In gnttab_end_foreign_access_ref():
If the grant reference is invalid, doing shared[ref] could cause a page fault.
In gnttab_alloc_grant_references():
If gnttab_alloc_grant_references() fails and the code using it calls gnttab_free_grant_references(), then gnttab_entry(ref) in gnttab_free_grant_references()'s while loop will cause a page fault. But, there is a check for head == GNTTAB_LIST_END before calling it. Setting the head to GNTTAB_LIST_END when gnttab_alloc_grant_references() fails prevents the page fault.
How I discovered this:
I was attempting to run a Xen DomU in a very low grant references situation, and I got the message:
"xn0: failed to allocate tx grant refs".
Looking in the code, I discovered these two were the reason of the page fault because setup_txqs() calls disconnect_txq() when it can't connect. And disconnect_txq() calls gnttab_free_grant_references() and gnttab_end_foreign_access_ref() with invalid values, causing the page fault.
Note that netfront still panics even with these fixes, but that's a different issue, and it is out of my skill set. I will submit a detailed bug report soon.