). I have disabled iommu in the grub configuration and the errors and syncthing crashes are gone.

Since the issue causes data corruption, in my opinion it should be raised in priority.

> But there seems to be another issue where the log message looks like
> DMAR: ERROR: DMA PTE for vPFN xxxxxx already set (to yyyyyy not zzzzzz)

> @jbastos5 - does this match your observations?

Yes it does, a few examples from different servers:

DMAR: ERROR: DMA PTE for vPFN 0xb5f80 already set (to b5f80003 not 14c3c5803)

DMAR: ERROR: DMA PTE for vPFN 0xb0780 already set (to b0780003 not 28dc74801)

DMAR: ERROR: DMA PTE for vPFN 0xfffc0 already set (to 106340003 not 17bcfa003)

We also confirmed this bug is still present with kernel 5.18.3