[PATCH] vhost: fix use-after-free race during cleanup
Shani Peretz
shperetz at nvidia.com
Sun Nov 9 13:25:12 CET 2025
> -----Original Message-----
> From: fengchengwen <fengchengwen at huawei.com>
> Sent: Tuesday, 4 November 2025 11:33
> To: Shani Peretz <shperetz at nvidia.com>; dev at dpdk.org
> Cc: stable at dpdk.org; Maxime Coquelin <maxime.coquelin at redhat.com>;
> Chenbo Xia <chenbox at nvidia.com>; David Marchand
> <david.marchand at redhat.com>
> Subject: Re: [PATCH] vhost: fix use-after-free race during cleanup
>
> On 11/4/2025 4:09 PM, Shani Peretz wrote:
> > This commit fixes a use-after-free that causes the application to
> > crash on shutdown (detected by ASAN).
> >
> > The vhost library uses a background event dispatch thread that
> > monitors fds with epoll. It runs in an infinite loop, waiting for I/O
> > events and calling callbacks when they occur.
> >
> > During cleanup, a race condition existed:
> >
> > Main Thread:                 Event Dispatch Thread:
> > 1. Remove fds from fdset     while (1) {
> > 2. Close file descriptors        epoll_wait() [gets interrupted]
> > 3. Free fdset memory             [continues loop]
> > 4. Continue...                   Accesses fdset... CRASH
> >                              }
> >
> > The main thread would free the fdset memory while the background
> > thread was still running and using it.
>
> Who will free fdset memory ? I check the lib/vhost/socket.c and found there
> are no explicit free.
>
> I think it maybe the hugepage free because the fdset use rte_zmalloc(). If it's,
> please explicit add it into the commit log.
Yes, you're right. I double-checked with a debugger and indeed the fdset memory is freed when the hugepages are freed; I'll update the commit log.
>
> >
> > The code had a `destroy` flag that the event dispatch thread checked,
> > but it was never set during cleanup, and the code never waited for the
> > thread to actually exit before freeing memory.
> >
> > This commit implements `fdset_destroy()` that will set the destroy
> > flag, wait for thread termination, and clean up all resources.
> > The socket.c is updated to call fdset_destroy() when the last
> > vhost-user socket is unregistered.
> >
> > Fixes: 0e38b42bf61c ("vhost: manage FD with epoll")
> > Cc: stable at dpdk.org
> >
> > Signed-off-by: Shani Peretz <shperetz at nvidia.com>
>
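Added example, not part of the original message and not DPDK's lib/vhost code: a minimal fdset with a background epoll dispatch thread whose teardown follows the order the commit message describes (set the destroy flag, wait for the thread to exit, then release resources). The names fdset_create/fdset_add/fdset_destroy and the self-pipe used to interrupt epoll_wait() are this example's own assumptions; the real library's wake-up mechanism and allocation (rte_zmalloc) are not reproduced here.

```c
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/epoll.h>

#define FDSET_MAX_EVENTS 8

typedef void (*fd_cb_t)(int fd, void *dat);

struct fdentry { int fd; fd_cb_t cb; void *dat; };

struct fdset {
    int epfd;
    int wake_pipe[2];            /* assumed self-pipe: written on destroy so epoll_wait() returns */
    struct fdentry wake_entry;
    atomic_bool destroy;         /* set only by fdset_destroy(), checked by the dispatch thread */
    pthread_t tid;
    bool thread_started;
};

static void wake_cb(int fd, void *dat) {
    char c;
    (void)dat;
    (void)!read(fd, &c, 1);      /* drain the wake byte; the loop exits on the destroy check */
}

/* Background dispatch loop. Every access to *pfdset here is safe only because
 * fdset_destroy() joins this thread before the memory is released. */
static void *fdset_event_dispatch(void *arg) {
    struct fdset *pfdset = arg;
    struct epoll_event events[FDSET_MAX_EVENTS];

    while (1) {
        int n = epoll_wait(pfdset->epfd, events, FDSET_MAX_EVENTS, -1);
        if (atomic_load(&pfdset->destroy))
            break;               /* the flag is actually set now, so this check has effect */
        for (int i = 0; i < n; i++) {
            struct fdentry *e = events[i].data.ptr;
            e->cb(e->fd, e->dat);
        }
    }
    return NULL;
}

int fdset_add(struct fdset *pfdset, struct fdentry *e) {
    struct epoll_event ev = { .events = EPOLLIN, .data.ptr = e };
    return epoll_ctl(pfdset->epfd, EPOLL_CTL_ADD, e->fd, &ev);
}

/* Ordered teardown: 1) flag, 2) wake the blocked epoll_wait(), 3) join,
 * 4) only then close descriptors and free the fdset. */
void fdset_destroy(struct fdset *pfdset) {
    if (!pfdset) return;
    if (pfdset->thread_started) {
        atomic_store(&pfdset->destroy, true);
        (void)!write(pfdset->wake_pipe[1], "x", 1);
        pthread_join(pfdset->tid, NULL);
    }
    if (pfdset->epfd >= 0) close(pfdset->epfd);
    if (pfdset->wake_pipe[0] >= 0) close(pfdset->wake_pipe[0]);
    if (pfdset->wake_pipe[1] >= 0) close(pfdset->wake_pipe[1]);
    free(pfdset);                /* no thread can touch it any more */
}

struct fdset *fdset_create(void) {
    struct fdset *pfdset = calloc(1, sizeof(*pfdset));
    if (!pfdset) return NULL;
    pfdset->epfd = -1;
    pfdset->wake_pipe[0] = pfdset->wake_pipe[1] = -1;
    pfdset->epfd = epoll_create1(EPOLL_CLOEXEC);
    if (pfdset->epfd < 0 || pipe(pfdset->wake_pipe) < 0) goto fail;
    pfdset->wake_entry = (struct fdentry){ pfdset->wake_pipe[0], wake_cb, NULL };
    if (fdset_add(pfdset, &pfdset->wake_entry) < 0) goto fail;
    if (pthread_create(&pfdset->tid, NULL, fdset_event_dispatch, pfdset) != 0) goto fail;
    pfdset->thread_started = true;
    return pfdset;
fail:
    fdset_destroy(pfdset);       /* thread not started, so this only closes and frees */
    return NULL;
}

static void count_cb(int fd, void *dat) {
    char buf[16];
    ssize_t n = read(fd, buf, sizeof buf);
    if (n > 0) atomic_fetch_add((atomic_int *)dat, (int)n);
}

/* Constructed scenario: deliver 3 bytes through a monitored pipe, then tear
 * down in the fixed order. Returns bytes seen by the dispatch thread (3), or -1. */
int demo_ordered_cleanup(void) {
    atomic_int seen = 0;
    int p[2];
    if (pipe(p) < 0) return -1;
    struct fdset *pfdset = fdset_create();
    if (!pfdset) { close(p[0]); close(p[1]); return -1; }
    struct fdentry e = { p[0], count_cb, &seen };
    if (fdset_add(pfdset, &e) < 0) { fdset_destroy(pfdset); close(p[0]); close(p[1]); return -1; }
    (void)!write(p[1], "abc", 3);
    for (int i = 0; i < 2000 && atomic_load(&seen) < 3; i++) usleep(1000);
    fdset_destroy(pfdset);       /* joined before free: 'e' and 'seen' are never used after this */
    close(p[0]); close(p[1]);
    return atomic_load(&seen);
}
```

Running demo_ordered_cleanup() under ASAN or valgrind is the useful check: because the join happens before free(), the dispatch thread's final read of pfdset->destroy lands on live memory, which is exactly what the unset-flag, no-join sequence in the commit message's diagram violated.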