From cdd6ff9de830d4d2a6d03f02de3de56c78b1d00a Mon Sep 17 00:00:00 2001
From: Christoph Paasch <cpaasch@apple.com>
Date: Tue, 22 Feb 2022 12:58:07 -0800
Subject: [PATCH] mptcp: Properly reset sockets in tcp_disconnect

It is possible that we end up in tcp_disconnect after a failed call to
connect(). In that case tp->request_mptcp is set. We correctly remove
the socket from the token hash-table but leave request_mptcp set. This
can lead to inconsistent states later on if for some reason we end up
disabling MPTCP on that disconnected socket.

Fixes: Zero-day bug
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
(cherry picked from commit f4596c10ef55b67682c503873b5026f012d7678c)
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
(cherry picked from commit 7700fc30e7f8c469fa03edf0cc1352961b7d492d)
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
---
 net/ipv4/tcp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index de529a554553..5ea09d293011 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2683,6 +2683,7 @@ int tcp_disconnect(struct sock *sk, int flags)
 	if (is_meta_sk(sk)) {
 		mptcp_disconnect(sk);
 	} else {
+		tp->request_mptcp = 0;
 		if (tp->inside_tk_table)
 			mptcp_hash_remove_bh(tp);
 	}