Open /dev/nbdX first, the config_refs will be 1 and the pointers in nbd_device are still null. Disconnect /dev/nbdX, then reference a null recv_workq. The protection by config_refs in nbd_genl_disconnect is useless. To fix it, just add a check for a non null task_recv in nbd_genl_disconnect. Signed-off-by: Sun Ke <sunke32@xxxxxxxxxx> --- drivers/block/nbd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index b4607dd96185..5e1530bcb81a 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -2008,6 +2008,8 @@ static int nbd_genl_disconnect(struct sk_buff *skb, struct genl_info *info) index); return -EINVAL; } + if (!nbd->task_recv) + return -EINVAL; if (!refcount_inc_not_zero(&nbd->refs)) { mutex_unlock(&nbd_index_mutex); printk(KERN_ERR "nbd: device at index %d is going down\n", -- 2.17.2
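Review bot: the new early `return -EINVAL` under `if (!nbd->task_recv)` in nbd_genl_disconnect() appears to exit with nbd_index_mutex still held. The error path that immediately follows in the context calls `mutex_unlock(&nbd_index_mutex);` before bailing out, so the lock is taken at this point and the added branch would leave it locked, blocking every later caller that needs it. Suggest unlocking in the new branch before returning, as the refcount_inc_not_zero() failure path does. Separately, the commit message names a null recv_workq as the pointer that gets dereferenced, while the check tests task_recv. Either test the pointer that is actually used, or say in the message why task_recv being set guarantees recv_workq is valid.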