> -----Original Message-----
> From: fengchengwen <[email protected]>
> Sent: Tuesday, 4 November 2025 11:33
> To: Shani Peretz <[email protected]>; [email protected]
> Cc: [email protected]; Maxime Coquelin <[email protected]>;
> Chenbo Xia <[email protected]>; David Marchand
> <[email protected]>
> Subject: Re: [PATCH] vhost: fix use-after-free race during cleanup
> 
> On 11/4/2025 4:09 PM, Shani Peretz wrote:
> > This commit fixes a use-after-free that causes the application to
> > crash on shutdown (detected by ASAN).
> >
> > The vhost library uses a background event dispatch thread that
> > monitors fds with epoll. It runs in an infinite loop, waiting for I/O
> > events and calling callbacks when they occur.
> >
> > During cleanup, a race condition existed:
> >
> >   Main Thread:                    Event Dispatch Thread:
> >   1. Remove fds from fdset        while (1) {
> >   2. Close file descriptors           epoll_wait() [gets interrupted]
> >   3. Free fdset memory                [continues loop]
> >   4. Continue...                      Accesses fdset...   CRASH
> >                                   }
> >
> > The main thread would free the fdset memory while the background
> > thread was still running and using it.
> 
> Who will free the fdset memory? I checked lib/vhost/socket.c and found there
> is no explicit free.
> 
> I think it may be the hugepage free, because the fdset uses rte_zmalloc(). If
> it is, please explicitly add that to the commit log.

Yes, you're right. I double-checked with a debugger and indeed the fdset memory
is freed when the hugepages are freed; I'll update the commit log.

> 
> >
> > The code had a `destroy` flag that the event dispatch thread checked,
> > but it was never set during cleanup, and the code never waited for the
> > thread to actually exit before freeing memory.
> >
> > This commit implements `fdset_destroy()` that will set the destroy
> > flag, wait for thread termination, and clean up all resources.
> > socket.c is updated to call fdset_destroy() when the last
> > vhost-user socket is unregistered.
> >
> > Fixes: 0e38b42bf61c ("vhost: manage FD with epoll")
> > Cc: [email protected]
> >
> > Signed-off-by: Shani Peretz <[email protected]>
> 

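The shutdown ordering the commit message describes (set the destroy flag, wait for the dispatch thread to exit, only then release the fdset) can be shown in a small stand-alone program. The following is an added example and not DPDK's code; the `struct fdset`, `fdset_create()`, `fdset_add()`, `fdset_destroy()` and `fdset_demo()` names, the eventfd used to kick the thread out of `epoll_wait()`, and the fixed-size entry table are all assumptions made for illustration. The point it demonstrates is the one the patch makes: freeing the memory before `pthread_join()` returns would hand the still-running loop a dangling pointer, exactly the use-after-free ASAN reports.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/epoll.h>
#include <sys/eventfd.h>

#define MAX_FDS 8
#define MAX_EVENTS 8

typedef void (*fd_cb_t)(int fd, void *ctx);
struct fdentry { int fd; fd_cb_t cb; void *ctx; };

/* Hypothetical fdset (not DPDK's struct): epoll instance, wake-up eventfd,
 * the destroy flag the dispatch thread polls, and the thread handle to join. */
struct fdset {
    int epfd, wakefd, num;
    atomic_bool destroy;
    pthread_t thread;
    struct fdentry entries[MAX_FDS];
};

static void *fdset_event_dispatch(void *arg)
{
    struct fdset *set = arg;
    struct epoll_event events[MAX_EVENTS];
    /* The flag is re-checked on every iteration, including after EINTR. */
    while (!atomic_load(&set->destroy)) {
        int n = epoll_wait(set->epfd, events, MAX_EVENTS, -1);
        if (n < 0) continue;
        for (int i = 0; i < n; i++) {
            struct fdentry *e = events[i].data.ptr;
            if (e == NULL) {            /* wake-up eventfd: drain it */
                uint64_t v;
                (void)read(set->wakefd, &v, sizeof(v));
            } else {
                e->cb(e->fd, e->ctx);   /* user callback for a real fd */
            }
        }
    }
    return NULL;
}

struct fdset *fdset_create(void)
{
    struct fdset *set = calloc(1, sizeof(*set));
    struct epoll_event ev = { .events = EPOLLIN, .data.ptr = NULL };
    if (set == NULL) return NULL;
    atomic_init(&set->destroy, false);
    set->epfd = epoll_create1(EPOLL_CLOEXEC);
    set->wakefd = eventfd(0, EFD_CLOEXEC | EFD_NONBLOCK);
    if (set->epfd < 0 || set->wakefd < 0 ||
        epoll_ctl(set->epfd, EPOLL_CTL_ADD, set->wakefd, &ev) < 0 ||
        pthread_create(&set->thread, NULL, fdset_event_dispatch, set) != 0) {
        if (set->epfd >= 0) close(set->epfd);
        if (set->wakefd >= 0) close(set->wakefd);
        free(set);
        return NULL;
    }
    return set;
}

int fdset_add(struct fdset *set, int fd, fd_cb_t cb, void *ctx)
{
    if (set->num >= MAX_FDS) return -1;
    struct fdentry *e = &set->entries[set->num];
    e->fd = fd; e->cb = cb; e->ctx = ctx;
    struct epoll_event ev = { .events = EPOLLIN, .data.ptr = e };
    if (epoll_ctl(set->epfd, EPOLL_CTL_ADD, fd, &ev) < 0) return -1;
    set->num++;
    return 0;
}

/* The ordering that closes the race: flag, wake, join, and only then
 * close the descriptors and free the memory the thread was using. */
int fdset_destroy(struct fdset *set)
{
    uint64_t one = 1;
    if (set == NULL) return -1;
    atomic_store(&set->destroy, true);
    if (write(set->wakefd, &one, sizeof(one)) != (ssize_t)sizeof(one)) return -1;
    if (pthread_join(set->thread, NULL) != 0) return -1;
    close(set->epfd);
    close(set->wakefd);
    free(set);                 /* safe: the dispatch thread has exited */
    return 0;
}

/* Demo callback: count bytes delivered on a pipe (constructed input). */
static void count_cb(int fd, void *ctx)
{
    char buf[16];
    ssize_t n = read(fd, buf, sizeof(buf));
    if (n > 0) atomic_fetch_add((atomic_int *)ctx, (int)n);
}

/* Dispatch one byte through a pipe, then shut down cleanly.
 * Returns bytes seen by the callback (1 on success) or -1 on failure. */
int fdset_demo(void)
{
    atomic_int seen = 0;
    int p[2];
    if (pipe(p) < 0) return -1;
    struct fdset *set = fdset_create();
    if (set == NULL || fdset_add(set, p[0], count_cb, &seen) < 0) return -1;
    (void)write(p[1], "x", 1);
    for (int i = 0; i < 1000 && atomic_load(&seen) == 0; i++) usleep(1000);
    int rc = fdset_destroy(set);
    close(p[0]); close(p[1]);
    return rc == 0 ? atomic_load(&seen) : -1;
}
```

Reordering `fdset_destroy()` so that `free(set)` runs before `pthread_join()` reproduces the bug the patch fixes: under ASAN the dispatch loop's next `atomic_load(&set->destroy)` is reported as a heap-use-after-free. The eventfd is needed because a thread blocked in `epoll_wait()` with an infinite timeout would otherwise never observe the flag.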