Re: [PATCH net-next v1] net: annotate data races around sk->sk_prot

[Kuniyuki Iwashima]

On Tue, Mar 3, 2026 at 7:16 PM Jiayuan Chen <jiayuan.chen@xxxxxxxxx> wrote:
>
> inet_sendmsg(), inet_recvmsg() and sock_common_recvmsg() access
> sk->sk_prot without lock_sock() or any other synchronization.
>
> sock_replace_proto() (used by sockmap), TLS and MPTCP can change
> sk->sk_prot under us, so these functions need READ_ONCE() to avoid
> load tearing.
>
> Signed-off-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
> ---
>  net/core/sock.c    | 2 +-
>  net/ipv4/af_inet.c | 8 ++++++--
>  2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/net/core/sock.c b/net/core/sock.c
> index f4e2ff23d60e..79b659cebbb1 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -3968,7 +3968,7 @@ int sock_common_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
>  {
>         struct sock *sk = sock->sk;
>
> -       return sk->sk_prot->recvmsg(sk, msg, size, flags);
> +       return READ_ONCE(sk->sk_prot)->recvmsg(sk, msg, size, flags);
>  }
>  EXPORT_SYMBOL(sock_common_recvmsg);

None of users seems to be supported by SOCKMAP,
or am I missing something ?

include/net/sock.h:1963:int sock_common_recvmsg(struct socket *sock,
struct msghdr *msg, size_t size,
net/core/sock.c:3966:int sock_common_recvmsg(struct socket *sock,
struct msghdr *msg, size_t size,
net/core/sock.c:3973:EXPORT_SYMBOL(sock_common_recvmsg);
net/l2tp/l2tp_ip6.c:774: .recvmsg   = sock_common_recvmsg,
net/l2tp/l2tp_ip.c:645: .recvmsg   = sock_common_recvmsg,
net/ipv6/raw.c:1292: .recvmsg   = sock_common_recvmsg, /* ok */
net/ieee802154/socket.c:427: .recvmsg   = sock_common_recvmsg,
net/ieee802154/socket.c:989: .recvmsg   = sock_common_recvmsg,
net/phonet/socket.c:441: .recvmsg = sock_common_recvmsg,
net/phonet/socket.c:461: .recvmsg = sock_common_recvmsg,



>
> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
> index babcd75a08e2..e95ffa070568 100644
> --- a/net/ipv4/af_inet.c
> +++ b/net/ipv4/af_inet.c
> @@ -852,11 +852,13 @@ EXPORT_SYMBOL_GPL(inet_send_prepare);
>  int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
>  {
>         struct sock *sk = sock->sk;
> +       const struct proto *prot;
>
>         if (unlikely(inet_send_prepare(sk)))
>                 return -EAGAIN;
>
> -       return INDIRECT_CALL_2(sk->sk_prot->sendmsg, tcp_sendmsg, udp_sendmsg,
> +       prot = READ_ONCE(sk->sk_prot);
> +       return INDIRECT_CALL_2(prot->sendmsg, tcp_sendmsg, udp_sendmsg,
>                                sk, msg, size);
>  }
>  EXPORT_SYMBOL(inet_sendmsg);
> @@ -882,11 +884,13 @@ int inet_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
>                  int flags)
>  {
>         struct sock *sk = sock->sk;
> +       const struct proto *prot;
>
>         if (likely(!(flags & MSG_ERRQUEUE)))
>                 sock_rps_record_flow(sk);
>
> -       return INDIRECT_CALL_2(sk->sk_prot->recvmsg, tcp_recvmsg, udp_recvmsg,
> +       prot = READ_ONCE(sk->sk_prot);
> +       return INDIRECT_CALL_2(prot->recvmsg, tcp_recvmsg, udp_recvmsg,
>                                sk, msg, size, flags);
>  }
>  EXPORT_SYMBOL(inet_recvmsg);
> --
> 2.43.0
>