nbd: release exp->blk after all clients are closed

If the socket fd is shutdown, there may be some data which is received before shutdown. We will read the data and do read/write in nbd_trip(). But the exp's blk is NULL, and it will cause qemu crashed. Reported-by: Li Zhijian <lizhijian@cn.fujitsu.com> Signed-off-by: Wen Congyang <wency@cn.fujitsu.com> Message-Id: <55F929E2.1020501@cn.fujitsu.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2015-09-16 16:35:46 +08:00 · 2015-09-16 16:35:46 +08:00 · d626834849
commit d626834849
parent 04f2562f8e
1 changed files with 15 additions and 6 deletions
--- a/nbd.c
+++ b/nbd.c
@ -1131,12 +1131,6 @@ void nbd_export_close(NBDExport *exp)
    }
    nbd_export_set_name(exp, NULL);
    nbd_export_put(exp);
-    if (exp->blk) {
-        blk_remove_aio_context_notifier(exp->blk, blk_aio_attached,
-                                        blk_aio_detach, exp);
-        blk_unref(exp->blk);
-        exp->blk = NULL;
-    }
 }

 void nbd_export_get(NBDExport *exp)
@ -1159,6 +1153,13 @@ void nbd_export_put(NBDExport *exp)
            exp->close(exp);
        }

+        if (exp->blk) {
+            blk_remove_aio_context_notifier(exp->blk, blk_aio_attached,
+                                            blk_aio_detach, exp);
+            blk_unref(exp->blk);
+            exp->blk = NULL;
+        }
+
        g_free(exp);
    }
 }
@ -1305,6 +1306,14 @@ static void nbd_trip(void *opaque)
        goto invalid_request;
    }

+    if (client->closing) {
+        /*
+         * The client may be closed when we are blocked in
+         * nbd_co_receive_request()
+         */
+        goto done;
+    }
+
    switch (command) {
    case NBD_CMD_READ:
        TRACE("Request type is READ");