Hi,
I was working on the following syzbot bug:
https://syzkaller.appspot.com/bug?extid=ce3af36144a13b018cc7
Upon debugging I found that in this case the buffer_head is having count
0 and then when __brelse is called it tries to free it. A simple
solution to this problem would be to remove the warn call. Since in any
case the buffers only get freed if the count is present and consequently
the pointers are also set to null. Additionally we could add a check in
the has_bh_in_lru to also consider the counter.
Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/buffer.c?id=d192f5382581d972c4ae1b4d72e0b59b34cadeb9#n1509