1 /*
2 * L2TP core.
3 *
4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
5 *
6 * This file contains some code of the original L2TPv2 pppol2tp
7 * driver, which has the following copyright:
8 *
9 * Authors: Martijn van Oosterhout <kleptog@svana.org>
10 * James Chapman (jchapman@katalix.com)
11 * Contributors:
12 * Michal Ostrowski <mostrows@speakeasy.net>
13 * Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
14 * David S. Miller (davem@redhat.com)
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2 as
18 * published by the Free Software Foundation.
19 */
20
21 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
22
23 #include <linux/module.h>
24 #include <linux/string.h>
25 #include <linux/list.h>
26 #include <linux/rculist.h>
27 #include <linux/uaccess.h>
28
29 #include <linux/kernel.h>
30 #include <linux/spinlock.h>
31 #include <linux/kthread.h>
32 #include <linux/sched.h>
33 #include <linux/slab.h>
34 #include <linux/errno.h>
35 #include <linux/jiffies.h>
36
37 #include <linux/netdevice.h>
38 #include <linux/net.h>
39 #include <linux/inetdevice.h>
40 #include <linux/skbuff.h>
41 #include <linux/init.h>
42 #include <linux/in.h>
43 #include <linux/ip.h>
44 #include <linux/udp.h>
45 #include <linux/l2tp.h>
46 #include <linux/hash.h>
47 #include <linux/sort.h>
48 #include <linux/file.h>
49 #include <linux/nsproxy.h>
50 #include <net/net_namespace.h>
51 #include <net/netns/generic.h>
52 #include <net/dst.h>
53 #include <net/ip.h>
54 #include <net/udp.h>
55 #include <net/udp_tunnel.h>
56 #include <net/inet_common.h>
57 #include <net/xfrm.h>
58 #include <net/protocol.h>
59 #include <net/inet6_connection_sock.h>
60 #include <net/inet_ecn.h>
61 #include <net/ip6_route.h>
62 #include <net/ip6_checksum.h>
63
64 #include <asm/byteorder.h>
65 #include <linux/atomic.h>
66
67 #include "l2tp_core.h"
68
69 #define L2TP_DRV_VERSION "V2.0"
70
71 /* L2TP header constants */
72 #define L2TP_HDRFLAG_T 0x8000
73 #define L2TP_HDRFLAG_L 0x4000
74 #define L2TP_HDRFLAG_S 0x0800
75 #define L2TP_HDRFLAG_O 0x0200
76 #define L2TP_HDRFLAG_P 0x0100
77
78 #define L2TP_HDR_VER_MASK 0x000F
79 #define L2TP_HDR_VER_2 0x0002
80 #define L2TP_HDR_VER_3 0x0003
81
82 /* L2TPv3 default L2-specific sublayer */
83 #define L2TP_SLFLAG_S 0x40000000
84 #define L2TP_SL_SEQ_MASK 0x00ffffff
85
86 #define L2TP_HDR_SIZE_MAX 14
87
88 /* Default trace flags */
89 #define L2TP_DEFAULT_DEBUG_FLAGS 0
90
91 /* Private data stored for received packets in the skb.
92 */
93 struct l2tp_skb_cb {
94 u32 ns;
95 u16 has_seq;
96 u16 length;
97 unsigned long expires;
98 };
99
100 #define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
101
102 static atomic_t l2tp_tunnel_count;
103 static atomic_t l2tp_session_count;
104 static struct workqueue_struct *l2tp_wq;
105
106 /* per-net private data for this module */
107 static unsigned int l2tp_net_id;
108 struct l2tp_net {
109 struct list_head l2tp_tunnel_list;
110 spinlock_t l2tp_tunnel_list_lock;
111 struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
112 spinlock_t l2tp_session_hlist_lock;
113 };
114
115 #if IS_ENABLED(CONFIG_IPV6)
l2tp_sk_is_v6(struct sock * sk)116 static bool l2tp_sk_is_v6(struct sock *sk)
117 {
118 return sk->sk_family == PF_INET6 &&
119 !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
120 }
121 #endif
122
l2tp_tunnel(struct sock * sk)123 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
124 {
125 return sk->sk_user_data;
126 }
127
l2tp_pernet(const struct net * net)128 static inline struct l2tp_net *l2tp_pernet(const struct net *net)
129 {
130 BUG_ON(!net);
131
132 return net_generic(net, l2tp_net_id);
133 }
134
135 /* Session hash global list for L2TPv3.
136 * The session_id SHOULD be random according to RFC3931, but several
137 * L2TP implementations use incrementing session_ids. So we do a real
138 * hash on the session_id, rather than a simple bitmask.
139 */
140 static inline struct hlist_head *
l2tp_session_id_hash_2(struct l2tp_net * pn,u32 session_id)141 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
142 {
143 return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
144
145 }
146
147 /* Lookup the tunnel socket, possibly involving the fs code if the socket is
148 * owned by userspace. A struct sock returned from this function must be
149 * released using l2tp_tunnel_sock_put once you're done with it.
150 */
l2tp_tunnel_sock_lookup(struct l2tp_tunnel * tunnel)151 static struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
152 {
153 int err = 0;
154 struct socket *sock = NULL;
155 struct sock *sk = NULL;
156
157 if (!tunnel)
158 goto out;
159
160 if (tunnel->fd >= 0) {
161 /* Socket is owned by userspace, who might be in the process
162 * of closing it. Look the socket up using the fd to ensure
163 * consistency.
164 */
165 sock = sockfd_lookup(tunnel->fd, &err);
166 if (sock)
167 sk = sock->sk;
168 } else {
169 /* Socket is owned by kernelspace */
170 sk = tunnel->sock;
171 sock_hold(sk);
172 }
173
174 out:
175 return sk;
176 }
177
178 /* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
l2tp_tunnel_sock_put(struct sock * sk)179 static void l2tp_tunnel_sock_put(struct sock *sk)
180 {
181 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
182 if (tunnel) {
183 if (tunnel->fd >= 0) {
184 /* Socket is owned by userspace */
185 sockfd_put(sk->sk_socket);
186 }
187 sock_put(sk);
188 }
189 sock_put(sk);
190 }
191
192 /* Session hash list.
193 * The session_id SHOULD be random according to RFC2661, but several
194 * L2TP implementations (Cisco and Microsoft) use incrementing
195 * session_ids. So we do a real hash on the session_id, rather than a
196 * simple bitmask.
197 */
198 static inline struct hlist_head *
l2tp_session_id_hash(struct l2tp_tunnel * tunnel,u32 session_id)199 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
200 {
201 return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
202 }
203
204 /* Lookup a tunnel. A new reference is held on the returned tunnel. */
l2tp_tunnel_get(const struct net * net,u32 tunnel_id)205 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
206 {
207 const struct l2tp_net *pn = l2tp_pernet(net);
208 struct l2tp_tunnel *tunnel;
209
210 rcu_read_lock_bh();
211 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
212 if (tunnel->tunnel_id == tunnel_id) {
213 l2tp_tunnel_inc_refcount(tunnel);
214 rcu_read_unlock_bh();
215
216 return tunnel;
217 }
218 }
219 rcu_read_unlock_bh();
220
221 return NULL;
222 }
223 EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
224
225 /* Lookup a session. A new reference is held on the returned session.
226 * Optionally calls session->ref() too if do_ref is true.
227 */
l2tp_session_get(const struct net * net,struct l2tp_tunnel * tunnel,u32 session_id,bool do_ref)228 struct l2tp_session *l2tp_session_get(const struct net *net,
229 struct l2tp_tunnel *tunnel,
230 u32 session_id, bool do_ref)
231 {
232 struct hlist_head *session_list;
233 struct l2tp_session *session;
234
235 if (!tunnel) {
236 struct l2tp_net *pn = l2tp_pernet(net);
237
238 session_list = l2tp_session_id_hash_2(pn, session_id);
239
240 rcu_read_lock_bh();
241 hlist_for_each_entry_rcu(session, session_list, global_hlist) {
242 if (session->session_id == session_id) {
243 l2tp_session_inc_refcount(session);
244 if (do_ref && session->ref)
245 session->ref(session);
246 rcu_read_unlock_bh();
247
248 return session;
249 }
250 }
251 rcu_read_unlock_bh();
252
253 return NULL;
254 }
255
256 session_list = l2tp_session_id_hash(tunnel, session_id);
257 read_lock_bh(&tunnel->hlist_lock);
258 hlist_for_each_entry(session, session_list, hlist) {
259 if (session->session_id == session_id) {
260 l2tp_session_inc_refcount(session);
261 if (do_ref && session->ref)
262 session->ref(session);
263 read_unlock_bh(&tunnel->hlist_lock);
264
265 return session;
266 }
267 }
268 read_unlock_bh(&tunnel->hlist_lock);
269
270 return NULL;
271 }
272 EXPORT_SYMBOL_GPL(l2tp_session_get);
273
l2tp_session_get_nth(struct l2tp_tunnel * tunnel,int nth,bool do_ref)274 struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
275 bool do_ref)
276 {
277 int hash;
278 struct l2tp_session *session;
279 int count = 0;
280
281 read_lock_bh(&tunnel->hlist_lock);
282 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
283 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
284 if (++count > nth) {
285 l2tp_session_inc_refcount(session);
286 if (do_ref && session->ref)
287 session->ref(session);
288 read_unlock_bh(&tunnel->hlist_lock);
289 return session;
290 }
291 }
292 }
293
294 read_unlock_bh(&tunnel->hlist_lock);
295
296 return NULL;
297 }
298 EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
299
300 /* Lookup a session by interface name.
301 * This is very inefficient but is only used by management interfaces.
302 */
l2tp_session_get_by_ifname(const struct net * net,const char * ifname,bool do_ref)303 struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
304 const char *ifname,
305 bool do_ref)
306 {
307 struct l2tp_net *pn = l2tp_pernet(net);
308 int hash;
309 struct l2tp_session *session;
310
311 rcu_read_lock_bh();
312 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
313 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
314 if (!strcmp(session->ifname, ifname)) {
315 l2tp_session_inc_refcount(session);
316 if (do_ref && session->ref)
317 session->ref(session);
318 rcu_read_unlock_bh();
319
320 return session;
321 }
322 }
323 }
324
325 rcu_read_unlock_bh();
326
327 return NULL;
328 }
329 EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
330
l2tp_session_add_to_tunnel(struct l2tp_tunnel * tunnel,struct l2tp_session * session)331 static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel,
332 struct l2tp_session *session)
333 {
334 struct l2tp_session *session_walk;
335 struct hlist_head *g_head;
336 struct hlist_head *head;
337 struct l2tp_net *pn;
338 int err;
339
340 head = l2tp_session_id_hash(tunnel, session->session_id);
341
342 write_lock_bh(&tunnel->hlist_lock);
343 if (!tunnel->acpt_newsess) {
344 err = -ENODEV;
345 goto err_tlock;
346 }
347
348 hlist_for_each_entry(session_walk, head, hlist)
349 if (session_walk->session_id == session->session_id) {
350 err = -EEXIST;
351 goto err_tlock;
352 }
353
354 if (tunnel->version == L2TP_HDR_VER_3) {
355 pn = l2tp_pernet(tunnel->l2tp_net);
356 g_head = l2tp_session_id_hash_2(l2tp_pernet(tunnel->l2tp_net),
357 session->session_id);
358
359 spin_lock_bh(&pn->l2tp_session_hlist_lock);
360
361 /* IP encap expects session IDs to be globally unique, while
362 * UDP encap doesn't.
363 */
364 hlist_for_each_entry(session_walk, g_head, global_hlist)
365 if (session_walk->session_id == session->session_id &&
366 (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP ||
367 tunnel->encap == L2TP_ENCAPTYPE_IP)) {
368 err = -EEXIST;
369 goto err_tlock_pnlock;
370 }
371
372 l2tp_tunnel_inc_refcount(tunnel);
373 sock_hold(tunnel->sock);
374 hlist_add_head_rcu(&session->global_hlist, g_head);
375
376 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
377 } else {
378 l2tp_tunnel_inc_refcount(tunnel);
379 sock_hold(tunnel->sock);
380 }
381
382 hlist_add_head(&session->hlist, head);
383 write_unlock_bh(&tunnel->hlist_lock);
384
385 return 0;
386
387 err_tlock_pnlock:
388 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
389 err_tlock:
390 write_unlock_bh(&tunnel->hlist_lock);
391
392 return err;
393 }
394
395 /* Lookup a tunnel by id
396 */
l2tp_tunnel_find(const struct net * net,u32 tunnel_id)397 struct l2tp_tunnel *l2tp_tunnel_find(const struct net *net, u32 tunnel_id)
398 {
399 struct l2tp_tunnel *tunnel;
400 struct l2tp_net *pn = l2tp_pernet(net);
401
402 rcu_read_lock_bh();
403 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
404 if (tunnel->tunnel_id == tunnel_id) {
405 rcu_read_unlock_bh();
406 return tunnel;
407 }
408 }
409 rcu_read_unlock_bh();
410
411 return NULL;
412 }
413 EXPORT_SYMBOL_GPL(l2tp_tunnel_find);
414
l2tp_tunnel_find_nth(const struct net * net,int nth)415 struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth)
416 {
417 struct l2tp_net *pn = l2tp_pernet(net);
418 struct l2tp_tunnel *tunnel;
419 int count = 0;
420
421 rcu_read_lock_bh();
422 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
423 if (++count > nth) {
424 rcu_read_unlock_bh();
425 return tunnel;
426 }
427 }
428
429 rcu_read_unlock_bh();
430
431 return NULL;
432 }
433 EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
434
435 /*****************************************************************************
436 * Receive data handling
437 *****************************************************************************/
438
439 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
440 * number.
441 */
l2tp_recv_queue_skb(struct l2tp_session * session,struct sk_buff * skb)442 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
443 {
444 struct sk_buff *skbp;
445 struct sk_buff *tmp;
446 u32 ns = L2TP_SKB_CB(skb)->ns;
447
448 spin_lock_bh(&session->reorder_q.lock);
449 skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
450 if (L2TP_SKB_CB(skbp)->ns > ns) {
451 __skb_queue_before(&session->reorder_q, skbp, skb);
452 l2tp_dbg(session, L2TP_MSG_SEQ,
453 "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
454 session->name, ns, L2TP_SKB_CB(skbp)->ns,
455 skb_queue_len(&session->reorder_q));
456 atomic_long_inc(&session->stats.rx_oos_packets);
457 goto out;
458 }
459 }
460
461 __skb_queue_tail(&session->reorder_q, skb);
462
463 out:
464 spin_unlock_bh(&session->reorder_q.lock);
465 }
466
467 /* Dequeue a single skb.
468 */
l2tp_recv_dequeue_skb(struct l2tp_session * session,struct sk_buff * skb)469 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
470 {
471 struct l2tp_tunnel *tunnel = session->tunnel;
472 int length = L2TP_SKB_CB(skb)->length;
473
474 /* We're about to requeue the skb, so return resources
475 * to its current owner (a socket receive buffer).
476 */
477 skb_orphan(skb);
478
479 atomic_long_inc(&tunnel->stats.rx_packets);
480 atomic_long_add(length, &tunnel->stats.rx_bytes);
481 atomic_long_inc(&session->stats.rx_packets);
482 atomic_long_add(length, &session->stats.rx_bytes);
483
484 if (L2TP_SKB_CB(skb)->has_seq) {
485 /* Bump our Nr */
486 session->nr++;
487 session->nr &= session->nr_max;
488
489 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
490 session->name, session->nr);
491 }
492
493 /* call private receive handler */
494 if (session->recv_skb != NULL)
495 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
496 else
497 kfree_skb(skb);
498
499 if (session->deref)
500 (*session->deref)(session);
501 }
502
503 /* Dequeue skbs from the session's reorder_q, subject to packet order.
504 * Skbs that have been in the queue for too long are simply discarded.
505 */
l2tp_recv_dequeue(struct l2tp_session * session)506 static void l2tp_recv_dequeue(struct l2tp_session *session)
507 {
508 struct sk_buff *skb;
509 struct sk_buff *tmp;
510
511 /* If the pkt at the head of the queue has the nr that we
512 * expect to send up next, dequeue it and any other
513 * in-sequence packets behind it.
514 */
515 start:
516 spin_lock_bh(&session->reorder_q.lock);
517 skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
518 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
519 atomic_long_inc(&session->stats.rx_seq_discards);
520 atomic_long_inc(&session->stats.rx_errors);
521 l2tp_dbg(session, L2TP_MSG_SEQ,
522 "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
523 session->name, L2TP_SKB_CB(skb)->ns,
524 L2TP_SKB_CB(skb)->length, session->nr,
525 skb_queue_len(&session->reorder_q));
526 session->reorder_skip = 1;
527 __skb_unlink(skb, &session->reorder_q);
528 kfree_skb(skb);
529 if (session->deref)
530 (*session->deref)(session);
531 continue;
532 }
533
534 if (L2TP_SKB_CB(skb)->has_seq) {
535 if (session->reorder_skip) {
536 l2tp_dbg(session, L2TP_MSG_SEQ,
537 "%s: advancing nr to next pkt: %u -> %u",
538 session->name, session->nr,
539 L2TP_SKB_CB(skb)->ns);
540 session->reorder_skip = 0;
541 session->nr = L2TP_SKB_CB(skb)->ns;
542 }
543 if (L2TP_SKB_CB(skb)->ns != session->nr) {
544 l2tp_dbg(session, L2TP_MSG_SEQ,
545 "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
546 session->name, L2TP_SKB_CB(skb)->ns,
547 L2TP_SKB_CB(skb)->length, session->nr,
548 skb_queue_len(&session->reorder_q));
549 goto out;
550 }
551 }
552 __skb_unlink(skb, &session->reorder_q);
553
554 /* Process the skb. We release the queue lock while we
555 * do so to let other contexts process the queue.
556 */
557 spin_unlock_bh(&session->reorder_q.lock);
558 l2tp_recv_dequeue_skb(session, skb);
559 goto start;
560 }
561
562 out:
563 spin_unlock_bh(&session->reorder_q.lock);
564 }
565
l2tp_seq_check_rx_window(struct l2tp_session * session,u32 nr)566 static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
567 {
568 u32 nws;
569
570 if (nr >= session->nr)
571 nws = nr - session->nr;
572 else
573 nws = (session->nr_max + 1) - (session->nr - nr);
574
575 return nws < session->nr_window_size;
576 }
577
578 /* If packet has sequence numbers, queue it if acceptable. Returns 0 if
579 * acceptable, else non-zero.
580 */
l2tp_recv_data_seq(struct l2tp_session * session,struct sk_buff * skb)581 static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
582 {
583 if (!l2tp_seq_check_rx_window(session, L2TP_SKB_CB(skb)->ns)) {
584 /* Packet sequence number is outside allowed window.
585 * Discard it.
586 */
587 l2tp_dbg(session, L2TP_MSG_SEQ,
588 "%s: pkt %u len %d discarded, outside window, nr=%u\n",
589 session->name, L2TP_SKB_CB(skb)->ns,
590 L2TP_SKB_CB(skb)->length, session->nr);
591 goto discard;
592 }
593
594 if (session->reorder_timeout != 0) {
595 /* Packet reordering enabled. Add skb to session's
596 * reorder queue, in order of ns.
597 */
598 l2tp_recv_queue_skb(session, skb);
599 goto out;
600 }
601
602 /* Packet reordering disabled. Discard out-of-sequence packets, while
603 * tracking the number if in-sequence packets after the first OOS packet
604 * is seen. After nr_oos_count_max in-sequence packets, reset the
605 * sequence number to re-enable packet reception.
606 */
607 if (L2TP_SKB_CB(skb)->ns == session->nr) {
608 skb_queue_tail(&session->reorder_q, skb);
609 } else {
610 u32 nr_oos = L2TP_SKB_CB(skb)->ns;
611 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
612
613 if (nr_oos == nr_next)
614 session->nr_oos_count++;
615 else
616 session->nr_oos_count = 0;
617
618 session->nr_oos = nr_oos;
619 if (session->nr_oos_count > session->nr_oos_count_max) {
620 session->reorder_skip = 1;
621 l2tp_dbg(session, L2TP_MSG_SEQ,
622 "%s: %d oos packets received. Resetting sequence numbers\n",
623 session->name, session->nr_oos_count);
624 }
625 if (!session->reorder_skip) {
626 atomic_long_inc(&session->stats.rx_seq_discards);
627 l2tp_dbg(session, L2TP_MSG_SEQ,
628 "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
629 session->name, L2TP_SKB_CB(skb)->ns,
630 L2TP_SKB_CB(skb)->length, session->nr,
631 skb_queue_len(&session->reorder_q));
632 goto discard;
633 }
634 skb_queue_tail(&session->reorder_q, skb);
635 }
636
637 out:
638 return 0;
639
640 discard:
641 return 1;
642 }
643
644 /* Do receive processing of L2TP data frames. We handle both L2TPv2
645 * and L2TPv3 data frames here.
646 *
647 * L2TPv2 Data Message Header
648 *
649 * 0 1 2 3
650 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
651 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
652 * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) |
653 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
654 * | Tunnel ID | Session ID |
655 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
656 * | Ns (opt) | Nr (opt) |
657 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
658 * | Offset Size (opt) | Offset pad... (opt)
659 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
660 *
661 * Data frames are marked by T=0. All other fields are the same as
662 * those in L2TP control frames.
663 *
664 * L2TPv3 Data Message Header
665 *
666 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
667 * | L2TP Session Header |
668 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
669 * | L2-Specific Sublayer |
670 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
671 * | Tunnel Payload ...
672 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
673 *
674 * L2TPv3 Session Header Over IP
675 *
676 * 0 1 2 3
677 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
678 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
679 * | Session ID |
680 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
681 * | Cookie (optional, maximum 64 bits)...
682 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
683 * |
684 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
685 *
686 * L2TPv3 L2-Specific Sublayer Format
687 *
688 * 0 1 2 3
689 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
690 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
691 * |x|S|x|x|x|x|x|x| Sequence Number |
692 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
693 *
694 * Cookie value, sublayer format and offset (pad) are negotiated with
695 * the peer when the session is set up. Unlike L2TPv2, we do not need
696 * to parse the packet header to determine if optional fields are
697 * present.
698 *
699 * Caller must already have parsed the frame and determined that it is
700 * a data (not control) frame before coming here. Fields up to the
701 * session-id have already been parsed and ptr points to the data
702 * after the session-id.
703 *
704 * session->ref() must have been called prior to l2tp_recv_common().
705 * session->deref() will be called automatically after skb is processed.
706 */
l2tp_recv_common(struct l2tp_session * session,struct sk_buff * skb,unsigned char * ptr,unsigned char * optr,u16 hdrflags,int length)707 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
708 unsigned char *ptr, unsigned char *optr, u16 hdrflags,
709 int length)
710 {
711 struct l2tp_tunnel *tunnel = session->tunnel;
712 int offset;
713 u32 ns, nr;
714
715 /* Parse and check optional cookie */
716 if (session->peer_cookie_len > 0) {
717 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
718 l2tp_info(tunnel, L2TP_MSG_DATA,
719 "%s: cookie mismatch (%u/%u). Discarding.\n",
720 tunnel->name, tunnel->tunnel_id,
721 session->session_id);
722 atomic_long_inc(&session->stats.rx_cookie_discards);
723 goto discard;
724 }
725 ptr += session->peer_cookie_len;
726 }
727
728 /* Handle the optional sequence numbers. Sequence numbers are
729 * in different places for L2TPv2 and L2TPv3.
730 *
731 * If we are the LAC, enable/disable sequence numbers under
732 * the control of the LNS. If no sequence numbers present but
733 * we were expecting them, discard frame.
734 */
735 ns = nr = 0;
736 L2TP_SKB_CB(skb)->has_seq = 0;
737 if (tunnel->version == L2TP_HDR_VER_2) {
738 if (hdrflags & L2TP_HDRFLAG_S) {
739 ns = ntohs(*(__be16 *) ptr);
740 ptr += 2;
741 nr = ntohs(*(__be16 *) ptr);
742 ptr += 2;
743
744 /* Store L2TP info in the skb */
745 L2TP_SKB_CB(skb)->ns = ns;
746 L2TP_SKB_CB(skb)->has_seq = 1;
747
748 l2tp_dbg(session, L2TP_MSG_SEQ,
749 "%s: recv data ns=%u, nr=%u, session nr=%u\n",
750 session->name, ns, nr, session->nr);
751 }
752 } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
753 u32 l2h = ntohl(*(__be32 *) ptr);
754
755 if (l2h & 0x40000000) {
756 ns = l2h & 0x00ffffff;
757
758 /* Store L2TP info in the skb */
759 L2TP_SKB_CB(skb)->ns = ns;
760 L2TP_SKB_CB(skb)->has_seq = 1;
761
762 l2tp_dbg(session, L2TP_MSG_SEQ,
763 "%s: recv data ns=%u, session nr=%u\n",
764 session->name, ns, session->nr);
765 }
766 ptr += 4;
767 }
768
769 if (L2TP_SKB_CB(skb)->has_seq) {
770 /* Received a packet with sequence numbers. If we're the LNS,
771 * check if we sre sending sequence numbers and if not,
772 * configure it so.
773 */
774 if ((!session->lns_mode) && (!session->send_seq)) {
775 l2tp_info(session, L2TP_MSG_SEQ,
776 "%s: requested to enable seq numbers by LNS\n",
777 session->name);
778 session->send_seq = 1;
779 l2tp_session_set_header_len(session, tunnel->version);
780 }
781 } else {
782 /* No sequence numbers.
783 * If user has configured mandatory sequence numbers, discard.
784 */
785 if (session->recv_seq) {
786 l2tp_warn(session, L2TP_MSG_SEQ,
787 "%s: recv data has no seq numbers when required. Discarding.\n",
788 session->name);
789 atomic_long_inc(&session->stats.rx_seq_discards);
790 goto discard;
791 }
792
793 /* If we're the LAC and we're sending sequence numbers, the
794 * LNS has requested that we no longer send sequence numbers.
795 * If we're the LNS and we're sending sequence numbers, the
796 * LAC is broken. Discard the frame.
797 */
798 if ((!session->lns_mode) && (session->send_seq)) {
799 l2tp_info(session, L2TP_MSG_SEQ,
800 "%s: requested to disable seq numbers by LNS\n",
801 session->name);
802 session->send_seq = 0;
803 l2tp_session_set_header_len(session, tunnel->version);
804 } else if (session->send_seq) {
805 l2tp_warn(session, L2TP_MSG_SEQ,
806 "%s: recv data has no seq numbers when required. Discarding.\n",
807 session->name);
808 atomic_long_inc(&session->stats.rx_seq_discards);
809 goto discard;
810 }
811 }
812
813 /* Session data offset is defined only for L2TPv2 and is
814 * indicated by an optional 16-bit value in the header.
815 */
816 if (tunnel->version == L2TP_HDR_VER_2) {
817 /* If offset bit set, skip it. */
818 if (hdrflags & L2TP_HDRFLAG_O) {
819 offset = ntohs(*(__be16 *)ptr);
820 ptr += 2 + offset;
821 }
822 }
823
824 offset = ptr - optr;
825 if (!pskb_may_pull(skb, offset))
826 goto discard;
827
828 __skb_pull(skb, offset);
829
830 /* Prepare skb for adding to the session's reorder_q. Hold
831 * packets for max reorder_timeout or 1 second if not
832 * reordering.
833 */
834 L2TP_SKB_CB(skb)->length = length;
835 L2TP_SKB_CB(skb)->expires = jiffies +
836 (session->reorder_timeout ? session->reorder_timeout : HZ);
837
838 /* Add packet to the session's receive queue. Reordering is done here, if
839 * enabled. Saved L2TP protocol info is stored in skb->sb[].
840 */
841 if (L2TP_SKB_CB(skb)->has_seq) {
842 if (l2tp_recv_data_seq(session, skb))
843 goto discard;
844 } else {
845 /* No sequence numbers. Add the skb to the tail of the
846 * reorder queue. This ensures that it will be
847 * delivered after all previous sequenced skbs.
848 */
849 skb_queue_tail(&session->reorder_q, skb);
850 }
851
852 /* Try to dequeue as many skbs from reorder_q as we can. */
853 l2tp_recv_dequeue(session);
854
855 return;
856
857 discard:
858 atomic_long_inc(&session->stats.rx_errors);
859 kfree_skb(skb);
860
861 if (session->deref)
862 (*session->deref)(session);
863 }
864 EXPORT_SYMBOL(l2tp_recv_common);
865
866 /* Drop skbs from the session's reorder_q
867 */
l2tp_session_queue_purge(struct l2tp_session * session)868 int l2tp_session_queue_purge(struct l2tp_session *session)
869 {
870 struct sk_buff *skb = NULL;
871 BUG_ON(!session);
872 BUG_ON(session->magic != L2TP_SESSION_MAGIC);
873 while ((skb = skb_dequeue(&session->reorder_q))) {
874 atomic_long_inc(&session->stats.rx_errors);
875 kfree_skb(skb);
876 if (session->deref)
877 (*session->deref)(session);
878 }
879 return 0;
880 }
881 EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
882
883 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
884 * here. The skb is not on a list when we get here.
885 * Returns 0 if the packet was a data packet and was successfully passed on.
886 * Returns 1 if the packet was not a good data packet and could not be
887 * forwarded. All such packets are passed up to userspace to deal with.
888 */
l2tp_udp_recv_core(struct l2tp_tunnel * tunnel,struct sk_buff * skb)889 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
890 {
891 struct l2tp_session *session = NULL;
892 unsigned char *ptr, *optr;
893 u16 hdrflags;
894 u32 tunnel_id, session_id;
895 u16 version;
896 int length;
897
898 /* UDP has verifed checksum */
899
900 /* UDP always verifies the packet length. */
901 __skb_pull(skb, sizeof(struct udphdr));
902
903 /* Short packet? */
904 if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) {
905 l2tp_info(tunnel, L2TP_MSG_DATA,
906 "%s: recv short packet (len=%d)\n",
907 tunnel->name, skb->len);
908 goto error;
909 }
910
911 /* Trace packet contents, if enabled */
912 if (tunnel->debug & L2TP_MSG_DATA) {
913 length = min(32u, skb->len);
914 if (!pskb_may_pull(skb, length))
915 goto error;
916
917 pr_debug("%s: recv\n", tunnel->name);
918 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
919 }
920
921 /* Point to L2TP header */
922 optr = ptr = skb->data;
923
924 /* Get L2TP header flags */
925 hdrflags = ntohs(*(__be16 *) ptr);
926
927 /* Check protocol version */
928 version = hdrflags & L2TP_HDR_VER_MASK;
929 if (version != tunnel->version) {
930 l2tp_info(tunnel, L2TP_MSG_DATA,
931 "%s: recv protocol version mismatch: got %d expected %d\n",
932 tunnel->name, version, tunnel->version);
933 goto error;
934 }
935
936 /* Get length of L2TP packet */
937 length = skb->len;
938
939 /* If type is control packet, it is handled by userspace. */
940 if (hdrflags & L2TP_HDRFLAG_T) {
941 l2tp_dbg(tunnel, L2TP_MSG_DATA,
942 "%s: recv control packet, len=%d\n",
943 tunnel->name, length);
944 goto error;
945 }
946
947 /* Skip flags */
948 ptr += 2;
949
950 if (tunnel->version == L2TP_HDR_VER_2) {
951 /* If length is present, skip it */
952 if (hdrflags & L2TP_HDRFLAG_L)
953 ptr += 2;
954
955 /* Extract tunnel and session ID */
956 tunnel_id = ntohs(*(__be16 *) ptr);
957 ptr += 2;
958 session_id = ntohs(*(__be16 *) ptr);
959 ptr += 2;
960 } else {
961 ptr += 2; /* skip reserved bits */
962 tunnel_id = tunnel->tunnel_id;
963 session_id = ntohl(*(__be32 *) ptr);
964 ptr += 4;
965 }
966
967 /* Find the session context */
968 session = l2tp_session_get(tunnel->l2tp_net, tunnel, session_id, true);
969 if (!session || !session->recv_skb) {
970 if (session) {
971 if (session->deref)
972 session->deref(session);
973 l2tp_session_dec_refcount(session);
974 }
975
976 /* Not found? Pass to userspace to deal with */
977 l2tp_info(tunnel, L2TP_MSG_DATA,
978 "%s: no session found (%u/%u). Passing up.\n",
979 tunnel->name, tunnel_id, session_id);
980 goto error;
981 }
982
983 if (tunnel->version == L2TP_HDR_VER_3 &&
984 l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
985 goto error;
986
987 l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
988 l2tp_session_dec_refcount(session);
989
990 return 0;
991
992 error:
993 /* Put UDP header back */
994 __skb_push(skb, sizeof(struct udphdr));
995
996 return 1;
997 }
998
999 /* UDP encapsulation receive handler. See net/ipv4/udp.c.
1000 * Return codes:
1001 * 0 : success.
1002 * <0: error
1003 * >0: skb should be passed up to userspace as UDP.
1004 */
l2tp_udp_encap_recv(struct sock * sk,struct sk_buff * skb)1005 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
1006 {
1007 struct l2tp_tunnel *tunnel;
1008
1009 tunnel = l2tp_sock_to_tunnel(sk);
1010 if (tunnel == NULL)
1011 goto pass_up;
1012
1013 l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
1014 tunnel->name, skb->len);
1015
1016 if (l2tp_udp_recv_core(tunnel, skb))
1017 goto pass_up_put;
1018
1019 sock_put(sk);
1020 return 0;
1021
1022 pass_up_put:
1023 sock_put(sk);
1024 pass_up:
1025 return 1;
1026 }
1027 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
1028
1029 /************************************************************************
1030 * Transmit handling
1031 ***********************************************************************/
1032
1033 /* Build an L2TP header for the session into the buffer provided.
1034 */
l2tp_build_l2tpv2_header(struct l2tp_session * session,void * buf)1035 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
1036 {
1037 struct l2tp_tunnel *tunnel = session->tunnel;
1038 __be16 *bufp = buf;
1039 __be16 *optr = buf;
1040 u16 flags = L2TP_HDR_VER_2;
1041 u32 tunnel_id = tunnel->peer_tunnel_id;
1042 u32 session_id = session->peer_session_id;
1043
1044 if (session->send_seq)
1045 flags |= L2TP_HDRFLAG_S;
1046
1047 /* Setup L2TP header. */
1048 *bufp++ = htons(flags);
1049 *bufp++ = htons(tunnel_id);
1050 *bufp++ = htons(session_id);
1051 if (session->send_seq) {
1052 *bufp++ = htons(session->ns);
1053 *bufp++ = 0;
1054 session->ns++;
1055 session->ns &= 0xffff;
1056 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
1057 session->name, session->ns);
1058 }
1059
1060 return bufp - optr;
1061 }
1062
l2tp_build_l2tpv3_header(struct l2tp_session * session,void * buf)1063 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1064 {
1065 struct l2tp_tunnel *tunnel = session->tunnel;
1066 char *bufp = buf;
1067 char *optr = bufp;
1068
1069 /* Setup L2TP header. The header differs slightly for UDP and
1070 * IP encapsulations. For UDP, there is 4 bytes of flags.
1071 */
1072 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1073 u16 flags = L2TP_HDR_VER_3;
1074 *((__be16 *) bufp) = htons(flags);
1075 bufp += 2;
1076 *((__be16 *) bufp) = 0;
1077 bufp += 2;
1078 }
1079
1080 *((__be32 *) bufp) = htonl(session->peer_session_id);
1081 bufp += 4;
1082 if (session->cookie_len) {
1083 memcpy(bufp, &session->cookie[0], session->cookie_len);
1084 bufp += session->cookie_len;
1085 }
1086 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1087 u32 l2h = 0;
1088
1089 if (session->send_seq) {
1090 l2h = 0x40000000 | session->ns;
1091 session->ns++;
1092 session->ns &= 0xffffff;
1093 l2tp_dbg(session, L2TP_MSG_SEQ,
1094 "%s: updated ns to %u\n",
1095 session->name, session->ns);
1096 }
1097
1098 *((__be32 *)bufp) = htonl(l2h);
1099 bufp += 4;
1100 }
1101
1102 return bufp - optr;
1103 }
1104
l2tp_xmit_core(struct l2tp_session * session,struct sk_buff * skb,struct flowi * fl,size_t data_len)1105 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1106 struct flowi *fl, size_t data_len)
1107 {
1108 struct l2tp_tunnel *tunnel = session->tunnel;
1109 unsigned int len = skb->len;
1110 int error;
1111
1112 /* Debug */
1113 if (session->send_seq)
1114 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %zd bytes, ns=%u\n",
1115 session->name, data_len, session->ns - 1);
1116 else
1117 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %zd bytes\n",
1118 session->name, data_len);
1119
1120 if (session->debug & L2TP_MSG_DATA) {
1121 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1122 unsigned char *datap = skb->data + uhlen;
1123
1124 pr_debug("%s: xmit\n", session->name);
1125 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1126 datap, min_t(size_t, 32, len - uhlen));
1127 }
1128
1129 /* Queue the packet to IP for output */
1130 skb->ignore_df = 1;
1131 #if IS_ENABLED(CONFIG_IPV6)
1132 if (l2tp_sk_is_v6(tunnel->sock))
1133 error = inet6_csk_xmit(tunnel->sock, skb, NULL);
1134 else
1135 #endif
1136 error = ip_queue_xmit(tunnel->sock, skb, fl);
1137
1138 /* Update stats */
1139 if (error >= 0) {
1140 atomic_long_inc(&tunnel->stats.tx_packets);
1141 atomic_long_add(len, &tunnel->stats.tx_bytes);
1142 atomic_long_inc(&session->stats.tx_packets);
1143 atomic_long_add(len, &session->stats.tx_bytes);
1144 } else {
1145 atomic_long_inc(&tunnel->stats.tx_errors);
1146 atomic_long_inc(&session->stats.tx_errors);
1147 }
1148
1149 return 0;
1150 }
1151
1152 /* If caller requires the skb to have a ppp header, the header must be
1153 * inserted in the skb data before calling this function.
1154 */
l2tp_xmit_skb(struct l2tp_session * session,struct sk_buff * skb,int hdr_len)1155 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1156 {
1157 int data_len = skb->len;
1158 struct l2tp_tunnel *tunnel = session->tunnel;
1159 struct sock *sk = tunnel->sock;
1160 struct flowi *fl;
1161 struct udphdr *uh;
1162 struct inet_sock *inet;
1163 int headroom;
1164 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1165 int udp_len;
1166 int ret = NET_XMIT_SUCCESS;
1167
1168 /* Check that there's enough headroom in the skb to insert IP,
1169 * UDP and L2TP headers. If not enough, expand it to
1170 * make room. Adjust truesize.
1171 */
1172 headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1173 uhlen + hdr_len;
1174 if (skb_cow_head(skb, headroom)) {
1175 kfree_skb(skb);
1176 return NET_XMIT_DROP;
1177 }
1178
1179 /* Setup L2TP header */
1180 session->build_header(session, __skb_push(skb, hdr_len));
1181
1182 /* Reset skb netfilter state */
1183 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1184 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1185 IPSKB_REROUTED);
1186 nf_reset(skb);
1187
1188 bh_lock_sock(sk);
1189 if (sock_owned_by_user(sk)) {
1190 kfree_skb(skb);
1191 ret = NET_XMIT_DROP;
1192 goto out_unlock;
1193 }
1194
1195 /* The user-space may change the connection status for the user-space
1196 * provided socket at run time: we must check it under the socket lock
1197 */
1198 if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
1199 kfree_skb(skb);
1200 ret = NET_XMIT_DROP;
1201 goto out_unlock;
1202 }
1203
1204 /* Get routing info from the tunnel socket */
1205 skb_dst_drop(skb);
1206 skb_dst_set(skb, sk_dst_check(sk, 0));
1207
1208 inet = inet_sk(sk);
1209 fl = &inet->cork.fl;
1210 switch (tunnel->encap) {
1211 case L2TP_ENCAPTYPE_UDP:
1212 /* Setup UDP header */
1213 __skb_push(skb, sizeof(*uh));
1214 skb_reset_transport_header(skb);
1215 uh = udp_hdr(skb);
1216 uh->source = inet->inet_sport;
1217 uh->dest = inet->inet_dport;
1218 udp_len = uhlen + hdr_len + data_len;
1219 uh->len = htons(udp_len);
1220
1221 /* Calculate UDP checksum if configured to do so */
1222 #if IS_ENABLED(CONFIG_IPV6)
1223 if (l2tp_sk_is_v6(sk))
1224 udp6_set_csum(udp_get_no_check6_tx(sk),
1225 skb, &inet6_sk(sk)->saddr,
1226 &sk->sk_v6_daddr, udp_len);
1227 else
1228 #endif
1229 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1230 inet->inet_daddr, udp_len);
1231 break;
1232
1233 case L2TP_ENCAPTYPE_IP:
1234 break;
1235 }
1236
1237 l2tp_xmit_core(session, skb, fl, data_len);
1238 out_unlock:
1239 bh_unlock_sock(sk);
1240
1241 return ret;
1242 }
1243 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1244
1245 /*****************************************************************************
1246 * Tinnel and session create/destroy.
1247 *****************************************************************************/
1248
1249 /* Tunnel socket destruct hook.
1250 * The tunnel context is deleted only when all session sockets have been
1251 * closed.
1252 */
l2tp_tunnel_destruct(struct sock * sk)1253 static void l2tp_tunnel_destruct(struct sock *sk)
1254 {
1255 struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
1256 struct l2tp_net *pn;
1257
1258 if (tunnel == NULL)
1259 goto end;
1260
1261 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1262
1263
1264 /* Disable udp encapsulation */
1265 switch (tunnel->encap) {
1266 case L2TP_ENCAPTYPE_UDP:
1267 /* No longer an encapsulation socket. See net/ipv4/udp.c */
1268 (udp_sk(sk))->encap_type = 0;
1269 (udp_sk(sk))->encap_rcv = NULL;
1270 (udp_sk(sk))->encap_destroy = NULL;
1271 break;
1272 case L2TP_ENCAPTYPE_IP:
1273 break;
1274 }
1275
1276 /* Remove hooks into tunnel socket */
1277 sk->sk_destruct = tunnel->old_sk_destruct;
1278 sk->sk_user_data = NULL;
1279
1280 /* Remove the tunnel struct from the tunnel list */
1281 pn = l2tp_pernet(tunnel->l2tp_net);
1282 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1283 list_del_rcu(&tunnel->list);
1284 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1285 atomic_dec(&l2tp_tunnel_count);
1286
1287 l2tp_tunnel_closeall(tunnel);
1288
1289 tunnel->sock = NULL;
1290 l2tp_tunnel_dec_refcount(tunnel);
1291
1292 /* Call the original destructor */
1293 if (sk->sk_destruct)
1294 (*sk->sk_destruct)(sk);
1295 end:
1296 return;
1297 }
1298
1299 /* When the tunnel is closed, all the attached sessions need to go too.
1300 */
l2tp_tunnel_closeall(struct l2tp_tunnel * tunnel)1301 void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1302 {
1303 int hash;
1304 struct hlist_node *walk;
1305 struct hlist_node *tmp;
1306 struct l2tp_session *session;
1307
1308 BUG_ON(tunnel == NULL);
1309
1310 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1311 tunnel->name);
1312
1313 write_lock_bh(&tunnel->hlist_lock);
1314 tunnel->acpt_newsess = false;
1315 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1316 again:
1317 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1318 session = hlist_entry(walk, struct l2tp_session, hlist);
1319
1320 l2tp_info(session, L2TP_MSG_CONTROL,
1321 "%s: closing session\n", session->name);
1322
1323 hlist_del_init(&session->hlist);
1324
1325 if (test_and_set_bit(0, &session->dead))
1326 goto again;
1327
1328 if (session->ref != NULL)
1329 (*session->ref)(session);
1330
1331 write_unlock_bh(&tunnel->hlist_lock);
1332
1333 __l2tp_session_unhash(session);
1334 l2tp_session_queue_purge(session);
1335
1336 if (session->session_close != NULL)
1337 (*session->session_close)(session);
1338
1339 if (session->deref != NULL)
1340 (*session->deref)(session);
1341
1342 l2tp_session_dec_refcount(session);
1343
1344 write_lock_bh(&tunnel->hlist_lock);
1345
1346 /* Now restart from the beginning of this hash
1347 * chain. We always remove a session from the
1348 * list so we are guaranteed to make forward
1349 * progress.
1350 */
1351 goto again;
1352 }
1353 }
1354 write_unlock_bh(&tunnel->hlist_lock);
1355 }
1356 EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
1357
1358 /* Tunnel socket destroy hook for UDP encapsulation */
l2tp_udp_encap_destroy(struct sock * sk)1359 static void l2tp_udp_encap_destroy(struct sock *sk)
1360 {
1361 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
1362 if (tunnel) {
1363 l2tp_tunnel_closeall(tunnel);
1364 sock_put(sk);
1365 }
1366 }
1367
1368 /* Workqueue tunnel deletion function */
l2tp_tunnel_del_work(struct work_struct * work)1369 static void l2tp_tunnel_del_work(struct work_struct *work)
1370 {
1371 struct l2tp_tunnel *tunnel = NULL;
1372 struct socket *sock = NULL;
1373 struct sock *sk = NULL;
1374
1375 tunnel = container_of(work, struct l2tp_tunnel, del_work);
1376
1377 l2tp_tunnel_closeall(tunnel);
1378
1379 sk = l2tp_tunnel_sock_lookup(tunnel);
1380 if (!sk)
1381 goto out;
1382
1383 sock = sk->sk_socket;
1384
1385 /* If the tunnel socket was created by userspace, then go through the
1386 * inet layer to shut the socket down, and let userspace close it.
1387 * Otherwise, if we created the socket directly within the kernel, use
1388 * the sk API to release it here.
1389 * In either case the tunnel resources are freed in the socket
1390 * destructor when the tunnel socket goes away.
1391 */
1392 if (tunnel->fd >= 0) {
1393 if (sock)
1394 inet_shutdown(sock, 2);
1395 } else {
1396 if (sock) {
1397 kernel_sock_shutdown(sock, SHUT_RDWR);
1398 sock_release(sock);
1399 }
1400 }
1401
1402 l2tp_tunnel_sock_put(sk);
1403 out:
1404 l2tp_tunnel_dec_refcount(tunnel);
1405 }
1406
1407 /* Create a socket for the tunnel, if one isn't set up by
1408 * userspace. This is used for static tunnels where there is no
1409 * managing L2TP daemon.
1410 *
1411 * Since we don't want these sockets to keep a namespace alive by
1412 * themselves, we drop the socket's namespace refcount after creation.
1413 * These sockets are freed when the namespace exits using the pernet
1414 * exit hook.
1415 */
l2tp_tunnel_sock_create(struct net * net,u32 tunnel_id,u32 peer_tunnel_id,struct l2tp_tunnel_cfg * cfg,struct socket ** sockp)1416 static int l2tp_tunnel_sock_create(struct net *net,
1417 u32 tunnel_id,
1418 u32 peer_tunnel_id,
1419 struct l2tp_tunnel_cfg *cfg,
1420 struct socket **sockp)
1421 {
1422 int err = -EINVAL;
1423 struct socket *sock = NULL;
1424 struct udp_port_cfg udp_conf;
1425
1426 switch (cfg->encap) {
1427 case L2TP_ENCAPTYPE_UDP:
1428 memset(&udp_conf, 0, sizeof(udp_conf));
1429
1430 #if IS_ENABLED(CONFIG_IPV6)
1431 if (cfg->local_ip6 && cfg->peer_ip6) {
1432 udp_conf.family = AF_INET6;
1433 memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1434 sizeof(udp_conf.local_ip6));
1435 memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1436 sizeof(udp_conf.peer_ip6));
1437 udp_conf.use_udp6_tx_checksums =
1438 ! cfg->udp6_zero_tx_checksums;
1439 udp_conf.use_udp6_rx_checksums =
1440 ! cfg->udp6_zero_rx_checksums;
1441 } else
1442 #endif
1443 {
1444 udp_conf.family = AF_INET;
1445 udp_conf.local_ip = cfg->local_ip;
1446 udp_conf.peer_ip = cfg->peer_ip;
1447 udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1448 }
1449
1450 udp_conf.local_udp_port = htons(cfg->local_udp_port);
1451 udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1452
1453 err = udp_sock_create(net, &udp_conf, &sock);
1454 if (err < 0)
1455 goto out;
1456
1457 break;
1458
1459 case L2TP_ENCAPTYPE_IP:
1460 #if IS_ENABLED(CONFIG_IPV6)
1461 if (cfg->local_ip6 && cfg->peer_ip6) {
1462 struct sockaddr_l2tpip6 ip6_addr = {0};
1463
1464 err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1465 IPPROTO_L2TP, &sock);
1466 if (err < 0)
1467 goto out;
1468
1469 ip6_addr.l2tp_family = AF_INET6;
1470 memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1471 sizeof(ip6_addr.l2tp_addr));
1472 ip6_addr.l2tp_conn_id = tunnel_id;
1473 err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1474 sizeof(ip6_addr));
1475 if (err < 0)
1476 goto out;
1477
1478 ip6_addr.l2tp_family = AF_INET6;
1479 memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1480 sizeof(ip6_addr.l2tp_addr));
1481 ip6_addr.l2tp_conn_id = peer_tunnel_id;
1482 err = kernel_connect(sock,
1483 (struct sockaddr *) &ip6_addr,
1484 sizeof(ip6_addr), 0);
1485 if (err < 0)
1486 goto out;
1487 } else
1488 #endif
1489 {
1490 struct sockaddr_l2tpip ip_addr = {0};
1491
1492 err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1493 IPPROTO_L2TP, &sock);
1494 if (err < 0)
1495 goto out;
1496
1497 ip_addr.l2tp_family = AF_INET;
1498 ip_addr.l2tp_addr = cfg->local_ip;
1499 ip_addr.l2tp_conn_id = tunnel_id;
1500 err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1501 sizeof(ip_addr));
1502 if (err < 0)
1503 goto out;
1504
1505 ip_addr.l2tp_family = AF_INET;
1506 ip_addr.l2tp_addr = cfg->peer_ip;
1507 ip_addr.l2tp_conn_id = peer_tunnel_id;
1508 err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1509 sizeof(ip_addr), 0);
1510 if (err < 0)
1511 goto out;
1512 }
1513 break;
1514
1515 default:
1516 goto out;
1517 }
1518
1519 out:
1520 *sockp = sock;
1521 if ((err < 0) && sock) {
1522 kernel_sock_shutdown(sock, SHUT_RDWR);
1523 sock_release(sock);
1524 *sockp = NULL;
1525 }
1526
1527 return err;
1528 }
1529
1530 static struct lock_class_key l2tp_socket_class;
1531
l2tp_tunnel_create(struct net * net,int fd,int version,u32 tunnel_id,u32 peer_tunnel_id,struct l2tp_tunnel_cfg * cfg,struct l2tp_tunnel ** tunnelp)1532 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1533 {
1534 struct l2tp_tunnel *tunnel = NULL;
1535 int err;
1536 struct socket *sock = NULL;
1537 struct sock *sk = NULL;
1538 struct l2tp_net *pn;
1539 enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1540
1541 /* Get the tunnel socket from the fd, which was opened by
1542 * the userspace L2TP daemon. If not specified, create a
1543 * kernel socket.
1544 */
1545 if (fd < 0) {
1546 err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id,
1547 cfg, &sock);
1548 if (err < 0)
1549 goto err;
1550 } else {
1551 sock = sockfd_lookup(fd, &err);
1552 if (!sock) {
1553 pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n",
1554 tunnel_id, fd, err);
1555 err = -EBADF;
1556 goto err;
1557 }
1558
1559 /* Reject namespace mismatches */
1560 if (!net_eq(sock_net(sock->sk), net)) {
1561 pr_err("tunl %u: netns mismatch\n", tunnel_id);
1562 err = -EINVAL;
1563 goto err;
1564 }
1565 }
1566
1567 sk = sock->sk;
1568
1569 if (cfg != NULL)
1570 encap = cfg->encap;
1571
1572 /* Quick sanity checks */
1573 err = -EPROTONOSUPPORT;
1574 if (sk->sk_type != SOCK_DGRAM) {
1575 pr_debug("tunl %hu: fd %d wrong socket type\n",
1576 tunnel_id, fd);
1577 goto err;
1578 }
1579 switch (encap) {
1580 case L2TP_ENCAPTYPE_UDP:
1581 if (sk->sk_protocol != IPPROTO_UDP) {
1582 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1583 tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1584 goto err;
1585 }
1586 break;
1587 case L2TP_ENCAPTYPE_IP:
1588 if (sk->sk_protocol != IPPROTO_L2TP) {
1589 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1590 tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1591 goto err;
1592 }
1593 break;
1594 }
1595
1596 /* Check if this socket has already been prepped */
1597 tunnel = l2tp_tunnel(sk);
1598 if (tunnel != NULL) {
1599 /* This socket has already been prepped */
1600 err = -EBUSY;
1601 goto err;
1602 }
1603
1604 tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1605 if (tunnel == NULL) {
1606 err = -ENOMEM;
1607 goto err;
1608 }
1609
1610 tunnel->version = version;
1611 tunnel->tunnel_id = tunnel_id;
1612 tunnel->peer_tunnel_id = peer_tunnel_id;
1613 tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1614
1615 tunnel->magic = L2TP_TUNNEL_MAGIC;
1616 sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1617 rwlock_init(&tunnel->hlist_lock);
1618 tunnel->acpt_newsess = true;
1619
1620 /* The net we belong to */
1621 tunnel->l2tp_net = net;
1622 pn = l2tp_pernet(net);
1623
1624 if (cfg != NULL)
1625 tunnel->debug = cfg->debug;
1626
1627 /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1628 tunnel->encap = encap;
1629 if (encap == L2TP_ENCAPTYPE_UDP) {
1630 struct udp_tunnel_sock_cfg udp_cfg = { };
1631
1632 udp_cfg.sk_user_data = tunnel;
1633 udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
1634 udp_cfg.encap_rcv = l2tp_udp_encap_recv;
1635 udp_cfg.encap_destroy = l2tp_udp_encap_destroy;
1636
1637 setup_udp_tunnel_sock(net, sock, &udp_cfg);
1638 } else {
1639 sk->sk_user_data = tunnel;
1640 }
1641
1642 /* Hook on the tunnel socket destructor so that we can cleanup
1643 * if the tunnel socket goes away.
1644 */
1645 tunnel->old_sk_destruct = sk->sk_destruct;
1646 sk->sk_destruct = &l2tp_tunnel_destruct;
1647 tunnel->sock = sk;
1648 tunnel->fd = fd;
1649 lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1650
1651 sk->sk_allocation = GFP_ATOMIC;
1652
1653 /* Init delete workqueue struct */
1654 INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1655
1656 /* Add tunnel to our list */
1657 INIT_LIST_HEAD(&tunnel->list);
1658 atomic_inc(&l2tp_tunnel_count);
1659
1660 /* Bump the reference count. The tunnel context is deleted
1661 * only when this drops to zero. Must be done before list insertion
1662 */
1663 refcount_set(&tunnel->ref_count, 1);
1664 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1665 list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1666 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1667
1668 err = 0;
1669 err:
1670 if (tunnelp)
1671 *tunnelp = tunnel;
1672
1673 /* If tunnel's socket was created by the kernel, it doesn't
1674 * have a file.
1675 */
1676 if (sock && sock->file)
1677 sockfd_put(sock);
1678
1679 return err;
1680 }
1681 EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1682
1683 /* This function is used by the netlink TUNNEL_DELETE command.
1684 */
l2tp_tunnel_delete(struct l2tp_tunnel * tunnel)1685 void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1686 {
1687 if (!test_and_set_bit(0, &tunnel->dead)) {
1688 l2tp_tunnel_inc_refcount(tunnel);
1689 queue_work(l2tp_wq, &tunnel->del_work);
1690 }
1691 }
1692 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1693
1694 /* Really kill the session.
1695 */
l2tp_session_free(struct l2tp_session * session)1696 void l2tp_session_free(struct l2tp_session *session)
1697 {
1698 struct l2tp_tunnel *tunnel = session->tunnel;
1699
1700 BUG_ON(refcount_read(&session->ref_count) != 0);
1701
1702 if (tunnel) {
1703 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1704 if (session->session_id != 0)
1705 atomic_dec(&l2tp_session_count);
1706 sock_put(tunnel->sock);
1707 session->tunnel = NULL;
1708 l2tp_tunnel_dec_refcount(tunnel);
1709 }
1710
1711 kfree(session);
1712 }
1713 EXPORT_SYMBOL_GPL(l2tp_session_free);
1714
1715 /* Remove an l2tp session from l2tp_core's hash lists.
1716 * Provides a tidyup interface for pseudowire code which can't just route all
1717 * shutdown via. l2tp_session_delete and a pseudowire-specific session_close
1718 * callback.
1719 */
__l2tp_session_unhash(struct l2tp_session * session)1720 void __l2tp_session_unhash(struct l2tp_session *session)
1721 {
1722 struct l2tp_tunnel *tunnel = session->tunnel;
1723
1724 /* Remove the session from core hashes */
1725 if (tunnel) {
1726 /* Remove from the per-tunnel hash */
1727 write_lock_bh(&tunnel->hlist_lock);
1728 hlist_del_init(&session->hlist);
1729 write_unlock_bh(&tunnel->hlist_lock);
1730
1731 /* For L2TPv3 we have a per-net hash: remove from there, too */
1732 if (tunnel->version != L2TP_HDR_VER_2) {
1733 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1734 spin_lock_bh(&pn->l2tp_session_hlist_lock);
1735 hlist_del_init_rcu(&session->global_hlist);
1736 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1737 synchronize_rcu();
1738 }
1739 }
1740 }
1741 EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
1742
1743 /* This function is used by the netlink SESSION_DELETE command and by
1744 pseudowire modules.
1745 */
l2tp_session_delete(struct l2tp_session * session)1746 int l2tp_session_delete(struct l2tp_session *session)
1747 {
1748 if (test_and_set_bit(0, &session->dead))
1749 return 0;
1750
1751 if (session->ref)
1752 (*session->ref)(session);
1753 __l2tp_session_unhash(session);
1754 l2tp_session_queue_purge(session);
1755 if (session->session_close != NULL)
1756 (*session->session_close)(session);
1757 if (session->deref)
1758 (*session->deref)(session);
1759 l2tp_session_dec_refcount(session);
1760 return 0;
1761 }
1762 EXPORT_SYMBOL_GPL(l2tp_session_delete);
1763
1764 /* We come here whenever a session's send_seq, cookie_len or
1765 * l2specific_type parameters are set.
1766 */
l2tp_session_set_header_len(struct l2tp_session * session,int version)1767 void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1768 {
1769 if (version == L2TP_HDR_VER_2) {
1770 session->hdr_len = 6;
1771 if (session->send_seq)
1772 session->hdr_len += 4;
1773 } else {
1774 session->hdr_len = 4 + session->cookie_len;
1775 session->hdr_len += l2tp_get_l2specific_len(session);
1776 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1777 session->hdr_len += 4;
1778 }
1779
1780 }
1781 EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1782
l2tp_session_create(int priv_size,struct l2tp_tunnel * tunnel,u32 session_id,u32 peer_session_id,struct l2tp_session_cfg * cfg)1783 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1784 {
1785 struct l2tp_session *session;
1786 int err;
1787
1788 session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1789 if (session != NULL) {
1790 session->magic = L2TP_SESSION_MAGIC;
1791 session->tunnel = tunnel;
1792
1793 session->session_id = session_id;
1794 session->peer_session_id = peer_session_id;
1795 session->nr = 0;
1796 if (tunnel->version == L2TP_HDR_VER_2)
1797 session->nr_max = 0xffff;
1798 else
1799 session->nr_max = 0xffffff;
1800 session->nr_window_size = session->nr_max / 2;
1801 session->nr_oos_count_max = 4;
1802
1803 /* Use NR of first received packet */
1804 session->reorder_skip = 1;
1805
1806 sprintf(&session->name[0], "sess %u/%u",
1807 tunnel->tunnel_id, session->session_id);
1808
1809 skb_queue_head_init(&session->reorder_q);
1810
1811 INIT_HLIST_NODE(&session->hlist);
1812 INIT_HLIST_NODE(&session->global_hlist);
1813
1814 /* Inherit debug options from tunnel */
1815 session->debug = tunnel->debug;
1816
1817 if (cfg) {
1818 session->pwtype = cfg->pw_type;
1819 session->debug = cfg->debug;
1820 session->mtu = cfg->mtu;
1821 session->mru = cfg->mru;
1822 session->send_seq = cfg->send_seq;
1823 session->recv_seq = cfg->recv_seq;
1824 session->lns_mode = cfg->lns_mode;
1825 session->reorder_timeout = cfg->reorder_timeout;
1826 session->l2specific_type = cfg->l2specific_type;
1827 session->l2specific_len = cfg->l2specific_len;
1828 session->cookie_len = cfg->cookie_len;
1829 memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1830 session->peer_cookie_len = cfg->peer_cookie_len;
1831 memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1832 }
1833
1834 if (tunnel->version == L2TP_HDR_VER_2)
1835 session->build_header = l2tp_build_l2tpv2_header;
1836 else
1837 session->build_header = l2tp_build_l2tpv3_header;
1838
1839 l2tp_session_set_header_len(session, tunnel->version);
1840
1841 refcount_set(&session->ref_count, 1);
1842
1843 err = l2tp_session_add_to_tunnel(tunnel, session);
1844 if (err) {
1845 kfree(session);
1846
1847 return ERR_PTR(err);
1848 }
1849
1850 /* Ignore management session in session count value */
1851 if (session->session_id != 0)
1852 atomic_inc(&l2tp_session_count);
1853
1854 return session;
1855 }
1856
1857 return ERR_PTR(-ENOMEM);
1858 }
1859 EXPORT_SYMBOL_GPL(l2tp_session_create);
1860
1861 /*****************************************************************************
1862 * Init and cleanup
1863 *****************************************************************************/
1864
l2tp_init_net(struct net * net)1865 static __net_init int l2tp_init_net(struct net *net)
1866 {
1867 struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1868 int hash;
1869
1870 INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1871 spin_lock_init(&pn->l2tp_tunnel_list_lock);
1872
1873 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1874 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1875
1876 spin_lock_init(&pn->l2tp_session_hlist_lock);
1877
1878 return 0;
1879 }
1880
l2tp_exit_net(struct net * net)1881 static __net_exit void l2tp_exit_net(struct net *net)
1882 {
1883 struct l2tp_net *pn = l2tp_pernet(net);
1884 struct l2tp_tunnel *tunnel = NULL;
1885
1886 rcu_read_lock_bh();
1887 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1888 l2tp_tunnel_delete(tunnel);
1889 }
1890 rcu_read_unlock_bh();
1891
1892 if (l2tp_wq)
1893 flush_workqueue(l2tp_wq);
1894 rcu_barrier();
1895 }
1896
1897 static struct pernet_operations l2tp_net_ops = {
1898 .init = l2tp_init_net,
1899 .exit = l2tp_exit_net,
1900 .id = &l2tp_net_id,
1901 .size = sizeof(struct l2tp_net),
1902 };
1903
l2tp_init(void)1904 static int __init l2tp_init(void)
1905 {
1906 int rc = 0;
1907
1908 rc = register_pernet_device(&l2tp_net_ops);
1909 if (rc)
1910 goto out;
1911
1912 l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1913 if (!l2tp_wq) {
1914 pr_err("alloc_workqueue failed\n");
1915 unregister_pernet_device(&l2tp_net_ops);
1916 rc = -ENOMEM;
1917 goto out;
1918 }
1919
1920 pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1921
1922 out:
1923 return rc;
1924 }
1925
l2tp_exit(void)1926 static void __exit l2tp_exit(void)
1927 {
1928 unregister_pernet_device(&l2tp_net_ops);
1929 if (l2tp_wq) {
1930 destroy_workqueue(l2tp_wq);
1931 l2tp_wq = NULL;
1932 }
1933 }
1934
1935 module_init(l2tp_init);
1936 module_exit(l2tp_exit);
1937
1938 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1939 MODULE_DESCRIPTION("L2TP core");
1940 MODULE_LICENSE("GPL");
1941 MODULE_VERSION(L2TP_DRV_VERSION);
1942
1943