1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*****************************************************************************
3 * Linux PPP over L2TP (PPPoX/PPPoL2TP) Sockets
4 *
5 * PPPoX --- Generic PPP encapsulation socket family
6 * PPPoL2TP --- PPP over L2TP (RFC 2661)
7 *
8 * Version: 2.0.0
9 *
10 * Authors: James Chapman (jchapman@katalix.com)
11 *
12 * Based on original work by Martijn van Oosterhout <kleptog@svana.org>
13 *
14 * License:
15 */
16
17 /* This driver handles only L2TP data frames; control frames are handled by a
18 * userspace application.
19 *
20 * To send data in an L2TP session, userspace opens a PPPoL2TP socket and
21 * attaches it to a bound UDP socket with local tunnel_id / session_id and
22 * peer tunnel_id / session_id set. Data can then be sent or received using
23 * regular socket sendmsg() / recvmsg() calls. Kernel parameters of the socket
24 * can be read or modified using ioctl() or [gs]etsockopt() calls.
25 *
26 * When a PPPoL2TP socket is connected with local and peer session_id values
27 * zero, the socket is treated as a special tunnel management socket.
28 *
29 * Here's example userspace code to create a socket for sending/receiving data
30 * over an L2TP session:-
31 *
32 * struct sockaddr_pppol2tp sax;
33 * int fd;
34 * int session_fd;
35 *
36 * fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
37 *
38 * sax.sa_family = AF_PPPOX;
39 * sax.sa_protocol = PX_PROTO_OL2TP;
40 * sax.pppol2tp.fd = tunnel_fd; // bound UDP socket
41 * sax.pppol2tp.addr.sin_addr.s_addr = addr->sin_addr.s_addr;
42 * sax.pppol2tp.addr.sin_port = addr->sin_port;
43 * sax.pppol2tp.addr.sin_family = AF_INET;
44 * sax.pppol2tp.s_tunnel = tunnel_id;
45 * sax.pppol2tp.s_session = session_id;
46 * sax.pppol2tp.d_tunnel = peer_tunnel_id;
47 * sax.pppol2tp.d_session = peer_session_id;
48 *
49 * session_fd = connect(fd, (struct sockaddr *)&sax, sizeof(sax));
50 *
51 * A pppd plugin that allows PPP traffic to be carried over L2TP using
52 * this driver is available from the OpenL2TP project at
53 * http://openl2tp.sourceforge.net.
54 */
55
56 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
57
58 #include <linux/module.h>
59 #include <linux/string.h>
60 #include <linux/list.h>
61 #include <linux/uaccess.h>
62
63 #include <linux/kernel.h>
64 #include <linux/spinlock.h>
65 #include <linux/kthread.h>
66 #include <linux/sched.h>
67 #include <linux/slab.h>
68 #include <linux/errno.h>
69 #include <linux/jiffies.h>
70
71 #include <linux/netdevice.h>
72 #include <linux/net.h>
73 #include <linux/inetdevice.h>
74 #include <linux/skbuff.h>
75 #include <linux/init.h>
76 #include <linux/ip.h>
77 #include <linux/udp.h>
78 #include <linux/if_pppox.h>
79 #include <linux/if_pppol2tp.h>
80 #include <net/sock.h>
81 #include <linux/ppp_channel.h>
82 #include <linux/ppp_defs.h>
83 #include <linux/ppp-ioctl.h>
84 #include <linux/file.h>
85 #include <linux/hash.h>
86 #include <linux/sort.h>
87 #include <linux/proc_fs.h>
88 #include <linux/l2tp.h>
89 #include <linux/nsproxy.h>
90 #include <net/net_namespace.h>
91 #include <net/netns/generic.h>
92 #include <net/ip.h>
93 #include <net/udp.h>
94 #include <net/inet_common.h>
95
96 #include <asm/byteorder.h>
97 #include <linux/atomic.h>
98
99 #include "l2tp_core.h"
100
101 #define PPPOL2TP_DRV_VERSION "V2.0"
102
103 /* Space for UDP, L2TP and PPP headers */
104 #define PPPOL2TP_HEADER_OVERHEAD 40
105
106 /* Number of bytes to build transmit L2TP headers.
107 * Unfortunately the size is different depending on whether sequence numbers
108 * are enabled.
109 */
110 #define PPPOL2TP_L2TP_HDR_SIZE_SEQ 10
111 #define PPPOL2TP_L2TP_HDR_SIZE_NOSEQ 6
112
113 /* Private data of each session. This data lives at the end of struct
114 * l2tp_session, referenced via session->priv[].
115 */
116 struct pppol2tp_session {
117 int owner; /* pid that opened the socket */
118
119 struct mutex sk_lock; /* Protects .sk */
120 struct sock __rcu *sk; /* Pointer to the session PPPoX socket */
121 struct sock *__sk; /* Copy of .sk, for cleanup */
122 };
123
124 static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb);
125
126 static const struct ppp_channel_ops pppol2tp_chan_ops = {
127 .start_xmit = pppol2tp_xmit,
128 };
129
130 static const struct proto_ops pppol2tp_ops;
131
132 /* Retrieves the pppol2tp socket associated to a session.
133 * A reference is held on the returned socket, so this function must be paired
134 * with sock_put().
135 */
pppol2tp_session_get_sock(struct l2tp_session * session)136 static struct sock *pppol2tp_session_get_sock(struct l2tp_session *session)
137 {
138 struct pppol2tp_session *ps = l2tp_session_priv(session);
139 struct sock *sk;
140
141 rcu_read_lock();
142 sk = rcu_dereference(ps->sk);
143 if (sk)
144 sock_hold(sk);
145 rcu_read_unlock();
146
147 return sk;
148 }
149
150 /* Helpers to obtain tunnel/session contexts from sockets.
151 */
pppol2tp_sock_to_session(struct sock * sk)152 static struct l2tp_session *pppol2tp_sock_to_session(struct sock *sk)
153 {
154 struct l2tp_session *session;
155
156 if (!sk)
157 return NULL;
158
159 rcu_read_lock();
160 session = rcu_dereference_sk_user_data(sk);
161 if (session && refcount_inc_not_zero(&session->ref_count)) {
162 rcu_read_unlock();
163 WARN_ON_ONCE(session->magic != L2TP_SESSION_MAGIC);
164 return session;
165 }
166 rcu_read_unlock();
167
168 return NULL;
169 }
170
171 /*****************************************************************************
172 * Receive data handling
173 *****************************************************************************/
174
175 /* Receive message. This is the recvmsg for the PPPoL2TP socket.
176 */
pppol2tp_recvmsg(struct socket * sock,struct msghdr * msg,size_t len,int flags)177 static int pppol2tp_recvmsg(struct socket *sock, struct msghdr *msg,
178 size_t len, int flags)
179 {
180 int err;
181 struct sk_buff *skb;
182 struct sock *sk = sock->sk;
183
184 err = -EIO;
185 if (sk->sk_state & PPPOX_BOUND)
186 goto end;
187
188 err = 0;
189 skb = skb_recv_datagram(sk, flags, &err);
190 if (!skb)
191 goto end;
192
193 if (len > skb->len)
194 len = skb->len;
195 else if (len < skb->len)
196 msg->msg_flags |= MSG_TRUNC;
197
198 err = skb_copy_datagram_msg(skb, 0, msg, len);
199 if (likely(err == 0))
200 err = len;
201
202 kfree_skb(skb);
203 end:
204 return err;
205 }
206
pppol2tp_recv(struct l2tp_session * session,struct sk_buff * skb,int data_len)207 static void pppol2tp_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len)
208 {
209 struct pppol2tp_session *ps = l2tp_session_priv(session);
210 struct sock *sk = NULL;
211
212 /* If the socket is bound, send it in to PPP's input queue. Otherwise
213 * queue it on the session socket.
214 */
215 rcu_read_lock();
216 sk = rcu_dereference(ps->sk);
217 if (!sk)
218 goto no_sock;
219
220 /* If the first two bytes are 0xFF03, consider that it is the PPP's
221 * Address and Control fields and skip them. The L2TP module has always
222 * worked this way, although, in theory, the use of these fields should
223 * be negotiated and handled at the PPP layer. These fields are
224 * constant: 0xFF is the All-Stations Address and 0x03 the Unnumbered
225 * Information command with Poll/Final bit set to zero (RFC 1662).
226 */
227 if (pskb_may_pull(skb, 2) && skb->data[0] == PPP_ALLSTATIONS &&
228 skb->data[1] == PPP_UI)
229 skb_pull(skb, 2);
230
231 if (sk->sk_state & PPPOX_BOUND) {
232 struct pppox_sock *po;
233
234 po = pppox_sk(sk);
235 ppp_input(&po->chan, skb);
236 } else {
237 if (sock_queue_rcv_skb(sk, skb) < 0) {
238 atomic_long_inc(&session->stats.rx_errors);
239 kfree_skb(skb);
240 }
241 }
242 rcu_read_unlock();
243
244 return;
245
246 no_sock:
247 rcu_read_unlock();
248 pr_warn_ratelimited("%s: no socket in recv\n", session->name);
249 kfree_skb(skb);
250 }
251
252 /************************************************************************
253 * Transmit handling
254 ***********************************************************************/
255
256 /* This is the sendmsg for the PPPoL2TP pppol2tp_session socket. We come here
257 * when a user application does a sendmsg() on the session socket. L2TP and
258 * PPP headers must be inserted into the user's data.
259 */
pppol2tp_sendmsg(struct socket * sock,struct msghdr * m,size_t total_len)260 static int pppol2tp_sendmsg(struct socket *sock, struct msghdr *m,
261 size_t total_len)
262 {
263 struct sock *sk = sock->sk;
264 struct sk_buff *skb;
265 int error;
266 struct l2tp_session *session;
267 struct l2tp_tunnel *tunnel;
268 int uhlen;
269
270 error = -ENOTCONN;
271 if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
272 goto error;
273
274 /* Get session and tunnel contexts */
275 error = -EBADF;
276 session = pppol2tp_sock_to_session(sk);
277 if (!session)
278 goto error;
279
280 tunnel = session->tunnel;
281
282 uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
283
284 /* Allocate a socket buffer */
285 error = -ENOMEM;
286 skb = sock_wmalloc(sk, NET_SKB_PAD + sizeof(struct iphdr) +
287 uhlen + session->hdr_len +
288 2 + total_len, /* 2 bytes for PPP_ALLSTATIONS & PPP_UI */
289 0, GFP_KERNEL);
290 if (!skb)
291 goto error_put_sess;
292
293 /* Reserve space for headers. */
294 skb_reserve(skb, NET_SKB_PAD);
295 skb_reset_network_header(skb);
296 skb_reserve(skb, sizeof(struct iphdr));
297 skb_reset_transport_header(skb);
298 skb_reserve(skb, uhlen);
299
300 /* Add PPP header */
301 skb->data[0] = PPP_ALLSTATIONS;
302 skb->data[1] = PPP_UI;
303 skb_put(skb, 2);
304
305 /* Copy user data into skb */
306 error = memcpy_from_msg(skb_put(skb, total_len), m, total_len);
307 if (error < 0) {
308 kfree_skb(skb);
309 goto error_put_sess;
310 }
311
312 local_bh_disable();
313 l2tp_xmit_skb(session, skb);
314 local_bh_enable();
315
316 l2tp_session_put(session);
317
318 return total_len;
319
320 error_put_sess:
321 l2tp_session_put(session);
322 error:
323 return error;
324 }
325
326 /* Transmit function called by generic PPP driver. Sends PPP frame
327 * over PPPoL2TP socket.
328 *
329 * This is almost the same as pppol2tp_sendmsg(), but rather than
330 * being called with a msghdr from userspace, it is called with a skb
331 * from the kernel.
332 *
333 * The supplied skb from ppp doesn't have enough headroom for the
334 * insertion of L2TP, UDP and IP headers so we need to allocate more
335 * headroom in the skb. This will create a cloned skb. But we must be
336 * careful in the error case because the caller will expect to free
337 * the skb it supplied, not our cloned skb. So we take care to always
338 * leave the original skb unfreed if we return an error.
339 */
pppol2tp_xmit(struct ppp_channel * chan,struct sk_buff * skb)340 static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
341 {
342 struct sock *sk = (struct sock *)chan->private;
343 struct l2tp_session *session;
344 struct l2tp_tunnel *tunnel;
345 int uhlen, headroom;
346
347 if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
348 goto abort;
349
350 /* Get session and tunnel contexts from the socket */
351 session = pppol2tp_sock_to_session(sk);
352 if (!session)
353 goto abort;
354
355 tunnel = session->tunnel;
356
357 uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
358 headroom = NET_SKB_PAD +
359 sizeof(struct iphdr) + /* IP header */
360 uhlen + /* UDP header (if L2TP_ENCAPTYPE_UDP) */
361 session->hdr_len + /* L2TP header */
362 2; /* 2 bytes for PPP_ALLSTATIONS & PPP_UI */
363 if (skb_cow_head(skb, headroom))
364 goto abort_put_sess;
365
366 /* Setup PPP header */
367 __skb_push(skb, 2);
368 skb->data[0] = PPP_ALLSTATIONS;
369 skb->data[1] = PPP_UI;
370
371 local_bh_disable();
372 l2tp_xmit_skb(session, skb);
373 local_bh_enable();
374
375 l2tp_session_put(session);
376
377 return 1;
378
379 abort_put_sess:
380 l2tp_session_put(session);
381 abort:
382 /* Free the original skb */
383 kfree_skb(skb);
384 return 1;
385 }
386
387 /*****************************************************************************
388 * Session (and tunnel control) socket create/destroy.
389 *****************************************************************************/
390
391 /* Really kill the session socket. (Called from sock_put() if
392 * refcnt == 0.)
393 */
pppol2tp_session_destruct(struct sock * sk)394 static void pppol2tp_session_destruct(struct sock *sk)
395 {
396 skb_queue_purge(&sk->sk_receive_queue);
397 skb_queue_purge(&sk->sk_write_queue);
398 }
399
pppol2tp_session_close(struct l2tp_session * session)400 static void pppol2tp_session_close(struct l2tp_session *session)
401 {
402 struct pppol2tp_session *ps;
403
404 ps = l2tp_session_priv(session);
405 mutex_lock(&ps->sk_lock);
406 ps->__sk = rcu_dereference_protected(ps->sk,
407 lockdep_is_held(&ps->sk_lock));
408 RCU_INIT_POINTER(ps->sk, NULL);
409 mutex_unlock(&ps->sk_lock);
410 if (ps->__sk) {
411 /* detach socket */
412 rcu_assign_sk_user_data(ps->__sk, NULL);
413 sock_put(ps->__sk);
414
415 /* drop ref taken when we referenced socket via sk_user_data */
416 l2tp_session_put(session);
417 }
418 }
419
420 /* Called when the PPPoX socket (session) is closed.
421 */
pppol2tp_release(struct socket * sock)422 static int pppol2tp_release(struct socket *sock)
423 {
424 struct sock *sk = sock->sk;
425 struct l2tp_session *session;
426 int error;
427
428 if (!sk)
429 return 0;
430
431 error = -EBADF;
432 lock_sock(sk);
433 if (sock_flag(sk, SOCK_DEAD) != 0)
434 goto error;
435
436 pppox_unbind_sock(sk);
437
438 /* Signal the death of the socket. */
439 sk->sk_state = PPPOX_DEAD;
440 sock_orphan(sk);
441 sock->sk = NULL;
442
443 session = pppol2tp_sock_to_session(sk);
444 if (session) {
445 l2tp_session_delete(session);
446 /* drop ref taken by pppol2tp_sock_to_session */
447 l2tp_session_put(session);
448 }
449
450 release_sock(sk);
451
452 sock_put(sk);
453
454 return 0;
455
456 error:
457 release_sock(sk);
458 return error;
459 }
460
461 static struct proto pppol2tp_sk_proto = {
462 .name = "PPPOL2TP",
463 .owner = THIS_MODULE,
464 .obj_size = sizeof(struct pppox_sock),
465 };
466
pppol2tp_backlog_recv(struct sock * sk,struct sk_buff * skb)467 static int pppol2tp_backlog_recv(struct sock *sk, struct sk_buff *skb)
468 {
469 int rc;
470
471 rc = l2tp_udp_encap_recv(sk, skb);
472 if (rc)
473 kfree_skb(skb);
474
475 return NET_RX_SUCCESS;
476 }
477
478 /* socket() handler. Initialize a new struct sock.
479 */
pppol2tp_create(struct net * net,struct socket * sock,int kern)480 static int pppol2tp_create(struct net *net, struct socket *sock, int kern)
481 {
482 int error = -ENOMEM;
483 struct sock *sk;
484
485 sk = sk_alloc(net, PF_PPPOX, GFP_KERNEL, &pppol2tp_sk_proto, kern);
486 if (!sk)
487 goto out;
488
489 sock_init_data(sock, sk);
490 sock_set_flag(sk, SOCK_RCU_FREE);
491
492 sock->state = SS_UNCONNECTED;
493 sock->ops = &pppol2tp_ops;
494
495 sk->sk_backlog_rcv = pppol2tp_backlog_recv;
496 sk->sk_protocol = PX_PROTO_OL2TP;
497 sk->sk_family = PF_PPPOX;
498 sk->sk_state = PPPOX_NONE;
499 sk->sk_type = SOCK_STREAM;
500 sk->sk_destruct = pppol2tp_session_destruct;
501
502 error = 0;
503
504 out:
505 return error;
506 }
507
pppol2tp_show(struct seq_file * m,void * arg)508 static void pppol2tp_show(struct seq_file *m, void *arg)
509 {
510 struct l2tp_session *session = arg;
511 struct sock *sk;
512
513 sk = pppol2tp_session_get_sock(session);
514 if (sk) {
515 struct pppox_sock *po = pppox_sk(sk);
516
517 seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan));
518 sock_put(sk);
519 }
520 }
521
pppol2tp_session_init(struct l2tp_session * session)522 static void pppol2tp_session_init(struct l2tp_session *session)
523 {
524 struct pppol2tp_session *ps;
525
526 session->recv_skb = pppol2tp_recv;
527 session->session_close = pppol2tp_session_close;
528 if (IS_ENABLED(CONFIG_L2TP_DEBUGFS))
529 session->show = pppol2tp_show;
530
531 ps = l2tp_session_priv(session);
532 mutex_init(&ps->sk_lock);
533 ps->owner = current->pid;
534 }
535
536 struct l2tp_connect_info {
537 u8 version;
538 int fd;
539 u32 tunnel_id;
540 u32 peer_tunnel_id;
541 u32 session_id;
542 u32 peer_session_id;
543 };
544
pppol2tp_sockaddr_get_info(const void * sa,int sa_len,struct l2tp_connect_info * info)545 static int pppol2tp_sockaddr_get_info(const void *sa, int sa_len,
546 struct l2tp_connect_info *info)
547 {
548 switch (sa_len) {
549 case sizeof(struct sockaddr_pppol2tp):
550 {
551 const struct sockaddr_pppol2tp *sa_v2in4 = sa;
552
553 if (sa_v2in4->sa_protocol != PX_PROTO_OL2TP)
554 return -EINVAL;
555
556 info->version = 2;
557 info->fd = sa_v2in4->pppol2tp.fd;
558 info->tunnel_id = sa_v2in4->pppol2tp.s_tunnel;
559 info->peer_tunnel_id = sa_v2in4->pppol2tp.d_tunnel;
560 info->session_id = sa_v2in4->pppol2tp.s_session;
561 info->peer_session_id = sa_v2in4->pppol2tp.d_session;
562
563 break;
564 }
565 case sizeof(struct sockaddr_pppol2tpv3):
566 {
567 const struct sockaddr_pppol2tpv3 *sa_v3in4 = sa;
568
569 if (sa_v3in4->sa_protocol != PX_PROTO_OL2TP)
570 return -EINVAL;
571
572 info->version = 3;
573 info->fd = sa_v3in4->pppol2tp.fd;
574 info->tunnel_id = sa_v3in4->pppol2tp.s_tunnel;
575 info->peer_tunnel_id = sa_v3in4->pppol2tp.d_tunnel;
576 info->session_id = sa_v3in4->pppol2tp.s_session;
577 info->peer_session_id = sa_v3in4->pppol2tp.d_session;
578
579 break;
580 }
581 case sizeof(struct sockaddr_pppol2tpin6):
582 {
583 const struct sockaddr_pppol2tpin6 *sa_v2in6 = sa;
584
585 if (sa_v2in6->sa_protocol != PX_PROTO_OL2TP)
586 return -EINVAL;
587
588 info->version = 2;
589 info->fd = sa_v2in6->pppol2tp.fd;
590 info->tunnel_id = sa_v2in6->pppol2tp.s_tunnel;
591 info->peer_tunnel_id = sa_v2in6->pppol2tp.d_tunnel;
592 info->session_id = sa_v2in6->pppol2tp.s_session;
593 info->peer_session_id = sa_v2in6->pppol2tp.d_session;
594
595 break;
596 }
597 case sizeof(struct sockaddr_pppol2tpv3in6):
598 {
599 const struct sockaddr_pppol2tpv3in6 *sa_v3in6 = sa;
600
601 if (sa_v3in6->sa_protocol != PX_PROTO_OL2TP)
602 return -EINVAL;
603
604 info->version = 3;
605 info->fd = sa_v3in6->pppol2tp.fd;
606 info->tunnel_id = sa_v3in6->pppol2tp.s_tunnel;
607 info->peer_tunnel_id = sa_v3in6->pppol2tp.d_tunnel;
608 info->session_id = sa_v3in6->pppol2tp.s_session;
609 info->peer_session_id = sa_v3in6->pppol2tp.d_session;
610
611 break;
612 }
613 default:
614 return -EINVAL;
615 }
616
617 return 0;
618 }
619
620 /* Rough estimation of the maximum payload size a tunnel can transmit without
621 * fragmenting at the lower IP layer. Assumes L2TPv2 with sequence
622 * numbers and no IP option. Not quite accurate, but the result is mostly
623 * unused anyway.
624 */
pppol2tp_tunnel_mtu(const struct l2tp_tunnel * tunnel)625 static int pppol2tp_tunnel_mtu(const struct l2tp_tunnel *tunnel)
626 {
627 int mtu;
628
629 mtu = l2tp_tunnel_dst_mtu(tunnel);
630 if (mtu <= PPPOL2TP_HEADER_OVERHEAD)
631 return 1500 - PPPOL2TP_HEADER_OVERHEAD;
632
633 return mtu - PPPOL2TP_HEADER_OVERHEAD;
634 }
635
pppol2tp_tunnel_get(struct net * net,const struct l2tp_connect_info * info,bool * new_tunnel)636 static struct l2tp_tunnel *pppol2tp_tunnel_get(struct net *net,
637 const struct l2tp_connect_info *info,
638 bool *new_tunnel)
639 {
640 struct l2tp_tunnel *tunnel;
641 int error;
642
643 *new_tunnel = false;
644
645 tunnel = l2tp_tunnel_get(net, info->tunnel_id);
646
647 /* Special case: create tunnel context if session_id and
648 * peer_session_id is 0. Otherwise look up tunnel using supplied
649 * tunnel id.
650 */
651 if (!info->session_id && !info->peer_session_id) {
652 if (!tunnel) {
653 struct l2tp_tunnel_cfg tcfg = {
654 .encap = L2TP_ENCAPTYPE_UDP,
655 };
656
657 /* Prevent l2tp_tunnel_register() from trying to set up
658 * a kernel socket.
659 */
660 if (info->fd < 0)
661 return ERR_PTR(-EBADF);
662
663 error = l2tp_tunnel_create(info->fd,
664 info->version,
665 info->tunnel_id,
666 info->peer_tunnel_id, &tcfg,
667 &tunnel);
668 if (error < 0)
669 return ERR_PTR(error);
670
671 refcount_inc(&tunnel->ref_count);
672 error = l2tp_tunnel_register(tunnel, net, &tcfg);
673 if (error < 0) {
674 kfree(tunnel);
675 return ERR_PTR(error);
676 }
677
678 *new_tunnel = true;
679 }
680 } else {
681 /* Error if we can't find the tunnel */
682 if (!tunnel)
683 return ERR_PTR(-ENOENT);
684
685 /* Error if socket is not prepped */
686 if (!tunnel->sock) {
687 l2tp_tunnel_put(tunnel);
688 return ERR_PTR(-ENOENT);
689 }
690 }
691
692 return tunnel;
693 }
694
695 /* connect() handler. Attach a PPPoX socket to a tunnel UDP socket
696 */
pppol2tp_connect(struct socket * sock,struct sockaddr * uservaddr,int sockaddr_len,int flags)697 static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
698 int sockaddr_len, int flags)
699 {
700 struct sock *sk = sock->sk;
701 struct pppox_sock *po = pppox_sk(sk);
702 struct l2tp_session *session = NULL;
703 struct l2tp_connect_info info;
704 struct l2tp_tunnel *tunnel;
705 struct pppol2tp_session *ps;
706 struct l2tp_session_cfg cfg = { 0, };
707 bool drop_refcnt = false;
708 bool new_session = false;
709 bool new_tunnel = false;
710 int error;
711
712 error = pppol2tp_sockaddr_get_info(uservaddr, sockaddr_len, &info);
713 if (error < 0)
714 return error;
715
716 /* Don't bind if tunnel_id is 0 */
717 if (!info.tunnel_id)
718 return -EINVAL;
719
720 tunnel = pppol2tp_tunnel_get(sock_net(sk), &info, &new_tunnel);
721 if (IS_ERR(tunnel))
722 return PTR_ERR(tunnel);
723
724 lock_sock(sk);
725
726 /* Check for already bound sockets */
727 error = -EBUSY;
728 if (sk->sk_state & PPPOX_CONNECTED)
729 goto end;
730
731 /* We don't supporting rebinding anyway */
732 error = -EALREADY;
733 if (sk->sk_user_data)
734 goto end; /* socket is already attached */
735
736 if (tunnel->peer_tunnel_id == 0)
737 tunnel->peer_tunnel_id = info.peer_tunnel_id;
738
739 session = l2tp_session_get(sock_net(sk), tunnel->sock, tunnel->version,
740 info.tunnel_id, info.session_id);
741 if (session) {
742 drop_refcnt = true;
743
744 if (session->pwtype != L2TP_PWTYPE_PPP) {
745 error = -EPROTOTYPE;
746 goto end;
747 }
748
749 ps = l2tp_session_priv(session);
750
751 /* Using a pre-existing session is fine as long as it hasn't
752 * been connected yet.
753 */
754 mutex_lock(&ps->sk_lock);
755 if (rcu_dereference_protected(ps->sk,
756 lockdep_is_held(&ps->sk_lock)) ||
757 ps->__sk) {
758 mutex_unlock(&ps->sk_lock);
759 error = -EEXIST;
760 goto end;
761 }
762 } else {
763 cfg.pw_type = L2TP_PWTYPE_PPP;
764
765 session = l2tp_session_create(sizeof(struct pppol2tp_session),
766 tunnel, info.session_id,
767 info.peer_session_id, &cfg);
768 if (IS_ERR(session)) {
769 error = PTR_ERR(session);
770 goto end;
771 }
772
773 drop_refcnt = true;
774
775 pppol2tp_session_init(session);
776 ps = l2tp_session_priv(session);
777 refcount_inc(&session->ref_count);
778
779 mutex_lock(&ps->sk_lock);
780 error = l2tp_session_register(session, tunnel);
781 if (error < 0) {
782 mutex_unlock(&ps->sk_lock);
783 l2tp_session_put(session);
784 goto end;
785 }
786
787 new_session = true;
788 }
789
790 /* Special case: if source & dest session_id == 0x0000, this
791 * socket is being created to manage the tunnel. Just set up
792 * the internal context for use by ioctl() and sockopt()
793 * handlers.
794 */
795 if (session->session_id == 0 && session->peer_session_id == 0) {
796 error = 0;
797 goto out_no_ppp;
798 }
799
800 /* The only header we need to worry about is the L2TP
801 * header. This size is different depending on whether
802 * sequence numbers are enabled for the data channel.
803 */
804 po->chan.hdrlen = PPPOL2TP_L2TP_HDR_SIZE_NOSEQ;
805
806 po->chan.private = sk;
807 po->chan.ops = &pppol2tp_chan_ops;
808 po->chan.mtu = pppol2tp_tunnel_mtu(tunnel);
809 po->chan.direct_xmit = true;
810
811 error = ppp_register_net_channel(sock_net(sk), &po->chan);
812 if (error) {
813 mutex_unlock(&ps->sk_lock);
814 goto end;
815 }
816
817 out_no_ppp:
818 /* This is how we get the session context from the socket. */
819 sock_hold(sk);
820 rcu_assign_sk_user_data(sk, session);
821 rcu_assign_pointer(ps->sk, sk);
822 mutex_unlock(&ps->sk_lock);
823
824 /* Keep the reference we've grabbed on the session: sk doesn't expect
825 * the session to disappear. pppol2tp_session_close() is responsible
826 * for dropping it.
827 */
828 drop_refcnt = false;
829
830 sk->sk_state = PPPOX_CONNECTED;
831
832 end:
833 if (error) {
834 if (new_session)
835 l2tp_session_delete(session);
836 if (new_tunnel)
837 l2tp_tunnel_delete(tunnel);
838 }
839 if (drop_refcnt)
840 l2tp_session_put(session);
841 l2tp_tunnel_put(tunnel);
842 release_sock(sk);
843
844 return error;
845 }
846
847 #ifdef CONFIG_L2TP_V3
848
849 /* Called when creating sessions via the netlink interface. */
pppol2tp_session_create(struct net * net,struct l2tp_tunnel * tunnel,u32 session_id,u32 peer_session_id,struct l2tp_session_cfg * cfg)850 static int pppol2tp_session_create(struct net *net, struct l2tp_tunnel *tunnel,
851 u32 session_id, u32 peer_session_id,
852 struct l2tp_session_cfg *cfg)
853 {
854 int error;
855 struct l2tp_session *session;
856
857 /* Error if tunnel socket is not prepped */
858 if (!tunnel->sock) {
859 error = -ENOENT;
860 goto err;
861 }
862
863 /* Allocate and initialize a new session context. */
864 session = l2tp_session_create(sizeof(struct pppol2tp_session),
865 tunnel, session_id,
866 peer_session_id, cfg);
867 if (IS_ERR(session)) {
868 error = PTR_ERR(session);
869 goto err;
870 }
871
872 pppol2tp_session_init(session);
873
874 error = l2tp_session_register(session, tunnel);
875 if (error < 0)
876 goto err_sess;
877
878 return 0;
879
880 err_sess:
881 l2tp_session_put(session);
882 err:
883 return error;
884 }
885
886 #endif /* CONFIG_L2TP_V3 */
887
888 /* getname() support.
889 */
pppol2tp_getname(struct socket * sock,struct sockaddr * uaddr,int peer)890 static int pppol2tp_getname(struct socket *sock, struct sockaddr *uaddr,
891 int peer)
892 {
893 int len = 0;
894 int error = 0;
895 struct l2tp_session *session;
896 struct l2tp_tunnel *tunnel;
897 struct sock *sk = sock->sk;
898 struct inet_sock *inet;
899 struct pppol2tp_session *pls;
900
901 error = -ENOTCONN;
902 if (!sk)
903 goto end;
904 if (!(sk->sk_state & PPPOX_CONNECTED))
905 goto end;
906
907 error = -EBADF;
908 session = pppol2tp_sock_to_session(sk);
909 if (!session)
910 goto end;
911
912 pls = l2tp_session_priv(session);
913 tunnel = session->tunnel;
914
915 inet = inet_sk(tunnel->sock);
916 if (tunnel->version == 2 && tunnel->sock->sk_family == AF_INET) {
917 struct sockaddr_pppol2tp sp;
918
919 len = sizeof(sp);
920 memset(&sp, 0, len);
921 sp.sa_family = AF_PPPOX;
922 sp.sa_protocol = PX_PROTO_OL2TP;
923 sp.pppol2tp.fd = tunnel->fd;
924 sp.pppol2tp.pid = pls->owner;
925 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
926 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
927 sp.pppol2tp.s_session = session->session_id;
928 sp.pppol2tp.d_session = session->peer_session_id;
929 sp.pppol2tp.addr.sin_family = AF_INET;
930 sp.pppol2tp.addr.sin_port = inet->inet_dport;
931 sp.pppol2tp.addr.sin_addr.s_addr = inet->inet_daddr;
932 memcpy(uaddr, &sp, len);
933 #if IS_ENABLED(CONFIG_IPV6)
934 } else if (tunnel->version == 2 && tunnel->sock->sk_family == AF_INET6) {
935 struct sockaddr_pppol2tpin6 sp;
936
937 len = sizeof(sp);
938 memset(&sp, 0, len);
939 sp.sa_family = AF_PPPOX;
940 sp.sa_protocol = PX_PROTO_OL2TP;
941 sp.pppol2tp.fd = tunnel->fd;
942 sp.pppol2tp.pid = pls->owner;
943 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
944 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
945 sp.pppol2tp.s_session = session->session_id;
946 sp.pppol2tp.d_session = session->peer_session_id;
947 sp.pppol2tp.addr.sin6_family = AF_INET6;
948 sp.pppol2tp.addr.sin6_port = inet->inet_dport;
949 memcpy(&sp.pppol2tp.addr.sin6_addr, &tunnel->sock->sk_v6_daddr,
950 sizeof(tunnel->sock->sk_v6_daddr));
951 memcpy(uaddr, &sp, len);
952 } else if (tunnel->version == 3 && tunnel->sock->sk_family == AF_INET6) {
953 struct sockaddr_pppol2tpv3in6 sp;
954
955 len = sizeof(sp);
956 memset(&sp, 0, len);
957 sp.sa_family = AF_PPPOX;
958 sp.sa_protocol = PX_PROTO_OL2TP;
959 sp.pppol2tp.fd = tunnel->fd;
960 sp.pppol2tp.pid = pls->owner;
961 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
962 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
963 sp.pppol2tp.s_session = session->session_id;
964 sp.pppol2tp.d_session = session->peer_session_id;
965 sp.pppol2tp.addr.sin6_family = AF_INET6;
966 sp.pppol2tp.addr.sin6_port = inet->inet_dport;
967 memcpy(&sp.pppol2tp.addr.sin6_addr, &tunnel->sock->sk_v6_daddr,
968 sizeof(tunnel->sock->sk_v6_daddr));
969 memcpy(uaddr, &sp, len);
970 #endif
971 } else if (tunnel->version == 3) {
972 struct sockaddr_pppol2tpv3 sp;
973
974 len = sizeof(sp);
975 memset(&sp, 0, len);
976 sp.sa_family = AF_PPPOX;
977 sp.sa_protocol = PX_PROTO_OL2TP;
978 sp.pppol2tp.fd = tunnel->fd;
979 sp.pppol2tp.pid = pls->owner;
980 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
981 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
982 sp.pppol2tp.s_session = session->session_id;
983 sp.pppol2tp.d_session = session->peer_session_id;
984 sp.pppol2tp.addr.sin_family = AF_INET;
985 sp.pppol2tp.addr.sin_port = inet->inet_dport;
986 sp.pppol2tp.addr.sin_addr.s_addr = inet->inet_daddr;
987 memcpy(uaddr, &sp, len);
988 }
989
990 error = len;
991
992 l2tp_session_put(session);
993 end:
994 return error;
995 }
996
997 /****************************************************************************
998 * ioctl() handlers.
999 *
1000 * The PPPoX socket is created for L2TP sessions: tunnels have their own UDP
1001 * sockets. However, in order to control kernel tunnel features, we allow
1002 * userspace to create a special "tunnel" PPPoX socket which is used for
1003 * control only. Tunnel PPPoX sockets have session_id == 0 and simply allow
1004 * the user application to issue L2TP setsockopt(), getsockopt() and ioctl()
1005 * calls.
1006 ****************************************************************************/
1007
pppol2tp_copy_stats(struct pppol2tp_ioc_stats * dest,const struct l2tp_stats * stats)1008 static void pppol2tp_copy_stats(struct pppol2tp_ioc_stats *dest,
1009 const struct l2tp_stats *stats)
1010 {
1011 memset(dest, 0, sizeof(*dest));
1012
1013 dest->tx_packets = atomic_long_read(&stats->tx_packets);
1014 dest->tx_bytes = atomic_long_read(&stats->tx_bytes);
1015 dest->tx_errors = atomic_long_read(&stats->tx_errors);
1016 dest->rx_packets = atomic_long_read(&stats->rx_packets);
1017 dest->rx_bytes = atomic_long_read(&stats->rx_bytes);
1018 dest->rx_seq_discards = atomic_long_read(&stats->rx_seq_discards);
1019 dest->rx_oos_packets = atomic_long_read(&stats->rx_oos_packets);
1020 dest->rx_errors = atomic_long_read(&stats->rx_errors);
1021 }
1022
pppol2tp_tunnel_copy_stats(struct pppol2tp_ioc_stats * stats,struct l2tp_tunnel * tunnel)1023 static int pppol2tp_tunnel_copy_stats(struct pppol2tp_ioc_stats *stats,
1024 struct l2tp_tunnel *tunnel)
1025 {
1026 struct l2tp_session *session;
1027
1028 if (!stats->session_id) {
1029 pppol2tp_copy_stats(stats, &tunnel->stats);
1030 return 0;
1031 }
1032
1033 /* If session_id is set, search the corresponding session in the
1034 * context of this tunnel and record the session's statistics.
1035 */
1036 session = l2tp_session_get(tunnel->l2tp_net, tunnel->sock, tunnel->version,
1037 tunnel->tunnel_id, stats->session_id);
1038 if (!session)
1039 return -EBADR;
1040
1041 if (session->pwtype != L2TP_PWTYPE_PPP) {
1042 l2tp_session_put(session);
1043 return -EBADR;
1044 }
1045
1046 pppol2tp_copy_stats(stats, &session->stats);
1047 l2tp_session_put(session);
1048
1049 return 0;
1050 }
1051
pppol2tp_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)1052 static int pppol2tp_ioctl(struct socket *sock, unsigned int cmd,
1053 unsigned long arg)
1054 {
1055 struct pppol2tp_ioc_stats stats;
1056 struct l2tp_session *session;
1057
1058 switch (cmd) {
1059 case PPPIOCGMRU:
1060 case PPPIOCGFLAGS:
1061 session = sock->sk->sk_user_data;
1062 if (!session)
1063 return -ENOTCONN;
1064
1065 if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
1066 return -EBADF;
1067
1068 /* Not defined for tunnels */
1069 if (!session->session_id && !session->peer_session_id)
1070 return -ENOSYS;
1071
1072 if (put_user(0, (int __user *)arg))
1073 return -EFAULT;
1074 break;
1075
1076 case PPPIOCSMRU:
1077 case PPPIOCSFLAGS:
1078 session = sock->sk->sk_user_data;
1079 if (!session)
1080 return -ENOTCONN;
1081
1082 if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
1083 return -EBADF;
1084
1085 /* Not defined for tunnels */
1086 if (!session->session_id && !session->peer_session_id)
1087 return -ENOSYS;
1088
1089 if (!access_ok((int __user *)arg, sizeof(int)))
1090 return -EFAULT;
1091 break;
1092
1093 case PPPIOCGL2TPSTATS:
1094 session = sock->sk->sk_user_data;
1095 if (!session)
1096 return -ENOTCONN;
1097
1098 if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
1099 return -EBADF;
1100
1101 /* Session 0 represents the parent tunnel */
1102 if (!session->session_id && !session->peer_session_id) {
1103 u32 session_id;
1104 int err;
1105
1106 if (copy_from_user(&stats, (void __user *)arg,
1107 sizeof(stats)))
1108 return -EFAULT;
1109
1110 session_id = stats.session_id;
1111 err = pppol2tp_tunnel_copy_stats(&stats,
1112 session->tunnel);
1113 if (err < 0)
1114 return err;
1115
1116 stats.session_id = session_id;
1117 } else {
1118 pppol2tp_copy_stats(&stats, &session->stats);
1119 stats.session_id = session->session_id;
1120 }
1121 stats.tunnel_id = session->tunnel->tunnel_id;
1122 stats.using_ipsec = l2tp_tunnel_uses_xfrm(session->tunnel);
1123
1124 if (copy_to_user((void __user *)arg, &stats, sizeof(stats)))
1125 return -EFAULT;
1126 break;
1127
1128 default:
1129 return -ENOIOCTLCMD;
1130 }
1131
1132 return 0;
1133 }
1134
1135 /*****************************************************************************
1136 * setsockopt() / getsockopt() support.
1137 *
1138 * The PPPoX socket is created for L2TP sessions: tunnels have their own UDP
1139 * sockets. In order to control kernel tunnel features, we allow userspace to
1140 * create a special "tunnel" PPPoX socket which is used for control only.
1141 * Tunnel PPPoX sockets have session_id == 0 and simply allow the user
1142 * application to issue L2TP setsockopt(), getsockopt() and ioctl() calls.
1143 *****************************************************************************/
1144
1145 /* Tunnel setsockopt() helper.
1146 */
pppol2tp_tunnel_setsockopt(struct sock * sk,struct l2tp_tunnel * tunnel,int optname,int val)1147 static int pppol2tp_tunnel_setsockopt(struct sock *sk,
1148 struct l2tp_tunnel *tunnel,
1149 int optname, int val)
1150 {
1151 int err = 0;
1152
1153 switch (optname) {
1154 case PPPOL2TP_SO_DEBUG:
1155 /* Tunnel debug flags option is deprecated */
1156 break;
1157
1158 default:
1159 err = -ENOPROTOOPT;
1160 break;
1161 }
1162
1163 return err;
1164 }
1165
1166 /* Session setsockopt helper.
1167 */
pppol2tp_session_setsockopt(struct sock * sk,struct l2tp_session * session,int optname,int val)1168 static int pppol2tp_session_setsockopt(struct sock *sk,
1169 struct l2tp_session *session,
1170 int optname, int val)
1171 {
1172 int err = 0;
1173
1174 switch (optname) {
1175 case PPPOL2TP_SO_RECVSEQ:
1176 if (val != 0 && val != 1) {
1177 err = -EINVAL;
1178 break;
1179 }
1180 session->recv_seq = !!val;
1181 break;
1182
1183 case PPPOL2TP_SO_SENDSEQ:
1184 if (val != 0 && val != 1) {
1185 err = -EINVAL;
1186 break;
1187 }
1188 session->send_seq = !!val;
1189 {
1190 struct pppox_sock *po = pppox_sk(sk);
1191
1192 po->chan.hdrlen = val ? PPPOL2TP_L2TP_HDR_SIZE_SEQ :
1193 PPPOL2TP_L2TP_HDR_SIZE_NOSEQ;
1194 }
1195 l2tp_session_set_header_len(session, session->tunnel->version,
1196 session->tunnel->encap);
1197 break;
1198
1199 case PPPOL2TP_SO_LNSMODE:
1200 if (val != 0 && val != 1) {
1201 err = -EINVAL;
1202 break;
1203 }
1204 session->lns_mode = !!val;
1205 break;
1206
1207 case PPPOL2TP_SO_DEBUG:
1208 /* Session debug flags option is deprecated */
1209 break;
1210
1211 case PPPOL2TP_SO_REORDERTO:
1212 session->reorder_timeout = msecs_to_jiffies(val);
1213 break;
1214
1215 default:
1216 err = -ENOPROTOOPT;
1217 break;
1218 }
1219
1220 return err;
1221 }
1222
1223 /* Main setsockopt() entry point.
1224 * Does API checks, then calls either the tunnel or session setsockopt
1225 * handler, according to whether the PPPoL2TP socket is a for a regular
1226 * session or the special tunnel type.
1227 */
pppol2tp_setsockopt(struct socket * sock,int level,int optname,sockptr_t optval,unsigned int optlen)1228 static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
1229 sockptr_t optval, unsigned int optlen)
1230 {
1231 struct sock *sk = sock->sk;
1232 struct l2tp_session *session;
1233 struct l2tp_tunnel *tunnel;
1234 int val;
1235 int err;
1236
1237 if (level != SOL_PPPOL2TP)
1238 return -EINVAL;
1239
1240 if (optlen < sizeof(int))
1241 return -EINVAL;
1242
1243 if (copy_from_sockptr(&val, optval, sizeof(int)))
1244 return -EFAULT;
1245
1246 err = -ENOTCONN;
1247 if (!sk->sk_user_data)
1248 goto end;
1249
1250 /* Get session context from the socket */
1251 err = -EBADF;
1252 session = pppol2tp_sock_to_session(sk);
1253 if (!session)
1254 goto end;
1255
1256 /* Special case: if session_id == 0x0000, treat as operation on tunnel
1257 */
1258 if (session->session_id == 0 && session->peer_session_id == 0) {
1259 tunnel = session->tunnel;
1260 err = pppol2tp_tunnel_setsockopt(sk, tunnel, optname, val);
1261 } else {
1262 err = pppol2tp_session_setsockopt(sk, session, optname, val);
1263 }
1264
1265 l2tp_session_put(session);
1266 end:
1267 return err;
1268 }
1269
1270 /* Tunnel getsockopt helper. Called with sock locked.
1271 */
pppol2tp_tunnel_getsockopt(struct sock * sk,struct l2tp_tunnel * tunnel,int optname,int * val)1272 static int pppol2tp_tunnel_getsockopt(struct sock *sk,
1273 struct l2tp_tunnel *tunnel,
1274 int optname, int *val)
1275 {
1276 int err = 0;
1277
1278 switch (optname) {
1279 case PPPOL2TP_SO_DEBUG:
1280 /* Tunnel debug flags option is deprecated */
1281 *val = 0;
1282 break;
1283
1284 default:
1285 err = -ENOPROTOOPT;
1286 break;
1287 }
1288
1289 return err;
1290 }
1291
1292 /* Session getsockopt helper. Called with sock locked.
1293 */
pppol2tp_session_getsockopt(struct sock * sk,struct l2tp_session * session,int optname,int * val)1294 static int pppol2tp_session_getsockopt(struct sock *sk,
1295 struct l2tp_session *session,
1296 int optname, int *val)
1297 {
1298 int err = 0;
1299
1300 switch (optname) {
1301 case PPPOL2TP_SO_RECVSEQ:
1302 *val = session->recv_seq;
1303 break;
1304
1305 case PPPOL2TP_SO_SENDSEQ:
1306 *val = session->send_seq;
1307 break;
1308
1309 case PPPOL2TP_SO_LNSMODE:
1310 *val = session->lns_mode;
1311 break;
1312
1313 case PPPOL2TP_SO_DEBUG:
1314 /* Session debug flags option is deprecated */
1315 *val = 0;
1316 break;
1317
1318 case PPPOL2TP_SO_REORDERTO:
1319 *val = (int)jiffies_to_msecs(session->reorder_timeout);
1320 break;
1321
1322 default:
1323 err = -ENOPROTOOPT;
1324 }
1325
1326 return err;
1327 }
1328
1329 /* Main getsockopt() entry point.
1330 * Does API checks, then calls either the tunnel or session getsockopt
1331 * handler, according to whether the PPPoX socket is a for a regular session
1332 * or the special tunnel type.
1333 */
pppol2tp_getsockopt(struct socket * sock,int level,int optname,char __user * optval,int __user * optlen)1334 static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
1335 char __user *optval, int __user *optlen)
1336 {
1337 struct sock *sk = sock->sk;
1338 struct l2tp_session *session;
1339 struct l2tp_tunnel *tunnel;
1340 int val, len;
1341 int err;
1342
1343 if (level != SOL_PPPOL2TP)
1344 return -EINVAL;
1345
1346 if (get_user(len, optlen))
1347 return -EFAULT;
1348
1349 if (len < 0)
1350 return -EINVAL;
1351
1352 len = min_t(unsigned int, len, sizeof(int));
1353
1354 err = -ENOTCONN;
1355 if (!sk->sk_user_data)
1356 goto end;
1357
1358 /* Get the session context */
1359 err = -EBADF;
1360 session = pppol2tp_sock_to_session(sk);
1361 if (!session)
1362 goto end;
1363
1364 /* Special case: if session_id == 0x0000, treat as operation on tunnel */
1365 if (session->session_id == 0 && session->peer_session_id == 0) {
1366 tunnel = session->tunnel;
1367 err = pppol2tp_tunnel_getsockopt(sk, tunnel, optname, &val);
1368 if (err)
1369 goto end_put_sess;
1370 } else {
1371 err = pppol2tp_session_getsockopt(sk, session, optname, &val);
1372 if (err)
1373 goto end_put_sess;
1374 }
1375
1376 err = -EFAULT;
1377 if (put_user(len, optlen))
1378 goto end_put_sess;
1379
1380 if (copy_to_user((void __user *)optval, &val, len))
1381 goto end_put_sess;
1382
1383 err = 0;
1384
1385 end_put_sess:
1386 l2tp_session_put(session);
1387 end:
1388 return err;
1389 }
1390
1391 /*****************************************************************************
1392 * /proc filesystem for debug
1393 * Since the original pppol2tp driver provided /proc/net/pppol2tp for
1394 * L2TPv2, we dump only L2TPv2 tunnels and sessions here.
1395 *****************************************************************************/
1396
1397 #ifdef CONFIG_PROC_FS
1398
1399 struct pppol2tp_seq_data {
1400 struct seq_net_private p;
1401 unsigned long tkey; /* lookup key of current tunnel */
1402 unsigned long skey; /* lookup key of current session */
1403 struct l2tp_tunnel *tunnel;
1404 struct l2tp_session *session; /* NULL means get next tunnel */
1405 };
1406
pppol2tp_next_tunnel(struct net * net,struct pppol2tp_seq_data * pd)1407 static void pppol2tp_next_tunnel(struct net *net, struct pppol2tp_seq_data *pd)
1408 {
1409 /* Drop reference taken during previous invocation */
1410 if (pd->tunnel)
1411 l2tp_tunnel_put(pd->tunnel);
1412
1413 for (;;) {
1414 pd->tunnel = l2tp_tunnel_get_next(net, &pd->tkey);
1415 pd->tkey++;
1416
1417 /* Only accept L2TPv2 tunnels */
1418 if (!pd->tunnel || pd->tunnel->version == 2)
1419 return;
1420
1421 l2tp_tunnel_put(pd->tunnel);
1422 }
1423 }
1424
pppol2tp_next_session(struct net * net,struct pppol2tp_seq_data * pd)1425 static void pppol2tp_next_session(struct net *net, struct pppol2tp_seq_data *pd)
1426 {
1427 /* Drop reference taken during previous invocation */
1428 if (pd->session)
1429 l2tp_session_put(pd->session);
1430
1431 pd->session = l2tp_session_get_next(net, pd->tunnel->sock,
1432 pd->tunnel->version,
1433 pd->tunnel->tunnel_id, &pd->skey);
1434 pd->skey++;
1435
1436 if (!pd->session) {
1437 pd->skey = 0;
1438 pppol2tp_next_tunnel(net, pd);
1439 }
1440 }
1441
pppol2tp_seq_start(struct seq_file * m,loff_t * offs)1442 static void *pppol2tp_seq_start(struct seq_file *m, loff_t *offs)
1443 {
1444 struct pppol2tp_seq_data *pd = SEQ_START_TOKEN;
1445 loff_t pos = *offs;
1446 struct net *net;
1447
1448 if (!pos)
1449 goto out;
1450
1451 if (WARN_ON(!m->private)) {
1452 pd = NULL;
1453 goto out;
1454 }
1455
1456 pd = m->private;
1457 net = seq_file_net(m);
1458
1459 if (!pd->tunnel)
1460 pppol2tp_next_tunnel(net, pd);
1461 else
1462 pppol2tp_next_session(net, pd);
1463
1464 /* NULL tunnel and session indicates end of list */
1465 if (!pd->tunnel && !pd->session)
1466 pd = NULL;
1467
1468 out:
1469 return pd;
1470 }
1471
pppol2tp_seq_next(struct seq_file * m,void * v,loff_t * pos)1472 static void *pppol2tp_seq_next(struct seq_file *m, void *v, loff_t *pos)
1473 {
1474 (*pos)++;
1475 return NULL;
1476 }
1477
pppol2tp_seq_stop(struct seq_file * p,void * v)1478 static void pppol2tp_seq_stop(struct seq_file *p, void *v)
1479 {
1480 struct pppol2tp_seq_data *pd = v;
1481
1482 if (!pd || pd == SEQ_START_TOKEN)
1483 return;
1484
1485 /* Drop reference taken by last invocation of pppol2tp_next_session()
1486 * or pppol2tp_next_tunnel().
1487 */
1488 if (pd->session) {
1489 l2tp_session_put(pd->session);
1490 pd->session = NULL;
1491 }
1492 if (pd->tunnel) {
1493 l2tp_tunnel_put(pd->tunnel);
1494 pd->tunnel = NULL;
1495 }
1496 }
1497
pppol2tp_seq_tunnel_show(struct seq_file * m,void * v)1498 static void pppol2tp_seq_tunnel_show(struct seq_file *m, void *v)
1499 {
1500 struct l2tp_tunnel *tunnel = v;
1501
1502 seq_printf(m, "\nTUNNEL '%s', %c %d\n",
1503 tunnel->name,
1504 tunnel->sock ? 'Y' : 'N',
1505 refcount_read(&tunnel->ref_count) - 1);
1506 seq_printf(m, " %08x %ld/%ld/%ld %ld/%ld/%ld\n",
1507 0,
1508 atomic_long_read(&tunnel->stats.tx_packets),
1509 atomic_long_read(&tunnel->stats.tx_bytes),
1510 atomic_long_read(&tunnel->stats.tx_errors),
1511 atomic_long_read(&tunnel->stats.rx_packets),
1512 atomic_long_read(&tunnel->stats.rx_bytes),
1513 atomic_long_read(&tunnel->stats.rx_errors));
1514 }
1515
pppol2tp_seq_session_show(struct seq_file * m,void * v)1516 static void pppol2tp_seq_session_show(struct seq_file *m, void *v)
1517 {
1518 struct l2tp_session *session = v;
1519 struct l2tp_tunnel *tunnel = session->tunnel;
1520 unsigned char state;
1521 char user_data_ok;
1522 struct sock *sk;
1523 u32 ip = 0;
1524 u16 port = 0;
1525
1526 if (tunnel->sock) {
1527 struct inet_sock *inet = inet_sk(tunnel->sock);
1528
1529 ip = ntohl(inet->inet_saddr);
1530 port = ntohs(inet->inet_sport);
1531 }
1532
1533 sk = pppol2tp_session_get_sock(session);
1534 if (sk) {
1535 state = sk->sk_state;
1536 user_data_ok = (session == sk->sk_user_data) ? 'Y' : 'N';
1537 } else {
1538 state = 0;
1539 user_data_ok = 'N';
1540 }
1541
1542 seq_printf(m, " SESSION '%s' %08X/%d %04X/%04X -> %04X/%04X %d %c\n",
1543 session->name, ip, port,
1544 tunnel->tunnel_id,
1545 session->session_id,
1546 tunnel->peer_tunnel_id,
1547 session->peer_session_id,
1548 state, user_data_ok);
1549 seq_printf(m, " 0/0/%c/%c/%s %08x %u\n",
1550 session->recv_seq ? 'R' : '-',
1551 session->send_seq ? 'S' : '-',
1552 session->lns_mode ? "LNS" : "LAC",
1553 0,
1554 jiffies_to_msecs(session->reorder_timeout));
1555 seq_printf(m, " %u/%u %ld/%ld/%ld %ld/%ld/%ld\n",
1556 session->nr, session->ns,
1557 atomic_long_read(&session->stats.tx_packets),
1558 atomic_long_read(&session->stats.tx_bytes),
1559 atomic_long_read(&session->stats.tx_errors),
1560 atomic_long_read(&session->stats.rx_packets),
1561 atomic_long_read(&session->stats.rx_bytes),
1562 atomic_long_read(&session->stats.rx_errors));
1563
1564 if (sk) {
1565 struct pppox_sock *po = pppox_sk(sk);
1566
1567 seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan));
1568 sock_put(sk);
1569 }
1570 }
1571
pppol2tp_seq_show(struct seq_file * m,void * v)1572 static int pppol2tp_seq_show(struct seq_file *m, void *v)
1573 {
1574 struct pppol2tp_seq_data *pd = v;
1575
1576 /* display header on line 1 */
1577 if (v == SEQ_START_TOKEN) {
1578 seq_puts(m, "PPPoL2TP driver info, " PPPOL2TP_DRV_VERSION "\n");
1579 seq_puts(m, "TUNNEL name, user-data-ok session-count\n");
1580 seq_puts(m, " debug tx-pkts/bytes/errs rx-pkts/bytes/errs\n");
1581 seq_puts(m, " SESSION name, addr/port src-tid/sid dest-tid/sid state user-data-ok\n");
1582 seq_puts(m, " mtu/mru/rcvseq/sendseq/lns debug reorderto\n");
1583 seq_puts(m, " nr/ns tx-pkts/bytes/errs rx-pkts/bytes/errs\n");
1584 goto out;
1585 }
1586
1587 if (!pd->session)
1588 pppol2tp_seq_tunnel_show(m, pd->tunnel);
1589 else
1590 pppol2tp_seq_session_show(m, pd->session);
1591
1592 out:
1593 return 0;
1594 }
1595
1596 static const struct seq_operations pppol2tp_seq_ops = {
1597 .start = pppol2tp_seq_start,
1598 .next = pppol2tp_seq_next,
1599 .stop = pppol2tp_seq_stop,
1600 .show = pppol2tp_seq_show,
1601 };
1602 #endif /* CONFIG_PROC_FS */
1603
1604 /*****************************************************************************
1605 * Network namespace
1606 *****************************************************************************/
1607
pppol2tp_init_net(struct net * net)1608 static __net_init int pppol2tp_init_net(struct net *net)
1609 {
1610 struct proc_dir_entry *pde;
1611 int err = 0;
1612
1613 pde = proc_create_net("pppol2tp", 0444, net->proc_net,
1614 &pppol2tp_seq_ops, sizeof(struct pppol2tp_seq_data));
1615 if (!pde) {
1616 err = -ENOMEM;
1617 goto out;
1618 }
1619
1620 out:
1621 return err;
1622 }
1623
pppol2tp_exit_net(struct net * net)1624 static __net_exit void pppol2tp_exit_net(struct net *net)
1625 {
1626 remove_proc_entry("pppol2tp", net->proc_net);
1627 }
1628
1629 static struct pernet_operations pppol2tp_net_ops = {
1630 .init = pppol2tp_init_net,
1631 .exit = pppol2tp_exit_net,
1632 };
1633
1634 /*****************************************************************************
1635 * Init and cleanup
1636 *****************************************************************************/
1637
1638 static const struct proto_ops pppol2tp_ops = {
1639 .family = AF_PPPOX,
1640 .owner = THIS_MODULE,
1641 .release = pppol2tp_release,
1642 .bind = sock_no_bind,
1643 .connect = pppol2tp_connect,
1644 .socketpair = sock_no_socketpair,
1645 .accept = sock_no_accept,
1646 .getname = pppol2tp_getname,
1647 .poll = datagram_poll,
1648 .listen = sock_no_listen,
1649 .shutdown = sock_no_shutdown,
1650 .setsockopt = pppol2tp_setsockopt,
1651 .getsockopt = pppol2tp_getsockopt,
1652 .sendmsg = pppol2tp_sendmsg,
1653 .recvmsg = pppol2tp_recvmsg,
1654 .mmap = sock_no_mmap,
1655 .ioctl = pppox_ioctl,
1656 #ifdef CONFIG_COMPAT
1657 .compat_ioctl = pppox_compat_ioctl,
1658 #endif
1659 };
1660
1661 static const struct pppox_proto pppol2tp_proto = {
1662 .create = pppol2tp_create,
1663 .ioctl = pppol2tp_ioctl,
1664 .owner = THIS_MODULE,
1665 };
1666
1667 #ifdef CONFIG_L2TP_V3
1668
1669 static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = {
1670 .session_create = pppol2tp_session_create,
1671 .session_delete = l2tp_session_delete,
1672 };
1673
1674 #endif /* CONFIG_L2TP_V3 */
1675
pppol2tp_init(void)1676 static int __init pppol2tp_init(void)
1677 {
1678 int err;
1679
1680 err = register_pernet_device(&pppol2tp_net_ops);
1681 if (err)
1682 goto out;
1683
1684 err = proto_register(&pppol2tp_sk_proto, 0);
1685 if (err)
1686 goto out_unregister_pppol2tp_pernet;
1687
1688 err = register_pppox_proto(PX_PROTO_OL2TP, &pppol2tp_proto);
1689 if (err)
1690 goto out_unregister_pppol2tp_proto;
1691
1692 #ifdef CONFIG_L2TP_V3
1693 err = l2tp_nl_register_ops(L2TP_PWTYPE_PPP, &pppol2tp_nl_cmd_ops);
1694 if (err)
1695 goto out_unregister_pppox;
1696 #endif
1697
1698 pr_info("PPPoL2TP kernel driver, %s\n", PPPOL2TP_DRV_VERSION);
1699
1700 out:
1701 return err;
1702
1703 #ifdef CONFIG_L2TP_V3
1704 out_unregister_pppox:
1705 unregister_pppox_proto(PX_PROTO_OL2TP);
1706 #endif
1707 out_unregister_pppol2tp_proto:
1708 proto_unregister(&pppol2tp_sk_proto);
1709 out_unregister_pppol2tp_pernet:
1710 unregister_pernet_device(&pppol2tp_net_ops);
1711 goto out;
1712 }
1713
pppol2tp_exit(void)1714 static void __exit pppol2tp_exit(void)
1715 {
1716 #ifdef CONFIG_L2TP_V3
1717 l2tp_nl_unregister_ops(L2TP_PWTYPE_PPP);
1718 #endif
1719 unregister_pppox_proto(PX_PROTO_OL2TP);
1720 proto_unregister(&pppol2tp_sk_proto);
1721 unregister_pernet_device(&pppol2tp_net_ops);
1722 }
1723
1724 module_init(pppol2tp_init);
1725 module_exit(pppol2tp_exit);
1726
1727 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1728 MODULE_DESCRIPTION("PPP over L2TP over UDP");
1729 MODULE_LICENSE("GPL");
1730 MODULE_VERSION(PPPOL2TP_DRV_VERSION);
1731 MODULE_ALIAS_NET_PF_PROTO(PF_PPPOX, PX_PROTO_OL2TP);
1732 MODULE_ALIAS_L2TP_PWTYPE(7);
1733