Hi,
At 15:16 -0400 on 12 Oct (1192202184), Roger Cruz wrote:
> I'm trying to debug a problem where a page is being freed via the
> free_domheap_pages() routine and it is triggering a bug check for this
> condition:
>
> BUG_ON((pg[i].u.inuse.type_info & PGT_count_mask) != 0);
>
> I have printed the page_info fields for type_info and it shows large
> numbers there with the count_info equals to 0.
>
> (XEN) page_alloc.c:902: pg=0xf869f570, i=0x0, type_info = 0xe800005d,
> count info = 0x0, domid=0x2 order=0x0
OK, so this page has a type-count of 93! I'd guess that not only is
there a point where a count_info+type_info increment is matched by a
count_info-only decrement, but it's happened quite a few times before
you've tripped over it. :(
> I found the spot where type_info is incremented (get_page_type). The
> routine is getting called due to a page fault:
>
> [<ff12889c>] get_page_type+0x16c/0x460
> (XEN) [<ff127f77>] get_page_from_l1e+0x187/0x430
> (XEN) [<ff169d49>] shadow_set_l1e+0xe9/0x1d0
> (XEN) [<ff16baf9>] sh_page_fault__shadow_3_guest_3+0x3f9/0xf80
> (XEN) [<ff15c076>] vmx_vmexit_handler+0x786/0x1680
> (XEN) [<ff15cf87>] vmx_asm_vmexit_handler+0x17/0x20
Seems reasonable. The shadow code has mapped the page for the guest,
with type PGT_writeable_page, matching up with the guest's pagetable
contents.
> At this point, you need a little background info. The page in question
> belongs to HVM domain 2 and have modified the hypervisor to allow me to
> map it (via grant_table) into another HVM (domain 1). Domain 1 is the
> one causing the crash as it tries to unmap the previously mapped
> grant_table reference.
>
> (XEN) Xen call trace:
> (XEN) [<ff10e465>] free_domheap_pages+0xb5/0x310
> (XEN) [<ff10963d>] do_grant_table_op+0x196d/0x1ae0
> (XEN) [<ff13de32>] hvm_do_hypercall+0xb2/0x1e0
> (XEN) [<ff15ba95>] vmx_vmexit_handler+0x305/0x1680
> (XEN) [<ff15ce27>] vmx_asm_vmexit_handler+0x17/0x20
That's a grant mapping being pulled down. Can you find out from the
symbols in your build whether this is a read-only or read-write mapping
being pulled down?
> So I can state that the page is mapped correctly and useable and as it
> is accessed, it incurs page faults which increment the type_info count
> but don't appear to increment count_info.
I very much doubt it. get_page_from_l1e() uses get_page_and_type(),
which increments the count_info first, then the type_info.
Can you trace the grant mappings that you've introduced and check
whether the grants are being introduced as read-write and removed as
read-only?
Cheers,
Tim.
--
Tim Deegan <Tim.Deegan@xxxxxxxxxxxxx>, XenSource UK Limited
Registered office c/o EC2Y 5EB, UK; company number 05334508
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
Home