Tejun Heo wrote: > On Sun, May 27, 2018 at 11:21:25AM +0900, Tetsuo Handa wrote: > > syzbot is still hitting NULL pointer dereference at wb_workfn() [1]. > > This might be because we overlooked that delayed_work_timer_fn() does not > > check WB_registered before calling __queue_work() while mod_delayed_work() > > does not wait for already started delayed_work_timer_fn() because it uses > > del_timer() rather than del_timer_sync(). > > It shouldn't be that as dwork timer is an irq safe timer. Even if > that's the case, the right thing to do would be fixing workqueue > rather than reaching into workqueue internals from backing-dev code. > Do you think that there is possibility that __queue_work() is almost concurrently executed from two CPUs, one from mod_delayed_work(bdi_wq, &wb->dwork, 0) from wb_shutdown() path (which is called without spin_lock_bh(&wb->work_lock)) and the other from delayed_work_timer_fn() path (which is called without checking WB_registered bit under spin_lock_bh(&wb->work_lock)) ?
