From 878f9261432c272bdc8468b7aa3889e0ded5fa02 Mon Sep 17 00:00:00 2001
From: Paul Ponchon <pponchon@cisco.com>
Date: Fri, 3 Oct 2025 16:23:10 +0200
Subject: [PATCH] vppinfra: add CLOEXEC flag to memfd create calls

This commit adds a MFD_CLOEXEC flag to avoid memory leaks through child process
when VPP crashes.

Type: fix
Change-Id: Icd155102884f6e96bbe62149cc07f7cbfca77854
Signed-off-by: Paul Ponchon <pponchon@cisco.com>
---
 src/vppinfra/linux/mem.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/vppinfra/linux/mem.c b/src/vppinfra/linux/mem.c
index 651ea107b4d..bc7e0470dc1 100644
--- a/src/vppinfra/linux/mem.c
+++ b/src/vppinfra/linux/mem.c
@@ -248,6 +248,10 @@ clib_mem_vm_create_fd (clib_mem_page_sz_t log2_page_size, char *fmt, ...)
       memfd_flags = MFD_HUGETLB | log2_page_size << MFD_HUGE_SHIFT;
     }
 
+  /* Set FD_CLOEXEC flag on memory file descriptor, such that mapped memory
+   * doesn't leak through child processes if VPP crashes. */
+  memfd_flags |= MFD_CLOEXEC;
+
   va_start (va, fmt);
   s = va_format (0, fmt, &va);
   va_end (va);
-- 
2.16.6