1. Patchew
  2. linux
  3. View series

[PATCH net-next v2] net: annotate data races around sk->sk_prot

Jiayuan Chen posted 1 patch 1 month, 1 week ago 
net/ipv4/af_inet.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
[PATCH net-next v2] net: annotate data races around sk->sk_prot
Posted by Jiayuan Chen 1 month, 1 week ago 
inet_sendmsg() and inet_recvmsg() access sk->sk_prot without
lock_sock() or any other synchronization.

sock_replace_proto() (used by sockmap), TLS and MPTCP can change
sk->sk_prot under us, so these functions need READ_ONCE() to avoid
load tearing.

Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
---
 net/ipv4/af_inet.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index babcd75a08e2..e95ffa070568 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -852,11 +852,13 @@ EXPORT_SYMBOL_GPL(inet_send_prepare);
 int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 {
 	struct sock *sk = sock->sk;
+	const struct proto *prot;
 
 	if (unlikely(inet_send_prepare(sk)))
 		return -EAGAIN;
 
-	return INDIRECT_CALL_2(sk->sk_prot->sendmsg, tcp_sendmsg, udp_sendmsg,
+	prot = READ_ONCE(sk->sk_prot);
+	return INDIRECT_CALL_2(prot->sendmsg, tcp_sendmsg, udp_sendmsg,
 			       sk, msg, size);
 }
 EXPORT_SYMBOL(inet_sendmsg);
@@ -882,11 +884,13 @@ int inet_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
 		 int flags)
 {
 	struct sock *sk = sock->sk;
+	const struct proto *prot;
 
 	if (likely(!(flags & MSG_ERRQUEUE)))
 		sock_rps_record_flow(sk);
 
-	return INDIRECT_CALL_2(sk->sk_prot->recvmsg, tcp_recvmsg, udp_recvmsg,
+	prot = READ_ONCE(sk->sk_prot);
+	return INDIRECT_CALL_2(prot->recvmsg, tcp_recvmsg, udp_recvmsg,
 			       sk, msg, size, flags);
 }
 EXPORT_SYMBOL(inet_recvmsg);
-- 
2.43.0
Re: [PATCH net-next v2] net: annotate data races around sk->sk_prot
Posted by Eric Dumazet 1 month, 1 week ago 
On Wed, Mar 4, 2026 at 7:43 AM Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>
> inet_sendmsg() and inet_recvmsg() access sk->sk_prot without
> lock_sock() or any other synchronization.
>
> sock_replace_proto() (used by sockmap), TLS and MPTCP can change
> sk->sk_prot under us, so these functions need READ_ONCE() to avoid
> load tearing.
>
> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
> ---

Reviewed-by: Eric Dumazet <edumazet@google.com>

nits:  (no need to resend)

1) You could have avoided the temporary variable
return  INDIRECT_CALL_2(READ_ONCE(sk->sk_prot)->recvmsg, tcp_recvmsg, ...);

2) This could target net tree, with a Fixes: tag, but I am guessing
stable teams will automatically pick
this patch based on the changelog content.

Thanks.

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.