net: annotate data races around sk->sk_prot

inet_sendmsg() and inet_recvmsg() access sk->sk_prot without lock_sock() or any other synchronization. sock_replace_proto() (used by sockmap), TLS and MPTCP can change sk->sk_prot under us, so these functions need READ_ONCE() to avoid load tearing. Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260304064253.16955-1-jiayuan.chen@linux.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-01 19:13:47 +02:00 · 2026-03-04 14:42:52 +08:00 · 2026-03-04 14:42:52 +08:00 · ad4c955960
commit ad4c955960
parent 260d27b3ae
1 changed files with 6 additions and 2 deletions
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@ -852,11 +852,13 @@ EXPORT_SYMBOL_GPL(inet_send_prepare);
 int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 {
 	struct sock *sk = sock->sk;
+	const struct proto *prot;

 	if (unlikely(inet_send_prepare(sk)))
 		return -EAGAIN;

-	return INDIRECT_CALL_2(sk->sk_prot->sendmsg, tcp_sendmsg, udp_sendmsg,
+	prot = READ_ONCE(sk->sk_prot);
+	return INDIRECT_CALL_2(prot->sendmsg, tcp_sendmsg, udp_sendmsg,
 			       sk, msg, size);
 }
 EXPORT_SYMBOL(inet_sendmsg);
@ -882,11 +884,13 @@ int inet_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
 		 int flags)
 {
 	struct sock *sk = sock->sk;
+	const struct proto *prot;

 	if (likely(!(flags & MSG_ERRQUEUE)))
 		sock_rps_record_flow(sk);

-	return INDIRECT_CALL_2(sk->sk_prot->recvmsg, tcp_recvmsg, udp_recvmsg,
+	prot = READ_ONCE(sk->sk_prot);
+	return INDIRECT_CALL_2(prot->recvmsg, tcp_recvmsg, udp_recvmsg,
 			       sk, msg, size, flags);
 }
 EXPORT_SYMBOL(inet_recvmsg);