linux/net/l2tp/l2tp_core.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/* L2TP core.
   3 *
   4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
   5 *
   6 * This file contains some code of the original L2TPv2 pppol2tp
   7 * driver, which has the following copyright:
   8 *
   9 * Authors:     Martijn van Oosterhout <kleptog@svana.org>
  10 *              James Chapman (jchapman@katalix.com)
  11 * Contributors:
  12 *              Michal Ostrowski <mostrows@speakeasy.net>
  13 *              Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
  14 *              David S. Miller (davem@redhat.com)
  15 */
  16
  17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  18
  19#include <linux/module.h>
  20#include <linux/string.h>
  21#include <linux/list.h>
  22#include <linux/rculist.h>
  23#include <linux/uaccess.h>
  24
  25#include <linux/kernel.h>
  26#include <linux/spinlock.h>
  27#include <linux/kthread.h>
  28#include <linux/sched.h>
  29#include <linux/slab.h>
  30#include <linux/errno.h>
  31#include <linux/jiffies.h>
  32
  33#include <linux/netdevice.h>
  34#include <linux/net.h>
  35#include <linux/inetdevice.h>
  36#include <linux/skbuff.h>
  37#include <linux/init.h>
  38#include <linux/in.h>
  39#include <linux/ip.h>
  40#include <linux/udp.h>
  41#include <linux/l2tp.h>
  42#include <linux/hash.h>
  43#include <linux/sort.h>
  44#include <linux/file.h>
  45#include <linux/nsproxy.h>
  46#include <net/net_namespace.h>
  47#include <net/netns/generic.h>
  48#include <net/dst.h>
  49#include <net/ip.h>
  50#include <net/udp.h>
  51#include <net/udp_tunnel.h>
  52#include <net/inet_common.h>
  53#include <net/xfrm.h>
  54#include <net/protocol.h>
  55#include <net/inet6_connection_sock.h>
  56#include <net/inet_ecn.h>
  57#include <net/ip6_route.h>
  58#include <net/ip6_checksum.h>
  59
  60#include <asm/byteorder.h>
  61#include <linux/atomic.h>
  62
  63#include "l2tp_core.h"
  64#include "trace.h"
  65
  66#define CREATE_TRACE_POINTS
  67#include "trace.h"
  68
  69#define L2TP_DRV_VERSION        "V2.0"
  70
  71/* L2TP header constants */
  72#define L2TP_HDRFLAG_T     0x8000
  73#define L2TP_HDRFLAG_L     0x4000
  74#define L2TP_HDRFLAG_S     0x0800
  75#define L2TP_HDRFLAG_O     0x0200
  76#define L2TP_HDRFLAG_P     0x0100
  77
  78#define L2TP_HDR_VER_MASK  0x000F
  79#define L2TP_HDR_VER_2     0x0002
  80#define L2TP_HDR_VER_3     0x0003
  81
  82/* L2TPv3 default L2-specific sublayer */
  83#define L2TP_SLFLAG_S      0x40000000
  84#define L2TP_SL_SEQ_MASK   0x00ffffff
  85
  86#define L2TP_HDR_SIZE_MAX               14
  87
  88/* Default trace flags */
  89#define L2TP_DEFAULT_DEBUG_FLAGS        0
  90
  91/* Private data stored for received packets in the skb.
  92 */
  93struct l2tp_skb_cb {
  94        u32                     ns;
  95        u16                     has_seq;
  96        u16                     length;
  97        unsigned long           expires;
  98};
  99
 100#define L2TP_SKB_CB(skb)        ((struct l2tp_skb_cb *)&(skb)->cb[sizeof(struct inet_skb_parm)])
 101
 102static struct workqueue_struct *l2tp_wq;
 103
 104/* per-net private data for this module */
 105static unsigned int l2tp_net_id;
 106struct l2tp_net {
 107        struct list_head l2tp_tunnel_list;
 108        /* Lock for write access to l2tp_tunnel_list */
 109        spinlock_t l2tp_tunnel_list_lock;
 110        struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
 111        /* Lock for write access to l2tp_session_hlist */
 112        spinlock_t l2tp_session_hlist_lock;
 113};
 114
 115#if IS_ENABLED(CONFIG_IPV6)
 116static bool l2tp_sk_is_v6(struct sock *sk)
 117{
 118        return sk->sk_family == PF_INET6 &&
 119               !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
 120}
 121#endif
 122
 123static inline struct l2tp_net *l2tp_pernet(const struct net *net)
 124{
 125        return net_generic(net, l2tp_net_id);
 126}
 127
 128/* Session hash global list for L2TPv3.
 129 * The session_id SHOULD be random according to RFC3931, but several
 130 * L2TP implementations use incrementing session_ids.  So we do a real
 131 * hash on the session_id, rather than a simple bitmask.
 132 */
 133static inline struct hlist_head *
 134l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
 135{
 136        return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
 137}
 138
 139/* Session hash list.
 140 * The session_id SHOULD be random according to RFC2661, but several
 141 * L2TP implementations (Cisco and Microsoft) use incrementing
 142 * session_ids.  So we do a real hash on the session_id, rather than a
 143 * simple bitmask.
 144 */
 145static inline struct hlist_head *
 146l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
 147{
 148        return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
 149}
 150
 151static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
 152{
 153        trace_free_tunnel(tunnel);
 154        sock_put(tunnel->sock);
 155        /* the tunnel is freed in the socket destructor */
 156}
 157
 158static void l2tp_session_free(struct l2tp_session *session)
 159{
 160        trace_free_session(session);
 161        if (session->tunnel)
 162                l2tp_tunnel_dec_refcount(session->tunnel);
 163        kfree(session);
 164}
 165
 166struct l2tp_tunnel *l2tp_sk_to_tunnel(struct sock *sk)
 167{
 168        struct l2tp_tunnel *tunnel = sk->sk_user_data;
 169
 170        if (tunnel)
 171                if (WARN_ON(tunnel->magic != L2TP_TUNNEL_MAGIC))
 172                        return NULL;
 173
 174        return tunnel;
 175}
 176EXPORT_SYMBOL_GPL(l2tp_sk_to_tunnel);
 177
 178void l2tp_tunnel_inc_refcount(struct l2tp_tunnel *tunnel)
 179{
 180        refcount_inc(&tunnel->ref_count);
 181}
 182EXPORT_SYMBOL_GPL(l2tp_tunnel_inc_refcount);
 183
 184void l2tp_tunnel_dec_refcount(struct l2tp_tunnel *tunnel)
 185{
 186        if (refcount_dec_and_test(&tunnel->ref_count))
 187                l2tp_tunnel_free(tunnel);
 188}
 189EXPORT_SYMBOL_GPL(l2tp_tunnel_dec_refcount);
 190
 191void l2tp_session_inc_refcount(struct l2tp_session *session)
 192{
 193        refcount_inc(&session->ref_count);
 194}
 195EXPORT_SYMBOL_GPL(l2tp_session_inc_refcount);
 196
 197void l2tp_session_dec_refcount(struct l2tp_session *session)
 198{
 199        if (refcount_dec_and_test(&session->ref_count))
 200                l2tp_session_free(session);
 201}
 202EXPORT_SYMBOL_GPL(l2tp_session_dec_refcount);
 203
 204/* Lookup a tunnel. A new reference is held on the returned tunnel. */
 205struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
 206{
 207        const struct l2tp_net *pn = l2tp_pernet(net);
 208        struct l2tp_tunnel *tunnel;
 209
 210        rcu_read_lock_bh();
 211        list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
 212                if (tunnel->tunnel_id == tunnel_id &&
 213                    refcount_inc_not_zero(&tunnel->ref_count)) {
 214                        rcu_read_unlock_bh();
 215
 216                        return tunnel;
 217                }
 218        }
 219        rcu_read_unlock_bh();
 220
 221        return NULL;
 222}
 223EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
 224
 225struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth)
 226{
 227        const struct l2tp_net *pn = l2tp_pernet(net);
 228        struct l2tp_tunnel *tunnel;
 229        int count = 0;
 230
 231        rcu_read_lock_bh();
 232        list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
 233                if (++count > nth &&
 234                    refcount_inc_not_zero(&tunnel->ref_count)) {
 235                        rcu_read_unlock_bh();
 236                        return tunnel;
 237                }
 238        }
 239        rcu_read_unlock_bh();
 240
 241        return NULL;
 242}
 243EXPORT_SYMBOL_GPL(l2tp_tunnel_get_nth);
 244
 245struct l2tp_session *l2tp_tunnel_get_session(struct l2tp_tunnel *tunnel,
 246                                             u32 session_id)
 247{
 248        struct hlist_head *session_list;
 249        struct l2tp_session *session;
 250
 251        session_list = l2tp_session_id_hash(tunnel, session_id);
 252
 253        read_lock_bh(&tunnel->hlist_lock);
 254        hlist_for_each_entry(session, session_list, hlist)
 255                if (session->session_id == session_id) {
 256                        l2tp_session_inc_refcount(session);
 257                        read_unlock_bh(&tunnel->hlist_lock);
 258
 259                        return session;
 260                }
 261        read_unlock_bh(&tunnel->hlist_lock);
 262
 263        return NULL;
 264}
 265EXPORT_SYMBOL_GPL(l2tp_tunnel_get_session);
 266
 267struct l2tp_session *l2tp_session_get(const struct net *net, u32 session_id)
 268{
 269        struct hlist_head *session_list;
 270        struct l2tp_session *session;
 271
 272        session_list = l2tp_session_id_hash_2(l2tp_pernet(net), session_id);
 273
 274        rcu_read_lock_bh();
 275        hlist_for_each_entry_rcu(session, session_list, global_hlist)
 276                if (session->session_id == session_id) {
 277                        l2tp_session_inc_refcount(session);
 278                        rcu_read_unlock_bh();
 279
 280                        return session;
 281                }
 282        rcu_read_unlock_bh();
 283
 284        return NULL;
 285}
 286EXPORT_SYMBOL_GPL(l2tp_session_get);
 287
 288struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth)
 289{
 290        int hash;
 291        struct l2tp_session *session;
 292        int count = 0;
 293
 294        read_lock_bh(&tunnel->hlist_lock);
 295        for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
 296                hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
 297                        if (++count > nth) {
 298                                l2tp_session_inc_refcount(session);
 299                                read_unlock_bh(&tunnel->hlist_lock);
 300                                return session;
 301                        }
 302                }
 303        }
 304
 305        read_unlock_bh(&tunnel->hlist_lock);
 306
 307        return NULL;
 308}
 309EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
 310
 311/* Lookup a session by interface name.
 312 * This is very inefficient but is only used by management interfaces.
 313 */
 314struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
 315                                                const char *ifname)
 316{
 317        struct l2tp_net *pn = l2tp_pernet(net);
 318        int hash;
 319        struct l2tp_session *session;
 320
 321        rcu_read_lock_bh();
 322        for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
 323                hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
 324                        if (!strcmp(session->ifname, ifname)) {
 325                                l2tp_session_inc_refcount(session);
 326                                rcu_read_unlock_bh();
 327
 328                                return session;
 329                        }
 330                }
 331        }
 332
 333        rcu_read_unlock_bh();
 334
 335        return NULL;
 336}
 337EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
 338
 339int l2tp_session_register(struct l2tp_session *session,
 340                          struct l2tp_tunnel *tunnel)
 341{
 342        struct l2tp_session *session_walk;
 343        struct hlist_head *g_head;
 344        struct hlist_head *head;
 345        struct l2tp_net *pn;
 346        int err;
 347
 348        head = l2tp_session_id_hash(tunnel, session->session_id);
 349
 350        write_lock_bh(&tunnel->hlist_lock);
 351        if (!tunnel->acpt_newsess) {
 352                err = -ENODEV;
 353                goto err_tlock;
 354        }
 355
 356        hlist_for_each_entry(session_walk, head, hlist)
 357                if (session_walk->session_id == session->session_id) {
 358                        err = -EEXIST;
 359                        goto err_tlock;
 360                }
 361
 362        if (tunnel->version == L2TP_HDR_VER_3) {
 363                pn = l2tp_pernet(tunnel->l2tp_net);
 364                g_head = l2tp_session_id_hash_2(pn, session->session_id);
 365
 366                spin_lock_bh(&pn->l2tp_session_hlist_lock);
 367
 368                /* IP encap expects session IDs to be globally unique, while
 369                 * UDP encap doesn't.
 370                 */
 371                hlist_for_each_entry(session_walk, g_head, global_hlist)
 372                        if (session_walk->session_id == session->session_id &&
 373                            (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP ||
 374                             tunnel->encap == L2TP_ENCAPTYPE_IP)) {
 375                                err = -EEXIST;
 376                                goto err_tlock_pnlock;
 377                        }
 378
 379                l2tp_tunnel_inc_refcount(tunnel);
 380                hlist_add_head_rcu(&session->global_hlist, g_head);
 381
 382                spin_unlock_bh(&pn->l2tp_session_hlist_lock);
 383        } else {
 384                l2tp_tunnel_inc_refcount(tunnel);
 385        }
 386
 387        hlist_add_head(&session->hlist, head);
 388        write_unlock_bh(&tunnel->hlist_lock);
 389
 390        trace_register_session(session);
 391
 392        return 0;
 393
 394err_tlock_pnlock:
 395        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
 396err_tlock:
 397        write_unlock_bh(&tunnel->hlist_lock);
 398
 399        return err;
 400}
 401EXPORT_SYMBOL_GPL(l2tp_session_register);
 402
 403/*****************************************************************************
 404 * Receive data handling
 405 *****************************************************************************/
 406
 407/* Queue a skb in order. We come here only if the skb has an L2TP sequence
 408 * number.
 409 */
 410static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
 411{
 412        struct sk_buff *skbp;
 413        struct sk_buff *tmp;
 414        u32 ns = L2TP_SKB_CB(skb)->ns;
 415
 416        spin_lock_bh(&session->reorder_q.lock);
 417        skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
 418                if (L2TP_SKB_CB(skbp)->ns > ns) {
 419                        __skb_queue_before(&session->reorder_q, skbp, skb);
 420                        atomic_long_inc(&session->stats.rx_oos_packets);
 421                        goto out;
 422                }
 423        }
 424
 425        __skb_queue_tail(&session->reorder_q, skb);
 426
 427out:
 428        spin_unlock_bh(&session->reorder_q.lock);
 429}
 430
 431/* Dequeue a single skb.
 432 */
 433static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
 434{
 435        struct l2tp_tunnel *tunnel = session->tunnel;
 436        int length = L2TP_SKB_CB(skb)->length;
 437
 438        /* We're about to requeue the skb, so return resources
 439         * to its current owner (a socket receive buffer).
 440         */
 441        skb_orphan(skb);
 442
 443        atomic_long_inc(&tunnel->stats.rx_packets);
 444        atomic_long_add(length, &tunnel->stats.rx_bytes);
 445        atomic_long_inc(&session->stats.rx_packets);
 446        atomic_long_add(length, &session->stats.rx_bytes);
 447
 448        if (L2TP_SKB_CB(skb)->has_seq) {
 449                /* Bump our Nr */
 450                session->nr++;
 451                session->nr &= session->nr_max;
 452                trace_session_seqnum_update(session);
 453        }
 454
 455        /* call private receive handler */
 456        if (session->recv_skb)
 457                (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
 458        else
 459                kfree_skb(skb);
 460}
 461
 462/* Dequeue skbs from the session's reorder_q, subject to packet order.
 463 * Skbs that have been in the queue for too long are simply discarded.
 464 */
 465static void l2tp_recv_dequeue(struct l2tp_session *session)
 466{
 467        struct sk_buff *skb;
 468        struct sk_buff *tmp;
 469
 470        /* If the pkt at the head of the queue has the nr that we
 471         * expect to send up next, dequeue it and any other
 472         * in-sequence packets behind it.
 473         */
 474start:
 475        spin_lock_bh(&session->reorder_q.lock);
 476        skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
 477                struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);
 478
 479                /* If the packet has been pending on the queue for too long, discard it */
 480                if (time_after(jiffies, cb->expires)) {
 481                        atomic_long_inc(&session->stats.rx_seq_discards);
 482                        atomic_long_inc(&session->stats.rx_errors);
 483                        trace_session_pkt_expired(session, cb->ns);
 484                        session->reorder_skip = 1;
 485                        __skb_unlink(skb, &session->reorder_q);
 486                        kfree_skb(skb);
 487                        continue;
 488                }
 489
 490                if (cb->has_seq) {
 491                        if (session->reorder_skip) {
 492                                session->reorder_skip = 0;
 493                                session->nr = cb->ns;
 494                                trace_session_seqnum_reset(session);
 495                        }
 496                        if (cb->ns != session->nr)
 497                                goto out;
 498                }
 499                __skb_unlink(skb, &session->reorder_q);
 500
 501                /* Process the skb. We release the queue lock while we
 502                 * do so to let other contexts process the queue.
 503                 */
 504                spin_unlock_bh(&session->reorder_q.lock);
 505                l2tp_recv_dequeue_skb(session, skb);
 506                goto start;
 507        }
 508
 509out:
 510        spin_unlock_bh(&session->reorder_q.lock);
 511}
 512
 513static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
 514{
 515        u32 nws;
 516
 517        if (nr >= session->nr)
 518                nws = nr - session->nr;
 519        else
 520                nws = (session->nr_max + 1) - (session->nr - nr);
 521
 522        return nws < session->nr_window_size;
 523}
 524
 525/* If packet has sequence numbers, queue it if acceptable. Returns 0 if
 526 * acceptable, else non-zero.
 527 */
 528static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
 529{
 530        struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);
 531
 532        if (!l2tp_seq_check_rx_window(session, cb->ns)) {
 533                /* Packet sequence number is outside allowed window.
 534                 * Discard it.
 535                 */
 536                trace_session_pkt_outside_rx_window(session, cb->ns);
 537                goto discard;
 538        }
 539
 540        if (session->reorder_timeout != 0) {
 541                /* Packet reordering enabled. Add skb to session's
 542                 * reorder queue, in order of ns.
 543                 */
 544                l2tp_recv_queue_skb(session, skb);
 545                goto out;
 546        }
 547
 548        /* Packet reordering disabled. Discard out-of-sequence packets, while
 549         * tracking the number if in-sequence packets after the first OOS packet
 550         * is seen. After nr_oos_count_max in-sequence packets, reset the
 551         * sequence number to re-enable packet reception.
 552         */
 553        if (cb->ns == session->nr) {
 554                skb_queue_tail(&session->reorder_q, skb);
 555        } else {
 556                u32 nr_oos = cb->ns;
 557                u32 nr_next = (session->nr_oos + 1) & session->nr_max;
 558
 559                if (nr_oos == nr_next)
 560                        session->nr_oos_count++;
 561                else
 562                        session->nr_oos_count = 0;
 563
 564                session->nr_oos = nr_oos;
 565                if (session->nr_oos_count > session->nr_oos_count_max) {
 566                        session->reorder_skip = 1;
 567                }
 568                if (!session->reorder_skip) {
 569                        atomic_long_inc(&session->stats.rx_seq_discards);
 570                        trace_session_pkt_oos(session, cb->ns);
 571                        goto discard;
 572                }
 573                skb_queue_tail(&session->reorder_q, skb);
 574        }
 575
 576out:
 577        return 0;
 578
 579discard:
 580        return 1;
 581}
 582
 583/* Do receive processing of L2TP data frames. We handle both L2TPv2
 584 * and L2TPv3 data frames here.
 585 *
 586 * L2TPv2 Data Message Header
 587 *
 588 *  0                   1                   2                   3
 589 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 590 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 591 * |T|L|x|x|S|x|O|P|x|x|x|x|  Ver  |          Length (opt)         |
 592 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 593 * |           Tunnel ID           |           Session ID          |
 594 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 595 * |             Ns (opt)          |             Nr (opt)          |
 596 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 597 * |      Offset Size (opt)        |    Offset pad... (opt)
 598 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 599 *
 600 * Data frames are marked by T=0. All other fields are the same as
 601 * those in L2TP control frames.
 602 *
 603 * L2TPv3 Data Message Header
 604 *
 605 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 606 * |                      L2TP Session Header                      |
 607 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 608 * |                      L2-Specific Sublayer                     |
 609 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 610 * |                        Tunnel Payload                      ...
 611 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 612 *
 613 * L2TPv3 Session Header Over IP
 614 *
 615 *  0                   1                   2                   3
 616 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 617 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 618 * |                           Session ID                          |
 619 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 620 * |               Cookie (optional, maximum 64 bits)...
 621 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 622 *                                                                 |
 623 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 624 *
 625 * L2TPv3 L2-Specific Sublayer Format
 626 *
 627 *  0                   1                   2                   3
 628 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 629 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 630 * |x|S|x|x|x|x|x|x|              Sequence Number                  |
 631 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 632 *
 633 * Cookie value and sublayer format are negotiated with the peer when
 634 * the session is set up. Unlike L2TPv2, we do not need to parse the
 635 * packet header to determine if optional fields are present.
 636 *
 637 * Caller must already have parsed the frame and determined that it is
 638 * a data (not control) frame before coming here. Fields up to the
 639 * session-id have already been parsed and ptr points to the data
 640 * after the session-id.
 641 */
 642void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
 643                      unsigned char *ptr, unsigned char *optr, u16 hdrflags,
 644                      int length)
 645{
 646        struct l2tp_tunnel *tunnel = session->tunnel;
 647        int offset;
 648
 649        /* Parse and check optional cookie */
 650        if (session->peer_cookie_len > 0) {
 651                if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
 652                        pr_debug_ratelimited("%s: cookie mismatch (%u/%u). Discarding.\n",
 653                                             tunnel->name, tunnel->tunnel_id,
 654                                             session->session_id);
 655                        atomic_long_inc(&session->stats.rx_cookie_discards);
 656                        goto discard;
 657                }
 658                ptr += session->peer_cookie_len;
 659        }
 660
 661        /* Handle the optional sequence numbers. Sequence numbers are
 662         * in different places for L2TPv2 and L2TPv3.
 663         *
 664         * If we are the LAC, enable/disable sequence numbers under
 665         * the control of the LNS.  If no sequence numbers present but
 666         * we were expecting them, discard frame.
 667         */
 668        L2TP_SKB_CB(skb)->has_seq = 0;
 669        if (tunnel->version == L2TP_HDR_VER_2) {
 670                if (hdrflags & L2TP_HDRFLAG_S) {
 671                        /* Store L2TP info in the skb */
 672                        L2TP_SKB_CB(skb)->ns = ntohs(*(__be16 *)ptr);
 673                        L2TP_SKB_CB(skb)->has_seq = 1;
 674                        ptr += 2;
 675                        /* Skip past nr in the header */
 676                        ptr += 2;
 677
 678                }
 679        } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
 680                u32 l2h = ntohl(*(__be32 *)ptr);
 681
 682                if (l2h & 0x40000000) {
 683                        /* Store L2TP info in the skb */
 684                        L2TP_SKB_CB(skb)->ns = l2h & 0x00ffffff;
 685                        L2TP_SKB_CB(skb)->has_seq = 1;
 686                }
 687                ptr += 4;
 688        }
 689
 690        if (L2TP_SKB_CB(skb)->has_seq) {
 691                /* Received a packet with sequence numbers. If we're the LAC,
 692                 * check if we sre sending sequence numbers and if not,
 693                 * configure it so.
 694                 */
 695                if (!session->lns_mode && !session->send_seq) {
 696                        trace_session_seqnum_lns_enable(session);
 697                        session->send_seq = 1;
 698                        l2tp_session_set_header_len(session, tunnel->version);
 699                }
 700        } else {
 701                /* No sequence numbers.
 702                 * If user has configured mandatory sequence numbers, discard.
 703                 */
 704                if (session->recv_seq) {
 705                        pr_debug_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",
 706                                             session->name);
 707                        atomic_long_inc(&session->stats.rx_seq_discards);
 708                        goto discard;
 709                }
 710
 711                /* If we're the LAC and we're sending sequence numbers, the
 712                 * LNS has requested that we no longer send sequence numbers.
 713                 * If we're the LNS and we're sending sequence numbers, the
 714                 * LAC is broken. Discard the frame.
 715                 */
 716                if (!session->lns_mode && session->send_seq) {
 717                        trace_session_seqnum_lns_disable(session);
 718                        session->send_seq = 0;
 719                        l2tp_session_set_header_len(session, tunnel->version);
 720                } else if (session->send_seq) {
 721                        pr_debug_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",
 722                                             session->name);
 723                        atomic_long_inc(&session->stats.rx_seq_discards);
 724                        goto discard;
 725                }
 726        }
 727
 728        /* Session data offset is defined only for L2TPv2 and is
 729         * indicated by an optional 16-bit value in the header.
 730         */
 731        if (tunnel->version == L2TP_HDR_VER_2) {
 732                /* If offset bit set, skip it. */
 733                if (hdrflags & L2TP_HDRFLAG_O) {
 734                        offset = ntohs(*(__be16 *)ptr);
 735                        ptr += 2 + offset;
 736                }
 737        }
 738
 739        offset = ptr - optr;
 740        if (!pskb_may_pull(skb, offset))
 741                goto discard;
 742
 743        __skb_pull(skb, offset);
 744
 745        /* Prepare skb for adding to the session's reorder_q.  Hold
 746         * packets for max reorder_timeout or 1 second if not
 747         * reordering.
 748         */
 749        L2TP_SKB_CB(skb)->length = length;
 750        L2TP_SKB_CB(skb)->expires = jiffies +
 751                (session->reorder_timeout ? session->reorder_timeout : HZ);
 752
 753        /* Add packet to the session's receive queue. Reordering is done here, if
 754         * enabled. Saved L2TP protocol info is stored in skb->sb[].
 755         */
 756        if (L2TP_SKB_CB(skb)->has_seq) {
 757                if (l2tp_recv_data_seq(session, skb))
 758                        goto discard;
 759        } else {
 760                /* No sequence numbers. Add the skb to the tail of the
 761                 * reorder queue. This ensures that it will be
 762                 * delivered after all previous sequenced skbs.
 763                 */
 764                skb_queue_tail(&session->reorder_q, skb);
 765        }
 766
 767        /* Try to dequeue as many skbs from reorder_q as we can. */
 768        l2tp_recv_dequeue(session);
 769
 770        return;
 771
 772discard:
 773        atomic_long_inc(&session->stats.rx_errors);
 774        kfree_skb(skb);
 775}
 776EXPORT_SYMBOL_GPL(l2tp_recv_common);
 777
 778/* Drop skbs from the session's reorder_q
 779 */
 780static void l2tp_session_queue_purge(struct l2tp_session *session)
 781{
 782        struct sk_buff *skb = NULL;
 783
 784        while ((skb = skb_dequeue(&session->reorder_q))) {
 785                atomic_long_inc(&session->stats.rx_errors);
 786                kfree_skb(skb);
 787        }
 788}
 789
 790/* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
 791 * here. The skb is not on a list when we get here.
 792 * Returns 0 if the packet was a data packet and was successfully passed on.
 793 * Returns 1 if the packet was not a good data packet and could not be
 794 * forwarded.  All such packets are passed up to userspace to deal with.
 795 */
 796static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
 797{
 798        struct l2tp_session *session = NULL;
 799        unsigned char *ptr, *optr;
 800        u16 hdrflags;
 801        u32 tunnel_id, session_id;
 802        u16 version;
 803        int length;
 804
 805        /* UDP has verified checksum */
 806
 807        /* UDP always verifies the packet length. */
 808        __skb_pull(skb, sizeof(struct udphdr));
 809
 810        /* Short packet? */
 811        if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) {
 812                pr_debug_ratelimited("%s: recv short packet (len=%d)\n",
 813                                     tunnel->name, skb->len);
 814                goto invalid;
 815        }
 816
 817        /* Point to L2TP header */
 818        optr = skb->data;
 819        ptr = skb->data;
 820
 821        /* Get L2TP header flags */
 822        hdrflags = ntohs(*(__be16 *)ptr);
 823
 824        /* Check protocol version */
 825        version = hdrflags & L2TP_HDR_VER_MASK;
 826        if (version != tunnel->version) {
 827                pr_debug_ratelimited("%s: recv protocol version mismatch: got %d expected %d\n",
 828                                     tunnel->name, version, tunnel->version);
 829                goto invalid;
 830        }
 831
 832        /* Get length of L2TP packet */
 833        length = skb->len;
 834
 835        /* If type is control packet, it is handled by userspace. */
 836        if (hdrflags & L2TP_HDRFLAG_T)
 837                goto pass;
 838
 839        /* Skip flags */
 840        ptr += 2;
 841
 842        if (tunnel->version == L2TP_HDR_VER_2) {
 843                /* If length is present, skip it */
 844                if (hdrflags & L2TP_HDRFLAG_L)
 845                        ptr += 2;
 846
 847                /* Extract tunnel and session ID */
 848                tunnel_id = ntohs(*(__be16 *)ptr);
 849                ptr += 2;
 850                session_id = ntohs(*(__be16 *)ptr);
 851                ptr += 2;
 852        } else {
 853                ptr += 2;       /* skip reserved bits */
 854                tunnel_id = tunnel->tunnel_id;
 855                session_id = ntohl(*(__be32 *)ptr);
 856                ptr += 4;
 857        }
 858
 859        /* Find the session context */
 860        session = l2tp_tunnel_get_session(tunnel, session_id);
 861        if (!session || !session->recv_skb) {
 862                if (session)
 863                        l2tp_session_dec_refcount(session);
 864
 865                /* Not found? Pass to userspace to deal with */
 866                pr_debug_ratelimited("%s: no session found (%u/%u). Passing up.\n",
 867                                     tunnel->name, tunnel_id, session_id);
 868                goto pass;
 869        }
 870
 871        if (tunnel->version == L2TP_HDR_VER_3 &&
 872            l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
 873                goto invalid;
 874
 875        l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
 876        l2tp_session_dec_refcount(session);
 877
 878        return 0;
 879
 880invalid:
 881        atomic_long_inc(&tunnel->stats.rx_invalid);
 882
 883pass:
 884        /* Put UDP header back */
 885        __skb_push(skb, sizeof(struct udphdr));
 886
 887        return 1;
 888}
 889
 890/* UDP encapsulation receive handler. See net/ipv4/udp.c.
 891 * Return codes:
 892 * 0 : success.
 893 * <0: error
 894 * >0: skb should be passed up to userspace as UDP.
 895 */
 896int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 897{
 898        struct l2tp_tunnel *tunnel;
 899
 900        /* Note that this is called from the encap_rcv hook inside an
 901         * RCU-protected region, but without the socket being locked.
 902         * Hence we use rcu_dereference_sk_user_data to access the
 903         * tunnel data structure rather the usual l2tp_sk_to_tunnel
 904         * accessor function.
 905         */
 906        tunnel = rcu_dereference_sk_user_data(sk);
 907        if (!tunnel)
 908                goto pass_up;
 909        if (WARN_ON(tunnel->magic != L2TP_TUNNEL_MAGIC))
 910                goto pass_up;
 911
 912        if (l2tp_udp_recv_core(tunnel, skb))
 913                goto pass_up;
 914
 915        return 0;
 916
 917pass_up:
 918        return 1;
 919}
 920EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
 921
 922/************************************************************************
 923 * Transmit handling
 924 ***********************************************************************/
 925
 926/* Build an L2TP header for the session into the buffer provided.
 927 */
 928static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
 929{
 930        struct l2tp_tunnel *tunnel = session->tunnel;
 931        __be16 *bufp = buf;
 932        __be16 *optr = buf;
 933        u16 flags = L2TP_HDR_VER_2;
 934        u32 tunnel_id = tunnel->peer_tunnel_id;
 935        u32 session_id = session->peer_session_id;
 936
 937        if (session->send_seq)
 938                flags |= L2TP_HDRFLAG_S;
 939
 940        /* Setup L2TP header. */
 941        *bufp++ = htons(flags);
 942        *bufp++ = htons(tunnel_id);
 943        *bufp++ = htons(session_id);
 944        if (session->send_seq) {
 945                *bufp++ = htons(session->ns);
 946                *bufp++ = 0;
 947                session->ns++;
 948                session->ns &= 0xffff;
 949                trace_session_seqnum_update(session);
 950        }
 951
 952        return bufp - optr;
 953}
 954
 955static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
 956{
 957        struct l2tp_tunnel *tunnel = session->tunnel;
 958        char *bufp = buf;
 959        char *optr = bufp;
 960
 961        /* Setup L2TP header. The header differs slightly for UDP and
 962         * IP encapsulations. For UDP, there is 4 bytes of flags.
 963         */
 964        if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
 965                u16 flags = L2TP_HDR_VER_3;
 966                *((__be16 *)bufp) = htons(flags);
 967                bufp += 2;
 968                *((__be16 *)bufp) = 0;
 969                bufp += 2;
 970        }
 971
 972        *((__be32 *)bufp) = htonl(session->peer_session_id);
 973        bufp += 4;
 974        if (session->cookie_len) {
 975                memcpy(bufp, &session->cookie[0], session->cookie_len);
 976                bufp += session->cookie_len;
 977        }
 978        if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
 979                u32 l2h = 0;
 980
 981                if (session->send_seq) {
 982                        l2h = 0x40000000 | session->ns;
 983                        session->ns++;
 984                        session->ns &= 0xffffff;
 985                        trace_session_seqnum_update(session);
 986                }
 987
 988                *((__be32 *)bufp) = htonl(l2h);
 989                bufp += 4;
 990        }
 991
 992        return bufp - optr;
 993}
 994
 995/* Queue the packet to IP for output: tunnel socket lock must be held */
 996static int l2tp_xmit_queue(struct l2tp_tunnel *tunnel, struct sk_buff *skb, struct flowi *fl)
 997{
 998        int err;
 999
1000        skb->ignore_df = 1;
1001        skb_dst_drop(skb);
1002#if IS_ENABLED(CONFIG_IPV6)
1003        if (l2tp_sk_is_v6(tunnel->sock))
1004                err = inet6_csk_xmit(tunnel->sock, skb, NULL);
1005        else
1006#endif
1007                err = ip_queue_xmit(tunnel->sock, skb, fl);
1008
1009        return err >= 0 ? NET_XMIT_SUCCESS : NET_XMIT_DROP;
1010}
1011
1012static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, unsigned int *len)
1013{
1014        struct l2tp_tunnel *tunnel = session->tunnel;
1015        unsigned int data_len = skb->len;
1016        struct sock *sk = tunnel->sock;
1017        int headroom, uhlen, udp_len;
1018        int ret = NET_XMIT_SUCCESS;
1019        struct inet_sock *inet;
1020        struct udphdr *uh;
1021
1022        /* Check that there's enough headroom in the skb to insert IP,
1023         * UDP and L2TP headers. If not enough, expand it to
1024         * make room. Adjust truesize.
1025         */
1026        uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(*uh) : 0;
1027        headroom = NET_SKB_PAD + sizeof(struct iphdr) + uhlen + session->hdr_len;
1028        if (skb_cow_head(skb, headroom)) {
1029                kfree_skb(skb);
1030                return NET_XMIT_DROP;
1031        }
1032
1033        /* Setup L2TP header */
1034        if (tunnel->version == L2TP_HDR_VER_2)
1035                l2tp_build_l2tpv2_header(session, __skb_push(skb, session->hdr_len));
1036        else
1037                l2tp_build_l2tpv3_header(session, __skb_push(skb, session->hdr_len));
1038
1039        /* Reset skb netfilter state */
1040        memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1041        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED);
1042        nf_reset_ct(skb);
1043
1044        bh_lock_sock(sk);
1045        if (sock_owned_by_user(sk)) {
1046                kfree_skb(skb);
1047                ret = NET_XMIT_DROP;
1048                goto out_unlock;
1049        }
1050
1051        /* The user-space may change the connection status for the user-space
1052         * provided socket at run time: we must check it under the socket lock
1053         */
1054        if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
1055                kfree_skb(skb);
1056                ret = NET_XMIT_DROP;
1057                goto out_unlock;
1058        }
1059
1060        /* Report transmitted length before we add encap header, which keeps
1061         * statistics consistent for both UDP and IP encap tx/rx paths.
1062         */
1063        *len = skb->len;
1064
1065        inet = inet_sk(sk);
1066        switch (tunnel->encap) {
1067        case L2TP_ENCAPTYPE_UDP:
1068                /* Setup UDP header */
1069                __skb_push(skb, sizeof(*uh));
1070                skb_reset_transport_header(skb);
1071                uh = udp_hdr(skb);
1072                uh->source = inet->inet_sport;
1073                uh->dest = inet->inet_dport;
1074                udp_len = uhlen + session->hdr_len + data_len;
1075                uh->len = htons(udp_len);
1076
1077                /* Calculate UDP checksum if configured to do so */
1078#if IS_ENABLED(CONFIG_IPV6)
1079                if (l2tp_sk_is_v6(sk))
1080                        udp6_set_csum(udp_get_no_check6_tx(sk),
1081                                      skb, &inet6_sk(sk)->saddr,
1082                                      &sk->sk_v6_daddr, udp_len);
1083                else
1084#endif
1085                        udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1086                                     inet->inet_daddr, udp_len);
1087                break;
1088
1089        case L2TP_ENCAPTYPE_IP:
1090                break;
1091        }
1092
1093        ret = l2tp_xmit_queue(tunnel, skb, &inet->cork.fl);
1094
1095out_unlock:
1096        bh_unlock_sock(sk);
1097
1098        return ret;
1099}
1100
1101/* If caller requires the skb to have a ppp header, the header must be
1102 * inserted in the skb data before calling this function.
1103 */
1104int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb)
1105{
1106        unsigned int len = 0;
1107        int ret;
1108
1109        ret = l2tp_xmit_core(session, skb, &len);
1110        if (ret == NET_XMIT_SUCCESS) {
1111                atomic_long_inc(&session->tunnel->stats.tx_packets);
1112                atomic_long_add(len, &session->tunnel->stats.tx_bytes);
1113                atomic_long_inc(&session->stats.tx_packets);
1114                atomic_long_add(len, &session->stats.tx_bytes);
1115        } else {
1116                atomic_long_inc(&session->tunnel->stats.tx_errors);
1117                atomic_long_inc(&session->stats.tx_errors);
1118        }
1119        return ret;
1120}
1121EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1122
1123/*****************************************************************************
1124 * Tinnel and session create/destroy.
1125 *****************************************************************************/
1126
1127/* Tunnel socket destruct hook.
1128 * The tunnel context is deleted only when all session sockets have been
1129 * closed.
1130 */
1131static void l2tp_tunnel_destruct(struct sock *sk)
1132{
1133        struct l2tp_tunnel *tunnel = l2tp_sk_to_tunnel(sk);
1134
1135        if (!tunnel)
1136                goto end;
1137
1138        /* Disable udp encapsulation */
1139        switch (tunnel->encap) {
1140        case L2TP_ENCAPTYPE_UDP:
1141                /* No longer an encapsulation socket. See net/ipv4/udp.c */
1142                (udp_sk(sk))->encap_type = 0;
1143                (udp_sk(sk))->encap_rcv = NULL;
1144                (udp_sk(sk))->encap_destroy = NULL;
1145                break;
1146        case L2TP_ENCAPTYPE_IP:
1147                break;
1148        }
1149
1150        /* Remove hooks into tunnel socket */
1151        sk->sk_destruct = tunnel->old_sk_destruct;
1152        sk->sk_user_data = NULL;
1153
1154        /* Call the original destructor */
1155        if (sk->sk_destruct)
1156                (*sk->sk_destruct)(sk);
1157
1158        kfree_rcu(tunnel, rcu);
1159end:
1160        return;
1161}
1162
1163/* Remove an l2tp session from l2tp_core's hash lists. */
1164static void l2tp_session_unhash(struct l2tp_session *session)
1165{
1166        struct l2tp_tunnel *tunnel = session->tunnel;
1167
1168        /* Remove the session from core hashes */
1169        if (tunnel) {
1170                /* Remove from the per-tunnel hash */
1171                write_lock_bh(&tunnel->hlist_lock);
1172                hlist_del_init(&session->hlist);
1173                write_unlock_bh(&tunnel->hlist_lock);
1174
1175                /* For L2TPv3 we have a per-net hash: remove from there, too */
1176                if (tunnel->version != L2TP_HDR_VER_2) {
1177                        struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1178
1179                        spin_lock_bh(&pn->l2tp_session_hlist_lock);
1180                        hlist_del_init_rcu(&session->global_hlist);
1181                        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1182                        synchronize_rcu();
1183                }
1184        }
1185}
1186
1187/* When the tunnel is closed, all the attached sessions need to go too.
1188 */
1189static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1190{
1191        int hash;
1192        struct hlist_node *walk;
1193        struct hlist_node *tmp;
1194        struct l2tp_session *session;
1195
1196        write_lock_bh(&tunnel->hlist_lock);
1197        tunnel->acpt_newsess = false;
1198        for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1199again:
1200                hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1201                        session = hlist_entry(walk, struct l2tp_session, hlist);
1202                        hlist_del_init(&session->hlist);
1203
1204                        write_unlock_bh(&tunnel->hlist_lock);
1205                        l2tp_session_delete(session);
1206                        write_lock_bh(&tunnel->hlist_lock);
1207
1208                        /* Now restart from the beginning of this hash
1209                         * chain.  We always remove a session from the
1210                         * list so we are guaranteed to make forward
1211                         * progress.
1212                         */
1213                        goto again;
1214                }
1215        }
1216        write_unlock_bh(&tunnel->hlist_lock);
1217}
1218
1219/* Tunnel socket destroy hook for UDP encapsulation */
1220static void l2tp_udp_encap_destroy(struct sock *sk)
1221{
1222        struct l2tp_tunnel *tunnel = l2tp_sk_to_tunnel(sk);
1223
1224        if (tunnel)
1225                l2tp_tunnel_delete(tunnel);
1226}
1227
1228/* Workqueue tunnel deletion function */
1229static void l2tp_tunnel_del_work(struct work_struct *work)
1230{
1231        struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
1232                                                  del_work);
1233        struct sock *sk = tunnel->sock;
1234        struct socket *sock = sk->sk_socket;
1235        struct l2tp_net *pn;
1236
1237        l2tp_tunnel_closeall(tunnel);
1238
1239        /* If the tunnel socket was created within the kernel, use
1240         * the sk API to release it here.
1241         */
1242        if (tunnel->fd < 0) {
1243                if (sock) {
1244                        kernel_sock_shutdown(sock, SHUT_RDWR);
1245                        sock_release(sock);
1246                }
1247        }
1248
1249        /* Remove the tunnel struct from the tunnel list */
1250        pn = l2tp_pernet(tunnel->l2tp_net);
1251        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1252        list_del_rcu(&tunnel->list);
1253        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1254
1255        /* drop initial ref */
1256        l2tp_tunnel_dec_refcount(tunnel);
1257
1258        /* drop workqueue ref */
1259        l2tp_tunnel_dec_refcount(tunnel);
1260}
1261
1262/* Create a socket for the tunnel, if one isn't set up by
1263 * userspace. This is used for static tunnels where there is no
1264 * managing L2TP daemon.
1265 *
1266 * Since we don't want these sockets to keep a namespace alive by
1267 * themselves, we drop the socket's namespace refcount after creation.
1268 * These sockets are freed when the namespace exits using the pernet
1269 * exit hook.
1270 */
1271static int l2tp_tunnel_sock_create(struct net *net,
1272                                   u32 tunnel_id,
1273                                   u32 peer_tunnel_id,
1274                                   struct l2tp_tunnel_cfg *cfg,
1275                                   struct socket **sockp)
1276{
1277        int err = -EINVAL;
1278        struct socket *sock = NULL;
1279        struct udp_port_cfg udp_conf;
1280
1281        switch (cfg->encap) {
1282        case L2TP_ENCAPTYPE_UDP:
1283                memset(&udp_conf, 0, sizeof(udp_conf));
1284
1285#if IS_ENABLED(CONFIG_IPV6)
1286                if (cfg->local_ip6 && cfg->peer_ip6) {
1287                        udp_conf.family = AF_INET6;
1288                        memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1289                               sizeof(udp_conf.local_ip6));
1290                        memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1291                               sizeof(udp_conf.peer_ip6));
1292                        udp_conf.use_udp6_tx_checksums =
1293                          !cfg->udp6_zero_tx_checksums;
1294                        udp_conf.use_udp6_rx_checksums =
1295                          !cfg->udp6_zero_rx_checksums;
1296                } else
1297#endif
1298                {
1299                        udp_conf.family = AF_INET;
1300                        udp_conf.local_ip = cfg->local_ip;
1301                        udp_conf.peer_ip = cfg->peer_ip;
1302                        udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1303                }
1304
1305                udp_conf.local_udp_port = htons(cfg->local_udp_port);
1306                udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1307
1308                err = udp_sock_create(net, &udp_conf, &sock);
1309                if (err < 0)
1310                        goto out;
1311
1312                break;
1313
1314        case L2TP_ENCAPTYPE_IP:
1315#if IS_ENABLED(CONFIG_IPV6)
1316                if (cfg->local_ip6 && cfg->peer_ip6) {
1317                        struct sockaddr_l2tpip6 ip6_addr = {0};
1318
1319                        err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1320                                               IPPROTO_L2TP, &sock);
1321                        if (err < 0)
1322                                goto out;
1323
1324                        ip6_addr.l2tp_family = AF_INET6;
1325                        memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1326                               sizeof(ip6_addr.l2tp_addr));
1327                        ip6_addr.l2tp_conn_id = tunnel_id;
1328                        err = kernel_bind(sock, (struct sockaddr *)&ip6_addr,
1329                                          sizeof(ip6_addr));
1330                        if (err < 0)
1331                                goto out;
1332
1333                        ip6_addr.l2tp_family = AF_INET6;
1334                        memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1335                               sizeof(ip6_addr.l2tp_addr));
1336                        ip6_addr.l2tp_conn_id = peer_tunnel_id;
1337                        err = kernel_connect(sock,
1338                                             (struct sockaddr *)&ip6_addr,
1339                                             sizeof(ip6_addr), 0);
1340                        if (err < 0)
1341                                goto out;
1342                } else
1343#endif
1344                {
1345                        struct sockaddr_l2tpip ip_addr = {0};
1346
1347                        err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1348                                               IPPROTO_L2TP, &sock);
1349                        if (err < 0)
1350                                goto out;
1351
1352                        ip_addr.l2tp_family = AF_INET;
1353                        ip_addr.l2tp_addr = cfg->local_ip;
1354                        ip_addr.l2tp_conn_id = tunnel_id;
1355                        err = kernel_bind(sock, (struct sockaddr *)&ip_addr,
1356                                          sizeof(ip_addr));
1357                        if (err < 0)
1358                                goto out;
1359
1360                        ip_addr.l2tp_family = AF_INET;
1361                        ip_addr.l2tp_addr = cfg->peer_ip;
1362                        ip_addr.l2tp_conn_id = peer_tunnel_id;
1363                        err = kernel_connect(sock, (struct sockaddr *)&ip_addr,
1364                                             sizeof(ip_addr), 0);
1365                        if (err < 0)
1366                                goto out;
1367                }
1368                break;
1369
1370        default:
1371                goto out;
1372        }
1373
1374out:
1375        *sockp = sock;
1376        if (err < 0 && sock) {
1377                kernel_sock_shutdown(sock, SHUT_RDWR);
1378                sock_release(sock);
1379                *sockp = NULL;
1380        }
1381
1382        return err;
1383}
1384
1385static struct lock_class_key l2tp_socket_class;
1386
1387int l2tp_tunnel_create(int fd, int version, u32 tunnel_id, u32 peer_tunnel_id,
1388                       struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1389{
1390        struct l2tp_tunnel *tunnel = NULL;
1391        int err;
1392        enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1393
1394        if (cfg)
1395                encap = cfg->encap;
1396
1397        tunnel = kzalloc(sizeof(*tunnel), GFP_KERNEL);
1398        if (!tunnel) {
1399                err = -ENOMEM;
1400                goto err;
1401        }
1402
1403        tunnel->version = version;
1404        tunnel->tunnel_id = tunnel_id;
1405        tunnel->peer_tunnel_id = peer_tunnel_id;
1406
1407        tunnel->magic = L2TP_TUNNEL_MAGIC;
1408        sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1409        rwlock_init(&tunnel->hlist_lock);
1410        tunnel->acpt_newsess = true;
1411
1412        tunnel->encap = encap;
1413
1414        refcount_set(&tunnel->ref_count, 1);
1415        tunnel->fd = fd;
1416
1417        /* Init delete workqueue struct */
1418        INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1419
1420        INIT_LIST_HEAD(&tunnel->list);
1421
1422        err = 0;
1423err:
1424        if (tunnelp)
1425                *tunnelp = tunnel;
1426
1427        return err;
1428}
1429EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1430
1431static int l2tp_validate_socket(const struct sock *sk, const struct net *net,
1432                                enum l2tp_encap_type encap)
1433{
1434        if (!net_eq(sock_net(sk), net))
1435                return -EINVAL;
1436
1437        if (sk->sk_type != SOCK_DGRAM)
1438                return -EPROTONOSUPPORT;
1439
1440        if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
1441                return -EPROTONOSUPPORT;
1442
1443        if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) ||
1444            (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP))
1445                return -EPROTONOSUPPORT;
1446
1447        if (sk->sk_user_data)
1448                return -EBUSY;
1449
1450        return 0;
1451}
1452
1453int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
1454                         struct l2tp_tunnel_cfg *cfg)
1455{
1456        struct l2tp_tunnel *tunnel_walk;
1457        struct l2tp_net *pn;
1458        struct socket *sock;
1459        struct sock *sk;
1460        int ret;
1461
1462        if (tunnel->fd < 0) {
1463                ret = l2tp_tunnel_sock_create(net, tunnel->tunnel_id,
1464                                              tunnel->peer_tunnel_id, cfg,
1465                                              &sock);
1466                if (ret < 0)
1467                        goto err;
1468        } else {
1469                sock = sockfd_lookup(tunnel->fd, &ret);
1470                if (!sock)
1471                        goto err;
1472
1473                ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
1474                if (ret < 0)
1475                        goto err_sock;
1476        }
1477
1478        tunnel->l2tp_net = net;
1479        pn = l2tp_pernet(net);
1480
1481        sk = sock->sk;
1482        sock_hold(sk);
1483        tunnel->sock = sk;
1484
1485        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1486        list_for_each_entry(tunnel_walk, &pn->l2tp_tunnel_list, list) {
1487                if (tunnel_walk->tunnel_id == tunnel->tunnel_id) {
1488                        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1489                        sock_put(sk);
1490                        ret = -EEXIST;
1491                        goto err_sock;
1492                }
1493        }
1494        list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1495        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1496
1497        if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1498                struct udp_tunnel_sock_cfg udp_cfg = {
1499                        .sk_user_data = tunnel,
1500                        .encap_type = UDP_ENCAP_L2TPINUDP,
1501                        .encap_rcv = l2tp_udp_encap_recv,
1502                        .encap_destroy = l2tp_udp_encap_destroy,
1503                };
1504
1505                setup_udp_tunnel_sock(net, sock, &udp_cfg);
1506        } else {
1507                sk->sk_user_data = tunnel;
1508        }
1509
1510        tunnel->old_sk_destruct = sk->sk_destruct;
1511        sk->sk_destruct = &l2tp_tunnel_destruct;
1512        lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class,
1513                                   "l2tp_sock");
1514        sk->sk_allocation = GFP_ATOMIC;
1515
1516        trace_register_tunnel(tunnel);
1517
1518        if (tunnel->fd >= 0)
1519                sockfd_put(sock);
1520
1521        return 0;
1522
1523err_sock:
1524        if (tunnel->fd < 0)
1525                sock_release(sock);
1526        else
1527                sockfd_put(sock);
1528err:
1529        return ret;
1530}
1531EXPORT_SYMBOL_GPL(l2tp_tunnel_register);
1532
1533/* This function is used by the netlink TUNNEL_DELETE command.
1534 */
1535void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1536{
1537        if (!test_and_set_bit(0, &tunnel->dead)) {
1538                trace_delete_tunnel(tunnel);
1539                l2tp_tunnel_inc_refcount(tunnel);
1540                queue_work(l2tp_wq, &tunnel->del_work);
1541        }
1542}
1543EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1544
1545void l2tp_session_delete(struct l2tp_session *session)
1546{
1547        if (test_and_set_bit(0, &session->dead))
1548                return;
1549
1550        trace_delete_session(session);
1551        l2tp_session_unhash(session);
1552        l2tp_session_queue_purge(session);
1553        if (session->session_close)
1554                (*session->session_close)(session);
1555
1556        l2tp_session_dec_refcount(session);
1557}
1558EXPORT_SYMBOL_GPL(l2tp_session_delete);
1559
1560/* We come here whenever a session's send_seq, cookie_len or
1561 * l2specific_type parameters are set.
1562 */
1563void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1564{
1565        if (version == L2TP_HDR_VER_2) {
1566                session->hdr_len = 6;
1567                if (session->send_seq)
1568                        session->hdr_len += 4;
1569        } else {
1570                session->hdr_len = 4 + session->cookie_len;
1571                session->hdr_len += l2tp_get_l2specific_len(session);
1572                if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1573                        session->hdr_len += 4;
1574        }
1575}
1576EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1577
1578struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id,
1579                                         u32 peer_session_id, struct l2tp_session_cfg *cfg)
1580{
1581        struct l2tp_session *session;
1582
1583        session = kzalloc(sizeof(*session) + priv_size, GFP_KERNEL);
1584        if (session) {
1585                session->magic = L2TP_SESSION_MAGIC;
1586                session->tunnel = tunnel;
1587
1588                session->session_id = session_id;
1589                session->peer_session_id = peer_session_id;
1590                session->nr = 0;
1591                if (tunnel->version == L2TP_HDR_VER_2)
1592                        session->nr_max = 0xffff;
1593                else
1594                        session->nr_max = 0xffffff;
1595                session->nr_window_size = session->nr_max / 2;
1596                session->nr_oos_count_max = 4;
1597
1598                /* Use NR of first received packet */
1599                session->reorder_skip = 1;
1600
1601                sprintf(&session->name[0], "sess %u/%u",
1602                        tunnel->tunnel_id, session->session_id);
1603
1604                skb_queue_head_init(&session->reorder_q);
1605
1606                INIT_HLIST_NODE(&session->hlist);
1607                INIT_HLIST_NODE(&session->global_hlist);
1608
1609                if (cfg) {
1610                        session->pwtype = cfg->pw_type;
1611                        session->send_seq = cfg->send_seq;
1612                        session->recv_seq = cfg->recv_seq;
1613                        session->lns_mode = cfg->lns_mode;
1614                        session->reorder_timeout = cfg->reorder_timeout;
1615                        session->l2specific_type = cfg->l2specific_type;
1616                        session->cookie_len = cfg->cookie_len;
1617                        memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1618                        session->peer_cookie_len = cfg->peer_cookie_len;
1619                        memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1620                }
1621
1622                l2tp_session_set_header_len(session, tunnel->version);
1623
1624                refcount_set(&session->ref_count, 1);
1625
1626                return session;
1627        }
1628
1629        return ERR_PTR(-ENOMEM);
1630}
1631EXPORT_SYMBOL_GPL(l2tp_session_create);
1632
1633/*****************************************************************************
1634 * Init and cleanup
1635 *****************************************************************************/
1636
1637static __net_init int l2tp_init_net(struct net *net)
1638{
1639        struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1640        int hash;
1641
1642        INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1643        spin_lock_init(&pn->l2tp_tunnel_list_lock);
1644
1645        for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1646                INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1647
1648        spin_lock_init(&pn->l2tp_session_hlist_lock);
1649
1650        return 0;
1651}
1652
1653static __net_exit void l2tp_exit_net(struct net *net)
1654{
1655        struct l2tp_net *pn = l2tp_pernet(net);
1656        struct l2tp_tunnel *tunnel = NULL;
1657        int hash;
1658
1659        rcu_read_lock_bh();
1660        list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1661                l2tp_tunnel_delete(tunnel);
1662        }
1663        rcu_read_unlock_bh();
1664
1665        if (l2tp_wq)
1666                flush_workqueue(l2tp_wq);
1667        rcu_barrier();
1668
1669        for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1670                WARN_ON_ONCE(!hlist_empty(&pn->l2tp_session_hlist[hash]));
1671}
1672
1673static struct pernet_operations l2tp_net_ops = {
1674        .init = l2tp_init_net,
1675        .exit = l2tp_exit_net,
1676        .id   = &l2tp_net_id,
1677        .size = sizeof(struct l2tp_net),
1678};
1679
1680static int __init l2tp_init(void)
1681{
1682        int rc = 0;
1683
1684        rc = register_pernet_device(&l2tp_net_ops);
1685        if (rc)
1686                goto out;
1687
1688        l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1689        if (!l2tp_wq) {
1690                pr_err("alloc_workqueue failed\n");
1691                unregister_pernet_device(&l2tp_net_ops);
1692                rc = -ENOMEM;
1693                goto out;
1694        }
1695
1696        pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1697
1698out:
1699        return rc;
1700}
1701
1702static void __exit l2tp_exit(void)
1703{
1704        unregister_pernet_device(&l2tp_net_ops);
1705        if (l2tp_wq) {
1706                destroy_workqueue(l2tp_wq);
1707                l2tp_wq = NULL;
1708        }
1709}
1710
1711module_init(l2tp_init);
1712module_exit(l2tp_exit);
1713
1714MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1715MODULE_DESCRIPTION("L2TP core");
1716MODULE_LICENSE("GPL");
1717MODULE_VERSION(L2TP_DRV_VERSION);
1718