    commit b5020a8e6b54d2ece80b1e7dedb33c79a40ebd47 upstream.
    Syzbot reports crashes in kvm_irqfd_assign(), caused by use-after-free
    when kvm_irqfd_assign() and kvm_irqfd_deassign() run in parallel
    for one specific eventfd. When the assign path hasn't finished but irqfd
    has been added to kvm->irqfds.items list, another thead may deassign the
    eventfd and free struct kvm_kernel_irqfd(). The assign path then uses
    the struct kvm_kernel_irqfd that has been freed by deassign path. To avoid
    such issue, keep irqfd under kvm->irq_srcu protection after the irqfd
    has been added to kvm->irqfds.items list, and call synchronize_srcu()
    in irq_shutdown() to make sure that irqfd has been fully initialized in
    the assign path.
    Reported-by: 's avatarDmitry Vyukov <dvyukov@google.com>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Radim Krčmář <rkrcmar@redhat.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: 's avatarTianyu Lan <tianyu.lan@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: 's avatarPaolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
