patch 'vhost: fix use-after-free fdset during shutdown' has been queued to stable release 25.11.1
Kevin Traynor
ktraynor at redhat.com
Thu Mar 19 11:02:35 CET 2026
Hi,
FYI, your patch has been queued to stable release 25.11.1
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/23/26. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable
This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/9ca80a829bd3b2764690716e323324250e9f7683
Thanks.
Kevin
---
>From 9ca80a829bd3b2764690716e323324250e9f7683 Mon Sep 17 00:00:00 2001
From: Yehor Malikov <yehor.malikov at solidigm.com>
Date: Wed, 18 Feb 2026 10:05:40 +0100
Subject: [PATCH] vhost: fix use-after-free fdset during shutdown
[ upstream commit 21d9fb6badad050cfee7c5d879d5e2190ad01648 ]
The fdset_event_dispatch thread runs in a loop checking the destroy
flag after each epoll_wait iteration. During process exit,
rte_eal_cleanup() frees hugepage memory while the fdset thread is
still running. Since the fdset structure was allocated with
rte_zmalloc() (hugepage-backed), accessing it after rte_eal_cleanup()
causes use-after-free.
Switch fdset allocation from rte_zmalloc/rte_free to libc
calloc/free. The fdset is a control-path structure that does not
need hugepage memory. Using libc allocation ensures the fdset
remains valid after rte_eal_cleanup() releases hugepages.
Fixes: e68a6feaa3b3 ("vhost: improve fdset initialization")
Signed-off-by: Yehor Malikov <yehor.malikov at solidigm.com>
Acked-by: David Marchand <david.marchand at redhat.com>
Acked-by: Chengwen Feng <fengchengwen at huawei.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
---
.mailmap | 1 +
lib/vhost/fd_man.c | 8 ++++----
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/.mailmap b/.mailmap
index 0a136fe444..8f8f17593b 100644
--- a/.mailmap
+++ b/.mailmap
@@ -1845,4 +1845,5 @@ Yaroslav Brustinov <ybrustin at cisco.com>
Yash Sharma <ysharma at marvell.com>
Yasufumi Ogawa <ogawa.yasufumi at lab.ntt.co.jp> <yasufum.o at gmail.com>
+Yehor Malikov <yehor.malikov at solidigm.com>
Yelena Krivosheev <yelena at marvell.com>
Yerden Zhumabekov <e_zhumabekov at sts.kz> <yerden.zhumabekov at sts.kz>
diff --git a/lib/vhost/fd_man.c b/lib/vhost/fd_man.c
index b4597dec75..f898836c54 100644
--- a/lib/vhost/fd_man.c
+++ b/lib/vhost/fd_man.c
@@ -5,4 +5,5 @@
#include <errno.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <sys/epoll.h>
@@ -11,5 +12,4 @@
#include <rte_common.h>
#include <rte_log.h>
-#include <rte_malloc.h>
#include <rte_string_fns.h>
#include <rte_thread.h>
@@ -95,5 +95,5 @@ fdset_init(const char *name)
}
- fdset = rte_zmalloc(NULL, sizeof(*fdset), 0);
+ fdset = calloc(1, sizeof(*fdset));
if (!fdset) {
VHOST_FDMAN_LOG(ERR, "failed to alloc fdset %s", name);
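Review bot: the calloc() call in fdset_init() carries no comment saying why libc memory is used here instead of rte_zmalloc(), so a later cleanup could switch it back and reintroduce the access after rte_eal_cleanup() that the commit message describes. Suggest a one-line comment above the allocation stating that the fdset must remain valid after rte_eal_cleanup() releases hugepages and therefore must not be hugepage-backed.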
@@ -143,5 +143,5 @@ err_epoll:
close(fdset->epfd);
err_free:
- rte_free(fdset);
+ free(fdset);
err_unlock:
pthread_mutex_unlock(&fdsets_mutex);
@@ -435,4 +435,4 @@ fdset_destroy(struct fdset *pfdset)
/* Free the fdset structure */
- rte_free(pfdset);
+ free(pfdset);
}
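Review bot: the free(pfdset) in fdset_destroy() is only safe once the dispatch thread has stopped touching the structure, and this hunk does not show a join or any other wait before the free. The commit message describes that thread as still looping and checking the destroy flag after each epoll_wait iteration; with libc memory, a late access after this line would be a heap use-after-free instead of an access to released hugepage memory. Please confirm that the code above this line in fdset_destroy() waits for the thread to exit, or add that wait.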
--
2.53.0
---
Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- - 2026-03-19 10:01:08.215763511 +0000
+++ 0037-vhost-fix-use-after-free-fdset-during-shutdown.patch 2026-03-19 10:01:07.105331261 +0000
@@ -1 +1 @@
-From 21d9fb6badad050cfee7c5d879d5e2190ad01648 Mon Sep 17 00:00:00 2001
+From 9ca80a829bd3b2764690716e323324250e9f7683 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 21d9fb6badad050cfee7c5d879d5e2190ad01648 ]
+
@@ -19 +20,0 @@
-Cc: stable at dpdk.org
@@ -31 +32 @@
-index accbb29827..4c64131628 100644
+index 0a136fe444..8f8f17593b 100644
@@ -34 +35 @@
-@@ -1849,4 +1849,5 @@ Yaroslav Brustinov <ybrustin at cisco.com>
+@@ -1845,4 +1845,5 @@ Yaroslav Brustinov <ybrustin at cisco.com>