[PATCH] vhost: fix use-after-free race during cleanup
fengchengwen
fengchengwen at huawei.com
Tue Nov 4 10:32:53 CET 2025
On 11/4/2025 4:09 PM, Shani Peretz wrote:
> This commit fixes a use-after-free that causes the application
> to crash on shutdown (detected by ASAN).
>
> The vhost library uses a background event dispatch thread that monitors
> fds with epoll. It runs in an infinite loop, waiting for I/O events
> and calling callbacks when they occur.
>
> During cleanup, a race condition existed:
>
> Main Thread:                      Event Dispatch Thread:
> 1. Remove fds from fdset          while (1) {
> 2. Close file descriptors             epoll_wait() [gets interrupted]
> 3. Free fdset memory                  [continues loop]
> 4. Continue...                        Accesses fdset... CRASH
>                                   }
>
> The main thread would free the fdset memory while the background thread
> was still running and using it.
Who will free the fdset memory? I checked lib/vhost/socket.c and found there is no explicit free.
I think it may be the hugepage free, because the fdset uses rte_zmalloc(). If so, please explicitly
add it to the commit log.
>
> The code had a `destroy` flag that the event dispatch thread checked,
> but it was never set during cleanup, and the code never waited for
> the thread to actually exit before freeing memory.
>
> This commit implements `fdset_destroy()` that will set the destroy
> flag, wait for thread termination, and clean up all resources.
> The socket.c is updated to call fdset_destroy() when the last vhost-user
> socket is unregistered.
>
> Fixes: 0e38b42bf61c ("vhost: manage FD with epoll")
> Cc: stable at dpdk.org
>
> Signed-off-by: Shani Peretz <shperetz at nvidia.com>
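As an added illustration of the teardown ordering the commit message describes (set the destroy flag, wait for the dispatch thread to actually exit, and only then release the fdset), not code from this patch or from DPDK: `struct fdset`, `fdset_create()` and the eventfd used to interrupt `epoll_wait()` are simplified assumptions of my own, and only the ordering inside `fdset_destroy()` mirrors the fix.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/epoll.h>
#include <sys/eventfd.h>

struct fdset {                /* hypothetical minimal layout, not lib/vhost/fd_man.c */
	int epfd;             /* epoll instance the dispatch thread blocks in */
	int wake_fd;          /* eventfd written only by fdset_destroy() */
	atomic_int destroy;   /* set by fdset_destroy(), re-checked on every iteration */
	pthread_t tid;
};

static void *fdset_event_dispatch(void *arg)
{
	struct fdset *fs = arg;
	struct epoll_event ev;
	while (!atomic_load(&fs->destroy)) {
		/* EINTR or the wake-up eventfd: go round and re-check destroy before touching
		 * anything; for any other fd a real dispatcher would run its callback here. */
		if (epoll_wait(fs->epfd, &ev, 1, -1) < 1 || ev.data.fd == fs->wake_fd)
			continue;
	}
	return (void *)(intptr_t)1;   /* 1 = left the loop through the destroy check */
}

static struct fdset *fdset_create(void)
{
	struct fdset *fs = calloc(1, sizeof *fs);
	struct epoll_event ev = { .events = EPOLLIN };
	if (!fs) return NULL;
	fs->epfd = epoll_create1(EPOLL_CLOEXEC);
	ev.data.fd = fs->wake_fd = eventfd(0, EFD_CLOEXEC);
	if (fs->epfd < 0 || fs->wake_fd < 0 ||
	    epoll_ctl(fs->epfd, EPOLL_CTL_ADD, fs->wake_fd, &ev) < 0 ||
	    pthread_create(&fs->tid, NULL, fdset_event_dispatch, fs) != 0) {
		free(fs);
		return NULL;
	}
	return fs;
}

static int fdset_destroy(struct fdset *fs)   /* flag, wake, join, and only then free */
{
	uint64_t one = 1;
	void *ret = NULL;
	if (!fs) return -1;
	atomic_store(&fs->destroy, 1);                     /* 1. ask the thread to stop */
	if (write(fs->wake_fd, &one, sizeof one) != sizeof one)
		return -1;                                 /* 2. kick it out of epoll_wait() */
	pthread_join(fs->tid, &ret);                       /* 3. wait until it has really exited */
	close(fs->wake_fd); close(fs->epfd);               /* 4. now nothing else can touch fs */
	free(fs);
	return (intptr_t)ret == 1 ? 0 : -1;
}
```

Joining the thread before `free()` is what closes the window in the diagram above; the thread's return value lets `fdset_destroy()` confirm it left through the destroy check rather than some other path.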