On Mon, Oct 06, 2025 at 01:51:37PM -0400, Felix Kuehling wrote:
> OK. We made an incorrect assumption that we can reuse a page if the
> driver isn't tracking it as allocated to any of our SVM ranges (i.e.,
> after dev_pagemap_ops.migrate_to_ram() migrated all data out of the
> page). However, we neglected that other parts of the kernel can still
> hold references to a page even after that.

Yes, that sounds completely incorrect.

> As I understand it, it's a race condition. The driver is done with the
> page and its migrate_to_ram() call has completed. But do_swap_page
> hasn't called put_page yet. At the same time, another thread is trying
> to reuse the page, migrating data back to VRAM.

Which means the driver is not properly tracking freed pages.

I don't think the code you showed makes a lot of sense, if someone else
has a reference on the page it could be for many reasons.

If you take a non-free page and treat it as free and safe to use you
probably are adding a security bug.

Jason
