--- x/drivers/vhost/vsock.c
+++ y/drivers/vhost/vsock.c
@@ -55,6 +55,7 @@ struct vhost_vsock {
 	struct list_head send_pkt_list;	/* host->guest pending packets */
 
 	atomic_t queued_replies;
+	int cleanup;
 
 	u32 guest_cid;
 	bool seqpacket_allow;
@@ -262,6 +263,9 @@ vhost_transport_do_send_pkt(struct vhost
 out:
 	mutex_unlock(&vq->mutex);
 
+	if (vsock->cleanup)
+		return;
+
 	if (restart_tx)
 		vhost_poll_queue(&tx_vq->poll);
 }
@@ -678,6 +682,7 @@ static int vhost_vsock_dev_open(struct i
 	}
 
 	vsock->guest_cid = 0; /* no CID assigned yet */
+	vsock->cleanup = 0;
 
 	atomic_set(&vsock->queued_replies, 0);
 
@@ -741,6 +746,8 @@ static int vhost_vsock_dev_release(struc
 {
 	struct vhost_vsock *vsock = file->private_data;
 
+	vsock->cleanup = 1;
+
 	mutex_lock(&vhost_vsock_mutex);
 	if (vsock->guest_cid)
 		hash_del_rcu(&vsock->hash);
--- x/drivers/vhost/vhost.c
+++ y/drivers/vhost/vhost.c
@@ -692,6 +692,10 @@ void vhost_dev_cleanup(struct vhost_dev
 {
 	int i;
 
+	wake_up_interruptible_poll(&dev->wait, EPOLLIN | EPOLLRDNORM);
+	vhost_dev_stop(dev);
+	vhost_work_dev_flush(dev);
+
 	for (i = 0; i < dev->nvqs; ++i) {
 		if (dev->vqs[i]->error_ctx)
 			eventfd_ctx_put(dev->vqs[i]->error_ctx);
@@ -711,7 +715,6 @@ void vhost_dev_cleanup(struct vhost_dev
 	vhost_iotlb_free(dev->iotlb);
 	dev->iotlb = NULL;
 	vhost_clear_msg(dev);
-	wake_up_interruptible_poll(&dev->wait, EPOLLIN | EPOLLRDNORM);
 	WARN_ON(!llist_empty(&dev->work_list));
 	if (dev->worker) {
 		kthread_stop(dev->worker);