PowerVR DEVMEMXINT_RESERVATION::ppsPMR Use-After-Free
2024-9-11 00:59:8 Author: packetstormsecurity.com (view original)

Posted Sep 10, 2024
Authored by Jann Horn, Google Security Research

The array ppsPMR in DEVMEMXINT_RESERVATION holds references to PMR structures (taken with PMRRefPMR2()), with the intent of preventing the PMRs' physical memory from being released. However, PMRs created with PVRSRV_MEMALLOCFLAG_NO_OSPAGES_ON_ALLOC (which for OSMem PMRs internally translates to FLAG_ONDEMAND) can release their backing physical pages while references to the PMR still exist; a reference alone only keeps the PMR object alive. To prevent a PMR's backing pages from disappearing, PMRLockSysPhysAddresses() must be used, as DevmemIntMapPMR2() does. Consequently, it is currently possible to free a PMR's backing pages while the PMR is still mapped into a DEVMEMXINT_RESERVATION, leading to a physical page use-after-free.
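To make the object-lifetime versus page-lifetime distinction concrete, here is an added model in C (not the PowerVR driver's code; every type and function name is hypothetical) in which a reference pins the PMR object while only a physical-address lock pins its on-demand backing pages, mirroring the difference between ppsPMR and DevmemIntMapPMR2() described above.

```c
#include <stdbool.h>
#include <stdlib.h>
#define PAGE_BYTES 4096

/* Hypothetical model of a PMR with on-demand backing pages (not PowerVR code). */
typedef struct {
    int refcount;          /* object lifetime, cf. PMRRefPMR2() / PMRUnrefPMR2() */
    int phys_locks;        /* backing-page lifetime, cf. PMRLockSysPhysAddresses() */
    bool on_demand;        /* cf. FLAG_ONDEMAND: pages may be dropped while refs remain */
    unsigned char *pages;  /* NULL once the backing pages have been released */
} pmr_t;

static pmr_t *pmr_create(bool on_demand) {
    pmr_t *p = calloc(1, sizeof *p);
    p->refcount = 1;
    p->on_demand = on_demand;
    p->pages = calloc(1, PAGE_BYTES);
    return p;
}

static void pmr_ref(pmr_t *p) { p->refcount++; }
static void pmr_unref(pmr_t *p) {
    if (--p->refcount == 0) { free(p->pages); free(p); }
}
static void pmr_lock_phys(pmr_t *p) { p->phys_locks++; }
static void pmr_unlock_phys(pmr_t *p) { p->phys_locks--; }

/* A free-on-demand path: drops the pages unless someone holds a phys lock.
 * It never consults refcount, which is exactly why a bare reference is not enough. */
static bool pmr_release_backing(pmr_t *p) {
    if (!p->on_demand || p->phys_locks > 0) return false;
    free(p->pages);
    p->pages = NULL;
    return true;
}

/* Do a reservation's pages survive a release request while it holds the PMR?
 * lock_phys=false models ppsPMR (reference only); true models DevmemIntMapPMR2(). */
bool reservation_pages_survive(bool lock_phys) {
    pmr_t *p = pmr_create(true);
    pmr_ref(p);                      /* reservation takes its reference */
    if (lock_phys) pmr_lock_phys(p); /* the safe variant also pins the pages */
    pmr_release_backing(p);          /* a concurrent free-on-demand request */
    bool survived = p->pages != NULL;
    if (lock_phys) pmr_unlock_phys(p);
    pmr_unref(p);                    /* reservation drops its reference */
    pmr_unref(p);                    /* creator's reference; frees the object */
    return survived;
}
```

With the reference-only model the pages are gone while the reservation still points at the PMR; with the phys lock held the release request is refused.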

tags | exploit
advisories | CVE-2024-34747
SHA-256 | cc6e11ae0dee934a94a29ebded0e52e70690ca998d7efe6c5f0ffe85ffda4eba

Source: https://packetstormsecurity.com/files/181438/GS2024091042451698.tgz