1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
22
23#include <linux/module.h>
24#include <linux/string.h>
25#include <linux/list.h>
26#include <linux/rculist.h>
27#include <linux/uaccess.h>
28
29#include <linux/kernel.h>
30#include <linux/spinlock.h>
31#include <linux/kthread.h>
32#include <linux/sched.h>
33#include <linux/slab.h>
34#include <linux/errno.h>
35#include <linux/jiffies.h>
36
37#include <linux/netdevice.h>
38#include <linux/net.h>
39#include <linux/inetdevice.h>
40#include <linux/skbuff.h>
41#include <linux/init.h>
42#include <linux/in.h>
43#include <linux/ip.h>
44#include <linux/udp.h>
45#include <linux/l2tp.h>
46#include <linux/hash.h>
47#include <linux/sort.h>
48#include <linux/file.h>
49#include <linux/nsproxy.h>
50#include <net/net_namespace.h>
51#include <net/netns/generic.h>
52#include <net/dst.h>
53#include <net/ip.h>
54#include <net/udp.h>
55#include <net/inet_common.h>
56#include <net/xfrm.h>
57#include <net/protocol.h>
58#include <net/inet6_connection_sock.h>
59#include <net/inet_ecn.h>
60#include <net/ip6_route.h>
61#include <net/ip6_checksum.h>
62
63#include <asm/byteorder.h>
64#include <linux/atomic.h>
65
66#include "l2tp_core.h"
67
68#define L2TP_DRV_VERSION "V2.0"
69
70
71#define L2TP_HDRFLAG_T 0x8000
72#define L2TP_HDRFLAG_L 0x4000
73#define L2TP_HDRFLAG_S 0x0800
74#define L2TP_HDRFLAG_O 0x0200
75#define L2TP_HDRFLAG_P 0x0100
76
77#define L2TP_HDR_VER_MASK 0x000F
78#define L2TP_HDR_VER_2 0x0002
79#define L2TP_HDR_VER_3 0x0003
80
81
82#define L2TP_SLFLAG_S 0x40000000
83#define L2TP_SL_SEQ_MASK 0x00ffffff
84
85#define L2TP_HDR_SIZE_SEQ 10
86#define L2TP_HDR_SIZE_NOSEQ 6
87
88
89#define L2TP_DEFAULT_DEBUG_FLAGS 0
90
91
92
93struct l2tp_skb_cb {
94 u32 ns;
95 u16 has_seq;
96 u16 length;
97 unsigned long expires;
98};
99
100#define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
101
102static atomic_t l2tp_tunnel_count;
103static atomic_t l2tp_session_count;
104static struct workqueue_struct *l2tp_wq;
105
106
107static unsigned int l2tp_net_id;
108struct l2tp_net {
109 struct list_head l2tp_tunnel_list;
110 spinlock_t l2tp_tunnel_list_lock;
111 struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
112 spinlock_t l2tp_session_hlist_lock;
113};
114
115static void l2tp_session_set_header_len(struct l2tp_session *session, int version);
116static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
117
118static inline struct l2tp_net *l2tp_pernet(struct net *net)
119{
120 BUG_ON(!net);
121
122 return net_generic(net, l2tp_net_id);
123}
124
125
126
127
128static inline void l2tp_tunnel_inc_refcount_1(struct l2tp_tunnel *tunnel)
129{
130 atomic_inc(&tunnel->ref_count);
131}
132
133static inline void l2tp_tunnel_dec_refcount_1(struct l2tp_tunnel *tunnel)
134{
135 if (atomic_dec_and_test(&tunnel->ref_count))
136 l2tp_tunnel_free(tunnel);
137}
138#ifdef L2TP_REFCNT_DEBUG
139#define l2tp_tunnel_inc_refcount(_t) \
140do { \
141 pr_debug("l2tp_tunnel_inc_refcount: %s:%d %s: cnt=%d\n", \
142 __func__, __LINE__, (_t)->name, \
143 atomic_read(&_t->ref_count)); \
144 l2tp_tunnel_inc_refcount_1(_t); \
145} while (0)
146#define l2tp_tunnel_dec_refcount(_t)
147do { \
148 pr_debug("l2tp_tunnel_dec_refcount: %s:%d %s: cnt=%d\n", \
149 __func__, __LINE__, (_t)->name, \
150 atomic_read(&_t->ref_count)); \
151 l2tp_tunnel_dec_refcount_1(_t); \
152} while (0)
153#else
154#define l2tp_tunnel_inc_refcount(t) l2tp_tunnel_inc_refcount_1(t)
155#define l2tp_tunnel_dec_refcount(t) l2tp_tunnel_dec_refcount_1(t)
156#endif
157
158
159
160
161
162
163static inline struct hlist_head *
164l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
165{
166 return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
167
168}
169
170
171
172
173
174struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
175{
176 int err = 0;
177 struct socket *sock = NULL;
178 struct sock *sk = NULL;
179
180 if (!tunnel)
181 goto out;
182
183 if (tunnel->fd >= 0) {
184
185
186
187
188 sock = sockfd_lookup(tunnel->fd, &err);
189 if (sock)
190 sk = sock->sk;
191 } else {
192
193 sk = tunnel->sock;
194 sock_hold(sk);
195 }
196
197out:
198 return sk;
199}
200EXPORT_SYMBOL_GPL(l2tp_tunnel_sock_lookup);
201
202
203void l2tp_tunnel_sock_put(struct sock *sk)
204{
205 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
206 if (tunnel) {
207 if (tunnel->fd >= 0) {
208
209 sockfd_put(sk->sk_socket);
210 }
211 sock_put(sk);
212 }
213 sock_put(sk);
214}
215EXPORT_SYMBOL_GPL(l2tp_tunnel_sock_put);
216
217
218
219static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
220{
221 struct l2tp_net *pn = l2tp_pernet(net);
222 struct hlist_head *session_list =
223 l2tp_session_id_hash_2(pn, session_id);
224 struct l2tp_session *session;
225
226 rcu_read_lock_bh();
227 hlist_for_each_entry_rcu(session, session_list, global_hlist) {
228 if (session->session_id == session_id) {
229 rcu_read_unlock_bh();
230 return session;
231 }
232 }
233 rcu_read_unlock_bh();
234
235 return NULL;
236}
237
238
239
240
241
242
243
244static inline struct hlist_head *
245l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
246{
247 return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
248}
249
250
251
252struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunnel, u32 session_id)
253{
254 struct hlist_head *session_list;
255 struct l2tp_session *session;
256
257
258
259
260
261 if (tunnel == NULL)
262 return l2tp_session_find_2(net, session_id);
263
264 session_list = l2tp_session_id_hash(tunnel, session_id);
265 read_lock_bh(&tunnel->hlist_lock);
266 hlist_for_each_entry(session, session_list, hlist) {
267 if (session->session_id == session_id) {
268 read_unlock_bh(&tunnel->hlist_lock);
269 return session;
270 }
271 }
272 read_unlock_bh(&tunnel->hlist_lock);
273
274 return NULL;
275}
276EXPORT_SYMBOL_GPL(l2tp_session_find);
277
278struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
279{
280 int hash;
281 struct l2tp_session *session;
282 int count = 0;
283
284 read_lock_bh(&tunnel->hlist_lock);
285 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
286 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
287 if (++count > nth) {
288 read_unlock_bh(&tunnel->hlist_lock);
289 return session;
290 }
291 }
292 }
293
294 read_unlock_bh(&tunnel->hlist_lock);
295
296 return NULL;
297}
298EXPORT_SYMBOL_GPL(l2tp_session_find_nth);
299
300
301
302
303struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
304{
305 struct l2tp_net *pn = l2tp_pernet(net);
306 int hash;
307 struct l2tp_session *session;
308
309 rcu_read_lock_bh();
310 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
311 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
312 if (!strcmp(session->ifname, ifname)) {
313 rcu_read_unlock_bh();
314 return session;
315 }
316 }
317 }
318
319 rcu_read_unlock_bh();
320
321 return NULL;
322}
323EXPORT_SYMBOL_GPL(l2tp_session_find_by_ifname);
324
325
326
327struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id)
328{
329 struct l2tp_tunnel *tunnel;
330 struct l2tp_net *pn = l2tp_pernet(net);
331
332 rcu_read_lock_bh();
333 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
334 if (tunnel->tunnel_id == tunnel_id) {
335 rcu_read_unlock_bh();
336 return tunnel;
337 }
338 }
339 rcu_read_unlock_bh();
340
341 return NULL;
342}
343EXPORT_SYMBOL_GPL(l2tp_tunnel_find);
344
345struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth)
346{
347 struct l2tp_net *pn = l2tp_pernet(net);
348 struct l2tp_tunnel *tunnel;
349 int count = 0;
350
351 rcu_read_lock_bh();
352 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
353 if (++count > nth) {
354 rcu_read_unlock_bh();
355 return tunnel;
356 }
357 }
358
359 rcu_read_unlock_bh();
360
361 return NULL;
362}
363EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
364
365
366
367
368
369
370
371
372static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
373{
374 struct sk_buff *skbp;
375 struct sk_buff *tmp;
376 u32 ns = L2TP_SKB_CB(skb)->ns;
377
378 spin_lock_bh(&session->reorder_q.lock);
379 skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
380 if (L2TP_SKB_CB(skbp)->ns > ns) {
381 __skb_queue_before(&session->reorder_q, skbp, skb);
382 l2tp_dbg(session, L2TP_MSG_SEQ,
383 "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
384 session->name, ns, L2TP_SKB_CB(skbp)->ns,
385 skb_queue_len(&session->reorder_q));
386 atomic_long_inc(&session->stats.rx_oos_packets);
387 goto out;
388 }
389 }
390
391 __skb_queue_tail(&session->reorder_q, skb);
392
393out:
394 spin_unlock_bh(&session->reorder_q.lock);
395}
396
397
398
399static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
400{
401 struct l2tp_tunnel *tunnel = session->tunnel;
402 int length = L2TP_SKB_CB(skb)->length;
403
404
405
406
407 skb_orphan(skb);
408
409 atomic_long_inc(&tunnel->stats.rx_packets);
410 atomic_long_add(length, &tunnel->stats.rx_bytes);
411 atomic_long_inc(&session->stats.rx_packets);
412 atomic_long_add(length, &session->stats.rx_bytes);
413
414 if (L2TP_SKB_CB(skb)->has_seq) {
415
416 session->nr++;
417 session->nr &= session->nr_max;
418
419 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
420 session->name, session->nr);
421 }
422
423
424 if (session->recv_skb != NULL)
425 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
426 else
427 kfree_skb(skb);
428
429 if (session->deref)
430 (*session->deref)(session);
431}
432
433
434
435
436static void l2tp_recv_dequeue(struct l2tp_session *session)
437{
438 struct sk_buff *skb;
439 struct sk_buff *tmp;
440
441
442
443
444
445start:
446 spin_lock_bh(&session->reorder_q.lock);
447 skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
448 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
449 atomic_long_inc(&session->stats.rx_seq_discards);
450 atomic_long_inc(&session->stats.rx_errors);
451 l2tp_dbg(session, L2TP_MSG_SEQ,
452 "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
453 session->name, L2TP_SKB_CB(skb)->ns,
454 L2TP_SKB_CB(skb)->length, session->nr,
455 skb_queue_len(&session->reorder_q));
456 session->reorder_skip = 1;
457 __skb_unlink(skb, &session->reorder_q);
458 kfree_skb(skb);
459 if (session->deref)
460 (*session->deref)(session);
461 continue;
462 }
463
464 if (L2TP_SKB_CB(skb)->has_seq) {
465 if (session->reorder_skip) {
466 l2tp_dbg(session, L2TP_MSG_SEQ,
467 "%s: advancing nr to next pkt: %u -> %u",
468 session->name, session->nr,
469 L2TP_SKB_CB(skb)->ns);
470 session->reorder_skip = 0;
471 session->nr = L2TP_SKB_CB(skb)->ns;
472 }
473 if (L2TP_SKB_CB(skb)->ns != session->nr) {
474 l2tp_dbg(session, L2TP_MSG_SEQ,
475 "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
476 session->name, L2TP_SKB_CB(skb)->ns,
477 L2TP_SKB_CB(skb)->length, session->nr,
478 skb_queue_len(&session->reorder_q));
479 goto out;
480 }
481 }
482 __skb_unlink(skb, &session->reorder_q);
483
484
485
486
487 spin_unlock_bh(&session->reorder_q.lock);
488 l2tp_recv_dequeue_skb(session, skb);
489 goto start;
490 }
491
492out:
493 spin_unlock_bh(&session->reorder_q.lock);
494}
495
496static inline int l2tp_verify_udp_checksum(struct sock *sk,
497 struct sk_buff *skb)
498{
499 struct udphdr *uh = udp_hdr(skb);
500 u16 ulen = ntohs(uh->len);
501 __wsum psum;
502
503 if (sk->sk_no_check || skb_csum_unnecessary(skb))
504 return 0;
505
506#if IS_ENABLED(CONFIG_IPV6)
507 if (sk->sk_family == PF_INET6) {
508 if (!uh->check) {
509 LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
510 return 1;
511 }
512 if ((skb->ip_summed == CHECKSUM_COMPLETE) &&
513 !csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
514 &ipv6_hdr(skb)->daddr, ulen,
515 IPPROTO_UDP, skb->csum)) {
516 skb->ip_summed = CHECKSUM_UNNECESSARY;
517 return 0;
518 }
519 skb->csum = ~csum_unfold(csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
520 &ipv6_hdr(skb)->daddr,
521 skb->len, IPPROTO_UDP,
522 0));
523 } else
524#endif
525 {
526 struct inet_sock *inet;
527 if (!uh->check)
528 return 0;
529 inet = inet_sk(sk);
530 psum = csum_tcpudp_nofold(inet->inet_saddr, inet->inet_daddr,
531 ulen, IPPROTO_UDP, 0);
532
533 if ((skb->ip_summed == CHECKSUM_COMPLETE) &&
534 !csum_fold(csum_add(psum, skb->csum)))
535 return 0;
536 skb->csum = psum;
537 }
538
539 return __skb_checksum_complete(skb);
540}
541
542static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
543{
544 u32 nws;
545
546 if (nr >= session->nr)
547 nws = nr - session->nr;
548 else
549 nws = (session->nr_max + 1) - (session->nr - nr);
550
551 return nws < session->nr_window_size;
552}
553
554
555
556
557static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
558{
559 if (!l2tp_seq_check_rx_window(session, L2TP_SKB_CB(skb)->ns)) {
560
561
562
563 l2tp_dbg(session, L2TP_MSG_SEQ,
564 "%s: pkt %u len %d discarded, outside window, nr=%u\n",
565 session->name, L2TP_SKB_CB(skb)->ns,
566 L2TP_SKB_CB(skb)->length, session->nr);
567 goto discard;
568 }
569
570 if (session->reorder_timeout != 0) {
571
572
573
574 l2tp_recv_queue_skb(session, skb);
575 goto out;
576 }
577
578
579
580
581
582
583 if (L2TP_SKB_CB(skb)->ns == session->nr) {
584 skb_queue_tail(&session->reorder_q, skb);
585 } else {
586 u32 nr_oos = L2TP_SKB_CB(skb)->ns;
587 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
588
589 if (nr_oos == nr_next)
590 session->nr_oos_count++;
591 else
592 session->nr_oos_count = 0;
593
594 session->nr_oos = nr_oos;
595 if (session->nr_oos_count > session->nr_oos_count_max) {
596 session->reorder_skip = 1;
597 l2tp_dbg(session, L2TP_MSG_SEQ,
598 "%s: %d oos packets received. Resetting sequence numbers\n",
599 session->name, session->nr_oos_count);
600 }
601 if (!session->reorder_skip) {
602 atomic_long_inc(&session->stats.rx_seq_discards);
603 l2tp_dbg(session, L2TP_MSG_SEQ,
604 "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
605 session->name, L2TP_SKB_CB(skb)->ns,
606 L2TP_SKB_CB(skb)->length, session->nr,
607 skb_queue_len(&session->reorder_q));
608 goto discard;
609 }
610 skb_queue_tail(&session->reorder_q, skb);
611 }
612
613out:
614 return 0;
615
616discard:
617 return 1;
618}
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
681 unsigned char *ptr, unsigned char *optr, u16 hdrflags,
682 int length, int (*payload_hook)(struct sk_buff *skb))
683{
684 struct l2tp_tunnel *tunnel = session->tunnel;
685 int offset;
686 u32 ns, nr;
687
688
689
690
691
692 l2tp_session_inc_refcount(session);
693 if (session->ref)
694 (*session->ref)(session);
695
696
697 if (session->peer_cookie_len > 0) {
698 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
699 l2tp_info(tunnel, L2TP_MSG_DATA,
700 "%s: cookie mismatch (%u/%u). Discarding.\n",
701 tunnel->name, tunnel->tunnel_id,
702 session->session_id);
703 atomic_long_inc(&session->stats.rx_cookie_discards);
704 goto discard;
705 }
706 ptr += session->peer_cookie_len;
707 }
708
709
710
711
712
713
714
715
716 ns = nr = 0;
717 L2TP_SKB_CB(skb)->has_seq = 0;
718 if (tunnel->version == L2TP_HDR_VER_2) {
719 if (hdrflags & L2TP_HDRFLAG_S) {
720 ns = ntohs(*(__be16 *) ptr);
721 ptr += 2;
722 nr = ntohs(*(__be16 *) ptr);
723 ptr += 2;
724
725
726 L2TP_SKB_CB(skb)->ns = ns;
727 L2TP_SKB_CB(skb)->has_seq = 1;
728
729 l2tp_dbg(session, L2TP_MSG_SEQ,
730 "%s: recv data ns=%u, nr=%u, session nr=%u\n",
731 session->name, ns, nr, session->nr);
732 }
733 } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
734 u32 l2h = ntohl(*(__be32 *) ptr);
735
736 if (l2h & 0x40000000) {
737 ns = l2h & 0x00ffffff;
738
739
740 L2TP_SKB_CB(skb)->ns = ns;
741 L2TP_SKB_CB(skb)->has_seq = 1;
742
743 l2tp_dbg(session, L2TP_MSG_SEQ,
744 "%s: recv data ns=%u, session nr=%u\n",
745 session->name, ns, session->nr);
746 }
747 }
748
749
750 ptr += session->l2specific_len;
751
752 if (L2TP_SKB_CB(skb)->has_seq) {
753
754
755
756
757 if ((!session->lns_mode) && (!session->send_seq)) {
758 l2tp_info(session, L2TP_MSG_SEQ,
759 "%s: requested to enable seq numbers by LNS\n",
760 session->name);
761 session->send_seq = -1;
762 l2tp_session_set_header_len(session, tunnel->version);
763 }
764 } else {
765
766
767
768 if (session->recv_seq) {
769 l2tp_warn(session, L2TP_MSG_SEQ,
770 "%s: recv data has no seq numbers when required. Discarding.\n",
771 session->name);
772 atomic_long_inc(&session->stats.rx_seq_discards);
773 goto discard;
774 }
775
776
777
778
779
780
781 if ((!session->lns_mode) && (session->send_seq)) {
782 l2tp_info(session, L2TP_MSG_SEQ,
783 "%s: requested to disable seq numbers by LNS\n",
784 session->name);
785 session->send_seq = 0;
786 l2tp_session_set_header_len(session, tunnel->version);
787 } else if (session->send_seq) {
788 l2tp_warn(session, L2TP_MSG_SEQ,
789 "%s: recv data has no seq numbers when required. Discarding.\n",
790 session->name);
791 atomic_long_inc(&session->stats.rx_seq_discards);
792 goto discard;
793 }
794 }
795
796
797
798
799
800
801 if (tunnel->version == L2TP_HDR_VER_2) {
802
803 if (hdrflags & L2TP_HDRFLAG_O) {
804 offset = ntohs(*(__be16 *)ptr);
805 ptr += 2 + offset;
806 }
807 } else
808 ptr += session->offset;
809
810 offset = ptr - optr;
811 if (!pskb_may_pull(skb, offset))
812 goto discard;
813
814 __skb_pull(skb, offset);
815
816
817
818
819 if (payload_hook)
820 if ((*payload_hook)(skb))
821 goto discard;
822
823
824
825
826
827 L2TP_SKB_CB(skb)->length = length;
828 L2TP_SKB_CB(skb)->expires = jiffies +
829 (session->reorder_timeout ? session->reorder_timeout : HZ);
830
831
832
833
834 if (L2TP_SKB_CB(skb)->has_seq) {
835 if (l2tp_recv_data_seq(session, skb))
836 goto discard;
837 } else {
838
839
840
841
842 skb_queue_tail(&session->reorder_q, skb);
843 }
844
845
846 l2tp_recv_dequeue(session);
847
848 l2tp_session_dec_refcount(session);
849
850 return;
851
852discard:
853 atomic_long_inc(&session->stats.rx_errors);
854 kfree_skb(skb);
855
856 if (session->deref)
857 (*session->deref)(session);
858
859 l2tp_session_dec_refcount(session);
860}
861EXPORT_SYMBOL(l2tp_recv_common);
862
863
864
865int l2tp_session_queue_purge(struct l2tp_session *session)
866{
867 struct sk_buff *skb = NULL;
868 BUG_ON(!session);
869 BUG_ON(session->magic != L2TP_SESSION_MAGIC);
870 while ((skb = skb_dequeue(&session->reorder_q))) {
871 atomic_long_inc(&session->stats.rx_errors);
872 kfree_skb(skb);
873 if (session->deref)
874 (*session->deref)(session);
875 }
876 return 0;
877}
878EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
879
880
881
882
883
884
885
886static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
887 int (*payload_hook)(struct sk_buff *skb))
888{
889 struct l2tp_session *session = NULL;
890 unsigned char *ptr, *optr;
891 u16 hdrflags;
892 u32 tunnel_id, session_id;
893 u16 version;
894 int length;
895
896 if (tunnel->sock && l2tp_verify_udp_checksum(tunnel->sock, skb))
897 goto discard_bad_csum;
898
899
900 __skb_pull(skb, sizeof(struct udphdr));
901
902
903 if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
904 l2tp_info(tunnel, L2TP_MSG_DATA,
905 "%s: recv short packet (len=%d)\n",
906 tunnel->name, skb->len);
907 goto error;
908 }
909
910
911 if (tunnel->debug & L2TP_MSG_DATA) {
912 length = min(32u, skb->len);
913 if (!pskb_may_pull(skb, length))
914 goto error;
915
916 pr_debug("%s: recv\n", tunnel->name);
917 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
918 }
919
920
921 optr = ptr = skb->data;
922
923
924 hdrflags = ntohs(*(__be16 *) ptr);
925
926
927 version = hdrflags & L2TP_HDR_VER_MASK;
928 if (version != tunnel->version) {
929 l2tp_info(tunnel, L2TP_MSG_DATA,
930 "%s: recv protocol version mismatch: got %d expected %d\n",
931 tunnel->name, version, tunnel->version);
932 goto error;
933 }
934
935
936 length = skb->len;
937
938
939 if (hdrflags & L2TP_HDRFLAG_T) {
940 l2tp_dbg(tunnel, L2TP_MSG_DATA,
941 "%s: recv control packet, len=%d\n",
942 tunnel->name, length);
943 goto error;
944 }
945
946
947 ptr += 2;
948
949 if (tunnel->version == L2TP_HDR_VER_2) {
950
951 if (hdrflags & L2TP_HDRFLAG_L)
952 ptr += 2;
953
954
955 tunnel_id = ntohs(*(__be16 *) ptr);
956 ptr += 2;
957 session_id = ntohs(*(__be16 *) ptr);
958 ptr += 2;
959 } else {
960 ptr += 2;
961 tunnel_id = tunnel->tunnel_id;
962 session_id = ntohl(*(__be32 *) ptr);
963 ptr += 4;
964 }
965
966
967 session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id);
968 if (!session || !session->recv_skb) {
969
970 l2tp_info(tunnel, L2TP_MSG_DATA,
971 "%s: no session found (%u/%u). Passing up.\n",
972 tunnel->name, tunnel_id, session_id);
973 goto error;
974 }
975
976 l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
977
978 return 0;
979
980discard_bad_csum:
981 LIMIT_NETDEBUG("%s: UDP: bad checksum\n", tunnel->name);
982 UDP_INC_STATS_USER(tunnel->l2tp_net, UDP_MIB_INERRORS, 0);
983 atomic_long_inc(&tunnel->stats.rx_errors);
984 kfree_skb(skb);
985
986 return 0;
987
988error:
989
990 __skb_push(skb, sizeof(struct udphdr));
991
992 return 1;
993}
994
995
996
997
998
999
1000
1001int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
1002{
1003 struct l2tp_tunnel *tunnel;
1004
1005 tunnel = l2tp_sock_to_tunnel(sk);
1006 if (tunnel == NULL)
1007 goto pass_up;
1008
1009 l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
1010 tunnel->name, skb->len);
1011
1012 if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
1013 goto pass_up_put;
1014
1015 sock_put(sk);
1016 return 0;
1017
1018pass_up_put:
1019 sock_put(sk);
1020pass_up:
1021 return 1;
1022}
1023EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
1024
1025
1026
1027
1028
1029
1030
1031static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
1032{
1033 struct l2tp_tunnel *tunnel = session->tunnel;
1034 __be16 *bufp = buf;
1035 __be16 *optr = buf;
1036 u16 flags = L2TP_HDR_VER_2;
1037 u32 tunnel_id = tunnel->peer_tunnel_id;
1038 u32 session_id = session->peer_session_id;
1039
1040 if (session->send_seq)
1041 flags |= L2TP_HDRFLAG_S;
1042
1043
1044 *bufp++ = htons(flags);
1045 *bufp++ = htons(tunnel_id);
1046 *bufp++ = htons(session_id);
1047 if (session->send_seq) {
1048 *bufp++ = htons(session->ns);
1049 *bufp++ = 0;
1050 session->ns++;
1051 session->ns &= 0xffff;
1052 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
1053 session->name, session->ns);
1054 }
1055
1056 return bufp - optr;
1057}
1058
1059static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1060{
1061 struct l2tp_tunnel *tunnel = session->tunnel;
1062 char *bufp = buf;
1063 char *optr = bufp;
1064
1065
1066
1067
1068 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1069 u16 flags = L2TP_HDR_VER_3;
1070 *((__be16 *) bufp) = htons(flags);
1071 bufp += 2;
1072 *((__be16 *) bufp) = 0;
1073 bufp += 2;
1074 }
1075
1076 *((__be32 *) bufp) = htonl(session->peer_session_id);
1077 bufp += 4;
1078 if (session->cookie_len) {
1079 memcpy(bufp, &session->cookie[0], session->cookie_len);
1080 bufp += session->cookie_len;
1081 }
1082 if (session->l2specific_len) {
1083 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1084 u32 l2h = 0;
1085 if (session->send_seq) {
1086 l2h = 0x40000000 | session->ns;
1087 session->ns++;
1088 session->ns &= 0xffffff;
1089 l2tp_dbg(session, L2TP_MSG_SEQ,
1090 "%s: updated ns to %u\n",
1091 session->name, session->ns);
1092 }
1093
1094 *((__be32 *) bufp) = htonl(l2h);
1095 }
1096 bufp += session->l2specific_len;
1097 }
1098 if (session->offset)
1099 bufp += session->offset;
1100
1101 return bufp - optr;
1102}
1103
1104static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1105 struct flowi *fl, size_t data_len)
1106{
1107 struct l2tp_tunnel *tunnel = session->tunnel;
1108 unsigned int len = skb->len;
1109 int error;
1110
1111
1112 if (session->send_seq)
1113 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes, ns=%u\n",
1114 session->name, data_len, session->ns - 1);
1115 else
1116 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes\n",
1117 session->name, data_len);
1118
1119 if (session->debug & L2TP_MSG_DATA) {
1120 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1121 unsigned char *datap = skb->data + uhlen;
1122
1123 pr_debug("%s: xmit\n", session->name);
1124 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1125 datap, min_t(size_t, 32, len - uhlen));
1126 }
1127
1128
1129 skb->local_df = 1;
1130#if IS_ENABLED(CONFIG_IPV6)
1131 if (skb->sk->sk_family == PF_INET6)
1132 error = inet6_csk_xmit(skb, NULL);
1133 else
1134#endif
1135 error = ip_queue_xmit(skb, fl);
1136
1137
1138 if (error >= 0) {
1139 atomic_long_inc(&tunnel->stats.tx_packets);
1140 atomic_long_add(len, &tunnel->stats.tx_bytes);
1141 atomic_long_inc(&session->stats.tx_packets);
1142 atomic_long_add(len, &session->stats.tx_bytes);
1143 } else {
1144 atomic_long_inc(&tunnel->stats.tx_errors);
1145 atomic_long_inc(&session->stats.tx_errors);
1146 }
1147
1148 return 0;
1149}
1150
1151
1152
1153static void l2tp_sock_wfree(struct sk_buff *skb)
1154{
1155 sock_put(skb->sk);
1156}
1157
1158
1159
1160
1161static inline void l2tp_skb_set_owner_w(struct sk_buff *skb, struct sock *sk)
1162{
1163 sock_hold(sk);
1164 skb->sk = sk;
1165 skb->destructor = l2tp_sock_wfree;
1166}
1167
1168#if IS_ENABLED(CONFIG_IPV6)
1169static void l2tp_xmit_ipv6_csum(struct sock *sk, struct sk_buff *skb,
1170 int udp_len)
1171{
1172 struct ipv6_pinfo *np = inet6_sk(sk);
1173 struct udphdr *uh = udp_hdr(skb);
1174
1175 if (!skb_dst(skb) || !skb_dst(skb)->dev ||
1176 !(skb_dst(skb)->dev->features & NETIF_F_IPV6_CSUM)) {
1177 __wsum csum = skb_checksum(skb, 0, udp_len, 0);
1178 skb->ip_summed = CHECKSUM_UNNECESSARY;
1179 uh->check = csum_ipv6_magic(&np->saddr, &np->daddr, udp_len,
1180 IPPROTO_UDP, csum);
1181 if (uh->check == 0)
1182 uh->check = CSUM_MANGLED_0;
1183 } else {
1184 skb->ip_summed = CHECKSUM_PARTIAL;
1185 skb->csum_start = skb_transport_header(skb) - skb->head;
1186 skb->csum_offset = offsetof(struct udphdr, check);
1187 uh->check = ~csum_ipv6_magic(&np->saddr, &np->daddr,
1188 udp_len, IPPROTO_UDP, 0);
1189 }
1190}
1191#endif
1192
1193
1194
1195
1196int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1197{
1198 int data_len = skb->len;
1199 struct l2tp_tunnel *tunnel = session->tunnel;
1200 struct sock *sk = tunnel->sock;
1201 struct flowi *fl;
1202 struct udphdr *uh;
1203 struct inet_sock *inet;
1204 __wsum csum;
1205 int headroom;
1206 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1207 int udp_len;
1208 int ret = NET_XMIT_SUCCESS;
1209
1210
1211
1212
1213
1214 headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1215 uhlen + hdr_len;
1216 if (skb_cow_head(skb, headroom)) {
1217 kfree_skb(skb);
1218 return NET_XMIT_DROP;
1219 }
1220
1221 skb_orphan(skb);
1222
1223 session->build_header(session, __skb_push(skb, hdr_len));
1224
1225
1226 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1227 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1228 IPSKB_REROUTED);
1229 nf_reset(skb);
1230
1231 bh_lock_sock(sk);
1232 if (sock_owned_by_user(sk)) {
1233 kfree_skb(skb);
1234 ret = NET_XMIT_DROP;
1235 goto out_unlock;
1236 }
1237
1238
1239 skb_dst_drop(skb);
1240 skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
1241
1242 inet = inet_sk(sk);
1243 fl = &inet->cork.fl;
1244 switch (tunnel->encap) {
1245 case L2TP_ENCAPTYPE_UDP:
1246
1247 __skb_push(skb, sizeof(*uh));
1248 skb_reset_transport_header(skb);
1249 uh = udp_hdr(skb);
1250 uh->source = inet->inet_sport;
1251 uh->dest = inet->inet_dport;
1252 udp_len = uhlen + hdr_len + data_len;
1253 uh->len = htons(udp_len);
1254 uh->check = 0;
1255
1256
1257#if IS_ENABLED(CONFIG_IPV6)
1258 if (sk->sk_family == PF_INET6)
1259 l2tp_xmit_ipv6_csum(sk, skb, udp_len);
1260 else
1261#endif
1262 if (sk->sk_no_check == UDP_CSUM_NOXMIT)
1263 skb->ip_summed = CHECKSUM_NONE;
1264 else if ((skb_dst(skb) && skb_dst(skb)->dev) &&
1265 (!(skb_dst(skb)->dev->features & NETIF_F_V4_CSUM))) {
1266 skb->ip_summed = CHECKSUM_COMPLETE;
1267 csum = skb_checksum(skb, 0, udp_len, 0);
1268 uh->check = csum_tcpudp_magic(inet->inet_saddr,
1269 inet->inet_daddr,
1270 udp_len, IPPROTO_UDP, csum);
1271 if (uh->check == 0)
1272 uh->check = CSUM_MANGLED_0;
1273 } else {
1274 skb->ip_summed = CHECKSUM_PARTIAL;
1275 skb->csum_start = skb_transport_header(skb) - skb->head;
1276 skb->csum_offset = offsetof(struct udphdr, check);
1277 uh->check = ~csum_tcpudp_magic(inet->inet_saddr,
1278 inet->inet_daddr,
1279 udp_len, IPPROTO_UDP, 0);
1280 }
1281 break;
1282
1283 case L2TP_ENCAPTYPE_IP:
1284 break;
1285 }
1286
1287 l2tp_skb_set_owner_w(skb, sk);
1288
1289 l2tp_xmit_core(session, skb, fl, data_len);
1290out_unlock:
1291 bh_unlock_sock(sk);
1292
1293 return ret;
1294}
1295EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305static void l2tp_tunnel_destruct(struct sock *sk)
1306{
1307 struct l2tp_tunnel *tunnel;
1308 struct l2tp_net *pn;
1309
1310 tunnel = sk->sk_user_data;
1311 if (tunnel == NULL)
1312 goto end;
1313
1314 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1315
1316
1317
1318 switch (tunnel->encap) {
1319 case L2TP_ENCAPTYPE_UDP:
1320
1321 (udp_sk(sk))->encap_type = 0;
1322 (udp_sk(sk))->encap_rcv = NULL;
1323 (udp_sk(sk))->encap_destroy = NULL;
1324 break;
1325 case L2TP_ENCAPTYPE_IP:
1326 break;
1327 }
1328
1329
1330 sk->sk_destruct = tunnel->old_sk_destruct;
1331 sk->sk_user_data = NULL;
1332 tunnel->sock = NULL;
1333
1334
1335 pn = l2tp_pernet(tunnel->l2tp_net);
1336 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1337 list_del_rcu(&tunnel->list);
1338 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1339 atomic_dec(&l2tp_tunnel_count);
1340
1341 l2tp_tunnel_closeall(tunnel);
1342 l2tp_tunnel_dec_refcount(tunnel);
1343
1344
1345 if (sk->sk_destruct)
1346 (*sk->sk_destruct)(sk);
1347end:
1348 return;
1349}
1350
1351
1352
1353void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1354{
1355 int hash;
1356 struct hlist_node *walk;
1357 struct hlist_node *tmp;
1358 struct l2tp_session *session;
1359
1360 BUG_ON(tunnel == NULL);
1361
1362 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1363 tunnel->name);
1364
1365 write_lock_bh(&tunnel->hlist_lock);
1366 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1367again:
1368 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1369 session = hlist_entry(walk, struct l2tp_session, hlist);
1370
1371 l2tp_info(session, L2TP_MSG_CONTROL,
1372 "%s: closing session\n", session->name);
1373
1374 hlist_del_init(&session->hlist);
1375
1376 if (session->ref != NULL)
1377 (*session->ref)(session);
1378
1379 write_unlock_bh(&tunnel->hlist_lock);
1380
1381 __l2tp_session_unhash(session);
1382 l2tp_session_queue_purge(session);
1383
1384 if (session->session_close != NULL)
1385 (*session->session_close)(session);
1386
1387 if (session->deref != NULL)
1388 (*session->deref)(session);
1389
1390 l2tp_session_dec_refcount(session);
1391
1392 write_lock_bh(&tunnel->hlist_lock);
1393
1394
1395
1396
1397
1398
1399 goto again;
1400 }
1401 }
1402 write_unlock_bh(&tunnel->hlist_lock);
1403}
1404EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
1405
1406
1407static void l2tp_udp_encap_destroy(struct sock *sk)
1408{
1409 struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
1410 if (tunnel) {
1411 l2tp_tunnel_closeall(tunnel);
1412 sock_put(sk);
1413 }
1414}
1415
1416
1417
1418
1419static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
1420{
1421 BUG_ON(atomic_read(&tunnel->ref_count) != 0);
1422 BUG_ON(tunnel->sock != NULL);
1423 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: free...\n", tunnel->name);
1424 kfree_rcu(tunnel, rcu);
1425}
1426
1427
1428static void l2tp_tunnel_del_work(struct work_struct *work)
1429{
1430 struct l2tp_tunnel *tunnel = NULL;
1431 struct socket *sock = NULL;
1432 struct sock *sk = NULL;
1433
1434 tunnel = container_of(work, struct l2tp_tunnel, del_work);
1435 sk = l2tp_tunnel_sock_lookup(tunnel);
1436 if (!sk)
1437 return;
1438
1439 sock = sk->sk_socket;
1440
1441
1442
1443
1444
1445
1446
1447
1448 if (tunnel->fd >= 0) {
1449 if (sock)
1450 inet_shutdown(sock, 2);
1451 } else {
1452 if (sock)
1453 kernel_sock_shutdown(sock, SHUT_RDWR);
1454 sk_release_kernel(sk);
1455 }
1456
1457 l2tp_tunnel_sock_put(sk);
1458}
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469static int l2tp_tunnel_sock_create(struct net *net,
1470 u32 tunnel_id,
1471 u32 peer_tunnel_id,
1472 struct l2tp_tunnel_cfg *cfg,
1473 struct socket **sockp)
1474{
1475 int err = -EINVAL;
1476 struct socket *sock = NULL;
1477 struct sockaddr_in udp_addr = {0};
1478 struct sockaddr_l2tpip ip_addr = {0};
1479#if IS_ENABLED(CONFIG_IPV6)
1480 struct sockaddr_in6 udp6_addr = {0};
1481 struct sockaddr_l2tpip6 ip6_addr = {0};
1482#endif
1483
1484 switch (cfg->encap) {
1485 case L2TP_ENCAPTYPE_UDP:
1486#if IS_ENABLED(CONFIG_IPV6)
1487 if (cfg->local_ip6 && cfg->peer_ip6) {
1488 err = sock_create_kern(AF_INET6, SOCK_DGRAM, 0, &sock);
1489 if (err < 0)
1490 goto out;
1491
1492 sk_change_net(sock->sk, net);
1493
1494 udp6_addr.sin6_family = AF_INET6;
1495 memcpy(&udp6_addr.sin6_addr, cfg->local_ip6,
1496 sizeof(udp6_addr.sin6_addr));
1497 udp6_addr.sin6_port = htons(cfg->local_udp_port);
1498 err = kernel_bind(sock, (struct sockaddr *) &udp6_addr,
1499 sizeof(udp6_addr));
1500 if (err < 0)
1501 goto out;
1502
1503 udp6_addr.sin6_family = AF_INET6;
1504 memcpy(&udp6_addr.sin6_addr, cfg->peer_ip6,
1505 sizeof(udp6_addr.sin6_addr));
1506 udp6_addr.sin6_port = htons(cfg->peer_udp_port);
1507 err = kernel_connect(sock,
1508 (struct sockaddr *) &udp6_addr,
1509 sizeof(udp6_addr), 0);
1510 if (err < 0)
1511 goto out;
1512 } else
1513#endif
1514 {
1515 err = sock_create_kern(AF_INET, SOCK_DGRAM, 0, &sock);
1516 if (err < 0)
1517 goto out;
1518
1519 sk_change_net(sock->sk, net);
1520
1521 udp_addr.sin_family = AF_INET;
1522 udp_addr.sin_addr = cfg->local_ip;
1523 udp_addr.sin_port = htons(cfg->local_udp_port);
1524 err = kernel_bind(sock, (struct sockaddr *) &udp_addr,
1525 sizeof(udp_addr));
1526 if (err < 0)
1527 goto out;
1528
1529 udp_addr.sin_family = AF_INET;
1530 udp_addr.sin_addr = cfg->peer_ip;
1531 udp_addr.sin_port = htons(cfg->peer_udp_port);
1532 err = kernel_connect(sock,
1533 (struct sockaddr *) &udp_addr,
1534 sizeof(udp_addr), 0);
1535 if (err < 0)
1536 goto out;
1537 }
1538
1539 if (!cfg->use_udp_checksums)
1540 sock->sk->sk_no_check = UDP_CSUM_NOXMIT;
1541
1542 break;
1543
1544 case L2TP_ENCAPTYPE_IP:
1545#if IS_ENABLED(CONFIG_IPV6)
1546 if (cfg->local_ip6 && cfg->peer_ip6) {
1547 err = sock_create_kern(AF_INET6, SOCK_DGRAM,
1548 IPPROTO_L2TP, &sock);
1549 if (err < 0)
1550 goto out;
1551
1552 sk_change_net(sock->sk, net);
1553
1554 ip6_addr.l2tp_family = AF_INET6;
1555 memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1556 sizeof(ip6_addr.l2tp_addr));
1557 ip6_addr.l2tp_conn_id = tunnel_id;
1558 err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1559 sizeof(ip6_addr));
1560 if (err < 0)
1561 goto out;
1562
1563 ip6_addr.l2tp_family = AF_INET6;
1564 memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1565 sizeof(ip6_addr.l2tp_addr));
1566 ip6_addr.l2tp_conn_id = peer_tunnel_id;
1567 err = kernel_connect(sock,
1568 (struct sockaddr *) &ip6_addr,
1569 sizeof(ip6_addr), 0);
1570 if (err < 0)
1571 goto out;
1572 } else
1573#endif
1574 {
1575 err = sock_create_kern(AF_INET, SOCK_DGRAM,
1576 IPPROTO_L2TP, &sock);
1577 if (err < 0)
1578 goto out;
1579
1580 sk_change_net(sock->sk, net);
1581
1582 ip_addr.l2tp_family = AF_INET;
1583 ip_addr.l2tp_addr = cfg->local_ip;
1584 ip_addr.l2tp_conn_id = tunnel_id;
1585 err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1586 sizeof(ip_addr));
1587 if (err < 0)
1588 goto out;
1589
1590 ip_addr.l2tp_family = AF_INET;
1591 ip_addr.l2tp_addr = cfg->peer_ip;
1592 ip_addr.l2tp_conn_id = peer_tunnel_id;
1593 err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1594 sizeof(ip_addr), 0);
1595 if (err < 0)
1596 goto out;
1597 }
1598 break;
1599
1600 default:
1601 goto out;
1602 }
1603
1604out:
1605 *sockp = sock;
1606 if ((err < 0) && sock) {
1607 kernel_sock_shutdown(sock, SHUT_RDWR);
1608 sk_release_kernel(sock->sk);
1609 *sockp = NULL;
1610 }
1611
1612 return err;
1613}
1614
1615static struct lock_class_key l2tp_socket_class;
1616
1617int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1618{
1619 struct l2tp_tunnel *tunnel = NULL;
1620 int err;
1621 struct socket *sock = NULL;
1622 struct sock *sk = NULL;
1623 struct l2tp_net *pn;
1624 enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1625
1626
1627
1628
1629
1630 if (fd < 0) {
1631 err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id,
1632 cfg, &sock);
1633 if (err < 0)
1634 goto err;
1635 } else {
1636 sock = sockfd_lookup(fd, &err);
1637 if (!sock) {
1638 pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n",
1639 tunnel_id, fd, err);
1640 err = -EBADF;
1641 goto err;
1642 }
1643
1644
1645 if (!net_eq(sock_net(sock->sk), net)) {
1646 pr_err("tunl %u: netns mismatch\n", tunnel_id);
1647 err = -EINVAL;
1648 goto err;
1649 }
1650 }
1651
1652 sk = sock->sk;
1653
1654 if (cfg != NULL)
1655 encap = cfg->encap;
1656
1657
1658 switch (encap) {
1659 case L2TP_ENCAPTYPE_UDP:
1660 err = -EPROTONOSUPPORT;
1661 if (sk->sk_protocol != IPPROTO_UDP) {
1662 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1663 tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1664 goto err;
1665 }
1666 break;
1667 case L2TP_ENCAPTYPE_IP:
1668 err = -EPROTONOSUPPORT;
1669 if (sk->sk_protocol != IPPROTO_L2TP) {
1670 pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1671 tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1672 goto err;
1673 }
1674 break;
1675 }
1676
1677
1678 tunnel = (struct l2tp_tunnel *)sk->sk_user_data;
1679 if (tunnel != NULL) {
1680
1681 err = -EBUSY;
1682 goto err;
1683 }
1684
1685 tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1686 if (tunnel == NULL) {
1687 err = -ENOMEM;
1688 goto err;
1689 }
1690
1691 tunnel->version = version;
1692 tunnel->tunnel_id = tunnel_id;
1693 tunnel->peer_tunnel_id = peer_tunnel_id;
1694 tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1695
1696 tunnel->magic = L2TP_TUNNEL_MAGIC;
1697 sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1698 rwlock_init(&tunnel->hlist_lock);
1699
1700
1701 tunnel->l2tp_net = net;
1702 pn = l2tp_pernet(net);
1703
1704 if (cfg != NULL)
1705 tunnel->debug = cfg->debug;
1706
1707
1708 tunnel->encap = encap;
1709 if (encap == L2TP_ENCAPTYPE_UDP) {
1710
1711 udp_sk(sk)->encap_type = UDP_ENCAP_L2TPINUDP;
1712 udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
1713 udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy;
1714#if IS_ENABLED(CONFIG_IPV6)
1715 if (sk->sk_family == PF_INET6)
1716 udpv6_encap_enable();
1717 else
1718#endif
1719 udp_encap_enable();
1720 }
1721
1722 sk->sk_user_data = tunnel;
1723
1724
1725
1726
1727 tunnel->old_sk_destruct = sk->sk_destruct;
1728 sk->sk_destruct = &l2tp_tunnel_destruct;
1729 tunnel->sock = sk;
1730 tunnel->fd = fd;
1731 lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1732
1733 sk->sk_allocation = GFP_ATOMIC;
1734
1735
1736 INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1737
1738
1739 INIT_LIST_HEAD(&tunnel->list);
1740 atomic_inc(&l2tp_tunnel_count);
1741
1742
1743
1744
1745 l2tp_tunnel_inc_refcount(tunnel);
1746 spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1747 list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1748 spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1749
1750 err = 0;
1751err:
1752 if (tunnelp)
1753 *tunnelp = tunnel;
1754
1755
1756
1757
1758 if (sock && sock->file)
1759 sockfd_put(sock);
1760
1761 return err;
1762}
1763EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1764
1765
1766
1767int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1768{
1769 l2tp_tunnel_closeall(tunnel);
1770 return (false == queue_work(l2tp_wq, &tunnel->del_work));
1771}
1772EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1773
1774
1775
1776void l2tp_session_free(struct l2tp_session *session)
1777{
1778 struct l2tp_tunnel *tunnel = session->tunnel;
1779
1780 BUG_ON(atomic_read(&session->ref_count) != 0);
1781
1782 if (tunnel) {
1783 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1784 if (session->session_id != 0)
1785 atomic_dec(&l2tp_session_count);
1786 sock_put(tunnel->sock);
1787 session->tunnel = NULL;
1788 l2tp_tunnel_dec_refcount(tunnel);
1789 }
1790
1791 kfree(session);
1792
1793 return;
1794}
1795EXPORT_SYMBOL_GPL(l2tp_session_free);
1796
1797
1798
1799
1800
1801
1802void __l2tp_session_unhash(struct l2tp_session *session)
1803{
1804 struct l2tp_tunnel *tunnel = session->tunnel;
1805
1806
1807 if (tunnel) {
1808
1809 write_lock_bh(&tunnel->hlist_lock);
1810 hlist_del_init(&session->hlist);
1811 write_unlock_bh(&tunnel->hlist_lock);
1812
1813
1814 if (tunnel->version != L2TP_HDR_VER_2) {
1815 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1816 spin_lock_bh(&pn->l2tp_session_hlist_lock);
1817 hlist_del_init_rcu(&session->global_hlist);
1818 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1819 synchronize_rcu();
1820 }
1821 }
1822}
1823EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
1824
1825
1826
1827
1828int l2tp_session_delete(struct l2tp_session *session)
1829{
1830 if (session->ref)
1831 (*session->ref)(session);
1832 __l2tp_session_unhash(session);
1833 l2tp_session_queue_purge(session);
1834 if (session->session_close != NULL)
1835 (*session->session_close)(session);
1836 if (session->deref)
1837 (*session->deref)(session);
1838 l2tp_session_dec_refcount(session);
1839 return 0;
1840}
1841EXPORT_SYMBOL_GPL(l2tp_session_delete);
1842
1843
1844
1845
1846static void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1847{
1848 if (version == L2TP_HDR_VER_2) {
1849 session->hdr_len = 6;
1850 if (session->send_seq)
1851 session->hdr_len += 4;
1852 } else {
1853 session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
1854 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1855 session->hdr_len += 4;
1856 }
1857
1858}
1859
1860struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1861{
1862 struct l2tp_session *session;
1863
1864 session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1865 if (session != NULL) {
1866 session->magic = L2TP_SESSION_MAGIC;
1867 session->tunnel = tunnel;
1868
1869 session->session_id = session_id;
1870 session->peer_session_id = peer_session_id;
1871 session->nr = 0;
1872 if (tunnel->version == L2TP_HDR_VER_2)
1873 session->nr_max = 0xffff;
1874 else
1875 session->nr_max = 0xffffff;
1876 session->nr_window_size = session->nr_max / 2;
1877 session->nr_oos_count_max = 4;
1878
1879
1880 session->reorder_skip = 1;
1881
1882 sprintf(&session->name[0], "sess %u/%u",
1883 tunnel->tunnel_id, session->session_id);
1884
1885 skb_queue_head_init(&session->reorder_q);
1886
1887 INIT_HLIST_NODE(&session->hlist);
1888 INIT_HLIST_NODE(&session->global_hlist);
1889
1890
1891 session->debug = tunnel->debug;
1892
1893 if (cfg) {
1894 session->pwtype = cfg->pw_type;
1895 session->debug = cfg->debug;
1896 session->mtu = cfg->mtu;
1897 session->mru = cfg->mru;
1898 session->send_seq = cfg->send_seq;
1899 session->recv_seq = cfg->recv_seq;
1900 session->lns_mode = cfg->lns_mode;
1901 session->reorder_timeout = cfg->reorder_timeout;
1902 session->offset = cfg->offset;
1903 session->l2specific_type = cfg->l2specific_type;
1904 session->l2specific_len = cfg->l2specific_len;
1905 session->cookie_len = cfg->cookie_len;
1906 memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1907 session->peer_cookie_len = cfg->peer_cookie_len;
1908 memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1909 }
1910
1911 if (tunnel->version == L2TP_HDR_VER_2)
1912 session->build_header = l2tp_build_l2tpv2_header;
1913 else
1914 session->build_header = l2tp_build_l2tpv3_header;
1915
1916 l2tp_session_set_header_len(session, tunnel->version);
1917
1918
1919
1920
1921 l2tp_session_inc_refcount(session);
1922 l2tp_tunnel_inc_refcount(tunnel);
1923
1924
1925 sock_hold(tunnel->sock);
1926
1927
1928 write_lock_bh(&tunnel->hlist_lock);
1929 hlist_add_head(&session->hlist,
1930 l2tp_session_id_hash(tunnel, session_id));
1931 write_unlock_bh(&tunnel->hlist_lock);
1932
1933
1934 if (tunnel->version != L2TP_HDR_VER_2) {
1935 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1936
1937 spin_lock_bh(&pn->l2tp_session_hlist_lock);
1938 hlist_add_head_rcu(&session->global_hlist,
1939 l2tp_session_id_hash_2(pn, session_id));
1940 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1941 }
1942
1943
1944 if (session->session_id != 0)
1945 atomic_inc(&l2tp_session_count);
1946 }
1947
1948 return session;
1949}
1950EXPORT_SYMBOL_GPL(l2tp_session_create);
1951
1952
1953
1954
1955
1956static __net_init int l2tp_init_net(struct net *net)
1957{
1958 struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1959 int hash;
1960
1961 INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1962 spin_lock_init(&pn->l2tp_tunnel_list_lock);
1963
1964 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1965 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1966
1967 spin_lock_init(&pn->l2tp_session_hlist_lock);
1968
1969 return 0;
1970}
1971
1972static __net_exit void l2tp_exit_net(struct net *net)
1973{
1974 struct l2tp_net *pn = l2tp_pernet(net);
1975 struct l2tp_tunnel *tunnel = NULL;
1976
1977 rcu_read_lock_bh();
1978 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1979 (void)l2tp_tunnel_delete(tunnel);
1980 }
1981 rcu_read_unlock_bh();
1982}
1983
1984static struct pernet_operations l2tp_net_ops = {
1985 .init = l2tp_init_net,
1986 .exit = l2tp_exit_net,
1987 .id = &l2tp_net_id,
1988 .size = sizeof(struct l2tp_net),
1989};
1990
1991static int __init l2tp_init(void)
1992{
1993 int rc = 0;
1994
1995 rc = register_pernet_device(&l2tp_net_ops);
1996 if (rc)
1997 goto out;
1998
1999 l2tp_wq = alloc_workqueue("l2tp", WQ_NON_REENTRANT | WQ_UNBOUND, 0);
2000 if (!l2tp_wq) {
2001 pr_err("alloc_workqueue failed\n");
2002 rc = -ENOMEM;
2003 goto out;
2004 }
2005
2006 pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
2007
2008out:
2009 return rc;
2010}
2011
2012static void __exit l2tp_exit(void)
2013{
2014 unregister_pernet_device(&l2tp_net_ops);
2015 if (l2tp_wq) {
2016 destroy_workqueue(l2tp_wq);
2017 l2tp_wq = NULL;
2018 }
2019}
2020
2021module_init(l2tp_init);
2022module_exit(l2tp_exit);
2023
2024MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
2025MODULE_DESCRIPTION("L2TP core");
2026MODULE_LICENSE("GPL");
2027MODULE_VERSION(L2TP_DRV_VERSION);
2028
2029
