On Mon, Oct 09, 2023 at 05:27:04PM -0700, Sean Christopherson wrote:
> If the last reference is effectively held by guest_memfd, it would be:
>
>   kvm_gmem_release(), a.k.a. file_operations.release()
>   |
>   -> kvm_put_kvm()
>      |
>      -> kvm_destroy_vm()
>         |
>         -> module_put(kvm_chardev_ops.owner);

... and now your thread gets preempted and loses CPU; before you get it back, some joker calls delete_module(), and the page of code containing kvm_gmem_release() is unmapped. Even though an address within that page is stored as the return address in a frame on your thread's stack. That thread gets the timeslice again and proceeds to return into an unmapped page. Oops...