From 4b156248776f734d63fe37629d56c40234fda9c0 Mon Sep 17 00:00:00 2001
From: WangJian
Date: Wed, 9 Feb 2022 10:42:33 +0800
Subject: [PATCH] nbd/server.c: fix invalid read after client was already free

In the process of NBD equipment pressurization, executing QEMU NBD will lead to the failure of IO distribution and go to NBD_ Out process of trip(). If two or more IO go to the out process, client NBD will release in nbd_request_put(). The user after free problem that is read again in close(). Through the NBD_ Save the value of client > closing before the out process in trip to solve the use after free problem.

Signed-off-by: wangjian161
---
 nbd/server.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/nbd/server.c b/nbd/server.c
index 4630dd7322..37515ed520 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -2606,6 +2606,7 @@ static coroutine_fn void nbd_trip(void *opaque)
 NBDRequestData *req;
 NBDRequest request = { 0 }; /* GCC thinks it can be used uninitialized */
 int ret;
+ bool client_closing;
 Error *local_err = NULL;
 trace_nbd_trip();
@@ -2681,8 +2682,11 @@ disconnect:
 if (local_err) {
 error_reportf_err(local_err, "Disconnect client, due to: ");
 }
+ client_closing = client->closing;
 nbd_request_put(req);
- client_close(client, true);
+ if (!client_closing) {
+ client_close(client, true);
+ }
 nbd_client_put(client);
 }
-- 
2.27.0
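Review bot: Copying `client->closing` into `client_closing` before `nbd_request_put(req)` does not remove the use-after-free the commit describes, because the new code still calls `nbd_client_put(client)` on the last line of the second hunk after that same put; if nbd_request_put() can really free the client, that call touches freed memory exactly as the old client_close() did. If instead nbd_trip keeps its own reference on the client for the whole coroutine (the trailing nbd_client_put suggests it does, though the matching get is outside the hunk), the client cannot be freed inside nbd_request_put() and the snapshot is unnecessary, since `if (!client->closing)` evaluated after the put would be equivalent. Either way this reads as a reference-ordering problem rather than a missing flag check, so I would want the get/put pairing on the client audited, or the request released only after client_close(), rather than a flag saved across the call. The body of nbd_trip starts well before the first hunk and the out/disconnect labels are not fully visible here. If the snapshot is kept, the new line should say why it exists, e.g. `/* read before nbd_request_put(): it may drop the request's ref on client */`.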