xref: /linux/drivers/net/ppp/pppoe.c (revision d603517771d8e08a2d8fc9e1f7682ce393d3973a)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /** -*- linux-c -*- ***********************************************************
3  * Linux PPP over Ethernet (PPPoX/PPPoE) Sockets
4  *
5  * PPPoX --- Generic PPP encapsulation socket family
6  * PPPoE --- PPP over Ethernet (RFC 2516)
7  *
8  * Version:	0.7.0
9  *
10  * 070228 :	Fix to allow multiple sessions with same remote MAC and same
11  *		session id by including the local device ifindex in the
12  *		tuple identifying a session. This also ensures packets can't
13  *		be injected into a session from interfaces other than the one
14  *		specified by userspace. Florian Zumbiehl <florz@florz.de>
15  *		(Oh, BTW, this one is YYMMDD, in case you were wondering ...)
16  * 220102 :	Fix module use count on failure in pppoe_create, pppox_sk -acme
17  * 030700 :	Fixed connect logic to allow for disconnect.
18  * 270700 :	Fixed potential SMP problems; we must protect against
19  *		simultaneous invocation of ppp_input
20  *		and ppp_unregister_channel.
21  * 040800 :	Respect reference count mechanisms on net-devices.
22  * 200800 :	fix kfree(skb) in pppoe_rcv (acme)
23  *		Module reference count is decremented in the right spot now,
24  *		guards against sock_put not actually freeing the sk
25  *		in pppoe_release.
26  * 051000 :	Initialization cleanup.
27  * 111100 :	Fix recvmsg.
28  * 050101 :	Fix PADT processing.
29  * 140501 :	Use pppoe_rcv_core to handle all backlog. (Alexey)
30  * 170701 :	Do not lock_sock with rwlock held. (DaveM)
31  *		Ignore discovery frames if user has socket
32  *		locked. (DaveM)
33  *		Ignore return value of dev_queue_xmit in __pppoe_xmit
34  *		or else we may kfree an SKB twice. (DaveM)
35  * 190701 :	When doing copies of skb's in __pppoe_xmit, always delete
36  *		the original skb that was passed in on success, never on
37  *		failure.  Delete the copy of the skb on failure to avoid
38  *		a memory leak.
39  * 081001 :	Misc. cleanup (licence string, non-blocking, prevent
40  *		reference of device on close).
41  * 121301 :	New ppp channels interface; cannot unregister a channel
42  *		from interrupts.  Thus, we mark the socket as a ZOMBIE
43  *		and do the unregistration later.
44  * 081002 :	seq_file support for proc stuff -acme
45  * 111602 :	Merge all 2.4 fixes into 2.5/2.6 tree.  Label 2.5/2.6
46  *		as version 0.7.  Spacing cleanup.
47  * Author:	Michal Ostrowski <mostrows@speakeasy.net>
48  * Contributors:
49  * 		Arnaldo Carvalho de Melo <acme@conectiva.com.br>
50  *		David S. Miller (davem@redhat.com)
51  *
52  * License:
53  */
54 
55 #include <linux/string.h>
56 #include <linux/module.h>
57 #include <linux/kernel.h>
58 #include <linux/slab.h>
59 #include <linux/errno.h>
60 #include <linux/netdevice.h>
61 #include <linux/net.h>
62 #include <linux/inetdevice.h>
63 #include <linux/etherdevice.h>
64 #include <linux/skbuff.h>
65 #include <linux/init.h>
66 #include <linux/if_ether.h>
67 #include <linux/if_pppox.h>
68 #include <linux/ppp_channel.h>
69 #include <linux/ppp_defs.h>
70 #include <linux/ppp-ioctl.h>
71 #include <linux/notifier.h>
72 #include <linux/file.h>
73 #include <linux/proc_fs.h>
74 #include <linux/seq_file.h>
75 
76 #include <linux/nsproxy.h>
77 #include <net/net_namespace.h>
78 #include <net/netns/generic.h>
79 #include <net/sock.h>
80 #include <net/gro.h>
81 
82 #include <linux/uaccess.h>
83 
/* Width in bits of a session-table bucket index; taken from the build configuration. */
#define PPPOE_HASH_BITS CONFIG_PPPOE_HASH_BITS
/* Number of buckets in each per-namespace session table (2^PPPOE_HASH_BITS). */
#define PPPOE_HASH_SIZE (1 << PPPOE_HASH_BITS)
/* Mask that reduces a hash value to a valid bucket index. */
#define PPPOE_HASH_MASK	(PPPOE_HASH_SIZE - 1)
87 
/* Forward declaration; the definition appears later in this file. */
static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb);

/*
 * Forward declarations of the operation tables: pppoe_create() and
 * pppoe_connect() take their addresses before the initialisers appear.
 */
static const struct proto_ops pppoe_ops;
static const struct ppp_channel_ops pppoe_chan_ops;
92 
/* per-net private data for this module */
static unsigned int pppoe_net_id __read_mostly;
struct pppoe_net {
	/*
	 * A single hash table shared by all namespaces (with the net id
	 * mixed into the hash) would also work, but it would lengthen the
	 * hash chains and add extra comparisons to every lookup.  A table
	 * per namespace also means less lock contention on SMP.
	 */
	struct pppox_sock __rcu *hash_table[PPPOE_HASH_SIZE];
	/* Taken by every writer of hash_table; readers in this file use RCU. */
	spinlock_t hash_lock;
};
107 
108 /*
109  * PPPoE could be in the following stages:
110  * 1) Discovery stage (to obtain remote MAC and Session ID)
111  * 2) Session stage (MAC and SID are known)
112  *
113  * Ethernet frames have a special tag for this but
114  * we use simpler approach based on session id
115  */
/* Report whether @sid denotes the session stage, i.e. whether it is non-zero. */
static inline bool stage_session(__be16 sid)
{
	return !(sid == 0);
}
120 
/* Fetch this module's private data for network namespace @net. */
static inline struct pppoe_net *pppoe_pernet(struct net *net)
{
	struct pppoe_net *pn = net_generic(net, pppoe_net_id);

	return pn;
}
125 
/*
 * Compare two PPPoE addresses: non-zero when both the session id and the
 * remote MAC match.  The device name stored in the address is not compared.
 */
static inline int cmp_2_addr(struct pppoe_addr *a, struct pppoe_addr *b)
{
	if (a->sid != b->sid)
		return 0;

	return ether_addr_equal(a->remote, b->remote);
}
130 
/*
 * Compare a stored PPPoE address with a (session id, MAC) pair taken from a
 * frame or a request: non-zero when both fields match.
 */
static inline int cmp_addr(struct pppoe_addr *a, __be16 sid, char *addr)
{
	if (a->sid != sid)
		return 0;

	return ether_addr_equal(a->remote, addr);
}
135 
/*
 * Build-time guard: hash_item() folds an 8-bit value by halving shifts, so
 * PPPOE_HASH_BITS has to divide 8 (1, 2, 4 or 8).
 */
#if 8 % PPPOE_HASH_BITS
#error 8 must be a multiple of PPPOE_HASH_BITS
#endif
139 
/*
 * Map a (session id, remote MAC) pair to a bucket index below
 * PPPOE_HASH_SIZE.
 *
 * The three 16-bit words of the MAC and the session id are XORed together,
 * folded to 8 bits, then folded again by shifts of 4, 2, 1 for as long as
 * the shift is at least PPPOE_HASH_BITS.  The interface index is not part
 * of the hash; the lookup helpers compare it separately.
 *
 * NOTE(review): @addr is read through a u16 pointer, so callers presumably
 * pass a 2-byte-aligned address - confirm.
 */
static u8 hash_item(__be16 sid, const u8 addr[ETH_ALEN])
{
	const u16 *words = (const u16 *)addr;
	unsigned int shift = 4;
	u16 mixed;
	u8 folded;

	mixed = words[0] ^ words[1] ^ words[2] ^ (__force u16)sid;
	folded = (mixed >> 8) ^ mixed;

	while (shift >= PPPOE_HASH_BITS) {
		folded ^= folded >> shift;
		shift >>= 1;
	}

	return folded & PPPOE_HASH_MASK;
}
154 
155 /**********************************************************************
156  *
157  *  Set/get/delete/rehash items  (internal versions)
158  *
159  **********************************************************************/
/*
 * Look up the socket bound to (@sid, @addr, @ifindex) in @pn's table.
 *
 * The chain is walked with rcu_dereference(), and no reference is taken on
 * the socket that is returned, so the result is only usable inside the
 * caller's RCU read-side section.  Matching on @ifindex as well as on the
 * MAC and session id keeps a frame that arrived on one interface from being
 * delivered to a session bound to another.
 *
 * Returns the matching socket, or NULL.
 */
static struct pppox_sock *__get_item(struct pppoe_net *pn, __be16 sid,
				unsigned char *addr, int ifindex)
{
	struct pppox_sock *po;
	int bucket = hash_item(sid, addr);

	for (po = rcu_dereference(pn->hash_table[bucket]); po;
	     po = rcu_dereference(po->next)) {
		if (po->pppoe_ifindex != ifindex)
			continue;

		if (cmp_addr(&po->pppoe_pa, sid, addr))
			return po;
	}

	return NULL;
}
177 
/*
 * Insert @po at the head of its hash chain.  The lockdep expressions show
 * that the caller must hold pn->hash_lock.
 *
 * Returns 0 on success, or -EALREADY when another socket with the same
 * session id, remote MAC and interface index is already in the table; in
 * that case @po is not inserted.
 */
static int __set_item(struct pppoe_net *pn, struct pppox_sock *po)
{
	int bucket = hash_item(po->pppoe_pa.sid, po->pppoe_pa.remote);
	struct pppox_sock *head, *cur;

	head = rcu_dereference_protected(pn->hash_table[bucket],
					 lockdep_is_held(&pn->hash_lock));

	for (cur = head; cur;
	     cur = rcu_dereference_protected(cur->next,
					     lockdep_is_held(&pn->hash_lock))) {
		if (cur->pppoe_ifindex != po->pppoe_ifindex)
			continue;

		if (cmp_2_addr(&cur->pppoe_pa, &po->pppoe_pa))
			return -EALREADY;
	}

	/* Set po->next before publishing po, so readers never see a half-linked entry. */
	RCU_INIT_POINTER(po->next, head);
	rcu_assign_pointer(pn->hash_table[bucket], po);

	return 0;
}
198 
/*
 * Unlink the first chain entry that matches (@sid, @addr, @ifindex).  The
 * lockdep expressions show that the caller must hold pn->hash_lock.
 *
 * The entry is selected by its address tuple, not by socket pointer, so the
 * caller has to pass the tuple of the socket it actually owns in the table.
 * Nothing happens when no entry matches.
 */
static void __delete_item(struct pppoe_net *pn, __be16 sid,
					char *addr, int ifindex)
{
	struct pppox_sock __rcu **link = &pn->hash_table[hash_item(sid, addr)];
	struct pppox_sock *cur;

	while ((cur = rcu_dereference_protected(*link,
						lockdep_is_held(&pn->hash_lock)))) {
		if (cmp_addr(&cur->pppoe_pa, sid, addr) &&
		    cur->pppoe_ifindex == ifindex) {
			struct pppox_sock *after;

			after = rcu_dereference_protected(cur->next,
							  lockdep_is_held(&pn->hash_lock));
			/* Splice the entry out by pointing its predecessor at its successor. */
			rcu_assign_pointer(*link, after);
			return;
		}

		link = &cur->next;
	}
}
223 
224 /**********************************************************************
225  *
226  *  Set/get/delete/rehash items
227  *
228  **********************************************************************/
/*
 * Look up a socket as __get_item() does and take a reference on it.
 *
 * Returns NULL when there is no match, or when the socket's reference count
 * has already dropped to zero.  On success the caller owns one reference
 * and must release it with sock_put().
 */
static inline struct pppox_sock *get_item(struct pppoe_net *pn, __be16 sid,
					unsigned char *addr, int ifindex)
{
	struct pppox_sock *po = __get_item(pn, sid, addr, ifindex);

	if (!po)
		return NULL;

	/* A count of zero means the socket is being torn down; do not revive it. */
	if (!refcount_inc_not_zero(&po->sk.sk_refcnt))
		return NULL;

	return po;
}
240 
/* Locked wrapper: take pn->hash_lock around __delete_item(). */
static inline void delete_item(struct pppoe_net *pn, __be16 sid,
					char *addr, int ifindex)
{
	spinlock_t *lock = &pn->hash_lock;

	spin_lock(lock);
	__delete_item(pn, sid, addr, ifindex);
	spin_unlock(lock);
}
248 
249 /***************************************************************************
250  *
251  *  Handler for device events.
252  *  Certain device events require that sockets be unconnected.
253  *
254  **************************************************************************/
255 
/*
 * Unbind every socket in @dev's namespace that is attached to @dev.
 *
 * Each bucket is scanned under hash_lock.  For every socket found on @dev
 * the hash lock is dropped, the socket lock is taken, the socket is unbound
 * and its device reference is released, and the scan of that bucket then
 * restarts from the head.  Sockets are not removed from the hash table
 * here.
 */
static void pppoe_flush_dev(struct net_device *dev)
{
	struct pppoe_net *pn;
	int i;

	pn = pppoe_pernet(dev_net(dev));
	spin_lock(&pn->hash_lock);
	for (i = 0; i < PPPOE_HASH_SIZE; i++) {
		struct pppox_sock *po = rcu_dereference_protected(pn->hash_table[i],
								  lockdep_is_held(&pn->hash_lock));
		struct sock *sk;

		while (po) {
			/* Skip chain entries that are bound to some other device. */
			while (po && po->pppoe_dev != dev) {
				po = rcu_dereference_protected(po->next,
							       lockdep_is_held(&pn->hash_lock));
			}

			if (!po)
				break;

			sk = &po->sk;

			/* We always grab the socket lock, followed by the
			 * hash_lock, in that order.  Since we should hold the
			 * sock lock while doing any unbinding, we need to
			 * release the lock we're holding.  Hold a reference to
			 * the sock so it doesn't disappear as we're jumping
			 * between locks.
			 */

			sock_hold(sk);
			spin_unlock(&pn->hash_lock);
			lock_sock(sk);

			/* Re-check under the socket lock: the binding may have
			 * changed while no lock was held.
			 */
			if (po->pppoe_dev == dev &&
			    sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND)) {
				pppox_unbind_sock(sk);
				sk->sk_state_change(sk);
				po->pppoe_dev = NULL;
				dev_put(dev);
			}

			release_sock(sk);
			sock_put(sk);

			/* Restart the process from the start of the current
			 * hash chain. We dropped locks so the world may have
			 * changed from underneath us.
			 *
			 * NOTE(review): the restart skips this socket only
			 * because pppoe_dev was cleared above.  A socket with
			 * pppoe_dev == dev and neither state flag set would be
			 * visited again; presumably that state cannot be seen
			 * under the socket lock - confirm.
			 */

			BUG_ON(pppoe_pernet(dev_net(dev)) == NULL);
			spin_lock(&pn->hash_lock);
			po = rcu_dereference_protected(pn->hash_table[i],
						       lockdep_is_held(&pn->hash_lock));
		}
	}
	spin_unlock(&pn->hash_lock);
}
315 
/*
 * Netdevice notifier callback.
 *
 * An address or MTU change would need LCP re-negotiation, and a device that
 * is going down or is down can no longer carry sessions, so all four events
 * unbind every socket that uses the device.  Other events are ignored.
 * Always returns NOTIFY_DONE.
 */
static int pppoe_device_event(struct notifier_block *this,
			      unsigned long event, void *ptr)
{
	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
	bool teardown;

	teardown = event == NETDEV_CHANGEADDR || event == NETDEV_CHANGEMTU ||
		   event == NETDEV_GOING_DOWN || event == NETDEV_DOWN;

	/* Only sockets that are using this specific device are affected. */
	if (teardown)
		pppoe_flush_dev(dev);

	return NOTIFY_DONE;
}
341 
/* Notifier block that routes netdevice events to pppoe_device_event(). */
static struct notifier_block pppoe_notifier = {
	.notifier_call = pppoe_device_event,
};
345 
346 /************************************************************************
347  *
348  * Do the real work of receiving a PPPoE Session frame.
349  *
350  ***********************************************************************/
/*
 * Deliver one session frame to its socket; pppoe_create() installs this as
 * the socket's backlog receive handler.
 *
 * Backlog receive semantics preclude any code from executing inside
 * lock_sock()/release_sock() bounds, so sk->sk_state cannot change here.
 *
 * A bound socket passes the frame to the generic PPP layer; any other
 * socket queues it for recvmsg().  Returns NET_RX_SUCCESS, or NET_RX_DROP
 * after freeing the skb when queueing fails.
 */
static int pppoe_rcv_core(struct sock *sk, struct sk_buff *skb)
{
	struct pppox_sock *po = pppox_sk(sk);

	if (sk->sk_state & PPPOX_BOUND) {
		ppp_input(&po->chan, skb);
		return NET_RX_SUCCESS;
	}

	if (sock_queue_rcv_skb(sk, skb)) {
		kfree_skb(skb);
		return NET_RX_DROP;
	}

	return NET_RX_SUCCESS;
}
373 
374 /************************************************************************
375  *
376  * Receive wrapper called in BH context.
377  *
378  ***********************************************************************/
/*
 * Packet handler for PPPoE session frames (registered through pppoes_ptype).
 *
 * Everything read from the frame is untrusted.  The function validates the
 * frame, trims it to the length the PPPoE header announces, and hands it to
 * the socket selected by (session id, source MAC, receiving ifindex).
 * Frames that fail a check or match no socket are freed.
 *
 * Returns the result of __sk_receive_skb(), or NET_RX_DROP.
 */
static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
		     struct packet_type *pt, struct net_device *orig_dev)
{
	struct pppoe_hdr *ph;
	struct pppox_sock *po;
	struct pppoe_net *pn;
	int len;

	/* Frames addressed to another host are not ours to process. */
	if (skb->pkt_type == PACKET_OTHERHOST)
		goto drop;

	skb = skb_share_check(skb, GFP_ATOMIC);
	if (!skb)
		goto out;

	/* eth_hdr() is used for the lookup below, so insist on a full
	 * Ethernet header in front of the payload.
	 */
	if (skb_mac_header_len(skb) < ETH_HLEN)
		goto drop;

	/* Make the first PPPOE_SES_HLEN bytes readable before touching them. */
	if (!pskb_may_pull(skb, PPPOE_SES_HLEN))
		goto drop;

	ph = pppoe_hdr(skb);
	len = ntohs(ph->length);

	/* The announced length must not exceed what was actually received. */
	skb_pull_rcsum(skb, sizeof(*ph));
	if (skb->len < len)
		goto drop;

	/* skb->data points to the PPP protocol header after skb_pull_rcsum.
	 * Drop PFC frames.
	 */
	if (ppp_skb_is_compressed_proto(skb))
		goto drop;

	/* Cut off anything past the announced length; GSO skbs are left as is. */
	if (!skb_is_gso(skb) && pskb_trim_rcsum(skb, len))
		goto drop;

	/* NOTE(review): ph is fetched again here, presumably because the
	 * calls above may have reallocated the header - confirm.
	 */
	ph = pppoe_hdr(skb);
	pn = pppoe_pernet(dev_net(dev));

	/* __get_item() takes no reference on the socket it returns.
	 * NOTE(review): the trailing 'false' presumably tells
	 * __sk_receive_skb() that no reference is held - confirm.
	 */
	po = __get_item(pn, ph->sid, eth_hdr(skb)->h_source, dev->ifindex);
	if (!po)
		goto drop;

	return __sk_receive_skb(&po->sk, skb, 0, 1, false);

drop:
	kfree_skb(skb);
out:
	return NET_RX_DROP;
}
430 
/*
 * Deferred PADT handling, run from a workqueue: under the socket lock,
 * release the device reference and unbind the socket.  The final sock_put()
 * drops the reference that pppoe_disc_rcv() took before scheduling the work.
 */
static void pppoe_unbind_sock_work(struct work_struct *work)
{
	struct pppox_sock *po;
	struct net_device *dev;
	struct sock *sk;

	po = container_of(work, struct pppox_sock, proto.pppoe.padt_work);
	sk = &po->sk;

	lock_sock(sk);
	dev = po->pppoe_dev;
	if (dev) {
		dev_put(dev);
		po->pppoe_dev = NULL;
	}
	pppox_unbind_sock(sk);
	release_sock(sk);
	sock_put(sk);
}
446 
447 /************************************************************************
448  *
449  * Receive a PPPoE Discovery frame.
450  * This is solely for detection of PADT frames
451  *
452  ***********************************************************************/
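/*
 * Packet handler for PPPoE discovery frames (registered through
 * pppoed_ptype).  Only PADT (session termination) is acted on; every other
 * discovery code is ignored.
 *
 * A PADT carries no authentication.  It is matched to a session purely by
 * (session id, source MAC, receiving ifindex), so the only protection
 * against a forged termination is that the sender needs access to the same
 * link and knowledge of that tuple.  The checks below make sure the fields
 * used for the match are really present in the frame.
 *
 * The teardown itself is deferred to a workqueue.  The socket reference
 * taken by get_item() is handed to the work item and released there; when
 * the work was already pending it is released here instead.
 *
 * Always returns NET_RX_SUCCESS.  The skb is freed on every path that
 * still owns one.
 */
static int pppoe_disc_rcv(struct sk_buff *skb, struct net_device *dev,
			  struct packet_type *pt, struct net_device *orig_dev)

{
	struct pppoe_hdr *ph;
	struct pppox_sock *po;
	struct pppoe_net *pn;

	skb = skb_share_check(skb, GFP_ATOMIC);
	if (!skb)
		goto out;

	/* Only frames addressed to this host may end a session. */
	if (skb->pkt_type != PACKET_HOST)
		goto abort;

	/* eth_hdr()->h_source is read for the lookup below, so require a
	 * complete Ethernet header first; pppoe_rcv() applies the same guard.
	 */
	if (skb_mac_header_len(skb) < ETH_HLEN)
		goto abort;

	if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
		goto abort;

	ph = pppoe_hdr(skb);
	if (ph->code != PADT_CODE)
		goto abort;

	pn = pppoe_pernet(dev_net(dev));
	po = get_item(pn, ph->sid, eth_hdr(skb)->h_source, dev->ifindex);
	if (po)
		if (!schedule_work(&po->proto.pppoe.padt_work))
			sock_put(&po->sk);

abort:
	kfree_skb(skb);
out:
	return NET_RX_SUCCESS; /* Lies... :-) */
}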
486 
/* Packet-type hook: session frames (ETH_P_PPP_SES) are handled by pppoe_rcv(). */
static struct packet_type pppoes_ptype __read_mostly = {
	.type	= cpu_to_be16(ETH_P_PPP_SES),
	.func	= pppoe_rcv,
};
491 
/* Packet-type hook: discovery frames (ETH_P_PPP_DISC) are handled by pppoe_disc_rcv(). */
static struct packet_type pppoed_ptype __read_mostly = {
	.type	= cpu_to_be16(ETH_P_PPP_DISC),
	.func	= pppoe_disc_rcv,
};
496 
/* Protocol descriptor passed to sk_alloc(); every socket is allocated as a struct pppox_sock. */
static struct proto pppoe_sk_proto __read_mostly = {
	.name	  = "PPPOE",
	.owner	  = THIS_MODULE,
	.obj_size = sizeof(struct pppox_sock),
};
502 
/* Socket destructor: free any skbs still sitting on the receive queue. */
static void pppoe_destruct(struct sock *sk)
{
	struct sk_buff_head *rxq = &sk->sk_receive_queue;

	skb_queue_purge(rxq);
}
507 
508 /***********************************************************************
509  *
510  * Initialize a new struct sock.
511  *
512  **********************************************************************/
/*
 * Allocate and initialise the struct sock behind a new PPPoE socket.
 *
 * The socket starts unconnected in state PPPOX_NONE.  SOCK_RCU_FREE is set
 * on it, and the work item used for deferred PADT teardown is initialised.
 *
 * Returns 0 on success, or -ENOMEM when the sock cannot be allocated.
 */
static int pppoe_create(struct net *net, struct socket *sock, int kern)
{
	struct pppox_sock *po;
	struct sock *sk;

	sk = sk_alloc(net, PF_PPPOX, GFP_KERNEL, &pppoe_sk_proto, kern);
	if (!sk)
		return -ENOMEM;

	sock_init_data(sock, sk);
	sock_set_flag(sk, SOCK_RCU_FREE);

	sock->ops	= &pppoe_ops;
	sock->state	= SS_UNCONNECTED;

	sk->sk_family		= PF_PPPOX;
	sk->sk_protocol		= PX_PROTO_OE;
	sk->sk_type		= SOCK_STREAM;
	sk->sk_state		= PPPOX_NONE;
	sk->sk_destruct		= pppoe_destruct;
	sk->sk_backlog_rcv	= pppoe_rcv_core;

	po = pppox_sk(sk);
	INIT_WORK(&po->proto.pppoe.padt_work, pppoe_unbind_sock_work);

	return 0;
}
539 
/*
 * Release a PPPoE socket: drop the device reference, unbind the socket,
 * mark it PPPOX_DEAD, remove its entry from the session hash, orphan it and
 * drop the socket reference.
 *
 * Returns 0, or -EBADF when the socket is already flagged SOCK_DEAD.
 */
static int pppoe_release(struct socket *sock)
{
	struct sock *sk = sock->sk;
	struct pppox_sock *po;
	struct pppoe_net *pn;
	struct net *net = NULL;

	if (!sk)
		return 0;

	lock_sock(sk);
	if (sock_flag(sk, SOCK_DEAD)) {
		release_sock(sk);
		return -EBADF;
	}

	po = pppox_sk(sk);

	if (po->pppoe_dev) {
		dev_put(po->pppoe_dev);
		po->pppoe_dev = NULL;
	}

	pppox_unbind_sock(sk);

	/* Signal the death of the socket. */
	sk->sk_state = PPPOX_DEAD;

	net = sock_net(sk);
	pn = pppoe_pernet(net);

	/*
	 * protect "po" from concurrent updates
	 * on pppoe_flush_dev
	 *
	 * NOTE(review): delete_item() selects the entry by address tuple,
	 * not by socket pointer.  This is only correct while po->pppoe_pa
	 * and po->pppoe_ifindex describe an entry this socket itself
	 * inserted; any path that leaves another socket's tuple in "po"
	 * would unlink that other socket here.
	 */
	delete_item(pn, po->pppoe_pa.sid, po->pppoe_pa.remote,
		    po->pppoe_ifindex);

	sock_orphan(sk);
	sock->sk = NULL;

	release_sock(sk);
	sock_put(sk);

	return 0;
}
586 
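/*
 * connect() for PPPoE sockets: bind the socket to a session, or - when the
 * supplied session id is zero - drop the current binding.
 *
 * @uservaddr must be a struct sockaddr_pppox of exactly that size with
 * sa_protocol PX_PROTO_OE.  Any existing binding is removed first.  For a
 * non-zero session id the named device is looked up in the socket's
 * namespace and must be up; the socket is then inserted into the session
 * hash and registered as a PPP channel.
 *
 * Returns 0 on success, or:
 *   -EINVAL    wrong address length or protocol
 *   -EBUSY     already connected and a session id was supplied
 *   -EALREADY  already dead and a disconnect was requested, or another
 *              socket already owns the same (sid, MAC, ifindex) tuple
 *   -ENODEV    the device does not exist or is not up
 *   or the error returned by ppp_register_net_channel().
 *
 * On every failure after the old binding was removed, the address tuple in
 * the socket is cleared.  pppoe_release() and the next pppoe_connect()
 * remove hash entries by tuple rather than by pointer, so a tuple left
 * behind by a failed insert (which by definition equals the tuple of the
 * socket that already owns the entry) would make them unlink that other
 * socket's session.
 */
static int pppoe_connect(struct socket *sock, struct sockaddr_unsized *uservaddr,
			 int sockaddr_len, int flags)
{
	struct sock *sk = sock->sk;
	struct sockaddr_pppox *sp = (struct sockaddr_pppox *)uservaddr;
	struct pppox_sock *po = pppox_sk(sk);
	struct net_device *dev = NULL;
	struct pppoe_net *pn;
	struct net *net = NULL;
	int error;

	lock_sock(sk);

	error = -EINVAL;

	if (sockaddr_len != sizeof(struct sockaddr_pppox))
		goto end;

	if (sp->sa_protocol != PX_PROTO_OE)
		goto end;

	/* Check for already bound sockets */
	error = -EBUSY;
	if ((sk->sk_state & PPPOX_CONNECTED) &&
	     stage_session(sp->sa_addr.pppoe.sid))
		goto end;

	/* Check for already disconnected sockets, on attempts to disconnect */
	error = -EALREADY;
	if ((sk->sk_state & PPPOX_DEAD) &&
	     !stage_session(sp->sa_addr.pppoe.sid))
		goto end;

	error = 0;

	/* Delete the old binding */
	if (stage_session(po->pppoe_pa.sid)) {
		pppox_unbind_sock(sk);
		pn = pppoe_pernet(sock_net(sk));
		delete_item(pn, po->pppoe_pa.sid,
			    po->pppoe_pa.remote, po->pppoe_ifindex);
		if (po->pppoe_dev) {
			dev_put(po->pppoe_dev);
			po->pppoe_dev = NULL;
		}

		po->pppoe_ifindex = 0;
		memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa));
		memset(&po->chan, 0, sizeof(po->chan));
		po->next = NULL;
		po->num = 0;

		sk->sk_state = PPPOX_NONE;
	}

	/* Re-bind in session stage only */
	if (stage_session(sp->sa_addr.pppoe.sid)) {
		error = -ENODEV;
		net = sock_net(sk);
		dev = dev_get_by_name(net, sp->sa_addr.pppoe.dev);
		if (!dev)
			goto err_put;

		po->pppoe_dev = dev;
		po->pppoe_ifindex = dev->ifindex;
		pn = pppoe_pernet(net);
		if (!(dev->flags & IFF_UP)) {
			goto err_put;
		}

		memcpy(&po->pppoe_pa,
		       &sp->sa_addr.pppoe,
		       sizeof(struct pppoe_addr));

		spin_lock(&pn->hash_lock);
		error = __set_item(pn, po);
		spin_unlock(&pn->hash_lock);
		if (error < 0)
			goto err_put;

		po->chan.hdrlen = (sizeof(struct pppoe_hdr) +
				   dev->hard_header_len);

		po->chan.mtu = dev->mtu - sizeof(struct pppoe_hdr) - 2;
		po->chan.private = sk;
		po->chan.ops = &pppoe_chan_ops;
		po->chan.direct_xmit = true;

		error = ppp_register_net_channel(dev_net(dev), &po->chan);
		if (error) {
			delete_item(pn, po->pppoe_pa.sid,
				    po->pppoe_pa.remote, po->pppoe_ifindex);
			goto err_put;
		}

		sk->sk_state = PPPOX_CONNECTED;
	}

	po->num = sp->sa_addr.pppoe.sid;

end:
	release_sock(sk);
	return error;
err_put:
	if (po->pppoe_dev) {
		dev_put(po->pppoe_dev);
		po->pppoe_dev = NULL;
	}

	/* This socket is not in the hash table on any path that gets here:
	 * it was either never inserted or has just been removed again.
	 * Forget the tuple so that a later tuple-keyed delete_item() cannot
	 * hit the entry of whichever socket really owns it.
	 */
	po->pppoe_ifindex = 0;
	memset(&po->pppoe_pa, 0, sizeof(po->pppoe_pa));
	goto end;
}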
697 
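/*
 * getname(): report the socket's PPPoE address in @uaddr.
 *
 * @peer is ignored; the same address is returned for both directions.
 * Returns the number of bytes written, sizeof(struct sockaddr_pppox).
 */
static int pppoe_getname(struct socket *sock, struct sockaddr *uaddr,
		  int peer)
{
	int len = sizeof(struct sockaddr_pppox);
	struct sockaddr_pppox sp;

	/* The whole structure is copied out below, but only two fields and
	 * the pppoe member of sa_addr are assigned.  Zero it first so the
	 * copy can never carry uninitialised stack bytes, whatever the
	 * layout of struct sockaddr_pppox turns out to be.
	 */
	memset(&sp, 0, sizeof(sp));

	sp.sa_family	= AF_PPPOX;
	sp.sa_protocol	= PX_PROTO_OE;
	memcpy(&sp.sa_addr.pppoe, &pppox_sk(sock->sk)->pppoe_pa,
	       sizeof(struct pppoe_addr));

	memcpy(uaddr, &sp, len);

	return len;
}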
713 
/*
 * PPPoE-specific ioctls (installed as pppoe_proto.ioctl).
 *
 *   PPPIOCGMRU    write device MTU minus PPPoE and PPP header sizes to user
 *                 space; -ENXIO unless connected
 *   PPPIOCSMRU    accept a value below that limit, else -EINVAL; nothing
 *                 is stored; -ENXIO unless connected
 *   PPPIOCSFLAGS  read and discard the user value
 *   anything else -ENOTTY
 *
 * -EFAULT is returned when the user pointer cannot be accessed.
 *
 * NOTE(review): this function takes no lock before it dereferences
 * po->pppoe_dev, while pppoe_flush_dev() clears that pointer under the
 * socket lock.  Presumably the caller already holds the socket lock -
 * confirm at the call site.
 * NOTE(review): the limit is computed with sizeof(), hence in an unsigned
 * type, so a negative value is rejected; an MTU smaller than the two
 * headers would wrap the limit around - confirm that cannot occur.
 */
static int pppoe_ioctl(struct socket *sock, unsigned int cmd,
		unsigned long arg)
{
	struct sock *sk = sock->sk;
	struct pppox_sock *po = pppox_sk(sk);
	int val;

	switch (cmd) {
	case PPPIOCGMRU:
		if (!(sk->sk_state & PPPOX_CONNECTED))
			return -ENXIO;

		if (put_user(po->pppoe_dev->mtu -
			     sizeof(struct pppoe_hdr) -
			     PPP_HDRLEN,
			     (int __user *)arg))
			return -EFAULT;
		return 0;

	case PPPIOCSMRU:
		if (!(sk->sk_state & PPPOX_CONNECTED))
			return -ENXIO;

		if (get_user(val, (int __user *)arg))
			return -EFAULT;

		if (val < (po->pppoe_dev->mtu
			   - sizeof(struct pppoe_hdr)
			   - PPP_HDRLEN))
			return 0;
		return -EINVAL;

	case PPPIOCSFLAGS:
		if (get_user(val, (int __user *)arg))
			return -EFAULT;
		return 0;

	default:
		return -ENOTTY;
	}
}
767 
/*
 * sendmsg(): wrap @total_len bytes of user data in a PPPoE session header
 * and an Ethernet header, then queue the frame on the bound device.
 *
 * Runs under the socket lock.  Returns @total_len on success, or:
 *   -ENOTCONN  socket is dead or not connected
 *   -EMSGSIZE  @total_len exceeds device MTU plus hard header length
 *   -ENOMEM    no skb could be allocated
 *   or the error from memcpy_from_msg().
 */
static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
			 size_t total_len)
{
	struct sk_buff *skb;
	struct sock *sk = sock->sk;
	struct pppox_sock *po = pppox_sk(sk);
	int error;
	struct pppoe_hdr hdr;
	struct pppoe_hdr *ph;
	struct net_device *dev;
	char *start;
	int hlen;

	lock_sock(sk);
	if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) {
		error = -ENOTCONN;
		goto end;
	}

	/* Session header template: version 1, type 1, code 0. */
	hdr.ver = 1;
	hdr.type = 1;
	hdr.code = 0;
	hdr.sid = po->num;

	dev = po->pppoe_dev;

	/* NOTE(review): this is the only bound on total_len, which is later
	 * stored in the 16-bit header length field and in an int return
	 * value - confirm the device limits keep it within 0xFFFF.
	 */
	error = -EMSGSIZE;
	if (total_len > (dev->mtu + dev->hard_header_len))
		goto end;

	hlen = LL_RESERVED_SPACE(dev);
	skb = sock_wmalloc(sk, hlen + sizeof(*ph) + total_len +
			   dev->needed_tailroom, 0, GFP_KERNEL);
	if (!skb) {
		error = -ENOMEM;
		goto end;
	}

	/* Reserve space for headers. */
	skb_reserve(skb, hlen);
	skb_reset_network_header(skb);

	skb->dev = dev;

	skb->priority = READ_ONCE(sk->sk_priority);
	skb->protocol = cpu_to_be16(ETH_P_PPP_SES);

	/* The payload goes directly behind the PPPoE header. */
	ph = skb_put(skb, total_len + sizeof(struct pppoe_hdr));
	start = (char *)ph + sizeof(*ph);

	error = memcpy_from_msg(start, m, total_len);
	if (error < 0) {
		kfree_skb(skb);
		goto end;
	}

	error = total_len;
	dev_hard_header(skb, dev, ETH_P_PPP_SES,
			po->pppoe_pa.remote, NULL, total_len);

	memcpy(ph, &hdr, sizeof(struct pppoe_hdr));

	ph->length = htons(total_len);

	/* The return value of dev_queue_xmit() is not checked. */
	dev_queue_xmit(skb);

end:
	release_sock(sk);
	return error;
}
838 
839 /************************************************************************
840  *
841  * xmit function for internal use.
842  *
843  ***********************************************************************/
/*
 * Prepend PPPoE and Ethernet headers to @skb and queue it on the session's
 * device.
 *
 * Returns 1 on every path.  On the abort path (socket dead or not
 * connected, no device, or no room for the header) the skb is freed;
 * otherwise it is passed to dev_queue_xmit().
 */
static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
{
	struct pppox_sock *po = pppox_sk(sk);
	struct net_device *dev = po->pppoe_dev;
	struct pppoe_hdr *ph;
	/* Payload length, captured before any header is pushed. */
	int data_len = skb->len;

	/* The higher-level PPP code (ppp_unregister_channel()) ensures the PPP
	 * xmit operations conclude prior to an unregistration call.  Thus
	 * sk->sk_state cannot change, so we don't need to do lock_sock().
	 * But, we also can't do a lock_sock since that introduces a potential
	 * deadlock as we'd reverse the lock ordering used when calling
	 * ppp_unregister_channel().
	 */

	if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
		goto abort;

	/* po->pppoe_dev was read once above without the socket lock. */
	if (!dev)
		goto abort;

	/* Copy the data if there is no space for the header or if it's
	 * read-only.
	 */
	if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph)))
		goto abort;

	__skb_push(skb, sizeof(*ph));
	skb_reset_network_header(skb);

	ph = pppoe_hdr(skb);
	ph->ver	= 1;
	ph->type = 1;
	ph->code = 0;
	ph->sid	= po->num;
	/* NOTE(review): the length field is 16 bits wide; presumably the
	 * channel MTU keeps data_len below 0x10000 - confirm.
	 */
	ph->length = htons(data_len);

	skb->protocol = cpu_to_be16(ETH_P_PPP_SES);
	skb->dev = dev;

	dev_hard_header(skb, dev, ETH_P_PPP_SES,
			po->pppoe_pa.remote, NULL, data_len);

	dev_queue_xmit(skb);
	return 1;

abort:
	kfree_skb(skb);
	return 1;
}
894 
895 /************************************************************************
896  *
897  * xmit function called by generic PPP driver
898  * sends PPP frame over PPPoE socket
899  *
900  ***********************************************************************/
/*
 * start_xmit hook of the PPP channel: the channel's private pointer is the
 * socket, so forward the frame to __pppoe_xmit() for it.
 */
static int pppoe_xmit(struct ppp_channel *chan, struct sk_buff *skb)
{
	return __pppoe_xmit(chan->private, skb);
}
906 
/*
 * fill_forward_path hook of the PPP channel: describe the PPPoE
 * encapsulation step in @path and advance @ctx to the underlying device.
 *
 * Returns 0 on success, or -1 when the socket is dead, not connected, or
 * has no device.
 */
static int pppoe_fill_forward_path(struct net_device_path_ctx *ctx,
				   struct net_device_path *path,
				   const struct ppp_channel *chan)
{
	struct sock *sk = chan->private;
	struct pppox_sock *po = pppox_sk(sk);
	struct net_device *lower = po->pppoe_dev;

	if (sock_flag(sk, SOCK_DEAD))
		return -1;
	if (!(sk->sk_state & PPPOX_CONNECTED))
		return -1;
	if (!lower)
		return -1;

	path->type = DEV_PATH_PPPOE;
	path->encap.proto = htons(ETH_P_PPP_SES);
	path->encap.id = be16_to_cpu(po->num);
	memcpy(path->encap.h_dest, po->pppoe_pa.remote, ETH_ALEN);
	memcpy(ctx->daddr, po->pppoe_pa.remote, ETH_ALEN);

	/* Record the device seen so far, then step down to the lower device. */
	path->dev = ctx->dev;
	ctx->dev = lower;

	return 0;
}
929 
/* Channel operations installed on po->chan by pppoe_connect(). */
static const struct ppp_channel_ops pppoe_chan_ops = {
	.start_xmit = pppoe_xmit,
	.fill_forward_path = pppoe_fill_forward_path,
};
934 
/*
 * recvmsg(): hand one queued frame to user space.
 *
 * A socket in state PPPOX_BOUND cannot be read and yields -EIO.  At most
 * @total_len bytes of the frame are copied; the skb is released afterwards
 * either way.
 *
 * Returns the number of bytes copied, or a negative error.
 */
static int pppoe_recvmsg(struct socket *sock, struct msghdr *m,
			 size_t total_len, int flags)
{
	struct sock *sk = sock->sk;
	struct sk_buff *skb;
	int error = 0;

	if (sk->sk_state & PPPOX_BOUND)
		return -EIO;

	skb = skb_recv_datagram(sk, flags, &error);
	if (!skb)
		return error;

	/* Never copy more than the frame actually holds. */
	total_len = min_t(size_t, total_len, skb->len);
	error = skb_copy_datagram_msg(skb, 0, m, total_len);
	if (error) {
		kfree_skb(skb);
		return error;
	}

	consume_skb(skb);
	return total_len;
}
959 
960 #ifdef CONFIG_PROC_FS
/*
 * seq_file show callback: print the column header for the start token, or
 * one line with session id, remote MAC and device name for a socket.
 * Always returns 0.
 */
static int pppoe_seq_show(struct seq_file *seq, void *v)
{
	struct pppox_sock *po = v;

	if (v == SEQ_START_TOKEN) {
		seq_puts(seq, "Id       Address              Device\n");
		return 0;
	}

	seq_printf(seq, "%08X %pM %8s\n",
		po->pppoe_pa.sid, po->pppoe_pa.remote, po->pppoe_pa.dev);

	return 0;
}
979 
/*
 * Return the socket at zero-based position @pos when all hash chains are
 * walked in bucket order, or NULL when the table holds fewer entries.
 * The walk uses rcu_dereference(), so the caller must be inside an RCU
 * read-side section.
 */
static inline struct pppox_sock *pppoe_get_idx(struct pppoe_net *pn, loff_t pos)
{
	struct pppox_sock *po;
	int bucket;

	for (bucket = 0; bucket < PPPOE_HASH_SIZE; bucket++) {
		for (po = rcu_dereference(pn->hash_table[bucket]); po;
		     po = rcu_dereference(po->next)) {
			if (pos == 0)
				return po;
			pos--;
		}
	}

	return NULL;
}
997 
/*
 * seq_file start callback: enter the RCU read-side section that
 * pppoe_seq_stop() leaves.  Position 0 yields the header token; position
 * n > 0 yields the socket at index n - 1.
 */
static void *pppoe_seq_start(struct seq_file *seq, loff_t *pos)
	__acquires(RCU)
{
	struct pppoe_net *pn = pppoe_pernet(seq_file_net(seq));
	loff_t idx = *pos;

	rcu_read_lock();

	if (idx == 0)
		return SEQ_START_TOKEN;

	return pppoe_get_idx(pn, idx - 1);
}
1007 
/*
 * seq_file next callback: advance *pos and return the entry after @v.
 *
 * After the header token comes the first socket in the table.  After a
 * socket comes the next one in its chain or, at the end of a chain, the
 * head of the next non-empty bucket.  Returns NULL at the end of the table.
 */
static void *pppoe_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
	struct pppoe_net *pn = pppoe_pernet(seq_file_net(seq));
	struct pppox_sock *po, *next;
	int hash;

	++*pos;

	if (v == SEQ_START_TOKEN)
		return pppoe_get_idx(pn, 0);

	po = v;
	next = rcu_dereference(po->next);
	if (next)
		return next;

	/* End of this chain: continue with the buckets that follow it. */
	hash = hash_item(po->pppoe_pa.sid, po->pppoe_pa.remote);
	for (hash++; hash < PPPOE_HASH_SIZE; hash++) {
		next = rcu_dereference(pn->hash_table[hash]);
		if (next)
			return next;
	}

	return NULL;
}
1036 
/* seq_file stop callback: leave the RCU read-side section entered in pppoe_seq_start(). */
static void pppoe_seq_stop(struct seq_file *seq, void *v)
	__releases(RCU)
{
	rcu_read_unlock();
}
1042 
/* seq_file iterator behind the per-namespace "pppoe" proc entry. */
static const struct seq_operations pppoe_seq_ops = {
	.start		= pppoe_seq_start,
	.next		= pppoe_seq_next,
	.stop		= pppoe_seq_stop,
	.show		= pppoe_seq_show,
};
1049 #endif /* CONFIG_PROC_FS */
1050 
/*
 * Socket operations for PPPoE sockets.  bind, socketpair, accept, listen,
 * shutdown and mmap use the generic sock_no_*() handlers; ioctls go through
 * pppox_ioctl().
 */
static const struct proto_ops pppoe_ops = {
	.family		= AF_PPPOX,
	.owner		= THIS_MODULE,
	.release	= pppoe_release,
	.bind		= sock_no_bind,
	.connect	= pppoe_connect,
	.socketpair	= sock_no_socketpair,
	.accept		= sock_no_accept,
	.getname	= pppoe_getname,
	.poll		= datagram_poll,
	.listen		= sock_no_listen,
	.shutdown	= sock_no_shutdown,
	.sendmsg	= pppoe_sendmsg,
	.recvmsg	= pppoe_recvmsg,
	.mmap		= sock_no_mmap,
	.ioctl		= pppox_ioctl,
#ifdef CONFIG_COMPAT
	.compat_ioctl	= pppox_compat_ioctl,
#endif
};
1071 
/* PPPoX protocol descriptor: socket creation and the PPPoE-specific ioctl handler. */
static const struct pppox_proto pppoe_proto = {
	.create	= pppoe_create,
	.ioctl	= pppoe_ioctl,
	.owner	= THIS_MODULE,
};
1077 
/*
 * Per-namespace init: set up the hash lock and create the read-only (0444)
 * "pppoe" proc entry.
 *
 * Returns 0, or -ENOMEM when CONFIG_PROC_FS is enabled and the entry could
 * not be created.
 */
static __net_init int pppoe_init_net(struct net *net)
{
	struct pppoe_net *pn = pppoe_pernet(net);
	struct proc_dir_entry *pde;

	spin_lock_init(&pn->hash_lock);

	pde = proc_create_net("pppoe", 0444, net->proc_net,
			&pppoe_seq_ops, sizeof(struct seq_net_private));
	/* The result is only checked when procfs is built in. */
#ifdef CONFIG_PROC_FS
	if (!pde)
		return -ENOMEM;
#endif

	return 0;
}
1094 
/* Per-namespace exit: remove the "pppoe" proc entry created by pppoe_init_net(). */
static __net_exit void pppoe_exit_net(struct net *net)
{
	remove_proc_entry("pppoe", net->proc_net);
}
1099 
/*
 * Per-namespace registration: .size asks for one struct pppoe_net per
 * namespace, and .id points at pppoe_net_id, the key pppoe_pernet() uses.
 */
static struct pernet_operations pppoe_net_ops = {
	.init = pppoe_init_net,
	.exit = pppoe_exit_net,
	.id   = &pppoe_net_id,
	.size = sizeof(struct pppoe_net),
};
1106 
/*
 * Compare two PPPoE session headers for GRO flow matching.
 *
 * Returns 0 when the session ids and the 16-bit PPP protocol fields that
 * follow each header are equal, non-zero otherwise.  Both headers must be
 * followed by at least two readable bytes.
 */
static u16
compare_pppoe_header(const struct pppoe_hdr *phdr,
		     const struct pppoe_hdr *phdr2)
{
	const __be16 *proto_a = (const __be16 *)(phdr + 1);
	const __be16 *proto_b = (const __be16 *)(phdr2 + 1);
	__be16 sid_diff = phdr->sid ^ phdr2->sid;
	__be16 proto_diff = *proto_a ^ *proto_b;

	return (__force u16)(sid_diff | proto_diff);
}
1116 
/*
 * Translate the PPP protocol field that follows a PPPoE header into an
 * Ethernet protocol number: PPP_IP becomes ETH_P_IP and, when IPv6 is
 * enabled, PPP_IPV6 becomes ETH_P_IPV6.  Any other protocol yields 0.
 */
static __be16 pppoe_hdr_proto(const struct pppoe_hdr *phdr)
{
	const __be16 *field = (const __be16 *)(phdr + 1);
	__be16 proto = *field;

	if (proto == cpu_to_be16(PPP_IP))
		return cpu_to_be16(ETH_P_IP);
#if IS_ENABLED(CONFIG_IPV6)
	if (proto == cpu_to_be16(PPP_IPV6))
		return cpu_to_be16(ETH_P_IPV6);
#endif
	return 0;
}
1132 
/*
 * GRO receive callback for PPPoE session frames.
 *
 * A frame is passed on to the inner protocol's GRO handler only when its
 * header is a plain session header, its length field matches the received
 * length exactly, and a GRO handler exists for the inner protocol.  Every
 * other frame leaves through "out" with flush still set to 1.
 *
 * Returns whatever the inner handler returns, or NULL.
 */
static struct sk_buff *pppoe_gro_receive(struct list_head *head,
					 struct sk_buff *skb)
{
	const struct packet_offload *ptype;
	unsigned int hlen, off_pppoe;
	const struct pppoe_hdr *phdr;
	struct sk_buff *pp = NULL;
	struct sk_buff *p;
	int flush = 1;
	__be16 type;

	/* Request PPPOE_SES_HLEN bytes of header starting at the GRO offset. */
	off_pppoe = skb_gro_offset(skb);
	hlen = off_pppoe + PPPOE_SES_HLEN;
	phdr = skb_gro_header(skb, hlen, off_pppoe);
	if (unlikely(!phdr))
		goto out;

	/* filter for session packets (type:1, ver:1, code:0) */
	if (*(const __be16 *)phdr != cpu_to_be16(0x1100))
		goto out;

	/* ignore packets with padding or invalid length */
	if (skb_gro_len(skb) != be16_to_cpu(phdr->length) + sizeof(*phdr))
		goto out;

	type = pppoe_hdr_proto(phdr);
	ptype = gro_find_receive_by_type(type);
	if (!ptype)
		goto out;

	flush = 0;

	/* Held packets whose session id or PPP protocol differ are a different flow. */
	list_for_each_entry(p, head, list) {
		const struct pppoe_hdr *phdr2;

		if (!NAPI_GRO_CB(p)->same_flow)
			continue;

		phdr2 = (const struct pppoe_hdr *)(p->data + off_pppoe);
		if (compare_pppoe_header(phdr, phdr2))
			NAPI_GRO_CB(p)->same_flow = 0;
	}

	/* Step over the PPPoE header and the PPP protocol field. */
	skb_gro_pull(skb, PPPOE_SES_HLEN);
	skb_gro_postpull_rcsum(skb, phdr, PPPOE_SES_HLEN);

	pp = indirect_call_gro_receive_inet(ptype->callbacks.gro_receive,
					    ipv6_gro_receive, inet_gro_receive,
					    head, skb);

out:
	skb_gro_flush_final(skb, pp, flush);

	return pp;
}
1188 
/*
 * GRO complete callback for PPPoE session frames.
 *
 * Rewrites the PPPoE length field of the merged packet, whose PPPoE
 * header sits at skb->data + @nhoff, and then calls the inner protocol's
 * gro_complete callback at the offset just past the PPPoE session header.
 * The length field is 16 bits wide, so the computed length is capped at
 * 0xFFFF before being stored.
 *
 * Returns -ENOENT when no offload is found for the inner protocol,
 * otherwise the inner callback's return value.
 */
static int pppoe_gro_complete(struct sk_buff *skb, int nhoff)
{
	struct pppoe_hdr *phdr = (struct pppoe_hdr *)(skb->data + nhoff);
	struct packet_offload *inner;
	unsigned int payload_len;

	inner = gro_find_complete_by_type(pppoe_hdr_proto(phdr));
	if (inner == NULL)
		return -ENOENT;

	payload_len = skb->len - (nhoff + sizeof(*phdr));
	if (payload_len > 0xFFFFU)
		payload_len = 0xFFFFU;
	phdr->length = cpu_to_be16(payload_len);

	return INDIRECT_CALL_INET(inner->callbacks.gro_complete,
				  ipv6_gro_complete, inet_gro_complete,
				  skb, nhoff + PPPOE_SES_HLEN);
}
1208 
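/*
 * GSO segment callback for PPPoE session frames.
 *
 * Makes sure the PPPoE session header is in the linear area, pulls it,
 * lets the inner protocol's gso_segment callback split the payload and
 * then fixes up each resulting segment: PPPoE length field, network
 * header offset, skb->protocol and mac_len.
 *
 * Returns the segment list from the inner callback (which may be NULL or
 * an ERR_PTR), or ERR_PTR(-EINVAL) when the header cannot be pulled or no
 * usable inner offload exists.
 */
static struct sk_buff *pppoe_gso_segment(struct sk_buff *skb,
					 netdev_features_t features)
{
	struct sk_buff *segs = ERR_PTR(-EINVAL);
	struct packet_offload *ptype;
	struct pppoe_hdr *phdr;
	__be16 orig_type, type;
	int len, nhoff;

	skb_reset_network_header(skb);
	/* Offset of the PPPoE header from the MAC header, reused per segment. */
	nhoff = skb_network_header(skb) - skb_mac_header(skb);

	/* The header and the PPP protocol field must be linear before use. */
	if (unlikely(!pskb_may_pull(skb, PPPOE_SES_HLEN)))
		goto out;

	phdr = (struct pppoe_hdr *)skb_network_header(skb);
	type = pppoe_hdr_proto(phdr);
	ptype = gro_find_complete_by_type(type);
	/*
	 * The lookup above is a GRO helper.
	 * NOTE(review): presumably it does not guarantee that the offload
	 * also has a gso_segment callback, so check the pointer here rather
	 * than call through a possibly NULL function pointer.
	 */
	if (!ptype || !ptype->callbacks.gso_segment)
		goto out;

	orig_type = skb->protocol;
	__skb_pull(skb, PPPOE_SES_HLEN);
	features &= ~NETIF_F_GSO_SOFTWARE;
	segs = ptype->callbacks.gso_segment(skb, features);
	if (IS_ERR_OR_NULL(segs))
		goto out;

	skb = segs;
	do {
		/* Each segment carries a copy of the PPPoE header at nhoff. */
		phdr = (struct pppoe_hdr *)(skb_mac_header(skb) + nhoff);
		len = skb->len - (nhoff + sizeof(*phdr));
		phdr->length = cpu_to_be16(len);
		skb->network_header = (u8 *)phdr - skb->head;
		skb->protocol = orig_type;
		skb_reset_mac_len(skb);
	} while ((skb = skb->next));

out:
	return segs;
}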
1250 
/*
 * Offload descriptor for PPPoE session frames (ETH_P_PPP_SES), wiring up
 * the GRO and GSO callbacks of this file.  pppoe_init() registers it only
 * when CONFIG_INET is enabled.
 */
static struct packet_offload pppoe_packet_offload __read_mostly = {
	.type = cpu_to_be16(ETH_P_PPP_SES),
	.priority = 20,
	.callbacks = {
		.gso_segment = pppoe_gso_segment,
		.gro_receive = pppoe_gro_receive,
		.gro_complete = pppoe_gro_complete,
	},
};
1260 
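/*
 * Module init: registers the per-namespace operations, the socket
 * protocol, the PPPoX protocol handler, the packet offload (CONFIG_INET
 * only), both packet types and the netdevice notifier.
 *
 * Every step that reports an error is checked, and on failure the steps
 * already taken are undone in reverse order, mirroring pppoe_exit().
 *
 * Returns 0 on success or the error code of the failing registration.
 */
static int __init pppoe_init(void)
{
	int err;

	err = register_pernet_device(&pppoe_net_ops);
	if (err)
		goto out;

	err = proto_register(&pppoe_sk_proto, 0);
	if (err)
		goto out_unregister_net_ops;

	err = register_pppox_proto(PX_PROTO_OE, &pppoe_proto);
	if (err)
		goto out_unregister_pppoe_proto;

	if (IS_ENABLED(CONFIG_INET))
		dev_add_offload(&pppoe_packet_offload);
	dev_add_pack(&pppoes_ptype);
	dev_add_pack(&pppoed_ptype);

	/*
	 * Do not ignore a notifier registration failure: without the
	 * notifier the driver would not see device events at all, so fail
	 * the load and unwind instead.
	 */
	err = register_netdevice_notifier(&pppoe_notifier);
	if (err)
		goto out_remove_packs;

	return 0;

out_remove_packs:
	dev_remove_pack(&pppoed_ptype);
	dev_remove_pack(&pppoes_ptype);
	if (IS_ENABLED(CONFIG_INET))
		dev_remove_offload(&pppoe_packet_offload);
	unregister_pppox_proto(PX_PROTO_OE);
out_unregister_pppoe_proto:
	proto_unregister(&pppoe_sk_proto);
out_unregister_net_ops:
	unregister_pernet_device(&pppoe_net_ops);
out:
	return err;
}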
1292 
/*
 * Module exit: undoes the registrations made by pppoe_init() in reverse
 * order: notifier first, then the packet types and the offload, then the
 * protocol registrations, and the per-namespace operations last.
 */
static void __exit pppoe_exit(void)
{
	/* Stop receiving device events. */
	unregister_netdevice_notifier(&pppoe_notifier);

	/* Detach the discovery and session packet types, then the offload. */
	dev_remove_pack(&pppoed_ptype);
	dev_remove_pack(&pppoes_ptype);
	if (IS_ENABLED(CONFIG_INET))
		dev_remove_offload(&pppoe_packet_offload);

	/* Unregister the protocol registrations, then the per-net ops. */
	unregister_pppox_proto(PX_PROTO_OE);
	proto_unregister(&pppoe_sk_proto);
	unregister_pernet_device(&pppoe_net_ops);
}
1304 
/* Module entry and exit points. */
module_init(pppoe_init);
module_exit(pppoe_exit);

/* Module metadata. */
MODULE_AUTHOR("Michal Ostrowski <mostrows@speakeasy.net>");
MODULE_DESCRIPTION("PPP over Ethernet driver");
MODULE_LICENSE("GPL");
/* Alias for the PF_PPPOX / PX_PROTO_OE protocol pair. */
MODULE_ALIAS_NET_PF_PROTO(PF_PPPOX, PX_PROTO_OE);
1312