vlib: crash in linux_epoll_input_inline for accessing free file index [VPP-1412]

[vpp.git] / src / vlib / unix / input.c

diff --git a/src/vlib/unix/input.c b/src/vlib/unix/input.c
index 0a61c05..8be0770 100644 (file)
--- a/src/vlib/unix/input.c
+++ b/src/vlib/unix/input.c
@@ -247,11 +247,40 @@ linux_epoll_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
   for (e = em->epoll_events; e < em->epoll_events + n_fds_ready; e++)
     {
       u32 i = e->data.u32;
-      clib_file_t *f = pool_elt_at_index (fm->file_pool, i);
+      clib_file_t *f = fm->file_pool + i;
       clib_error_t *errors[4];
       int n_errors = 0;
 
-      if (PREDICT_TRUE (!(e->events & EPOLLERR)))
+      if (PREDICT_FALSE (pool_is_free (fm->file_pool, f)))
+       {
+         /*
+          * Under rare scenerop, epoll may still post us events for the
+          * deleted file descriptor. We just deal with it and throw away the
+          * events for the corresponding file descriptor.
+          */
+         if (e->events & EPOLLIN)
+           {
+             errors[n_errors] =
+               clib_error_return (0, "epoll event EPOLLIN dropped due "
+                                  "to free index %u", i);
+             n_errors++;
+           }
+         if (e->events & EPOLLOUT)
+           {
+             errors[n_errors] =
+               clib_error_return (0, "epoll event EPOLLOUT dropped due "
+                                  "to free index %u", i);
+             n_errors++;
+           }
+         if (e->events & EPOLLERR)
+           {
+             errors[n_errors] =
+               clib_error_return (0, "epoll event EPOLLERR dropped due "
+                                  "to free index %u", i);
+             n_errors++;
+           }
+       }
+      else if (PREDICT_TRUE (!(e->events & EPOLLERR)))
        {
          if (e->events & EPOLLIN)
            {