Applied to next-virtio/for-next-net. Thanks, Maxime
On Thu, Mar 5, 2026 at 11:47 AM Maxime Coquelin <[email protected]> wrote: > > On Thu, Jan 29, 2026 at 9:35 AM Shani Peretz <[email protected]> wrote: > > > > This commit fixes a use-after-free that causes the application to crash > > on shutdown (detected by ASAN). > > > > The vhost library uses a background event dispatch thread that monitors > > fds with epoll. It runs in an infinite loop, waiting for I/O events > > and calling callbacks when they occur. > > > > During cleanup, a race condition existed: > > > > Main Thread: Event Dispatch Thread: > > 1. Remove fds from fdset while (1) { > > 2. Close file descriptors epoll_wait() [gets interrupted] > > 3. rte_eal_cleanup() [continues loop] > > 4. Unmap hugepages Accesses fdset... CRASH > > } > > > > There was no explicit cleanup of the fdset structure. > > The fdset structure is allocated with rte_zmalloc() and the memory would > > only be reclaimed at application shutdown when rte_eal_cleanup() is called, > > which invokes rte_eal_memory_detach() to unmap all the hugepage memory. > > Meanwhile, the event dispatch thread could still be running and accessing > > the fdset. > > > > The code had a `destroy` flag that the event dispatch thread checked, > > but it was never set during cleanup, and the code never waited for > > the thread to actually exit before freeing memory. > > > > To fix this, the commit implements fdset_destroy() that sets the destroy > > flag with mutex protection, waits for thread termination, and cleans up > > all resources including the fdset memory. > > > > Update socket.c to call fdset_destroy() when the last vhost-user socket > > is unregistered. > > > > Fixes: 0e38b42bf61c ("vhost: manage FD with epoll") > > Cc: [email protected] > > > > Signed-off-by: Shani Peretz <[email protected]> > > > > ----------------- > > v3: > > removed vduse implementation from this fix > > > > --- > > lib/vhost/fd_man.c | 45 ++++++++++++++++++++++++++++++++++++++++++++- > > lib/vhost/fd_man.h | 1 + > > lib/vhost/socket.c | 7 +++++++ > > 3 files changed, 52 insertions(+), 1 deletion(-) > > > Reviewed-by: Maxime Coquelin <[email protected]> > > Thanks, > Maxime
