From 36b7954c10e99c1d97673b7bf4cce916768a1cd8 Mon Sep 17 00:00:00 2001 From: Paolo Abeni Date: Fri, 5 Jun 2020 18:10:27 +0000 Subject: [PATCH] mptcp: don't leak msk in token container When the left-over msk is freed by subflow_syn_recv_sock(), we don't invoke the proto->destroy() method, so the socket is not removed from the token container, leading to later UaF. Address the issue by explicitly removing the token even in the above error path. Signed-off-by: Paolo Abeni --- net/mptcp/subflow.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index fcb9ca9a9dcef..229ffff4b2170 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -393,6 +393,7 @@ static void mptcp_sock_destruct(struct sock *sk) sock_orphan(sk); } + mptcp_token_destroy(mptcp_sk(sk)); inet_sock_destruct(sk); }
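Review bot: the added mptcp_token_destroy(mptcp_sk(sk)) in mptcp_sock_destruct() will also run on the normal close path, where the commit message says proto->destroy() has already removed the socket from the token container, so this hunk relies on mptcp_token_destroy() being safe to call a second time on an already-removed (or never-inserted) token; please confirm that, and since sk_destruct callbacks can run from softirq context, confirm the locking inside mptcp_token_destroy() is appropriate for that context. A one-line comment above the call, e.g. "/* the syn_recv error path frees the msk without proto->destroy() */", would document why the removal is duplicated here rather than leaving a future reader to treat it as redundant.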