uring: fix heap-use-after-free bug in sock_flush_client

If the req's cb_fn closes the socket, there is a heap-use-after-free
error if we continue to access sock.

Signed-off-by: Richael Zhuang <richael.zhuang@arm.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/11855 (master)

(cherry picked from commit 3ee923eff1)
Change-Id: I88c6adb9d25e52d94b08f53e8ccac611c4d29fff
Signed-off-by: Krzysztof Karas <krzysztof.karas@intel.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/12479
Reviewed-by: Tomasz Zawadzki <tomasz.zawadzki@intel.com>
Reviewed-by: Konrad Sztyber <konrad.sztyber@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Richael Zhuang 2022-03-01 16:32:57 +08:00 committed by Keith Lucas
parent eaeddb74d2
commit 2c2fea9ea4

@ -1138,6 +1138,7 @@ _sock_flush_client(struct spdk_sock *_sock)
int iovcnt;
ssize_t rc;
int flags = sock->zcopy_send_flags;
int retval;
/* Can't flush from within a callback or we end up with recursive calls */
if (_sock->cb_cnt > 0) {
@ -1161,7 +1162,11 @@ _sock_flush_client(struct spdk_sock *_sock)
return rc;
}
sock_complete_reqs(_sock, rc);
retval = sock_complete_reqs(_sock, rc);
if (retval < 0) {
/* if the socket is closed, return to avoid heap-use-after-free error */
return retval;
}
#ifdef SPDK_ZEROCOPY
if (sock->zcopy && !TAILQ_EMPTY(&_sock->pending_reqs)) {
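Review bot: the new `if (retval < 0)` branch treats every negative return from sock_complete_reqs as "socket closed", but that contract is not stated anywhere in the visible lines, so a short comment on sock_complete_reqs saying that a negative return means a cb_fn closed the socket would make the check verifiable. The branch also hands `retval` back through the same return path as the earlier `return rc;`, so callers of _sock_flush_client cannot tell a failed send from a socket that was closed in a callback; it is worth confirming that every call site stops dereferencing the sock after any negative return, otherwise the use-after-free just moves one frame up.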