The function ext4_release_io_end() can be called by ext4_put_io_end_defer() with the EXT4_IO_UNWRITTEN flag set and io_end->size is 0. In that case, it's safe to release the io_end structure, since if io_end->size is zero, there is no unwritten region to release. This can be reproduced using generic/300, although not very reliably, and almost never using a freshly rebooted kernel. Google-Bug-Id: 15054006 Signed-off-by: "Theodore Ts'o" <tytso@xxxxxxx> --- fs/ext4/page-io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c index de6fe969f773..15125e5b4827 100644 --- a/fs/ext4/page-io.c +++ b/fs/ext4/page-io.c @@ -153,7 +153,7 @@ static void ext4_release_io_end(ext4_io_end_t *io_end) struct bio *bio, *next_bio; BUG_ON(!list_empty(&io_end->list)); - BUG_ON(io_end->flag & EXT4_IO_END_UNWRITTEN); + BUG_ON((io_end->flag & EXT4_IO_END_UNWRITTEN) && io_end->size); WARN_ON(io_end->handle); for (bio = io_end->bio; bio; bio = next_bio) { -- 2.24.1
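Review bot: the relaxed assertion `BUG_ON((io_end->flag & EXT4_IO_END_UNWRITTEN) && io_end->size);` encodes the "zero size means there is nothing to convert" reasoning from the commit message, but nothing in the hunk records that reasoning at the site where the next reader will look; add a one-line comment above the BUG_ON stating that an io_end with size 0 may still carry EXT4_IO_END_UNWRITTEN and is safe to release. Two smaller points: the commit message names the flag EXT4_IO_UNWRITTEN while the code tests EXT4_IO_END_UNWRITTEN, so the message should use the real identifier; and since the description attributes the case to ext4_put_io_end_defer() handing over a flagged, zero-size io_end, the message should say whether that caller ought to clear the flag for empty io_ends (keeping this assertion strict) or whether relaxing the assertion here is the intended fix, so the weaker check is not mistaken for an oversight later.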