Linus Torvalds writes:

The code is
1a: 8b 3a mov (%edx),%edi
1c: 8d 8f 40 16 00 00 lea 0x1640(%edi),%ecx
22: 39 ca cmp %ecx,%edx
24: 74 49 je 0x6f
26: b9 01 00 00 00 mov $0x1,%ecx
2b:* 39 97 80 24 00 00 cmp %edx,0x2480(%edi) <-- trapping instruction
31: 74 3c je 0x6f
and that first "je" is the test for "link == &link->ap->link" (which only takes the address relative to "link->ap" - thus the "lea"), and that cmp that oopses is indeed loading that actual slave_link value.
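The shape of that disassembly (compare against an address computed by lea, prepare a return value of 1, then compare against a pointer loaded from the same base register) is what a compiler emits for a two-clause check of the form `link == &link->ap->link || link == link->ap->slave_link`. The following is an added example, not code from Linus's message or from libata itself: it reconstructs that predicate under an assumed `struct ata_port` layout (explicit padding so that `link` sits at 0x1640 and `slave_link` at 0x2480, the two displacements in the disassembly), and adds a small ModRM/disp32 decoder so the constants in the "Code:" bytes can be checked against `offsetof`. The function name `ata_is_host_link` and the field names are assumptions chosen to match the kernel's libata naming; only the offsets come from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: only the fields the predicate touches are modelled. */
struct ata_port;
struct ata_link {
    struct ata_port *ap;            /* %edi = link->ap after "mov (%edx),%edi" */
};

struct ata_port {
    char pad0[0x1640];              /* assumed padding so that link lands at 0x1640 */
    struct ata_link link;           /* &ap->link == lea 0x1640(%edi) */
    char pad1[0x2480 - 0x1640 - sizeof(struct ata_link)];
    struct ata_link *slave_link;    /* ap->slave_link == the load at 0x2480(%edi) */
};

_Static_assert(offsetof(struct ata_port, link) == 0x1640, "link offset must match the lea");
_Static_assert(offsetof(struct ata_port, slave_link) == 0x2480, "slave_link offset must match the cmp");

/* Reconstructed predicate (assumed to be libata's ata_is_host_link). */
int ata_is_host_link(const struct ata_link *link)
{
    /* Clause 1: pure address arithmetic on link->ap. The compiler only needs
     * "lea 0x1640(%edi),%ecx; cmp %ecx,%edx"; nothing is loaded through ap,
     * so a bogus ap value passes through here without faulting. */
    if (link == &link->ap->link)
        return 1;
    /* Clause 2: this one dereferences ap ("cmp %edx,0x2480(%edi)"). With a
     * stale or garbage ap this is the instruction that oopses. */
    return link == link->ap->slave_link;
}

/* Decode the 32-bit displacement of a mod=10, no-SIB ModRM operand.
 * `modrm` points at the ModRM byte (the byte after the opcode). Returns -1
 * for any other addressing form. */
int32_t modrm_disp32(const uint8_t *modrm)
{
    uint8_t mod = modrm[0] >> 6;
    uint8_t rm  = modrm[0] & 7;
    if (mod != 2 || rm == 4)        /* rm == 4 would mean a SIB byte follows */
        return -1;
    return (int32_t)((uint32_t)modrm[1]
                   | (uint32_t)modrm[2] << 8
                   | (uint32_t)modrm[3] << 16
                   | (uint32_t)modrm[4] << 24);
}

/* Exercise the predicate on a constructed port: the embedded master link, a
 * separate slave link, and an unrelated link. Returns a bitmask
 * (master << 2) | (slave << 1) | other, expected 6. */
int demo_host_link_check(void)
{
    static struct ata_port port;    /* static: ~9 KiB, keep it off the stack */
    static struct ata_link slave, other;

    port.link.ap = &port;
    slave.ap = &port;
    other.ap = &port;
    port.slave_link = &slave;

    int master_is_host = ata_is_host_link(&port.link);
    int slave_is_host  = ata_is_host_link(&slave);
    int other_is_host  = ata_is_host_link(&other);
    return (master_is_host << 2) | (slave_is_host << 1) | other_is_host;
}

int main(void)
{
    /* Bytes copied from the oops: "8d 8f 40 16 00 00" and "39 97 80 24 00 00". */
    const uint8_t lea_modrm[] = { 0x8f, 0x40, 0x16, 0x00, 0x00 };
    const uint8_t cmp_modrm[] = { 0x97, 0x80, 0x24, 0x00, 0x00 };

    printf("lea displacement 0x%x == offsetof(ap, link)       0x%zx\n",
           modrm_disp32(lea_modrm), offsetof(struct ata_port, link));
    printf("cmp displacement 0x%x == offsetof(ap, slave_link) 0x%zx\n",
           modrm_disp32(cmp_modrm), offsetof(struct ata_port, slave_link));
    printf("host-link check bitmask: %d (expected 6)\n", demo_host_link_check());
    return 0;
}
```

The practical point for reading such an oops: the faulting displacement (0x2480) names the field being loaded, and the register used as base (%edi, loaded from `(%edx)`, i.e. `link->ap`) names the pointer that was bad. Matching those constants against `pahole` or `offsetof` output for the real struct is the quickest way to confirm which source line the trapping instruction belongs to.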