This is an old bug for which the fix hasn't made it into the kernel yet.
Basically, under certain conditions, try_to_free_buffer makes bh=NULL,
the next iteration of the for loop dereferences it and... oops! :-)
The following patch should fix it (thanks to Mark Hemment for pointing it
out).
Ionut
--
It is better to keep your mouth shut and be thought a fool,
than to open it and remove all doubt.
--- linux-2.1.24/fs/buffer.c.old Sun Jan 26 05:07:30 1997
+++ linux-2.1.24/fs/buffer.c Thu Jan 30 01:40:06 1997
@@ -582,6 +582,8 @@
of other sizes, this is necessary now that we
no longer have the lav code. */
try_to_free_buffer(bh,&bh,1);
+ if (!bh)
+ break;
continue;
}
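Review bot: the new `break` after `try_to_free_buffer(bh,&bh,1)` ends the whole scan the first time a buffer head is freed and `bh` is cleared through `&bh`, whereas the `continue` that follows shows the loop was written to move on to the next buffer; if the caller expects every candidate buffer to be examined, consider re-reading the list head and continuing rather than breaking, or state in the comment above ("this is necessary now that we no longer have the lav code") why stopping early is acceptable and that `bh` may be NULL after the call.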