kernel/linux.git/drivers/net/ppp/pppoe.c, branch linux-7.0.y

pppoe: drop PFC frames

2026-05-23T11:09:20+00:00

[ Upstream commit cc1ff87bce1ccd38410ab10960f576dcd17db679 ] RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the current PPPoE driver assumes an uncompressed (2-byte) protocol field. However, the generic PPP layer function ppp_input() is not aware of the negotiation result, and still accepts PFC frames. If a peer with a broken implementation or an attacker sends a frame with a compressed (1-byte) protocol field, the subsequent PPP payload is shifted by one byte. This causes the network header to be 4-byte misaligned, which may trigger unaligned access exceptions on some architectures. To reduce the attack surface, drop PPPoE PFC frames. Introduce ppp_skb_is_compressed_proto() helper function to be used in both ppp_generic.c and pppoe.c to avoid open-coding. Fixes: 7fb1b8ca8fa1 ("ppp: Move PFC decompression to PPP generic layer") Signed-off-by: Qingfang Deng Reviewed-by: Simon Horman Link: https://patch.msgid.link/20260415022456.141758-2-qingfang.deng@linux.dev Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin

net: Convert proto_ops connect() callbacks to use sockaddr_unsized

2025-11-05T03:10:32+00:00

Update all struct proto_ops connect() callback function prototypes from "struct sockaddr *" to "struct sockaddr_unsized *" to avoid lying to the compiler about object sizes. Calls into struct proto handlers gain casts that will be removed in the struct proto conversion patch. No binary changes expected. Signed-off-by: Kees Cook Link: https://patch.msgid.link/20251104002617.2752303-3-kees@kernel.org Signed-off-by: Jakub Kicinski

pppoe: drop sock reference counting on fast path

2025-08-29T20:39:54+00:00

Now that PPPoE sockets are freed via RCU (SOCK_RCU_FREE), it is no longer necessary to take a reference count when looking up sockets on the receive path. Readers are protected by RCU, so the socket memory remains valid until after a grace period. Convert fast-path lookups to avoid refcounting: - Replace get_item() and sk_receive_skb() in pppoe_rcv() with __get_item() and __sk_receive_skb(). - Rework get_item_by_addr() into __get_item_by_addr() (no refcount and move RCU lock into pppoe_ioctl) - Remove unnecessary sock_put() calls. This avoids cacheline bouncing from atomic reference counting and improves performance on the receive fast path. Signed-off-by: Qingfang Deng Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250828012018.15922-2-dqfext@gmail.com Signed-off-by: Jakub Kicinski

pppoe: remove rwlock usage

2025-08-29T20:39:53+00:00

Like ppp_generic.c, convert the PPPoE socket hash table to use RCU for lookups and a spinlock for updates. This removes rwlock usage and allows lockless readers on the fast path. - Mark hash table and list pointers as __rcu. - Use spin_lock() to protect writers. - Readers use rcu_dereference() under rcu_read_lock(). All known callers of get_item() already hold the RCU read lock, so no additional locking is needed. - get_item() now uses refcount_inc_not_zero() instead of sock_hold() to safely take a reference. This prevents crashes if a socket is already in the process of being freed (sk_refcnt == 0). - Set SOCK_RCU_FREE to defer socket freeing until after an RCU grace period. - Move skb_queue_purge() into sk_destruct callback to ensure purge happens after an RCU grace period. Signed-off-by: Qingfang Deng Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20250828012018.15922-1-dqfext@gmail.com Signed-off-by: Jakub Kicinski

pppoe: drop PACKET_OTHERHOST before skb_share_check()

2025-06-24T23:37:02+00:00

Align with ip_rcv() by dropping PACKET_OTHERHOST packets before calling skb_share_check(). This avoids unnecessary skb processing for packets that will be discarded anyway. Signed-off-by: Qingfang Deng Acked-by: Guillaume Nault Link: https://patch.msgid.link/20250623033431.408810-1-dqfext@gmail.com Signed-off-by: Jakub Kicinski

ppp: use IFF_NO_QUEUE in virtual interfaces

2025-03-05T01:11:17+00:00

For PPPoE, PPTP, and PPPoL2TP, the start_xmit() function directly forwards packets to the underlying network stack and never returns anything other than 1. So these interfaces do not require a qdisc, and the IFF_NO_QUEUE flag should be set. Introduces a direct_xmit flag in struct ppp_channel to indicate when IFF_NO_QUEUE should be applied. The flag is set in ppp_connect_channel() for relevant protocols. While at it, remove the usused latency member from struct ppp_channel. Signed-off-by: Qingfang Deng Reviewed-by: Toke Høiland-Jørgensen Link: https://patch.msgid.link/20250301135517.695809-1-dqfext@gmail.com Signed-off-by: Jakub Kicinski

pppoe: Fix memory leak in pppoe_sendmsg()

2024-02-15T15:50:32+00:00

syzbot reports a memory leak in pppoe_sendmsg [1]. The problem is in the pppoe_recvmsg() function that handles errors in the wrong order. For the skb_recv_datagram() function, check the pointer to skb for NULL first, and then check the 'error' variable, because the skb_recv_datagram() function can set 'error' to -EAGAIN in a loop but return a correct pointer to socket buffer after a number of attempts, though 'error' remains set to -EAGAIN. skb_recv_datagram __skb_recv_datagram // Loop. if (err == -EAGAIN) then // go to the next loop iteration __skb_try_recv_datagram // if (skb != NULL) then return 'skb' // else if a signal is received then // return -EAGAIN Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. Link: https://syzkaller.appspot.com/bug?extid=6bdfd184eac7709e5cc9 [1] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+6bdfd184eac7709e5cc9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6bdfd184eac7709e5cc9 Signed-off-by: Gavrilov Ilia Reviewed-by: Guillaume Nault Link: https://lore.kernel.org/r/20240214085814.3894917-1-Ilia.Gavrilov@infotecs.ru Signed-off-by: Jakub Kicinski

net: implement lockless SO_PRIORITY

2023-10-01T18:09:54+00:00

This is a followup of 8bf43be799d4 ("net: annotate data-races around sk->sk_priority"). sk->sk_priority can be read and written without holding the socket lock. Signed-off-by: Eric Dumazet Reviewed-by: Wenjia Zhang Signed-off-by: David S. Miller

net: ppp: Remove unnecessary (void*) conversions

2023-07-19T02:00:47+00:00

No need cast (void*) to (struct sock *). Signed-off-by: Wu Yunchuan Reviewed-by: Guillaume Nault Link: https://lore.kernel.org/r/20230717031115.54432-1-yunchuan@nfschina.com Signed-off-by: Jakub Kicinski

net/pppoe: make number of hash bits configurable

2023-05-17T12:03:45+00:00

When running large numbers of pppoe connections, a bucket size of 16 may be too small and 256 may be more appropriate. This sacrifices some RAM but should result in faster processing of incoming PPPoE frames. On our systems we run upwards of 150 PPPoE connections at any point in time, and we suspect we're starting to see the effects of this small number of buckets. The legal values according to pppoe.c is anything that when 8 is divided by that results in a modulo of 0, ie, 1, 2, 4 and 8. The size of the per-underlying-interface structure is: sizeof(rwlock_t) + sizeof(pppox_sock*) * PPPOE_HASH_SIZE. Assuming a 64-bit pointer this will result in just over a 2KiB structure for PPPOE_HASH_BITS=8, which will likely result in a 4KiB allocation, which for us at least is acceptable. Not sure what the minimum allocation size is, and thus if values of 1 and 2 truly make sense. Default results in historic sizing and behaviour. Signed-off-by: Jaco Kroon Signed-off-by: David S. Miller