Kafs 6.16.0-rc3 BUG: kernel NULL pointer dereference
David Howells
dhowells at redhat.com
Mon Jun 30 08:41:18 PDT 2025
Okay, for reference, given:
> RIP: 0010:afs_deliver_cb_init_call_back_state3+0x38/0x190 [kafs]
> ...
> RAX: 0000000000000000 RBX: ffff8b065a065200 RCX: 0000000000000010
> RDX: ffff8b094950ff70 RSI: ffff8b09e2c5dc40 RDI: ffff8b094950ff70
and:
0000000000004090 <afs_deliver_cb_init_call_back_state3>:
4090: push %rbx
4091: mov %rdi,%rbx
4094: movzbl 0x170(%rdi),%eax
409b: test %al,%al
409d: je 40e9
409f: cmp $0x1,%al
40a1: je 4152
40a7: mov 0x148(%rbx),%eax
40ad: cmp $0x5,%eax
40b0: jne 41fd
40b6: mov 0xa0(%rbx),%rax
40bd: mov 0xb0(%rbx),%rdx
40c4: lea 0x10(%rax),%rcx
40c8: mov 0x10(%rax),%rax <-----
It looks like call->server is NULL at this point. RBX holds call, RAX holds
call->server (is NULL) and RCX holds &call->server->_uuid (is 0x10).
This is the line on which the oops occurred:
if (memcmp(call->request, &call->server->_uuid, sizeof(call->server->_uuid)) != 0) {
David
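An added illustration, not part of David's post and not kafs code, that models the NULL call->server path analysed above in C. The struct names, field layout and the guard are assumptions; the server record is laid out so that _uuid sits at offset 0x10, matching RCX = 0x10 when RAX (call->server) = 0.

```c
/* Added example, not code from the post or from kafs: a model of the oops
 * analysed above.  Struct layouts are assumptions chosen so that _uuid
 * sits at offset 0x10 (two pointer-sized fields precede it on x86_64). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct uuid_v1 { uint8_t b[16]; };

/* Hypothetical server record: two pointer-sized fields push _uuid to 0x10. */
struct afs_server {
    void *link;
    void *cell;
    struct uuid_v1 _uuid;
};

/* Hypothetical call: only the fields the faulting line touches. */
struct afs_call {
    struct afs_server *server;      /* NULL in the reported oops */
    unsigned char request[16];
};

/* Address the faulting 'mov 0x10(%rax),%rax' would load from, computed with
 * offsetof so a NULL server yields 0x10 here instead of being dereferenced,
 * just as 'lea 0x10(%rax),%rcx' does in the disassembly. */
uintptr_t uuid_addr(const struct afs_call *call)
{
    return (uintptr_t)call->server + offsetof(struct afs_server, _uuid);
}

enum { DELIVER_OK = 0, DELIVER_NO_SERVER = -1, DELIVER_UUID_MISMATCH = -2 };

/* Hardened shape of the comparison: reject the call when no server is
 * attached instead of reading through the NULL pointer as the oops line does. */
int deliver_cb_init_call_back_state3(const struct afs_call *call)
{
    if (!call->server)
        return DELIVER_NO_SERVER;
    if (memcmp(call->request, &call->server->_uuid,
               sizeof(call->server->_uuid)) != 0)
        return DELIVER_UUID_MISMATCH;
    return DELIVER_OK;
}

/* Constructed scenario matching the oops: server pointer never set. */
int reproduce_oops_path(void)
{
    struct afs_call call = { .server = NULL, .request = { 0 } };
    return deliver_cb_init_call_back_state3(&call);     /* -1, no fault */
}
```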