[PATCH] tls: reject attaching TLS to sockets already in sockmap

[Xingwang Xiang <v3rdant.xiang@gmail.com>]

When a socket is first inserted into a sockmap with a verdict program,
then TLS is enabled on that socket, the TLS strparser's saved_data_ready
callback becomes sk_psock_verdict_data_ready(). This function calls
tcp_read_skb() which drains ALL skbs from sk_receive_queue without
updating tp->copied_seq when the BPF verdict is SK_PASS. This leaves
tcp_inq() returning stale values, causing the TLS strparser to think
data exists in the receive queue when it doesn't.

The result is a WARN_ON_ONCE(!first) in tls_strp_load_anchor_with_queue()
when tcp_recv_skb() returns NULL, and Use-After-Free when
the strparser's frag_list points to skbs that have been unlinked and
are now owned by the sockmap subsystem.

While sk_psock_init() correctly checks inet_csk_has_ulp() to prevent
inserting TLS sockets into sockmaps (blocking "forward order"), tls_init()
does not check for an existing psock, allowing "reverse order" setup.

Fix this by adding a check in tls_init() to reject sockets that already
have a psock attached (i.e., are in a sockmap). This mirrors the
existing guard in sk_psock_init() and ensures mutual exclusion between
TLS and sockmap attachments regardless of the order of operations.

Signed-off-by: Xingwang Xiang <v3rdant.xiang@gmail.com>
---
 net/tls/tls_main.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index fd39acf41..d4ac91c50 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -1047,6 +1047,8 @@ static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
 static int tls_init(struct sock *sk)
 {
 	struct tls_context *ctx;
+	struct sk_psock *psock;
+
 	int rc = 0;
 
 	tls_build_proto(sk);
@@ -1056,6 +1058,20 @@ static int tls_init(struct sock *sk)
 		return 0;
 #endif
 
+	/* Reject sockets that are already attached to a sockmap.
+	 * The sockmap verdict path (sk_psock_verdict_data_ready) is
+	 * incompatible with TLS: it drains the receive queue via
+	 * tcp_read_skb() without updating copied_seq, causing the
+	 * TLS strparser to operate on stale queue state.
+	 * This mirrors the check in sk_psock_init() that rejects
+	 * sockets with ULP (TLS) from being inserted into sockmaps.
+	 */
+	rcu_read_lock();
+	psock = sk_psock(sk);
+	rcu_read_unlock();
+	if (psock)
+		return -EBUSY;
+
 	/* The TLS ulp is currently supported only for TCP sockets
 	 * in ESTABLISHED state.
 	 * Supporting sockets in LISTEN state will require us
-- 
2.52.0