For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [nbd?] KASAN: slab-use-after-free Write in recv_work (3)
Author: lizhi.xu@windriver.com

#syz test

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index a853c65ac65d..d5de9bac68f1 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1024,9 +1024,9 @@ static void recv_work(struct work_struct *work)
 	nbd_mark_nsock_dead(nbd, nsock, 1);
 	mutex_unlock(&nsock->tx_lock);
 
-	nbd_config_put(nbd);
 	atomic_dec(&config->recv_threads);
 	wake_up(&config->recv_wq);
+	nbd_config_put(nbd);
 	kfree(args);
 }
 
@@ -1540,7 +1540,10 @@ static int nbd_start_device(struct nbd_device *nbd)
 		args->index = i;
 		queue_work(nbd->recv_workq, &args->work);
 	}
-	return nbd_set_size(nbd, config->bytesize, nbd_blksize(config));
+	error = nbd_set_size(nbd, config->bytesize, nbd_blksize(config));
+	if (error)
+		flush_workqueue(nbd->recv_workq);
+	return error;
 }
 
 static int nbd_start_device_ioctl(struct nbd_device *nbd)
@@ -2355,6 +2358,7 @@ static int nbd_genl_reconfigure(struct sk_buff *skb, struct genl_info *info)
 	}
 	mutex_unlock(&nbd_index_mutex);
 
+	mutex_lock(&nbd->config_lock);
 	config = nbd_get_config_unlocked(nbd);
 	if (!config) {
 		dev_err(nbd_to_dev(nbd),
@@ -2363,7 +2367,6 @@ static int nbd_genl_reconfigure(struct sk_buff *skb, struct genl_info *info)
 		return -EINVAL;
 	}
 
-	mutex_lock(&nbd->config_lock);
 	if (!test_bit(NBD_RT_BOUND, &config->runtime_flags) ||
 	    !nbd->pid) {
 		dev_err(nbd_to_dev(nbd),