Hi, Jens,
> +static int io_poll_add(struct io_kiocb *req, const struct io_uring_sqe *sqe)
> +{
[...]
> + /* one for removal from waitqueue, one for this function */
> + refcount_set(&req->refs, 2);
> +
> + mask = vfs_poll(poll->file, &ipt.pt) & poll->events;
> + if (unlikely(!poll->head)) {
> + /* we did not manage to set up a waitqueue, done */
> + goto out;
> + }
> +
> + spin_lock_irq(&ctx->completion_lock);
> + spin_lock(&poll->head->lock);
> + if (poll->woken) {
> + /* wake_up context handles the rest */
> + mask = 0;
> + ipt.error = 0;
> + } else if (mask || ipt.error) {
> + /* if we get an error or a mask we are done */
> + WARN_ON_ONCE(list_empty(&poll->wait.entry));
> + list_del_init(&poll->wait.entry);
> + } else {
> + /* actually waiting for an event */
> + list_add_tail(&req->list, &ctx->cancel_list);
> + }
> + spin_unlock(&poll->head->lock);
> + spin_unlock_irq(&ctx->completion_lock);
> +
> +out:
> + if (unlikely(ipt.error)) {
> + if (!(flags & IOSQE_FIXED_FILE))
> + fput(poll->file);
> + return ipt.error;
> + }
You need to drop the reference count on the req inside that if block.
-Jeff
> +
> + if (mask)
> + io_poll_complete(req, mask);
> + io_free_req(req);
> + return 0;
> +}
