1 // SPDX-License-Identifier: GPL-2.0-only
2 /* L2TP core.
3 *
4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
5 *
6 * This file contains some code of the original L2TPv2 pppol2tp
7 * driver, which has the following copyright:
8 *
9 * Authors: Martijn van Oosterhout <kleptog@svana.org>
10 * James Chapman (jchapman@katalix.com)
11 * Contributors:
12 * Michal Ostrowski <mostrows@speakeasy.net>
13 * Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
14 * David S. Miller (davem@redhat.com)
15 */
16
17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18
19 #include <linux/module.h>
20 #include <linux/string.h>
21 #include <linux/list.h>
22 #include <linux/rculist.h>
23 #include <linux/uaccess.h>
24
25 #include <linux/kernel.h>
26 #include <linux/spinlock.h>
27 #include <linux/kthread.h>
28 #include <linux/sched.h>
29 #include <linux/slab.h>
30 #include <linux/errno.h>
31 #include <linux/jiffies.h>
32
33 #include <linux/netdevice.h>
34 #include <linux/net.h>
35 #include <linux/inetdevice.h>
36 #include <linux/skbuff.h>
37 #include <linux/init.h>
38 #include <linux/in.h>
39 #include <linux/ip.h>
40 #include <linux/udp.h>
41 #include <linux/l2tp.h>
42 #include <linux/sort.h>
43 #include <linux/file.h>
44 #include <linux/nsproxy.h>
45 #include <net/net_namespace.h>
46 #include <net/netns/generic.h>
47 #include <net/dst.h>
48 #include <net/ip.h>
49 #include <net/udp.h>
50 #include <net/udp_tunnel.h>
51 #include <net/inet_common.h>
52 #include <net/xfrm.h>
53 #include <net/protocol.h>
54 #include <net/inet6_connection_sock.h>
55 #include <net/inet_ecn.h>
56 #include <net/ip6_route.h>
57 #include <net/ip6_checksum.h>
58
59 #include <asm/byteorder.h>
60 #include <linux/atomic.h>
61
62 #include "l2tp_core.h"
63
64 #define CREATE_TRACE_POINTS
65 #include "trace.h"
66
#define L2TP_DRV_VERSION "V2.0"

/* L2TP header constants: bits of the 16-bit flags/version word that starts
 * an L2TP header, as tested by the receive path in this file.
 */
#define L2TP_HDRFLAG_T 0x8000 /* control packet; l2tp_udp_encap_recv does not process these itself */
#define L2TP_HDRFLAG_L 0x4000 /* optional length field is present */
#define L2TP_HDRFLAG_S 0x0800 /* optional Ns/Nr sequence fields are present */
#define L2TP_HDRFLAG_O 0x0200 /* optional offset field is present */
#define L2TP_HDRFLAG_P 0x0100 /* not referenced in the visible code; presumably the RFC 2661 priority bit - TODO confirm */

#define L2TP_HDR_VER_MASK 0x000F /* low four bits of the flags word carry the protocol version */
#define L2TP_HDR_VER_2 0x0002
#define L2TP_HDR_VER_3 0x0003

/* L2TPv3 default L2-specific sublayer */
#define L2TP_SLFLAG_S 0x40000000 /* sequence-number-present bit of the 32-bit sublayer word */
#define L2TP_SL_SEQ_MASK 0x00ffffff /* 24-bit sequence number field of the sublayer word */

/* Number of header bytes l2tp_udp_encap_recv requires in the linear skb area
 * before it starts parsing; shorter packets are not processed as L2TP data.
 */
#define L2TP_HDR_SIZE_MAX 14

/* Default trace flags */
#define L2TP_DEFAULT_DEBUG_FLAGS 0

/* Lockdep subclass used by L2TP; the check below rejects a value that
 * equals SINGLE_DEPTH_NESTING.
 */
#define L2TP_DEPTH_NESTING 2
#if L2TP_DEPTH_NESTING == SINGLE_DEPTH_NESTING
#error "L2TP requires its own lockdep subclass"
#endif
93
/* Private data stored for received packets in the skb.
 *
 * The receive path in this file fills these fields from the parsed L2TP
 * header before the skb is placed on a session's reorder_q.
 */
struct l2tp_skb_cb {
	u32 ns; /* sequence number from the header; meaningful only when has_seq is set */
	u16 has_seq; /* non-zero when the packet carried a sequence number */
	/* Packet length recorded by l2tp_recv_common and used for the rx byte
	 * counters. NOTE(review): it is assigned from an int there, so a value
	 * above 65535 would be truncated - confirm callers bound it.
	 */
	u16 length;
	unsigned long expires; /* jiffies value after which a queued skb is discarded */
};

/* Locate the l2tp_skb_cb inside skb->cb, directly after the space taken by
 * struct inet_skb_parm.
 * NOTE(review): both structures have to fit within skb->cb; no build-time
 * size check is visible in this part of the file - confirm one exists.
 */
#define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *)&(skb)->cb[sizeof(struct inet_skb_parm)])
104
/* Workqueue pointer; it is not used in the visible part of the file. */
static struct workqueue_struct *l2tp_wq;

/* per-net private data for this module */
/* Key passed to net_generic() by l2tp_pernet() to fetch a namespace's l2tp_net. */
static unsigned int l2tp_net_id;
struct l2tp_net {
	/* Lock for write access to l2tp_tunnel_idr */
	spinlock_t l2tp_tunnel_idr_lock;
	/* Tunnels indexed by tunnel ID; readers look entries up under RCU. */
	struct idr l2tp_tunnel_idr;
	/* Lock for write access to l2tp_v[23]_session_idr/htable */
	spinlock_t l2tp_session_idr_lock;
	/* L2TPv2 sessions, keyed by l2tp_v2_session_key(tunnel_id, session_id). */
	struct idr l2tp_v2_session_idr;
	/* L2TPv3 sessions, keyed by session ID alone. */
	struct idr l2tp_v3_session_idr;
	/* L2TPv3 sessions whose session ID is shared with a session in another
	 * tunnel, hashed by l2tp_v3_session_hashkey().
	 */
	struct hlist_head l2tp_v3_session_htable[16];
};
119
/* Build the IDR key of an L2TPv2 session: the tunnel ID occupies the upper
 * 16 bits and the session ID the lower 16 bits.
 */
static u32 l2tp_v2_session_key(u16 tunnel_id, u16 session_id)
{
	u32 key = tunnel_id;

	key <<= 16;
	key |= session_id;

	return key;
}
124
/* Derive the l2tp_v3_session_htable key for a session from the address of
 * the tunnel socket and the session ID.
 */
static unsigned long l2tp_v3_session_hashkey(struct sock *sk, u32 session_id)
{
	unsigned long key = (unsigned long)sk;

	key += session_id;

	return key;
}
129
#if IS_ENABLED(CONFIG_IPV6)
/* True when sk is a PF_INET6 socket whose destination address is not a
 * v4-mapped IPv6 address.
 */
static bool l2tp_sk_is_v6(struct sock *sk)
{
	if (sk->sk_family != PF_INET6)
		return false;

	return !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
}
#endif
137
/* Fetch this module's per-namespace data for net. */
static struct l2tp_net *l2tp_pernet(const struct net *net)
{
	struct l2tp_net *pn = net_generic(net, l2tp_net_id);

	return pn;
}
142
/* Release a tunnel once l2tp_tunnel_put() has dropped its last reference:
 * detach the tunnel from its socket, drop the socket reference and free the
 * tunnel after an RCU grace period.
 */
static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
{
	struct sock *sk = tunnel->sock;

	trace_free_tunnel(tunnel);

	if (!sk)
		goto free_tunnel;

	if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
		/* The socket stops being an encapsulation socket (see
		 * net/ipv4/udp.c), so clear the hooks that point back into
		 * this module before the tunnel goes away.
		 */
		WRITE_ONCE(udp_sk(sk)->encap_type, 0);
		udp_sk(sk)->encap_rcv = NULL;
		udp_sk(sk)->encap_destroy = NULL;
	}
	/* L2TP_ENCAPTYPE_IP sockets need no extra teardown here. */

	tunnel->sock = NULL;
	sock_put(sk);

free_tunnel:
	/* Lockless lookups may still hold the pointer inside an RCU read
	 * section, so the memory is released only after a grace period.
	 */
	kfree_rcu(tunnel, rcu);
}
168
/* Release a session once l2tp_session_put() has dropped its last reference:
 * give back the session's reference on its tunnel, if it has one, and free
 * the session after an RCU grace period.
 */
static void l2tp_session_free(struct l2tp_session *session)
{
	struct l2tp_tunnel *tunnel;

	trace_free_session(session);

	tunnel = session->tunnel;
	if (tunnel)
		l2tp_tunnel_put(tunnel);

	kfree_rcu(session, rcu);
}
176
/* Find the tunnel that uses socket sk by scanning the tunnel IDR of the
 * socket's network namespace.
 *
 * Returns the tunnel with a new reference held, or NULL if no live tunnel
 * uses sk. The caller releases the reference with l2tp_tunnel_put().
 */
struct l2tp_tunnel *l2tp_sk_to_tunnel(const struct sock *sk)
{
	const struct net *net = sock_net(sk);
	struct l2tp_tunnel *found = NULL;
	unsigned long tunnel_id, tmp;
	struct l2tp_tunnel *tunnel;
	struct l2tp_net *pn;

	rcu_read_lock_bh();
	pn = l2tp_pernet(net);
	idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) {
		if (!tunnel || tunnel->sock != sk)
			continue;

		/* Skip a tunnel whose reference count already reached zero. */
		if (refcount_inc_not_zero(&tunnel->ref_count)) {
			found = tunnel;
			break;
		}
	}
	rcu_read_unlock_bh();

	return found;
}
EXPORT_SYMBOL_GPL(l2tp_sk_to_tunnel);
199
/* Drop a reference on a tunnel; the tunnel is freed when the last reference
 * goes away.
 */
void l2tp_tunnel_put(struct l2tp_tunnel *tunnel)
{
	if (!refcount_dec_and_test(&tunnel->ref_count))
		return;

	l2tp_tunnel_free(tunnel);
}
EXPORT_SYMBOL_GPL(l2tp_tunnel_put);
206
/* Drop a reference on a session; the session is freed when the last
 * reference goes away.
 */
void l2tp_session_put(struct l2tp_session *session)
{
	if (!refcount_dec_and_test(&session->ref_count))
		return;

	l2tp_session_free(session);
}
EXPORT_SYMBOL_GPL(l2tp_session_put);
213
/* Look up a tunnel by ID in the given network namespace.
 *
 * Returns the tunnel with a new reference held, or NULL if there is no such
 * tunnel or its reference count has already dropped to zero. The caller
 * releases the reference with l2tp_tunnel_put().
 */
struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
{
	const struct l2tp_net *pn = l2tp_pernet(net);
	struct l2tp_tunnel *tunnel;

	rcu_read_lock_bh();
	tunnel = idr_find(&pn->l2tp_tunnel_idr, tunnel_id);
	/* A tunnel that is already being released must not be handed out. */
	if (tunnel && !refcount_inc_not_zero(&tunnel->ref_count))
		tunnel = NULL;
	rcu_read_unlock_bh();

	return tunnel;
}
EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
231
/* Return the next tunnel at or after *key in the namespace's tunnel IDR,
 * with a new reference held, or NULL when the IDR is exhausted.
 *
 * key is an in/out cursor: idr_get_next_ul() stores the ID of the entry it
 * found there, and entries that can no longer be referenced are stepped
 * over by advancing it.
 */
struct l2tp_tunnel *l2tp_tunnel_get_next(const struct net *net, unsigned long *key)
{
	struct l2tp_net *pn = l2tp_pernet(net);
	struct l2tp_tunnel *tunnel = NULL;

	rcu_read_lock_bh();
	for (;;) {
		tunnel = idr_get_next_ul(&pn->l2tp_tunnel_idr, key);
		if (!tunnel)
			break;

		if (refcount_inc_not_zero(&tunnel->ref_count))
			break;

		/* Tunnel is being released; move on to the next ID. */
		(*key)++;
	}
	rcu_read_unlock_bh();

	return tunnel;
}
EXPORT_SYMBOL_GPL(l2tp_tunnel_get_next);
253
/* Look up an L2TPv3 session by session ID, taking a reference on success.
 *
 * @net: network namespace whose per-net session tables are searched.
 * @sk: tunnel socket used to select the right session when the ID is shared
 *      by sessions in different tunnels; may be NULL.
 * @session_id: L2TPv3 session ID.
 *
 * Returns the session with its ref_count incremented, or NULL. When the ID
 * is shared between tunnels and sk is NULL, no session is returned. The
 * caller releases the reference with l2tp_session_put().
 */
struct l2tp_session *l2tp_v3_session_get(const struct net *net, struct sock *sk, u32 session_id)
{
	const struct l2tp_net *pn = l2tp_pernet(net);
	struct l2tp_session *session;

	rcu_read_lock_bh();
	session = idr_find(&pn->l2tp_v3_session_idr, session_id);
	/* A session that is not on the hash list has no ID collision, so the
	 * IDR entry is the only candidate. refcount_inc_not_zero() refuses a
	 * session whose last reference has already been dropped.
	 */
	if (session && !hash_hashed(&session->hlist) &&
	    refcount_inc_not_zero(&session->ref_count)) {
		rcu_read_unlock_bh();
		return session;
	}

	/* If we get here and session is non-NULL, the session_id
	 * collides with one in another tunnel. If sk is non-NULL,
	 * find the session matching sk.
	 */
	if (session && sk) {
		unsigned long key = l2tp_v3_session_hashkey(sk, session->session_id);

		/* The loop reuses 'session' as its cursor, so the IDR result
		 * is no longer available after this point.
		 */
		hash_for_each_possible_rcu(pn->l2tp_v3_session_htable, session,
					   hlist, key) {
			/* session->tunnel may be NULL if another thread is in
			 * l2tp_session_register and has added an item to
			 * l2tp_v3_session_htable but hasn't yet added the
			 * session to its tunnel's session_list.
			 */
			struct l2tp_tunnel *tunnel = READ_ONCE(session->tunnel);

			/* Different sessions can share a hash bucket, so both
			 * the ID and the owning socket are checked again.
			 */
			if (session->session_id == session_id &&
			    tunnel && tunnel->sock == sk &&
			    refcount_inc_not_zero(&session->ref_count)) {
				rcu_read_unlock_bh();
				return session;
			}
		}
	}
	rcu_read_unlock_bh();

	return NULL;
}
EXPORT_SYMBOL_GPL(l2tp_v3_session_get);
296
/* Look up an L2TPv2 session by its tunnel ID and session ID.
 *
 * Returns the session with a new reference held, or NULL if there is no
 * such session or its reference count has already dropped to zero. The
 * caller releases the reference with l2tp_session_put().
 */
struct l2tp_session *l2tp_v2_session_get(const struct net *net, u16 tunnel_id, u16 session_id)
{
	const struct l2tp_net *pn = l2tp_pernet(net);
	u32 idr_key = l2tp_v2_session_key(tunnel_id, session_id);
	struct l2tp_session *session;

	rcu_read_lock_bh();
	session = idr_find(&pn->l2tp_v2_session_idr, idr_key);
	/* A session that is already being released must not be handed out. */
	if (session && !refcount_inc_not_zero(&session->ref_count))
		session = NULL;
	rcu_read_unlock_bh();

	return session;
}
EXPORT_SYMBOL_GPL(l2tp_v2_session_get);
314
/* Look up a session for either protocol version, returning it with a new
 * reference held or NULL.
 *
 * For pver == L2TP_HDR_VER_2 the session is found by tunnel_id and
 * session_id, which are narrowed to 16 bits by l2tp_v2_session_get()'s
 * parameter types. Any other pver takes the L2TPv3 path, which uses sk and
 * session_id and ignores tunnel_id.
 */
struct l2tp_session *l2tp_session_get(const struct net *net, struct sock *sk, int pver,
				      u32 tunnel_id, u32 session_id)
{
	if (pver != L2TP_HDR_VER_2)
		return l2tp_v3_session_get(net, sk, session_id);

	return l2tp_v2_session_get(net, tunnel_id, session_id);
}
EXPORT_SYMBOL_GPL(l2tp_session_get);
324
/* Return the next L2TPv2 session of tunnel tid at or after *key, with a new
 * reference held.
 *
 * key is an in/out cursor over the v2 session IDR. A value of 0 starts the
 * walk at the first possible key of the tunnel; idr_get_next_ul() stores the
 * key of the entry it found there.
 *
 * Returns NULL when the walk reaches an entry that belongs to another tunnel
 * or the end of the IDR.
 */
static struct l2tp_session *l2tp_v2_session_get_next(const struct net *net,
						     u16 tid,
						     unsigned long *key)
{
	struct l2tp_net *pn = l2tp_pernet(net);
	struct l2tp_session *session = NULL;

	/* Start searching within the range of the tid */
	if (*key == 0)
		*key = l2tp_v2_session_key(tid, 0);

	rcu_read_lock_bh();
again:
	session = idr_get_next_ul(&pn->l2tp_v2_session_idr, key);
	if (session) {
		/* NOTE(review): unlike the v3 walker, tunnel is dereferenced
		 * below without a NULL check. This appears to rely on
		 * l2tp_session_register() setting session->tunnel before the
		 * session replaces the IDR placeholder - confirm.
		 */
		struct l2tp_tunnel *tunnel = READ_ONCE(session->tunnel);

		/* ignore sessions with id 0 as they are internal for pppol2tp */
		if (session->session_id == 0) {
			(*key)++;
			goto again;
		}

		if (tunnel->tunnel_id == tid &&
		    refcount_inc_not_zero(&session->ref_count)) {
			rcu_read_unlock_bh();
			return session;
		}

		/* Either the session is being released or it belongs to
		 * another tunnel. Keys are ordered by tunnel ID, so only keep
		 * walking while still inside this tunnel's key range.
		 */
		(*key)++;
		if (tunnel->tunnel_id == tid)
			goto again;
	}
	rcu_read_unlock_bh();

	return NULL;
}
362
/* Return the next L2TPv3 session of tunnel tid at or after *key, with a new
 * reference held, or NULL when the session IDR is exhausted.
 *
 * key is an in/out cursor over the v3 session IDR, which is shared by all
 * tunnels of the namespace, so entries of other tunnels are stepped over.
 * sk is the tunnel socket; it is used to compute the hash key when a session
 * ID is shared between tunnels.
 */
static struct l2tp_session *l2tp_v3_session_get_next(const struct net *net,
						     u32 tid, struct sock *sk,
						     unsigned long *key)
{
	struct l2tp_net *pn = l2tp_pernet(net);
	struct l2tp_session *session = NULL;

	rcu_read_lock_bh();
again:
	session = idr_get_next_ul(&pn->l2tp_v3_session_idr, key);
	/* Unhashed session: its ID is not shared, so the IDR entry is the
	 * only session with this ID.
	 */
	if (session && !hash_hashed(&session->hlist)) {
		struct l2tp_tunnel *tunnel = READ_ONCE(session->tunnel);

		if (tunnel && tunnel->tunnel_id == tid &&
		    refcount_inc_not_zero(&session->ref_count)) {
			rcu_read_unlock_bh();
			return session;
		}

		/* Other tunnel, or session being released: try the next ID. */
		(*key)++;
		goto again;
	}

	/* If we get here and session is non-NULL, the IDR entry may be one
	 * where the session_id collides with one in another tunnel. Check
	 * session_htable for a match. There can only be one session of a given
	 * ID per tunnel so we can return as soon as a match is found.
	 */
	if (session && hash_hashed(&session->hlist)) {
		unsigned long hkey = l2tp_v3_session_hashkey(sk, session->session_id);
		/* Saved because the loop below reuses 'session' as its cursor. */
		u32 sid = session->session_id;

		hash_for_each_possible_rcu(pn->l2tp_v3_session_htable, session,
					   hlist, hkey) {
			/* May be NULL while the session is still being
			 * registered, hence the check below.
			 */
			struct l2tp_tunnel *tunnel = READ_ONCE(session->tunnel);

			if (session->session_id == sid &&
			    tunnel && tunnel->tunnel_id == tid &&
			    refcount_inc_not_zero(&session->ref_count)) {
				rcu_read_unlock_bh();
				return session;
			}
		}

		/* If no match found, the colliding session ID isn't in our
		 * tunnel so try the next session ID.
		 */
		(*key)++;
		goto again;
	}

	rcu_read_unlock_bh();

	return NULL;
}
418
/* Return the next session of a tunnel at or after *key for either protocol
 * version, with a new reference held, or NULL.
 *
 * For pver == L2TP_HDR_VER_2, tunnel_id is narrowed to 16 bits by the v2
 * walker's parameter type and sk is unused. Any other pver takes the L2TPv3
 * path.
 */
struct l2tp_session *l2tp_session_get_next(const struct net *net, struct sock *sk, int pver,
					   u32 tunnel_id, unsigned long *key)
{
	if (pver != L2TP_HDR_VER_2)
		return l2tp_v3_session_get_next(net, tunnel_id, sk, key);

	return l2tp_v2_session_get_next(net, tunnel_id, key);
}
EXPORT_SYMBOL_GPL(l2tp_session_get_next);
428
/* Look up a session by interface name.
 *
 * Every session of every tunnel in the namespace is compared against
 * ifname, which is very inefficient; this is only used by management
 * interfaces.
 *
 * Returns the first matching session that can still be referenced, with a
 * new reference held, or NULL. The caller releases the reference with
 * l2tp_session_put().
 */
struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
						const char *ifname)
{
	struct l2tp_net *pn = l2tp_pernet(net);
	struct l2tp_session *match = NULL;
	unsigned long tunnel_id, tmp;
	struct l2tp_session *session;
	struct l2tp_tunnel *tunnel;

	rcu_read_lock_bh();
	idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) {
		if (!tunnel)
			continue;

		list_for_each_entry_rcu(session, &tunnel->session_list, list) {
			/* A name match only counts if the session is not
			 * already being released.
			 */
			if (strcmp(session->ifname, ifname) == 0 &&
			    refcount_inc_not_zero(&session->ref_count)) {
				match = session;
				goto unlock;
			}
		}
	}

unlock:
	rcu_read_unlock_bh();

	return match;
}
EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
459
/* Put a session on a collision list.
 *
 * A reference is taken on the session for as long as it is on the list;
 * l2tp_session_collision_del() drops it again.
 */
static void l2tp_session_coll_list_add(struct l2tp_session_coll_list *clist,
				       struct l2tp_session *session)
{
	refcount_inc(&session->ref_count);
	/* A session is expected to be on at most one collision list. */
	WARN_ON_ONCE(session->coll_list);
	session->coll_list = clist;
	spin_lock(&clist->lock);
	list_add(&session->clist, &clist->list);
	spin_unlock(&clist->lock);
}
470
/* Record that session1, which is being registered, uses the same L2TPv3
 * session ID as the already registered session2.
 *
 * Both sessions end up on the per-net hash list and on a shared collision
 * list, so that lookups can tell them apart by tunnel. The caller must hold
 * pn->l2tp_session_idr_lock.
 *
 * Returns 0 on success, -EEXIST if there is no existing session to share
 * the ID with or if the existing session is in an IP-encap tunnel, and
 * -ENOMEM if the collision list cannot be allocated.
 */
static int l2tp_session_collision_add(struct l2tp_net *pn,
				      struct l2tp_session *session1,
				      struct l2tp_session *session2)
{
	struct l2tp_session_coll_list *clist;

	lockdep_assert_held(&pn->l2tp_session_idr_lock);

	if (!session2)
		return -EEXIST;

	/* If existing session is in IP-encap tunnel, refuse new session */
	if (session2->tunnel->encap == L2TP_ENCAPTYPE_IP)
		return -EEXIST;

	clist = session2->coll_list;
	if (!clist) {
		/* First collision. Allocate list to manage the collided sessions
		 * and add the existing session to the list.
		 */
		/* GFP_ATOMIC: the session IDR spinlock is held here. */
		clist = kmalloc_obj(*clist, GFP_ATOMIC);
		if (!clist)
			return -ENOMEM;

		spin_lock_init(&clist->lock);
		INIT_LIST_HEAD(&clist->list);
		/* The list's ref_count counts its members; this is session2's. */
		refcount_set(&clist->ref_count, 1);
		l2tp_session_coll_list_add(clist, session2);
	}

	/* If existing session isn't already in the session hlist, add it. */
	if (!hash_hashed(&session2->hlist))
		hash_add_rcu(pn->l2tp_v3_session_htable, &session2->hlist,
			     session2->hlist_key);

	/* Add new session to the hlist and collision list */
	hash_add_rcu(pn->l2tp_v3_session_htable, &session1->hlist,
		     session1->hlist_key);
	refcount_inc(&clist->ref_count);
	l2tp_session_coll_list_add(clist, session1);

	return 0;
}
514
/* Remove a session from the L2TPv3 hash list and, if it is on a collision
 * list, from that list and from the session IDR.
 *
 * The caller must hold pn->l2tp_session_idr_lock. For a session that is not
 * on a collision list only the hash list removal is done here; its IDR
 * entry is left untouched.
 */
static void l2tp_session_collision_del(struct l2tp_net *pn,
				       struct l2tp_session *session)
{
	struct l2tp_session_coll_list *clist = session->coll_list;
	unsigned long session_key = session->session_id;
	struct l2tp_session *session2;

	lockdep_assert_held(&pn->l2tp_session_idr_lock);

	hash_del_rcu(&session->hlist);

	if (clist) {
		/* Remove session from its collision list. If there
		 * are other sessions with the same ID, replace this
		 * session's IDR entry with that session, otherwise
		 * remove the IDR entry. If this is the last session,
		 * the collision list data is freed.
		 */
		spin_lock(&clist->lock);
		list_del_init(&session->clist);
		session2 = list_first_entry_or_null(&clist->list, struct l2tp_session, clist);
		if (session2) {
			void *old = idr_replace(&pn->l2tp_v3_session_idr, session2, session_key);

			WARN_ON_ONCE(IS_ERR_VALUE(old));
		} else {
			void *removed = idr_remove(&pn->l2tp_v3_session_idr, session_key);

			WARN_ON_ONCE(removed != session);
		}
		session->coll_list = NULL;
		spin_unlock(&clist->lock);
		/* The list itself is freed only after its lock has been
		 * released and its last member has gone.
		 */
		if (refcount_dec_and_test(&clist->ref_count))
			kfree(clist);
		/* Drop the reference taken by l2tp_session_coll_list_add(). */
		l2tp_session_put(session);
	}
}
552
/* Register a session with its tunnel and make it visible to lookups.
 *
 * An IDR slot is first reserved with a NULL entry. The session pointer is
 * published in that slot only after session->tunnel has been set and the
 * session has been added to the tunnel's session_list.
 *
 * Returns 0 on success, -ENODEV if the tunnel is not accepting new
 * sessions, -EEXIST if the session ID is already in use and cannot be
 * shared, or another negative errno from the IDR or collision-list
 * allocation.
 */
int l2tp_session_register(struct l2tp_session *session,
			  struct l2tp_tunnel *tunnel)
{
	struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
	struct l2tp_session *other_session = NULL;
	void *old = NULL;
	u32 session_key;
	int err;

	/* Lock order: tunnel->list_lock, then the per-net session IDR lock. */
	spin_lock_bh(&tunnel->list_lock);
	spin_lock_bh(&pn->l2tp_session_idr_lock);

	if (!tunnel->acpt_newsess) {
		err = -ENODEV;
		goto out;
	}

	if (tunnel->version == L2TP_HDR_VER_3) {
		session_key = session->session_id;
		/* Reserve exactly this ID with a NULL placeholder. */
		err = idr_alloc_u32(&pn->l2tp_v3_session_idr, NULL,
				    &session_key, session_key, GFP_ATOMIC);
		/* IP encap expects session IDs to be globally unique, while
		 * UDP encap doesn't. This isn't per the RFC, which says that
		 * sessions are identified only by the session ID, but is to
		 * support existing userspace which depends on it.
		 */
		if (err == -ENOSPC && tunnel->encap == L2TP_ENCAPTYPE_UDP) {
			other_session = idr_find(&pn->l2tp_v3_session_idr,
						 session_key);
			err = l2tp_session_collision_add(pn, session,
							 other_session);
		}
	} else {
		session_key = l2tp_v2_session_key(tunnel->tunnel_id,
						  session->session_id);
		err = idr_alloc_u32(&pn->l2tp_v2_session_idr, NULL,
				    &session_key, session_key, GFP_ATOMIC);
	}

	if (err) {
		/* A taken ID is reported to the caller as -EEXIST. */
		if (err == -ENOSPC)
			err = -EEXIST;
		goto out;
	}

	/* The session holds a reference on its tunnel until it is freed. */
	refcount_inc(&tunnel->ref_count);
	WRITE_ONCE(session->tunnel, tunnel);
	list_add_rcu(&session->list, &tunnel->session_list);

	/* this makes session available to lockless getters */
	if (tunnel->version == L2TP_HDR_VER_3) {
		/* With a collision the IDR slot keeps pointing at the
		 * existing session; the new one is found via the hash list.
		 */
		if (!other_session)
			old = idr_replace(&pn->l2tp_v3_session_idr, session, session_key);
	} else {
		old = idr_replace(&pn->l2tp_v2_session_idr, session, session_key);
	}

	/* old should be NULL, unless something removed or modified
	 * the IDR entry after our idr_alloc_u32 above (which shouldn't
	 * happen).
	 */
	WARN_ON_ONCE(old);
out:
	spin_unlock_bh(&pn->l2tp_session_idr_lock);
	spin_unlock_bh(&tunnel->list_lock);

	if (!err)
		trace_register_session(session);

	return err;
}
EXPORT_SYMBOL_GPL(l2tp_session_register);
625
626 /*****************************************************************************
627 * Receive data handling
628 *****************************************************************************/
629
/* Insert a skb into the session's reorder queue, ahead of the first queued
 * skb with a larger ns, or at the tail if there is none. Only called for
 * skbs that carry an L2TP sequence number.
 *
 * NOTE(review): ns values are compared as plain integers, so ordering across
 * a sequence-number wrap is not handled here - confirm this is intended.
 * NOTE(review): no cap on the queue length is visible here; growth appears
 * to be limited by the rx window check in the caller and by the expiry in
 * l2tp_recv_dequeue() - confirm.
 */
static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
{
	u32 ns = L2TP_SKB_CB(skb)->ns;
	struct sk_buff *pos, *next;
	bool inserted = false;

	spin_lock_bh(&session->reorder_q.lock);

	skb_queue_walk_safe(&session->reorder_q, pos, next) {
		if (L2TP_SKB_CB(pos)->ns <= ns)
			continue;

		/* Found a later packet, so this one arrived out of sequence. */
		__skb_queue_before(&session->reorder_q, pos, skb);
		atomic_long_inc(&session->stats.rx_oos_packets);
		inserted = true;
		break;
	}

	if (!inserted)
		__skb_queue_tail(&session->reorder_q, skb);

	spin_unlock_bh(&session->reorder_q.lock);
}
653
/* Deliver a single skb that has been taken off the reorder queue: update
 * the rx counters, advance the expected sequence number if the packet was
 * sequenced, and pass the skb to the session's receive handler. The skb is
 * freed if the session has no handler.
 */
static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
{
	struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);
	struct l2tp_tunnel *tunnel = session->tunnel;
	int rx_len = cb->length;

	/* The skb is about to be requeued, so hand its resources back to
	 * the current owner (a socket receive buffer) first.
	 */
	skb_orphan(skb);

	atomic_long_inc(&tunnel->stats.rx_packets);
	atomic_long_inc(&session->stats.rx_packets);
	atomic_long_add(rx_len, &tunnel->stats.rx_bytes);
	atomic_long_add(rx_len, &session->stats.rx_bytes);

	if (cb->has_seq) {
		/* Advance Nr, wrapping it with the nr_max mask. */
		session->nr++;
		session->nr &= session->nr_max;
		trace_session_seqnum_update(session);
	}

	if (!session->recv_skb) {
		kfree_skb(skb);
		return;
	}

	/* Ownership of the skb passes to the private receive handler. */
	session->recv_skb(session, skb, cb->length);
}
684
/* Dequeue skbs from the session's reorder_q, subject to packet order.
 * Skbs that have been in the queue for too long are simply discarded.
 *
 * The queue lock is dropped while each skb is delivered, so the walk is
 * restarted from the head of the queue after every delivery.
 */
static void l2tp_recv_dequeue(struct l2tp_session *session)
{
	struct sk_buff *skb;
	struct sk_buff *tmp;

	/* If the pkt at the head of the queue has the nr that we
	 * expect to send up next, dequeue it and any other
	 * in-sequence packets behind it.
	 */
start:
	spin_lock_bh(&session->reorder_q.lock);
	skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
		struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);

		/* If the packet has been pending on the queue for too long, discard it */
		if (time_after(jiffies, cb->expires)) {
			atomic_long_inc(&session->stats.rx_seq_discards);
			atomic_long_inc(&session->stats.rx_errors);
			trace_session_pkt_expired(session, cb->ns);
			/* Let the next sequenced packet reset the expected nr. */
			session->reorder_skip = 1;
			__skb_unlink(skb, &session->reorder_q);
			kfree_skb(skb);
			continue;
		}

		if (cb->has_seq) {
			if (session->reorder_skip) {
				/* Resynchronise on this packet's sequence number. */
				session->reorder_skip = 0;
				session->nr = cb->ns;
				trace_session_seqnum_reset(session);
			}
			/* Head of the queue is not the expected packet yet:
			 * stop and wait for the missing one or for expiry.
			 */
			if (cb->ns != session->nr)
				goto out;
		}
		/* Unsequenced skbs are delivered as soon as they are reached. */
		__skb_unlink(skb, &session->reorder_q);

		/* Process the skb. We release the queue lock while we
		 * do so to let other contexts process the queue.
		 */
		spin_unlock_bh(&session->reorder_q.lock);
		l2tp_recv_dequeue_skb(session, skb);
		goto start;
	}

out:
	spin_unlock_bh(&session->reorder_q.lock);
}
735
/* Check whether sequence number nr lies inside the session's receive
 * window. The distance from the expected session->nr to nr is computed
 * modulo (nr_max + 1), so a number that has wrapped past nr_max is still
 * measured forwards from session->nr.
 *
 * Returns non-zero if nr is within nr_window_size of session->nr.
 */
static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
{
	u32 nws;

	if (nr < session->nr)
		nws = (session->nr_max + 1) - (session->nr - nr);
	else
		nws = nr - session->nr;

	return nws < session->nr_window_size;
}
747
/* Handle a data packet that carries a sequence number: queue it on the
 * session's reorder_q if it is acceptable.
 *
 * Returns 0 if the skb was queued, non-zero if it should be discarded by
 * the caller.
 */
static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
{
	struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);

	/* Sequence numbers outside the receive window are rejected first. */
	if (!l2tp_seq_check_rx_window(session, cb->ns)) {
		trace_session_pkt_outside_rx_window(session, cb->ns);
		return 1;
	}

	/* With reordering enabled the skb is inserted in order of ns. */
	if (session->reorder_timeout != 0) {
		l2tp_recv_queue_skb(session, skb);
		return 0;
	}

	/* Packet reordering disabled. Out-of-sequence packets are discarded,
	 * while the number of consecutive in-sequence packets seen after the
	 * first OOS packet is tracked. After nr_oos_count_max of those,
	 * reorder_skip is set so that the sequence number gets reset and
	 * packet reception is re-enabled.
	 */
	if (cb->ns != session->nr) {
		u32 nr_oos = cb->ns;
		u32 nr_next = (session->nr_oos + 1) & session->nr_max;

		if (nr_oos == nr_next)
			session->nr_oos_count++;
		else
			session->nr_oos_count = 0;

		session->nr_oos = nr_oos;
		if (session->nr_oos_count > session->nr_oos_count_max)
			session->reorder_skip = 1;

		if (!session->reorder_skip) {
			atomic_long_inc(&session->stats.rx_seq_discards);
			trace_session_pkt_oos(session, cb->ns);
			return 1;
		}
	}

	skb_queue_tail(&session->reorder_q, skb);

	return 0;
}
805
806 /* Do receive processing of L2TP data frames. We handle both L2TPv2
807 * and L2TPv3 data frames here.
808 *
809 * L2TPv2 Data Message Header
810 *
811 * 0 1 2 3
812 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
813 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
814 * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) |
815 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
816 * | Tunnel ID | Session ID |
817 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
818 * | Ns (opt) | Nr (opt) |
819 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
820 * | Offset Size (opt) | Offset pad... (opt)
821 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
822 *
823 * Data frames are marked by T=0. All other fields are the same as
824 * those in L2TP control frames.
825 *
826 * L2TPv3 Data Message Header
827 *
828 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
829 * | L2TP Session Header |
830 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
831 * | L2-Specific Sublayer |
832 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
833 * | Tunnel Payload ...
834 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
835 *
836 * L2TPv3 Session Header Over IP
837 *
838 * 0 1 2 3
839 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
840 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
841 * | Session ID |
842 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
843 * | Cookie (optional, maximum 64 bits)...
844 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
845 * |
846 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
847 *
848 * L2TPv3 L2-Specific Sublayer Format
849 *
850 * 0 1 2 3
851 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
852 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
853 * |x|S|x|x|x|x|x|x| Sequence Number |
854 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
855 *
856 * Cookie value and sublayer format are negotiated with the peer when
857 * the session is set up. Unlike L2TPv2, we do not need to parse the
858 * packet header to determine if optional fields are present.
859 *
860 * Caller must already have parsed the frame and determined that it is
861 * a data (not control) frame before coming here. Fields up to the
862 * session-id have already been parsed and ptr points to the data
863 * after the session-id.
864 */
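void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
		      unsigned char *ptr, unsigned char *optr, u16 hdrflags,
		      int length)
{
	struct l2tp_tunnel *tunnel = session->tunnel;
	int offset;

	/* Parameters:
	 *   ptr      - first header byte after the session ID
	 *   optr     - start of the L2TP header in the skb
	 *   hdrflags - L2TPv2 flags word, tested for the S and O bits
	 *   length   - packet length recorded for the rx byte counters
	 *
	 * The skb is consumed on every path: it is either queued for
	 * delivery or freed.
	 *
	 * NOTE(review): ptr is dereferenced below (cookie, sequence fields,
	 * v2 offset) before the pskb_may_pull() further down, so those reads
	 * rely on the caller having made the optional header fields linear
	 * in the skb - confirm at each call site.
	 */

	/* Parse and check optional cookie */
	if (session->peer_cookie_len > 0) {
		if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
			pr_debug_ratelimited("%s: cookie mismatch (%u/%u). Discarding.\n",
					     tunnel->name, tunnel->tunnel_id,
					     session->session_id);
			atomic_long_inc(&session->stats.rx_cookie_discards);
			goto discard;
		}
		ptr += session->peer_cookie_len;
	}

	/* Handle the optional sequence numbers. Sequence numbers are
	 * in different places for L2TPv2 and L2TPv3.
	 *
	 * If we are the LAC, enable/disable sequence numbers under
	 * the control of the LNS. If no sequence numbers present but
	 * we were expecting them, discard frame.
	 */
	L2TP_SKB_CB(skb)->has_seq = 0;
	if (tunnel->version == L2TP_HDR_VER_2) {
		if (hdrflags & L2TP_HDRFLAG_S) {
			/* Store L2TP info in the skb */
			L2TP_SKB_CB(skb)->ns = ntohs(*(__be16 *)ptr);
			L2TP_SKB_CB(skb)->has_seq = 1;
			ptr += 2;
			/* Skip past nr in the header */
			ptr += 2;
		}
	} else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
		u32 l2h = ntohl(*(__be32 *)ptr);

		/* Use the file's named sublayer constants rather than
		 * repeating their values as literals.
		 */
		if (l2h & L2TP_SLFLAG_S) {
			/* Store L2TP info in the skb */
			L2TP_SKB_CB(skb)->ns = l2h & L2TP_SL_SEQ_MASK;
			L2TP_SKB_CB(skb)->has_seq = 1;
		}
		ptr += 4;
	}

	if (L2TP_SKB_CB(skb)->has_seq) {
		/* Received a packet with sequence numbers. If we're the LAC,
		 * check if we are sending sequence numbers and if not,
		 * configure it so.
		 */
		if (!session->lns_mode && !session->send_seq) {
			trace_session_seqnum_lns_enable(session);
			session->send_seq = 1;
			/* The transmit header length depends on send_seq. */
			l2tp_session_set_header_len(session, tunnel->version,
						    tunnel->encap);
		}
	} else {
		/* No sequence numbers.
		 * If user has configured mandatory sequence numbers, discard.
		 */
		if (session->recv_seq) {
			pr_debug_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",
					     session->name);
			atomic_long_inc(&session->stats.rx_seq_discards);
			goto discard;
		}

		/* If we're the LAC and we're sending sequence numbers, the
		 * LNS has requested that we no longer send sequence numbers.
		 * If we're the LNS and we're sending sequence numbers, the
		 * LAC is broken. Discard the frame.
		 */
		if (!session->lns_mode && session->send_seq) {
			trace_session_seqnum_lns_disable(session);
			session->send_seq = 0;
			l2tp_session_set_header_len(session, tunnel->version,
						    tunnel->encap);
		} else if (session->send_seq) {
			pr_debug_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",
					     session->name);
			atomic_long_inc(&session->stats.rx_seq_discards);
			goto discard;
		}
	}

	/* Session data offset is defined only for L2TPv2 and is
	 * indicated by an optional 16-bit value in the header.
	 */
	if (tunnel->version == L2TP_HDR_VER_2) {
		/* If offset bit set, skip it. The offset value comes from
		 * the packet and is not range-checked here; ptr is not
		 * dereferenced again, and the pskb_may_pull() below rejects
		 * a header length that exceeds the skb.
		 */
		if (hdrflags & L2TP_HDRFLAG_O) {
			offset = ntohs(*(__be16 *)ptr);
			ptr += 2 + offset;
		}
	}

	/* Total header length, including every optional field skipped above. */
	offset = ptr - optr;
	if (!pskb_may_pull(skb, offset))
		goto discard;

	__skb_pull(skb, offset);

	/* Prepare skb for adding to the session's reorder_q. Hold
	 * packets for max reorder_timeout or 1 second if not
	 * reordering.
	 */
	L2TP_SKB_CB(skb)->length = length;
	L2TP_SKB_CB(skb)->expires = jiffies +
		(session->reorder_timeout ? session->reorder_timeout : HZ);

	/* Add packet to the session's receive queue. Reordering is done here, if
	 * enabled. Saved L2TP protocol info is stored in skb->cb[].
	 */
	if (L2TP_SKB_CB(skb)->has_seq) {
		if (l2tp_recv_data_seq(session, skb))
			goto discard;
	} else {
		/* No sequence numbers. Add the skb to the tail of the
		 * reorder queue. This ensures that it will be
		 * delivered after all previous sequenced skbs.
		 */
		skb_queue_tail(&session->reorder_q, skb);
	}

	/* Try to dequeue as many skbs from reorder_q as we can. */
	l2tp_recv_dequeue(session);

	return;

discard:
	atomic_long_inc(&session->stats.rx_errors);
	kfree_skb(skb);
}
EXPORT_SYMBOL_GPL(l2tp_recv_common);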
1002
/* Empty the session's reorder queue, freeing every skb still held on it.
 * Each packet dropped this way is counted as a receive error.
 */
static void l2tp_session_queue_purge(struct l2tp_session *session)
{
	struct sk_buff *pending;

	for (;;) {
		pending = skb_dequeue(&session->reorder_q);
		if (!pending)
			break;

		atomic_long_inc(&session->stats.rx_errors);
		kfree_skb(pending);
	}
}
1014
/* UDP encapsulation receive handler. See net/ipv4/udp.c for details.
 *
 * Parses the fixed part of the L2TP header of a received datagram, looks up
 * the session it names and hands data frames to l2tp_recv_common().
 *
 * Returns 0 once the skb has been handed to l2tp_recv_common(). Returns 1,
 * after pushing the UDP header back, for everything this function does not
 * consume: short packets, control frames (T bit), unknown sessions, sessions
 * without a recv_skb handler, version mismatches and v3 option failures.
 *
 * Every header field read here comes straight from the wire and is
 * peer-controlled; nothing is trusted until the session lookup and the
 * version check against the owning tunnel have passed.
 */
int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
{
	struct l2tp_session *session = NULL;
	struct l2tp_tunnel *tunnel = NULL;
	struct net *net = sock_net(sk);
	unsigned char *ptr, *optr;
	u16 hdrflags;
	u16 version;
	int length;

	/* UDP has verified checksum */

	/* UDP always verifies the packet length. */
	__skb_pull(skb, sizeof(struct udphdr));

	/* Short packet? The fixed-offset reads through ptr below rely on
	 * this pull having made L2TP_HDR_SIZE_MAX bytes available.
	 */
	if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX))
		goto pass;

	/* Point to L2TP header */
	optr = skb->data;
	ptr = skb->data;

	/* Get L2TP header flags */
	hdrflags = ntohs(*(__be16 *)ptr);

	/* Get protocol version */
	version = hdrflags & L2TP_HDR_VER_MASK;

	/* Get length of L2TP packet */
	length = skb->len;

	/* If type is control packet, it is handled by userspace. */
	if (hdrflags & L2TP_HDRFLAG_T)
		goto pass;

	/* Skip flags */
	ptr += 2;

	if (version == L2TP_HDR_VER_2) {
		u16 tunnel_id, session_id;

		/* If length is present, skip it */
		if (hdrflags & L2TP_HDRFLAG_L)
			ptr += 2;

		/* Extract tunnel and session ID */
		tunnel_id = ntohs(*(__be16 *)ptr);
		ptr += 2;
		session_id = ntohs(*(__be16 *)ptr);
		ptr += 2;

		session = l2tp_v2_session_get(net, tunnel_id, session_id);
	} else {
		/* Any version other than 2 is parsed with the v3 layout; a
		 * bogus version is rejected by the tunnel version check below.
		 */
		u32 session_id;

		ptr += 2; /* skip reserved bits */
		session_id = ntohl(*(__be32 *)ptr);
		ptr += 4;

		session = l2tp_v3_session_get(net, sk, session_id);
	}

	if (!session || !session->recv_skb) {
		if (session)
			l2tp_session_put(session);

		/* Not found? Pass to userspace to deal with */
		goto pass;
	}

	tunnel = session->tunnel;

	/* Check protocol version */
	if (version != tunnel->version) {
		l2tp_session_put(session);
		goto invalid;
	}

	if (version == L2TP_HDR_VER_3 &&
	    l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
		l2tp_session_put(session);
		goto invalid;
	}

	l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
	l2tp_session_put(session);

	return 0;

invalid:
	/* NOTE(review): tunnel is dereferenced here after the session
	 * reference was dropped; presumably the tunnel is kept alive by
	 * other means for the duration of this call - confirm.
	 */
	atomic_long_inc(&tunnel->stats.rx_invalid);

pass:
	/* Put UDP header back */
	__skb_push(skb, sizeof(struct udphdr));

	return 1;
}
EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
1116
/* UDP encapsulation receive error handler. See net/ipv4/udp.c for details.
 *
 * Records err on the tunnel socket and reports it. The error is then passed
 * to ip_icmp_error() / ipv6_icmp_error() only when the socket has the
 * RECVERR (IPv4) or RECVERR6 (IPv6) bit set.
 */
static void l2tp_udp_encap_err_recv(struct sock *sk, struct sk_buff *skb, int err,
				    __be16 port, u32 info, u8 *payload)
{
	sk->sk_err = err;
	sk_error_report(sk);

	/* The IP version is taken from the skb's IP header, not from the
	 * socket family. Without CONFIG_IPV6 the else branch compiles away
	 * and non-IPv4 errors are only reported via sk_err above.
	 */
	if (ip_hdr(skb)->version == IPVERSION) {
		if (inet_test_bit(RECVERR, sk))
			return ip_icmp_error(sk, skb, err, port, info, payload);
#if IS_ENABLED(CONFIG_IPV6)
	} else {
		if (inet6_test_bit(RECVERR6, sk))
			return ipv6_icmp_error(sk, skb, err, port, info, payload);
#endif
	}
}
1134
1135 /************************************************************************
1136 * Transmit handling
1137 ***********************************************************************/
1138
/* Write an L2TPv2 data header for the session into buf.
 *
 * Layout: flags/version, peer tunnel ID, peer session ID and, when the
 * session sends sequence numbers, Ns followed by a zero Nr. Ns is advanced
 * modulo 2^16 after use.
 *
 * No bounds check is done here: buf is assumed to have room for the header
 * (l2tp_xmit_core() reserves session->hdr_len bytes before calling).
 *
 * The return value counts 16-bit words written, not bytes, because the
 * cursor is a __be16 pointer.
 */
static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
{
	struct l2tp_tunnel *tunnel = session->tunnel;
	__be16 *hdr = buf;
	int words = 0;
	u16 flags = L2TP_HDR_VER_2;

	if (session->send_seq)
		flags |= L2TP_HDRFLAG_S;

	hdr[words++] = htons(flags);
	hdr[words++] = htons(tunnel->peer_tunnel_id);
	hdr[words++] = htons(session->peer_session_id);

	if (!session->send_seq)
		return words;

	/* Ns, then Nr which is always sent as zero on data frames here. */
	hdr[words++] = htons(session->ns);
	hdr[words++] = 0;
	session->ns = (session->ns + 1) & 0xffff;
	trace_session_seqnum_update(session);

	return words;
}
1167
/* Write an L2TPv3 data header for the session into buf and return the number
 * of bytes written.
 *
 * UDP encapsulation prefixes 4 bytes (version flags plus a zero word); both
 * encapsulations then carry the peer session ID, the optional cookie and,
 * for the default L2-specific sublayer, a 4-byte word holding the sequence
 * number when send_seq is set. Ns is advanced modulo 2^24 after use.
 *
 * No bounds check is done here: buf is assumed to have room for the header
 * (l2tp_xmit_core() reserves session->hdr_len bytes before calling), and
 * session->cookie_len is trusted as set at session creation.
 */
static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
{
	struct l2tp_tunnel *tunnel = session->tunnel;
	char *start = buf;
	char *cur = start;

	if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
		/* 16 bits of flags/version followed by 16 reserved bits. */
		*((__be16 *)cur) = htons(L2TP_HDR_VER_3);
		cur += 2;
		*((__be16 *)cur) = 0;
		cur += 2;
	}

	*((__be32 *)cur) = htonl(session->peer_session_id);
	cur += 4;

	if (session->cookie_len) {
		memcpy(cur, &session->cookie[0], session->cookie_len);
		cur += session->cookie_len;
	}

	if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
		u32 sublayer = 0;

		if (session->send_seq) {
			/* 0x40000000 flags the sequence number as present. */
			sublayer = 0x40000000 | session->ns;
			session->ns = (session->ns + 1) & 0xffffff;
			trace_session_seqnum_update(session);
		}

		*((__be32 *)cur) = htonl(sublayer);
		cur += 4;
	}

	return cur - start;
}
1207
/* Hand the encapsulated packet to the IP layer for output. The tunnel socket
 * lock must be held by the caller.
 *
 * Any cached route on the skb is dropped and ignore_df is set before the
 * packet is queued on the tunnel socket. Returns NET_XMIT_SUCCESS when the
 * IP transmit call reports a non-negative result, NET_XMIT_DROP otherwise.
 */
static int l2tp_xmit_queue(struct l2tp_tunnel *tunnel, struct sk_buff *skb, struct flowi *fl)
{
	struct sock *sk = tunnel->sock;
	int rc;

	skb->ignore_df = 1;
	skb_dst_drop(skb);

#if IS_ENABLED(CONFIG_IPV6)
	if (l2tp_sk_is_v6(sk))
		rc = inet6_csk_xmit(sk, skb, NULL);
	else
#endif
		rc = ip_queue_xmit(sk, skb, fl);

	if (rc < 0)
		return NET_XMIT_DROP;

	return NET_XMIT_SUCCESS;
}
1224
/* Encapsulate skb for the session and queue it on the tunnel socket.
 *
 * Prepends the L2TP header (and a UDP header for UDP encapsulation), then
 * passes the packet to l2tp_xmit_queue() under the tunnel socket's spinlock.
 * *len is set to the packet length including the L2TP header but excluding
 * the UDP header; it is only written once the socket checks have passed.
 *
 * The skb is always consumed: every drop path frees it with kfree_skb().
 * Returns NET_XMIT_SUCCESS or NET_XMIT_DROP.
 */
static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, unsigned int *len)
{
	struct l2tp_tunnel *tunnel = session->tunnel;
	unsigned int data_len = skb->len;
	struct sock *sk = tunnel->sock;
	int headroom, uhlen, udp_len;
	int ret = NET_XMIT_SUCCESS;
	struct inet_sock *inet;
	struct udphdr *uh;

	/* Check that there's enough headroom in the skb to insert IP,
	 * UDP and L2TP headers. If not enough, expand it to
	 * make room. Adjust truesize.
	 *
	 * NOTE(review): the estimate uses sizeof(struct iphdr) for both
	 * address families; presumably the IPv6 output path makes its own
	 * headroom - confirm.
	 */
	uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(*uh) : 0;
	headroom = NET_SKB_PAD + sizeof(struct iphdr) + uhlen + session->hdr_len;
	if (skb_cow_head(skb, headroom)) {
		kfree_skb(skb);
		return NET_XMIT_DROP;
	}

	/* Setup L2TP header. The builders do no bounds checking of their
	 * own; the push of session->hdr_len bytes is what sizes the buffer.
	 */
	if (tunnel->version == L2TP_HDR_VER_2)
		l2tp_build_l2tpv2_header(session, __skb_push(skb, session->hdr_len));
	else
		l2tp_build_l2tpv3_header(session, __skb_push(skb, session->hdr_len));

	/* Reset control buffer */
	memset(skb->cb, 0, sizeof(skb->cb));

	nf_reset_ct(skb);

	/* L2TP uses its own lockdep subclass to avoid lockdep splats caused by
	 * nested socket calls on the same lockdep socket class. This can
	 * happen when data from a user socket is routed over l2tp, which uses
	 * another userspace socket.
	 */
	spin_lock_nested(&sk->sk_lock.slock, L2TP_DEPTH_NESTING);

	/* The packet is dropped, not deferred, while a process context
	 * owner holds the socket.
	 */
	if (sock_owned_by_user(sk)) {
		kfree_skb(skb);
		ret = NET_XMIT_DROP;
		goto out_unlock;
	}

	/* The user-space may change the connection status for the user-space
	 * provided socket at run time: we must check it under the socket lock
	 */
	if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
		kfree_skb(skb);
		ret = NET_XMIT_DROP;
		goto out_unlock;
	}

	/* Report transmitted length before we add encap header, which keeps
	 * statistics consistent for both UDP and IP encap tx/rx paths.
	 */
	*len = skb->len;

	inet = inet_sk(sk);
	switch (tunnel->encap) {
	case L2TP_ENCAPTYPE_UDP:
		/* Setup UDP header */
		__skb_push(skb, sizeof(*uh));
		skb_reset_transport_header(skb);
		uh = udp_hdr(skb);
		uh->source = inet->inet_sport;
		uh->dest = inet->inet_dport;
		udp_len = uhlen + session->hdr_len + data_len;
		/* The UDP length field is 16 bits wide; drop rather than
		 * emit a datagram whose length would be truncated.
		 */
		if (udp_len > U16_MAX) {
			kfree_skb(skb);
			ret = NET_XMIT_DROP;
			goto out_unlock;
		}
		uh->len = htons(udp_len);

		/* Calculate UDP checksum if configured to do so */
#if IS_ENABLED(CONFIG_IPV6)
		if (l2tp_sk_is_v6(sk))
			udp6_set_csum(udp_get_no_check6_tx(sk),
				      skb, &inet6_sk(sk)->saddr,
				      &sk->sk_v6_daddr, udp_len);
		else
#endif
			udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
				     inet->inet_daddr, udp_len);
		break;

	case L2TP_ENCAPTYPE_IP:
		break;
	}

	ret = l2tp_xmit_queue(tunnel, skb, &inet->cork.fl);

out_unlock:
	spin_unlock(&sk->sk_lock.slock);

	return ret;
}
1324
/* Transmit skb on the session and update the tx counters of both the
 * session and its tunnel.
 *
 * If the caller requires the skb to carry a ppp header, that header must
 * already be in the skb data before this function is called.
 *
 * Returns the NET_XMIT_* code produced by l2tp_xmit_core().
 */
int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb)
{
	unsigned int sent = 0;
	int rc = l2tp_xmit_core(session, skb, &sent);

	if (rc != NET_XMIT_SUCCESS) {
		atomic_long_inc(&session->tunnel->stats.tx_errors);
		atomic_long_inc(&session->stats.tx_errors);
		return rc;
	}

	atomic_long_inc(&session->tunnel->stats.tx_packets);
	atomic_long_add(sent, &session->tunnel->stats.tx_bytes);
	atomic_long_inc(&session->stats.tx_packets);
	atomic_long_add(sent, &session->stats.tx_bytes);

	return rc;
}
EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1346
/*****************************************************************************
 * Tunnel and session create/destroy.
 *****************************************************************************/
1350
/* Remove an l2tp session from l2tp_core's lists.
 *
 * Unlinks the session from its tunnel's session list and from the per-net
 * session IDR (or the v3 collision list when the session is hashed there).
 * Does nothing when the session has no tunnel.
 */
static void l2tp_session_unhash(struct l2tp_session *session)
{
	struct l2tp_tunnel *tunnel = session->tunnel;

	if (tunnel) {
		struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
		struct l2tp_session *removed = session;

		/* Lock order: tunnel list lock first, then the per-net
		 * session IDR lock; released in reverse below.
		 */
		spin_lock_bh(&tunnel->list_lock);
		spin_lock_bh(&pn->l2tp_session_idr_lock);

		/* Remove from the per-tunnel list */
		list_del_rcu(&session->list);

		/* Remove from per-net IDR */
		if (tunnel->version == L2TP_HDR_VER_3) {
			if (hash_hashed(&session->hlist))
				l2tp_session_collision_del(pn, session);
			else
				removed = idr_remove(&pn->l2tp_v3_session_idr,
						     session->session_id);
		} else {
			u32 session_key = l2tp_v2_session_key(tunnel->tunnel_id,
							      session->session_id);
			removed = idr_remove(&pn->l2tp_v2_session_idr,
					     session_key);
		}
		/* Whatever the IDR held under this key must be this session
		 * (or nothing); anything else points at a bookkeeping bug.
		 */
		WARN_ON_ONCE(removed && removed != session);

		spin_unlock_bh(&pn->l2tp_session_idr_lock);
		spin_unlock_bh(&tunnel->list_lock);
	}
}
1385
/* Tear down every session attached to a tunnel that is being closed.
 *
 * Under the tunnel's list lock, acpt_newsess is cleared and deletion is
 * requested for each session on the list. l2tp_session_delete() only queues
 * work, so the list itself is not modified while it is being walked.
 */
static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
{
	struct l2tp_session *sess;

	spin_lock_bh(&tunnel->list_lock);

	tunnel->acpt_newsess = false;
	list_for_each_entry(sess, &tunnel->session_list, list) {
		l2tp_session_delete(sess);
	}

	spin_unlock_bh(&tunnel->list_lock);
}
1398
/* encap_destroy hook for UDP-encapsulated tunnel sockets: when the socket
 * goes away, request deletion of the tunnel bound to it. The put presumably
 * balances a reference taken by l2tp_sk_to_tunnel().
 */
static void l2tp_udp_encap_destroy(struct sock *sk)
{
	struct l2tp_tunnel *tunnel = l2tp_sk_to_tunnel(sk);

	if (!tunnel)
		return;

	l2tp_tunnel_delete(tunnel);
	l2tp_tunnel_put(tunnel);
}
1410
/* Drop the tunnel's ID from the per-net tunnel IDR, under the IDR lock. */
static void l2tp_tunnel_remove(struct net *net, struct l2tp_tunnel *tunnel)
{
	struct l2tp_net *l2tp_ns = l2tp_pernet(net);
	spinlock_t *idr_lock = &l2tp_ns->l2tp_tunnel_idr_lock;

	spin_lock_bh(idr_lock);
	idr_remove(&l2tp_ns->l2tp_tunnel_idr, tunnel->tunnel_id);
	spin_unlock_bh(idr_lock);
}
1419
/* Workqueue handler that completes tunnel deletion: closes all sessions,
 * releases a kernel-created socket, removes the tunnel from the per-net IDR
 * and drops both the initial reference and the one taken when the work was
 * queued.
 */
static void l2tp_tunnel_del_work(struct work_struct *work)
{
	struct l2tp_tunnel *tunnel;
	struct socket *ksock;

	tunnel = container_of(work, struct l2tp_tunnel, del_work);

	l2tp_tunnel_closeall(tunnel);

	/* Only a socket created within the kernel (fd < 0) is released
	 * here through the sk API.
	 */
	ksock = tunnel->fd < 0 ? tunnel->sock->sk_socket : NULL;
	if (ksock) {
		kernel_sock_shutdown(ksock, SHUT_RDWR);
		sock_release(ksock);
	}

	l2tp_tunnel_remove(tunnel->l2tp_net, tunnel);

	/* First put: the initial reference. Second put: the workqueue's. */
	l2tp_tunnel_put(tunnel);
	l2tp_tunnel_put(tunnel);
}
1447
/* Create a socket for the tunnel, if one isn't set up by
 * userspace. This is used for static tunnels where there is no
 * managing L2TP daemon.
 *
 * Since we don't want these sockets to keep a namespace alive by
 * themselves, we drop the socket's namespace refcount after creation.
 * These sockets are freed when the namespace exits using the pernet
 * exit hook.
 *
 * For UDP encapsulation the socket is created with udp_sock_create() from
 * the addresses and ports in cfg. For IP encapsulation an IPPROTO_L2TP
 * datagram socket is created, bound to the local address with tunnel_id as
 * connection ID and connected to the peer address with peer_tunnel_id.
 * IPv6 is used when both cfg->local_ip6 and cfg->peer_ip6 are set.
 *
 * Returns 0 with *sockp set to the new socket, or a negative errno with
 * *sockp set to NULL; a partially set up socket is shut down and released.
 * An unknown encapsulation type yields -EINVAL.
 *
 * NOTE(review): cfg is dereferenced unconditionally here although
 * l2tp_tunnel_create() accepts a NULL cfg - confirm that callers creating a
 * kernel socket always pass one.
 */
static int l2tp_tunnel_sock_create(struct net *net,
				   u32 tunnel_id,
				   u32 peer_tunnel_id,
				   struct l2tp_tunnel_cfg *cfg,
				   struct socket **sockp)
{
	int err = -EINVAL;
	struct socket *sock = NULL;
	struct udp_port_cfg udp_conf;

	switch (cfg->encap) {
	case L2TP_ENCAPTYPE_UDP:
		/* Start from an all-zero config so unset fields are defined. */
		memset(&udp_conf, 0, sizeof(udp_conf));

#if IS_ENABLED(CONFIG_IPV6)
		if (cfg->local_ip6 && cfg->peer_ip6) {
			udp_conf.family = AF_INET6;
			memcpy(&udp_conf.local_ip6, cfg->local_ip6,
			       sizeof(udp_conf.local_ip6));
			memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
			       sizeof(udp_conf.peer_ip6));
			/* cfg carries "zero checksum" flags; udp_conf wants
			 * the opposite sense.
			 */
			udp_conf.use_udp6_tx_checksums =
				!cfg->udp6_zero_tx_checksums;
			udp_conf.use_udp6_rx_checksums =
				!cfg->udp6_zero_rx_checksums;
		} else
#endif
		{
			udp_conf.family = AF_INET;
			udp_conf.local_ip = cfg->local_ip;
			udp_conf.peer_ip = cfg->peer_ip;
			udp_conf.use_udp_checksums = cfg->use_udp_checksums;
		}

		udp_conf.local_udp_port = htons(cfg->local_udp_port);
		udp_conf.peer_udp_port = htons(cfg->peer_udp_port);

		err = udp_sock_create(net, &udp_conf, &sock);
		if (err < 0)
			goto out;

		break;

	case L2TP_ENCAPTYPE_IP:
#if IS_ENABLED(CONFIG_IPV6)
		if (cfg->local_ip6 && cfg->peer_ip6) {
			struct sockaddr_l2tpip6 ip6_addr = {0};

			err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
					       IPPROTO_L2TP, &sock);
			if (err < 0)
				goto out;

			/* Bind to the local address / local tunnel ID. */
			ip6_addr.l2tp_family = AF_INET6;
			memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
			       sizeof(ip6_addr.l2tp_addr));
			ip6_addr.l2tp_conn_id = tunnel_id;
			err = kernel_bind(sock, (struct sockaddr_unsized *)&ip6_addr,
					  sizeof(ip6_addr));
			if (err < 0)
				goto out;

			/* Reuse the same sockaddr for the peer side. */
			ip6_addr.l2tp_family = AF_INET6;
			memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
			       sizeof(ip6_addr.l2tp_addr));
			ip6_addr.l2tp_conn_id = peer_tunnel_id;
			err = kernel_connect(sock,
					     (struct sockaddr_unsized *)&ip6_addr,
					     sizeof(ip6_addr), 0);
			if (err < 0)
				goto out;
		} else
#endif
		{
			struct sockaddr_l2tpip ip_addr = {0};

			err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
					       IPPROTO_L2TP, &sock);
			if (err < 0)
				goto out;

			/* Bind to the local address / local tunnel ID. */
			ip_addr.l2tp_family = AF_INET;
			ip_addr.l2tp_addr = cfg->local_ip;
			ip_addr.l2tp_conn_id = tunnel_id;
			err = kernel_bind(sock, (struct sockaddr_unsized *)&ip_addr,
					  sizeof(ip_addr));
			if (err < 0)
				goto out;

			/* Reuse the same sockaddr for the peer side. */
			ip_addr.l2tp_family = AF_INET;
			ip_addr.l2tp_addr = cfg->peer_ip;
			ip_addr.l2tp_conn_id = peer_tunnel_id;
			err = kernel_connect(sock, (struct sockaddr_unsized *)&ip_addr,
					     sizeof(ip_addr), 0);
			if (err < 0)
				goto out;
		}
		break;

	default:
		/* err is still -EINVAL and sock is still NULL here. */
		goto out;
	}

out:
	*sockp = sock;
	/* On failure after the socket exists, tear it down and make sure
	 * the caller never sees the stale pointer.
	 */
	if (err < 0 && sock) {
		kernel_sock_shutdown(sock, SHUT_RDWR);
		sock_release(sock);
		*sockp = NULL;
	}

	return err;
}
1570
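/* Allocate and initialise a tunnel context. The tunnel is not visible to
 * lookups until l2tp_tunnel_register() is called on it.
 *
 * fd is the userspace tunnel socket, or negative when the kernel is to
 * create the socket at registration time. cfg may be NULL, in which case
 * UDP encapsulation is assumed.
 *
 * Returns 0 with *tunnelp (if non-NULL) pointing at the new tunnel, which
 * holds one initial reference, or -ENOMEM with *tunnelp set to NULL.
 */
int l2tp_tunnel_create(int fd, int version, u32 tunnel_id, u32 peer_tunnel_id,
		       struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
{
	struct l2tp_tunnel *tunnel = NULL;
	int err;
	enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;

	if (cfg)
		encap = cfg->encap;

	tunnel = kzalloc_obj(*tunnel);
	if (!tunnel) {
		err = -ENOMEM;
		goto err;
	}

	tunnel->version = version;
	tunnel->tunnel_id = tunnel_id;
	tunnel->peer_tunnel_id = peer_tunnel_id;

	/* Bounded formatting: the name can never overrun tunnel->name, even
	 * if the format string or the buffer size changes later.
	 */
	snprintf(tunnel->name, sizeof(tunnel->name), "tunl %u", tunnel_id);
	spin_lock_init(&tunnel->list_lock);
	tunnel->acpt_newsess = true;
	INIT_LIST_HEAD(&tunnel->session_list);

	tunnel->encap = encap;

	refcount_set(&tunnel->ref_count, 1);
	tunnel->fd = fd;

	/* Init delete workqueue struct */
	INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);

	err = 0;
err:
	/* On allocation failure tunnel is NULL, so the caller gets NULL. */
	if (tunnelp)
		*tunnelp = tunnel;

	return err;
}
EXPORT_SYMBOL_GPL(l2tp_tunnel_create);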
1612
/* Check that a socket is acceptable as the transport for a tunnel.
 *
 * The socket may have been supplied by userspace, so it is rejected unless
 * it lives in the expected network namespace, is an IPv4/IPv6 datagram
 * socket and uses the protocol matching the encapsulation type. A UDP
 * socket that already has sk_user_data set, or any socket already bound to
 * a tunnel, is refused with -EBUSY.
 *
 * Returns 0 if the socket can be used, -EINVAL for a namespace mismatch,
 * -EPROTONOSUPPORT for a wrong type/family/protocol, or -EBUSY.
 */
static int l2tp_validate_socket(const struct sock *sk, const struct net *net,
				enum l2tp_encap_type encap)
{
	struct l2tp_tunnel *existing;

	if (!net_eq(sock_net(sk), net))
		return -EINVAL;

	if (sk->sk_type != SOCK_DGRAM)
		return -EPROTONOSUPPORT;

	if (!(sk->sk_family == PF_INET || sk->sk_family == PF_INET6))
		return -EPROTONOSUPPORT;

	switch (encap) {
	case L2TP_ENCAPTYPE_UDP:
		if (sk->sk_protocol != IPPROTO_UDP)
			return -EPROTONOSUPPORT;
		/* Another user already owns this UDP socket's user data. */
		if (sk->sk_user_data)
			return -EBUSY;
		break;
	case L2TP_ENCAPTYPE_IP:
		if (sk->sk_protocol != IPPROTO_L2TP)
			return -EPROTONOSUPPORT;
		break;
	default:
		break;
	}

	existing = l2tp_sk_to_tunnel(sk);
	if (!existing)
		return 0;

	/* Socket is already attached to a tunnel. */
	l2tp_tunnel_put(existing);
	return -EBUSY;
}
1642
/* Make a tunnel created by l2tp_tunnel_create() live in the given netns.
 *
 * The tunnel ID is first reserved in the per-net IDR with a NULL entry, so
 * the ID is claimed but lookups cannot yet find the tunnel. The tunnel
 * socket is then obtained (created in the kernel when tunnel->fd < 0,
 * otherwise looked up from the userspace fd), validated and, for UDP
 * encapsulation, configured with the L2TP encap callbacks. Only after that
 * is the IDR entry replaced with the tunnel pointer.
 *
 * Returns 0 on success. Returns -EEXIST if the tunnel ID is already in use,
 * or another negative errno from socket creation, lookup or validation; on
 * those later failures the reserved IDR entry is removed again.
 */
int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
			 struct l2tp_tunnel_cfg *cfg)
{
	struct l2tp_net *pn = l2tp_pernet(net);
	u32 tunnel_id = tunnel->tunnel_id;
	struct socket *sock;
	struct sock *sk;
	int ret;

	/* Reserve exactly this ID (min == max); a NULL placeholder is
	 * stored until setup completes.
	 */
	spin_lock_bh(&pn->l2tp_tunnel_idr_lock);
	ret = idr_alloc_u32(&pn->l2tp_tunnel_idr, NULL, &tunnel_id, tunnel_id,
			    GFP_ATOMIC);
	spin_unlock_bh(&pn->l2tp_tunnel_idr_lock);
	if (ret)
		return ret == -ENOSPC ? -EEXIST : ret;

	if (tunnel->fd < 0) {
		ret = l2tp_tunnel_sock_create(net, tunnel->tunnel_id,
					      tunnel->peer_tunnel_id, cfg,
					      &sock);
		if (ret < 0)
			goto err;
	} else {
		/* fd comes from userspace; sockfd_lookup() sets ret on
		 * failure.
		 */
		sock = sockfd_lookup(tunnel->fd, &ret);
		if (!sock)
			goto err;
	}

	sk = sock->sk;
	/* Validate under both the socket lock and the callback lock; the
	 * socket lock stays held until the encap setup below is done.
	 */
	lock_sock(sk);
	write_lock_bh(&sk->sk_callback_lock);
	ret = l2tp_validate_socket(sk, net, tunnel->encap);
	if (ret < 0)
		goto err_inval_sock;
	write_unlock_bh(&sk->sk_callback_lock);

	if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
		struct udp_tunnel_sock_cfg udp_cfg = {
			.encap_type = UDP_ENCAP_L2TPINUDP,
			.encap_rcv = l2tp_udp_encap_recv,
			.encap_err_rcv = l2tp_udp_encap_err_recv,
			.encap_destroy = l2tp_udp_encap_destroy,
		};

		setup_udp_tunnel_sock(net, sock, &udp_cfg);
	}

	sk->sk_allocation = GFP_ATOMIC;
	release_sock(sk);

	/* The tunnel keeps its own reference on the sock. */
	sock_hold(sk);
	tunnel->sock = sk;
	tunnel->l2tp_net = net;

	/* Publish: swap the NULL placeholder for the tunnel. */
	spin_lock_bh(&pn->l2tp_tunnel_idr_lock);
	idr_replace(&pn->l2tp_tunnel_idr, tunnel, tunnel->tunnel_id);
	spin_unlock_bh(&pn->l2tp_tunnel_idr_lock);

	trace_register_tunnel(tunnel);

	/* Balance the sockfd_lookup() above for userspace sockets. */
	if (tunnel->fd >= 0)
		sockfd_put(sock);

	return 0;

err_inval_sock:
	write_unlock_bh(&sk->sk_callback_lock);
	release_sock(sk);

	/* Kernel-created sockets are destroyed; userspace sockets only lose
	 * the reference taken by the lookup.
	 */
	if (tunnel->fd < 0)
		sock_release(sock);
	else
		sockfd_put(sock);
err:
	l2tp_tunnel_remove(net, tunnel);
	return ret;
}
EXPORT_SYMBOL_GPL(l2tp_tunnel_register);
1721
/* Request asynchronous deletion of a tunnel. Used by the netlink
 * TUNNEL_DELETE command.
 *
 * The dead bit makes the request idempotent: only the first caller queues
 * the deletion work, taking a tunnel reference that the work handler drops.
 */
void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
{
	/* Someone else already started the teardown. */
	if (test_and_set_bit(0, &tunnel->dead))
		return;

	trace_delete_tunnel(tunnel);
	refcount_inc(&tunnel->ref_count);
	queue_work(l2tp_wq, &tunnel->del_work);
}
EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1733
/* Request asynchronous deletion of a session.
 *
 * The dead bit makes the request idempotent: only the first caller queues
 * the deletion work, taking a session reference that the work handler drops.
 */
void l2tp_session_delete(struct l2tp_session *session)
{
	/* Someone else already started the teardown. */
	if (test_and_set_bit(0, &session->dead))
		return;

	trace_delete_session(session);
	refcount_inc(&session->ref_count);
	queue_work(l2tp_wq, &session->del_work);
}
EXPORT_SYMBOL_GPL(l2tp_session_delete);
1743
/* Workqueue handler that completes session deletion: unlinks the session
 * from the core lists, drops anything left on its reorder queue, runs the
 * optional session_close callback and releases both the initial reference
 * and the one taken when the work was queued.
 */
static void l2tp_session_del_work(struct work_struct *work)
{
	struct l2tp_session *session;

	session = container_of(work, struct l2tp_session, del_work);

	l2tp_session_unhash(session);
	l2tp_session_queue_purge(session);

	if (session->session_close)
		session->session_close(session);

	/* First put: the initial reference. Second put: the workqueue's. */
	l2tp_session_put(session);
	l2tp_session_put(session);
}
1761
/* Recompute session->hdr_len. Called whenever a session's send_seq,
 * cookie_len or l2specific_type parameters are set.
 *
 * L2TPv2: 6 bytes, plus 4 when sequence numbers are sent.
 * L2TPv3: 4 bytes of session ID, the cookie, the L2-specific sublayer, plus
 * 4 more bytes when the tunnel uses UDP encapsulation.
 */
void l2tp_session_set_header_len(struct l2tp_session *session, int version,
				 enum l2tp_encap_type encap)
{
	int len;

	if (version == L2TP_HDR_VER_2) {
		len = 6;
		if (session->send_seq)
			len += 4;
	} else {
		len = 4 + session->cookie_len;
		len += l2tp_get_l2specific_len(session);
		if (encap == L2TP_ENCAPTYPE_UDP)
			len += 4;
	}

	session->hdr_len = len;
}
EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1780
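/* Allocate and initialise a session in the given tunnel.
 *
 * priv_size extra bytes are allocated after the session for the caller's
 * private data. cfg may be NULL, in which case the configurable fields keep
 * their zeroed defaults.
 *
 * Returns the new session holding one initial reference, ERR_PTR(-EINVAL)
 * if priv_size is negative or a cookie length in cfg exceeds the session's
 * cookie storage, or ERR_PTR(-ENOMEM) on allocation failure.
 */
struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id,
					 u32 peer_session_id, struct l2tp_session_cfg *cfg)
{
	struct l2tp_session *session;

	/* A negative size would shrink the allocation below the size of
	 * the session itself.
	 */
	if (priv_size < 0)
		return ERR_PTR(-EINVAL);

	/* The cookie lengths drive the memcpy()s below; refuse anything that
	 * does not fit the fixed-size cookie arrays rather than relying on
	 * every caller having validated them. The cast also rejects
	 * negative lengths.
	 */
	if (cfg &&
	    ((size_t)cfg->cookie_len > sizeof(session->cookie) ||
	     (size_t)cfg->peer_cookie_len > sizeof(session->peer_cookie)))
		return ERR_PTR(-EINVAL);

	session = kzalloc(sizeof(*session) + priv_size, GFP_KERNEL);
	if (!session)
		return ERR_PTR(-ENOMEM);

	session->magic = L2TP_SESSION_MAGIC;

	session->session_id = session_id;
	session->peer_session_id = peer_session_id;
	session->nr = 0;
	/* Sequence numbers are 16 bits wide in L2TPv2, 24 bits otherwise. */
	if (tunnel->version == L2TP_HDR_VER_2)
		session->nr_max = 0xffff;
	else
		session->nr_max = 0xffffff;
	session->nr_window_size = session->nr_max / 2;
	session->nr_oos_count_max = 4;

	/* Use NR of first received packet */
	session->reorder_skip = 1;

	/* Bounded formatting: the name can never overrun session->name. */
	snprintf(session->name, sizeof(session->name), "sess %u/%u",
		 tunnel->tunnel_id, session->session_id);

	skb_queue_head_init(&session->reorder_q);

	session->hlist_key = l2tp_v3_session_hashkey(tunnel->sock, session->session_id);
	INIT_HLIST_NODE(&session->hlist);
	INIT_LIST_HEAD(&session->clist);
	INIT_LIST_HEAD(&session->list);
	INIT_WORK(&session->del_work, l2tp_session_del_work);

	if (cfg) {
		session->pwtype = cfg->pw_type;
		session->send_seq = cfg->send_seq;
		session->recv_seq = cfg->recv_seq;
		session->lns_mode = cfg->lns_mode;
		session->reorder_timeout = cfg->reorder_timeout;
		session->l2specific_type = cfg->l2specific_type;
		session->cookie_len = cfg->cookie_len;
		memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
		session->peer_cookie_len = cfg->peer_cookie_len;
		memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
	}

	/* hdr_len depends on send_seq, cookie_len and l2specific_type, so it
	 * is computed only after cfg has been applied.
	 */
	l2tp_session_set_header_len(session, tunnel->version, tunnel->encap);

	refcount_set(&session->ref_count, 1);

	return session;
}
EXPORT_SYMBOL_GPL(l2tp_session_create);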
1837
1838 /*****************************************************************************
1839 * Init and cleanup
1840 *****************************************************************************/
1841
/* Per-netns init: set up the tunnel and session IDRs and the locks that
 * protect them. Always returns 0.
 */
static __net_init int l2tp_init_net(struct net *net)
{
	struct l2tp_net *l2tp_ns = net_generic(net, l2tp_net_id);

	/* Tunnel lookup state. */
	spin_lock_init(&l2tp_ns->l2tp_tunnel_idr_lock);
	idr_init(&l2tp_ns->l2tp_tunnel_idr);

	/* Session lookup state; one lock covers both session IDRs. */
	spin_lock_init(&l2tp_ns->l2tp_session_idr_lock);
	idr_init(&l2tp_ns->l2tp_v2_session_idr);
	idr_init(&l2tp_ns->l2tp_v3_session_idr);

	return 0;
}
1855
/* Per-netns pre-exit: request deletion of every tunnel in the namespace and
 * wait for the resulting work to run.
 */
static __net_exit void l2tp_pre_exit_net(struct net *net)
{
	struct l2tp_net *pn = l2tp_pernet(net);
	struct l2tp_tunnel *tunnel = NULL;
	unsigned long tunnel_id, tmp;

	rcu_read_lock_bh();
	idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) {
		if (!tunnel)
			continue;
		l2tp_tunnel_delete(tunnel);
	}
	rcu_read_unlock_bh();

	if (!l2tp_wq)
		return;

	/* First flush: runs the TUNNEL_DELETE work items queued above. */
	__flush_workqueue(l2tp_wq);

	/* Second flush: each TUNNEL_DELETE item queued a SESSION_DELETE
	 * item per session in its tunnel; process those too.
	 */
	__flush_workqueue(l2tp_wq);
}
1880
/* idr_for_each() callback used at netns exit: any entry it is invoked for is
 * a leftover. Logs the IDR's name (passed through data) together with the id
 * argument, warns once, and returns non-zero.
 */
static int l2tp_idr_item_unexpected(int id, void *p, void *data)
{
	const char *which = data;

	pr_err("l2tp: %s IDR not empty at net %d exit\n", which, id);
	WARN_ON_ONCE(1);

	return 1;
}
1889
/* Per-netns exit: verify that the tunnel and session IDRs are empty, then
 * destroy them.
 */
static __net_exit void l2tp_exit_net(struct net *net)
{
	struct l2tp_net *pn = l2tp_pernet(net);
	struct idr *v2_sessions = &pn->l2tp_v2_session_idr;
	struct idr *v3_sessions = &pn->l2tp_v3_session_idr;
	struct idr *tunnels = &pn->l2tp_tunnel_idr;

	/* Everything should have been torn down by now. A leftover entry
	 * is reported to help catch cleanup races or refcnt leaks.
	 */
	idr_for_each(v2_sessions, l2tp_idr_item_unexpected, "v2_session");
	idr_for_each(v3_sessions, l2tp_idr_item_unexpected, "v3_session");
	idr_for_each(tunnels, l2tp_idr_item_unexpected, "tunnel");

	idr_destroy(v2_sessions);
	idr_destroy(v3_sessions);
	idr_destroy(tunnels);
}
1908
/* Per-network-namespace hooks for the L2TP core, listed in the order they
 * run over a namespace's life: init, then pre_exit, then exit.
 */
static struct pernet_operations l2tp_net_ops = {
	.init     = l2tp_init_net,
	.pre_exit = l2tp_pre_exit_net,
	.exit     = l2tp_exit_net,
	.id       = &l2tp_net_id,
	.size     = sizeof(struct l2tp_net),
};
1916
/* Module init: register the per-netns operations and create the workqueue
 * used for tunnel and session deletion. Returns 0 or a negative errno; the
 * pernet registration is undone if the workqueue cannot be allocated.
 */
static int __init l2tp_init(void)
{
	int rc = register_pernet_device(&l2tp_net_ops);

	if (rc)
		return rc;

	l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
	if (!l2tp_wq) {
		pr_err("alloc_workqueue failed\n");
		unregister_pernet_device(&l2tp_net_ops);
		return -ENOMEM;
	}

	pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);

	return 0;
}
1938
/* Module exit: unregister the per-netns operations, then destroy the
 * deletion workqueue and clear the global pointer to it.
 */
static void __exit l2tp_exit(void)
{
	unregister_pernet_device(&l2tp_net_ops);

	if (!l2tp_wq)
		return;

	destroy_workqueue(l2tp_wq);
	l2tp_wq = NULL;
}
1947
/* Module entry and exit points. */
module_init(l2tp_init);
module_exit(l2tp_exit);

/* Module metadata; the version string is shared with the init banner. */
MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
MODULE_DESCRIPTION("L2TP core");
MODULE_LICENSE("GPL");
MODULE_VERSION(L2TP_DRV_VERSION);
1955