Kafs 6.16.0-rc3 BUG: kernel NULL pointer dereference
markus.suvanto at gmail.com
Thu Jul 3 06:30:17 PDT 2025
On Tue, 2025-07-01 at 21:38 +0100, David Howells wrote:
>
> > But so far I have not managed to reproduce the problem...
>
After one day, a new Oops...
[ 649.016596] e1000e 0000:00:1f.6 enp0s31f6: entered promiscuous mode
[ 663.841118] br0: port 1(enp6s0u1u4u1) entered learning state
[ 679.200671] br0: port 1(enp6s0u1u4u1) entered forwarding state
[ 679.200698] br0: topology change detected, propagating
[ 1429.519212] No record of cell editorconfig
[ 1439.957345] No record of cell editorconfig
[ 1461.695697] No record of cell editorconfig
[ 1466.692074] No record of cell tags
[ 1473.846573] No record of cell tags
[ 1491.483006] No record of cell tags
[ 1494.137288] No record of cell tags
[ 1673.982959] No record of cell editorconfig
[ 1905.387168] No record of cell editorconfig
[ 1928.201645] No record of cell editorconfig
[ 1934.459818] No record of cell editorconfig
[ 1954.963260] No record of cell editorconfig
[ 2292.862022] No record of cell tags
[ 2393.806706] No record of cell editorconfig
[ 2492.757063] No record of cell editorconfig
[ 2510.883089] No record of cell editorconfig
[ 2535.395711] No record of cell editorconfig
[ 2571.706686] No record of cell editorconfig
[ 2836.231835] No record of cell tags
[ 2847.551525] No record of cell tags
[ 2908.327035] No record of cell tags
[ 3197.086717] No record of cell editorconfig
[ 3205.499103] No record of cell tags
[ 3262.814706] No record of cell tags
[ 7164.677931] input: JLab GO Air Sport (AVRCP) as /devices/virtual/input/input37
[14697.116902] kAFS: Volume 2303380924 'common.portage' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[14697.118141] kAFS: Volume 2303380924 'common.portage' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[14697.119896] kAFS: Volume 2303380924 'common.portage' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[14697.119957] kAFS: Volume 2303380924 'common.portage' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[17246.035638] input: JLab GO Air Sport (AVRCP) as /devices/virtual/input/input38
[23074.119429] input: JLab GO Air Sport (AVRCP) as /devices/virtual/input/input39
[32184.762104] input: JLab GO Air Sport (AVRCP) as /devices/virtual/input/input40
[32473.143401] kAFS: Volume 2303380852 'tmp' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[32473.145098] kAFS: Volume 2303380852 'tmp' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[45259.933385] kAFS: Volume 2303380852 'tmp' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[45259.941174] kAFS: Volume 2303380852 'tmp' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[45510.167456] input: JLab GO Air Sport (AVRCP) as /devices/virtual/input/input41
[45661.387374] kAFS: Volume 2303380924 'common.portage' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[45661.388455] kAFS: Volume 2303380924 'common.portage' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[78895.506852] kAFS: Volume 2303380924 'common.portage' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[79994.138647] input: JLab GO Air Sport (AVRCP) as /devices/virtual/input/input42
[83797.351369] kAFS: Volume 2303380924 'common.portage' on server 0061c5ec-1b44-17a1-9303-110ba8c0aa77 is busy
[91458.925120] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
[91458.925126] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason at zx2c4.com>. All Rights Reserved.
[91825.100394] input: JLab GO Air Sport (AVRCP) as /devices/virtual/input/input43
[103078.927457] plotter[884185]: segfault at 1d80 ip 000056341a616600 sp 00007ffc9eeb9460 error 4 in
plotter[7600,56341a614000+a000] likely on CPU 2 (core 0, socket 0)
[103078.927468] Code: 89 ee 4c 89 e7 5b 5d 41 5c e9 0c ff ff ff 0f 1f 40 00 41 80 bc 24 80 1d 00 00 00 74 de 48 83 c4 10
5b 5d 41 5c c3 0f 1f 40 00 <80> b8 80 1d 00 00 00 74 c8 48 89 ef e8 df f1 ff ff 48 89 ef 66 48
[103343.118765] No record of cell editorconfig
[103484.952321] No record of cell editorconfig
[105337.026656] ------------[ cut here ]------------
[105337.026661] refcount_t: addition on 0; use-after-free.
[105337.026670] WARNING: CPU: 0 PID: 1271387 at refcount_warn_saturate+0xe1/0x110
[105337.026678] Modules linked in: wireguard curve25519_x86_64 libchacha20poly1305 libcurve25519_generic chacha_x86_64
libchacha libpoly1305 poly1305_x86_64 uinput ccm snd_seq_dummy snd_hrtimer rfcomm snd_seq snd_seq_device af_packet
hid_logitech_hidpp hid_logitech_dj usbkbd usbmouse hid_generic usbhid cdc_ether usbnet r8152 mii uhid cmac algif_hash
algif_skcipher af_alg rmi_smbus rmi_core bridge stp llc kvmgt mdev vfio_iommu_type1 bnep vfio iommufd cachefiles
coretemp intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common intel_pmc_core_pltdrv
intel_pmc_core pmt_telemetry pmt_class intel_pmc_ssram_telemetry intel_vsec snd_soc_avs intel_tcc_cooling
snd_hda_codec_hdmi snd_soc_hda_codec snd_hda_ext_core snd_soc_core x86_pkg_temp_thermal snd_compress intel_powerclamp
uvcvideo snd_hda_codec_realtek ac97_bus kvm_intel snd_hda_codec_generic kafs snd_ctl_led snd_hda_scodec_component iwlmvm
kvm fcrypt videobuf2_vmalloc snd_pcm_dmaengine ee1004 mac80211 mei_pxp uvc mei_hdcp pcbc irqbypass
[105337.026768] snd_hda_intel videobuf2_memops btusb snd_intel_dspcfg btrtl thinkpad_acpi btintel videobuf2_v4l2 rapl
rxrpc intel_cstate snd_hda_codec btbcm libarc4 snd_hda_core nls_iso8859_1 ip6_udp_tunnel i2c_i801 nls_cp437 e1000e krb5
btmtk videodev snd_pcm udp_tunnel bluetooth nvram iwlwifi platform_profile think_lmi intel_uncore mei_me
videobuf2_common efi_pstore snd_timer i2c_mux vfat sha3_generic firmware_attributes_class tpm_crb ptp dns_resolver
sparse_keymap jitterentropy_rng drbg wmi_bmof ansi_cprng intel_wmi_thunderbolt fat tpm_tis pps_core i2c_smbus netfs snd
cfg80211 mc intel_xhci_usb_role_switch thermal mei intel_pch_thermal rfkill crc16 soundcore tiny_power_button
tpm_tis_core battery ac tpm evdev libaescfb joydev rtc_cmos ecdh_generic bfq rng_core ecc button acpi_pad mousedev
input_leds sch_fq_codel loop fuse dm_mod configfs nfnetlink sd_mod crc32c_cryptoapi ucsi_acpi typec_ucsi roles typec uas
usb_storage scsi_mod scsi_common i915 cfbimgblt cfbfillrect cfbcopyarea drm_client_lib i2c_algo_bit fb_io_fops
[105337.026868] cec drm_buddy iosf_mbi ttm intel_gtt agpgart drm_display_helper psmouse serio_raw atkbd drm_kms_helper
libps2 nvme polyval_clmulni vivaldi_fmap ghash_clmulni_intel drm nvme_core sha512_ssse3 drm_panel_orientation_quirks
aesni_intel xhci_pci gf128mul libaes hwmon fb font xhci_hcd lcd ledtrig_backlight i2c_core usbcore video thunderbolt
usb_common wmi i8042 serio backlight btrfs blake2b_generic xor zstd_compress raid6_pq msr efivarfs dmi_sysfs
sha1_generic sha1_ssse3 ipv6 autofs4
[105337.026924] CPU: 0 UID: 0 PID: 1271387 Comm: kworker/0:0 Not tainted 6.16.0-rc4 #1 VOLUNTARY
[105337.026930] Hardware name: LENOVO 20HF0047MX/20HF0047MX, BIOS N1WET68W (1.47 ) 07/21/2022
[105337.026933] Workqueue: afs afs_fs_probe_dispatcher [kafs]
[105337.026964] RIP: 0010:refcount_warn_saturate+0xe1/0x110
[105337.026969] Code: 26 bc ff 0f 0b c3 cc cc cc cc 80 3d 67 ac b0 00 00 0f 85 5e ff ff ff 48 c7 c7 d0 b8 e5 b6 c6 05 53
ac b0 00 01 e8 2f 26 bc ff <0f> 0b c3 cc cc cc cc 48 c7 c7 28 b9 e5 b6 c6 05 37 ac b0 00 01 e8
[105337.026973] RSP: 0000:ffffb68ecc907de8 EFLAGS: 00010282
[105337.026976] RAX: 0000000000000000 RBX: ffffa221e350d800 RCX: 0000000000000027
[105337.026979] RDX: ffffa22586617d08 RSI: 0000000000000001 RDI: ffffa22586617d00
[105337.026981] RBP: 0000000000000004 R08: 00000000ffbfffff R09: ffffa225b47fffa8
[105337.026983] R10: 00000000ffc00000 R11: 0000000000000002 R12: 0000000000000001
[105337.026985] R13: 3ffffffffffffffe R14: ffffa22048477170 R15: 0000000000000001
[105337.026987] FS: 0000000000000000(0000) GS:ffffa225ceed2000(0000) knlGS:0000000000000000
[105337.026990] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[105337.026993] CR2: 000055561515f0a8 CR3: 00000000088e4005 CR4: 00000000003726f0
[105337.026995] Call Trace:
[105337.026998] <TASK>
[105337.027000] afs_get_server+0x93/0xa0 [kafs]
[105337.027030] afs_dispatch_fs_probe+0x30/0x60 [kafs]
[105337.027056] afs_fs_probe_dispatcher+0xd0/0x260 [kafs]
[105337.027082] process_one_work+0x13d/0x2a0
[105337.027087] worker_thread+0x2da/0x420
[105337.027092] ? __pfx_worker_thread+0x10/0x10
[105337.027096] kthread+0xdc/0x1c0
[105337.027100] ? __pfx_kthread+0x10/0x10
[105337.027105] ? __pfx_kthread+0x10/0x10
[105337.027109] ret_from_fork+0x6f/0xd0
[105337.027113] ? __pfx_kthread+0x10/0x10
[105337.027121] ret_from_fork_asm+0x1a/0x30
[105337.027126] </TASK>
[105337.027128] ---[ end trace 0000000000000000 ]---
[105337.027135] BUG: kernel NULL pointer dereference, address: 0000000000000022
[105337.027137] #PF: supervisor read access in kernel mode
[105337.027139] #PF: error_code(0x0000) - not-present page
[105337.027141] PGD 0 P4D 0
[105337.027144] Oops: Oops: 0000 [#1] SMP PTI
[105337.027147] CPU: 0 UID: 0 PID: 1271387 Comm: kworker/0:0 Tainted: G W 6.16.0-rc4 #1 VOLUNTARY
[105337.027152] Tainted: [W]=WARN
[105337.027154] Hardware name: LENOVO 20HF0047MX/20HF0047MX, BIOS N1WET68W (1.47 ) 07/21/2022
[105337.027156] Workqueue: afs afs_fs_probe_dispatcher [kafs]
[105337.027181] RIP: 0010:afs_set_peer_appdata+0xda/0x150 [kafs]
[105337.027203] Code: e8 eb 7b e8 ff 0f b6 45 21 44 39 e8 7f e1 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 31 f6 41 ff c5 e8
cb 7b e8 ff e9 4f ff ff ff <80> 7a 21 00 74 de 48 63 c5 4c 89 e6 ff c5 48 c1 e0 04 48 8b 7c 18
[105337.027206] RSP: 0000:ffffb68ecc907d90 EFLAGS: 00010246
[105337.027209] RAX: ffffa220468f8d20 RBX: 0000000000000001 RCX: 0000000000000000
[105337.027211] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa221e350d800
[105337.027213] RBP: 0000000000000000 R08: 0000000000000060 R09: 0000000000000000
[105337.027215] R10: ffffb68ecc907dc0 R11: 0000000000000002 R12: ffffa221e350d800
[105337.027217] R13: 0000000000000000 R14: ffffa22048477170 R15: 0000000000000001
[105337.027219] FS: 0000000000000000(0000) GS:ffffa225ceed2000(0000) knlGS:0000000000000000
[105337.027221] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[105337.027224] CR2: 0000000000000022 CR3: 00000000088e4005 CR4: 00000000003726f0
[105337.027226] Call Trace:
[105337.027228] <TASK>
[105337.027230] afs_fs_probe_fileserver+0x9e/0x370 [kafs]
[105337.027255] afs_dispatch_fs_probe+0x4c/0x60 [kafs]
[105337.027279] afs_fs_probe_dispatcher+0xd0/0x260 [kafs]
[105337.027304] process_one_work+0x13d/0x2a0
[105337.027309] worker_thread+0x2da/0x420
[105337.027313] ? __pfx_worker_thread+0x10/0x10
[105337.027317] kthread+0xdc/0x1c0
[105337.027320] ? __pfx_kthread+0x10/0x10
[105337.027324] ? __pfx_kthread+0x10/0x10
[105337.027327] ret_from_fork+0x6f/0xd0
[105337.027331] ? __pfx_kthread+0x10/0x10
[105337.027334] ret_from_fork_asm+0x1a/0x30
[105337.027339] </TASK>
[105337.027341] Modules linked in: wireguard curve25519_x86_64 libchacha20poly1305 libcurve25519_generic chacha_x86_64
libchacha libpoly1305 poly1305_x86_64 uinput ccm snd_seq_dummy snd_hrtimer rfcomm snd_seq snd_seq_device af_packet
hid_logitech_hidpp hid_logitech_dj usbkbd usbmouse hid_generic usbhid cdc_ether usbnet r8152 mii uhid cmac algif_hash
algif_skcipher af_alg rmi_smbus rmi_core bridge stp llc kvmgt mdev vfio_iommu_type1 bnep vfio iommufd cachefiles
coretemp intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common intel_pmc_core_pltdrv
intel_pmc_core pmt_telemetry pmt_class intel_pmc_ssram_telemetry intel_vsec snd_soc_avs intel_tcc_cooling
snd_hda_codec_hdmi snd_soc_hda_codec snd_hda_ext_core snd_soc_core x86_pkg_temp_thermal snd_compress intel_powerclamp
uvcvideo snd_hda_codec_realtek ac97_bus kvm_intel snd_hda_codec_generic kafs snd_ctl_led snd_hda_scodec_component iwlmvm
kvm fcrypt videobuf2_vmalloc snd_pcm_dmaengine ee1004 mac80211 mei_pxp uvc mei_hdcp pcbc irqbypass
[105337.027417] snd_hda_intel videobuf2_memops btusb snd_intel_dspcfg btrtl thinkpad_acpi btintel videobuf2_v4l2 rapl
rxrpc intel_cstate snd_hda_codec btbcm libarc4 snd_hda_core nls_iso8859_1 ip6_udp_tunnel i2c_i801 nls_cp437 e1000e krb5
btmtk videodev snd_pcm udp_tunnel bluetooth nvram iwlwifi platform_profile think_lmi intel_uncore mei_me
videobuf2_common efi_pstore snd_timer i2c_mux vfat sha3_generic firmware_attributes_class tpm_crb ptp dns_resolver
sparse_keymap jitterentropy_rng drbg wmi_bmof ansi_cprng intel_wmi_thunderbolt fat tpm_tis pps_core i2c_smbus netfs snd
cfg80211 mc intel_xhci_usb_role_switch thermal mei intel_pch_thermal rfkill crc16 soundcore tiny_power_button
tpm_tis_core battery ac tpm evdev libaescfb joydev rtc_cmos ecdh_generic bfq rng_core ecc button acpi_pad mousedev
input_leds sch_fq_codel loop fuse dm_mod configfs nfnetlink sd_mod crc32c_cryptoapi ucsi_acpi typec_ucsi roles typec uas
usb_storage scsi_mod scsi_common i915 cfbimgblt cfbfillrect cfbcopyarea drm_client_lib i2c_algo_bit fb_io_fops
[105337.027513] cec drm_buddy iosf_mbi ttm intel_gtt agpgart drm_display_helper psmouse serio_raw atkbd drm_kms_helper
libps2 nvme polyval_clmulni vivaldi_fmap ghash_clmulni_intel drm nvme_core sha512_ssse3 drm_panel_orientation_quirks
aesni_intel xhci_pci gf128mul libaes hwmon fb font xhci_hcd lcd ledtrig_backlight i2c_core usbcore video thunderbolt
usb_common wmi i8042 serio backlight btrfs blake2b_generic xor zstd_compress raid6_pq msr efivarfs dmi_sysfs
sha1_generic sha1_ssse3 ipv6 autofs4
[105337.027559] CR2: 0000000000000022
[105337.027562] ---[ end trace 0000000000000000 ]---
[105337.046994] pstore: backend (efi_pstore) writing error (-28)
[105337.047006] RIP: 0010:afs_set_peer_appdata+0xda/0x150 [kafs]
[105337.047039] Code: e8 eb 7b e8 ff 0f b6 45 21 44 39 e8 7f e1 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 31 f6 41 ff c5 e8
cb 7b e8 ff e9 4f ff ff ff <80> 7a 21 00 74 de 48 63 c5 4c 89 e6 ff c5 48 c1 e0 04 48 8b 7c 18
[105337.047042] RSP: 0000:ffffb68ecc907d90 EFLAGS: 00010246
[105337.047046] RAX: ffffa220468f8d20 RBX: 0000000000000001 RCX: 0000000000000000
[105337.047048] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa221e350d800
[105337.047050] RBP: 0000000000000000 R08: 0000000000000060 R09: 0000000000000000
[105337.047051] R10: ffffb68ecc907dc0 R11: 0000000000000002 R12: ffffa221e350d800
[105337.047053] R13: 0000000000000000 R14: ffffa22048477170 R15: 0000000000000001
[105337.047055] FS: 0000000000000000(0000) GS:ffffa225ceed2000(0000) knlGS:0000000000000000
[105337.047058] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[105337.047060] CR2: 0000000000000022 CR3: 00000004c4018006 CR4: 00000000003726f0
[105337.047063] note: kworker/0:0[1271387] exited with irqs disabled
[107680.086791] head[2282535]: segfault at 2 ip 0000000000000002 sp 00007ffe1a388fc8 error 14 likely on CPU 3 (core 1,
socket 0)
[107680.086818] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
[107680.089697] systemd-coredum[2282536]: segfault at 2 ip 0000000000000002 sp 00007ffc8e86a328 error 14 likely on CPU 2
(core 0, socket 0)
[107680.089706] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
[107680.089716] coredump: 2282536(systemd-coredum): RLIMIT_CORE is set to 1, aborting core
[107680.093992] cat[2282537]: segfault at 2 ip 0000000000000002 sp 00007ffe7b06d108 error 14 likely on CPU 3 (core 1,
socket 0)
[107680.094004] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
[107680.096615] systemd-coredum[2282538]: segfault at 2 ip 0000000000000002 sp 00007ffd04944648 error 14 likely on CPU 1
(core 1, socket 0)
[107680.096625] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
[107680.096637] coredump: 2282538(systemd-coredum): RLIMIT_CORE is set to 1, aborting core
[107680.098015] sleep[2282539]: segfault at 2 ip 0000000000000002 sp 00007ffea1cb1368 error 14 likely on CPU 1 (core 1,
socket 0)
[107680.098036] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
[107680.101247] systemd-coredum[2282540]: segfault at 2 ip 0000000000000002 sp 00007ffd45d89448 error 14 likely on CPU 3
(core 1, socket 0)
[107680.101256] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
[107680.101283] coredump: 2282540(systemd-coredum): RLIMIT_CORE is set to 1, aborting core
[107680.102532] date[2282541]: segfault at 2 ip 0000000000000002 sp 00007ffe95334928 error 14 likely on CPU 2 (core 0,
socket 0)
[107680.102553] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
[107680.104867] systemd-coredum[2282542]: segfault at 2 ip 0000000000000002 sp 00007fff6c757568 error 14 likely on CPU 2
(core 0, socket 0)
[107680.104876] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
[107680.104888] coredump: 2282542(systemd-coredum): RLIMIT_CORE is set to 1, aborting core
-Markus