From: Geliang Tang <redacted>

When a TLS socket is offloaded to a TOE device, tls_toe_bypass() replaces
sk->sk_prot with a TLS-specific protocol table. On socket destruction,
tls_toe_sk_destruct() calls the original sk_destruct callback
(ctx->sk_destruct), which may rely on the original sk_prot (e.g., for
memory accounting or close handling). Without restoring sk->sk_prot
before calling ctx->sk_destruct, the destructor may access stale or
incorrect protocol functions, leading to use-after-free or kernel panic.

Add WRITE_ONCE(sk->sk_prot, ctx->sk_proto) before invoking
ctx->sk_destruct to restore the original protocol pointer. This mirrors
the restoration already done in tls_sk_proto_close() for the software
and device offload paths.

Fixes: 76f7164d02d4 ("net/tls: free ctx in sock destruct")
Co-developed-by: Gang Yan <redacted>
Signed-off-by: Gang Yan <redacted>
Signed-off-by: Geliang Tang <redacted>
---
Hi,

This bug was identified by Sashiko during my development of "MPTCP KTLS
support" [1]. I am sending this fix separately for now.

Thanks,
-Geliang

[1]
https://patchwork.kernel.org/project/mptcp/cover/cover.1780621326.git.tanggeliang@kylinos.cn/
---
 net/tls/tls_toe.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/tls/tls_toe.c b/net/tls/tls_toe.c
index 825669e1ab47..c9c1a0952f4b 100644
--- a/net/tls/tls_toe.c
+++ b/net/tls/tls_toe.c

@@ -48,6 +48,8 @@ static void tls_toe_sk_destruct(struct sock *sk)
 	struct inet_connection_sock *icsk = inet_csk(sk);
 	struct tls_context *ctx = tls_get_ctx(sk);
 
+	WRITE_ONCE(sk->sk_prot, ctx->sk_proto);
+
 	ctx->sk_destruct(sk);
 	/* Free ctx */
 	rcu_assign_pointer(icsk->icsk_ulp_data, NULL);

-- 
2.53.0