|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] Crashing kernel with dom0/libxc gnttab/gntshr
On Fri, 2013-08-02 at 14:50 +0100, Stefano Stabellini wrote: > On Tue, 30 Jul 2013, Daniel De Graaf wrote: > > On 07/30/2013 12:58 PM, David Vrabel wrote: > > [...] > > > > > > [ 902.729307] BUG: Bad page map in process vchan-node1 pte:12bfff167 > > > pmd:b9b5c067 > > > [ 902.729312] page:ffffea0004afffc0 count:1 mapcount:-1 mapping: > > > (null) index:0xffffffffffffffff > > > > > > I think this is the test for page_mapcount(page) < 0 in zap_pte_range(). > > > This has looked up the page using the PTE it is trying to clear. Has > > > it found the correct page? Since the MFN is currently mapped into the > > > same domain, has the m2p_override stuff confused the look up and it is > > > checking the grantee page not the granter? > > > > > > David > > > > I think something like this is happening, since while reproducing this > > on my test system, some linked list corruption was found that I believe > > to be the cause of this problem. The gnttab_map_refs function on PV uses > > m2p_add_override on the page, which threads page->lru to an > > m2p_overrides list. However, something else is using page->lru during > > the use of gntdev, as shown by the following debug patch: > > I have never managed to prove that something else is trying to use > page->lru while the m2p_override is using it. Isn't it very much dependent on the actual original owner of the page? A lot of these fields are free to use by the code which actually called alloc_page, but for a facility like the m2p_override which can consume pages from a variety of sources you'd need to be careful about what each of those callers was doing. Ian. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |