Forwarded: Re: [syzbot] [nbd?] KASAN: slab-use-after-free Write in recv_work (3)
From: syzbot
Date: Mon Nov 03 2025 - 00:49:32 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx.
***
Subject: Re: [syzbot] [nbd?] KASAN: slab-use-after-free Write in recv_work (3)
Author: lizhi.xu@xxxxxxxxxxxxx
#syz test
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index a853c65ac65d..d5de9bac68f1 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1024,9 +1024,9 @@ static void recv_work(struct work_struct *work)
nbd_mark_nsock_dead(nbd, nsock, 1);
mutex_unlock(&nsock->tx_lock);
- nbd_config_put(nbd);
atomic_dec(&config->recv_threads);
wake_up(&config->recv_wq);
+ nbd_config_put(nbd);
kfree(args);
}
@@ -1540,7 +1540,10 @@ static int nbd_start_device(struct nbd_device *nbd)
args->index = i;
queue_work(nbd->recv_workq, &args->work);
}
- return nbd_set_size(nbd, config->bytesize, nbd_blksize(config));
+ error = nbd_set_size(nbd, config->bytesize, nbd_blksize(config));
+ if (error)
+ flush_workqueue(nbd->recv_workq);
+ return error;
}
static int nbd_start_device_ioctl(struct nbd_device *nbd)
@@ -2355,6 +2358,7 @@ static int nbd_genl_reconfigure(struct sk_buff *skb, struct genl_info *info)
}
mutex_unlock(&nbd_index_mutex);
+ mutex_lock(&nbd->config_lock);
config = nbd_get_config_unlocked(nbd);
if (!config) {
dev_err(nbd_to_dev(nbd),
@@ -2363,7 +2367,6 @@ static int nbd_genl_reconfigure(struct sk_buff *skb, struct genl_info *info)
return -EINVAL;
}
- mutex_lock(&nbd->config_lock);
if (!test_bit(NBD_RT_BOUND, &config->runtime_flags) ||
!nbd->pid) {
dev_err(nbd_to_dev(nbd),