[PATCH net-next v1] net: annotate data races around sk->sk_prot
From: Jiayuan Chen
Date: Tue Mar 03 2026 - 22:17:08 EST
inet_sendmsg(), inet_recvmsg() and sock_common_recvmsg() access
sk->sk_prot without lock_sock() or any other synchronization.
sock_replace_proto() (used by sockmap), TLS and MPTCP can change
sk->sk_prot under us, so these functions need READ_ONCE() to avoid
load tearing.
Signed-off-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
---
net/core/sock.c | 2 +-
net/ipv4/af_inet.c | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/core/sock.c b/net/core/sock.c
index f4e2ff23d60e..79b659cebbb1 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3968,7 +3968,7 @@ int sock_common_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
{
struct sock *sk = sock->sk;
- return sk->sk_prot->recvmsg(sk, msg, size, flags);
+ return READ_ONCE(sk->sk_prot)->recvmsg(sk, msg, size, flags);
}
EXPORT_SYMBOL(sock_common_recvmsg);
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index babcd75a08e2..e95ffa070568 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -852,11 +852,13 @@ EXPORT_SYMBOL_GPL(inet_send_prepare);
int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
{
struct sock *sk = sock->sk;
+ const struct proto *prot;
if (unlikely(inet_send_prepare(sk)))
return -EAGAIN;
- return INDIRECT_CALL_2(sk->sk_prot->sendmsg, tcp_sendmsg, udp_sendmsg,
+ prot = READ_ONCE(sk->sk_prot);
+ return INDIRECT_CALL_2(prot->sendmsg, tcp_sendmsg, udp_sendmsg,
sk, msg, size);
}
EXPORT_SYMBOL(inet_sendmsg);
@@ -882,11 +884,13 @@ int inet_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
int flags)
{
struct sock *sk = sock->sk;
+ const struct proto *prot;
if (likely(!(flags & MSG_ERRQUEUE)))
sock_rps_record_flow(sk);
- return INDIRECT_CALL_2(sk->sk_prot->recvmsg, tcp_recvmsg, udp_recvmsg,
+ prot = READ_ONCE(sk->sk_prot);
+ return INDIRECT_CALL_2(prot->recvmsg, tcp_recvmsg, udp_recvmsg,
sk, msg, size, flags);
}
EXPORT_SYMBOL(inet_recvmsg);
--
2.43.0