On Thu, Jan 29, 2026 at 9:35 AM Shani Peretz <[email protected]> wrote: > > This commit fixes a use-after-free that causes the application to crash > on shutdown (detected by ASAN). > > The vhost library uses a background event dispatch thread that monitors > fds with epoll. It runs in an infinite loop, waiting for I/O events > and calling callbacks when they occur. > > During cleanup, a race condition existed: > > Main Thread: Event Dispatch Thread: > 1. Remove fds from fdset while (1) { > 2. Close file descriptors epoll_wait() [gets interrupted] > 3. rte_eal_cleanup() [continues loop] > 4. Unmap hugepages Accesses fdset... CRASH > } > > There was no explicit cleanup of the fdset structure. > The fdset structure is allocated with rte_zmalloc() and the memory would > only be reclaimed at application shutdown when rte_eal_cleanup() is called, > which invokes rte_eal_memory_detach() to unmap all the hugepage memory. > Meanwhile, the event dispatch thread could still be running and accessing > the fdset. > > The code had a `destroy` flag that the event dispatch thread checked, > but it was never set during cleanup, and the code never waited for > the thread to actually exit before freeing memory. > > To fix this, the commit implements fdset_destroy() that sets the destroy > flag with mutex protection, waits for thread termination, and cleans up > all resources including the fdset memory. > > Update socket.c to call fdset_destroy() when the last vhost-user socket > is unregistered. > > Fixes: 0e38b42bf61c ("vhost: manage FD with epoll") > Cc: [email protected] > > Signed-off-by: Shani Peretz <[email protected]> > > ----------------- > v3: > removed vduse implementation from this fix > > --- > lib/vhost/fd_man.c | 45 ++++++++++++++++++++++++++++++++++++++++++++- > lib/vhost/fd_man.h | 1 + > lib/vhost/socket.c | 7 +++++++ > 3 files changed, 52 insertions(+), 1 deletion(-) > Reviewed-by: Maxime Coquelin <[email protected]>
Thanks, Maxime
