From d3fc75beff62af6aa4f1a6632e416e7e5440b81f Mon Sep 17 00:00:00 2001
From: Christoph Paasch <cpaasch@apple.com>
Date: Wed, 12 Jul 2017 21:52:56 -0700
Subject: [PATCH] mptcp: Handle incoming ADD_ADDR on non-established sockets

If a server sends us an ADD_ADDR (with valid ACK-number) instead of the SYN/ACK,
we will parse this ADD_ADDR and access tp->mpcb. However, at this stage tp->mpcb
is not yet set and thus we will panic:

[   31.845802] BUG: unable to handle kernel NULL pointer dereference at 000000000000033d
[   31.846784] IP: [<ffffffff815a86c1>] mptcp_parse_options+0x2e1/0x540
[   31.846784] PGD 3d72d067 PUD 3dbcd067 PMD 0
[   31.846784] Oops: 0000 [#1] SMP
[   31.846784] Modules linked in:
[   31.846784] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.4.0.mptcp #3
[   31.846784] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
[   31.846784] task: ffff88003f87ee00 ti: ffff88003f8c4000 task.ti: ffff88003f8c4000
[   31.846784] RIP: 0010:[<ffffffff815a86c1>]  [<ffffffff815a86c1>] mptcp_parse_options+0x2e1/0x540
[   31.846784] RSP: 0018:ffff88003fd039a8  EFLAGS: 00010286
[   31.846784] RAX: 0000000000000000 RBX: 0000000000000010 RCX: ffff88003d469500
[   31.846784] RDX: ffff88003fd03a70 RSI: 0000000000000008 RDI: ffff88003c521482
[   31.846784] RBP: ffff88003fd039a8 R08: ffff88003d8d8000 R09: ffff88003c521484
[   31.846784] R10: ffff88003d8d85a8 R11: ffff88003fd03a3e R12: ffff88003c521462
[   31.846784] R13: 0000000000000008 R14: 0000000000000008 R15: ffff88003d469500
[   31.846784] FS:  0000000000000000(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
[   31.846784] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   31.846784] CR2: 000000000000033d CR3: 000000003c608000 CR4: 00000000000006e0
[   31.846784] Stack:
[   31.846784]  ffff88003fd03a20 ffffffff81504c1f ffff88003fd039c8 ffff88003fd03a3e
[   31.846784]  ffff88003d8d85a8 ffff88003c521484 ffff88003fd03a3f ffff88003d8d8000
[   31.846784]  000000006967fb40 ffff88003fd03a70 ffff88003d8d8000 ffff88003d8d8000
[   31.846784] Call Trace:
[   31.846784]  <IRQ>
[   31.846784]  [<ffffffff81504c1f>] tcp_parse_options+0x25f/0x420
[   31.846784]  [<ffffffff8150be35>] tcp_rcv_synsent_state_process+0x95/0x990
[   31.846784]  [<ffffffff8154680a>] ? ipt_do_table+0x2da/0x3a0
[   31.846784]  [<ffffffff8150c7d9>] tcp_rcv_state_process+0xa9/0x7e0
[   31.846784]  [<ffffffff81515d5a>] tcp_v4_do_rcv+0x16a/0x280
[   31.846784]  [<ffffffff8151714e>] tcp_v4_rcv+0xa6e/0xaf0
[   31.846784]  [<ffffffff814daf90>] ? ip_vs_local_request4+0x30/0x40
[   31.846784]  [<ffffffff814dafa9>] ? ip_vs_remote_request4+0x9/0x10
[   31.846784]  [<ffffffff814f1a2e>] ip_local_deliver_finish+0x4e/0x170
[   31.846784]  [<ffffffff814f1d58>] ip_local_deliver+0xb8/0xd0
[   31.846784]  [<ffffffff814f19e0>] ? ip_rcv_finish+0x2a0/0x2a0
[   31.846784]  [<ffffffff814f17bb>] ip_rcv_finish+0x7b/0x2a0
[   31.846784]  [<ffffffff814f2021>] ip_rcv+0x2b1/0x360
[   31.846784]  [<ffffffff814f1740>] ? inet_del_offload+0x40/0x40
[   31.846784]  [<ffffffff8149da12>] __netif_receive_skb_core+0x2d2/0x9b0
[   31.846784]  [<ffffffff8151c078>] ? tcp4_gro_receive+0x128/0x1d0
[   31.846784]  [<ffffffff8152ae7a>] ? inet_gro_receive+0x18a/0x200
[   31.846784]  [<ffffffff8149e108>] __netif_receive_skb+0x18/0x60
[   31.846784]  [<ffffffff8149e178>] netif_receive_skb_internal+0x28/0x90
[   31.846784]  [<ffffffff8149ebdb>] napi_gro_receive+0x6b/0x90
[   31.846784]  [<ffffffff813d2c00>] virtnet_receive+0x430/0x790
[   31.846784]  [<ffffffff813d2f78>] virtnet_poll+0x18/0x80
[   31.846784]  [<ffffffff8149e581>] net_rx_action+0x1b1/0x2f0
[   31.846784]  [<ffffffff81055402>] __do_softirq+0xf2/0x210
[   31.846784]  [<ffffffff8105569e>] irq_exit+0xae/0xb0
[   31.846784]  [<ffffffff8100508f>] do_IRQ+0x4f/0xd0
[   31.846784]  [<ffffffff815c15c2>] common_interrupt+0x82/0x82

Fixes: de09a8318666 (mptcp: Add ADD_ADDR2 option)
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
(cherry picked from commit 3fc787d80217c2cc25fe17da798ef313335e100c)
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
---
 net/mptcp/mptcp_input.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mptcp/mptcp_input.c b/net/mptcp/mptcp_input.c
index 2fee1cb46b9f91..f5788c6919b011 100644
--- a/net/mptcp/mptcp_input.c
+++ b/net/mptcp/mptcp_input.c
@@ -1757,7 +1757,7 @@ void mptcp_parse_options(const uint8_t *ptr, int opsize,
 		/* If tcp_sock is not available, MPTCP version can't be
 		 * retrieved and ADD_ADDR opsize validation is not possible.
 		 */
-		if (!tp)
+		if (!tp || !tp->mpcb)
 			break;
 
 		if (!is_valid_addropt_opsize(tp->mpcb->mptcp_ver,