Return-Path: 
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751977AbcDUKBB (ORCPT ); Thu, 21 Apr 2016 06:01:01 -0400
Received: from mail-wm0-f50.google.com ([74.125.82.50]:37522 "EHLO mail-wm0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751417AbcDUKA7 (ORCPT ); Thu, 21 Apr 2016 06:00:59 -0400
MIME-Version: 1.0
In-Reply-To: 
References: <20160420211456.GE4775@htj.duckdns.org>
From: Dmitry Vyukov 
Date: Thu, 21 Apr 2016 12:00:38 +0200
Message-ID: 
Subject: Re: fs: GPF in locked_inode_to_wb_and_lock_list
To: Andrey Ryabinin 
Cc: Tejun Heo , Alexander Viro , "linux-fsdevel@vger.kernel.org" , LKML , syzkaller , Kostya Serebryany , Alexander Potapenko 
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: 
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 695
Lines: 19

On Thu, Apr 21, 2016 at 11:45 AM, Andrey Ryabinin wrote:
> 2016-04-21 11:35 GMT+03:00 Dmitry Vyukov :
>>
>> ffffffff818884dd: 48 8b 03    mov (%rbx),%rax
>>
>> So whatever load "&wb->bdi->wb" produces is a NULL deref. (is it wb
>> that is NULL?)
>
> Yes it's NULL wb, because there is only one load:
> mov (%rbx),%rax   => rax = wb->bdi
> add $0x50,%rax    => rax = &bdi->wb

I bet that wb becomes NULL on the second iteration of the loop. The
loop loops in case of a race with another thread, so it would also
explain why it is difficult to reproduce.

Tejun, does it make any sense to you?
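The race Dmitry describes above (an association pointer re-read on a retry iteration coming back NULL because another thread detached it while the first lock was dropped) can be reproduced in a small user-space model. The following is an added, constructed example for this page, not the kernel's locked_inode_to_wb_and_lock_list() and not code from the thread: the struct names (model_wb, model_inode, lookup_result), the race_hook callback that stands in for the other CPU, and the check_null switch are this example's own inventions. The model runs single-threaded and injects the "other thread" at the exact point where the kernel pattern drops i_lock and takes wb->list_lock; the unhardened variant records where the NULL load would have faulted instead of crashing, so both variants can be compared.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed, single-threaded model of a "look up association, drop one
 * lock, take another, re-check, retry on mismatch" loop. It is NOT the
 * kernel's locked_inode_to_wb_and_lock_list(); all names below are this
 * example's own.
 */

struct model_wb {
	int id;
	int refcnt;
};

struct model_inode {
	struct model_wb *i_wb;	/* association another thread may change */
};

struct lookup_result {
	struct model_wb *wb;	/* association returned, or NULL */
	int iterations;		/* how many times the loop body ran */
	int null_deref;		/* 1 if the unhardened path would have faulted */
};

/* Hook standing in for "another thread" acting while i_lock is dropped. */
typedef void (*race_hook)(struct model_inode *inode, int iteration);

static struct lookup_result
lookup_wb(struct model_inode *inode, race_hook race, int check_null)
{
	struct lookup_result r = { NULL, 0, 0 };

	for (int i = 0;; i++) {
		struct model_wb *wb = inode->i_wb;	/* inode_to_wb() stand-in */

		r.iterations++;
		if (wb == NULL) {
			if (check_null)
				return r;	/* hardened: do not touch a detached inode */
			/*
			 * Unhardened: the next statement would be the
			 * wb_get()-style load through a NULL pointer, i.e.
			 * the GPF in the report. Record it instead of crashing.
			 */
			r.null_deref = 1;
			return r;
		}

		wb->refcnt++;		/* wb_get(): first dereference of wb */

		/* Window: i_lock released, wb->list_lock taken; other CPU runs. */
		if (race)
			race(inode, i);

		if (wb == inode->i_wb) {	/* association still valid */
			wb->refcnt--;
			r.wb = wb;
			return r;
		}

		wb->refcnt--;		/* wb_put(): association changed, retry */
	}
}

/* "Other thread": on the first iteration, detach the inode (i_wb = NULL). */
static void detach_on_first_iteration(struct model_inode *inode, int iteration)
{
	if (iteration == 0)
		inode->i_wb = NULL;
}

/* Run one scenario: with or without the racing detach, with or without the NULL check. */
static struct lookup_result run_scenario(int check_null, int with_race)
{
	static struct model_wb wb0 = { 1, 0 };
	struct model_inode inode = { &wb0 };

	return lookup_wb(&inode, with_race ? detach_on_first_iteration : NULL,
			 check_null);
}

int main(void)
{
	struct lookup_result plain = run_scenario(0, 0);
	struct lookup_result unhardened = run_scenario(0, 1);
	struct lookup_result hardened = run_scenario(1, 1);

	printf("no race:    iterations=%d wb id=%d\n", plain.iterations, plain.wb->id);
	printf("unhardened: iterations=%d null_deref=%d\n",
	       unhardened.iterations, unhardened.null_deref);
	printf("hardened:   iterations=%d wb=%p\n",
	       hardened.iterations, (void *)hardened.wb);
	return 0;
}
```

Without the race the loop exits on the first iteration. With the racing detach, the first iteration's re-check fails (the cached wb no longer matches i_wb), the loop retries, and the second iteration's lookup yields NULL: exactly the "NULL on the second iteration" path, which is only reachable through the race window and therefore hard to hit. Whether the real fix should check for NULL in the loop or prevent the detach while a lookup is in flight is the design question left open in the thread; the model only shows the ordering.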