Hi Sheng,

I'm not claiming to understand the details, but this looks like use
(dereference of pte via dma_pte_addr) after release (free_pgtable_page
of dmar_domain->pgd aka pte) to me:

static int intel_iommu_attach_device(struct iommu_domain *domain,
				     struct device *dev)
{
[...]
	pte = dmar_domain->pgd;
	if (dma_pte_present(pte)) {
		free_pgtable_page(dmar_domain->pgd);
		dmar_domain->pgd = (struct dma_pte *)
			phys_to_virt(dma_pte_addr(pte));
	}

At least it crashes here right on pte->val access. Swap both lines?

Jan
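
An added example, not part of the mail above and not kernel code: a user-space C model of the ordering in the quoted snippet, next to the swapped order the mail asks about. The arena, the poison byte, the present bits and every model_* helper are assumptions made for illustration; "freeing" poisons the page so the stale read is visible without undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

/* User-space model: constants and model_* helpers are assumptions. */
#define POISON      0x6b    /* constructed fill byte marking a freed page */
#define PTE_PRESENT 0x3ULL  /* model: low bits set means "present" */
struct dma_pte { uint64_t val; };
/* Two 4 KiB table pages; "freeing" poisons a page so a stale read shows up. */
static struct dma_pte arena[2][512];

static void model_free_page(struct dma_pte *p) { memset(p, POISON, sizeof(arena[0])); }
static uint64_t model_pte_addr(const struct dma_pte *p) { return p->val & ~0xfffULL; }
static struct dma_pte *model_phys_to_virt(uint64_t addr)
{   /* page number indexes the arena; NULL means a garbage address */
    return (addr >> 12) < 2 ? arena[addr >> 12] : NULL;
}
static struct dma_pte *setup(void)
{   /* constructed table: top-level entry 0 points at page 1 */
    memset(arena, 0, sizeof(arena));
    arena[0][0].val = (1ULL << 12) | PTE_PRESENT;
    return arena[0];
}

/* Order in the quoted snippet: free the page, then read through pte. */
struct dma_pte *descend_free_then_read(void)
{
    struct dma_pte *pgd = setup(), *pte = pgd;
    if (pte->val & PTE_PRESENT) {
        model_free_page(pgd);
        pgd = model_phys_to_virt(model_pte_addr(pte)); /* reads poison */
    }
    return pgd;
}

/* Swapped order: fetch the next-level address first, then free. */
struct dma_pte *descend_read_then_free(void)
{
    struct dma_pte *pgd = setup(), *pte = pgd;
    if (pte->val & PTE_PRESENT) {
        struct dma_pte *next = model_phys_to_virt(model_pte_addr(pte));
        model_free_page(pgd);
        pgd = next;
    }
    return pgd;
}

int main(void)
{   /* exit 0 when the stale read yields garbage and the swapped order works */
    return !(descend_free_then_read() == NULL && descend_read_then_free() == arena[1]);
}
```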