On Sat, Sep 03, 2022 at 07:16:40PM -0700, Dan Williams wrote: > + pfn = dax_to_pfn(entry); > + pgmap = get_dev_pagemap_many(pfn, NULL, PHYS_PFN(size)); > + if (!pgmap) > + return VM_FAULT_SIGBUS; I'm not sure this makes sense to me, why do we need to hold this reference here? The entire point of normal struct page refcounting is that once we put the pte we can have the refcount elevated by anything So this can't be protective because when we get here: > + page = pfn_to_page(dax_to_pfn(entry)); > + put_dev_pagemap_many(page->pgmap, PHYS_PFN(size)); We don't know that all the page references have gone away. When the pgrefcount reaches zero we call from free_zone_device_page() page->pgmap->ops->page_free(page); Shouldn't we be managing the pgmap at this point instead? Ie when we make the pageref go from 0->1 we incr the pgmap and when it goes from 1->0 we decr it? Otherwise, what prevents the above from UAFing? Jason
