On 15/10/2017 13:30, BALATON Zoltan wrote:
> I've got a bit further with this but still could use some hints to find
> what is happening. Here are some more details I've found so far.
>
> The memory map I have (see below) is a bit complex but the interesting
> part is that I have sii3112.bar5 as an mmio region with sii3112.bar0-4
> as io region aliases into this. The crash is happening when the firmware
> is accessing one of these aliased io regions when
>
> tlb_set_page_with_attrs: vaddr=d8001000 paddr=0x0000000c08001000 prot=3
> idx=1
>
> is called in accel/tcg/cputlb.c:616 which then calls
>
> 635 section = address_space_translate_for_iotlb(cpu, asidx,
> paddr, &xlat, &sz);
>
> this in turn calls address_space_translate_internal which calls
>
> 441 section = address_space_lookup_region(d, addr, resolve_subpage);
>
> that eventually gets the cached section at exec.c:411
>
> 411 MemoryRegionSection *section = atomic_read(&d->mru_section);
>
> When this is not a region covering the address as verified by
Could it be that the cached region is only for a small part of the page, while phys_page_find returns a subpage (and resolve_subpage is false)? Maybe it's enough to skip mru_section if resolve_subpage is false.

Thanks,

Paolo
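The following is an added toy model of the lookup path discussed above, not QEMU code and not anything posted in this thread. It models address_space_lookup_region() with an mru_section cache and a subpage container, replays the two-step sequence Paolo's hypothesis needs (a resolving lookup primes the cache with a small sub-section, then a non-resolving lookup for an iotlb hits the same page), and shows the difference when the cache is skipped for resolve_subpage == false. The section table, region names, 1 KiB sub-section granularity (QEMU's subpage_t resolves per byte) and the offset within the page are constructed; only the page address 0xc08001000 is taken from the thread.

```c
/* Toy model of QEMU's address_space_lookup_region() and its mru_section
 * cache. Not QEMU code: the section table, names and sub-section
 * granularity are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE     4096u
#define SUB_GRAIN     1024u                     /* toy granularity, not QEMU's */
#define SUBS_PER_PAGE (PAGE_SIZE / SUB_GRAIN)
#define NSECTIONS     6

/* Physical page the thread reports the firmware touching. */
#define TOY_PAGE 0x0000000c08001000ULL

typedef struct Section {
    const char *name;
    uint64_t base;                 /* offset_within_address_space */
    uint64_t size;
    bool is_subpage;               /* models section->mr->subpage */
    int sub[SUBS_PER_PAGE];        /* sub-section indices when is_subpage */
} Section;

typedef struct Dispatch {
    Section sections[NSECTIONS];
    int mru;                       /* models d->mru_section; -1 = empty */
    uint64_t page_base;            /* the single mapped page in this toy */
    int page_section;              /* what phys_page_find() returns for it */
} Dispatch;

static void build_dispatch(Dispatch *d)
{
    /* Section 0 stands in for PHYS_SECTION_UNASSIGNED, section 1 is the
     * subpage container for TOY_PAGE, sections 2..5 are four constructed
     * 1 KiB io regions carved out of that page. */
    static const char *names[SUBS_PER_PAGE] = {
        "toy-io-alias0", "toy-io-alias1", "toy-io-alias2", "toy-io-alias3"
    };
    d->sections[0] = (Section){ "unassigned", 0, 0, false, {0} };
    d->sections[1] = (Section){ "subpage", TOY_PAGE, PAGE_SIZE, true, {2, 3, 4, 5} };
    for (unsigned i = 0; i < SUBS_PER_PAGE; i++) {
        d->sections[2 + i] = (Section){ names[i], TOY_PAGE + i * SUB_GRAIN,
                                        SUB_GRAIN, false, {0} };
    }
    d->mru = -1;
    d->page_base = TOY_PAGE;
    d->page_section = 1;
}

static bool section_covers_addr(const Section *s, uint64_t addr)
{
    return addr - s->base < s->size;   /* same idea as QEMU's range check */
}

static Section *phys_page_find(Dispatch *d, uint64_t addr)
{
    return (addr - d->page_base < PAGE_SIZE) ? &d->sections[d->page_section]
                                             : &d->sections[0];
}

/* skip_mru_for_unresolved=false follows the lookup as quoted in the thread;
 * true applies the suggestion of ignoring mru_section when
 * resolve_subpage is false. */
static Section *lookup_region(Dispatch *d, uint64_t addr,
                              bool resolve_subpage, bool skip_mru_for_unresolved)
{
    Section *section = d->mru >= 0 ? &d->sections[d->mru] : NULL;
    bool update;

    if (section && section != &d->sections[0] &&
        section_covers_addr(section, addr) &&
        !(skip_mru_for_unresolved && !resolve_subpage)) {
        update = false;                 /* cache hit: mru covers addr */
    } else {
        section = phys_page_find(d, addr);
        update = true;
    }
    if (resolve_subpage && section->is_subpage) {
        section = &d->sections[section->sub[(addr % PAGE_SIZE) / SUB_GRAIN]];
    }
    if (update) {
        d->mru = (int)(section - d->sections);   /* may cache a sub-section */
    }
    return section;
}

/* A resolving lookup primes the cache with a 1 KiB sub-section, then a
 * non-resolving lookup (the iotlb path) asks about the same page. Returns
 * what the second lookup hands to its caller. */
static const Section *iotlb_lookup_after_priming(bool skip_mru_for_unresolved)
{
    Dispatch d;
    uint64_t addr = TOY_PAGE + 0x40;   /* constructed offset within the page */

    build_dispatch(&d);
    lookup_region(&d, addr, true, skip_mru_for_unresolved);
    return lookup_region(&d, addr, false, skip_mru_for_unresolved);
}

int main(void)
{
    const Section *s = iotlb_lookup_after_priming(false);
    printf("mru reused: %s, size 0x%llx (page is 0x%x)\n",
           s->name, (unsigned long long)s->size, PAGE_SIZE);
    s = iotlb_lookup_after_priming(true);
    printf("mru skipped when !resolve_subpage: %s, size 0x%llx\n",
           s->name, (unsigned long long)s->size);
    return 0;
}
```

In the first variant the iotlb caller receives a section whose size is far smaller than a page, because the cache was filled by an earlier resolving lookup; skipping the cache for non-resolving lookups makes it fall back to phys_page_find() and get the page-sized subpage container instead.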