5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Jun 2026 05:31:34 +0000 (11:01 +0530)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Jun 2026 05:31:34 +0000 (11:01 +0530)
added patches:
io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch

queue-5.10/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch b/queue-5.10/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch
new file mode 100644 (file)
index 0000000..0bdfc52
--- /dev/null
@@ -0,0 +1,52 @@
+From 4f1ddce4042ea4b3d8a3d14d1b4745d408b68090 Mon Sep 17 00:00:00 2001
+From: Longxuan Yu <ylong030@ucr.edu>
+Date: Sun, 12 Apr 2026 16:38:20 +0800
+Subject: io_uring/poll: fix signed comparison in io_poll_get_ownership()
+
+From: Longxuan Yu <ylong030@ucr.edu>
+
+Commit 326941b22806cbf2df1fbfe902b7908b368cce42 usptream.
+
+io_poll_get_ownership() uses a signed comparison to check whether
+poll_refs has reached the threshold for the slowpath:
+
+    if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
+
+atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
+(BIT(31)) is set in poll_refs, the value becomes negative in
+signed arithmetic, so the >= 128 comparison always evaluates to
+false and the slowpath is never taken.
+
+Fix this by casting the atomic_read() result to unsigned int
+before the comparison, so that the cancel flag is treated as a
+large positive value and correctly triggers the slowpath.
+
+Fixes: a26a35e9019f ("io_uring: make poll refs more robust")
+Cc: stable@vger.kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Signed-off-by: Longxuan Yu <ylong030@ucr.edu>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://patch.msgid.link/3a3508b08bcd7f1bc3beff848ae6e1d73d355043.1775965597.git.ylong030@ucr.edu
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -5378,7 +5378,7 @@ static bool io_poll_get_ownership_slowpa
+  */
+ static inline bool io_poll_get_ownership(struct io_kiocb *req)
+ {
+-      if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
++      if (unlikely((unsigned int)atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
+               return io_poll_get_ownership_slowpath(req);
+       return !(atomic_fetch_inc(&req->poll_refs) & IO_POLL_REF_MASK);
+ }
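Review bot: The `(unsigned int)` cast added to the `if` in io_poll_get_ownership() has no comment, so the reason the comparison must be unsigned is recorded only in the commit message. A one-line comment above the `if`, such as `/* compare as unsigned: IO_POLL_CANCEL_FLAG (bit 31) makes the int negative and must still take the slowpath */`, would keep a later cleanup from dropping the cast as redundant. The function's leading comment block starts outside this hunk, so check whether it already says this. Because this is a 5.10 backport, it is also worth confirming that the 5.10 tree defines IO_POLL_CANCEL_FLAG as BIT(31) and IO_POLL_REF_BIAS as 128, as the upstream message assumes, since neither definition is visible here. Separately, the `Commit 326941b22806…` line in the patch description misspells "upstream" as "usptream".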
index be012de4f1788bb72363fecaa99c163a341c6dd8..94338720698082a8a3ebdcf427e34e29931d67c8 100644 (file)
@@ -211,3 +211,4 @@ thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch
 drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch
 drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch
 fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch
+io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch