1 /* drivers/net/pppolac.c
2 *
3 * Driver for PPP on L2TP Access Concentrator / PPPoLAC Socket (RFC 2661)
4 *
5 * Copyright (C) 2009 Google, Inc.
6 *
7 * This software is licensed under the terms of the GNU General Public
8 * License version 2, as published by the Free Software Foundation, and
9 * may be copied, distributed, and modified under those terms.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 */
16
17 /* This driver handles L2TP data packets between a UDP socket and a PPP channel.
18 * The socket must keep connected, and only one session per socket is permitted.
19 * Sequencing of outgoing packets is controlled by LNS. Incoming packets with
20 * sequences are reordered within a sliding window of one second. Currently
21 * reordering only happens when a packet is received. It is done for simplicity
22 * since no additional locks or threads are required. This driver only works on
23 * IPv4 due to the lack of UDP encapsulation support in IPv6. */
24
25 #include <linux/module.h>
26 #include <linux/jiffies.h>
27 #include <linux/workqueue.h>
28 #include <linux/skbuff.h>
29 #include <linux/file.h>
30 #include <linux/netdevice.h>
31 #include <linux/net.h>
32 #include <linux/udp.h>
33 #include <linux/ppp_defs.h>
34 #include <linux/if_ppp.h>
35 #include <linux/if_pppox.h>
36 #include <linux/ppp_channel.h>
37 #include <net/tcp_states.h>
38 #include <asm/uaccess.h>
39
40 #define L2TP_CONTROL_BIT 0x80
41 #define L2TP_LENGTH_BIT 0x40
42 #define L2TP_SEQUENCE_BIT 0x08
43 #define L2TP_OFFSET_BIT 0x02
44 #define L2TP_VERSION 0x02
45 #define L2TP_VERSION_MASK 0x0F
46
47 #define PPP_ADDR 0xFF
48 #define PPP_CTRL 0x03
49
50 union unaligned {
51 __u32 u32;
52 } __attribute__((packed));
53
unaligned(void * ptr)54 static inline union unaligned *unaligned(void *ptr)
55 {
56 return (union unaligned *)ptr;
57 }
58
59 struct meta {
60 __u32 sequence;
61 __u32 timestamp;
62 };
63
skb_meta(struct sk_buff * skb)64 static inline struct meta *skb_meta(struct sk_buff *skb)
65 {
66 return (struct meta *)skb->cb;
67 }
68
69 /******************************************************************************/
70
pppolac_recv_core(struct sock * sk_udp,struct sk_buff * skb)71 static int pppolac_recv_core(struct sock *sk_udp, struct sk_buff *skb)
72 {
73 struct sock *sk = (struct sock *)sk_udp->sk_user_data;
74 struct pppolac_opt *opt = &pppox_sk(sk)->proto.lac;
75 struct meta *meta = skb_meta(skb);
76 __u32 now = jiffies;
77 __u8 bits;
78 __u8 *ptr;
79
80 /* Drop the packet if L2TP header is missing. */
81 if (skb->len < sizeof(struct udphdr) + 6)
82 goto drop;
83
84 /* Put it back if it is a control packet. */
85 if (skb->data[sizeof(struct udphdr)] & L2TP_CONTROL_BIT)
86 return opt->backlog_rcv(sk_udp, skb);
87
88 /* Skip UDP header. */
89 skb_pull(skb, sizeof(struct udphdr));
90
91 /* Check the version. */
92 if ((skb->data[1] & L2TP_VERSION_MASK) != L2TP_VERSION)
93 goto drop;
94 bits = skb->data[0];
95 ptr = &skb->data[2];
96
97 /* Check the length if it is present. */
98 if (bits & L2TP_LENGTH_BIT) {
99 if ((ptr[0] << 8 | ptr[1]) != skb->len)
100 goto drop;
101 ptr += 2;
102 }
103
104 /* Skip all fields including optional ones. */
105 if (!skb_pull(skb, 6 + (bits & L2TP_SEQUENCE_BIT ? 4 : 0) +
106 (bits & L2TP_LENGTH_BIT ? 2 : 0) +
107 (bits & L2TP_OFFSET_BIT ? 2 : 0)))
108 goto drop;
109
110 /* Skip the offset padding if it is present. */
111 if (bits & L2TP_OFFSET_BIT &&
112 !skb_pull(skb, skb->data[-2] << 8 | skb->data[-1]))
113 goto drop;
114
115 /* Check the tunnel and the session. */
116 if (unaligned(ptr)->u32 != opt->local)
117 goto drop;
118
119 /* Check the sequence if it is present. */
120 if (bits & L2TP_SEQUENCE_BIT) {
121 meta->sequence = ptr[4] << 8 | ptr[5];
122 if ((__s16)(meta->sequence - opt->recv_sequence) < 0)
123 goto drop;
124 }
125
126 /* Skip PPP address and control if they are present. */
127 if (skb->len >= 2 && skb->data[0] == PPP_ADDR &&
128 skb->data[1] == PPP_CTRL)
129 skb_pull(skb, 2);
130
131 /* Fix PPP protocol if it is compressed. */
132 if (skb->len >= 1 && skb->data[0] & 1)
133 skb_push(skb, 1)[0] = 0;
134
135 /* Drop the packet if PPP protocol is missing. */
136 if (skb->len < 2)
137 goto drop;
138
139 /* Perform reordering if sequencing is enabled. */
140 atomic_set(&opt->sequencing, bits & L2TP_SEQUENCE_BIT);
141 if (bits & L2TP_SEQUENCE_BIT) {
142 struct sk_buff *skb1;
143
144 /* Insert the packet into receive queue in order. */
145 skb_set_owner_r(skb, sk);
146 skb_queue_walk(&sk->sk_receive_queue, skb1) {
147 struct meta *meta1 = skb_meta(skb1);
148 __s16 order = meta->sequence - meta1->sequence;
149 if (order == 0)
150 goto drop;
151 if (order < 0) {
152 meta->timestamp = meta1->timestamp;
153 skb_insert(skb1, skb, &sk->sk_receive_queue);
154 skb = NULL;
155 break;
156 }
157 }
158 if (skb) {
159 meta->timestamp = now;
160 skb_queue_tail(&sk->sk_receive_queue, skb);
161 }
162
163 /* Remove packets from receive queue as long as
164 * 1. the receive buffer is full,
165 * 2. they are queued longer than one second, or
166 * 3. there are no missing packets before them. */
167 skb_queue_walk_safe(&sk->sk_receive_queue, skb, skb1) {
168 meta = skb_meta(skb);
169 if (atomic_read(&sk->sk_rmem_alloc) < sk->sk_rcvbuf &&
170 now - meta->timestamp < HZ &&
171 meta->sequence != opt->recv_sequence)
172 break;
173 skb_unlink(skb, &sk->sk_receive_queue);
174 opt->recv_sequence = (__u16)(meta->sequence + 1);
175 skb_orphan(skb);
176 ppp_input(&pppox_sk(sk)->chan, skb);
177 }
178 return NET_RX_SUCCESS;
179 }
180
181 /* Flush receive queue if sequencing is disabled. */
182 skb_queue_purge(&sk->sk_receive_queue);
183 skb_orphan(skb);
184 ppp_input(&pppox_sk(sk)->chan, skb);
185 return NET_RX_SUCCESS;
186 drop:
187 kfree_skb(skb);
188 return NET_RX_DROP;
189 }
190
pppolac_recv(struct sock * sk_udp,struct sk_buff * skb)191 static int pppolac_recv(struct sock *sk_udp, struct sk_buff *skb)
192 {
193 sock_hold(sk_udp);
194 sk_receive_skb(sk_udp, skb, 0);
195 return 0;
196 }
197
198 static struct sk_buff_head delivery_queue;
199
pppolac_xmit_core(struct work_struct * delivery_work)200 static void pppolac_xmit_core(struct work_struct *delivery_work)
201 {
202 mm_segment_t old_fs = get_fs();
203 struct sk_buff *skb;
204
205 set_fs(KERNEL_DS);
206 while ((skb = skb_dequeue(&delivery_queue))) {
207 struct sock *sk_udp = skb->sk;
208 struct kvec iov = {.iov_base = skb->data, .iov_len = skb->len};
209 struct msghdr msg = {
210 .msg_flags = MSG_NOSIGNAL | MSG_DONTWAIT,
211 };
212
213 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, &iov, 1,
214 skb->len);
215 sk_udp->sk_prot->sendmsg(sk_udp, &msg, skb->len);
216 kfree_skb(skb);
217 }
218 set_fs(old_fs);
219 }
220
221 static DECLARE_WORK(delivery_work, pppolac_xmit_core);
222
pppolac_xmit(struct ppp_channel * chan,struct sk_buff * skb)223 static int pppolac_xmit(struct ppp_channel *chan, struct sk_buff *skb)
224 {
225 struct sock *sk_udp = (struct sock *)chan->private;
226 struct pppolac_opt *opt = &pppox_sk(sk_udp->sk_user_data)->proto.lac;
227
228 /* Install PPP address and control. */
229 skb_push(skb, 2);
230 skb->data[0] = PPP_ADDR;
231 skb->data[1] = PPP_CTRL;
232
233 /* Install L2TP header. */
234 if (atomic_read(&opt->sequencing)) {
235 skb_push(skb, 10);
236 skb->data[0] = L2TP_SEQUENCE_BIT;
237 skb->data[6] = opt->xmit_sequence >> 8;
238 skb->data[7] = opt->xmit_sequence;
239 skb->data[8] = 0;
240 skb->data[9] = 0;
241 opt->xmit_sequence++;
242 } else {
243 skb_push(skb, 6);
244 skb->data[0] = 0;
245 }
246 skb->data[1] = L2TP_VERSION;
247 unaligned(&skb->data[2])->u32 = opt->remote;
248
249 /* Now send the packet via the delivery queue. */
250 skb_set_owner_w(skb, sk_udp);
251 skb_queue_tail(&delivery_queue, skb);
252 schedule_work(&delivery_work);
253 return 1;
254 }
255
256 /******************************************************************************/
257
258 static struct ppp_channel_ops pppolac_channel_ops = {
259 .start_xmit = pppolac_xmit,
260 };
261
pppolac_connect(struct socket * sock,struct sockaddr * useraddr,int addrlen,int flags)262 static int pppolac_connect(struct socket *sock, struct sockaddr *useraddr,
263 int addrlen, int flags)
264 {
265 struct sock *sk = sock->sk;
266 struct pppox_sock *po = pppox_sk(sk);
267 struct sockaddr_pppolac *addr = (struct sockaddr_pppolac *)useraddr;
268 struct socket *sock_udp = NULL;
269 struct sock *sk_udp;
270 int error;
271
272 if (addrlen != sizeof(struct sockaddr_pppolac) ||
273 !addr->local.tunnel || !addr->local.session ||
274 !addr->remote.tunnel || !addr->remote.session) {
275 return -EINVAL;
276 }
277
278 lock_sock(sk);
279 error = -EALREADY;
280 if (sk->sk_state != PPPOX_NONE)
281 goto out;
282
283 sock_udp = sockfd_lookup(addr->udp_socket, &error);
284 if (!sock_udp)
285 goto out;
286 sk_udp = sock_udp->sk;
287 lock_sock(sk_udp);
288
289 /* Remove this check when IPv6 supports UDP encapsulation. */
290 error = -EAFNOSUPPORT;
291 if (sk_udp->sk_family != AF_INET)
292 goto out;
293 error = -EPROTONOSUPPORT;
294 if (sk_udp->sk_protocol != IPPROTO_UDP)
295 goto out;
296 error = -EDESTADDRREQ;
297 if (sk_udp->sk_state != TCP_ESTABLISHED)
298 goto out;
299 error = -EBUSY;
300 if (udp_sk(sk_udp)->encap_type || sk_udp->sk_user_data)
301 goto out;
302 if (!sk_udp->sk_bound_dev_if) {
303 struct dst_entry *dst = sk_dst_get(sk_udp);
304 error = -ENODEV;
305 if (!dst)
306 goto out;
307 sk_udp->sk_bound_dev_if = dst->dev->ifindex;
308 dst_release(dst);
309 }
310
311 po->chan.hdrlen = 12;
312 po->chan.private = sk_udp;
313 po->chan.ops = &pppolac_channel_ops;
314 po->chan.mtu = PPP_MRU - 80;
315 po->proto.lac.local = unaligned(&addr->local)->u32;
316 po->proto.lac.remote = unaligned(&addr->remote)->u32;
317 atomic_set(&po->proto.lac.sequencing, 1);
318 po->proto.lac.backlog_rcv = sk_udp->sk_backlog_rcv;
319
320 error = ppp_register_channel(&po->chan);
321 if (error)
322 goto out;
323
324 sk->sk_state = PPPOX_CONNECTED;
325 udp_sk(sk_udp)->encap_type = UDP_ENCAP_L2TPINUDP;
326 udp_sk(sk_udp)->encap_rcv = pppolac_recv;
327 sk_udp->sk_backlog_rcv = pppolac_recv_core;
328 sk_udp->sk_user_data = sk;
329 out:
330 if (sock_udp) {
331 release_sock(sk_udp);
332 if (error)
333 sockfd_put(sock_udp);
334 }
335 release_sock(sk);
336 return error;
337 }
338
pppolac_release(struct socket * sock)339 static int pppolac_release(struct socket *sock)
340 {
341 struct sock *sk = sock->sk;
342
343 if (!sk)
344 return 0;
345
346 lock_sock(sk);
347 if (sock_flag(sk, SOCK_DEAD)) {
348 release_sock(sk);
349 return -EBADF;
350 }
351
352 if (sk->sk_state != PPPOX_NONE) {
353 struct sock *sk_udp = (struct sock *)pppox_sk(sk)->chan.private;
354 lock_sock(sk_udp);
355 skb_queue_purge(&sk->sk_receive_queue);
356 pppox_unbind_sock(sk);
357 udp_sk(sk_udp)->encap_type = 0;
358 udp_sk(sk_udp)->encap_rcv = NULL;
359 sk_udp->sk_backlog_rcv = pppox_sk(sk)->proto.lac.backlog_rcv;
360 sk_udp->sk_user_data = NULL;
361 release_sock(sk_udp);
362 sockfd_put(sk_udp->sk_socket);
363 }
364
365 sock_orphan(sk);
366 sock->sk = NULL;
367 release_sock(sk);
368 sock_put(sk);
369 return 0;
370 }
371
372 /******************************************************************************/
373
374 static struct proto pppolac_proto = {
375 .name = "PPPOLAC",
376 .owner = THIS_MODULE,
377 .obj_size = sizeof(struct pppox_sock),
378 };
379
380 static struct proto_ops pppolac_proto_ops = {
381 .family = PF_PPPOX,
382 .owner = THIS_MODULE,
383 .release = pppolac_release,
384 .bind = sock_no_bind,
385 .connect = pppolac_connect,
386 .socketpair = sock_no_socketpair,
387 .accept = sock_no_accept,
388 .getname = sock_no_getname,
389 .poll = sock_no_poll,
390 .ioctl = pppox_ioctl,
391 .listen = sock_no_listen,
392 .shutdown = sock_no_shutdown,
393 .setsockopt = sock_no_setsockopt,
394 .getsockopt = sock_no_getsockopt,
395 .sendmsg = sock_no_sendmsg,
396 .recvmsg = sock_no_recvmsg,
397 .mmap = sock_no_mmap,
398 };
399
pppolac_create(struct net * net,struct socket * sock,int kern)400 static int pppolac_create(struct net *net, struct socket *sock, int kern)
401 {
402 struct sock *sk;
403
404 sk = sk_alloc(net, PF_PPPOX, GFP_KERNEL, &pppolac_proto, kern);
405 if (!sk)
406 return -ENOMEM;
407
408 sock_init_data(sock, sk);
409 sock->state = SS_UNCONNECTED;
410 sock->ops = &pppolac_proto_ops;
411 sk->sk_protocol = PX_PROTO_OLAC;
412 sk->sk_state = PPPOX_NONE;
413 return 0;
414 }
415
416 /******************************************************************************/
417
418 static struct pppox_proto pppolac_pppox_proto = {
419 .create = pppolac_create,
420 .owner = THIS_MODULE,
421 };
422
pppolac_init(void)423 static int __init pppolac_init(void)
424 {
425 int error;
426
427 error = proto_register(&pppolac_proto, 0);
428 if (error)
429 return error;
430
431 error = register_pppox_proto(PX_PROTO_OLAC, &pppolac_pppox_proto);
432 if (error)
433 proto_unregister(&pppolac_proto);
434 else
435 skb_queue_head_init(&delivery_queue);
436 return error;
437 }
438
pppolac_exit(void)439 static void __exit pppolac_exit(void)
440 {
441 unregister_pppox_proto(PX_PROTO_OLAC);
442 proto_unregister(&pppolac_proto);
443 }
444
445 module_init(pppolac_init);
446 module_exit(pppolac_exit);
447
448 MODULE_DESCRIPTION("PPP on L2TP Access Concentrator (PPPoLAC)");
449 MODULE_AUTHOR("Chia-chi Yeh <chiachi@android.com>");
450 MODULE_LICENSE("GPL");
451