commit 9432a3175770e06cb83eada2d91fac90c977cb99 upstream.

A comment warning against this bug is there, but the code is not doing what
the comment says. Therefore it is possible that an EPOLLHUP races against
irq_bypass_register_consumer. The EPOLLHUP handler schedules irqfd_shutdown,
and if that runs soon enough, you get a use-after-free.

Reported-by: syzbot <firstname.lastname@example.org>
Signed-off-by: Paolo Bonzini <email@example.com>
Reviewed-by: David Hildenbrand <firstname.lastname@example.org>
Signed-off-by: Sudip Mukherjee <email@example.com>
Signed-off-by: Greg Kroah-Hartman <firstname.lastname@example.org>