1 files changed, 15 insertions, 1 deletions

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index cc081ccfcaa3..195078225aa5 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -696,6 +696,11 @@ static void kvm_destroy_devices(struct kvm *kvm)
 {
         struct kvm_device *dev, *tmp;
 
+        /*
+         * We do not need to take the kvm->lock here, because nobody else
+         * has a reference to the struct kvm at this point and therefore
+         * cannot access the devices list anyhow.
+         */
         list_for_each_entry_safe(dev, tmp, &kvm->devices, vm_node) {
                 list_del(&dev->vm_node);
                 dev->ops->destroy(dev);
@@ -2832,19 +2837,28 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
         dev->ops = ops;
         dev->kvm = kvm;
 
+        mutex_lock(&kvm->lock);
         ret = ops->create(dev, cd->type);
         if (ret < 0) {
+                mutex_unlock(&kvm->lock);
                 kfree(dev);
                 return ret;
         }
+        list_add(&dev->vm_node, &kvm->devices);
+        mutex_unlock(&kvm->lock);
+
+        if (ops->init)
+                ops->init(dev);
 
         ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
         if (ret < 0) {
                 ops->destroy(dev);
+                mutex_lock(&kvm->lock);
+                list_del(&dev->vm_node);
+                mutex_unlock(&kvm->lock);
                 return ret;
         }
 
-        list_add(&dev->vm_node, &kvm->devices);
         kvm_get_kvm(kvm);
         cd->fd = ret;
         return 0;