From mboxrd@z Thu Jan 1 00:00:00 1970
From: Keir Fraser
Subject: Re: Xen-unstable panic: FATAL PAGE FAULT
Date: Wed, 1 Sep 2010 09:49:18 +0100
References: <4C7E24BE02000078000139EC@vpn.id2.novell.com>
In-Reply-To: <4C7E24BE02000078000139EC@vpn.id2.novell.com>
To: Jan Beulich
Cc: MaoXiaoyun, xen devel
List-Id: xen-devel@lists.xenproject.org

On 01/09/2010 09:02, "Jan Beulich" wrote:

>> Well I agree with your logic anyway. So I don't see that this can be the
>> cause of MaoXiaoyun's bug. At least not directly. But then I'm stumped as to
>> why the page arithmetic and checks in free_heap_pages are (apparently)
>> resulting in a page pointer way outside the frame-table region and actually
>> in the directmap region.
>
> There must be some unchecked use of PAGE_LIST_NULL, i.e.
> running off a list end without taking notice (0xffff8315ffffffe4
> exactly corresponds with that).

Okay, my next guess then is that we are deleting a chunk from the wrong list
head. I don't see any check that the adjacent chunks we are considering to
merge are from the same node and zone. I suppose the zone logic does just work
as we're dealing with 2**x aligned and sized regions. But, shouldn't the
merging logic in free_heap_pages be checking that the merging candidate is
from the same NUMA node? I see I have an ASSERTion later in the same function,
but it's too weak and wishful I suspect.

MaoXiaoyun: can you please test with the attached patch? If I'm right, you
will crash on one of the BUG_ON checks that I added, rather than crashing on a
pointer dereference. You may even crash during boot. Anyhow, what is
interesting is whether this patch always makes you crash on BUG_ON before you
would normally crash on pointer dereference. If so this is trivial to fix.

Thanks,
Keir

Attachment: 00-bugcheck (application/octet-stream)

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
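The failure mode hypothesised in the message above, as an added example that is not part of the original message and is not Xen code: a toy buddy allocator in C where freeing a chunk on one node coalesces with a free buddy on another node unless a same-node check is made. The `frame` array, `pfn_to_node`, `free_chunk`, `scenario` and the 16-page, two-node layout are all constructed for illustration.

```c
/* Illustrative model only; not Xen's page_alloc.c. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NPAGES    16
#define MAX_ORDER 4

/* Toy per-page metadata; only a chunk's head page carries free/order. */
struct page { bool free; unsigned order; };
static struct page frame[NPAGES];
static unsigned cross_merges;   /* merges that took a buddy from another node */

/* Constructed layout: pfns 0-7 belong to node 0, pfns 8-15 to node 1. */
static unsigned pfn_to_node(size_t pfn) { return pfn < 8 ? 0 : 1; }

/* Free the 2^order chunk at pfn, coalescing with free buddies; returns final order. */
static unsigned free_chunk(size_t pfn, unsigned order, bool check_node)
{
    unsigned node = pfn_to_node(pfn);
    while (order < MAX_ORDER) {
        size_t buddy = pfn ^ ((size_t)1 << order);
        if (!frame[buddy].free || frame[buddy].order != order)
            break;
        if (pfn_to_node(buddy) != node) {
            if (check_node)
                break;          /* checked: leave the other node's chunk alone */
            cross_merges++;     /* unchecked: buddy gets unlinked through the
                                 * freeing node's list head, not its own */
        }
        frame[buddy].free = false;
        if (buddy < pfn)
            pfn = buddy;
        order++;
    }
    frame[pfn].free = true;
    frame[pfn].order = order;
    return order;
}

/* Node 1's order-3 chunk (pfns 8-15) is free; then free node 0's pfns 0-7. */
static unsigned scenario(bool check_node)
{
    memset(frame, 0, sizeof(frame));
    cross_merges = 0;
    frame[8] = (struct page){ .free = true, .order = 3 };
    return free_chunk(0, 3, check_node);
}

int main(void) { return (scenario(false) == 4 && scenario(true) == 3) ? 0 : 1; }
```

Because the node boundary in this layout falls on a power-of-two pfn, the two order-3 chunks are buddies by address arithmetic alone, which is why alignment keeps the merge within bounds but says nothing about which node's list the buddy sits on.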