Comment 2 for bug 1947557

Andrea Righi (arighi) wrote :

Additional information about this (from the memory dump that I was able to get):

crash> gdb list *(wb_timer_fn+0x44)
0xffffffff991abcc4 is in wb_timer_fn (/build/impish/block/blk-wbt.c:237).
235 static int latency_exceeded(struct rq_wb *rwb, struct blk_rq_stat *stat)
236 {
237 struct backing_dev_info *bdi = rwb->rqos.q->disk->bdi;
238 struct rq_depth *rqd = &rwb->rq_depth;
239 u64 thislat;

It looks like rwb->rqos.q->disk was NULL, likely the callback wb_timer_fn() was executed after a block device has been unregistered... probably a missing del_timer_sync() somewhere in the code?

This is also confirmed by:

[ 119.987108] BUG: kernel NULL pointer dereference, address: 0000000000000098

0x98 in hex is 152 and looking at struct gendisk, offset 152 is .bdi:

crash> struct gendisk.bdi
struct gendisk {
  [152] struct backing_dev_info *bdi;
}
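
The triage step in the comment above, as an added example that is not part of the original comment or of the kernel source: for each pointer in the chain rwb->rqos.q->disk->bdi, compute the address a load would fault at if that pointer were NULL, then match the oops address against it. The struct layouts are constructed mocks; only gendisk.bdi at offset 152 comes from the crash output, and the 4096-byte page size is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mock layouts (constructed). Only gendisk.bdi == 152 is taken from the
 * crash output; every other offset is a placeholder for illustration. */
struct backing_dev_info { int unused; };
struct gendisk       { char pad[152]; struct backing_dev_info *bdi; };
struct request_queue { char pad[64];  struct gendisk *disk; };
struct rq_qos        { char pad[8];   struct request_queue *q; };
struct rq_wb         { char pad[16];  struct rq_qos rqos; };

_Static_assert(offsetof(struct gendisk, bdi) == 152, "must match crash output");

/* One load in the chain: if null_ptr is NULL, the load faults at address off. */
struct link { const char *null_ptr; const char *load; size_t off; };

static const struct link chain[] = {
    { "rwb", "rwb->rqos.q",
      offsetof(struct rq_wb, rqos) + offsetof(struct rq_qos, q) },
    { "rwb->rqos.q", "q->disk", offsetof(struct request_queue, disk) },
    { "rwb->rqos.q->disk", "disk->bdi", offsetof(struct gendisk, bdi) },
};

/* Return the pointer that must have been NULL for the chain to fault at
 * fault_addr, or NULL when no link explains the address. */
const char *null_link_for_fault(uint64_t fault_addr)
{
    /* A NULL base plus a member offset stays inside the first page
     * (assumed 4096 bytes); anything else is a different kind of bug. */
    if (fault_addr >= 4096)
        return NULL;
    for (size_t i = 0; i < sizeof(chain) / sizeof(chain[0]); i++)
        if (chain[i].off == fault_addr)
            return chain[i].null_ptr;
    return NULL;
}

int main(void)
{
    for (size_t i = 0; i < sizeof(chain) / sizeof(chain[0]); i++)
        printf("%-18s NULL -> load of %-12s faults at 0x%zx\n",
               chain[i].null_ptr, chain[i].load, chain[i].off);
    const char *hit = null_link_for_fault(0x98); /* address from the oops */
    printf("fault at 0x98: NULL pointer was %s\n", hit ? hit : "(no match)");
    return 0;
}
```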