Kafs 6.16.0-rc3 BUG: kernel NULL pointer dereference

David Howells dhowells at redhat.com
Tue Jul 1 06:12:23 PDT 2025


markus.suvanto at gmail.com wrote:

> > Also, would you be able to build a debugging patch into your kernel?
> > 
> 
> Yes I can.

Actually, that may not be necessary.  I think the problem is here, in this
function:

static void afs_rx_new_call(struct sock *sk, struct rxrpc_call *rxcall,
			    unsigned long user_call_ID)
{
	struct afs_call *call = (struct afs_call *)user_call_ID;
	struct afs_net *net = afs_sock2net(sk);

	call->peer = rxrpc_kernel_get_call_peer(sk->sk_socket, call->rxcall);
	/* Returns NULL if the peer doesn't match a known server. */
	call->server = afs_find_server(call->peer);
	if (!call->server)
		trace_afs_cm_no_server(call, rxrpc_kernel_remote_srx(call->peer));

	queue_work(afs_wq, &net->charge_preallocation_work);
}

call->server can end up being NULL if we don't recognise the source server.
The service functions, however, assume that call->server will be set.

We can try to test this using existing tracepoints.  Can you turn on:

echo 1 > /sys/kernel/debug/tracing/events/afs/afs_cm_no_server/enable
echo 1 > /sys/kernel/debug/tracing/events/afs/afs_cm_no_server_u/enable
echo 1 > /sys/kernel/debug/tracing/events/error_report/enable

and see if any of these turn up in the trace log?

In particular if an afs_cm_no_server trace is followed immediately after by
an error_report trace in the same process.

Thanks,
David
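The failure mode above, as an added userspace model (not kernel code and not a patch from this thread): a lookup that can return NULL for an unrecognised peer, a service handler that dereferences call->server unconditionally, and a checked handler that refuses the call instead. The struct layouts, the address table and the model_* helpers are constructed stand-ins for the real afs structures and afs_find_server().

```c
/* Added example: userspace model of the afs call->server lifecycle.
 * Structures and helpers are simplified stand-ins, not the kernel's. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct afs_peer { const char *addr; };
struct afs_server { const char *name; unsigned long uuid; };

struct afs_call {
	struct afs_peer *peer;
	struct afs_server *server;	/* NULL when no server matched */
	int aborted;			/* set when the call is refused */
};

/* Constructed server table standing in for the list afs_find_server()
 * searches; only these two addresses are "known". */
static struct afs_server known_servers[] = {
	{ "fileserver-a", 1001 },
	{ "fileserver-b", 1002 },
};
static const char *known_addrs[] = { "192.0.2.10", "192.0.2.11" };

/* Stand-in for afs_find_server(): NULL for an unrecognised source. */
static struct afs_server *model_find_server(const struct afs_peer *peer)
{
	for (size_t i = 0; i < 2; i++)
		if (strcmp(peer->addr, known_addrs[i]) == 0)
			return &known_servers[i];
	return NULL;
}

/* Stand-in for afs_rx_new_call(): binds peer and (maybe NULL) server. */
void model_new_call(struct afs_call *call, struct afs_peer *peer)
{
	call->peer = peer;
	call->server = model_find_server(peer);
	call->aborted = 0;
	if (!call->server)
		printf("afs_cm_no_server: peer %s\n", peer->addr);
}

/* Before: the service handler assumes call->server is set.
 * With an unknown peer this is the NULL pointer dereference. */
unsigned long service_unchecked(struct afs_call *call)
{
	return call->server->uuid;
}

/* After: refuse the call when the server was not identified. */
int service_checked(struct afs_call *call, unsigned long *uuid_out)
{
	if (!call->server) {
		call->aborted = 1;	/* stand-in for aborting the call */
		return -ENOENT;
	}
	*uuid_out = call->server->uuid;
	return 0;
}

int main(void)
{
	struct afs_peer known = { "192.0.2.10" }, unknown = { "198.51.100.7" };
	struct afs_call call;
	unsigned long uuid = 0;

	model_new_call(&call, &known);
	printf("known peer: rc=%d uuid=%lu\n", service_checked(&call, &uuid), uuid);

	model_new_call(&call, &unknown);
	printf("unknown peer: rc=%d aborted=%d\n",
	       service_checked(&call, &uuid), call.aborted);
	/* service_unchecked(&call) here would dereference NULL. */
	return 0;
}
```

The checked handler mirrors the point of the mail: once afs_find_server() can return NULL, every service path that touches call->server has to treat that as a possible state rather than an invariant.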

