Unfortunately not: when I change the code like so:

    bool async;
    uint32_t opcode_early = req->args->opcode;

    if (test_and_set_bit(FR_FINISHED, &req->flags))
        goto put_request;

    async = req->args->end;

…gdb only reports:

(gdb) bt
#0  0x000000a700000001 in ?? ()
#1  0xffffffff8137fc99 in fuse_copy_finish (cs=0x20000ffffffff) at fs/fuse/dev.c:681
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

But maybe that’s a hint in and of itself?

On Wed, Feb 12, 2020 at 9:34 AM Miklos Szeredi <miklos@xxxxxxxxxx> wrote:
>
> On Wed, Feb 12, 2020 at 8:58 AM Michael Stapelberg
> <michael+lkml@xxxxxxxxxxxxx> wrote:
>
> > (gdb) p *req->args
> > $5 = {
> >   nodeid = 18446683600620026424,
> >   opcode = 2167928246,
> >   in_numargs = 65535,
> >   out_numargs = 65535,
> >   force = false,
> >   noreply = false,
> >   nocreds = false,
> >   in_pages = false,
> >   out_pages = false,
> >   out_argvar = true,
> >   page_zeroing = true,
> >   page_replace = false,
> >   in_args = {{
> >       size = 978828800,
> >       value = 0x2fafce0
> >     }, {
> >       size = 978992728,
> >       value = 0xffffffff8138efaa <fuse_alloc_forget+26>
> >     }, {
> >       size = 50002688,
> >       value = 0xffffffff8138635f <fuse_lookup_name+255>
> >     }},
> >   out_args = {{
> >       size = 570,
> >       value = 0xffffc90002fafb10
> >     }, {
> >       size = 6876,
> >       value = 0x3000000001adc
> >     }},
> >   end = 0x1000100000001
> > }
>
> Okay, that looks like rubbish, the request was possibly freed and overwritten.
>
> > Independently, as a separate test, I have also modified the source like this:
> >
> >     bool async;
> >     bool async_early = req->args->end;
> >
> >     if (test_and_set_bit(FR_FINISHED, &req->flags))
> >         goto put_request;
> >
> >     async = req->args->end;
> >
> > …and printed the value of async and async_early. async is true,
> > async_early is false.
>
> Can you save and print out the value of req->opcode before the
> test_and_set_bit()?
>
> Thanks,
> Miklos
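The ordering hazard the thread is circling (reading req->args after FR_FINISHED has been published, when the waiter may already have freed it) can be shown deterministically in user space. This is an added illustration, not kernel code and not part of the thread: struct and function names with the _sim suffix are constructed stand-ins, the waiter is modelled as a hook that runs at the point where the sleeping thread would wake, and freed memory is poisoned with 0x6b instead of actually freed so the program stays well-defined.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define FR_FINISHED 0x1u   /* constructed stand-in for the kernel flag bit */

struct fuse_args_sim {          /* constructed stand-in for struct fuse_args */
    uint32_t opcode;
    void (*end)(void);          /* non-NULL only for async requests */
};

struct fuse_req_sim {           /* constructed stand-in for struct fuse_req */
    unsigned long flags;
    struct fuse_args_sim *args;
};

/* Single-threaded stand-in for test_and_set_bit(): returns the old bit. */
static bool test_and_set_bit_sim(unsigned long bit, unsigned long *flags) {
    bool old = (*flags & bit) != 0;
    *flags |= bit;
    return old;
}

/* The waiter: once FR_FINISHED is visible it may release args. Poisoning
 * with 0x6b mimics SLUB's POISON_FREE pattern instead of calling free(). */
static void waiter_sees_finished(struct fuse_req_sim *req) {
    if (req->flags & FR_FINISHED)
        memset(req->args, 0x6b, sizeof(*req->args));
}

/* Buggy order: publish completion first, then dereference req->args. */
static bool finish_unsafe(struct fuse_req_sim *req) {
    if (test_and_set_bit_sim(FR_FINISHED, &req->flags))
        return false;
    waiter_sees_finished(req);   /* preemption point: waiter runs here */
    return req->args->end;       /* reads poisoned memory -> true */
}

/* Fixed order: snapshot what is needed before the flag is set. */
static bool finish_safe(struct fuse_req_sim *req) {
    bool async = req->args->end; /* read while args is still valid */
    if (test_and_set_bit_sim(FR_FINISHED, &req->flags))
        return false;
    waiter_sees_finished(req);
    return async;
}

/* Runs one synchronous request (end == NULL) through either ordering. */
bool run_case(bool snapshot_before_flag) {
    struct fuse_args_sim args = { .opcode = 1 /* FUSE_LOOKUP */, .end = NULL };
    struct fuse_req_sim req = { .flags = 0, .args = &args };
    return snapshot_before_flag ? finish_safe(&req) : finish_unsafe(&req);
}
```

The unsafe ordering reports async == true for a request that was synchronous, matching the "async is true, async_early is false" observation above.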