linux/net/l2tp/l2tp_core.c
<<
>>
Prefs
   1/*
   2 * L2TP core.
   3 *
   4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
   5 *
   6 * This file contains some code of the original L2TPv2 pppol2tp
   7 * driver, which has the following copyright:
   8 *
   9 * Authors:     Martijn van Oosterhout <kleptog@svana.org>
  10 *              James Chapman (jchapman@katalix.com)
  11 * Contributors:
  12 *              Michal Ostrowski <mostrows@speakeasy.net>
  13 *              Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
  14 *              David S. Miller (davem@redhat.com)
  15 *
  16 * This program is free software; you can redistribute it and/or modify
  17 * it under the terms of the GNU General Public License version 2 as
  18 * published by the Free Software Foundation.
  19 */
  20
  21#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  22
  23#include <linux/module.h>
  24#include <linux/string.h>
  25#include <linux/list.h>
  26#include <linux/rculist.h>
  27#include <linux/uaccess.h>
  28
  29#include <linux/kernel.h>
  30#include <linux/spinlock.h>
  31#include <linux/kthread.h>
  32#include <linux/sched.h>
  33#include <linux/slab.h>
  34#include <linux/errno.h>
  35#include <linux/jiffies.h>
  36
  37#include <linux/netdevice.h>
  38#include <linux/net.h>
  39#include <linux/inetdevice.h>
  40#include <linux/skbuff.h>
  41#include <linux/init.h>
  42#include <linux/in.h>
  43#include <linux/ip.h>
  44#include <linux/udp.h>
  45#include <linux/l2tp.h>
  46#include <linux/hash.h>
  47#include <linux/sort.h>
  48#include <linux/file.h>
  49#include <linux/nsproxy.h>
  50#include <net/net_namespace.h>
  51#include <net/netns/generic.h>
  52#include <net/dst.h>
  53#include <net/ip.h>
  54#include <net/udp.h>
  55#include <net/inet_common.h>
  56#include <net/xfrm.h>
  57#include <net/protocol.h>
  58#include <net/inet6_connection_sock.h>
  59#include <net/inet_ecn.h>
  60#include <net/ip6_route.h>
  61#include <net/ip6_checksum.h>
  62
  63#include <asm/byteorder.h>
  64#include <linux/atomic.h>
  65
  66#include "l2tp_core.h"
  67
  68#define L2TP_DRV_VERSION        "V2.0"
  69
  70/* L2TP header constants */
  71#define L2TP_HDRFLAG_T     0x8000
  72#define L2TP_HDRFLAG_L     0x4000
  73#define L2TP_HDRFLAG_S     0x0800
  74#define L2TP_HDRFLAG_O     0x0200
  75#define L2TP_HDRFLAG_P     0x0100
  76
  77#define L2TP_HDR_VER_MASK  0x000F
  78#define L2TP_HDR_VER_2     0x0002
  79#define L2TP_HDR_VER_3     0x0003
  80
  81/* L2TPv3 default L2-specific sublayer */
  82#define L2TP_SLFLAG_S      0x40000000
  83#define L2TP_SL_SEQ_MASK   0x00ffffff
  84
  85#define L2TP_HDR_SIZE_SEQ               10
  86#define L2TP_HDR_SIZE_NOSEQ             6
  87
  88/* Default trace flags */
  89#define L2TP_DEFAULT_DEBUG_FLAGS        0
  90
  91/* Private data stored for received packets in the skb.
  92 */
  93struct l2tp_skb_cb {
  94        u32                     ns;
  95        u16                     has_seq;
  96        u16                     length;
  97        unsigned long           expires;
  98};
  99
 100#define L2TP_SKB_CB(skb)        ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
 101
 102static atomic_t l2tp_tunnel_count;
 103static atomic_t l2tp_session_count;
 104
 105/* per-net private data for this module */
 106static unsigned int l2tp_net_id;
 107struct l2tp_net {
 108        struct list_head l2tp_tunnel_list;
 109        spinlock_t l2tp_tunnel_list_lock;
 110        struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
 111        spinlock_t l2tp_session_hlist_lock;
 112};
 113
 114static void l2tp_session_set_header_len(struct l2tp_session *session, int version);
 115static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
 116static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel);
 117
 118static inline struct l2tp_net *l2tp_pernet(struct net *net)
 119{
 120        BUG_ON(!net);
 121
 122        return net_generic(net, l2tp_net_id);
 123}
 124
 125
 126/* Tunnel reference counts. Incremented per session that is added to
 127 * the tunnel.
 128 */
 129static inline void l2tp_tunnel_inc_refcount_1(struct l2tp_tunnel *tunnel)
 130{
 131        atomic_inc(&tunnel->ref_count);
 132}
 133
 134static inline void l2tp_tunnel_dec_refcount_1(struct l2tp_tunnel *tunnel)
 135{
 136        if (atomic_dec_and_test(&tunnel->ref_count))
 137                l2tp_tunnel_free(tunnel);
 138}
 139#ifdef L2TP_REFCNT_DEBUG
 140#define l2tp_tunnel_inc_refcount(_t)                                    \
 141do {                                                                    \
 142        pr_debug("l2tp_tunnel_inc_refcount: %s:%d %s: cnt=%d\n",        \
 143                 __func__, __LINE__, (_t)->name,                        \
 144                 atomic_read(&_t->ref_count));                          \
 145        l2tp_tunnel_inc_refcount_1(_t);                                 \
 146} while (0)
 147#define l2tp_tunnel_dec_refcount(_t)
 148do {                                                                    \
 149        pr_debug("l2tp_tunnel_dec_refcount: %s:%d %s: cnt=%d\n",        \
 150                 __func__, __LINE__, (_t)->name,                        \
 151                 atomic_read(&_t->ref_count));                          \
 152        l2tp_tunnel_dec_refcount_1(_t);                                 \
 153} while (0)
 154#else
 155#define l2tp_tunnel_inc_refcount(t) l2tp_tunnel_inc_refcount_1(t)
 156#define l2tp_tunnel_dec_refcount(t) l2tp_tunnel_dec_refcount_1(t)
 157#endif
 158
 159/* Session hash global list for L2TPv3.
 160 * The session_id SHOULD be random according to RFC3931, but several
 161 * L2TP implementations use incrementing session_ids.  So we do a real
 162 * hash on the session_id, rather than a simple bitmask.
 163 */
 164static inline struct hlist_head *
 165l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
 166{
 167        return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
 168
 169}
 170
 171/* Lookup the tunnel socket, possibly involving the fs code if the socket is
 172 * owned by userspace.  A struct sock returned from this function must be
 173 * released using l2tp_tunnel_sock_put once you're done with it.
 174 */
 175struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
 176{
 177        int err = 0;
 178        struct socket *sock = NULL;
 179        struct sock *sk = NULL;
 180
 181        if (!tunnel)
 182                goto out;
 183
 184        if (tunnel->fd >= 0) {
 185                /* Socket is owned by userspace, who might be in the process
 186                 * of closing it.  Look the socket up using the fd to ensure
 187                 * consistency.
 188                 */
 189                sock = sockfd_lookup(tunnel->fd, &err);
 190                if (sock)
 191                        sk = sock->sk;
 192        } else {
 193                /* Socket is owned by kernelspace */
 194                sk = tunnel->sock;
 195        }
 196
 197out:
 198        return sk;
 199}
 200EXPORT_SYMBOL_GPL(l2tp_tunnel_sock_lookup);
 201
 202/* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
 203void l2tp_tunnel_sock_put(struct sock *sk)
 204{
 205        struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
 206        if (tunnel) {
 207                if (tunnel->fd >= 0) {
 208                        /* Socket is owned by userspace */
 209                        sockfd_put(sk->sk_socket);
 210                }
 211                sock_put(sk);
 212        }
 213}
 214EXPORT_SYMBOL_GPL(l2tp_tunnel_sock_put);
 215
 216/* Lookup a session by id in the global session list
 217 */
 218static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
 219{
 220        struct l2tp_net *pn = l2tp_pernet(net);
 221        struct hlist_head *session_list =
 222                l2tp_session_id_hash_2(pn, session_id);
 223        struct l2tp_session *session;
 224        struct hlist_node *walk;
 225
 226        rcu_read_lock_bh();
 227        hlist_for_each_entry_rcu(session, walk, session_list, global_hlist) {
 228                if (session->session_id == session_id) {
 229                        rcu_read_unlock_bh();
 230                        return session;
 231                }
 232        }
 233        rcu_read_unlock_bh();
 234
 235        return NULL;
 236}
 237
 238/* Session hash list.
 239 * The session_id SHOULD be random according to RFC2661, but several
 240 * L2TP implementations (Cisco and Microsoft) use incrementing
 241 * session_ids.  So we do a real hash on the session_id, rather than a
 242 * simple bitmask.
 243 */
 244static inline struct hlist_head *
 245l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
 246{
 247        return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
 248}
 249
 250/* Lookup a session by id
 251 */
 252struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunnel, u32 session_id)
 253{
 254        struct hlist_head *session_list;
 255        struct l2tp_session *session;
 256        struct hlist_node *walk;
 257
 258        /* In L2TPv3, session_ids are unique over all tunnels and we
 259         * sometimes need to look them up before we know the
 260         * tunnel.
 261         */
 262        if (tunnel == NULL)
 263                return l2tp_session_find_2(net, session_id);
 264
 265        session_list = l2tp_session_id_hash(tunnel, session_id);
 266        read_lock_bh(&tunnel->hlist_lock);
 267        hlist_for_each_entry(session, walk, session_list, hlist) {
 268                if (session->session_id == session_id) {
 269                        read_unlock_bh(&tunnel->hlist_lock);
 270                        return session;
 271                }
 272        }
 273        read_unlock_bh(&tunnel->hlist_lock);
 274
 275        return NULL;
 276}
 277EXPORT_SYMBOL_GPL(l2tp_session_find);
 278
 279struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
 280{
 281        int hash;
 282        struct hlist_node *walk;
 283        struct l2tp_session *session;
 284        int count = 0;
 285
 286        read_lock_bh(&tunnel->hlist_lock);
 287        for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
 288                hlist_for_each_entry(session, walk, &tunnel->session_hlist[hash], hlist) {
 289                        if (++count > nth) {
 290                                read_unlock_bh(&tunnel->hlist_lock);
 291                                return session;
 292                        }
 293                }
 294        }
 295
 296        read_unlock_bh(&tunnel->hlist_lock);
 297
 298        return NULL;
 299}
 300EXPORT_SYMBOL_GPL(l2tp_session_find_nth);
 301
 302/* Lookup a session by interface name.
 303 * This is very inefficient but is only used by management interfaces.
 304 */
 305struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
 306{
 307        struct l2tp_net *pn = l2tp_pernet(net);
 308        int hash;
 309        struct hlist_node *walk;
 310        struct l2tp_session *session;
 311
 312        rcu_read_lock_bh();
 313        for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
 314                hlist_for_each_entry_rcu(session, walk, &pn->l2tp_session_hlist[hash], global_hlist) {
 315                        if (!strcmp(session->ifname, ifname)) {
 316                                rcu_read_unlock_bh();
 317                                return session;
 318                        }
 319                }
 320        }
 321
 322        rcu_read_unlock_bh();
 323
 324        return NULL;
 325}
 326EXPORT_SYMBOL_GPL(l2tp_session_find_by_ifname);
 327
 328/* Lookup a tunnel by id
 329 */
 330struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id)
 331{
 332        struct l2tp_tunnel *tunnel;
 333        struct l2tp_net *pn = l2tp_pernet(net);
 334
 335        rcu_read_lock_bh();
 336        list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
 337                if (tunnel->tunnel_id == tunnel_id) {
 338                        rcu_read_unlock_bh();
 339                        return tunnel;
 340                }
 341        }
 342        rcu_read_unlock_bh();
 343
 344        return NULL;
 345}
 346EXPORT_SYMBOL_GPL(l2tp_tunnel_find);
 347
 348struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth)
 349{
 350        struct l2tp_net *pn = l2tp_pernet(net);
 351        struct l2tp_tunnel *tunnel;
 352        int count = 0;
 353
 354        rcu_read_lock_bh();
 355        list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
 356                if (++count > nth) {
 357                        rcu_read_unlock_bh();
 358                        return tunnel;
 359                }
 360        }
 361
 362        rcu_read_unlock_bh();
 363
 364        return NULL;
 365}
 366EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
 367
 368/*****************************************************************************
 369 * Receive data handling
 370 *****************************************************************************/
 371
 372/* Queue a skb in order. We come here only if the skb has an L2TP sequence
 373 * number.
 374 */
 375static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
 376{
 377        struct sk_buff *skbp;
 378        struct sk_buff *tmp;
 379        u32 ns = L2TP_SKB_CB(skb)->ns;
 380        struct l2tp_stats *sstats;
 381
 382        spin_lock_bh(&session->reorder_q.lock);
 383        sstats = &session->stats;
 384        skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
 385                if (L2TP_SKB_CB(skbp)->ns > ns) {
 386                        __skb_queue_before(&session->reorder_q, skbp, skb);
 387                        l2tp_dbg(session, L2TP_MSG_SEQ,
 388                                 "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
 389                                 session->name, ns, L2TP_SKB_CB(skbp)->ns,
 390                                 skb_queue_len(&session->reorder_q));
 391                        u64_stats_update_begin(&sstats->syncp);
 392                        sstats->rx_oos_packets++;
 393                        u64_stats_update_end(&sstats->syncp);
 394                        goto out;
 395                }
 396        }
 397
 398        __skb_queue_tail(&session->reorder_q, skb);
 399
 400out:
 401        spin_unlock_bh(&session->reorder_q.lock);
 402}
 403
 404/* Dequeue a single skb.
 405 */
 406static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
 407{
 408        struct l2tp_tunnel *tunnel = session->tunnel;
 409        int length = L2TP_SKB_CB(skb)->length;
 410        struct l2tp_stats *tstats, *sstats;
 411
 412        /* We're about to requeue the skb, so return resources
 413         * to its current owner (a socket receive buffer).
 414         */
 415        skb_orphan(skb);
 416
 417        tstats = &tunnel->stats;
 418        u64_stats_update_begin(&tstats->syncp);
 419        sstats = &session->stats;
 420        u64_stats_update_begin(&sstats->syncp);
 421        tstats->rx_packets++;
 422        tstats->rx_bytes += length;
 423        sstats->rx_packets++;
 424        sstats->rx_bytes += length;
 425        u64_stats_update_end(&tstats->syncp);
 426        u64_stats_update_end(&sstats->syncp);
 427
 428        if (L2TP_SKB_CB(skb)->has_seq) {
 429                /* Bump our Nr */
 430                session->nr++;
 431                if (tunnel->version == L2TP_HDR_VER_2)
 432                        session->nr &= 0xffff;
 433                else
 434                        session->nr &= 0xffffff;
 435
 436                l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
 437                         session->name, session->nr);
 438        }
 439
 440        /* call private receive handler */
 441        if (session->recv_skb != NULL)
 442                (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
 443        else
 444                kfree_skb(skb);
 445
 446        if (session->deref)
 447                (*session->deref)(session);
 448}
 449
 450/* Dequeue skbs from the session's reorder_q, subject to packet order.
 451 * Skbs that have been in the queue for too long are simply discarded.
 452 */
 453static void l2tp_recv_dequeue(struct l2tp_session *session)
 454{
 455        struct sk_buff *skb;
 456        struct sk_buff *tmp;
 457        struct l2tp_stats *sstats;
 458
 459        /* If the pkt at the head of the queue has the nr that we
 460         * expect to send up next, dequeue it and any other
 461         * in-sequence packets behind it.
 462         */
 463start:
 464        spin_lock_bh(&session->reorder_q.lock);
 465        sstats = &session->stats;
 466        skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
 467                if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
 468                        u64_stats_update_begin(&sstats->syncp);
 469                        sstats->rx_seq_discards++;
 470                        sstats->rx_errors++;
 471                        u64_stats_update_end(&sstats->syncp);
 472                        l2tp_dbg(session, L2TP_MSG_SEQ,
 473                                 "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
 474                                 session->name, L2TP_SKB_CB(skb)->ns,
 475                                 L2TP_SKB_CB(skb)->length, session->nr,
 476                                 skb_queue_len(&session->reorder_q));
 477                        session->reorder_skip = 1;
 478                        __skb_unlink(skb, &session->reorder_q);
 479                        kfree_skb(skb);
 480                        if (session->deref)
 481                                (*session->deref)(session);
 482                        continue;
 483                }
 484
 485                if (L2TP_SKB_CB(skb)->has_seq) {
 486                        if (session->reorder_skip) {
 487                                l2tp_dbg(session, L2TP_MSG_SEQ,
 488                                         "%s: advancing nr to next pkt: %u -> %u",
 489                                         session->name, session->nr,
 490                                         L2TP_SKB_CB(skb)->ns);
 491                                session->reorder_skip = 0;
 492                                session->nr = L2TP_SKB_CB(skb)->ns;
 493                        }
 494                        if (L2TP_SKB_CB(skb)->ns != session->nr) {
 495                                l2tp_dbg(session, L2TP_MSG_SEQ,
 496                                         "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
 497                                         session->name, L2TP_SKB_CB(skb)->ns,
 498                                         L2TP_SKB_CB(skb)->length, session->nr,
 499                                         skb_queue_len(&session->reorder_q));
 500                                goto out;
 501                        }
 502                }
 503                __skb_unlink(skb, &session->reorder_q);
 504
 505                /* Process the skb. We release the queue lock while we
 506                 * do so to let other contexts process the queue.
 507                 */
 508                spin_unlock_bh(&session->reorder_q.lock);
 509                l2tp_recv_dequeue_skb(session, skb);
 510                goto start;
 511        }
 512
 513out:
 514        spin_unlock_bh(&session->reorder_q.lock);
 515}
 516
 517static inline int l2tp_verify_udp_checksum(struct sock *sk,
 518                                           struct sk_buff *skb)
 519{
 520        struct udphdr *uh = udp_hdr(skb);
 521        u16 ulen = ntohs(uh->len);
 522        __wsum psum;
 523
 524        if (sk->sk_no_check || skb_csum_unnecessary(skb))
 525                return 0;
 526
 527#if IS_ENABLED(CONFIG_IPV6)
 528        if (sk->sk_family == PF_INET6) {
 529                if (!uh->check) {
 530                        LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
 531                        return 1;
 532                }
 533                if ((skb->ip_summed == CHECKSUM_COMPLETE) &&
 534                    !csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
 535                                     &ipv6_hdr(skb)->daddr, ulen,
 536                                     IPPROTO_UDP, skb->csum)) {
 537                        skb->ip_summed = CHECKSUM_UNNECESSARY;
 538                        return 0;
 539                }
 540                skb->csum = ~csum_unfold(csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
 541                                                         &ipv6_hdr(skb)->daddr,
 542                                                         skb->len, IPPROTO_UDP,
 543                                                         0));
 544        } else
 545#endif
 546        {
 547                struct inet_sock *inet;
 548                if (!uh->check)
 549                        return 0;
 550                inet = inet_sk(sk);
 551                psum = csum_tcpudp_nofold(inet->inet_saddr, inet->inet_daddr,
 552                                          ulen, IPPROTO_UDP, 0);
 553
 554                if ((skb->ip_summed == CHECKSUM_COMPLETE) &&
 555                    !csum_fold(csum_add(psum, skb->csum)))
 556                        return 0;
 557                skb->csum = psum;
 558        }
 559
 560        return __skb_checksum_complete(skb);
 561}
 562
 563/* Do receive processing of L2TP data frames. We handle both L2TPv2
 564 * and L2TPv3 data frames here.
 565 *
 566 * L2TPv2 Data Message Header
 567 *
 568 *  0                   1                   2                   3
 569 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 570 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 571 * |T|L|x|x|S|x|O|P|x|x|x|x|  Ver  |          Length (opt)         |
 572 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 573 * |           Tunnel ID           |           Session ID          |
 574 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 575 * |             Ns (opt)          |             Nr (opt)          |
 576 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 577 * |      Offset Size (opt)        |    Offset pad... (opt)
 578 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 579 *
 580 * Data frames are marked by T=0. All other fields are the same as
 581 * those in L2TP control frames.
 582 *
 583 * L2TPv3 Data Message Header
 584 *
 585 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 586 * |                      L2TP Session Header                      |
 587 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 588 * |                      L2-Specific Sublayer                     |
 589 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 590 * |                        Tunnel Payload                      ...
 591 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 592 *
 593 * L2TPv3 Session Header Over IP
 594 *
 595 *  0                   1                   2                   3
 596 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 597 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 598 * |                           Session ID                          |
 599 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 600 * |               Cookie (optional, maximum 64 bits)...
 601 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 602 *                                                                 |
 603 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 604 *
 605 * L2TPv3 L2-Specific Sublayer Format
 606 *
 607 *  0                   1                   2                   3
 608 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 609 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 610 * |x|S|x|x|x|x|x|x|              Sequence Number                  |
 611 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 612 *
 613 * Cookie value, sublayer format and offset (pad) are negotiated with
 614 * the peer when the session is set up. Unlike L2TPv2, we do not need
 615 * to parse the packet header to determine if optional fields are
 616 * present.
 617 *
 618 * Caller must already have parsed the frame and determined that it is
 619 * a data (not control) frame before coming here. Fields up to the
 620 * session-id have already been parsed and ptr points to the data
 621 * after the session-id.
 622 */
 623void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
 624                      unsigned char *ptr, unsigned char *optr, u16 hdrflags,
 625                      int length, int (*payload_hook)(struct sk_buff *skb))
 626{
 627        struct l2tp_tunnel *tunnel = session->tunnel;
 628        int offset;
 629        u32 ns, nr;
 630        struct l2tp_stats *sstats = &session->stats;
 631
 632        /* The ref count is increased since we now hold a pointer to
 633         * the session. Take care to decrement the refcnt when exiting
 634         * this function from now on...
 635         */
 636        l2tp_session_inc_refcount(session);
 637        if (session->ref)
 638                (*session->ref)(session);
 639
 640        /* Parse and check optional cookie */
 641        if (session->peer_cookie_len > 0) {
 642                if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
 643                        l2tp_info(tunnel, L2TP_MSG_DATA,
 644                                  "%s: cookie mismatch (%u/%u). Discarding.\n",
 645                                  tunnel->name, tunnel->tunnel_id,
 646                                  session->session_id);
 647                        u64_stats_update_begin(&sstats->syncp);
 648                        sstats->rx_cookie_discards++;
 649                        u64_stats_update_end(&sstats->syncp);
 650                        goto discard;
 651                }
 652                ptr += session->peer_cookie_len;
 653        }
 654
 655        /* Handle the optional sequence numbers. Sequence numbers are
 656         * in different places for L2TPv2 and L2TPv3.
 657         *
 658         * If we are the LAC, enable/disable sequence numbers under
 659         * the control of the LNS.  If no sequence numbers present but
 660         * we were expecting them, discard frame.
 661         */
 662        ns = nr = 0;
 663        L2TP_SKB_CB(skb)->has_seq = 0;
 664        if (tunnel->version == L2TP_HDR_VER_2) {
 665                if (hdrflags & L2TP_HDRFLAG_S) {
 666                        ns = ntohs(*(__be16 *) ptr);
 667                        ptr += 2;
 668                        nr = ntohs(*(__be16 *) ptr);
 669                        ptr += 2;
 670
 671                        /* Store L2TP info in the skb */
 672                        L2TP_SKB_CB(skb)->ns = ns;
 673                        L2TP_SKB_CB(skb)->has_seq = 1;
 674
 675                        l2tp_dbg(session, L2TP_MSG_SEQ,
 676                                 "%s: recv data ns=%u, nr=%u, session nr=%u\n",
 677                                 session->name, ns, nr, session->nr);
 678                }
 679        } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
 680                u32 l2h = ntohl(*(__be32 *) ptr);
 681
 682                if (l2h & 0x40000000) {
 683                        ns = l2h & 0x00ffffff;
 684
 685                        /* Store L2TP info in the skb */
 686                        L2TP_SKB_CB(skb)->ns = ns;
 687                        L2TP_SKB_CB(skb)->has_seq = 1;
 688
 689                        l2tp_dbg(session, L2TP_MSG_SEQ,
 690                                 "%s: recv data ns=%u, session nr=%u\n",
 691                                 session->name, ns, session->nr);
 692                }
 693        }
 694
 695        /* Advance past L2-specific header, if present */
 696        ptr += session->l2specific_len;
 697
 698        if (L2TP_SKB_CB(skb)->has_seq) {
 699                /* Received a packet with sequence numbers. If we're the LNS,
 700                 * check if we sre sending sequence numbers and if not,
 701                 * configure it so.
 702                 */
 703                if ((!session->lns_mode) && (!session->send_seq)) {
 704                        l2tp_info(session, L2TP_MSG_SEQ,
 705                                  "%s: requested to enable seq numbers by LNS\n",
 706                                  session->name);
 707                        session->send_seq = -1;
 708                        l2tp_session_set_header_len(session, tunnel->version);
 709                }
 710        } else {
 711                /* No sequence numbers.
 712                 * If user has configured mandatory sequence numbers, discard.
 713                 */
 714                if (session->recv_seq) {
 715                        l2tp_warn(session, L2TP_MSG_SEQ,
 716                                  "%s: recv data has no seq numbers when required. Discarding.\n",
 717                                  session->name);
 718                        u64_stats_update_begin(&sstats->syncp);
 719                        sstats->rx_seq_discards++;
 720                        u64_stats_update_end(&sstats->syncp);
 721                        goto discard;
 722                }
 723
 724                /* If we're the LAC and we're sending sequence numbers, the
 725                 * LNS has requested that we no longer send sequence numbers.
 726                 * If we're the LNS and we're sending sequence numbers, the
 727                 * LAC is broken. Discard the frame.
 728                 */
 729                if ((!session->lns_mode) && (session->send_seq)) {
 730                        l2tp_info(session, L2TP_MSG_SEQ,
 731                                  "%s: requested to disable seq numbers by LNS\n",
 732                                  session->name);
 733                        session->send_seq = 0;
 734                        l2tp_session_set_header_len(session, tunnel->version);
 735                } else if (session->send_seq) {
 736                        l2tp_warn(session, L2TP_MSG_SEQ,
 737                                  "%s: recv data has no seq numbers when required. Discarding.\n",
 738                                  session->name);
 739                        u64_stats_update_begin(&sstats->syncp);
 740                        sstats->rx_seq_discards++;
 741                        u64_stats_update_end(&sstats->syncp);
 742                        goto discard;
 743                }
 744        }
 745
 746        /* Session data offset is handled differently for L2TPv2 and
 747         * L2TPv3. For L2TPv2, there is an optional 16-bit value in
 748         * the header. For L2TPv3, the offset is negotiated using AVPs
 749         * in the session setup control protocol.
 750         */
 751        if (tunnel->version == L2TP_HDR_VER_2) {
 752                /* If offset bit set, skip it. */
 753                if (hdrflags & L2TP_HDRFLAG_O) {
 754                        offset = ntohs(*(__be16 *)ptr);
 755                        ptr += 2 + offset;
 756                }
 757        } else
 758                ptr += session->offset;
 759
 760        offset = ptr - optr;
 761        if (!pskb_may_pull(skb, offset))
 762                goto discard;
 763
 764        __skb_pull(skb, offset);
 765
 766        /* If caller wants to process the payload before we queue the
 767         * packet, do so now.
 768         */
 769        if (payload_hook)
 770                if ((*payload_hook)(skb))
 771                        goto discard;
 772
 773        /* Prepare skb for adding to the session's reorder_q.  Hold
 774         * packets for max reorder_timeout or 1 second if not
 775         * reordering.
 776         */
 777        L2TP_SKB_CB(skb)->length = length;
 778        L2TP_SKB_CB(skb)->expires = jiffies +
 779                (session->reorder_timeout ? session->reorder_timeout : HZ);
 780
 781        /* Add packet to the session's receive queue. Reordering is done here, if
 782         * enabled. Saved L2TP protocol info is stored in skb->sb[].
 783         */
 784        if (L2TP_SKB_CB(skb)->has_seq) {
 785                if (session->reorder_timeout != 0) {
 786                        /* Packet reordering enabled. Add skb to session's
 787                         * reorder queue, in order of ns.
 788                         */
 789                        l2tp_recv_queue_skb(session, skb);
 790                } else {
 791                        /* Packet reordering disabled. Discard out-of-sequence
 792                         * packets
 793                         */
 794                        if (L2TP_SKB_CB(skb)->ns != session->nr) {
 795                                u64_stats_update_begin(&sstats->syncp);
 796                                sstats->rx_seq_discards++;
 797                                u64_stats_update_end(&sstats->syncp);
 798                                l2tp_dbg(session, L2TP_MSG_SEQ,
 799                                         "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
 800                                         session->name, L2TP_SKB_CB(skb)->ns,
 801                                         L2TP_SKB_CB(skb)->length, session->nr,
 802                                         skb_queue_len(&session->reorder_q));
 803                                goto discard;
 804                        }
 805                        skb_queue_tail(&session->reorder_q, skb);
 806                }
 807        } else {
 808                /* No sequence numbers. Add the skb to the tail of the
 809                 * reorder queue. This ensures that it will be
 810                 * delivered after all previous sequenced skbs.
 811                 */
 812                skb_queue_tail(&session->reorder_q, skb);
 813        }
 814
 815        /* Try to dequeue as many skbs from reorder_q as we can. */
 816        l2tp_recv_dequeue(session);
 817
 818        l2tp_session_dec_refcount(session);
 819
 820        return;
 821
 822discard:
 823        u64_stats_update_begin(&sstats->syncp);
 824        sstats->rx_errors++;
 825        u64_stats_update_end(&sstats->syncp);
 826        kfree_skb(skb);
 827
 828        if (session->deref)
 829                (*session->deref)(session);
 830
 831        l2tp_session_dec_refcount(session);
 832}
 833EXPORT_SYMBOL(l2tp_recv_common);
 834
 835/* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
 836 * here. The skb is not on a list when we get here.
 837 * Returns 0 if the packet was a data packet and was successfully passed on.
 838 * Returns 1 if the packet was not a good data packet and could not be
 839 * forwarded.  All such packets are passed up to userspace to deal with.
 840 */
 841static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
 842                              int (*payload_hook)(struct sk_buff *skb))
 843{
 844        struct l2tp_session *session = NULL;
 845        unsigned char *ptr, *optr;
 846        u16 hdrflags;
 847        u32 tunnel_id, session_id;
 848        u16 version;
 849        int length;
 850        struct l2tp_stats *tstats;
 851
 852        if (tunnel->sock && l2tp_verify_udp_checksum(tunnel->sock, skb))
 853                goto discard_bad_csum;
 854
 855        /* UDP always verifies the packet length. */
 856        __skb_pull(skb, sizeof(struct udphdr));
 857
 858        /* Short packet? */
 859        if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
 860                l2tp_info(tunnel, L2TP_MSG_DATA,
 861                          "%s: recv short packet (len=%d)\n",
 862                          tunnel->name, skb->len);
 863                goto error;
 864        }
 865
 866        /* Trace packet contents, if enabled */
 867        if (tunnel->debug & L2TP_MSG_DATA) {
 868                length = min(32u, skb->len);
 869                if (!pskb_may_pull(skb, length))
 870                        goto error;
 871
 872                pr_debug("%s: recv\n", tunnel->name);
 873                print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
 874        }
 875
 876        /* Point to L2TP header */
 877        optr = ptr = skb->data;
 878
 879        /* Get L2TP header flags */
 880        hdrflags = ntohs(*(__be16 *) ptr);
 881
 882        /* Check protocol version */
 883        version = hdrflags & L2TP_HDR_VER_MASK;
 884        if (version != tunnel->version) {
 885                l2tp_info(tunnel, L2TP_MSG_DATA,
 886                          "%s: recv protocol version mismatch: got %d expected %d\n",
 887                          tunnel->name, version, tunnel->version);
 888                goto error;
 889        }
 890
 891        /* Get length of L2TP packet */
 892        length = skb->len;
 893
 894        /* If type is control packet, it is handled by userspace. */
 895        if (hdrflags & L2TP_HDRFLAG_T) {
 896                l2tp_dbg(tunnel, L2TP_MSG_DATA,
 897                         "%s: recv control packet, len=%d\n",
 898                         tunnel->name, length);
 899                goto error;
 900        }
 901
 902        /* Skip flags */
 903        ptr += 2;
 904
 905        if (tunnel->version == L2TP_HDR_VER_2) {
 906                /* If length is present, skip it */
 907                if (hdrflags & L2TP_HDRFLAG_L)
 908                        ptr += 2;
 909
 910                /* Extract tunnel and session ID */
 911                tunnel_id = ntohs(*(__be16 *) ptr);
 912                ptr += 2;
 913                session_id = ntohs(*(__be16 *) ptr);
 914                ptr += 2;
 915        } else {
 916                ptr += 2;       /* skip reserved bits */
 917                tunnel_id = tunnel->tunnel_id;
 918                session_id = ntohl(*(__be32 *) ptr);
 919                ptr += 4;
 920        }
 921
 922        /* Find the session context */
 923        session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id);
 924        if (!session || !session->recv_skb) {
 925                /* Not found? Pass to userspace to deal with */
 926                l2tp_info(tunnel, L2TP_MSG_DATA,
 927                          "%s: no session found (%u/%u). Passing up.\n",
 928                          tunnel->name, tunnel_id, session_id);
 929                goto error;
 930        }
 931
 932        l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
 933
 934        return 0;
 935
 936discard_bad_csum:
 937        LIMIT_NETDEBUG("%s: UDP: bad checksum\n", tunnel->name);
 938        UDP_INC_STATS_USER(tunnel->l2tp_net, UDP_MIB_INERRORS, 0);
 939        tstats = &tunnel->stats;
 940        u64_stats_update_begin(&tstats->syncp);
 941        tstats->rx_errors++;
 942        u64_stats_update_end(&tstats->syncp);
 943        kfree_skb(skb);
 944
 945        return 0;
 946
 947error:
 948        /* Put UDP header back */
 949        __skb_push(skb, sizeof(struct udphdr));
 950
 951        return 1;
 952}
 953
 954/* UDP encapsulation receive handler. See net/ipv4/udp.c.
 955 * Return codes:
 956 * 0 : success.
 957 * <0: error
 958 * >0: skb should be passed up to userspace as UDP.
 959 */
 960int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 961{
 962        struct l2tp_tunnel *tunnel;
 963
 964        tunnel = l2tp_sock_to_tunnel(sk);
 965        if (tunnel == NULL)
 966                goto pass_up;
 967
 968        l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
 969                 tunnel->name, skb->len);
 970
 971        if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
 972                goto pass_up_put;
 973
 974        sock_put(sk);
 975        return 0;
 976
 977pass_up_put:
 978        sock_put(sk);
 979pass_up:
 980        return 1;
 981}
 982EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
 983
 984/************************************************************************
 985 * Transmit handling
 986 ***********************************************************************/
 987
 988/* Build an L2TP header for the session into the buffer provided.
 989 */
 990static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
 991{
 992        struct l2tp_tunnel *tunnel = session->tunnel;
 993        __be16 *bufp = buf;
 994        __be16 *optr = buf;
 995        u16 flags = L2TP_HDR_VER_2;
 996        u32 tunnel_id = tunnel->peer_tunnel_id;
 997        u32 session_id = session->peer_session_id;
 998
 999        if (session->send_seq)
1000                flags |= L2TP_HDRFLAG_S;
1001
1002        /* Setup L2TP header. */
1003        *bufp++ = htons(flags);
1004        *bufp++ = htons(tunnel_id);
1005        *bufp++ = htons(session_id);
1006        if (session->send_seq) {
1007                *bufp++ = htons(session->ns);
1008                *bufp++ = 0;
1009                session->ns++;
1010                session->ns &= 0xffff;
1011                l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
1012                         session->name, session->ns);
1013        }
1014
1015        return bufp - optr;
1016}
1017
1018static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1019{
1020        struct l2tp_tunnel *tunnel = session->tunnel;
1021        char *bufp = buf;
1022        char *optr = bufp;
1023
1024        /* Setup L2TP header. The header differs slightly for UDP and
1025         * IP encapsulations. For UDP, there is 4 bytes of flags.
1026         */
1027        if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1028                u16 flags = L2TP_HDR_VER_3;
1029                *((__be16 *) bufp) = htons(flags);
1030                bufp += 2;
1031                *((__be16 *) bufp) = 0;
1032                bufp += 2;
1033        }
1034
1035        *((__be32 *) bufp) = htonl(session->peer_session_id);
1036        bufp += 4;
1037        if (session->cookie_len) {
1038                memcpy(bufp, &session->cookie[0], session->cookie_len);
1039                bufp += session->cookie_len;
1040        }
1041        if (session->l2specific_len) {
1042                if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1043                        u32 l2h = 0;
1044                        if (session->send_seq) {
1045                                l2h = 0x40000000 | session->ns;
1046                                session->ns++;
1047                                session->ns &= 0xffffff;
1048                                l2tp_dbg(session, L2TP_MSG_SEQ,
1049                                         "%s: updated ns to %u\n",
1050                                         session->name, session->ns);
1051                        }
1052
1053                        *((__be32 *) bufp) = htonl(l2h);
1054                }
1055                bufp += session->l2specific_len;
1056        }
1057        if (session->offset)
1058                bufp += session->offset;
1059
1060        return bufp - optr;
1061}
1062
1063static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1064                          struct flowi *fl, size_t data_len)
1065{
1066        struct l2tp_tunnel *tunnel = session->tunnel;
1067        unsigned int len = skb->len;
1068        int error;
1069        struct l2tp_stats *tstats, *sstats;
1070
1071        /* Debug */
1072        if (session->send_seq)
1073                l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes, ns=%u\n",
1074                         session->name, data_len, session->ns - 1);
1075        else
1076                l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes\n",
1077                         session->name, data_len);
1078
1079        if (session->debug & L2TP_MSG_DATA) {
1080                int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1081                unsigned char *datap = skb->data + uhlen;
1082
1083                pr_debug("%s: xmit\n", session->name);
1084                print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1085                                     datap, min_t(size_t, 32, len - uhlen));
1086        }
1087
1088        /* Queue the packet to IP for output */
1089        skb->local_df = 1;
1090#if IS_ENABLED(CONFIG_IPV6)
1091        if (skb->sk->sk_family == PF_INET6)
1092                error = inet6_csk_xmit(skb, NULL);
1093        else
1094#endif
1095                error = ip_queue_xmit(skb, fl);
1096
1097        /* Update stats */
1098        tstats = &tunnel->stats;
1099        u64_stats_update_begin(&tstats->syncp);
1100        sstats = &session->stats;
1101        u64_stats_update_begin(&sstats->syncp);
1102        if (error >= 0) {
1103                tstats->tx_packets++;
1104                tstats->tx_bytes += len;
1105                sstats->tx_packets++;
1106                sstats->tx_bytes += len;
1107        } else {
1108                tstats->tx_errors++;
1109                sstats->tx_errors++;
1110        }
1111        u64_stats_update_end(&tstats->syncp);
1112        u64_stats_update_end(&sstats->syncp);
1113
1114        return 0;
1115}
1116
1117/* Automatically called when the skb is freed.
1118 */
1119static void l2tp_sock_wfree(struct sk_buff *skb)
1120{
1121        sock_put(skb->sk);
1122}
1123
1124/* For data skbs that we transmit, we associate with the tunnel socket
1125 * but don't do accounting.
1126 */
1127static inline void l2tp_skb_set_owner_w(struct sk_buff *skb, struct sock *sk)
1128{
1129        sock_hold(sk);
1130        skb->sk = sk;
1131        skb->destructor = l2tp_sock_wfree;
1132}
1133
1134#if IS_ENABLED(CONFIG_IPV6)
1135static void l2tp_xmit_ipv6_csum(struct sock *sk, struct sk_buff *skb,
1136                                int udp_len)
1137{
1138        struct ipv6_pinfo *np = inet6_sk(sk);
1139        struct udphdr *uh = udp_hdr(skb);
1140
1141        if (!skb_dst(skb) || !skb_dst(skb)->dev ||
1142            !(skb_dst(skb)->dev->features & NETIF_F_IPV6_CSUM)) {
1143                __wsum csum = skb_checksum(skb, 0, udp_len, 0);
1144                skb->ip_summed = CHECKSUM_UNNECESSARY;
1145                uh->check = csum_ipv6_magic(&np->saddr, &np->daddr, udp_len,
1146                                            IPPROTO_UDP, csum);
1147                if (uh->check == 0)
1148                        uh->check = CSUM_MANGLED_0;
1149        } else {
1150                skb->ip_summed = CHECKSUM_PARTIAL;
1151                skb->csum_start = skb_transport_header(skb) - skb->head;
1152                skb->csum_offset = offsetof(struct udphdr, check);
1153                uh->check = ~csum_ipv6_magic(&np->saddr, &np->daddr,
1154                                             udp_len, IPPROTO_UDP, 0);
1155        }
1156}
1157#endif
1158
1159/* If caller requires the skb to have a ppp header, the header must be
1160 * inserted in the skb data before calling this function.
1161 */
1162int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1163{
1164        int data_len = skb->len;
1165        struct l2tp_tunnel *tunnel = session->tunnel;
1166        struct sock *sk = tunnel->sock;
1167        struct flowi *fl;
1168        struct udphdr *uh;
1169        struct inet_sock *inet;
1170        __wsum csum;
1171        int headroom;
1172        int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1173        int udp_len;
1174        int ret = NET_XMIT_SUCCESS;
1175
1176        /* Check that there's enough headroom in the skb to insert IP,
1177         * UDP and L2TP headers. If not enough, expand it to
1178         * make room. Adjust truesize.
1179         */
1180        headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1181                uhlen + hdr_len;
1182        if (skb_cow_head(skb, headroom)) {
1183                kfree_skb(skb);
1184                return NET_XMIT_DROP;
1185        }
1186
1187        skb_orphan(skb);
1188        /* Setup L2TP header */
1189        session->build_header(session, __skb_push(skb, hdr_len));
1190
1191        /* Reset skb netfilter state */
1192        memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1193        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1194                              IPSKB_REROUTED);
1195        nf_reset(skb);
1196
1197        bh_lock_sock(sk);
1198        if (sock_owned_by_user(sk)) {
1199                kfree_skb(skb);
1200                ret = NET_XMIT_DROP;
1201                goto out_unlock;
1202        }
1203
1204        /* Get routing info from the tunnel socket */
1205        skb_dst_drop(skb);
1206        skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
1207
1208        inet = inet_sk(sk);
1209        fl = &inet->cork.fl;
1210        switch (tunnel->encap) {
1211        case L2TP_ENCAPTYPE_UDP:
1212                /* Setup UDP header */
1213                __skb_push(skb, sizeof(*uh));
1214                skb_reset_transport_header(skb);
1215                uh = udp_hdr(skb);
1216                uh->source = inet->inet_sport;
1217                uh->dest = inet->inet_dport;
1218                udp_len = uhlen + hdr_len + data_len;
1219                uh->len = htons(udp_len);
1220                uh->check = 0;
1221
1222                /* Calculate UDP checksum if configured to do so */
1223#if IS_ENABLED(CONFIG_IPV6)
1224                if (sk->sk_family == PF_INET6)
1225                        l2tp_xmit_ipv6_csum(sk, skb, udp_len);
1226                else
1227#endif
1228                if (sk->sk_no_check == UDP_CSUM_NOXMIT)
1229                        skb->ip_summed = CHECKSUM_NONE;
1230                else if ((skb_dst(skb) && skb_dst(skb)->dev) &&
1231                         (!(skb_dst(skb)->dev->features & NETIF_F_V4_CSUM))) {
1232                        skb->ip_summed = CHECKSUM_COMPLETE;
1233                        csum = skb_checksum(skb, 0, udp_len, 0);
1234                        uh->check = csum_tcpudp_magic(inet->inet_saddr,
1235                                                      inet->inet_daddr,
1236                                                      udp_len, IPPROTO_UDP, csum);
1237                        if (uh->check == 0)
1238                                uh->check = CSUM_MANGLED_0;
1239                } else {
1240                        skb->ip_summed = CHECKSUM_PARTIAL;
1241                        skb->csum_start = skb_transport_header(skb) - skb->head;
1242                        skb->csum_offset = offsetof(struct udphdr, check);
1243                        uh->check = ~csum_tcpudp_magic(inet->inet_saddr,
1244                                                       inet->inet_daddr,
1245                                                       udp_len, IPPROTO_UDP, 0);
1246                }
1247                break;
1248
1249        case L2TP_ENCAPTYPE_IP:
1250                break;
1251        }
1252
1253        l2tp_skb_set_owner_w(skb, sk);
1254
1255        l2tp_xmit_core(session, skb, fl, data_len);
1256out_unlock:
1257        bh_unlock_sock(sk);
1258
1259        return ret;
1260}
1261EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1262
1263/*****************************************************************************
1264 * Tinnel and session create/destroy.
1265 *****************************************************************************/
1266
1267/* Tunnel socket destruct hook.
1268 * The tunnel context is deleted only when all session sockets have been
1269 * closed.
1270 */
1271static void l2tp_tunnel_destruct(struct sock *sk)
1272{
1273        struct l2tp_tunnel *tunnel;
1274
1275        tunnel = sk->sk_user_data;
1276        if (tunnel == NULL)
1277                goto end;
1278
1279        l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1280
1281        /* Close all sessions */
1282        l2tp_tunnel_closeall(tunnel);
1283
1284        switch (tunnel->encap) {
1285        case L2TP_ENCAPTYPE_UDP:
1286                /* No longer an encapsulation socket. See net/ipv4/udp.c */
1287                (udp_sk(sk))->encap_type = 0;
1288                (udp_sk(sk))->encap_rcv = NULL;
1289                break;
1290        case L2TP_ENCAPTYPE_IP:
1291                break;
1292        }
1293
1294        /* Remove hooks into tunnel socket */
1295        tunnel->sock = NULL;
1296        sk->sk_destruct = tunnel->old_sk_destruct;
1297        sk->sk_user_data = NULL;
1298
1299        /* Call the original destructor */
1300        if (sk->sk_destruct)
1301                (*sk->sk_destruct)(sk);
1302
1303        /* We're finished with the socket */
1304        l2tp_tunnel_dec_refcount(tunnel);
1305
1306end:
1307        return;
1308}
1309
1310/* When the tunnel is closed, all the attached sessions need to go too.
1311 */
1312static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1313{
1314        int hash;
1315        struct hlist_node *walk;
1316        struct hlist_node *tmp;
1317        struct l2tp_session *session;
1318
1319        BUG_ON(tunnel == NULL);
1320
1321        l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1322                  tunnel->name);
1323
1324        write_lock_bh(&tunnel->hlist_lock);
1325        for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1326again:
1327                hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1328                        session = hlist_entry(walk, struct l2tp_session, hlist);
1329
1330                        l2tp_info(session, L2TP_MSG_CONTROL,
1331                                  "%s: closing session\n", session->name);
1332
1333                        hlist_del_init(&session->hlist);
1334
1335                        /* Since we should hold the sock lock while
1336                         * doing any unbinding, we need to release the
1337                         * lock we're holding before taking that lock.
1338                         * Hold a reference to the sock so it doesn't
1339                         * disappear as we're jumping between locks.
1340                         */
1341                        if (session->ref != NULL)
1342                                (*session->ref)(session);
1343
1344                        write_unlock_bh(&tunnel->hlist_lock);
1345
1346                        if (tunnel->version != L2TP_HDR_VER_2) {
1347                                struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1348
1349                                spin_lock_bh(&pn->l2tp_session_hlist_lock);
1350                                hlist_del_init_rcu(&session->global_hlist);
1351                                spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1352                                synchronize_rcu();
1353                        }
1354
1355                        if (session->session_close != NULL)
1356                                (*session->session_close)(session);
1357
1358                        if (session->deref != NULL)
1359                                (*session->deref)(session);
1360
1361                        write_lock_bh(&tunnel->hlist_lock);
1362
1363                        /* Now restart from the beginning of this hash
1364                         * chain.  We always remove a session from the
1365                         * list so we are guaranteed to make forward
1366                         * progress.
1367                         */
1368                        goto again;
1369                }
1370        }
1371        write_unlock_bh(&tunnel->hlist_lock);
1372}
1373
1374/* Really kill the tunnel.
1375 * Come here only when all sessions have been cleared from the tunnel.
1376 */
1377static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
1378{
1379        struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1380
1381        BUG_ON(atomic_read(&tunnel->ref_count) != 0);
1382        BUG_ON(tunnel->sock != NULL);
1383
1384        l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: free...\n", tunnel->name);
1385
1386        /* Remove from tunnel list */
1387        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1388        list_del_rcu(&tunnel->list);
1389        kfree_rcu(tunnel, rcu);
1390        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1391
1392        atomic_dec(&l2tp_tunnel_count);
1393}
1394
1395/* Create a socket for the tunnel, if one isn't set up by
1396 * userspace. This is used for static tunnels where there is no
1397 * managing L2TP daemon.
1398 */
1399static int l2tp_tunnel_sock_create(u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct socket **sockp)
1400{
1401        int err = -EINVAL;
1402        struct sockaddr_in udp_addr;
1403#if IS_ENABLED(CONFIG_IPV6)
1404        struct sockaddr_in6 udp6_addr;
1405        struct sockaddr_l2tpip6 ip6_addr;
1406#endif
1407        struct sockaddr_l2tpip ip_addr;
1408        struct socket *sock = NULL;
1409
1410        switch (cfg->encap) {
1411        case L2TP_ENCAPTYPE_UDP:
1412#if IS_ENABLED(CONFIG_IPV6)
1413                if (cfg->local_ip6 && cfg->peer_ip6) {
1414                        err = sock_create(AF_INET6, SOCK_DGRAM, 0, sockp);
1415                        if (err < 0)
1416                                goto out;
1417
1418                        sock = *sockp;
1419
1420                        memset(&udp6_addr, 0, sizeof(udp6_addr));
1421                        udp6_addr.sin6_family = AF_INET6;
1422                        memcpy(&udp6_addr.sin6_addr, cfg->local_ip6,
1423                               sizeof(udp6_addr.sin6_addr));
1424                        udp6_addr.sin6_port = htons(cfg->local_udp_port);
1425                        err = kernel_bind(sock, (struct sockaddr *) &udp6_addr,
1426                                          sizeof(udp6_addr));
1427                        if (err < 0)
1428                                goto out;
1429
1430                        udp6_addr.sin6_family = AF_INET6;
1431                        memcpy(&udp6_addr.sin6_addr, cfg->peer_ip6,
1432                               sizeof(udp6_addr.sin6_addr));
1433                        udp6_addr.sin6_port = htons(cfg->peer_udp_port);
1434                        err = kernel_connect(sock,
1435                                             (struct sockaddr *) &udp6_addr,
1436                                             sizeof(udp6_addr), 0);
1437                        if (err < 0)
1438                                goto out;
1439                } else
1440#endif
1441                {
1442                        err = sock_create(AF_INET, SOCK_DGRAM, 0, sockp);
1443                        if (err < 0)
1444                                goto out;
1445
1446                        sock = *sockp;
1447
1448                        memset(&udp_addr, 0, sizeof(udp_addr));
1449                        udp_addr.sin_family = AF_INET;
1450                        udp_addr.sin_addr = cfg->local_ip;
1451                        udp_addr.sin_port = htons(cfg->local_udp_port);
1452                        err = kernel_bind(sock, (struct sockaddr *) &udp_addr,
1453                                          sizeof(udp_addr));
1454                        if (err < 0)
1455                                goto out;
1456
1457                        udp_addr.sin_family = AF_INET;
1458                        udp_addr.sin_addr = cfg->peer_ip;
1459                        udp_addr.sin_port = htons(cfg->peer_udp_port);
1460                        err = kernel_connect(sock,
1461                                             (struct sockaddr *) &udp_addr,
1462                                             sizeof(udp_addr), 0);
1463                        if (err < 0)
1464                                goto out;
1465                }
1466
1467                if (!cfg->use_udp_checksums)
1468                        sock->sk->sk_no_check = UDP_CSUM_NOXMIT;
1469
1470                break;
1471
1472        case L2TP_ENCAPTYPE_IP:
1473#if IS_ENABLED(CONFIG_IPV6)
1474                if (cfg->local_ip6 && cfg->peer_ip6) {
1475                        err = sock_create(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP,
1476                                          sockp);
1477                        if (err < 0)
1478                                goto out;
1479
1480                        sock = *sockp;
1481
1482                        memset(&ip6_addr, 0, sizeof(ip6_addr));
1483                        ip6_addr.l2tp_family = AF_INET6;
1484                        memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1485                               sizeof(ip6_addr.l2tp_addr));
1486                        ip6_addr.l2tp_conn_id = tunnel_id;
1487                        err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1488                                          sizeof(ip6_addr));
1489                        if (err < 0)
1490                                goto out;
1491
1492                        ip6_addr.l2tp_family = AF_INET6;
1493                        memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1494                               sizeof(ip6_addr.l2tp_addr));
1495                        ip6_addr.l2tp_conn_id = peer_tunnel_id;
1496                        err = kernel_connect(sock,
1497                                             (struct sockaddr *) &ip6_addr,
1498                                             sizeof(ip6_addr), 0);
1499                        if (err < 0)
1500                                goto out;
1501                } else
1502#endif
1503                {
1504                        err = sock_create(AF_INET, SOCK_DGRAM, IPPROTO_L2TP,
1505                                          sockp);
1506                        if (err < 0)
1507                                goto out;
1508
1509                        sock = *sockp;
1510
1511                        memset(&ip_addr, 0, sizeof(ip_addr));
1512                        ip_addr.l2tp_family = AF_INET;
1513                        ip_addr.l2tp_addr = cfg->local_ip;
1514                        ip_addr.l2tp_conn_id = tunnel_id;
1515                        err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1516                                          sizeof(ip_addr));
1517                        if (err < 0)
1518                                goto out;
1519
1520                        ip_addr.l2tp_family = AF_INET;
1521                        ip_addr.l2tp_addr = cfg->peer_ip;
1522                        ip_addr.l2tp_conn_id = peer_tunnel_id;
1523                        err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1524                                             sizeof(ip_addr), 0);
1525                        if (err < 0)
1526                                goto out;
1527                }
1528                break;
1529
1530        default:
1531                goto out;
1532        }
1533
1534out:
1535        if ((err < 0) && sock) {
1536                sock_release(sock);
1537                *sockp = NULL;
1538        }
1539
1540        return err;
1541}
1542
1543static struct lock_class_key l2tp_socket_class;
1544
1545int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1546{
1547        struct l2tp_tunnel *tunnel = NULL;
1548        int err;
1549        struct socket *sock = NULL;
1550        struct sock *sk = NULL;
1551        struct l2tp_net *pn;
1552        enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1553
1554        /* Get the tunnel socket from the fd, which was opened by
1555         * the userspace L2TP daemon. If not specified, create a
1556         * kernel socket.
1557         */
1558        if (fd < 0) {
1559                err = l2tp_tunnel_sock_create(tunnel_id, peer_tunnel_id, cfg, &sock);
1560                if (err < 0)
1561                        goto err;
1562        } else {
1563                err = -EBADF;
1564                sock = sockfd_lookup(fd, &err);
1565                if (!sock) {
1566                        pr_err("tunl %hu: sockfd_lookup(fd=%d) returned %d\n",
1567                               tunnel_id, fd, err);
1568                        goto err;
1569                }
1570        }
1571
1572        sk = sock->sk;
1573
1574        if (cfg != NULL)
1575                encap = cfg->encap;
1576
1577        /* Quick sanity checks */
1578        switch (encap) {
1579        case L2TP_ENCAPTYPE_UDP:
1580                err = -EPROTONOSUPPORT;
1581                if (sk->sk_protocol != IPPROTO_UDP) {
1582                        pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1583                               tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1584                        goto err;
1585                }
1586                break;
1587        case L2TP_ENCAPTYPE_IP:
1588                err = -EPROTONOSUPPORT;
1589                if (sk->sk_protocol != IPPROTO_L2TP) {
1590                        pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1591                               tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1592                        goto err;
1593                }
1594                break;
1595        }
1596
1597        /* Check if this socket has already been prepped */
1598        tunnel = (struct l2tp_tunnel *)sk->sk_user_data;
1599        if (tunnel != NULL) {
1600                /* This socket has already been prepped */
1601                err = -EBUSY;
1602                goto err;
1603        }
1604
1605        tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1606        if (tunnel == NULL) {
1607                err = -ENOMEM;
1608                goto err;
1609        }
1610
1611        tunnel->version = version;
1612        tunnel->tunnel_id = tunnel_id;
1613        tunnel->peer_tunnel_id = peer_tunnel_id;
1614        tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1615
1616        tunnel->magic = L2TP_TUNNEL_MAGIC;
1617        sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1618        rwlock_init(&tunnel->hlist_lock);
1619
1620        /* The net we belong to */
1621        tunnel->l2tp_net = net;
1622        pn = l2tp_pernet(net);
1623
1624        if (cfg != NULL)
1625                tunnel->debug = cfg->debug;
1626
1627        /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1628        tunnel->encap = encap;
1629        if (encap == L2TP_ENCAPTYPE_UDP) {
1630                /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1631                udp_sk(sk)->encap_type = UDP_ENCAP_L2TPINUDP;
1632                udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
1633#if IS_ENABLED(CONFIG_IPV6)
1634                if (sk->sk_family == PF_INET6)
1635                        udpv6_encap_enable();
1636                else
1637#endif
1638                udp_encap_enable();
1639        }
1640
1641        sk->sk_user_data = tunnel;
1642
1643        /* Hook on the tunnel socket destructor so that we can cleanup
1644         * if the tunnel socket goes away.
1645         */
1646        tunnel->old_sk_destruct = sk->sk_destruct;
1647        sk->sk_destruct = &l2tp_tunnel_destruct;
1648        tunnel->sock = sk;
1649        tunnel->fd = fd;
1650        lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1651
1652        sk->sk_allocation = GFP_ATOMIC;
1653
1654        /* Add tunnel to our list */
1655        INIT_LIST_HEAD(&tunnel->list);
1656        atomic_inc(&l2tp_tunnel_count);
1657
1658        /* Bump the reference count. The tunnel context is deleted
1659         * only when this drops to zero. Must be done before list insertion
1660         */
1661        l2tp_tunnel_inc_refcount(tunnel);
1662        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1663        list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1664        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1665
1666        err = 0;
1667err:
1668        if (tunnelp)
1669                *tunnelp = tunnel;
1670
1671        /* If tunnel's socket was created by the kernel, it doesn't
1672         *  have a file.
1673         */
1674        if (sock && sock->file)
1675                sockfd_put(sock);
1676
1677        return err;
1678}
1679EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1680
1681/* This function is used by the netlink TUNNEL_DELETE command.
1682 */
1683int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1684{
1685        int err = -EBADF;
1686        struct socket *sock = NULL;
1687        struct sock *sk = NULL;
1688
1689        sk = l2tp_tunnel_sock_lookup(tunnel);
1690        if (!sk)
1691                goto out;
1692
1693        sock = sk->sk_socket;
1694        BUG_ON(!sock);
1695
1696        /* Force the tunnel socket to close. This will eventually
1697         * cause the tunnel to be deleted via the normal socket close
1698         * mechanisms when userspace closes the tunnel socket.
1699         */
1700        err = inet_shutdown(sock, 2);
1701
1702        /* If the tunnel's socket was created by the kernel,
1703         * close the socket here since the socket was not
1704         * created by userspace.
1705         */
1706        if (sock->file == NULL)
1707                err = inet_release(sock);
1708
1709        l2tp_tunnel_sock_put(sk);
1710out:
1711        return err;
1712}
1713EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1714
1715/* Really kill the session.
1716 */
1717void l2tp_session_free(struct l2tp_session *session)
1718{
1719        struct l2tp_tunnel *tunnel;
1720
1721        BUG_ON(atomic_read(&session->ref_count) != 0);
1722
1723        tunnel = session->tunnel;
1724        if (tunnel != NULL) {
1725                BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1726
1727                /* Delete the session from the hash */
1728                write_lock_bh(&tunnel->hlist_lock);
1729                hlist_del_init(&session->hlist);
1730                write_unlock_bh(&tunnel->hlist_lock);
1731
1732                /* Unlink from the global hash if not L2TPv2 */
1733                if (tunnel->version != L2TP_HDR_VER_2) {
1734                        struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1735
1736                        spin_lock_bh(&pn->l2tp_session_hlist_lock);
1737                        hlist_del_init_rcu(&session->global_hlist);
1738                        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1739                        synchronize_rcu();
1740                }
1741
1742                if (session->session_id != 0)
1743                        atomic_dec(&l2tp_session_count);
1744
1745                sock_put(tunnel->sock);
1746
1747                /* This will delete the tunnel context if this
1748                 * is the last session on the tunnel.
1749                 */
1750                session->tunnel = NULL;
1751                l2tp_tunnel_dec_refcount(tunnel);
1752        }
1753
1754        kfree(session);
1755
1756        return;
1757}
1758EXPORT_SYMBOL_GPL(l2tp_session_free);
1759
1760/* This function is used by the netlink SESSION_DELETE command and by
1761   pseudowire modules.
1762 */
1763int l2tp_session_delete(struct l2tp_session *session)
1764{
1765        if (session->session_close != NULL)
1766                (*session->session_close)(session);
1767
1768        l2tp_session_dec_refcount(session);
1769
1770        return 0;
1771}
1772EXPORT_SYMBOL_GPL(l2tp_session_delete);
1773
1774
1775/* We come here whenever a session's send_seq, cookie_len or
1776 * l2specific_len parameters are set.
1777 */
1778static void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1779{
1780        if (version == L2TP_HDR_VER_2) {
1781                session->hdr_len = 6;
1782                if (session->send_seq)
1783                        session->hdr_len += 4;
1784        } else {
1785                session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
1786                if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1787                        session->hdr_len += 4;
1788        }
1789
1790}
1791
1792struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1793{
1794        struct l2tp_session *session;
1795
1796        session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1797        if (session != NULL) {
1798                session->magic = L2TP_SESSION_MAGIC;
1799                session->tunnel = tunnel;
1800
1801                session->session_id = session_id;
1802                session->peer_session_id = peer_session_id;
1803                session->nr = 0;
1804
1805                sprintf(&session->name[0], "sess %u/%u",
1806                        tunnel->tunnel_id, session->session_id);
1807
1808                skb_queue_head_init(&session->reorder_q);
1809
1810                INIT_HLIST_NODE(&session->hlist);
1811                INIT_HLIST_NODE(&session->global_hlist);
1812
1813                /* Inherit debug options from tunnel */
1814                session->debug = tunnel->debug;
1815
1816                if (cfg) {
1817                        session->pwtype = cfg->pw_type;
1818                        session->debug = cfg->debug;
1819                        session->mtu = cfg->mtu;
1820                        session->mru = cfg->mru;
1821                        session->send_seq = cfg->send_seq;
1822                        session->recv_seq = cfg->recv_seq;
1823                        session->lns_mode = cfg->lns_mode;
1824                        session->reorder_timeout = cfg->reorder_timeout;
1825                        session->offset = cfg->offset;
1826                        session->l2specific_type = cfg->l2specific_type;
1827                        session->l2specific_len = cfg->l2specific_len;
1828                        session->cookie_len = cfg->cookie_len;
1829                        memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1830                        session->peer_cookie_len = cfg->peer_cookie_len;
1831                        memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1832                }
1833
1834                if (tunnel->version == L2TP_HDR_VER_2)
1835                        session->build_header = l2tp_build_l2tpv2_header;
1836                else
1837                        session->build_header = l2tp_build_l2tpv3_header;
1838
1839                l2tp_session_set_header_len(session, tunnel->version);
1840
1841                /* Bump the reference count. The session context is deleted
1842                 * only when this drops to zero.
1843                 */
1844                l2tp_session_inc_refcount(session);
1845                l2tp_tunnel_inc_refcount(tunnel);
1846
1847                /* Ensure tunnel socket isn't deleted */
1848                sock_hold(tunnel->sock);
1849
1850                /* Add session to the tunnel's hash list */
1851                write_lock_bh(&tunnel->hlist_lock);
1852                hlist_add_head(&session->hlist,
1853                               l2tp_session_id_hash(tunnel, session_id));
1854                write_unlock_bh(&tunnel->hlist_lock);
1855
1856                /* And to the global session list if L2TPv3 */
1857                if (tunnel->version != L2TP_HDR_VER_2) {
1858                        struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1859
1860                        spin_lock_bh(&pn->l2tp_session_hlist_lock);
1861                        hlist_add_head_rcu(&session->global_hlist,
1862                                           l2tp_session_id_hash_2(pn, session_id));
1863                        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1864                }
1865
1866                /* Ignore management session in session count value */
1867                if (session->session_id != 0)
1868                        atomic_inc(&l2tp_session_count);
1869        }
1870
1871        return session;
1872}
1873EXPORT_SYMBOL_GPL(l2tp_session_create);
1874
1875/*****************************************************************************
1876 * Init and cleanup
1877 *****************************************************************************/
1878
1879static __net_init int l2tp_init_net(struct net *net)
1880{
1881        struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1882        int hash;
1883
1884        INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1885        spin_lock_init(&pn->l2tp_tunnel_list_lock);
1886
1887        for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1888                INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1889
1890        spin_lock_init(&pn->l2tp_session_hlist_lock);
1891
1892        return 0;
1893}
1894
1895static struct pernet_operations l2tp_net_ops = {
1896        .init = l2tp_init_net,
1897        .id   = &l2tp_net_id,
1898        .size = sizeof(struct l2tp_net),
1899};
1900
1901static int __init l2tp_init(void)
1902{
1903        int rc = 0;
1904
1905        rc = register_pernet_device(&l2tp_net_ops);
1906        if (rc)
1907                goto out;
1908
1909        pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1910
1911out:
1912        return rc;
1913}
1914
1915static void __exit l2tp_exit(void)
1916{
1917        unregister_pernet_device(&l2tp_net_ops);
1918}
1919
1920module_init(l2tp_init);
1921module_exit(l2tp_exit);
1922
1923MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1924MODULE_DESCRIPTION("L2TP core");
1925MODULE_LICENSE("GPL");
1926MODULE_VERSION(L2TP_DRV_VERSION);
1927
1928
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.