[PATCH v12] vhost: fix use-after-free in fdset during shutdown
Maxime Coquelin
maxime.coquelin at redhat.com
Thu Mar 5 14:52:56 CET 2026
Applied to next-virtio/for-next-net.
Please note that I had to solve a trivial build issue due to another
patch from Shani I applied just before.
Feel free to check my branch to confirm this is OK for you.
Thanks,
Maxime
On Thu, Mar 5, 2026 at 11:50 AM Maxime Coquelin
<maxime.coquelin at redhat.com> wrote:
>
> On Wed, Feb 18, 2026 at 10:05 AM Yehor Malikov <malikovyehor at gmail.com> wrote:
> >
> > From: Yehor Malikov <Yehor.Malikov at solidigm.com>
> >
> > The fdset_event_dispatch thread runs in a loop checking the destroy
> > flag after each epoll_wait iteration. During process exit,
> > rte_eal_cleanup() frees hugepage memory while the fdset thread is
> > still running. Since the fdset structure was allocated with
> > rte_zmalloc() (hugepage-backed), accessing it after rte_eal_cleanup()
> > causes use-after-free.
> >
> > Switch fdset allocation from rte_zmalloc/rte_free to libc
> > calloc/free. The fdset is a control-path structure that does not
> > need hugepage memory. Using libc allocation ensures the fdset
> > remains valid after rte_eal_cleanup() releases hugepages.
> >
> > Fixes: e68a6feaa3b3 ("vhost: improve fdset initialization")
> >
> > Signed-off-by: Yehor Malikov <Yehor.Malikov at solidigm.com>
> > ---
> > .mailmap | 1 +
> > lib/vhost/fd_man.c | 6 +++---
> > 2 files changed, 4 insertions(+), 3 deletions(-)
> >
>
> Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
>
> Thanks,
> Maxime
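The shutdown ordering from the commit message, as an added model that is not code from the patch or from DPDK: `struct arena`, `model_fdset` and `shutdown_stale_reads` are hypothetical names, and the arena stands in for hugepage memory. Its release is only flagged, with the real `free()` deferred until after the join, so the demonstration itself never touches freed memory.

```c
#include <poll.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for hugepage-backed EAL memory; not the DPDK API. */
struct arena { char *base; size_t len; atomic_bool released; };
/* Hypothetical model of the fdset: only the flag the dispatch loop polls. */
struct model_fdset { atomic_bool destroy; };
struct ctx { struct model_fdset *fs; struct arena *eal; int stale_reads; };

/* True when p lies inside the arena and the arena has been released. */
static bool in_released(struct arena *a, const void *p)
{
    uintptr_t lo = (uintptr_t)a->base, x = (uintptr_t)p;
    return atomic_load(&a->released) && x >= lo && x < lo + a->len;
}

static void *dispatch(void *arg)
{
    struct ctx *c = arg;
    for (;;) {
        poll(NULL, 0, 1);                      /* stands in for epoll_wait() */
        bool stop = atomic_load(&c->fs->destroy);
        if (in_released(c->eal, c->fs))
            c->stale_reads++;                  /* real code: use-after-free */
        if (stop) break;
    }
    return NULL;
}

/* Returns how many flag reads hit memory that cleanup had already released. */
static int shutdown_stale_reads(bool hugepage_backed)
{
    struct arena eal = { .base = calloc(1, 4096), .len = 4096 };
    struct model_fdset *fs = hugepage_backed ? (void *)eal.base : calloc(1, sizeof(*fs));
    struct ctx c = { fs, &eal, 0 };
    pthread_t t;
    pthread_create(&t, NULL, dispatch, &c);
    atomic_store(&eal.released, true);  /* models rte_eal_cleanup(); free deferred */
    poll(NULL, 0, 20);                  /* thread is still looping during exit */
    atomic_store(&fs->destroy, true);
    pthread_join(t, NULL);
    if (!hugepage_backed) free(fs);
    free(eal.base);
    return c.stale_reads;
}
```

Build with `-pthread`. The arena-backed case reports at least one stale read, while the libc-backed case reports none because its memory is outside what the modelled cleanup releases.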