mptcp: Ensure proper free'ing of master_sk upon failure

We might have inet_opt set from the meta, but inet_sock_destruct will try to free it.
We need to set it to NULL to prevent a use-after-free.

We need to make sure that the socket is in SOCK_DEAD, thus call
sock_orphan() as inet_sock_destruct checks for SOCK_DEAD. Same for
TCP_CLOSE.

The lock has been taken in sk_clone_lock(). Drop it!

Fixes: Zero-day bug
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>

net/mptcp/mptcp_ctrl.c

@@ -1146,15 +1146,13 @@ static int mptcp_alloc_mpcb(struct sock *meta_sk, __u64 remote_key,
 	master_sk = sk_clone_lock(meta_sk, GFP_ATOMIC | __GFP_ZERO);
 	meta_tp->is_master_sk = 0;
 	if (!master_sk)
-		return -ENOBUFS;
+		goto err_alloc_master;
 
 	master_tp = tcp_sk(master_sk);
 
 	mpcb = kmem_cache_zalloc(mptcp_cb_cache, GFP_ATOMIC);
-	if (!mpcb) {
-		sk_free(master_sk);
-		return -ENOBUFS;
-	}
+	if (!mpcb)
+		goto err_alloc_mpcb;
 
 	/* Store the mptcp version agreed on initial handshake */
 	mpcb->mptcp_ver = mptcp_ver;
@@ -1212,11 +1210,7 @@ static int mptcp_alloc_mpcb(struct sock *meta_sk, __u64 remote_key,
 			spin_unlock(&mptcp_tk_hashlock);
 			rcu_read_unlock_bh();
 
-			inet_put_port(master_sk);
-			kmem_cache_free(mptcp_cb_cache, mpcb);
-			sk_free(master_sk);
-
-			return -ENOBUFS;
+			goto err_insert_token;
 		}
 		__mptcp_hash_insert(meta_tp, mpcb->mptcp_loc_token);
 
@@ -1360,6 +1354,19 @@ static int mptcp_alloc_mpcb(struct sock *meta_sk, __u64 remote_key,
 		    __func__, mpcb->mptcp_loc_token);
 
 	return 0;
+
+err_insert_token:
+	kmem_cache_free(mptcp_cb_cache, mpcb);
+
+err_alloc_mpcb:
+	inet_sk(master_sk)->inet_opt = NULL;
+	master_sk->sk_state = TCP_CLOSE;
+	sock_orphan(master_sk);
+	bh_unlock_sock(master_sk);
+	sk_free(master_sk);
+
+err_alloc_master:
+	return -ENOBUFS;
 }
 
 /*  Called without holding lock on mpcb */