I'm looking at afs_syscall_pioctl and I can't figure out how it could possibly work, except by accident. I think all calls to afs_HandlePioctl require a VTOAFS() on the first arg. That's what the old Transarc code did.