From 104f0df7f4b957b53c4faf843248be25c65ce941 Mon Sep 17 00:00:00 2001
From: Steven Luong <sluong@cisco.com>
Date: Wed, 21 Oct 2020 12:54:29 -0700
Subject: [PATCH] memif: handle unexpected EPOLLOUT for RX queue

Getting an unexpected EPOLLOUT for RX queue and crashing due to missing
callback function on write_function to handle EPOLLOUT.

(gdb) f 5
f 5
    node=<optimized out>, vm=0x7f948bbe4540 <vlib_global_main>) at /vpp/src/vlib/unix/input.c:325
325		      errors[n_errors] = f->write_function (f);
(gdb) p *e
p *e
$21 = {events = 4, data = {ptr = 0x23, fd = 35, u32 = 35, u64 = 35}}
(gdb) p file_main.file_pool[e->data.fd]
p file_main.file_pool[e->data.fd]
$22 = {file_descriptor = 37, flags = 1, polling_thread_index = 0, private_data = 65536,
  read_function = 0x7f944a87b140 <memif_int_fd_read_ready>, write_function = 0x0,
  error_function = 0x0, description = 0x7f944be22400 "memif0/1 rx 0 int", read_events = 0,
  write_events = 1, error_events = 0}
(gdb)

File descriptors are recycled. It is likely that the EPOLLOUT is meant
for the previous owner of the same file descriptor number which memif
recycled and memif RX did not expect to receive an EPOLLOUT. For
defensive play, we create a dummy callback function to ignore the
EPOLLOUT instead of crashing.

Type: fix

Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I535cadbb9b71d3db2995b118c59a12c71f10af09
---
 src/plugins/memif/memif.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/plugins/memif/memif.c b/src/plugins/memif/memif.c
index 3a2ed36c2dc..e9bdf42bc2f 100644
--- a/src/plugins/memif/memif.c
+++ b/src/plugins/memif/memif.c
@@ -193,6 +193,17 @@ memif_disconnect (memif_if_t * mif, clib_error_t * err)
   clib_fifo_free (mif->msg_queue);
 }
 
+static clib_error_t *
+memif_int_fd_write_ready (clib_file_t * uf)
+{
+  memif_main_t *mm = &memif_main;
+  u16 qid = uf->private_data & 0xFFFF;
+  memif_if_t *mif = vec_elt_at_index (mm->interfaces, uf->private_data >> 16);
+
+  memif_log_warn (mif, "unexpected EPOLLOUT on RX for queue %u", qid);
+  return 0;
+}
+
 static clib_error_t *
 memif_int_fd_read_ready (clib_file_t * uf)
 {
@@ -255,6 +266,7 @@ memif_connect (memif_if_t * mif)
   /* *INDENT-ON* */
 
   template.read_function = memif_int_fd_read_ready;
+  template.write_function = memif_int_fd_write_ready;
 
   /* *INDENT-OFF* */
   vec_foreach_index (i, mif->tx_queues)
-- 
2.16.6