FWIW, the bug I mentioned was bug 1203505. It hits in the very similar code path (around domain_detach_iommu), so I wonder how this still remains in the new kernel.