Hi Shani,

Thanks for the fix, more comments below:

On Tue, Nov 4, 2025 at 10:50 AM fengchengwen <[email protected]> wrote:
>
> On 11/4/2025 4:09 PM, Shani Peretz wrote:
> > This commit fixes a use-after-free that causes the application
> > to crash on shutdown (detected by ASAN).
> >
> > The vhost library uses a background event dispatch thread that monitors
> > fds with epoll. It runs in an infinite loop, waiting for I/O events
> > and calling callbacks when they occur.
> >
> > During cleanup, a race condition existed:
> >
> > Main Thread:                  Event Dispatch Thread:
> > 1. Remove fds from fdset      while (1) {
> > 2. Close file descriptors         epoll_wait() [gets interrupted]
> > 3. Free fdset memory              [continues loop]
> > 4. Continue...                    Accesses fdset... CRASH
> >                               }
> >
> > The main thread would free the fdset memory while the background thread
> > was still running and using it.
>
> Who will free fdset memory? I check the lib/vhost/socket.c and found there
> are no explicit free.
>
> I think it may be the hugepage free because the fdset use rte_zmalloc(). If
> it's, please explicitly add it into the commit log.

I agree with Feng, it would be good to provide more information on who
is freeing the memory.

> >
> > The code had a `destroy` flag that the event dispatch thread checked,
> > but it was never set during cleanup, and the code never waited for
> > the thread to actually exit before freeing memory.
> >
> > This commit implements `fdset_destroy()` that will set the destroy
> > flag, wait for thread termination, and clean up all resources.
> > The socket.c is updated to call fdset_destroy() when the last vhost-user
> > socket is unregistered.
> >
> > Fixes: 0e38b42bf61c ("vhost: manage FD with epoll")
> > Cc: [email protected]
> >
> > Signed-off-by: Shani Peretz <[email protected]>
> >

We also need to call fdset_destroy in vduse_device_destroy() if it is
destroying the last VDUSE device. We might need to add a counter to
struct vduse to know whether this is the last device.

Other than that, the patch looks good to me.

Thanks, Maxime
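
The teardown ordering discussed in this thread (set the destroy flag, wait for the dispatch thread to exit, only then free), together with a last-user counter, as an added example that is not part of the original message and not DPDK's code. `demo_fdset`, `demo_fdset_init()`, `demo_fdset_get()` and `demo_fdset_put()` are hypothetical names, and `poll()` on a pipe stands in for the library's epoll loop.

```c
#include <poll.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <unistd.h>

struct demo_fdset {          /* hypothetical stand-in, not DPDK's struct */
    pthread_t tid;
    atomic_int destroy;      /* checked by the dispatch loop */
    int wake[2];             /* pipe used to interrupt poll() */
    int users;               /* registered sockets/devices; caller serializes */
};

static void *demo_dispatch(void *arg)
{
    struct demo_fdset *fs = arg;
    struct pollfd pfd = { .fd = fs->wake[0], .events = POLLIN };
    while (!atomic_load(&fs->destroy))
        poll(&pfd, 1, 100);  /* each iteration dereferences fs */
    return NULL;
}

struct demo_fdset *demo_fdset_init(void)
{
    struct demo_fdset *fs = calloc(1, sizeof(*fs));
    if (fs != NULL && pipe(fs->wake) == 0) {
        fs->users = 1;
        if (pthread_create(&fs->tid, NULL, demo_dispatch, fs) == 0)
            return fs;
        close(fs->wake[0]); close(fs->wake[1]);
    }
    free(fs);
    return NULL;
}

void demo_fdset_get(struct demo_fdset *fs) { fs->users++; }

/* Drop one user; returns 1 if it was the last and the fdset was freed. */
int demo_fdset_put(struct demo_fdset *fs)
{
    if (--fs->users > 0)
        return 0;                              /* others still rely on the thread */
    atomic_store(&fs->destroy, 1);             /* 1. ask the loop to stop */
    if (write(fs->wake[1], "x", 1) != 1) { /* 2. wake poll(); its timeout is the fallback */ }
    pthread_join(fs->tid, NULL);               /* 3. wait until the thread has exited */
    close(fs->wake[0]); close(fs->wake[1]);    /* 4. only now release resources */
    free(fs);
    return 1;
}
```

Running this under ASAN with step 3 removed reproduces the class of report described in the commit message, since the loop can touch `fs` after `free()`.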

