linux/net/l2tp/l2tp_core.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/* L2TP core.
   3 *
   4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
   5 *
   6 * This file contains some code of the original L2TPv2 pppol2tp
   7 * driver, which has the following copyright:
   8 *
   9 * Authors:     Martijn van Oosterhout <kleptog@svana.org>
  10 *              James Chapman (jchapman@katalix.com)
  11 * Contributors:
  12 *              Michal Ostrowski <mostrows@speakeasy.net>
  13 *              Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
  14 *              David S. Miller (davem@redhat.com)
  15 */
  16
  17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  18
  19#include <linux/module.h>
  20#include <linux/string.h>
  21#include <linux/list.h>
  22#include <linux/rculist.h>
  23#include <linux/uaccess.h>
  24
  25#include <linux/kernel.h>
  26#include <linux/spinlock.h>
  27#include <linux/kthread.h>
  28#include <linux/sched.h>
  29#include <linux/slab.h>
  30#include <linux/errno.h>
  31#include <linux/jiffies.h>
  32
  33#include <linux/netdevice.h>
  34#include <linux/net.h>
  35#include <linux/inetdevice.h>
  36#include <linux/skbuff.h>
  37#include <linux/init.h>
  38#include <linux/in.h>
  39#include <linux/ip.h>
  40#include <linux/udp.h>
  41#include <linux/l2tp.h>
  42#include <linux/hash.h>
  43#include <linux/sort.h>
  44#include <linux/file.h>
  45#include <linux/nsproxy.h>
  46#include <net/net_namespace.h>
  47#include <net/netns/generic.h>
  48#include <net/dst.h>
  49#include <net/ip.h>
  50#include <net/udp.h>
  51#include <net/udp_tunnel.h>
  52#include <net/inet_common.h>
  53#include <net/xfrm.h>
  54#include <net/protocol.h>
  55#include <net/inet6_connection_sock.h>
  56#include <net/inet_ecn.h>
  57#include <net/ip6_route.h>
  58#include <net/ip6_checksum.h>
  59
  60#include <asm/byteorder.h>
  61#include <linux/atomic.h>
  62
  63#include "l2tp_core.h"
  64#include "trace.h"
  65
  66#define CREATE_TRACE_POINTS
  67#include "trace.h"
  68
  69#define L2TP_DRV_VERSION        "V2.0"
  70
  71/* L2TP header constants */
  72#define L2TP_HDRFLAG_T     0x8000
  73#define L2TP_HDRFLAG_L     0x4000
  74#define L2TP_HDRFLAG_S     0x0800
  75#define L2TP_HDRFLAG_O     0x0200
  76#define L2TP_HDRFLAG_P     0x0100
  77
  78#define L2TP_HDR_VER_MASK  0x000F
  79#define L2TP_HDR_VER_2     0x0002
  80#define L2TP_HDR_VER_3     0x0003
  81
  82/* L2TPv3 default L2-specific sublayer */
  83#define L2TP_SLFLAG_S      0x40000000
  84#define L2TP_SL_SEQ_MASK   0x00ffffff
  85
  86#define L2TP_HDR_SIZE_MAX               14
  87
  88/* Default trace flags */
  89#define L2TP_DEFAULT_DEBUG_FLAGS        0
  90
  91/* Private data stored for received packets in the skb.
  92 */
  93struct l2tp_skb_cb {
  94        u32                     ns;
  95        u16                     has_seq;
  96        u16                     length;
  97        unsigned long           expires;
  98};
  99
 100#define L2TP_SKB_CB(skb)        ((struct l2tp_skb_cb *)&(skb)->cb[sizeof(struct inet_skb_parm)])
 101
 102static struct workqueue_struct *l2tp_wq;
 103
 104/* per-net private data for this module */
 105static unsigned int l2tp_net_id;
 106struct l2tp_net {
 107        struct list_head l2tp_tunnel_list;
 108        /* Lock for write access to l2tp_tunnel_list */
 109        spinlock_t l2tp_tunnel_list_lock;
 110        struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
 111        /* Lock for write access to l2tp_session_hlist */
 112        spinlock_t l2tp_session_hlist_lock;
 113};
 114
 115#if IS_ENABLED(CONFIG_IPV6)
 116static bool l2tp_sk_is_v6(struct sock *sk)
 117{
 118        return sk->sk_family == PF_INET6 &&
 119               !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
 120}
 121#endif
 122
 123static inline struct l2tp_net *l2tp_pernet(const struct net *net)
 124{
 125        return net_generic(net, l2tp_net_id);
 126}
 127
 128/* Session hash global list for L2TPv3.
 129 * The session_id SHOULD be random according to RFC3931, but several
 130 * L2TP implementations use incrementing session_ids.  So we do a real
 131 * hash on the session_id, rather than a simple bitmask.
 132 */
 133static inline struct hlist_head *
 134l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
 135{
 136        return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
 137}
 138
 139/* Session hash list.
 140 * The session_id SHOULD be random according to RFC2661, but several
 141 * L2TP implementations (Cisco and Microsoft) use incrementing
 142 * session_ids.  So we do a real hash on the session_id, rather than a
 143 * simple bitmask.
 144 */
 145static inline struct hlist_head *
 146l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
 147{
 148        return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
 149}
 150
 151static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
 152{
 153        trace_free_tunnel(tunnel);
 154        sock_put(tunnel->sock);
 155        /* the tunnel is freed in the socket destructor */
 156}
 157
 158static void l2tp_session_free(struct l2tp_session *session)
 159{
 160        trace_free_session(session);
 161        if (session->tunnel)
 162                l2tp_tunnel_dec_refcount(session->tunnel);
 163        kfree(session);
 164}
 165
 166struct l2tp_tunnel *l2tp_sk_to_tunnel(struct sock *sk)
 167{
 168        struct l2tp_tunnel *tunnel = sk->sk_user_data;
 169
 170        if (tunnel)
 171                if (WARN_ON(tunnel->magic != L2TP_TUNNEL_MAGIC))
 172                        return NULL;
 173
 174        return tunnel;
 175}
 176EXPORT_SYMBOL_GPL(l2tp_sk_to_tunnel);
 177
 178void l2tp_tunnel_inc_refcount(struct l2tp_tunnel *tunnel)
 179{
 180        refcount_inc(&tunnel->ref_count);
 181}
 182EXPORT_SYMBOL_GPL(l2tp_tunnel_inc_refcount);
 183
 184void l2tp_tunnel_dec_refcount(struct l2tp_tunnel *tunnel)
 185{
 186        if (refcount_dec_and_test(&tunnel->ref_count))
 187                l2tp_tunnel_free(tunnel);
 188}
 189EXPORT_SYMBOL_GPL(l2tp_tunnel_dec_refcount);
 190
 191void l2tp_session_inc_refcount(struct l2tp_session *session)
 192{
 193        refcount_inc(&session->ref_count);
 194}
 195EXPORT_SYMBOL_GPL(l2tp_session_inc_refcount);
 196
 197void l2tp_session_dec_refcount(struct l2tp_session *session)
 198{
 199        if (refcount_dec_and_test(&session->ref_count))
 200                l2tp_session_free(session);
 201}
 202EXPORT_SYMBOL_GPL(l2tp_session_dec_refcount);
 203
 204/* Lookup a tunnel. A new reference is held on the returned tunnel. */
 205struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
 206{
 207        const struct l2tp_net *pn = l2tp_pernet(net);
 208        struct l2tp_tunnel *tunnel;
 209
 210        rcu_read_lock_bh();
 211        list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
 212                if (tunnel->tunnel_id == tunnel_id &&
 213                    refcount_inc_not_zero(&tunnel->ref_count)) {
 214                        rcu_read_unlock_bh();
 215
 216                        return tunnel;
 217                }
 218        }
 219        rcu_read_unlock_bh();
 220
 221        return NULL;
 222}
 223EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
 224
 225struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth)
 226{
 227        const struct l2tp_net *pn = l2tp_pernet(net);
 228        struct l2tp_tunnel *tunnel;
 229        int count = 0;
 230
 231        rcu_read_lock_bh();
 232        list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
 233                if (++count > nth &&
 234                    refcount_inc_not_zero(&tunnel->ref_count)) {
 235                        rcu_read_unlock_bh();
 236                        return tunnel;
 237                }
 238        }
 239        rcu_read_unlock_bh();
 240
 241        return NULL;
 242}
 243EXPORT_SYMBOL_GPL(l2tp_tunnel_get_nth);
 244
 245struct l2tp_session *l2tp_tunnel_get_session(struct l2tp_tunnel *tunnel,
 246                                             u32 session_id)
 247{
 248        struct hlist_head *session_list;
 249        struct l2tp_session *session;
 250
 251        session_list = l2tp_session_id_hash(tunnel, session_id);
 252
 253        read_lock_bh(&tunnel->hlist_lock);
 254        hlist_for_each_entry(session, session_list, hlist)
 255                if (session->session_id == session_id) {
 256                        l2tp_session_inc_refcount(session);
 257                        read_unlock_bh(&tunnel->hlist_lock);
 258
 259                        return session;
 260                }
 261        read_unlock_bh(&tunnel->hlist_lock);
 262
 263        return NULL;
 264}
 265EXPORT_SYMBOL_GPL(l2tp_tunnel_get_session);
 266
 267struct l2tp_session *l2tp_session_get(const struct net *net, u32 session_id)
 268{
 269        struct hlist_head *session_list;
 270        struct l2tp_session *session;
 271
 272        session_list = l2tp_session_id_hash_2(l2tp_pernet(net), session_id);
 273
 274        rcu_read_lock_bh();
 275        hlist_for_each_entry_rcu(session, session_list, global_hlist)
 276                if (session->session_id == session_id) {
 277                        l2tp_session_inc_refcount(session);
 278                        rcu_read_unlock_bh();
 279
 280                        return session;
 281                }
 282        rcu_read_unlock_bh();
 283
 284        return NULL;
 285}
 286EXPORT_SYMBOL_GPL(l2tp_session_get);
 287
 288struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth)
 289{
 290        int hash;
 291        struct l2tp_session *session;
 292        int count = 0;
 293
 294        read_lock_bh(&tunnel->hlist_lock);
 295        for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
 296                hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
 297                        if (++count > nth) {
 298                                l2tp_session_inc_refcount(session);
 299                                read_unlock_bh(&tunnel->hlist_lock);
 300                                return session;
 301                        }
 302                }
 303        }
 304
 305        read_unlock_bh(&tunnel->hlist_lock);
 306
 307        return NULL;
 308}
 309EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
 310
 311/* Lookup a session by interface name.
 312 * This is very inefficient but is only used by management interfaces.
 313 */
 314struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
 315                                                const char *ifname)
 316{
 317        struct l2tp_net *pn = l2tp_pernet(net);
 318        int hash;
 319        struct l2tp_session *session;
 320
 321        rcu_read_lock_bh();
 322        for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
 323                hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
 324                        if (!strcmp(session->ifname, ifname)) {
 325                                l2tp_session_inc_refcount(session);
 326                                rcu_read_unlock_bh();
 327
 328                                return session;
 329                        }
 330                }
 331        }
 332
 333        rcu_read_unlock_bh();
 334
 335        return NULL;
 336}
 337EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
 338
 339int l2tp_session_register(struct l2tp_session *session,
 340                          struct l2tp_tunnel *tunnel)
 341{
 342        struct l2tp_session *session_walk;
 343        struct hlist_head *g_head;
 344        struct hlist_head *head;
 345        struct l2tp_net *pn;
 346        int err;
 347
 348        head = l2tp_session_id_hash(tunnel, session->session_id);
 349
 350        write_lock_bh(&tunnel->hlist_lock);
 351        if (!tunnel->acpt_newsess) {
 352                err = -ENODEV;
 353                goto err_tlock;
 354        }
 355
 356        hlist_for_each_entry(session_walk, head, hlist)
 357                if (session_walk->session_id == session->session_id) {
 358                        err = -EEXIST;
 359                        goto err_tlock;
 360                }
 361
 362        if (tunnel->version == L2TP_HDR_VER_3) {
 363                pn = l2tp_pernet(tunnel->l2tp_net);
 364                g_head = l2tp_session_id_hash_2(pn, session->session_id);
 365
 366                spin_lock_bh(&pn->l2tp_session_hlist_lock);
 367
 368                /* IP encap expects session IDs to be globally unique, while
 369                 * UDP encap doesn't.
 370                 */
 371                hlist_for_each_entry(session_walk, g_head, global_hlist)
 372                        if (session_walk->session_id == session->session_id &&
 373                            (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP ||
 374                             tunnel->encap == L2TP_ENCAPTYPE_IP)) {
 375                                err = -EEXIST;
 376                                goto err_tlock_pnlock;
 377                        }
 378
 379                l2tp_tunnel_inc_refcount(tunnel);
 380                hlist_add_head_rcu(&session->global_hlist, g_head);
 381
 382                spin_unlock_bh(&pn->l2tp_session_hlist_lock);
 383        } else {
 384                l2tp_tunnel_inc_refcount(tunnel);
 385        }
 386
 387        hlist_add_head(&session->hlist, head);
 388        write_unlock_bh(&tunnel->hlist_lock);
 389
 390        trace_register_session(session);
 391
 392        return 0;
 393
 394err_tlock_pnlock:
 395        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
 396err_tlock:
 397        write_unlock_bh(&tunnel->hlist_lock);
 398
 399        return err;
 400}
 401EXPORT_SYMBOL_GPL(l2tp_session_register);
 402
 403/*****************************************************************************
 404 * Receive data handling
 405 *****************************************************************************/
 406
 407/* Queue a skb in order. We come here only if the skb has an L2TP sequence
 408 * number.
 409 */
 410static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
 411{
 412        struct sk_buff *skbp;
 413        struct sk_buff *tmp;
 414        u32 ns = L2TP_SKB_CB(skb)->ns;
 415
 416        spin_lock_bh(&session->reorder_q.lock);
 417        skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
 418                if (L2TP_SKB_CB(skbp)->ns > ns) {
 419                        __skb_queue_before(&session->reorder_q, skbp, skb);
 420                        atomic_long_inc(&session->stats.rx_oos_packets);
 421                        goto out;
 422                }
 423        }
 424
 425        __skb_queue_tail(&session->reorder_q, skb);
 426
 427out:
 428        spin_unlock_bh(&session->reorder_q.lock);
 429}
 430
 431/* Dequeue a single skb.
 432 */
 433static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
 434{
 435        struct l2tp_tunnel *tunnel = session->tunnel;
 436        int length = L2TP_SKB_CB(skb)->length;
 437
 438        /* We're about to requeue the skb, so return resources
 439         * to its current owner (a socket receive buffer).
 440         */
 441        skb_orphan(skb);
 442
 443        atomic_long_inc(&tunnel->stats.rx_packets);
 444        atomic_long_add(length, &tunnel->stats.rx_bytes);
 445        atomic_long_inc(&session->stats.rx_packets);
 446        atomic_long_add(length, &session->stats.rx_bytes);
 447
 448        if (L2TP_SKB_CB(skb)->has_seq) {
 449                /* Bump our Nr */
 450                session->nr++;
 451                session->nr &= session->nr_max;
 452                trace_session_seqnum_update(session);
 453        }
 454
 455        /* call private receive handler */
 456        if (session->recv_skb)
 457                (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
 458        else
 459                kfree_skb(skb);
 460}
 461
 462/* Dequeue skbs from the session's reorder_q, subject to packet order.
 463 * Skbs that have been in the queue for too long are simply discarded.
 464 */
 465static void l2tp_recv_dequeue(struct l2tp_session *session)
 466{
 467        struct sk_buff *skb;
 468        struct sk_buff *tmp;
 469
 470        /* If the pkt at the head of the queue has the nr that we
 471         * expect to send up next, dequeue it and any other
 472         * in-sequence packets behind it.
 473         */
 474start:
 475        spin_lock_bh(&session->reorder_q.lock);
 476        skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
 477                struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);
 478
 479                /* If the packet has been pending on the queue for too long, discard it */
 480                if (time_after(jiffies, cb->expires)) {
 481                        atomic_long_inc(&session->stats.rx_seq_discards);
 482                        atomic_long_inc(&session->stats.rx_errors);
 483                        trace_session_pkt_expired(session, cb->ns);
 484                        session->reorder_skip = 1;
 485                        __skb_unlink(skb, &session->reorder_q);
 486                        kfree_skb(skb);
 487                        continue;
 488                }
 489
 490                if (cb->has_seq) {
 491                        if (session->reorder_skip) {
 492                                session->reorder_skip = 0;
 493                                session->nr = cb->ns;
 494                                trace_session_seqnum_reset(session);
 495                        }
 496                        if (cb->ns != session->nr)
 497                                goto out;
 498                }
 499                __skb_unlink(skb, &session->reorder_q);
 500
 501                /* Process the skb. We release the queue lock while we
 502                 * do so to let other contexts process the queue.
 503                 */
 504                spin_unlock_bh(&session->reorder_q.lock);
 505                l2tp_recv_dequeue_skb(session, skb);
 506                goto start;
 507        }
 508
 509out:
 510        spin_unlock_bh(&session->reorder_q.lock);
 511}
 512
 513static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
 514{
 515        u32 nws;
 516
 517        if (nr >= session->nr)
 518                nws = nr - session->nr;
 519        else
 520                nws = (session->nr_max + 1) - (session->nr - nr);
 521
 522        return nws < session->nr_window_size;
 523}
 524
 525/* If packet has sequence numbers, queue it if acceptable. Returns 0 if
 526 * acceptable, else non-zero.
 527 */
 528static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
 529{
 530        struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);
 531
 532        if (!l2tp_seq_check_rx_window(session, cb->ns)) {
 533                /* Packet sequence number is outside allowed window.
 534                 * Discard it.
 535                 */
 536                trace_session_pkt_outside_rx_window(session, cb->ns);
 537                goto discard;
 538        }
 539
 540        if (session->reorder_timeout != 0) {
 541                /* Packet reordering enabled. Add skb to session's
 542                 * reorder queue, in order of ns.
 543                 */
 544                l2tp_recv_queue_skb(session, skb);
 545                goto out;
 546        }
 547
 548        /* Packet reordering disabled. Discard out-of-sequence packets, while
 549         * tracking the number if in-sequence packets after the first OOS packet
 550         * is seen. After nr_oos_count_max in-sequence packets, reset the
 551         * sequence number to re-enable packet reception.
 552         */
 553        if (cb->ns == session->nr) {
 554                skb_queue_tail(&session->reorder_q, skb);
 555        } else {
 556                u32 nr_oos = cb->ns;
 557                u32 nr_next = (session->nr_oos + 1) & session->nr_max;
 558
 559                if (nr_oos == nr_next)
 560                        session->nr_oos_count++;
 561                else
 562                        session->nr_oos_count = 0;
 563
 564                session->nr_oos = nr_oos;
 565                if (session->nr_oos_count > session->nr_oos_count_max) {
 566                        session->reorder_skip = 1;
 567                }
 568                if (!session->reorder_skip) {
 569                        atomic_long_inc(&session->stats.rx_seq_discards);
 570                        trace_session_pkt_oos(session, cb->ns);
 571                        goto discard;
 572                }
 573                skb_queue_tail(&session->reorder_q, skb);
 574        }
 575
 576out:
 577        return 0;
 578
 579discard:
 580        return 1;
 581}
 582
 583/* Do receive processing of L2TP data frames. We handle both L2TPv2
 584 * and L2TPv3 data frames here.
 585 *
 586 * L2TPv2 Data Message Header
 587 *
 588 *  0                   1                   2                   3
 589 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 590 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 591 * |T|L|x|x|S|x|O|P|x|x|x|x|  Ver  |          Length (opt)         |
 592 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 593 * |           Tunnel ID           |           Session ID          |
 594 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 595 * |             Ns (opt)          |             Nr (opt)          |
 596 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 597 * |      Offset Size (opt)        |    Offset pad... (opt)
 598 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 599 *
 600 * Data frames are marked by T=0. All other fields are the same as
 601 * those in L2TP control frames.
 602 *
 603 * L2TPv3 Data Message Header
 604 *
 605 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 606 * |                      L2TP Session Header                      |
 607 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 608 * |                      L2-Specific Sublayer                     |
 609 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 610 * |                        Tunnel Payload                      ...
 611 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 612 *
 613 * L2TPv3 Session Header Over IP
 614 *
 615 *  0                   1                   2                   3
 616 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 617 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 618 * |                           Session ID                          |
 619 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 620 * |               Cookie (optional, maximum 64 bits)...
 621 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 622 *                                                                 |
 623 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 624 *
 625 * L2TPv3 L2-Specific Sublayer Format
 626 *
 627 *  0                   1                   2                   3
 628 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 629 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 630 * |x|S|x|x|x|x|x|x|              Sequence Number                  |
 631 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 632 *
 633 * Cookie value and sublayer format are negotiated with the peer when
 634 * the session is set up. Unlike L2TPv2, we do not need to parse the
 635 * packet header to determine if optional fields are present.
 636 *
 637 * Caller must already have parsed the frame and determined that it is
 638 * a data (not control) frame before coming here. Fields up to the
 639 * session-id have already been parsed and ptr points to the data
 640 * after the session-id.
 641 */
 642void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
 643                      unsigned char *ptr, unsigned char *optr, u16 hdrflags,
 644                      int length)
 645{
 646        struct l2tp_tunnel *tunnel = session->tunnel;
 647        int offset;
 648
 649        /* Parse and check optional cookie */
 650        if (session->peer_cookie_len > 0) {
 651                if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
 652                        pr_warn_ratelimited("%s: cookie mismatch (%u/%u). Discarding.\n",
 653                                            tunnel->name, tunnel->tunnel_id,
 654                                            session->session_id);
 655                        atomic_long_inc(&session->stats.rx_cookie_discards);
 656                        goto discard;
 657                }
 658                ptr += session->peer_cookie_len;
 659        }
 660
 661        /* Handle the optional sequence numbers. Sequence numbers are
 662         * in different places for L2TPv2 and L2TPv3.
 663         *
 664         * If we are the LAC, enable/disable sequence numbers under
 665         * the control of the LNS.  If no sequence numbers present but
 666         * we were expecting them, discard frame.
 667         */
 668        L2TP_SKB_CB(skb)->has_seq = 0;
 669        if (tunnel->version == L2TP_HDR_VER_2) {
 670                if (hdrflags & L2TP_HDRFLAG_S) {
 671                        /* Store L2TP info in the skb */
 672                        L2TP_SKB_CB(skb)->ns = ntohs(*(__be16 *)ptr);
 673                        L2TP_SKB_CB(skb)->has_seq = 1;
 674                        ptr += 2;
 675                        /* Skip past nr in the header */
 676                        ptr += 2;
 677
 678                }
 679        } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
 680                u32 l2h = ntohl(*(__be32 *)ptr);
 681
 682                if (l2h & 0x40000000) {
 683                        /* Store L2TP info in the skb */
 684                        L2TP_SKB_CB(skb)->ns = l2h & 0x00ffffff;
 685                        L2TP_SKB_CB(skb)->has_seq = 1;
 686                }
 687                ptr += 4;
 688        }
 689
 690        if (L2TP_SKB_CB(skb)->has_seq) {
 691                /* Received a packet with sequence numbers. If we're the LAC,
 692                 * check if we sre sending sequence numbers and if not,
 693                 * configure it so.
 694                 */
 695                if (!session->lns_mode && !session->send_seq) {
 696                        trace_session_seqnum_lns_enable(session);
 697                        session->send_seq = 1;
 698                        l2tp_session_set_header_len(session, tunnel->version);
 699                }
 700        } else {
 701                /* No sequence numbers.
 702                 * If user has configured mandatory sequence numbers, discard.
 703                 */
 704                if (session->recv_seq) {
 705                        pr_warn_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",
 706                                            session->name);
 707                        atomic_long_inc(&session->stats.rx_seq_discards);
 708                        goto discard;
 709                }
 710
 711                /* If we're the LAC and we're sending sequence numbers, the
 712                 * LNS has requested that we no longer send sequence numbers.
 713                 * If we're the LNS and we're sending sequence numbers, the
 714                 * LAC is broken. Discard the frame.
 715                 */
 716                if (!session->lns_mode && session->send_seq) {
 717                        trace_session_seqnum_lns_disable(session);
 718                        session->send_seq = 0;
 719                        l2tp_session_set_header_len(session, tunnel->version);
 720                } else if (session->send_seq) {
 721                        pr_warn_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",
 722                                            session->name);
 723                        atomic_long_inc(&session->stats.rx_seq_discards);
 724                        goto discard;
 725                }
 726        }
 727
 728        /* Session data offset is defined only for L2TPv2 and is
 729         * indicated by an optional 16-bit value in the header.
 730         */
 731        if (tunnel->version == L2TP_HDR_VER_2) {
 732                /* If offset bit set, skip it. */
 733                if (hdrflags & L2TP_HDRFLAG_O) {
 734                        offset = ntohs(*(__be16 *)ptr);
 735                        ptr += 2 + offset;
 736                }
 737        }
 738
 739        offset = ptr - optr;
 740        if (!pskb_may_pull(skb, offset))
 741                goto discard;
 742
 743        __skb_pull(skb, offset);
 744
 745        /* Prepare skb for adding to the session's reorder_q.  Hold
 746         * packets for max reorder_timeout or 1 second if not
 747         * reordering.
 748         */
 749        L2TP_SKB_CB(skb)->length = length;
 750        L2TP_SKB_CB(skb)->expires = jiffies +
 751                (session->reorder_timeout ? session->reorder_timeout : HZ);
 752
 753        /* Add packet to the session's receive queue. Reordering is done here, if
 754         * enabled. Saved L2TP protocol info is stored in skb->sb[].
 755         */
 756        if (L2TP_SKB_CB(skb)->has_seq) {
 757                if (l2tp_recv_data_seq(session, skb))
 758                        goto discard;
 759        } else {
 760                /* No sequence numbers. Add the skb to the tail of the
 761                 * reorder queue. This ensures that it will be
 762                 * delivered after all previous sequenced skbs.
 763                 */
 764                skb_queue_tail(&session->reorder_q, skb);
 765        }
 766
 767        /* Try to dequeue as many skbs from reorder_q as we can. */
 768        l2tp_recv_dequeue(session);
 769
 770        return;
 771
 772discard:
 773        atomic_long_inc(&session->stats.rx_errors);
 774        kfree_skb(skb);
 775}
 776EXPORT_SYMBOL_GPL(l2tp_recv_common);
 777
 778/* Drop skbs from the session's reorder_q
 779 */
 780static void l2tp_session_queue_purge(struct l2tp_session *session)
 781{
 782        struct sk_buff *skb = NULL;
 783
 784        while ((skb = skb_dequeue(&session->reorder_q))) {
 785                atomic_long_inc(&session->stats.rx_errors);
 786                kfree_skb(skb);
 787        }
 788}
 789
 790/* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
 791 * here. The skb is not on a list when we get here.
 792 * Returns 0 if the packet was a data packet and was successfully passed on.
 793 * Returns 1 if the packet was not a good data packet and could not be
 794 * forwarded.  All such packets are passed up to userspace to deal with.
 795 */
 796static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
 797{
 798        struct l2tp_session *session = NULL;
 799        unsigned char *ptr, *optr;
 800        u16 hdrflags;
 801        u32 tunnel_id, session_id;
 802        u16 version;
 803        int length;
 804
 805        /* UDP has verifed checksum */
 806
 807        /* UDP always verifies the packet length. */
 808        __skb_pull(skb, sizeof(struct udphdr));
 809
 810        /* Short packet? */
 811        if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) {
 812                pr_warn_ratelimited("%s: recv short packet (len=%d)\n",
 813                                    tunnel->name, skb->len);
 814                goto error;
 815        }
 816
 817        /* Point to L2TP header */
 818        optr = skb->data;
 819        ptr = skb->data;
 820
 821        /* Get L2TP header flags */
 822        hdrflags = ntohs(*(__be16 *)ptr);
 823
 824        /* Check protocol version */
 825        version = hdrflags & L2TP_HDR_VER_MASK;
 826        if (version != tunnel->version) {
 827                pr_warn_ratelimited("%s: recv protocol version mismatch: got %d expected %d\n",
 828                                    tunnel->name, version, tunnel->version);
 829                goto error;
 830        }
 831
 832        /* Get length of L2TP packet */
 833        length = skb->len;
 834
 835        /* If type is control packet, it is handled by userspace. */
 836        if (hdrflags & L2TP_HDRFLAG_T)
 837                goto error;
 838
 839        /* Skip flags */
 840        ptr += 2;
 841
 842        if (tunnel->version == L2TP_HDR_VER_2) {
 843                /* If length is present, skip it */
 844                if (hdrflags & L2TP_HDRFLAG_L)
 845                        ptr += 2;
 846
 847                /* Extract tunnel and session ID */
 848                tunnel_id = ntohs(*(__be16 *)ptr);
 849                ptr += 2;
 850                session_id = ntohs(*(__be16 *)ptr);
 851                ptr += 2;
 852        } else {
 853                ptr += 2;       /* skip reserved bits */
 854                tunnel_id = tunnel->tunnel_id;
 855                session_id = ntohl(*(__be32 *)ptr);
 856                ptr += 4;
 857        }
 858
 859        /* Find the session context */
 860        session = l2tp_tunnel_get_session(tunnel, session_id);
 861        if (!session || !session->recv_skb) {
 862                if (session)
 863                        l2tp_session_dec_refcount(session);
 864
 865                /* Not found? Pass to userspace to deal with */
 866                pr_warn_ratelimited("%s: no session found (%u/%u). Passing up.\n",
 867                                    tunnel->name, tunnel_id, session_id);
 868                goto error;
 869        }
 870
 871        if (tunnel->version == L2TP_HDR_VER_3 &&
 872            l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
 873                goto error;
 874
 875        l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
 876        l2tp_session_dec_refcount(session);
 877
 878        return 0;
 879
 880error:
 881        /* Put UDP header back */
 882        __skb_push(skb, sizeof(struct udphdr));
 883
 884        return 1;
 885}
 886
 887/* UDP encapsulation receive handler. See net/ipv4/udp.c.
 888 * Return codes:
 889 * 0 : success.
 890 * <0: error
 891 * >0: skb should be passed up to userspace as UDP.
 892 */
 893int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 894{
 895        struct l2tp_tunnel *tunnel;
 896
 897        /* Note that this is called from the encap_rcv hook inside an
 898         * RCU-protected region, but without the socket being locked.
 899         * Hence we use rcu_dereference_sk_user_data to access the
 900         * tunnel data structure rather the usual l2tp_sk_to_tunnel
 901         * accessor function.
 902         */
 903        tunnel = rcu_dereference_sk_user_data(sk);
 904        if (!tunnel)
 905                goto pass_up;
 906        if (WARN_ON(tunnel->magic != L2TP_TUNNEL_MAGIC))
 907                goto pass_up;
 908
 909        if (l2tp_udp_recv_core(tunnel, skb))
 910                goto pass_up;
 911
 912        return 0;
 913
 914pass_up:
 915        return 1;
 916}
 917EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
 918
 919/************************************************************************
 920 * Transmit handling
 921 ***********************************************************************/
 922
 923/* Build an L2TP header for the session into the buffer provided.
 924 */
 925static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
 926{
 927        struct l2tp_tunnel *tunnel = session->tunnel;
 928        __be16 *bufp = buf;
 929        __be16 *optr = buf;
 930        u16 flags = L2TP_HDR_VER_2;
 931        u32 tunnel_id = tunnel->peer_tunnel_id;
 932        u32 session_id = session->peer_session_id;
 933
 934        if (session->send_seq)
 935                flags |= L2TP_HDRFLAG_S;
 936
 937        /* Setup L2TP header. */
 938        *bufp++ = htons(flags);
 939        *bufp++ = htons(tunnel_id);
 940        *bufp++ = htons(session_id);
 941        if (session->send_seq) {
 942                *bufp++ = htons(session->ns);
 943                *bufp++ = 0;
 944                session->ns++;
 945                session->ns &= 0xffff;
 946                trace_session_seqnum_update(session);
 947        }
 948
 949        return bufp - optr;
 950}
 951
 952static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
 953{
 954        struct l2tp_tunnel *tunnel = session->tunnel;
 955        char *bufp = buf;
 956        char *optr = bufp;
 957
 958        /* Setup L2TP header. The header differs slightly for UDP and
 959         * IP encapsulations. For UDP, there is 4 bytes of flags.
 960         */
 961        if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
 962                u16 flags = L2TP_HDR_VER_3;
 963                *((__be16 *)bufp) = htons(flags);
 964                bufp += 2;
 965                *((__be16 *)bufp) = 0;
 966                bufp += 2;
 967        }
 968
 969        *((__be32 *)bufp) = htonl(session->peer_session_id);
 970        bufp += 4;
 971        if (session->cookie_len) {
 972                memcpy(bufp, &session->cookie[0], session->cookie_len);
 973                bufp += session->cookie_len;
 974        }
 975        if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
 976                u32 l2h = 0;
 977
 978                if (session->send_seq) {
 979                        l2h = 0x40000000 | session->ns;
 980                        session->ns++;
 981                        session->ns &= 0xffffff;
 982                        trace_session_seqnum_update(session);
 983                }
 984
 985                *((__be32 *)bufp) = htonl(l2h);
 986                bufp += 4;
 987        }
 988
 989        return bufp - optr;
 990}
 991
 992/* Queue the packet to IP for output: tunnel socket lock must be held */
 993static int l2tp_xmit_queue(struct l2tp_tunnel *tunnel, struct sk_buff *skb, struct flowi *fl)
 994{
 995        int err;
 996
 997        skb->ignore_df = 1;
 998        skb_dst_drop(skb);
 999#if IS_ENABLED(CONFIG_IPV6)
1000        if (l2tp_sk_is_v6(tunnel->sock))
1001                err = inet6_csk_xmit(tunnel->sock, skb, NULL);
1002        else
1003#endif
1004                err = ip_queue_xmit(tunnel->sock, skb, fl);
1005
1006        return err >= 0 ? NET_XMIT_SUCCESS : NET_XMIT_DROP;
1007}
1008
1009static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, unsigned int *len)
1010{
1011        struct l2tp_tunnel *tunnel = session->tunnel;
1012        unsigned int data_len = skb->len;
1013        struct sock *sk = tunnel->sock;
1014        int headroom, uhlen, udp_len;
1015        int ret = NET_XMIT_SUCCESS;
1016        struct inet_sock *inet;
1017        struct udphdr *uh;
1018
1019        /* Check that there's enough headroom in the skb to insert IP,
1020         * UDP and L2TP headers. If not enough, expand it to
1021         * make room. Adjust truesize.
1022         */
1023        uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(*uh) : 0;
1024        headroom = NET_SKB_PAD + sizeof(struct iphdr) + uhlen + session->hdr_len;
1025        if (skb_cow_head(skb, headroom)) {
1026                kfree_skb(skb);
1027                return NET_XMIT_DROP;
1028        }
1029
1030        /* Setup L2TP header */
1031        if (tunnel->version == L2TP_HDR_VER_2)
1032                l2tp_build_l2tpv2_header(session, __skb_push(skb, session->hdr_len));
1033        else
1034                l2tp_build_l2tpv3_header(session, __skb_push(skb, session->hdr_len));
1035
1036        /* Reset skb netfilter state */
1037        memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1038        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED);
1039        nf_reset_ct(skb);
1040
1041        bh_lock_sock(sk);
1042        if (sock_owned_by_user(sk)) {
1043                kfree_skb(skb);
1044                ret = NET_XMIT_DROP;
1045                goto out_unlock;
1046        }
1047
1048        /* The user-space may change the connection status for the user-space
1049         * provided socket at run time: we must check it under the socket lock
1050         */
1051        if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
1052                kfree_skb(skb);
1053                ret = NET_XMIT_DROP;
1054                goto out_unlock;
1055        }
1056
1057        /* Report transmitted length before we add encap header, which keeps
1058         * statistics consistent for both UDP and IP encap tx/rx paths.
1059         */
1060        *len = skb->len;
1061
1062        inet = inet_sk(sk);
1063        switch (tunnel->encap) {
1064        case L2TP_ENCAPTYPE_UDP:
1065                /* Setup UDP header */
1066                __skb_push(skb, sizeof(*uh));
1067                skb_reset_transport_header(skb);
1068                uh = udp_hdr(skb);
1069                uh->source = inet->inet_sport;
1070                uh->dest = inet->inet_dport;
1071                udp_len = uhlen + session->hdr_len + data_len;
1072                uh->len = htons(udp_len);
1073
1074                /* Calculate UDP checksum if configured to do so */
1075#if IS_ENABLED(CONFIG_IPV6)
1076                if (l2tp_sk_is_v6(sk))
1077                        udp6_set_csum(udp_get_no_check6_tx(sk),
1078                                      skb, &inet6_sk(sk)->saddr,
1079                                      &sk->sk_v6_daddr, udp_len);
1080                else
1081#endif
1082                        udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1083                                     inet->inet_daddr, udp_len);
1084                break;
1085
1086        case L2TP_ENCAPTYPE_IP:
1087                break;
1088        }
1089
1090        ret = l2tp_xmit_queue(tunnel, skb, &inet->cork.fl);
1091
1092out_unlock:
1093        bh_unlock_sock(sk);
1094
1095        return ret;
1096}
1097
1098/* If caller requires the skb to have a ppp header, the header must be
1099 * inserted in the skb data before calling this function.
1100 */
1101int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb)
1102{
1103        unsigned int len = 0;
1104        int ret;
1105
1106        ret = l2tp_xmit_core(session, skb, &len);
1107        if (ret == NET_XMIT_SUCCESS) {
1108                atomic_long_inc(&session->tunnel->stats.tx_packets);
1109                atomic_long_add(len, &session->tunnel->stats.tx_bytes);
1110                atomic_long_inc(&session->stats.tx_packets);
1111                atomic_long_add(len, &session->stats.tx_bytes);
1112        } else {
1113                atomic_long_inc(&session->tunnel->stats.tx_errors);
1114                atomic_long_inc(&session->stats.tx_errors);
1115        }
1116        return ret;
1117}
1118EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1119
1120/*****************************************************************************
1121 * Tinnel and session create/destroy.
1122 *****************************************************************************/
1123
1124/* Tunnel socket destruct hook.
1125 * The tunnel context is deleted only when all session sockets have been
1126 * closed.
1127 */
1128static void l2tp_tunnel_destruct(struct sock *sk)
1129{
1130        struct l2tp_tunnel *tunnel = l2tp_sk_to_tunnel(sk);
1131
1132        if (!tunnel)
1133                goto end;
1134
1135        /* Disable udp encapsulation */
1136        switch (tunnel->encap) {
1137        case L2TP_ENCAPTYPE_UDP:
1138                /* No longer an encapsulation socket. See net/ipv4/udp.c */
1139                (udp_sk(sk))->encap_type = 0;
1140                (udp_sk(sk))->encap_rcv = NULL;
1141                (udp_sk(sk))->encap_destroy = NULL;
1142                break;
1143        case L2TP_ENCAPTYPE_IP:
1144                break;
1145        }
1146
1147        /* Remove hooks into tunnel socket */
1148        sk->sk_destruct = tunnel->old_sk_destruct;
1149        sk->sk_user_data = NULL;
1150
1151        /* Call the original destructor */
1152        if (sk->sk_destruct)
1153                (*sk->sk_destruct)(sk);
1154
1155        kfree_rcu(tunnel, rcu);
1156end:
1157        return;
1158}
1159
1160/* Remove an l2tp session from l2tp_core's hash lists. */
1161static void l2tp_session_unhash(struct l2tp_session *session)
1162{
1163        struct l2tp_tunnel *tunnel = session->tunnel;
1164
1165        /* Remove the session from core hashes */
1166        if (tunnel) {
1167                /* Remove from the per-tunnel hash */
1168                write_lock_bh(&tunnel->hlist_lock);
1169                hlist_del_init(&session->hlist);
1170                write_unlock_bh(&tunnel->hlist_lock);
1171
1172                /* For L2TPv3 we have a per-net hash: remove from there, too */
1173                if (tunnel->version != L2TP_HDR_VER_2) {
1174                        struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1175
1176                        spin_lock_bh(&pn->l2tp_session_hlist_lock);
1177                        hlist_del_init_rcu(&session->global_hlist);
1178                        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1179                        synchronize_rcu();
1180                }
1181        }
1182}
1183
1184/* When the tunnel is closed, all the attached sessions need to go too.
1185 */
1186static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1187{
1188        int hash;
1189        struct hlist_node *walk;
1190        struct hlist_node *tmp;
1191        struct l2tp_session *session;
1192
1193        write_lock_bh(&tunnel->hlist_lock);
1194        tunnel->acpt_newsess = false;
1195        for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1196again:
1197                hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1198                        session = hlist_entry(walk, struct l2tp_session, hlist);
1199                        hlist_del_init(&session->hlist);
1200
1201                        write_unlock_bh(&tunnel->hlist_lock);
1202                        l2tp_session_delete(session);
1203                        write_lock_bh(&tunnel->hlist_lock);
1204
1205                        /* Now restart from the beginning of this hash
1206                         * chain.  We always remove a session from the
1207                         * list so we are guaranteed to make forward
1208                         * progress.
1209                         */
1210                        goto again;
1211                }
1212        }
1213        write_unlock_bh(&tunnel->hlist_lock);
1214}
1215
1216/* Tunnel socket destroy hook for UDP encapsulation */
1217static void l2tp_udp_encap_destroy(struct sock *sk)
1218{
1219        struct l2tp_tunnel *tunnel = l2tp_sk_to_tunnel(sk);
1220
1221        if (tunnel)
1222                l2tp_tunnel_delete(tunnel);
1223}
1224
1225/* Workqueue tunnel deletion function */
1226static void l2tp_tunnel_del_work(struct work_struct *work)
1227{
1228        struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
1229                                                  del_work);
1230        struct sock *sk = tunnel->sock;
1231        struct socket *sock = sk->sk_socket;
1232        struct l2tp_net *pn;
1233
1234        l2tp_tunnel_closeall(tunnel);
1235
1236        /* If the tunnel socket was created within the kernel, use
1237         * the sk API to release it here.
1238         */
1239        if (tunnel->fd < 0) {
1240                if (sock) {
1241                        kernel_sock_shutdown(sock, SHUT_RDWR);
1242                        sock_release(sock);
1243                }
1244        }
1245
1246        /* Remove the tunnel struct from the tunnel list */
1247        pn = l2tp_pernet(tunnel->l2tp_net);
1248        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1249        list_del_rcu(&tunnel->list);
1250        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1251
1252        /* drop initial ref */
1253        l2tp_tunnel_dec_refcount(tunnel);
1254
1255        /* drop workqueue ref */
1256        l2tp_tunnel_dec_refcount(tunnel);
1257}
1258
1259/* Create a socket for the tunnel, if one isn't set up by
1260 * userspace. This is used for static tunnels where there is no
1261 * managing L2TP daemon.
1262 *
1263 * Since we don't want these sockets to keep a namespace alive by
1264 * themselves, we drop the socket's namespace refcount after creation.
1265 * These sockets are freed when the namespace exits using the pernet
1266 * exit hook.
1267 */
1268static int l2tp_tunnel_sock_create(struct net *net,
1269                                   u32 tunnel_id,
1270                                   u32 peer_tunnel_id,
1271                                   struct l2tp_tunnel_cfg *cfg,
1272                                   struct socket **sockp)
1273{
1274        int err = -EINVAL;
1275        struct socket *sock = NULL;
1276        struct udp_port_cfg udp_conf;
1277
1278        switch (cfg->encap) {
1279        case L2TP_ENCAPTYPE_UDP:
1280                memset(&udp_conf, 0, sizeof(udp_conf));
1281
1282#if IS_ENABLED(CONFIG_IPV6)
1283                if (cfg->local_ip6 && cfg->peer_ip6) {
1284                        udp_conf.family = AF_INET6;
1285                        memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1286                               sizeof(udp_conf.local_ip6));
1287                        memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1288                               sizeof(udp_conf.peer_ip6));
1289                        udp_conf.use_udp6_tx_checksums =
1290                          !cfg->udp6_zero_tx_checksums;
1291                        udp_conf.use_udp6_rx_checksums =
1292                          !cfg->udp6_zero_rx_checksums;
1293                } else
1294#endif
1295                {
1296                        udp_conf.family = AF_INET;
1297                        udp_conf.local_ip = cfg->local_ip;
1298                        udp_conf.peer_ip = cfg->peer_ip;
1299                        udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1300                }
1301
1302                udp_conf.local_udp_port = htons(cfg->local_udp_port);
1303                udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1304
1305                err = udp_sock_create(net, &udp_conf, &sock);
1306                if (err < 0)
1307                        goto out;
1308
1309                break;
1310
1311        case L2TP_ENCAPTYPE_IP:
1312#if IS_ENABLED(CONFIG_IPV6)
1313                if (cfg->local_ip6 && cfg->peer_ip6) {
1314                        struct sockaddr_l2tpip6 ip6_addr = {0};
1315
1316                        err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1317                                               IPPROTO_L2TP, &sock);
1318                        if (err < 0)
1319                                goto out;
1320
1321                        ip6_addr.l2tp_family = AF_INET6;
1322                        memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1323                               sizeof(ip6_addr.l2tp_addr));
1324                        ip6_addr.l2tp_conn_id = tunnel_id;
1325                        err = kernel_bind(sock, (struct sockaddr *)&ip6_addr,
1326                                          sizeof(ip6_addr));
1327                        if (err < 0)
1328                                goto out;
1329
1330                        ip6_addr.l2tp_family = AF_INET6;
1331                        memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1332                               sizeof(ip6_addr.l2tp_addr));
1333                        ip6_addr.l2tp_conn_id = peer_tunnel_id;
1334                        err = kernel_connect(sock,
1335                                             (struct sockaddr *)&ip6_addr,
1336                                             sizeof(ip6_addr), 0);
1337                        if (err < 0)
1338                                goto out;
1339                } else
1340#endif
1341                {
1342                        struct sockaddr_l2tpip ip_addr = {0};
1343
1344                        err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1345                                               IPPROTO_L2TP, &sock);
1346                        if (err < 0)
1347                                goto out;
1348
1349                        ip_addr.l2tp_family = AF_INET;
1350                        ip_addr.l2tp_addr = cfg->local_ip;
1351                        ip_addr.l2tp_conn_id = tunnel_id;
1352                        err = kernel_bind(sock, (struct sockaddr *)&ip_addr,
1353                                          sizeof(ip_addr));
1354                        if (err < 0)
1355                                goto out;
1356
1357                        ip_addr.l2tp_family = AF_INET;
1358                        ip_addr.l2tp_addr = cfg->peer_ip;
1359                        ip_addr.l2tp_conn_id = peer_tunnel_id;
1360                        err = kernel_connect(sock, (struct sockaddr *)&ip_addr,
1361                                             sizeof(ip_addr), 0);
1362                        if (err < 0)
1363                                goto out;
1364                }
1365                break;
1366
1367        default:
1368                goto out;
1369        }
1370
1371out:
1372        *sockp = sock;
1373        if (err < 0 && sock) {
1374                kernel_sock_shutdown(sock, SHUT_RDWR);
1375                sock_release(sock);
1376                *sockp = NULL;
1377        }
1378
1379        return err;
1380}
1381
1382static struct lock_class_key l2tp_socket_class;
1383
1384int l2tp_tunnel_create(int fd, int version, u32 tunnel_id, u32 peer_tunnel_id,
1385                       struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1386{
1387        struct l2tp_tunnel *tunnel = NULL;
1388        int err;
1389        enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1390
1391        if (cfg)
1392                encap = cfg->encap;
1393
1394        tunnel = kzalloc(sizeof(*tunnel), GFP_KERNEL);
1395        if (!tunnel) {
1396                err = -ENOMEM;
1397                goto err;
1398        }
1399
1400        tunnel->version = version;
1401        tunnel->tunnel_id = tunnel_id;
1402        tunnel->peer_tunnel_id = peer_tunnel_id;
1403
1404        tunnel->magic = L2TP_TUNNEL_MAGIC;
1405        sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1406        rwlock_init(&tunnel->hlist_lock);
1407        tunnel->acpt_newsess = true;
1408
1409        tunnel->encap = encap;
1410
1411        refcount_set(&tunnel->ref_count, 1);
1412        tunnel->fd = fd;
1413
1414        /* Init delete workqueue struct */
1415        INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1416
1417        INIT_LIST_HEAD(&tunnel->list);
1418
1419        err = 0;
1420err:
1421        if (tunnelp)
1422                *tunnelp = tunnel;
1423
1424        return err;
1425}
1426EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1427
1428static int l2tp_validate_socket(const struct sock *sk, const struct net *net,
1429                                enum l2tp_encap_type encap)
1430{
1431        if (!net_eq(sock_net(sk), net))
1432                return -EINVAL;
1433
1434        if (sk->sk_type != SOCK_DGRAM)
1435                return -EPROTONOSUPPORT;
1436
1437        if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
1438                return -EPROTONOSUPPORT;
1439
1440        if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) ||
1441            (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP))
1442                return -EPROTONOSUPPORT;
1443
1444        if (sk->sk_user_data)
1445                return -EBUSY;
1446
1447        return 0;
1448}
1449
1450int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
1451                         struct l2tp_tunnel_cfg *cfg)
1452{
1453        struct l2tp_tunnel *tunnel_walk;
1454        struct l2tp_net *pn;
1455        struct socket *sock;
1456        struct sock *sk;
1457        int ret;
1458
1459        if (tunnel->fd < 0) {
1460                ret = l2tp_tunnel_sock_create(net, tunnel->tunnel_id,
1461                                              tunnel->peer_tunnel_id, cfg,
1462                                              &sock);
1463                if (ret < 0)
1464                        goto err;
1465        } else {
1466                sock = sockfd_lookup(tunnel->fd, &ret);
1467                if (!sock)
1468                        goto err;
1469
1470                ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
1471                if (ret < 0)
1472                        goto err_sock;
1473        }
1474
1475        tunnel->l2tp_net = net;
1476        pn = l2tp_pernet(net);
1477
1478        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1479        list_for_each_entry(tunnel_walk, &pn->l2tp_tunnel_list, list) {
1480                if (tunnel_walk->tunnel_id == tunnel->tunnel_id) {
1481                        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1482
1483                        ret = -EEXIST;
1484                        goto err_sock;
1485                }
1486        }
1487        list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1488        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1489
1490        sk = sock->sk;
1491        sock_hold(sk);
1492        tunnel->sock = sk;
1493
1494        if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1495                struct udp_tunnel_sock_cfg udp_cfg = {
1496                        .sk_user_data = tunnel,
1497                        .encap_type = UDP_ENCAP_L2TPINUDP,
1498                        .encap_rcv = l2tp_udp_encap_recv,
1499                        .encap_destroy = l2tp_udp_encap_destroy,
1500                };
1501
1502                setup_udp_tunnel_sock(net, sock, &udp_cfg);
1503        } else {
1504                sk->sk_user_data = tunnel;
1505        }
1506
1507        tunnel->old_sk_destruct = sk->sk_destruct;
1508        sk->sk_destruct = &l2tp_tunnel_destruct;
1509        lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class,
1510                                   "l2tp_sock");
1511        sk->sk_allocation = GFP_ATOMIC;
1512
1513        trace_register_tunnel(tunnel);
1514
1515        if (tunnel->fd >= 0)
1516                sockfd_put(sock);
1517
1518        return 0;
1519
1520err_sock:
1521        if (tunnel->fd < 0)
1522                sock_release(sock);
1523        else
1524                sockfd_put(sock);
1525err:
1526        return ret;
1527}
1528EXPORT_SYMBOL_GPL(l2tp_tunnel_register);
1529
1530/* This function is used by the netlink TUNNEL_DELETE command.
1531 */
1532void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1533{
1534        if (!test_and_set_bit(0, &tunnel->dead)) {
1535                trace_delete_tunnel(tunnel);
1536                l2tp_tunnel_inc_refcount(tunnel);
1537                queue_work(l2tp_wq, &tunnel->del_work);
1538        }
1539}
1540EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1541
1542void l2tp_session_delete(struct l2tp_session *session)
1543{
1544        if (test_and_set_bit(0, &session->dead))
1545                return;
1546
1547        trace_delete_session(session);
1548        l2tp_session_unhash(session);
1549        l2tp_session_queue_purge(session);
1550        if (session->session_close)
1551                (*session->session_close)(session);
1552
1553        l2tp_session_dec_refcount(session);
1554}
1555EXPORT_SYMBOL_GPL(l2tp_session_delete);
1556
1557/* We come here whenever a session's send_seq, cookie_len or
1558 * l2specific_type parameters are set.
1559 */
1560void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1561{
1562        if (version == L2TP_HDR_VER_2) {
1563                session->hdr_len = 6;
1564                if (session->send_seq)
1565                        session->hdr_len += 4;
1566        } else {
1567                session->hdr_len = 4 + session->cookie_len;
1568                session->hdr_len += l2tp_get_l2specific_len(session);
1569                if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1570                        session->hdr_len += 4;
1571        }
1572}
1573EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1574
1575struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id,
1576                                         u32 peer_session_id, struct l2tp_session_cfg *cfg)
1577{
1578        struct l2tp_session *session;
1579
1580        session = kzalloc(sizeof(*session) + priv_size, GFP_KERNEL);
1581        if (session) {
1582                session->magic = L2TP_SESSION_MAGIC;
1583                session->tunnel = tunnel;
1584
1585                session->session_id = session_id;
1586                session->peer_session_id = peer_session_id;
1587                session->nr = 0;
1588                if (tunnel->version == L2TP_HDR_VER_2)
1589                        session->nr_max = 0xffff;
1590                else
1591                        session->nr_max = 0xffffff;
1592                session->nr_window_size = session->nr_max / 2;
1593                session->nr_oos_count_max = 4;
1594
1595                /* Use NR of first received packet */
1596                session->reorder_skip = 1;
1597
1598                sprintf(&session->name[0], "sess %u/%u",
1599                        tunnel->tunnel_id, session->session_id);
1600
1601                skb_queue_head_init(&session->reorder_q);
1602
1603                INIT_HLIST_NODE(&session->hlist);
1604                INIT_HLIST_NODE(&session->global_hlist);
1605
1606                if (cfg) {
1607                        session->pwtype = cfg->pw_type;
1608                        session->send_seq = cfg->send_seq;
1609                        session->recv_seq = cfg->recv_seq;
1610                        session->lns_mode = cfg->lns_mode;
1611                        session->reorder_timeout = cfg->reorder_timeout;
1612                        session->l2specific_type = cfg->l2specific_type;
1613                        session->cookie_len = cfg->cookie_len;
1614                        memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1615                        session->peer_cookie_len = cfg->peer_cookie_len;
1616                        memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1617                }
1618
1619                l2tp_session_set_header_len(session, tunnel->version);
1620
1621                refcount_set(&session->ref_count, 1);
1622
1623                return session;
1624        }
1625
1626        return ERR_PTR(-ENOMEM);
1627}
1628EXPORT_SYMBOL_GPL(l2tp_session_create);
1629
1630/*****************************************************************************
1631 * Init and cleanup
1632 *****************************************************************************/
1633
1634static __net_init int l2tp_init_net(struct net *net)
1635{
1636        struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1637        int hash;
1638
1639        INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1640        spin_lock_init(&pn->l2tp_tunnel_list_lock);
1641
1642        for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1643                INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1644
1645        spin_lock_init(&pn->l2tp_session_hlist_lock);
1646
1647        return 0;
1648}
1649
1650static __net_exit void l2tp_exit_net(struct net *net)
1651{
1652        struct l2tp_net *pn = l2tp_pernet(net);
1653        struct l2tp_tunnel *tunnel = NULL;
1654        int hash;
1655
1656        rcu_read_lock_bh();
1657        list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1658                l2tp_tunnel_delete(tunnel);
1659        }
1660        rcu_read_unlock_bh();
1661
1662        if (l2tp_wq)
1663                flush_workqueue(l2tp_wq);
1664        rcu_barrier();
1665
1666        for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1667                WARN_ON_ONCE(!hlist_empty(&pn->l2tp_session_hlist[hash]));
1668}
1669
1670static struct pernet_operations l2tp_net_ops = {
1671        .init = l2tp_init_net,
1672        .exit = l2tp_exit_net,
1673        .id   = &l2tp_net_id,
1674        .size = sizeof(struct l2tp_net),
1675};
1676
1677static int __init l2tp_init(void)
1678{
1679        int rc = 0;
1680
1681        rc = register_pernet_device(&l2tp_net_ops);
1682        if (rc)
1683                goto out;
1684
1685        l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1686        if (!l2tp_wq) {
1687                pr_err("alloc_workqueue failed\n");
1688                unregister_pernet_device(&l2tp_net_ops);
1689                rc = -ENOMEM;
1690                goto out;
1691        }
1692
1693        pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1694
1695out:
1696        return rc;
1697}
1698
1699static void __exit l2tp_exit(void)
1700{
1701        unregister_pernet_device(&l2tp_net_ops);
1702        if (l2tp_wq) {
1703                destroy_workqueue(l2tp_wq);
1704                l2tp_wq = NULL;
1705        }
1706}
1707
1708module_init(l2tp_init);
1709module_exit(l2tp_exit);
1710
1711MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1712MODULE_DESCRIPTION("L2TP core");
1713MODULE_LICENSE("GPL");
1714MODULE_VERSION(L2TP_DRV_VERSION);
1715