This repository has been archived by the owner on Apr 18, 2024. It is now read-only.
mptcp: Initialize IPv6-fields even more correctly
Commit 708e2af ("mptcp: Correctly initialize IPv6 fields") tried to address the issue, but wasn't complete. We need to stop collecting the IPv6-SYN once the connection has been established by setting the rxopt and repflow bits to 0. Also, we need to clear pktoptions to NULL, as it got copied through the memcpy.

Otherwise, we will panic:

BUG: KASAN: use-after-free in kfree_skb+0x284/0x2d0 net/core/skbuff.c:659
Read of size 4 at addr ffff88806a0da734 by task kworker/u4:3/927

CPU: 0 PID: 927 Comm: kworker/u4:3 Not tainted 4.14.104 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
Workqueue: mptcp_wq mptcp_sub_close_wq
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xc6/0x15c lib/dump_stack.c:53
 print_address_description+0x6e/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x251/0x340 mm/kasan/report.c:409
 __read_once_size include/linux/compiler.h:183 [inline]
 atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 refcount_read include/linux/refcount.h:42 [inline]
 skb_unref include/linux/skbuff.h:952 [inline]
 kfree_skb+0x284/0x2d0 net/core/skbuff.c:659
 inet6_destroy_sock+0x9b/0x160 net/ipv6/af_inet6.c:463
 inet_csk_destroy_sock+0x16f/0x3e0 net/ipv4/inet_connection_sock.c:843
 tcp_close+0xb98/0x1310 net/ipv4/tcp.c:2375
 mptcp_sub_close_doit net/mptcp/mptcp_ctrl.c:1553 [inline]
 mptcp_sub_close_wq+0x112/0x360 net/mptcp/mptcp_ctrl.c:1575
 process_one_work+0x927/0x13e0 kernel/workqueue.c:2114
 worker_thread+0x1bf/0xfb0 kernel/workqueue.c:2248
 kthread+0x316/0x3e0 kernel/kthread.c:232
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:402

Allocated by task 14:
 save_stack+0x32/0xb0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xa0/0xd0 mm/kasan/kasan.c:551
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc_node mm/slub.c:2723 [inline]
 slab_alloc mm/slub.c:2731 [inline]
 kmem_cache_alloc+0xd0/0x1f0 mm/slub.c:2736
 skb_clone+0x17a/0x450 net/core/skbuff.c:1282
 tcp_v6_syn_recv_sock+0x108e/0x2390 net/ipv6/tcp_ipv6.c:1272
 tcp_get_cookie_sock+0xe7/0x5c0 net/ipv4/syncookies.c:219
 cookie_v6_check+0x186c/0x27e0 net/ipv6/syncookies.c:273
 tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1039 [inline]
 tcp_v6_do_rcv+0xf54/0x12f0 net/ipv6/tcp_ipv6.c:1366
 tcp_v6_rcv+0x2b7e/0x3640 net/ipv6/tcp_ipv6.c:1603
 ip6_input_finish.constprop.10+0x2fd/0x1140 net/ipv6/ip6_input.c:284
 dst_input include/net/dst.h:465 [inline]
 ip6_rcv_finish+0x144/0x460 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:365 [inline]
 ipv6_rcv+0xcaa/0x14a0 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0xc85/0x2280 net/core/dev.c:4477
 __netif_receive_skb+0x27/0x1a0 net/core/dev.c:4515
 process_backlog+0x1f8/0x650 net/core/dev.c:5197
 napi_poll net/core/dev.c:5595 [inline]
 net_rx_action+0x68c/0x1520 net/core/dev.c:5661
 __do_softirq+0x1f5/0x6bf kernel/softirq.c:288

Freed by task 1902:
 save_stack+0x32/0xb0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kmem_cache_free+0x79/0x1f0 mm/slub.c:2988
 kfree_skbmem+0x187/0x1b0 net/core/skbuff.c:586
 __kfree_skb net/core/skbuff.c:646 [inline]
 kfree_skb+0x121/0x2d0 net/core/skbuff.c:663
 inet6_destroy_sock+0x9b/0x160 net/ipv6/af_inet6.c:463
 inet_csk_destroy_sock+0x16f/0x3e0 net/ipv4/inet_connection_sock.c:843
 inet_csk_listen_stop+0x2df/0xa20 net/ipv4/inet_connection_sock.c:1003
 tcp_close+0xda5/0x1310 net/ipv4/tcp.c:2227
 inet_release+0xea/0x1c0 net/ipv4/af_inet.c:428
 inet6_release+0x4b/0x70 net/ipv6/af_inet6.c:449
 __sock_release+0xce/0x280 net/socket.c:602
 sock_close+0x15/0x20 net/socket.c:1138
 __fput+0x2f6/0x790 fs/file_table.c:210
 task_work_run+0x1e4/0x290 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x1cd/0x200 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
 do_syscall_64+0x4b4/0x620 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Thanks, syzbot!

Fixes: Zero-day bug
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
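The ownership problem behind this use-after-free, as an added, self-contained example that is not the MPTCP project's code: a child socket struct is produced by memcpy'ing the listener, so a heap-owned pointer (a stand-in for pktoptions) ends up with two owners, and the second destroy frees it again. The `struct sock`, `rxopt`, `repflow`, `pktoptions` and the accept/destroy routines below are hypothetical simplifications, not the kernel's; the "fixed" path does what the commit message describes, clearing the collection flags and the copied pointer on the established child.

```c
/* Added example, not MPTCP project code. Models the bug in the commit
 * message: a shallow struct copy shares a heap-owned pointer between the
 * listener and the child, so two destroys free it twice (use-after-free).
 * All names are hypothetical stand-ins for the kernel's fields. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct options { int len; };

struct sock {
    int rxopt;                    /* "still collecting SYN options" flags */
    int repflow;
    struct options *pktoptions;   /* heap-owned; must have exactly one owner */
};

/* A listener that is still collecting SYN options. */
static struct sock *sock_listen(void) {
    struct sock *sk = calloc(1, sizeof *sk);
    if (!sk) return NULL;
    sk->rxopt = 1;
    sk->repflow = 1;
    sk->pktoptions = calloc(1, sizeof *sk->pktoptions);
    return sk;
}

/* Buggy child creation: memcpy copies the pointer, creating a second owner
 * and leaving the child in "collecting" state. */
static struct sock *sock_accept_buggy(const struct sock *listener) {
    struct sock *child = malloc(sizeof *child);
    if (!child) return NULL;
    memcpy(child, listener, sizeof *child);
    return child;
}

/* Fixed child creation: the established connection stops collecting and
 * owns no copied SYN options. */
static struct sock *sock_accept_fixed(const struct sock *listener) {
    struct sock *child = malloc(sizeof *child);
    if (!child) return NULL;
    memcpy(child, listener, sizeof *child);
    child->rxopt = 0;
    child->repflow = 0;
    child->pktoptions = NULL;
    return child;
}

/* Destroy a socket and whatever it owns (mirrors inet6_destroy_sock freeing
 * pktoptions before the socket itself). */
static void sock_destroy(struct sock *sk) {
    free(sk->pktoptions);
    free(sk);
}

/* 1 if both sockets would free the same pktoptions object, else 0. */
static int double_owner(const struct sock *a, const struct sock *b) {
    return a->pktoptions != NULL && a->pktoptions == b->pktoptions;
}

/* 1 if the child looks like an established connection: no collection flags
 * and no copied options pointer. */
static int established_state_ok(const struct sock *child) {
    return child->rxopt == 0 && child->repflow == 0 && child->pktoptions == NULL;
}

/* Run listener -> accept -> destroy both with the given accept routine.
 * Returns 1 if the shallow copy left a double owner (the bug), 0 if sound,
 * -1 on allocation failure. The demo neutralises the second owner before
 * destroying so it never actually frees twice. */
static int run_scenario(struct sock *(*accept_fn)(const struct sock *)) {
    struct sock *listener = sock_listen();
    if (!listener) return -1;
    struct sock *child = accept_fn(listener);
    if (!child) { sock_destroy(listener); return -1; }
    int bug = double_owner(listener, child);
    if (bug)
        child->pktoptions = NULL;   /* demo only: avoid the real double free */
    sock_destroy(child);
    sock_destroy(listener);
    return bug;
}

int main(void) {
    printf("buggy accept leaves a second owner: %d\n", run_scenario(sock_accept_buggy));
    printf("fixed accept leaves a second owner: %d\n", run_scenario(sock_accept_fixed));
    return 0;
}
```

Under KASAN or AddressSanitizer the uncorrected path reports exactly the shape seen in the trace above: the allocation site is the clone made while the SYN was being handled, and both the child's and the listener's teardown reach the same free.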