Kafs 6.16.0-rc3 BUG: kernel NULL pointer dereference
David Howells
dhowells at redhat.com
Tue Jul 8 07:59:31 PDT 2025
Hi Markus,
Can you try applying the attached patch? It just adds another couple of
tracepoints. Then turn these on, along with the previous ones:
echo 1 > /sys/kernel/debug/tracing/events/afs/afs_new_server/enable
echo 1 > /sys/kernel/debug/tracing/events/afs/afs_del_server/enable
echo 1 > /sys/kernel/debug/tracing/events/afs/afs_cm_no_server/enable
echo 1 > /sys/kernel/debug/tracing/events/afs/afs_cm_no_server_u/enable
echo 1 > /sys/kernel/debug/tracing/events/error_report/enable
What I'm trying to find out is if a server record is getting used after being
freed. We might also need to turn on:
echo 1 > /sys/kernel/debug/tracing/events/afs/afs_server/enable
but that produces a lot more output.
David
---
commit 6369b34201b112370a29234e6bf4bb489f9c48e7
Author: David Howells <dhowells at redhat.com>
Date: Tue Jul 8 15:24:46 2025 +0100
afs: Trace afs_server issues
diff --git a/fs/afs/server.c b/fs/afs/server.c
index a97562f831eb..167e37a3ae0d 100644
--- a/fs/afs/server.c
+++ b/fs/afs/server.c
@@ -141,6 +141,7 @@ static struct afs_server *afs_alloc_server(struct afs_cell *cell, const uuid_t *
server->probe_counter = 1;
server->probed_at = jiffies - LONG_MAX / 2;
+ trace_afs_new_server(server);
afs_inc_servers_outstanding(net);
_leave(" = %p", server);
return server;
@@ -403,6 +404,7 @@ static void afs_server_rcu(struct rcu_head *rcu)
static void __afs_put_server(struct afs_net *net, struct afs_server *server)
{
+ trace_afs_del_server(server);
call_rcu(&server->rcu, afs_server_rcu);
afs_dec_servers_outstanding(net);
}
diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h
index 7f83d242c8e9..65421a69333d 100644
--- a/include/trace/events/afs.h
+++ b/include/trace/events/afs.h
@@ -1314,17 +1314,22 @@ TRACE_EVENT(afs_cm_no_server_u,
TP_STRUCT__entry(
__field(unsigned int, call)
__field(unsigned int, op_id)
+ __field(unsigned int, server_id)
__field_struct(uuid_t, uuid)
+ __field_struct(uuid_t, uuid2)
),
TP_fast_assign(
__entry->call = call->debug_id;
__entry->op_id = call->operation_ID;
+ __entry->server_id = call->server->debug_id;
memcpy(&__entry->uuid, uuid, sizeof(__entry->uuid));
+ __entry->uuid2 = call->server->uuid;
),
- TP_printk("c=%08x op=%u %pU",
- __entry->call, __entry->op_id, &__entry->uuid)
+ TP_printk("c=%08x op=%u S=%08x %pU %pU",
+ __entry->call, __entry->op_id, __entry->server_id,
+ &__entry->uuid, &__entry->uuid2)
);
TRACE_EVENT(afs_flock_ev,
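Review bot: The two new reads of `call->server->debug_id` and `call->server->uuid` in TP_fast_assign assume `call->server` is non-NULL, which is not obviously guaranteed for an event whose purpose is reporting that no server matched the UUID; if any caller of trace_afs_cm_no_server_u fires it with `call->server` unset, the tracepoint itself would oops while chasing the NULL dereference this thread is debugging. A guard keeps the event safe on that path: `__entry->server_id = call->server ? call->server->debug_id : 0;` and `if (call->server) __entry->uuid2 = call->server->uuid; else memset(&__entry->uuid2, 0, sizeof(__entry->uuid2));`. The TRACE_EVENT's TP_PROTO/TP_ARGS lines are above the hunk, so whether the prototype already hands in a server pointer cannot be confirmed from here.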
@@ -1552,6 +1557,60 @@ TRACE_EVENT(afs_server,
__entry->active)
);
+TRACE_EVENT(afs_new_server,
+ TP_PROTO(const struct afs_server *server),
+
+ TP_ARGS(server),
+
+ TP_STRUCT__entry(
+ __field(unsigned int, server)
+ __array(char, cell_name, 28)
+ __field_struct(uuid_t, uuid)
+ __field(unsigned long, addr)
+ ),
+
+ TP_fast_assign(
+ __entry->uuid = server->uuid;
+ __entry->server = server->debug_id;
+ size_t len = umin(server->cell->name_len, sizeof(__entry->cell_name) - 1);
+ memcpy(__entry->cell_name, server->cell->name, len);
+ __entry->addr = (unsigned long)server;
+ ),
+
+ TP_printk("s=%08x %s %pU %lx",
+ __entry->server,
+ __entry->cell_name,
+ &__entry->uuid,
+ __entry->addr)
+ );
+
+TRACE_EVENT(afs_del_server,
+ TP_PROTO(const struct afs_server *server),
+
+ TP_ARGS(server),
+
+ TP_STRUCT__entry(
+ __field(unsigned int, server)
+ __array(char, cell_name, 28)
+ __field_struct(uuid_t, uuid)
+ __field(unsigned long, addr)
+ ),
+
+ TP_fast_assign(
+ __entry->uuid = server->uuid;
+ __entry->server = server->debug_id;
+ size_t len = umin(server->cell->name_len, sizeof(__entry->cell_name) - 1);
+ memcpy(__entry->cell_name, server->cell->name, len);
+ __entry->addr = (unsigned long)server;
+ ),
+
+ TP_printk("s=%08x %s %pU %lx",
+ __entry->server,
+ __entry->cell_name,
+ &__entry->uuid,
+ __entry->addr)
+ );
+
TRACE_EVENT(afs_volume,
TP_PROTO(unsigned int debug_id, afs_volid_t vid, int ref,
enum afs_volume_trace reason),
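Review bot: `cell_name` is never NUL-terminated in either new event: the memcpy copies at most 27 bytes into the 28-byte `__array`, but the trace entry is carved out of the ring buffer without zeroing, so TP_printk's `%s` will read past the copied name into stale buffer bytes whenever `name_len` is shorter than the array. Both afs_new_server and afs_del_server need `__entry->cell_name[len] = 0;` immediately after their memcpy (the `- 1` in the `umin()` bound already leaves room for it). Alternatively `strscpy(__entry->cell_name, server->cell->name, sizeof(__entry->cell_name));` does the bound and terminator in one step, matching how other afs events copy names. The same `server->cell` dereference at put time presumably relies on the cell reference living until afs_server_rcu, which the hunk does not show; worth confirming.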