On Tue, Jan 14, 2020 at 10:57:06AM +0200, Gal Pressman wrote:
> When destroying a DMA mmapped object, there is no need to delay the
> pages freeing to dealloc_ucontext as the kernel itself will keep
> reference count for these pages.

Why does the commit message talk about dealloc_ucontext but doesn't
change dealloc_ucontext?

> + free_pages_exact(cq->cpu_addr, cq->size);
> rdma_user_mmap_entry_remove(cq->mmap_entry);

This is out of order, the pages can't be freed until the entry is
removed.

There is also a bug in rdma_user_mmap_entry_remove(),
entry->driver_removed needs to be set while holding the xa_lock or
this is not the required fence.

Jason
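
Review bot: The added free_pages_exact(cq->cpu_addr, cq->size) sits before rdma_user_mmap_entry_remove(cq->mmap_entry), so the pages are handed back to the allocator while the entry in cq->mmap_entry is still in place. Move the free_pages_exact() call below the rdma_user_mmap_entry_remove() call so that the entry is removed first and only then are the pages released. The quoted commit message also justifies the change in terms of dealloc_ucontext, yet nothing in the quoted lines touches that path; either the message should describe the destroy path that is actually changed here, or the corresponding dealloc_ucontext cleanup should be part of the same patch.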