From ed39d2f30445beec26295f10db62f8ae7067a2d5 Mon Sep 17 00:00:00 2001
From: Christoph Paasch <cpaasch@apple.com>
Date: Tue, 28 May 2019 15:16:18 -0700
Subject: [PATCH] mptcp: mpcb-put when canceling a workqueue for closing
 subflows

Commit ece771ffb87e ("mptcp: Fully cleanup meta-socket in
mptcp_disconnect") added a refcount hold on the mpcb when closing
subflows (among other cases). We forgot to put the reference when the
work-queue is being canceled. Otherwise, we will end up leaking the
mpcb, and we get log-splashs like:

BUG: memory leak
unreferenced object 0xffff888053724000 (size 1056):
  comm "softirq", pid 0, jiffies 4295075668 (age 18.015s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    d1 d8 ee 60 d0 d8 ee 60 55 f5 51 cd 56 f5 51 cd  ...`...`U.Q.V.Q.
  backtrace:
    [<ffffffff8333b9b3>] kmem_cache_zalloc include/linux/slab.h:651 [inline]
    [<ffffffff8333b9b3>] mptcp_alloc_mpcb net/mptcp/mptcp_ctrl.c:1105 [inline]
    [<ffffffff8333b9b3>] mptcp_create_master_sk+0x203/0x2980 net/mptcp/mptcp_ctrl.c:1960
    [<ffffffff83368f50>] mptcp_rcv_synsent_state_process+0x580/0x1120 net/mptcp/mptcp_input.c:2300
    [<ffffffff83006345>] tcp_rcv_synsent_state_process+0x19b5/0x2d30 net/ipv4/tcp_input.c:5828
    [<ffffffff83007ef3>] tcp_rcv_state_process+0x833/0x2e43 net/ipv4/tcp_input.c:6074
    [<ffffffff832d09e9>] tcp_v6_do_rcv+0x789/0x12d0 net/ipv6/tcp_ipv6.c:1381
    [<ffffffff82d00088>] sk_backlog_rcv include/net/sock.h:913 [inline]
    [<ffffffff82d00088>] __release_sock+0x138/0x360 net/core/sock.c:2289
    [<ffffffff82d00350>] release_sock+0xa0/0x280 net/core/sock.c:2804
    [<ffffffff830a3951>] inet_wait_for_connect net/ipv4/af_inet.c:560 [inline]
    [<ffffffff830a3951>] __inet_stream_connect+0x621/0xe60 net/ipv4/af_inet.c:646
    [<ffffffff830a41e3>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:685
    [<ffffffff82ce95a6>] SYSC_connect+0x1e6/0x420 net/socket.c:1655
    [<ffffffff8100693f>] do_syscall_64+0x23f/0x6f0 arch/x86/entry/common.c:292
    [<ffffffff83a00086>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
    [<ffffffffffffffff>] 0xffffffffffffffff

Reported-by: Franz Schleindlhuber <Schleindlhuber@gmx.net>
Fixes: ece771ffb87e ("mptcp: Fully cleanup meta-socket in mptcp_disconnect")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
(cherry picked from commit 528be7477e4e10ef7a2882c2306284f1ba831169)
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
---
 net/mptcp/mptcp_ctrl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/mptcp/mptcp_ctrl.c b/net/mptcp/mptcp_ctrl.c
index bd5eb4f965c58..ca0a7901dc1d4 100644
--- a/net/mptcp/mptcp_ctrl.c
+++ b/net/mptcp/mptcp_ctrl.c
@@ -1707,6 +1707,7 @@ void mptcp_sub_close(struct sock *sk, unsigned long delay)
 		if (!cancel_delayed_work(work))
 			return;
 		sock_put(sk);
+		mptcp_mpcb_put(tp->mpcb);
 	}
 
 	if (!delay) {