Commit 3ee923ef authored by Richael Zhuang, committed by Tomasz Zawadzki

uring: fix heap-use-after-free bug in sock_flush_client



If the req's cb_fn will close the socket, there is a heap-use-after-free
error if continuing to access sock.

Signed-off-by: Richael Zhuang <richael.zhuang@arm.com>
Change-Id: I88c6adb9d25e52d94b08f53e8ccac611c4d29fff
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/11855


Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Community-CI: Broadcom CI <spdk-ci.pdl@broadcom.com>
Community-CI: Mellanox Build Bot
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: Aleksey Marchuk <alexeymar@mellanox.com>
parent 6c3fdade
+6 −1
@@ -1138,6 +1138,7 @@ _sock_flush_client(struct spdk_sock *_sock)
	int iovcnt;
	ssize_t rc;
	int flags = sock->zcopy_send_flags;
	int retval;

	/* Can't flush from within a callback or we end up with recursive calls */
	if (_sock->cb_cnt > 0) {
@@ -1161,7 +1162,11 @@ _sock_flush_client(struct spdk_sock *_sock)
		return rc;
	}

	sock_complete_reqs(_sock, rc);
	retval = sock_complete_reqs(_sock, rc);
	if (retval < 0) {
		/* if the socket is closed, return to avoid heap-use-after-free error */
		return retval;
	}

#ifdef SPDK_ZEROCOPY
	if (sock->zcopy && !TAILQ_EMPTY(&_sock->pending_reqs)) {
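Review bot: The early return at `if (retval < 0)` treats every negative value from `sock_complete_reqs()` as "the socket was closed inside a callback", but nothing on these lines states that this is the callee's contract. Please spell it out in the comment (a negative return means `_sock` may already be freed and must not be dereferenced), since the `sock->zcopy` and `_sock->pending_reqs` accesses directly below are exactly what this check guards. Also note that the function now returns `retval` on this path and `rc` on the earlier `return rc;` path, so a caller sees a negative value in both cases and cannot tell a closed socket from the other failure; document which values callers should expect, or return a distinct code for the closed case.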