patch 'vhost: fix use-after-free fdset during shutdown' has been queued to stable release 24.11.5
luca.boccassi at gmail.com
Thu Mar 19 23:02:17 CET 2026
Hi,
FYI, your patch has been queued to stable release 24.11.5
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/21/26. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable
This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/c2043db59a1b4cca314061f60d922d29d4e34881
Thanks.
Luca Boccassi
---
From c2043db59a1b4cca314061f60d922d29d4e34881 Mon Sep 17 00:00:00 2001
From: Yehor Malikov <yehor.malikov at solidigm.com>
Date: Wed, 18 Feb 2026 10:05:40 +0100
Subject: [PATCH] vhost: fix use-after-free fdset during shutdown
[ upstream commit 21d9fb6badad050cfee7c5d879d5e2190ad01648 ]
The fdset_event_dispatch thread runs in a loop checking the destroy
flag after each epoll_wait iteration. During process exit,
rte_eal_cleanup() frees hugepage memory while the fdset thread is
still running. Since the fdset structure was allocated with
rte_zmalloc() (hugepage-backed), accessing it after rte_eal_cleanup()
causes use-after-free.
Switch fdset allocation from rte_zmalloc/rte_free to libc
calloc/free. The fdset is a control-path structure that does not
need hugepage memory. Using libc allocation ensures the fdset
remains valid after rte_eal_cleanup() releases hugepages.
Fixes: e68a6feaa3b3 ("vhost: improve fdset initialization")
Signed-off-by: Yehor Malikov <yehor.malikov at solidigm.com>
Acked-by: David Marchand <david.marchand at redhat.com>
Acked-by: Chengwen Feng <fengchengwen at huawei.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
---
.mailmap | 1 +
lib/vhost/fd_man.c | 8 ++++----
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/.mailmap b/.mailmap
index 34e86111c0..ba268411d5 100644
--- a/.mailmap
+++ b/.mailmap
@@ -1775,6 +1775,7 @@ Yaron Illouz <yaroni at radcom.com>
Yaroslav Brustinov <ybrustin at cisco.com>
Yash Sharma <ysharma at marvell.com>
Yasufumi Ogawa <ogawa.yasufumi at lab.ntt.co.jp> <yasufum.o at gmail.com>
+Yehor Malikov <yehor.malikov at solidigm.com>
Yelena Krivosheev <yelena at marvell.com>
Yerden Zhumabekov <e_zhumabekov at sts.kz> <yerden.zhumabekov at sts.kz>
Yevgeny Kliteynik <kliteyn at nvidia.com>
diff --git a/lib/vhost/fd_man.c b/lib/vhost/fd_man.c
index b4597dec75..f898836c54 100644
--- a/lib/vhost/fd_man.c
+++ b/lib/vhost/fd_man.c
@@ -4,13 +4,13 @@
#include <errno.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <sys/epoll.h>
#include <unistd.h>
#include <rte_common.h>
#include <rte_log.h>
-#include <rte_malloc.h>
#include <rte_string_fns.h>
#include <rte_thread.h>
@@ -94,7 +94,7 @@ fdset_init(const char *name)
return fdset;
}
- fdset = rte_zmalloc(NULL, sizeof(*fdset), 0);
+ fdset = calloc(1, sizeof(*fdset));
if (!fdset) {
VHOST_FDMAN_LOG(ERR, "failed to alloc fdset %s", name);
goto err_unlock;
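Review bot: The calloc() call in fdset_init() has no comment explaining why this one structure is deliberately kept off the DPDK heap. The reason (the dispatch thread can still read the fdset after rte_eal_cleanup() has released hugepages) is recorded only in the commit message, so a later cleanup could reasonably convert the call back to rte_zmalloc() and reintroduce the use-after-free. Suggest a short comment above `fdset = calloc(1, sizeof(*fdset));` stating that the fdset must outlive rte_eal_cleanup().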
@@ -142,7 +142,7 @@ err_thread:
err_epoll:
close(fdset->epfd);
err_free:
- rte_free(fdset);
+ free(fdset);
err_unlock:
pthread_mutex_unlock(&fdsets_mutex);
@@ -434,5 +434,5 @@ fdset_destroy(struct fdset *pfdset)
pthread_mutex_unlock(&fdsets_mutex);
/* Free the fdset structure */
- rte_free(pfdset);
+ free(pfdset);
}
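Review bot: In fdset_destroy(), free(pfdset) runs after fdsets_mutex has been released, and nothing visible in this hunk shows the dispatch thread being stopped or joined first. Moving to libc memory keeps the fdset valid past rte_eal_cleanup(), but it does not by itself order this free() against a dispatch loop that is still checking the destroy flag after epoll_wait. Please confirm that the earlier part of fdset_destroy() joins the thread before this point, or extend the "Free the fdset structure" comment to say what guarantees the thread is gone.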
--
2.47.3
---
Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- - 2026-03-19 22:00:48.731164590 +0000
+++ 0025-vhost-fix-use-after-free-fdset-during-shutdown.patch 2026-03-19 22:00:47.802359368 +0000
@@ -1 +1 @@
-From 21d9fb6badad050cfee7c5d879d5e2190ad01648 Mon Sep 17 00:00:00 2001
+From c2043db59a1b4cca314061f60d922d29d4e34881 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 21d9fb6badad050cfee7c5d879d5e2190ad01648 ]
+
@@ -19 +20,0 @@
-Cc: stable at dpdk.org
@@ -31 +32 @@
-index accbb29827..4c64131628 100644
+index 34e86111c0..ba268411d5 100644
@@ -34 +35 @@
-@@ -1848,6 +1848,7 @@ Yaron Illouz <yaroni at radcom.com>
+@@ -1775,6 +1775,7 @@ Yaron Illouz <yaroni at radcom.com>