tls: reject the combination of TLS and sockmap

TLS and sockmap (BPF psock) integration hides a lot of latent bugs.
Bugs which may be more or less relevant for real users but they
are definitely exploitable.

We could not find anyone actively using this integration so let's
reject this config. Adding a TLS socket to a sockmap was already
rejected by sk_psock_init() through the inet_csk_has_ulp() check.
We need to reject the attempts to configure the TLS keys (rather
than adding the ULP itself) because checking prior to the ULP
installation is tricky without risking a race with sockmap getting
added in parallel (sockmap does not hold the socket lock).

This patch is a minimal rejection of the feature. Subsequent patch
in the series will do a light dead code removal. Full cleanup would
require a major rewrite of the Tx path, we don't need skmsg any more.

Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20260614014102.461064-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 13c88a7b8787df4a69cbeb6e3aa785369c0f3f6c..8e7ba018988d24474b41201775c5d0d58de1937f 100644 (file)
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -643,6 +643,17 @@ static int do_tls_setsockopt_conf(struct sock *sk, sockptr_t optval,
        int rc = 0;
        int conf;
 
+       /* TLS and sockmap are mutually exclusive. A socket already in a
+        * sockmap (i.e. with a psock attached) cannot be upgraded to TLS.
+        * sockmap rejects TLS sockets already (see sk_psock_init()).
+        */
+       rcu_read_lock();
+       if (sk_psock(sk)) {
+               rcu_read_unlock();
+               return -EINVAL;
+       }
+       rcu_read_unlock();
+
        if (sockptr_is_null(optval) || (optlen < sizeof(*crypto_info)))
                return -EINVAL;