* [PATCH 1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership()
[not found] <cover.1775965597.git.ylong030@ucr.edu>
@ 2026-04-12 8:38 ` Ren Wei
2026-04-14 10:50 ` Pavel Begunkov
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Ren Wei @ 2026-04-12 8:38 UTC (permalink / raw)
To: io-uring
Cc: axboe, asml.silence, yifanwucs, tomapufckgml, yuantan098, bird,
zcliangcn, ylong030, n05ec
From: Longxuan Yu <ylong030@ucr.edu>
io_poll_get_ownership() uses a signed comparison to check whether
poll_refs has reached the threshold for the slowpath:
if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
(BIT(31)) is set in poll_refs, the value becomes negative in
signed arithmetic, so the >= 128 comparison always evaluates to
false and the slowpath is never taken.
Fix this by casting the atomic_read() result to unsigned int
before the comparison, so that the cancel flag is treated as a
large positive value and correctly triggers the slowpath.
Fixes: aa43477b0402 ("io_uring: poll rework")
Cc: stable@vger.kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Longxuan Yu <ylong030@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
io_uring/poll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_uring/poll.c b/io_uring/poll.c
index 2e9ee47d7..b98439107 100644
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -93,7 +93,7 @@ static bool io_poll_get_ownership_slowpath(struct io_kiocb *req)
*/
static inline bool io_poll_get_ownership(struct io_kiocb *req)
{
- if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
+ if (unlikely((unsigned int)atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
return io_poll_get_ownership_slowpath(req);
return !(atomic_fetch_inc(&req->poll_refs) & IO_POLL_REF_MASK);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership()
2026-04-12 8:38 ` [PATCH 1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership() Ren Wei
@ 2026-04-14 10:50 ` Pavel Begunkov
2026-04-15 20:08 ` Jens Axboe
2026-04-15 20:09 ` Jens Axboe
2 siblings, 0 replies; 6+ messages in thread
From: Pavel Begunkov @ 2026-04-14 10:50 UTC (permalink / raw)
To: Ren Wei, io-uring
Cc: axboe, yifanwucs, tomapufckgml, yuantan098, bird, zcliangcn,
ylong030
On 4/12/26 09:38, Ren Wei wrote:
> From: Longxuan Yu <ylong030@ucr.edu>
>
> io_poll_get_ownership() uses a signed comparison to check whether
> poll_refs has reached the threshold for the slowpath:
>
> if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
>
> atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
> (BIT(31)) is set in poll_refs, the value becomes negative in
> signed arithmetic, so the >= 128 comparison always evaluates to
> false and the slowpath is never taken.
>
> Fix this by casting the atomic_read() result to unsigned int
> before the comparison, so that the cancel flag is treated as a
> large positive value and correctly triggers the slowpath.
Looks good, thanks for the patch
Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
--
Pavel Begunkov
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership()
2026-04-12 8:38 ` [PATCH 1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership() Ren Wei
2026-04-14 10:50 ` Pavel Begunkov
@ 2026-04-15 20:08 ` Jens Axboe
2026-04-15 20:09 ` Jens Axboe
2 siblings, 0 replies; 6+ messages in thread
From: Jens Axboe @ 2026-04-15 20:08 UTC (permalink / raw)
To: io-uring, Ren Wei
Cc: asml.silence, yifanwucs, tomapufckgml, yuantan098, bird,
zcliangcn, ylong030
On Sun, 12 Apr 2026 16:38:20 +0800, Ren Wei wrote:
> io_poll_get_ownership() uses a signed comparison to check whether
> poll_refs has reached the threshold for the slowpath:
>
> if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
>
> atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
> (BIT(31)) is set in poll_refs, the value becomes negative in
> signed arithmetic, so the >= 128 comparison always evaluates to
> false and the slowpath is never taken.
>
> [...]
Applied, thanks!
[1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership()
commit: 326941b22806cbf2df1fbfe902b7908b368cce42
Best regards,
--
Jens Axboe
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership()
2026-04-12 8:38 ` [PATCH 1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership() Ren Wei
2026-04-14 10:50 ` Pavel Begunkov
2026-04-15 20:08 ` Jens Axboe
@ 2026-04-15 20:09 ` Jens Axboe
2026-04-16 1:50 ` Yuan Tan
2 siblings, 1 reply; 6+ messages in thread
From: Jens Axboe @ 2026-04-15 20:09 UTC (permalink / raw)
To: Ren Wei, io-uring
Cc: asml.silence, yifanwucs, tomapufckgml, yuantan098, bird,
zcliangcn, ylong030
On 4/12/26 2:38 AM, Ren Wei wrote:
> From: Longxuan Yu <ylong030@ucr.edu>
>
> io_poll_get_ownership() uses a signed comparison to check whether
> poll_refs has reached the threshold for the slowpath:
>
> if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
>
> atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
> (BIT(31)) is set in poll_refs, the value becomes negative in
> signed arithmetic, so the >= 128 comparison always evaluates to
> false and the slowpath is never taken.
>
> Fix this by casting the atomic_read() result to unsigned int
> before the comparison, so that the cancel flag is treated as a
> large positive value and correctly triggers the slowpath.
>
> Fixes: aa43477b0402 ("io_uring: poll rework")
Is this correct? Seems it should be:
Fixes: a26a35e9019f ("io_uring: make poll refs more robust")
--
Jens Axboe
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership()
2026-04-15 20:09 ` Jens Axboe
@ 2026-04-16 1:50 ` Yuan Tan
2026-04-16 15:28 ` Jens Axboe
0 siblings, 1 reply; 6+ messages in thread
From: Yuan Tan @ 2026-04-16 1:50 UTC (permalink / raw)
To: Jens Axboe, Ren Wei, io-uring
Cc: asml.silence, yifanwucs, tomapufckgml, bird, zcliangcn, ylong030
On 4/15/26 13:09, Jens Axboe wrote:
> On 4/12/26 2:38 AM, Ren Wei wrote:
>> From: Longxuan Yu <ylong030@ucr.edu>
>>
>> io_poll_get_ownership() uses a signed comparison to check whether
>> poll_refs has reached the threshold for the slowpath:
>>
>> if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
>>
>> atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
>> (BIT(31)) is set in poll_refs, the value becomes negative in
>> signed arithmetic, so the >= 128 comparison always evaluates to
>> false and the slowpath is never taken.
>>
>> Fix this by casting the atomic_read() result to unsigned int
>> before the comparison, so that the cancel flag is treated as a
>> large positive value and correctly triggers the slowpath.
>>
>> Fixes: aa43477b0402 ("io_uring: poll rework")
> Is this correct? Seems it should be:
>
> Fixes: a26a35e9019f ("io_uring: make poll refs more robust")
>
I just double check it. Yes we were wrong. Correct bug inducing commit is
a26a35e9019f ("io_uring: make poll refs more robust").
Thanks for pointing it out.
Do we need to send a v2 to fix this?
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership()
2026-04-16 1:50 ` Yuan Tan
@ 2026-04-16 15:28 ` Jens Axboe
0 siblings, 0 replies; 6+ messages in thread
From: Jens Axboe @ 2026-04-16 15:28 UTC (permalink / raw)
To: Yuan Tan, Ren Wei, io-uring
Cc: asml.silence, yifanwucs, tomapufckgml, bird, zcliangcn, ylong030
On 4/15/26 7:50 PM, Yuan Tan wrote:
>
> On 4/15/26 13:09, Jens Axboe wrote:
>> On 4/12/26 2:38 AM, Ren Wei wrote:
>>> From: Longxuan Yu <ylong030@ucr.edu>
>>>
>>> io_poll_get_ownership() uses a signed comparison to check whether
>>> poll_refs has reached the threshold for the slowpath:
>>>
>>> if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
>>>
>>> atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
>>> (BIT(31)) is set in poll_refs, the value becomes negative in
>>> signed arithmetic, so the >= 128 comparison always evaluates to
>>> false and the slowpath is never taken.
>>>
>>> Fix this by casting the atomic_read() result to unsigned int
>>> before the comparison, so that the cancel flag is treated as a
>>> large positive value and correctly triggers the slowpath.
>>>
>>> Fixes: aa43477b0402 ("io_uring: poll rework")
>> Is this correct? Seems it should be:
>>
>> Fixes: a26a35e9019f ("io_uring: make poll refs more robust")
>>
> I just double check it. Yes we were wrong. Correct bug inducing commit is
>
> a26a35e9019f ("io_uring: make poll refs more robust").
>
> Thanks for pointing it out.
>
>
> Do we need to send a v2 to fix this?
No need, I corrected it already while applying yesterday.
--
Jens Axboe
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-04-16 15:28 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <cover.1775965597.git.ylong030@ucr.edu>
2026-04-12 8:38 ` [PATCH 1/1] io_uring/poll: fix signed comparison in io_poll_get_ownership() Ren Wei
2026-04-14 10:50 ` Pavel Begunkov
2026-04-15 20:08 ` Jens Axboe
2026-04-15 20:09 ` Jens Axboe
2026-04-16 1:50 ` Yuan Tan
2026-04-16 15:28 ` Jens Axboe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox