From 2c2fea9ea4c6de8c0347ca0a2adcea7934f3c30c Mon Sep 17 00:00:00 2001
From: Richael Zhuang
Date: Tue, 1 Mar 2022 16:32:57 +0800
Subject: [PATCH] uring: fix heap-use-after-free bug in sock_flush_client

If the req's cb_fn will close the socket, there is heap-use-after-free error if continuing to access sock.

Signed-off-by: Richael Zhuang
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/11855 (master)
(cherry picked from commit 3ee923eff112dab96b296c55cdf4d5066375c667)
Change-Id: I88c6adb9d25e52d94b08f53e8ccac611c4d29fff
Signed-off-by: Krzysztof Karas
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/12479
Reviewed-by: Tomasz Zawadzki
Reviewed-by: Konrad Sztyber
Reviewed-by: Jim Harris
Tested-by: SPDK CI Jenkins
---
 module/sock/uring/uring.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/module/sock/uring/uring.c b/module/sock/uring/uring.c
index 80ac12db3..434f3c2fc 100644
--- a/module/sock/uring/uring.c
+++ b/module/sock/uring/uring.c
@@ -1138,6 +1138,7 @@ _sock_flush_client(struct spdk_sock *_sock)
 	int iovcnt;
 	ssize_t rc;
 	int flags = sock->zcopy_send_flags;
+	int retval;
 
 	/* Can't flush from within a callback or we end up with recursive calls */
 	if (_sock->cb_cnt > 0) {
@@ -1161,7 +1162,11 @@ _sock_flush_client(struct spdk_sock *_sock)
 		return rc;
 	}
 
-	sock_complete_reqs(_sock, rc);
+	retval = sock_complete_reqs(_sock, rc);
+	if (retval < 0) {
+		/* if the socket is closed, return to avoid heap-use-after-free error */
+		return retval;
+	}
 
 #ifdef SPDK_ZEROCOPY
 	if (sock->zcopy && !TAILQ_EMPTY(&_sock->pending_reqs)) {
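Review bot: The early `return retval` in the second hunk moves the use-after-free hazard up one level rather than removing it: `_sock_flush_client` now returns a negative value after `_sock` may already have been freed by a completion callback, and nothing in the hunk tells its callers that a negative return means "do not touch `_sock` again" rather than an ordinary send error they might handle by dereferencing the socket. I cannot see the callers or the return contract of `sock_complete_reqs` from this patch, so this is inferred, but the contract should be stated where the callers will read it; a header comment on `_sock_flush_client` along the lines of `/* Returns <0 if a completion callback closed the socket; the caller must not access _sock after that. */` would do. It would also be worth writing the same promise on `sock_complete_reqs` itself, since the fix depends on its negative return meaning exactly "socket closed" and nothing else. The enclosing function `_sock_flush_client` begins before the first hunk and continues past the end of the second.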