[PATCH v3] vhost: fix use-after-free race during cleanup
Maxime Coquelin
maxime.coquelin at redhat.com
Thu Mar 5 14:51:15 CET 2026
Applied to next-virtio/for-next-net.
Thanks,
Maxime
On Thu, Mar 5, 2026 at 11:47 AM Maxime Coquelin
<maxime.coquelin at redhat.com> wrote:
>
> On Thu, Jan 29, 2026 at 9:35 AM Shani Peretz <shperetz at nvidia.com> wrote:
> >
> > This commit fixes a use-after-free that causes the application to crash
> > on shutdown (detected by ASAN).
> >
> > The vhost library uses a background event dispatch thread that monitors
> > fds with epoll. It runs in an infinite loop, waiting for I/O events
> > and calling callbacks when they occur.
> >
> > During cleanup, a race condition existed:
> >
> > Main Thread:                  Event Dispatch Thread:
> > 1. Remove fds from fdset      while (1) {
> > 2. Close file descriptors         epoll_wait() [gets interrupted]
> > 3. rte_eal_cleanup()              [continues loop]
> > 4. Unmap hugepages                Accesses fdset... CRASH
> >                               }
> >
> > There was no explicit cleanup of the fdset structure.
> > The fdset structure is allocated with rte_zmalloc() and the memory would
> > only be reclaimed at application shutdown when rte_eal_cleanup() is called,
> > which invokes rte_eal_memory_detach() to unmap all the hugepage memory.
> > Meanwhile, the event dispatch thread could still be running and accessing
> > the fdset.
> >
> > The code had a `destroy` flag that the event dispatch thread checked,
> > but it was never set during cleanup, and the code never waited for
> > the thread to actually exit before freeing memory.
> >
> > To fix this, the commit implements fdset_destroy() that sets the destroy
> > flag with mutex protection, waits for thread termination, and cleans up
> > all resources including the fdset memory.
> >
> > Update socket.c to call fdset_destroy() when the last vhost-user socket
> > is unregistered.
> >
> > Fixes: 0e38b42bf61c ("vhost: manage FD with epoll")
> > Cc: stable at dpdk.org
> >
> > Signed-off-by: Shani Peretz <shperetz at nvidia.com>
> >
> > -----------------
> > v3:
> > removed vduse implementation from this fix
> >
> > ---
> > lib/vhost/fd_man.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
> > lib/vhost/fd_man.h | 1 +
> > lib/vhost/socket.c | 7 +++++++
> > 3 files changed, 52 insertions(+), 1 deletion(-)
> >
> Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
>
> Thanks,
> Maxime
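The shutdown ordering the commit message describes (set the destroy flag under the mutex, wait for the dispatch thread to exit, only then free what it was using), as an added example that is not code from the patch or from DPDK's fd_man.c. The struct layout, fdset_create() and fdset_event_dispatch() are reduced stand-ins, and the timed epoll_wait() is an assumption so the loop re-checks the flag even when no fd is registered.

```c
#include <pthread.h>
#include <stdlib.h>
#include <sys/epoll.h>
#include <unistd.h>

struct fdset {			/* reduced model; fd_man.c's struct holds more */
	int epfd;
	pthread_mutex_t lock;	/* protects destroy */
	int destroy;
	pthread_t tid;		/* event dispatch thread */
};
static void *fdset_event_dispatch(void *arg)
{
	struct fdset *pfdset = arg;
	struct epoll_event ev;
	while (1) {		/* the destroy flag is re-checked before every wait */
		pthread_mutex_lock(&pfdset->lock);
		int stop = pfdset->destroy;
		pthread_mutex_unlock(&pfdset->lock);
		if (stop)
			break;
		epoll_wait(pfdset->epfd, &ev, 1, 10);	/* timed wait: an assumption */
	}
	return NULL;
}
struct fdset *fdset_create(void)
{
	struct fdset *pfdset = calloc(1, sizeof(*pfdset));
	if (pfdset == NULL || (pfdset->epfd = epoll_create1(0)) < 0 ||
	    pthread_mutex_init(&pfdset->lock, NULL) != 0 ||
	    pthread_create(&pfdset->tid, NULL, fdset_event_dispatch, pfdset) != 0) {
		if (pfdset != NULL && pfdset->epfd >= 0)
			close(pfdset->epfd);
		free(pfdset);
		return NULL;
	}
	return pfdset;
}
/* The fix's ordering: flag under the lock, join, then free what the thread used. */
int fdset_destroy(struct fdset *pfdset)
{
	pthread_mutex_lock(&pfdset->lock);
	pfdset->destroy = 1;
	pthread_mutex_unlock(&pfdset->lock);
	if (pthread_join(pfdset->tid, NULL) != 0)
		return -1;	/* still running: freeing now would recreate the bug */
	close(pfdset->epfd);
	free(pfdset);
	return 0;
}
```

Without the join, free() could run while the dispatch thread is between its flag check and epoll_wait(), which is exactly the window the ASAN report caught.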