[PATCH v12] vhost: fix use-after-free in fdset during shutdown

Maxime Coquelin maxime.coquelin at redhat.com
Thu Mar 5 11:50:53 CET 2026


On Wed, Feb 18, 2026 at 10:05 AM Yehor Malikov <malikovyehor at gmail.com> wrote:
>
> From: Yehor Malikov <Yehor.Malikov at solidigm.com>
>
> The fdset_event_dispatch thread runs in a loop checking the destroy
> flag after each epoll_wait iteration. During process exit,
> rte_eal_cleanup() frees hugepage memory while the fdset thread is
> still running. Since the fdset structure was allocated with
> rte_zmalloc() (hugepage-backed), accessing it after rte_eal_cleanup()
> causes use-after-free.
>
> Switch fdset allocation from rte_zmalloc/rte_free to libc
> calloc/free. The fdset is a control-path structure that does not
> need hugepage memory. Using libc allocation ensures the fdset
> remains valid after rte_eal_cleanup() releases hugepages.
>
> Fixes: e68a6feaa3b3 ("vhost: improve fdset initialization")
>
> Signed-off-by: Yehor Malikov <Yehor.Malikov at solidigm.com>
> ---
>  .mailmap           | 1 +
>  lib/vhost/fd_man.c | 6 +++---
>  2 files changed, 4 insertions(+), 3 deletions(-)
>

Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>

Thanks,
Maxime
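For readers who want to see the lifetime problem the patch describes in isolation: the C program below is an added illustration, not code from the patch or from DPDK. It models the hugepage region released by rte_eal_cleanup() as a plain mmap() arena (constructed for this example), runs a dispatch thread that re-checks a destroy flag after each wait (poll() with a timeout stands in for epoll_wait()), tears the arena down while the thread is still running, and then still touches the control structure safely because it was allocated with calloc() rather than from the arena. All function and field names (arena_init, fdset_create, run_shutdown_demo, wake, iterations) are assumptions for this example.

```c
#define _GNU_SOURCE
#include <poll.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Simulated hugepage arena standing in for rte_zmalloc()'s backing memory
 * (constructed for this example; not DPDK's allocator). */
#define ARENA_SIZE (1u << 20)
static char *arena;

static int arena_init(void)
{
    arena = mmap(NULL, ARENA_SIZE, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return arena == MAP_FAILED ? -1 : 0;
}

/* Stand-in for rte_eal_cleanup(): the whole arena disappears at once,
 * regardless of which threads still hold pointers into it. */
static void arena_cleanup(void)
{
    munmap(arena, ARENA_SIZE);
    arena = NULL;
}

/* 1 if ptr lives inside the arena, i.e. would die with arena_cleanup(). */
static int ptr_in_arena(const void *ptr)
{
    uintptr_t p = (uintptr_t)ptr, base = (uintptr_t)arena;
    return arena != NULL && p >= base && p < base + ARENA_SIZE;
}

struct fdset {
    atomic_int destroy;          /* set by the shutdown path */
    int wake[2];                 /* pipe used to kick the dispatch loop */
    atomic_ulong iterations;     /* loop count, for inspection */
    pthread_t tid;
};

/* Dispatch loop: wait for activity, then re-check the destroy flag,
 * the same pattern as fdset_event_dispatch around epoll_wait(). */
static void *fdset_event_dispatch(void *arg)
{
    struct fdset *fs = arg;
    struct pollfd pfd = { .fd = fs->wake[0], .events = POLLIN };

    while (!fs->destroy) {
        poll(&pfd, 1, 10);       /* 10 ms timeout stands in for epoll_wait() */
        fs->iterations++;        /* the access that must not hit freed memory */
    }
    return NULL;
}

/* Control-path object allocated from libc, so it outlives arena_cleanup(). */
static struct fdset *fdset_create(void)
{
    struct fdset *fs = calloc(1, sizeof(*fs));
    if (fs == NULL || pipe(fs->wake) != 0) {
        free(fs);
        return NULL;
    }
    if (pthread_create(&fs->tid, NULL, fdset_event_dispatch, fs) != 0) {
        close(fs->wake[0]);
        close(fs->wake[1]);
        free(fs);
        return NULL;
    }
    return fs;
}

/* Stop the thread first, then release what it was touching. */
static void fdset_destroy(struct fdset *fs)
{
    char b = 0;
    fs->destroy = 1;
    (void)!write(fs->wake[1], &b, 1);   /* wake the loop immediately */
    pthread_join(fs->tid, NULL);
    close(fs->wake[0]);
    close(fs->wake[1]);
    free(fs);
}

/* Runs the shutdown sequence. Returns the loop count observed AFTER the
 * arena was torn down, -1 on setup failure, -2 if the fdset had been
 * placed in the arena (which would make that read a use-after-free). */
static long run_shutdown_demo(void)
{
    if (arena_init() != 0)
        return -1;
    struct fdset *fs = fdset_create();
    if (fs == NULL) {
        arena_cleanup();
        return -1;
    }
    int in_arena = ptr_in_arena(fs);    /* 0: fdset is libc memory */
    usleep(30000);                      /* let the loop run a few times */
    arena_cleanup();                    /* the "rte_eal_cleanup()" moment */
    long iters = (long)fs->iterations;  /* safe only because of calloc() */
    fdset_destroy(fs);
    return in_arena ? -2 : iters;
}

int main(void)
{
    printf("dispatch iterations seen after arena teardown: %ld\n",
           run_shutdown_demo());
    return 0;
}
```

Had fdset_create() carved the structure out of the arena instead, the dispatch thread's `fs->iterations++` and the read in run_shutdown_demo() would both land in unmapped memory after arena_cleanup(); with the libc allocation the structure stays valid until fdset_destroy() has joined the thread.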


