1. Patchew
  2. linux
  3. View series

[PATCH net-next v1] net: annotate data races around sk->sk_prot

Jiayuan Chen posted 1 patch 1 month, 1 week ago
There is a newer version of this series
net/core/sock.c    | 2 +-
net/ipv4/af_inet.c | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
[PATCH net-next v1] net: annotate data races around sk->sk_prot
Posted by Jiayuan Chen 1 month, 1 week ago 
inet_sendmsg(), inet_recvmsg() and sock_common_recvmsg() access
sk->sk_prot without lock_sock() or any other synchronization.

sock_replace_proto() (used by sockmap), TLS and MPTCP can change
sk->sk_prot under us, so these functions need READ_ONCE() to avoid
load tearing.

Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
---
 net/core/sock.c    | 2 +-
 net/ipv4/af_inet.c | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index f4e2ff23d60e..79b659cebbb1 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3968,7 +3968,7 @@ int sock_common_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
 {
 	struct sock *sk = sock->sk;
 
-	return sk->sk_prot->recvmsg(sk, msg, size, flags);
+	return READ_ONCE(sk->sk_prot)->recvmsg(sk, msg, size, flags);
 }
 EXPORT_SYMBOL(sock_common_recvmsg);
 
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index babcd75a08e2..e95ffa070568 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -852,11 +852,13 @@ EXPORT_SYMBOL_GPL(inet_send_prepare);
 int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 {
 	struct sock *sk = sock->sk;
+	const struct proto *prot;
 
 	if (unlikely(inet_send_prepare(sk)))
 		return -EAGAIN;
 
-	return INDIRECT_CALL_2(sk->sk_prot->sendmsg, tcp_sendmsg, udp_sendmsg,
+	prot = READ_ONCE(sk->sk_prot);
+	return INDIRECT_CALL_2(prot->sendmsg, tcp_sendmsg, udp_sendmsg,
 			       sk, msg, size);
 }
 EXPORT_SYMBOL(inet_sendmsg);
@@ -882,11 +884,13 @@ int inet_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
 		 int flags)
 {
 	struct sock *sk = sock->sk;
+	const struct proto *prot;
 
 	if (likely(!(flags & MSG_ERRQUEUE)))
 		sock_rps_record_flow(sk);
 
-	return INDIRECT_CALL_2(sk->sk_prot->recvmsg, tcp_recvmsg, udp_recvmsg,
+	prot = READ_ONCE(sk->sk_prot);
+	return INDIRECT_CALL_2(prot->recvmsg, tcp_recvmsg, udp_recvmsg,
 			       sk, msg, size, flags);
 }
 EXPORT_SYMBOL(inet_recvmsg);
-- 
2.43.0
Re: [PATCH net-next v1] net: annotate data races around sk->sk_prot
Posted by Kuniyuki Iwashima 1 month, 1 week ago 
On Tue, Mar 3, 2026 at 7:16 PM Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>
> inet_sendmsg(), inet_recvmsg() and sock_common_recvmsg() access
> sk->sk_prot without lock_sock() or any other synchronization.
>
> sock_replace_proto() (used by sockmap), TLS and MPTCP can change
> sk->sk_prot under us, so these functions need READ_ONCE() to avoid
> load tearing.
>
> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
> ---
>  net/core/sock.c    | 2 +-
>  net/ipv4/af_inet.c | 8 ++++++--
>  2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/net/core/sock.c b/net/core/sock.c
> index f4e2ff23d60e..79b659cebbb1 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -3968,7 +3968,7 @@ int sock_common_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
>  {
>         struct sock *sk = sock->sk;
>
> -       return sk->sk_prot->recvmsg(sk, msg, size, flags);
> +       return READ_ONCE(sk->sk_prot)->recvmsg(sk, msg, size, flags);
>  }
>  EXPORT_SYMBOL(sock_common_recvmsg);

None of users seems to be supported by SOCKMAP,
or am I missing something ?

include/net/sock.h:1963:int sock_common_recvmsg(struct socket *sock,
struct msghdr *msg, size_t size,
net/core/sock.c:3966:int sock_common_recvmsg(struct socket *sock,
struct msghdr *msg, size_t size,
net/core/sock.c:3973:EXPORT_SYMBOL(sock_common_recvmsg);
net/l2tp/l2tp_ip6.c:774: .recvmsg   = sock_common_recvmsg,
net/l2tp/l2tp_ip.c:645: .recvmsg   = sock_common_recvmsg,
net/ipv6/raw.c:1292: .recvmsg   = sock_common_recvmsg, /* ok */
net/ieee802154/socket.c:427: .recvmsg   = sock_common_recvmsg,
net/ieee802154/socket.c:989: .recvmsg   = sock_common_recvmsg,
net/phonet/socket.c:441: .recvmsg = sock_common_recvmsg,
net/phonet/socket.c:461: .recvmsg = sock_common_recvmsg,



>
> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
> index babcd75a08e2..e95ffa070568 100644
> --- a/net/ipv4/af_inet.c
> +++ b/net/ipv4/af_inet.c
> @@ -852,11 +852,13 @@ EXPORT_SYMBOL_GPL(inet_send_prepare);
>  int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
>  {
>         struct sock *sk = sock->sk;
> +       const struct proto *prot;
>
>         if (unlikely(inet_send_prepare(sk)))
>                 return -EAGAIN;
>
> -       return INDIRECT_CALL_2(sk->sk_prot->sendmsg, tcp_sendmsg, udp_sendmsg,
> +       prot = READ_ONCE(sk->sk_prot);
> +       return INDIRECT_CALL_2(prot->sendmsg, tcp_sendmsg, udp_sendmsg,
>                                sk, msg, size);
>  }
>  EXPORT_SYMBOL(inet_sendmsg);
> @@ -882,11 +884,13 @@ int inet_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
>                  int flags)
>  {
>         struct sock *sk = sock->sk;
> +       const struct proto *prot;
>
>         if (likely(!(flags & MSG_ERRQUEUE)))
>                 sock_rps_record_flow(sk);
>
> -       return INDIRECT_CALL_2(sk->sk_prot->recvmsg, tcp_recvmsg, udp_recvmsg,
> +       prot = READ_ONCE(sk->sk_prot);
> +       return INDIRECT_CALL_2(prot->recvmsg, tcp_recvmsg, udp_recvmsg,
>                                sk, msg, size, flags);
>  }
>  EXPORT_SYMBOL(inet_recvmsg);
> --
> 2.43.0
>
Re: [PATCH net-next v1] net: annotate data races around sk->sk_prot
Posted by Jiayuan Chen 1 month, 1 week ago 
March 4, 2026 at 11:42, "Kuniyuki Iwashima" <kuniyu@google.com mailto:kuniyu@google.com?to=%22Kuniyuki%20Iwashima%22%20%3Ckuniyu%40google.com%3E > wrote:


> 
> On Tue, Mar 3, 2026 at 7:16 PM Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
> 
> > 
> > inet_sendmsg(), inet_recvmsg() and sock_common_recvmsg() access
> >  sk->sk_prot without lock_sock() or any other synchronization.
> > 
> >  sock_replace_proto() (used by sockmap), TLS and MPTCP can change
> >  sk->sk_prot under us, so these functions need READ_ONCE() to avoid
> >  load tearing.
> > 
> >  Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
> >  ---
> >  net/core/sock.c | 2 +-
> >  net/ipv4/af_inet.c | 8 ++++++--
> >  2 files changed, 7 insertions(+), 3 deletions(-)
> > 
> >  diff --git a/net/core/sock.c b/net/core/sock.c
> >  index f4e2ff23d60e..79b659cebbb1 100644
> >  --- a/net/core/sock.c
> >  +++ b/net/core/sock.c
> >  @@ -3968,7 +3968,7 @@ int sock_common_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
> >  {
> >  struct sock *sk = sock->sk;
> > 
> >  - return sk->sk_prot->recvmsg(sk, msg, size, flags);
> >  + return READ_ONCE(sk->sk_prot)->recvmsg(sk, msg, size, flags);
> >  }
> >  EXPORT_SYMBOL(sock_common_recvmsg);
> > 
> None of users seems to be supported by SOCKMAP,
> or am I missing something ?
> 
> include/net/sock.h:1963:int sock_common_recvmsg(struct socket *sock,
> struct msghdr *msg, size_t size,
> net/core/sock.c:3966:int sock_common_recvmsg(struct socket *sock,
> struct msghdr *msg, size_t size,
> net/core/sock.c:3973:EXPORT_SYMBOL(sock_common_recvmsg);
> net/l2tp/l2tp_ip6.c:774: .recvmsg = sock_common_recvmsg,
> net/l2tp/l2tp_ip.c:645: .recvmsg = sock_common_recvmsg,
> net/ipv6/raw.c:1292: .recvmsg = sock_common_recvmsg, /* ok */
> net/ieee802154/socket.c:427: .recvmsg = sock_common_recvmsg,
> net/ieee802154/socket.c:989: .recvmsg = sock_common_recvmsg,
> net/phonet/socket.c:441: .recvmsg = sock_common_recvmsg,
> net/phonet/socket.c:461: .recvmsg = sock_common_recvmsg,


You're right. None of the sock_common_recvmsg() users (raw, l2tp,
ieee802154, phonet) support SOCKMAP/TLS/MPTCP, so there is no
concurrent writer to sk->sk_prot for these socket types. I'll drop
that change in v2.

> > 
> > diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
> >  index babcd75a08e2..e95ffa070568 100644
> >  --- a/net/ipv4/af_inet.c
> >  +++ b/net/ipv4/af_inet.c
> >  @@ -852,11 +852,13 @@ EXPORT_SYMBOL_GPL(inet_send_prepare);
> >  int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
> >  {
> >  struct sock *sk = sock->sk;
> >  + const struct proto *prot;
> > 
> >  if (unlikely(inet_send_prepare(sk)))
> >  return -EAGAIN;
> > 
> >  - return INDIRECT_CALL_2(sk->sk_prot->sendmsg, tcp_sendmsg, udp_sendmsg,
> >  + prot = READ_ONCE(sk->sk_prot);
> >  + return INDIRECT_CALL_2(prot->sendmsg, tcp_sendmsg, udp_sendmsg,
> >  sk, msg, size);
> >  }
> >  EXPORT_SYMBOL(inet_sendmsg);
> >  @@ -882,11 +884,13 @@ int inet_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
> >  int flags)
> >  {
> >  struct sock *sk = sock->sk;
> >  + const struct proto *prot;
> > 
> >  if (likely(!(flags & MSG_ERRQUEUE)))
> >  sock_rps_record_flow(sk);
> > 
> >  - return INDIRECT_CALL_2(sk->sk_prot->recvmsg, tcp_recvmsg, udp_recvmsg,
> >  + prot = READ_ONCE(sk->sk_prot);
> >  + return INDIRECT_CALL_2(prot->recvmsg, tcp_recvmsg, udp_recvmsg,
> >  sk, msg, size, flags);
> >  }
> >  EXPORT_SYMBOL(inet_recvmsg);
> >  --
> >  2.43.0
> >
>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.