Comment 21 for bug 705562

Stefan Bader (smb) wrote :

So the why is clearer, just not the how. The crash happens because, on releasing memory, there are pages with the foreign bit set (meaning those came from a special allocator). The code section in question is specific to the Xen patch and takes an element of the page structure as a function pointer to the destructor. This (0xc1b19960) is outside the in-kernel addresses (maybe completely wrong) and causes a page fault on the instruction fetch.

Now the "only" thing left is to find out how this happens... Meanwhile, is there some reasonably easy way of triggering this at will?