v1: https://lore.kernel.org/r/20260511135737.2285411-1-congei42@163.com

v1 fixed the irqfd UAF by serialising deassign with the shutdown work
through list_empty() + cancel_work_sync(). Fei Li pointed out that the
lifetime rules were still distributed across several places. v2
restructures the lifetime along the same lines KVM irqfd uses:
deassign/deinit only logically deactivate the irqfd, and the shutdown
work is the sole owner of struct hsm_irqfd.

Changes since v1:
- Introduce HSM_IRQFD_FLAG_SHUTDOWN guarded by test_and_set_bit() so
  the cleanup work is queued at most once over the irqfd's lifetime,
  removing the cancel_work_sync()-based ownership negotiation.
- hsm_irqfd_shutdown_work() now performs list_del_init() (if needed),
  eventfd_ctx_remove_wait_queue(), eventfd_ctx_put() and kfree(); the
  deassign/deinit paths no longer call any of these directly.
- acrn_irqfd_deassign() and acrn_irqfd_deinit() only list_del_init()
  the irqfd under irqfds_lock and queue the cleanup work; both flush
  vm->irqfd_wq before returning / before destroy_workqueue().
- acrn_irqfd_deinit() now uses list_for_each_entry_safe(irqfd, next,
  ...) so both iterators are referenced, incidentally fixing the
  -Wunused-variable warning reported by the kernel test robot on v1
  (https://lore.kernel.org/oe-kbuild-all/202605151636.lR13SqEN-lkp@intel.com/).
- acrn_irqfd_assign() now holds vm->irqfds_lock across the duplicate
  check, vfs_poll() (which installs the eventfd waitqueue entry via
  hsm_irqfd_poll_func) and list_add_tail(), so the irqfd is never
  visible on vm->irqfds before its waitqueue entry has been installed.

Sicong Huang (1):
  virt: acrn: Fix irqfd use-after-free during eventfd shutdown

 drivers/virt/acrn/irqfd.c | 71 ++++++++++++++++++++++++---------------
 1 file changed, 44 insertions(+), 27 deletions(-)

base-commit: 7fd2df204f342fc17d1a0bfcd474b24232fb0f32
-- 
2.34.1
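The ownership rule the cover letter describes (a SHUTDOWN bit set with test_and_set_bit() so cleanup is queued at most once, and the shutdown work being the only code that tears down and frees the irqfd) can be modelled outside the kernel. The following userspace C program is an added illustration written for this note; it is not the ACRN driver's code and does not reproduce the patch. It assumes two entry points that race to shut an irqfd down, the eventfd hangup wakeup and the userspace deassign ioctl, and replaces the kernel primitives with stand-ins: a C11 atomic fetch-or in place of test_and_set_bit(), a single pending pointer in place of the work queue, and counters that record how many times the work was queued and how many times the object was freed.

```c
/* Userspace model of a once-only shutdown handoff (added example, not kernel code).
 * Compile with: cc -std=c11 -Wall model.c */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum { HSM_IRQFD_FLAG_SHUTDOWN = 0 };   /* bit index, as named in the series */

struct hsm_irqfd {
    atomic_ulong flags;     /* stand-in for the kernel's unsigned long flags word */
    bool on_list;           /* models membership on vm->irqfds */
    bool wait_removed;      /* models eventfd_ctx_remove_wait_queue() having run */
};

/* Hypothetical single-slot "work queue" plus bookkeeping for the assertions. */
struct vm_model {
    struct hsm_irqfd *pending;   /* the queued work item, if any */
    int queued_count;            /* how many times the work was actually queued */
    int freed_count;             /* how many times the object was freed */
};

/* Stand-in for test_and_set_bit(): returns the previous bit value, sets it atomically. */
static bool test_and_set_shutdown(struct hsm_irqfd *irqfd)
{
    unsigned long mask = 1UL << HSM_IRQFD_FLAG_SHUTDOWN;
    unsigned long old = atomic_fetch_or(&irqfd->flags, mask);
    return (old & mask) != 0;
}

/* Every path that wants the irqfd gone calls this; only the first caller queues. */
static bool hsm_irqfd_queue_shutdown(struct vm_model *vm, struct hsm_irqfd *irqfd)
{
    if (test_and_set_shutdown(irqfd))
        return false;            /* someone already queued the cleanup */
    vm->pending = irqfd;
    vm->queued_count++;
    return true;
}

/* The shutdown work: sole owner. Unlinks if still linked, drops the wait entry, frees. */
static void hsm_irqfd_shutdown_work(struct vm_model *vm)
{
    struct hsm_irqfd *irqfd = vm->pending;
    if (!irqfd)
        return;
    vm->pending = NULL;
    irqfd->on_list = false;      /* list_del_init() if needed */
    irqfd->wait_removed = true;  /* eventfd_ctx_remove_wait_queue() */
    vm->freed_count++;
    free(irqfd);                 /* kfree(); no other path frees */
}

/* eventfd hangup wakeup (assumed entry point): request shutdown, nothing more. */
static void model_poll_hangup(struct vm_model *vm, struct hsm_irqfd *irqfd)
{
    hsm_irqfd_queue_shutdown(vm, irqfd);
}

/* deassign (assumed entry point): unlink, request shutdown, then flush the queue. */
static void model_deassign(struct vm_model *vm, struct hsm_irqfd *irqfd)
{
    irqfd->on_list = false;          /* list_del_init() under irqfds_lock */
    hsm_irqfd_queue_shutdown(vm, irqfd);
    hsm_irqfd_shutdown_work(vm);     /* flush_workqueue(vm->irqfd_wq) */
}

static struct hsm_irqfd *model_assign(void)
{
    struct hsm_irqfd *irqfd = calloc(1, sizeof(*irqfd));
    if (irqfd)
        irqfd->on_list = true;       /* visible on vm->irqfds */
    return irqfd;
}

/* Hangup and deassign both fire before the work runs: expect one queue, one free. */
int simulate_race(void)
{
    struct vm_model vm = {0};
    struct hsm_irqfd *irqfd = model_assign();
    if (!irqfd)
        return 0;
    model_poll_hangup(&vm, irqfd);   /* first requester wins the SHUTDOWN bit */
    model_deassign(&vm, irqfd);      /* second requester only unlinks and flushes */
    return (vm.queued_count == 1 && vm.freed_count == 1) ? 1 : 0;
}

/* Deassign alone: still exactly one queue and one free. */
int simulate_deassign_only(void)
{
    struct vm_model vm = {0};
    struct hsm_irqfd *irqfd = model_assign();
    if (!irqfd)
        return 0;
    model_deassign(&vm, irqfd);
    return (vm.queued_count == 1 && vm.freed_count == 1) ? 1 : 0;
}

int main(void)
{
    printf("race: %s\n", simulate_race() ? "ok" : "FAIL");
    printf("deassign only: %s\n", simulate_deassign_only() ? "ok" : "FAIL");
    return 0;
}
```

The point the model makes is that the free happens in exactly one place regardless of which requester arrives first, so neither the hangup path nor the deassign path can touch a struct hsm_irqfd after the work has released it. In the real driver, queue_work() already refuses to queue an item that is still pending; the flag matters because it also stops a second request from re-queueing the work after it has run and freed the object.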