Re: [PATCH RESEND] fs/epoll: fix the edge-triggered mode for nested epoll

From: Roman Penyaev
Date: Mon Sep 02 2019 - 11:37:01 EST


Hi,

This is indeed a bug. (quick side note: could you please remove efd[1]
from your test, because it is not related to the reproduction of a
current bug).

Your patch lacks a good description, what exactly you've fixed. Let
me speak out loud and please correct me if I'm wrong, my understanding
of epoll internals has become a bit rusty: when epoll fds are nested
an attempt to harvest events (ep_scan_ready_list() call) produces a
second (repeated) event from an internal fd up to an external fd:

epoll_wait(efd[0], ...):
ep_send_events():
ep_scan_ready_list(depth=0):
ep_send_events_proc():
ep_item_poll():
ep_scan_ready_list(depth=1):
ep_poll_safewake():
ep_poll_callback()
list_add_tail(&epi, &epi->rdllist);
^^^^^^
repeated event


In your patch you forbid wakeup for the cases, where depth != 0, i.e.
for all nested cases. That seems clear. But what if we can go further
and remove the whole chunk, which seems excessive:

@@ -885,26 +886,11 @@ static __poll_t ep_scan_ready_list(struct eventpoll *ep,

-
- if (!list_empty(&ep->rdllist)) {
- /*
- * Wake up (if active) both the eventpoll wait list and
- * the ->poll() wait list (delayed after we release the lock).
- */
- if (waitqueue_active(&ep->wq))
- wake_up(&ep->wq);
- if (waitqueue_active(&ep->poll_wait))
- pwake++;
- }
write_unlock_irq(&ep->lock);

if (!ep_locked)
mutex_unlock(&ep->mtx);

- /* We have to call this outside the lock */
- if (pwake)
- ep_poll_safewake(&ep->poll_wait);


I reason like that: by the time we've reached the point of scanning events
for readiness all wakeups from ep_poll_callback have been already fired and
new events have been already accounted in ready list (ep_poll_callback() calls
the same ep_poll_safewake()). Here, frankly, I'm not 100% sure and probably
missing some corner cases.

Thoughts?

PS. You call list_empty(&ep->rdllist) without ep->lock taken, that is fine,
but you should be _careful_, so list_empty_careful(&ep->rdllist) call
instead.

--
Roman



On 2019-09-02 07:20, hev wrote:
From: Heiher <r@xxxxxx>

The structure of event pools:
efd[1]: { efd[2] (EPOLLIN) } efd[0]: { efd[2] (EPOLLIN | EPOLLET) }
| |
+-----------------+-----------------+
|
v
efd[2]: { sfd[0] (EPOLLIN) }

When sfd[0] to be readable:
* the epoll_wait(efd[0], ..., 0) should return efd[2]'s events on first call,
and returns 0 on next calls, because efd[2] is added in edge-triggered mode.
* the epoll_wait(efd[1], ..., 0) should returns efd[2]'s events on every calls
until efd[2] is not readable (epoll_wait(efd[2], ...) => 0), because efd[1]
is added in level-triggered mode.
* the epoll_wait(efd[2], ..., 0) should returns sfd[0]'s events on every calls
until sfd[0] is not readable (read(sfd[0], ...) => EAGAIN), because sfd[0]
is added in level-triggered mode.

Test code:
#include <stdio.h>
#include <unistd.h>
#include <sys/epoll.h>
#include <sys/socket.h>

int main(int argc, char *argv[])
{
int sfd[2];
int efd[3];
int nfds;
struct epoll_event e;

if (socketpair(AF_UNIX, SOCK_STREAM, 0, sfd) < 0)
goto out;

efd[0] = epoll_create(1);
if (efd[0] < 0)
goto out;

efd[1] = epoll_create(1);
if (efd[1] < 0)
goto out;

efd[2] = epoll_create(1);
if (efd[2] < 0)
goto out;

e.events = EPOLLIN;
if (epoll_ctl(efd[2], EPOLL_CTL_ADD, sfd[0], &e) < 0)
goto out;

e.events = EPOLLIN;
if (epoll_ctl(efd[1], EPOLL_CTL_ADD, efd[2], &e) < 0)
goto out;

e.events = EPOLLIN | EPOLLET;
if (epoll_ctl(efd[0], EPOLL_CTL_ADD, efd[2], &e) < 0)
goto out;

if (write(sfd[1], "w", 1) != 1)
goto out;

nfds = epoll_wait(efd[0], &e, 1, 0);
if (nfds != 1)
goto out;

nfds = epoll_wait(efd[0], &e, 1, 0);
if (nfds != 0)
goto out;

nfds = epoll_wait(efd[1], &e, 1, 0);
if (nfds != 1)
goto out;

nfds = epoll_wait(efd[1], &e, 1, 0);
if (nfds != 1)
goto out;

nfds = epoll_wait(efd[2], &e, 1, 0);
if (nfds != 1)
goto out;

nfds = epoll_wait(efd[2], &e, 1, 0);
if (nfds != 1)
goto out;

close(efd[2]);
close(efd[1]);
close(efd[0]);
close(sfd[0]);
close(sfd[1]);

printf("PASS\n");
return 0;

out:
printf("FAIL\n");
return -1;
}

Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Davide Libenzi <davidel@xxxxxxxxxxxxxxx>
Cc: Davidlohr Bueso <dave@xxxxxxxxxxxx>
Cc: Dominik Brodowski <linux@xxxxxxxxxxxxxxxxxxxx>
Cc: Eric Wong <e@xxxxxxxxx>
Cc: Jason Baron <jbaron@xxxxxxxxxx>
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Cc: Roman Penyaev <rpenyaev@xxxxxxx>
Cc: Sridhar Samudrala <sridhar.samudrala@xxxxxxxxx>
Cc: linux-kernel@xxxxxxxxxxxxxxx
Cc: linux-fsdevel@xxxxxxxxxxxxxxx
Signed-off-by: hev <r@xxxxxx>
---
fs/eventpoll.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index d7f1f5011fac..a44cb27c636c 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -672,6 +672,7 @@ static __poll_t ep_scan_ready_list(struct eventpoll *ep,
{
__poll_t res;
int pwake = 0;
+ int nwake = 0;
struct epitem *epi, *nepi;
LIST_HEAD(txlist);

@@ -685,6 +686,9 @@ static __poll_t ep_scan_ready_list(struct eventpoll *ep,
if (!ep_locked)
mutex_lock_nested(&ep->mtx, depth);

+ if (!depth || list_empty(&ep->rdllist))
+ nwake = 1;
+
/*
* Steal the ready list, and re-init the original one to the
* empty list. Also, set ep->ovflist to NULL so that events
@@ -739,7 +743,7 @@ static __poll_t ep_scan_ready_list(struct eventpoll *ep,
list_splice(&txlist, &ep->rdllist);
__pm_relax(ep->ws);

- if (!list_empty(&ep->rdllist)) {
+ if (nwake && !list_empty(&ep->rdllist)) {
/*
* Wake up (if active) both the eventpoll wait list and
* the ->poll() wait list (delayed after we release the lock).