VPP-1412

vlib: crash in linux_epoll_input_inline for accessing free file index


    • Type: Bug
    • Resolution: Open
    • Priority: Medium
    • VPPInfra

      In a rare scenario, epoll may still post an event to VPP although the file descriptor has already been deleted via epoll_ctl (EPOLL_CTL_DEL) and the file descriptor is closed. VPP tries to access the free file index entry and crashes.

      static_always_inline uword
      linux_epoll_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
                                vlib_frame_t * frame, u32 thread_index)
      {

        ...

        for (e = em->epoll_events; e < em->epoll_events + n_fds_ready; e++)
          {
            u32 i = e->data.u32;
            clib_file_t *f = pool_elt_at_index (fm->file_pool, i);  /* <== crash here for accessing free index */

            sluong steven luong
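An added example, not code from the VPP tree or from this issue: a minimal model of the dispatch loop above that validates each event's pool index before touching the entry. It goes beyond the report by also tagging events with a per-slot generation counter, so an index that was freed and then reused is rejected too; `file_slot_t`, `slot_alloc`, `slot_free` and `dispatch` are hypothetical names and the event batch is constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical model of a file pool; these names are not VPP's. */
#define POOL_SIZE 8
typedef struct {
  uint32_t gen;  /* bumped each time the slot is freed */
  int in_use;    /* 0 = slot is free */
  int hits;      /* events delivered to this entry */
} file_slot_t;
static file_slot_t pool[POOL_SIZE];

/* Claim a slot; the return value is what would go in epoll_event.data.u64. */
static uint64_t slot_alloc (uint32_t index)
{
  pool[index].in_use = 1;
  pool[index].hits = 0;
  return ((uint64_t) pool[index].gen << 32) | index;
}

static void slot_free (uint32_t index)
{
  pool[index].in_use = 0;
  pool[index].gen++;  /* invalidates every tag handed out earlier */
}

/* Deliver a batch of event tags; return how many stale ones were dropped. */
static int dispatch (const uint64_t *tags, int n)
{
  int dropped = 0;
  for (int k = 0; k < n; k++) {
    uint32_t index = (uint32_t) tags[k], gen = (uint32_t) (tags[k] >> 32);
    if (index >= POOL_SIZE || !pool[index].in_use || pool[index].gen != gen) {
      dropped++;  /* freed, or freed and reused: do not touch the entry */
      continue;
    }
    pool[index].hits++;  /* stands in for calling the read/write handler */
  }
  return dropped;
}

int main (void)
{
  uint64_t a = slot_alloc (1), b = slot_alloc (2);
  slot_free (2);  /* constructed case: entry removed, event already queued */
  uint64_t batch[] = { a, b };
  printf ("dropped %d stale event(s)\n", dispatch (batch, 2));
  return 0;
}
```

A free-slot check alone stops the crash; the generation comparison additionally keeps a late event from being delivered to whatever file now occupies the same index.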