From: Stephen Hemminger <stephen@networkplumber.org>
To: Yehor Malikov <malikovyehor@gmail.com>
Cc: dev@dpdk.org, maxime.coquelin@redhat.com, chenbox@nvidia.com,
Yehor Malikov <Yehor.Malikov@solidigm.com>
Subject: Re: [PATCH v6] vhost: fix use-after-free in fdset during shutdown
Date: Wed, 4 Feb 2026 17:17:19 -0800 [thread overview]
Message-ID: <20260204171719.347924a1@phoenix.local> (raw)
In-Reply-To: <20260204230502.24983-1-malikovyehor@gmail.com>
On Thu, 5 Feb 2026 00:05:02 +0100
Yehor Malikov <malikovyehor@gmail.com> wrote:
> From: Yehor Malikov <Yehor.Malikov@solidigm.com>
>
> The fdset_event_dispatch thread runs in a loop checking the destroy
> flag after each epoll_wait iteration. During process exit,
> rte_eal_cleanup() frees hugepages memory while the fdset thread is
> still running, causing use-after-free when accessing the fdset
> structure.
>
> Add fdset_deinit() function to stop the dispatch thread by setting
> the destroy flag and waiting for thread completion. Resource cleanup
> (epoll fd, fdsets array, memory) is intentionally skipped since the
> function is only called during process exit when the OS will reclaim
> all resources anyway, avoiding potential deadlocks from mutex
> operations in destructor context.
>
> Use symmetric RTE_FINI destructors for both vhost-user and VDUSE fdsets
> to ensure proper cleanup before EAL teardown.
>
> Fixes: e68a6feaa3b3 ("vhost: improve fdset initialization")
>
> Signed-off-by: Yehor Malikov <Yehor.Malikov@solidigm.com>
I understand why this is important but not sure if it will work as
you expect. I asked AI to help give a better explanation (so don't trust it
to be right).
Good question. Yes, there are potential concerns:
**RTE_FINI ordering is undefined.** There's no guarantee about the order destructors run relative to each other or to EAL cleanup. The commit message says the goal is to stop the fdset thread "before EAL teardown" but `RTE_FINI` doesn't actually guarantee that - it just registers an `__attribute__((destructor))` function.
**Possible scenarios:**
1. **EAL cleanup runs first** - If `rte_eal_cleanup()` frees hugepages before the `RTE_FINI` destructor runs, we're back to the original bug. The destructor would then call `fdset_deinit()` on already-freed memory.
2. **Destructor runs during active vhost operations** - If the application is still doing vhost work when exit starts, the destructor could stop the dispatch thread while callbacks are expected to run. The `busy` flag helps with `fdset_del()` synchronization, but abrupt thread termination during shutdown could leave things inconsistent.
3. **Fork concerns** - After `fork()`, the child has the same destructor registered but the dispatch thread doesn't exist in the child (threads aren't inherited). `rte_thread_join()` on an invalid/non-existent thread ID could behave unexpectedly.
**What would be more robust:**
The proper fix would be to integrate with EAL cleanup directly - register a callback via `rte_eal_cleanup_register()` (if that exists) or have vhost explicitly clean up its fdsets in a documented shutdown sequence before `rte_eal_cleanup()` is called, rather than relying on destructor ordering.
Worth raising with the author: has this been tested with different linking scenarios (static vs dynamic) and confirmed the destructor actually runs before EAL teardown in practice?
next prev parent reply other threads:[~2026-02-05 1:17 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-04 18:03 [PATCH] vhost: fix use-after-free in fdset during shutdown Yehor Malikov
2026-02-04 18:48 ` [PATCH v2] " malikovyehor
2026-02-04 18:58 ` [PATCH v3] " Yehor Malikov
2026-02-04 20:34 ` Stephen Hemminger
2026-02-04 21:32 ` Yehor Malikov
2026-02-04 21:35 ` [PATCH v4] " Yehor Malikov
2026-02-04 22:00 ` [PATCH v5] " Yehor Malikov
2026-02-04 23:05 ` [PATCH v6] " Yehor Malikov
2026-02-05 1:17 ` Stephen Hemminger [this message]
2026-02-05 11:16 ` [PATCH v7] " Yehor Malikov
2026-02-05 11:20 ` Yehor Malikov
2026-02-05 18:30 ` [PATCH v8] " Yehor Malikov
2026-02-05 18:35 ` [PATCH v9] " Yehor Malikov
2026-02-16 10:17 ` Yehor Malikov
2026-02-17 14:31 ` David Marchand
2026-02-18 7:50 ` [PATCH v10] " Yehor Malikov
2026-02-18 8:01 ` [PATCH v11] " Yehor Malikov
2026-02-18 8:52 ` David Marchand
2026-02-18 9:05 ` [PATCH v12] " Yehor Malikov
2026-02-18 10:27 ` David Marchand
2026-02-27 9:00 ` fengchengwen
2026-03-05 10:50 ` Maxime Coquelin
2026-03-05 13:52 ` Maxime Coquelin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260204171719.347924a1@phoenix.local \
--to=stephen@networkplumber.org \
--cc=Yehor.Malikov@solidigm.com \
--cc=chenbox@nvidia.com \
--cc=dev@dpdk.org \
--cc=malikovyehor@gmail.com \
--cc=maxime.coquelin@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.