Hello,
On Wed, 18 Feb 2026 at 09:02, Yehor Malikov <[email protected]> wrote:
>
> From: Yehor Malikov <[email protected]>
>
> The fdset_event_dispatch thread runs in a loop checking the destroy
> flag after each epoll_wait iteration. During process exit,
> rte_eal_cleanup() frees hugepage memory while the fdset thread is
> still running. Since the fdset structure was allocated with
> rte_zmalloc() (hugepage-backed), accessing it after rte_eal_cleanup()
> causes use-after-free.
>
> Switch fdset allocation from rte_zmalloc/rte_free to libc
> calloc/free. The fdset is a control-path structure that does not
> need hugepage memory. Using libc allocation ensures the fdset
> remains valid after rte_eal_cleanup() releases hugepages.
>
> Fixes: e68a6feaa3b3 ("vhost: improve fdset initialization")
>
> Signed-off-by: Yehor Malikov <[email protected]>
On the principle, the fix lgtm and deserves being backported.
The commit e68a6feaa3b3 ("vhost: improve fdset initialization") has
been there since v24.07.
Is this something that you hit easily?
> diff --git a/lib/vhost/fd_man.c b/lib/vhost/fd_man.c
> index f9147edee7..fae6d787b6 100644
> --- a/lib/vhost/fd_man.c
> +++ b/lib/vhost/fd_man.c
> @@ -8,9 +8,10 @@
> #include <sys/epoll.h>
> #include <unistd.h>
>
> +#include <stdlib.h>
> +
Nit: this can be fixed when applying; the stdlib.h header include can go
in the first block with the other libc includes.
--
David Marchand