~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/l2tp/l2tp_core.c

Version: ~ [ linux-5.18-rc6 ] ~ [ linux-5.17.6 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.38 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.114 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.192 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.241 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.277 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.312 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.302 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * L2TP core.
  3  *
  4  * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
  5  *
  6  * This file contains some code of the original L2TPv2 pppol2tp
  7  * driver, which has the following copyright:
  8  *
  9  * Authors:     Martijn van Oosterhout <kleptog@svana.org>
 10  *              James Chapman (jchapman@katalix.com)
 11  * Contributors:
 12  *              Michal Ostrowski <mostrows@speakeasy.net>
 13  *              Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
 14  *              David S. Miller (davem@redhat.com)
 15  *
 16  * This program is free software; you can redistribute it and/or modify
 17  * it under the terms of the GNU General Public License version 2 as
 18  * published by the Free Software Foundation.
 19  */
 20 
 21 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 22 
 23 #include <linux/module.h>
 24 #include <linux/string.h>
 25 #include <linux/list.h>
 26 #include <linux/rculist.h>
 27 #include <linux/uaccess.h>
 28 
 29 #include <linux/kernel.h>
 30 #include <linux/spinlock.h>
 31 #include <linux/kthread.h>
 32 #include <linux/sched.h>
 33 #include <linux/slab.h>
 34 #include <linux/errno.h>
 35 #include <linux/jiffies.h>
 36 
 37 #include <linux/netdevice.h>
 38 #include <linux/net.h>
 39 #include <linux/inetdevice.h>
 40 #include <linux/skbuff.h>
 41 #include <linux/init.h>
 42 #include <linux/in.h>
 43 #include <linux/ip.h>
 44 #include <linux/udp.h>
 45 #include <linux/l2tp.h>
 46 #include <linux/hash.h>
 47 #include <linux/sort.h>
 48 #include <linux/file.h>
 49 #include <linux/nsproxy.h>
 50 #include <net/net_namespace.h>
 51 #include <net/netns/generic.h>
 52 #include <net/dst.h>
 53 #include <net/ip.h>
 54 #include <net/udp.h>
 55 #include <net/udp_tunnel.h>
 56 #include <net/inet_common.h>
 57 #include <net/xfrm.h>
 58 #include <net/protocol.h>
 59 #include <net/inet6_connection_sock.h>
 60 #include <net/inet_ecn.h>
 61 #include <net/ip6_route.h>
 62 #include <net/ip6_checksum.h>
 63 
 64 #include <asm/byteorder.h>
 65 #include <linux/atomic.h>
 66 
 67 #include "l2tp_core.h"
 68 
 69 #define L2TP_DRV_VERSION        "V2.0"
 70 
 71 /* L2TP header constants */
 72 #define L2TP_HDRFLAG_T     0x8000
 73 #define L2TP_HDRFLAG_L     0x4000
 74 #define L2TP_HDRFLAG_S     0x0800
 75 #define L2TP_HDRFLAG_O     0x0200
 76 #define L2TP_HDRFLAG_P     0x0100
 77 
 78 #define L2TP_HDR_VER_MASK  0x000F
 79 #define L2TP_HDR_VER_2     0x0002
 80 #define L2TP_HDR_VER_3     0x0003
 81 
 82 /* L2TPv3 default L2-specific sublayer */
 83 #define L2TP_SLFLAG_S      0x40000000
 84 #define L2TP_SL_SEQ_MASK   0x00ffffff
 85 
 86 #define L2TP_HDR_SIZE_SEQ               10
 87 #define L2TP_HDR_SIZE_NOSEQ             6
 88 
 89 /* Default trace flags */
 90 #define L2TP_DEFAULT_DEBUG_FLAGS        0
 91 
 92 /* Private data stored for received packets in the skb.
 93  */
 94 struct l2tp_skb_cb {
 95         u32                     ns;
 96         u16                     has_seq;
 97         u16                     length;
 98         unsigned long           expires;
 99 };
100 
101 #define L2TP_SKB_CB(skb)        ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
102 
103 static atomic_t l2tp_tunnel_count;
104 static atomic_t l2tp_session_count;
105 static struct workqueue_struct *l2tp_wq;
106 
107 /* per-net private data for this module */
108 static unsigned int l2tp_net_id;
109 struct l2tp_net {
110         struct list_head l2tp_tunnel_list;
111         spinlock_t l2tp_tunnel_list_lock;
112         struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
113         spinlock_t l2tp_session_hlist_lock;
114 };
115 
116 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
117 
118 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
119 {
120         return sk->sk_user_data;
121 }
122 
123 static inline struct l2tp_net *l2tp_pernet(struct net *net)
124 {
125         BUG_ON(!net);
126 
127         return net_generic(net, l2tp_net_id);
128 }
129 
130 /* Tunnel reference counts. Incremented per session that is added to
131  * the tunnel.
132  */
133 static inline void l2tp_tunnel_inc_refcount_1(struct l2tp_tunnel *tunnel)
134 {
135         atomic_inc(&tunnel->ref_count);
136 }
137 
138 static inline void l2tp_tunnel_dec_refcount_1(struct l2tp_tunnel *tunnel)
139 {
140         if (atomic_dec_and_test(&tunnel->ref_count))
141                 l2tp_tunnel_free(tunnel);
142 }
143 #ifdef L2TP_REFCNT_DEBUG
144 #define l2tp_tunnel_inc_refcount(_t)                                    \
145 do {                                                                    \
146         pr_debug("l2tp_tunnel_inc_refcount: %s:%d %s: cnt=%d\n",        \
147                  __func__, __LINE__, (_t)->name,                        \
148                  atomic_read(&_t->ref_count));                          \
149         l2tp_tunnel_inc_refcount_1(_t);                                 \
150 } while (0)
151 #define l2tp_tunnel_dec_refcount(_t)                                    \
152 do {                                                                    \
153         pr_debug("l2tp_tunnel_dec_refcount: %s:%d %s: cnt=%d\n",        \
154                  __func__, __LINE__, (_t)->name,                        \
155                  atomic_read(&_t->ref_count));                          \
156         l2tp_tunnel_dec_refcount_1(_t);                                 \
157 } while (0)
158 #else
159 #define l2tp_tunnel_inc_refcount(t) l2tp_tunnel_inc_refcount_1(t)
160 #define l2tp_tunnel_dec_refcount(t) l2tp_tunnel_dec_refcount_1(t)
161 #endif
162 
163 /* Session hash global list for L2TPv3.
164  * The session_id SHOULD be random according to RFC3931, but several
165  * L2TP implementations use incrementing session_ids.  So we do a real
166  * hash on the session_id, rather than a simple bitmask.
167  */
168 static inline struct hlist_head *
169 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
170 {
171         return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
172 
173 }
174 
175 /* Lookup the tunnel socket, possibly involving the fs code if the socket is
176  * owned by userspace.  A struct sock returned from this function must be
177  * released using l2tp_tunnel_sock_put once you're done with it.
178  */
179 static struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
180 {
181         int err = 0;
182         struct socket *sock = NULL;
183         struct sock *sk = NULL;
184 
185         if (!tunnel)
186                 goto out;
187 
188         if (tunnel->fd >= 0) {
189                 /* Socket is owned by userspace, who might be in the process
190                  * of closing it.  Look the socket up using the fd to ensure
191                  * consistency.
192                  */
193                 sock = sockfd_lookup(tunnel->fd, &err);
194                 if (sock)
195                         sk = sock->sk;
196         } else {
197                 /* Socket is owned by kernelspace */
198                 sk = tunnel->sock;
199                 sock_hold(sk);
200         }
201 
202 out:
203         return sk;
204 }
205 
206 /* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
207 static void l2tp_tunnel_sock_put(struct sock *sk)
208 {
209         struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
210         if (tunnel) {
211                 if (tunnel->fd >= 0) {
212                         /* Socket is owned by userspace */
213                         sockfd_put(sk->sk_socket);
214                 }
215                 sock_put(sk);
216         }
217         sock_put(sk);
218 }
219 
220 /* Lookup a session by id in the global session list
221  */
222 static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
223 {
224         struct l2tp_net *pn = l2tp_pernet(net);
225         struct hlist_head *session_list =
226                 l2tp_session_id_hash_2(pn, session_id);
227         struct l2tp_session *session;
228 
229         rcu_read_lock_bh();
230         hlist_for_each_entry_rcu(session, session_list, global_hlist) {
231                 if (session->session_id == session_id) {
232                         rcu_read_unlock_bh();
233                         return session;
234                 }
235         }
236         rcu_read_unlock_bh();
237 
238         return NULL;
239 }
240 
241 /* Session hash list.
242  * The session_id SHOULD be random according to RFC2661, but several
243  * L2TP implementations (Cisco and Microsoft) use incrementing
244  * session_ids.  So we do a real hash on the session_id, rather than a
245  * simple bitmask.
246  */
247 static inline struct hlist_head *
248 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
249 {
250         return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
251 }
252 
253 /* Lookup a session by id
254  */
255 struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunnel, u32 session_id)
256 {
257         struct hlist_head *session_list;
258         struct l2tp_session *session;
259 
260         /* In L2TPv3, session_ids are unique over all tunnels and we
261          * sometimes need to look them up before we know the
262          * tunnel.
263          */
264         if (tunnel == NULL)
265                 return l2tp_session_find_2(net, session_id);
266 
267         session_list = l2tp_session_id_hash(tunnel, session_id);
268         read_lock_bh(&tunnel->hlist_lock);
269         hlist_for_each_entry(session, session_list, hlist) {
270                 if (session->session_id == session_id) {
271                         read_unlock_bh(&tunnel->hlist_lock);
272                         return session;
273                 }
274         }
275         read_unlock_bh(&tunnel->hlist_lock);
276 
277         return NULL;
278 }
279 EXPORT_SYMBOL_GPL(l2tp_session_find);
280 
281 struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
282                                           bool do_ref)
283 {
284         int hash;
285         struct l2tp_session *session;
286         int count = 0;
287 
288         read_lock_bh(&tunnel->hlist_lock);
289         for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
290                 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
291                         if (++count > nth) {
292                                 l2tp_session_inc_refcount(session);
293                                 if (do_ref && session->ref)
294                                         session->ref(session);
295                                 read_unlock_bh(&tunnel->hlist_lock);
296                                 return session;
297                         }
298                 }
299         }
300 
301         read_unlock_bh(&tunnel->hlist_lock);
302 
303         return NULL;
304 }
305 EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
306 
307 /* Lookup a session by interface name.
308  * This is very inefficient but is only used by management interfaces.
309  */
310 struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
311 {
312         struct l2tp_net *pn = l2tp_pernet(net);
313         int hash;
314         struct l2tp_session *session;
315 
316         rcu_read_lock_bh();
317         for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
318                 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
319                         if (!strcmp(session->ifname, ifname)) {
320                                 rcu_read_unlock_bh();
321                                 return session;
322                         }
323                 }
324         }
325 
326         rcu_read_unlock_bh();
327 
328         return NULL;
329 }
330 EXPORT_SYMBOL_GPL(l2tp_session_find_by_ifname);
331 
332 /* Lookup a tunnel by id
333  */
334 struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id)
335 {
336         struct l2tp_tunnel *tunnel;
337         struct l2tp_net *pn = l2tp_pernet(net);
338 
339         rcu_read_lock_bh();
340         list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
341                 if (tunnel->tunnel_id == tunnel_id) {
342                         rcu_read_unlock_bh();
343                         return tunnel;
344                 }
345         }
346         rcu_read_unlock_bh();
347 
348         return NULL;
349 }
350 EXPORT_SYMBOL_GPL(l2tp_tunnel_find);
351 
352 struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth)
353 {
354         struct l2tp_net *pn = l2tp_pernet(net);
355         struct l2tp_tunnel *tunnel;
356         int count = 0;
357 
358         rcu_read_lock_bh();
359         list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
360                 if (++count > nth) {
361                         rcu_read_unlock_bh();
362                         return tunnel;
363                 }
364         }
365 
366         rcu_read_unlock_bh();
367 
368         return NULL;
369 }
370 EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
371 
372 /*****************************************************************************
373  * Receive data handling
374  *****************************************************************************/
375 
376 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
377  * number.
378  */
379 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
380 {
381         struct sk_buff *skbp;
382         struct sk_buff *tmp;
383         u32 ns = L2TP_SKB_CB(skb)->ns;
384 
385         spin_lock_bh(&session->reorder_q.lock);
386         skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
387                 if (L2TP_SKB_CB(skbp)->ns > ns) {
388                         __skb_queue_before(&session->reorder_q, skbp, skb);
389                         l2tp_dbg(session, L2TP_MSG_SEQ,
390                                  "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
391                                  session->name, ns, L2TP_SKB_CB(skbp)->ns,
392                                  skb_queue_len(&session->reorder_q));
393                         atomic_long_inc(&session->stats.rx_oos_packets);
394                         goto out;
395                 }
396         }
397 
398         __skb_queue_tail(&session->reorder_q, skb);
399 
400 out:
401         spin_unlock_bh(&session->reorder_q.lock);
402 }
403 
404 /* Dequeue a single skb.
405  */
406 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
407 {
408         struct l2tp_tunnel *tunnel = session->tunnel;
409         int length = L2TP_SKB_CB(skb)->length;
410 
411         /* We're about to requeue the skb, so return resources
412          * to its current owner (a socket receive buffer).
413          */
414         skb_orphan(skb);
415 
416         atomic_long_inc(&tunnel->stats.rx_packets);
417         atomic_long_add(length, &tunnel->stats.rx_bytes);
418         atomic_long_inc(&session->stats.rx_packets);
419         atomic_long_add(length, &session->stats.rx_bytes);
420 
421         if (L2TP_SKB_CB(skb)->has_seq) {
422                 /* Bump our Nr */
423                 session->nr++;
424                 session->nr &= session->nr_max;
425 
426                 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
427                          session->name, session->nr);
428         }
429 
430         /* call private receive handler */
431         if (session->recv_skb != NULL)
432                 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
433         else
434                 kfree_skb(skb);
435 
436         if (session->deref)
437                 (*session->deref)(session);
438 }
439 
440 /* Dequeue skbs from the session's reorder_q, subject to packet order.
441  * Skbs that have been in the queue for too long are simply discarded.
442  */
443 static void l2tp_recv_dequeue(struct l2tp_session *session)
444 {
445         struct sk_buff *skb;
446         struct sk_buff *tmp;
447 
448         /* If the pkt at the head of the queue has the nr that we
449          * expect to send up next, dequeue it and any other
450          * in-sequence packets behind it.
451          */
452 start:
453         spin_lock_bh(&session->reorder_q.lock);
454         skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
455                 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
456                         atomic_long_inc(&session->stats.rx_seq_discards);
457                         atomic_long_inc(&session->stats.rx_errors);
458                         l2tp_dbg(session, L2TP_MSG_SEQ,
459                                  "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
460                                  session->name, L2TP_SKB_CB(skb)->ns,
461                                  L2TP_SKB_CB(skb)->length, session->nr,
462                                  skb_queue_len(&session->reorder_q));
463                         session->reorder_skip = 1;
464                         __skb_unlink(skb, &session->reorder_q);
465                         kfree_skb(skb);
466                         if (session->deref)
467                                 (*session->deref)(session);
468                         continue;
469                 }
470 
471                 if (L2TP_SKB_CB(skb)->has_seq) {
472                         if (session->reorder_skip) {
473                                 l2tp_dbg(session, L2TP_MSG_SEQ,
474                                          "%s: advancing nr to next pkt: %u -> %u",
475                                          session->name, session->nr,
476                                          L2TP_SKB_CB(skb)->ns);
477                                 session->reorder_skip = 0;
478                                 session->nr = L2TP_SKB_CB(skb)->ns;
479                         }
480                         if (L2TP_SKB_CB(skb)->ns != session->nr) {
481                                 l2tp_dbg(session, L2TP_MSG_SEQ,
482                                          "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
483                                          session->name, L2TP_SKB_CB(skb)->ns,
484                                          L2TP_SKB_CB(skb)->length, session->nr,
485                                          skb_queue_len(&session->reorder_q));
486                                 goto out;
487                         }
488                 }
489                 __skb_unlink(skb, &session->reorder_q);
490 
491                 /* Process the skb. We release the queue lock while we
492                  * do so to let other contexts process the queue.
493                  */
494                 spin_unlock_bh(&session->reorder_q.lock);
495                 l2tp_recv_dequeue_skb(session, skb);
496                 goto start;
497         }
498 
499 out:
500         spin_unlock_bh(&session->reorder_q.lock);
501 }
502 
503 static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
504 {
505         u32 nws;
506 
507         if (nr >= session->nr)
508                 nws = nr - session->nr;
509         else
510                 nws = (session->nr_max + 1) - (session->nr - nr);
511 
512         return nws < session->nr_window_size;
513 }
514 
515 /* If packet has sequence numbers, queue it if acceptable. Returns 0 if
516  * acceptable, else non-zero.
517  */
518 static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
519 {
520         if (!l2tp_seq_check_rx_window(session, L2TP_SKB_CB(skb)->ns)) {
521                 /* Packet sequence number is outside allowed window.
522                  * Discard it.
523                  */
524                 l2tp_dbg(session, L2TP_MSG_SEQ,
525                          "%s: pkt %u len %d discarded, outside window, nr=%u\n",
526                          session->name, L2TP_SKB_CB(skb)->ns,
527                          L2TP_SKB_CB(skb)->length, session->nr);
528                 goto discard;
529         }
530 
531         if (session->reorder_timeout != 0) {
532                 /* Packet reordering enabled. Add skb to session's
533                  * reorder queue, in order of ns.
534                  */
535                 l2tp_recv_queue_skb(session, skb);
536                 goto out;
537         }
538 
539         /* Packet reordering disabled. Discard out-of-sequence packets, while
540          * tracking the number if in-sequence packets after the first OOS packet
541          * is seen. After nr_oos_count_max in-sequence packets, reset the
542          * sequence number to re-enable packet reception.
543          */
544         if (L2TP_SKB_CB(skb)->ns == session->nr) {
545                 skb_queue_tail(&session->reorder_q, skb);
546         } else {
547                 u32 nr_oos = L2TP_SKB_CB(skb)->ns;
548                 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
549 
550                 if (nr_oos == nr_next)
551                         session->nr_oos_count++;
552                 else
553                         session->nr_oos_count = 0;
554 
555                 session->nr_oos = nr_oos;
556                 if (session->nr_oos_count > session->nr_oos_count_max) {
557                         session->reorder_skip = 1;
558                         l2tp_dbg(session, L2TP_MSG_SEQ,
559                                  "%s: %d oos packets received. Resetting sequence numbers\n",
560                                  session->name, session->nr_oos_count);
561                 }
562                 if (!session->reorder_skip) {
563                         atomic_long_inc(&session->stats.rx_seq_discards);
564                         l2tp_dbg(session, L2TP_MSG_SEQ,
565                                  "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
566                                  session->name, L2TP_SKB_CB(skb)->ns,
567                                  L2TP_SKB_CB(skb)->length, session->nr,
568                                  skb_queue_len(&session->reorder_q));
569                         goto discard;
570                 }
571                 skb_queue_tail(&session->reorder_q, skb);
572         }
573 
574 out:
575         return 0;
576 
577 discard:
578         return 1;
579 }
580 
581 /* Do receive processing of L2TP data frames. We handle both L2TPv2
582  * and L2TPv3 data frames here.
583  *
584  * L2TPv2 Data Message Header
585  *
586  *  0                   1                   2                   3
587  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
588  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
589  * |T|L|x|x|S|x|O|P|x|x|x|x|  Ver  |          Length (opt)         |
590  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
591  * |           Tunnel ID           |           Session ID          |
592  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
593  * |             Ns (opt)          |             Nr (opt)          |
594  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
595  * |      Offset Size (opt)        |    Offset pad... (opt)
596  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
597  *
598  * Data frames are marked by T=0. All other fields are the same as
599  * those in L2TP control frames.
600  *
601  * L2TPv3 Data Message Header
602  *
603  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
604  * |                      L2TP Session Header                      |
605  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
606  * |                      L2-Specific Sublayer                     |
607  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
608  * |                        Tunnel Payload                      ...
609  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
610  *
611  * L2TPv3 Session Header Over IP
612  *
613  *  0                   1                   2                   3
614  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
615  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
616  * |                           Session ID                          |
617  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
618  * |               Cookie (optional, maximum 64 bits)...
619  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
620  *                                                                 |
621  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
622  *
623  * L2TPv3 L2-Specific Sublayer Format
624  *
625  *  0                   1                   2                   3
626  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
627  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
628  * |x|S|x|x|x|x|x|x|              Sequence Number                  |
629  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
630  *
631  * Cookie value, sublayer format and offset (pad) are negotiated with
632  * the peer when the session is set up. Unlike L2TPv2, we do not need
633  * to parse the packet header to determine if optional fields are
634  * present.
635  *
636  * Caller must already have parsed the frame and determined that it is
637  * a data (not control) frame before coming here. Fields up to the
638  * session-id have already been parsed and ptr points to the data
639  * after the session-id.
640  */
641 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
642                       unsigned char *ptr, unsigned char *optr, u16 hdrflags,
643                       int length, int (*payload_hook)(struct sk_buff *skb))
644 {
645         struct l2tp_tunnel *tunnel = session->tunnel;
646         int offset;
647         u32 ns, nr;
648 
649         /* The ref count is increased since we now hold a pointer to
650          * the session. Take care to decrement the refcnt when exiting
651          * this function from now on...
652          */
653         l2tp_session_inc_refcount(session);
654         if (session->ref)
655                 (*session->ref)(session);
656 
657         /* Parse and check optional cookie */
658         if (session->peer_cookie_len > 0) {
659                 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
660                         l2tp_info(tunnel, L2TP_MSG_DATA,
661                                   "%s: cookie mismatch (%u/%u). Discarding.\n",
662                                   tunnel->name, tunnel->tunnel_id,
663                                   session->session_id);
664                         atomic_long_inc(&session->stats.rx_cookie_discards);
665                         goto discard;
666                 }
667                 ptr += session->peer_cookie_len;
668         }
669 
670         /* Handle the optional sequence numbers. Sequence numbers are
671          * in different places for L2TPv2 and L2TPv3.
672          *
673          * If we are the LAC, enable/disable sequence numbers under
674          * the control of the LNS.  If no sequence numbers present but
675          * we were expecting them, discard frame.
676          */
677         ns = nr = 0;
678         L2TP_SKB_CB(skb)->has_seq = 0;
679         if (tunnel->version == L2TP_HDR_VER_2) {
680                 if (hdrflags & L2TP_HDRFLAG_S) {
681                         ns = ntohs(*(__be16 *) ptr);
682                         ptr += 2;
683                         nr = ntohs(*(__be16 *) ptr);
684                         ptr += 2;
685 
686                         /* Store L2TP info in the skb */
687                         L2TP_SKB_CB(skb)->ns = ns;
688                         L2TP_SKB_CB(skb)->has_seq = 1;
689 
690                         l2tp_dbg(session, L2TP_MSG_SEQ,
691                                  "%s: recv data ns=%u, nr=%u, session nr=%u\n",
692                                  session->name, ns, nr, session->nr);
693                 }
694         } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
695                 u32 l2h = ntohl(*(__be32 *) ptr);
696 
697                 if (l2h & 0x40000000) {
698                         ns = l2h & 0x00ffffff;
699 
700                         /* Store L2TP info in the skb */
701                         L2TP_SKB_CB(skb)->ns = ns;
702                         L2TP_SKB_CB(skb)->has_seq = 1;
703 
704                         l2tp_dbg(session, L2TP_MSG_SEQ,
705                                  "%s: recv data ns=%u, session nr=%u\n",
706                                  session->name, ns, session->nr);
707                 }
708         }
709 
710         /* Advance past L2-specific header, if present */
711         ptr += session->l2specific_len;
712 
713         if (L2TP_SKB_CB(skb)->has_seq) {
714                 /* Received a packet with sequence numbers. If we're the LNS,
715                  * check if we sre sending sequence numbers and if not,
716                  * configure it so.
717                  */
718                 if ((!session->lns_mode) && (!session->send_seq)) {
719                         l2tp_info(session, L2TP_MSG_SEQ,
720                                   "%s: requested to enable seq numbers by LNS\n",
721                                   session->name);
722                         session->send_seq = 1;
723                         l2tp_session_set_header_len(session, tunnel->version);
724                 }
725         } else {
726                 /* No sequence numbers.
727                  * If user has configured mandatory sequence numbers, discard.
728                  */
729                 if (session->recv_seq) {
730                         l2tp_warn(session, L2TP_MSG_SEQ,
731                                   "%s: recv data has no seq numbers when required. Discarding.\n",
732                                   session->name);
733                         atomic_long_inc(&session->stats.rx_seq_discards);
734                         goto discard;
735                 }
736 
737                 /* If we're the LAC and we're sending sequence numbers, the
738                  * LNS has requested that we no longer send sequence numbers.
739                  * If we're the LNS and we're sending sequence numbers, the
740                  * LAC is broken. Discard the frame.
741                  */
742                 if ((!session->lns_mode) && (session->send_seq)) {
743                         l2tp_info(session, L2TP_MSG_SEQ,
744                                   "%s: requested to disable seq numbers by LNS\n",
745                                   session->name);
746                         session->send_seq = 0;
747                         l2tp_session_set_header_len(session, tunnel->version);
748                 } else if (session->send_seq) {
749                         l2tp_warn(session, L2TP_MSG_SEQ,
750                                   "%s: recv data has no seq numbers when required. Discarding.\n",
751                                   session->name);
752                         atomic_long_inc(&session->stats.rx_seq_discards);
753                         goto discard;
754                 }
755         }
756 
757         /* Session data offset is handled differently for L2TPv2 and
758          * L2TPv3. For L2TPv2, there is an optional 16-bit value in
759          * the header. For L2TPv3, the offset is negotiated using AVPs
760          * in the session setup control protocol.
761          */
762         if (tunnel->version == L2TP_HDR_VER_2) {
763                 /* If offset bit set, skip it. */
764                 if (hdrflags & L2TP_HDRFLAG_O) {
765                         offset = ntohs(*(__be16 *)ptr);
766                         ptr += 2 + offset;
767                 }
768         } else
769                 ptr += session->offset;
770 
771         offset = ptr - optr;
772         if (!pskb_may_pull(skb, offset))
773                 goto discard;
774 
775         __skb_pull(skb, offset);
776 
777         /* If caller wants to process the payload before we queue the
778          * packet, do so now.
779          */
780         if (payload_hook)
781                 if ((*payload_hook)(skb))
782                         goto discard;
783 
784         /* Prepare skb for adding to the session's reorder_q.  Hold
785          * packets for max reorder_timeout or 1 second if not
786          * reordering.
787          */
788         L2TP_SKB_CB(skb)->length = length;
789         L2TP_SKB_CB(skb)->expires = jiffies +
790                 (session->reorder_timeout ? session->reorder_timeout : HZ);
791 
792         /* Add packet to the session's receive queue. Reordering is done here, if
793          * enabled. Saved L2TP protocol info is stored in skb->sb[].
794          */
795         if (L2TP_SKB_CB(skb)->has_seq) {
796                 if (l2tp_recv_data_seq(session, skb))
797                         goto discard;
798         } else {
799                 /* No sequence numbers. Add the skb to the tail of the
800                  * reorder queue. This ensures that it will be
801                  * delivered after all previous sequenced skbs.
802                  */
803                 skb_queue_tail(&session->reorder_q, skb);
804         }
805 
806         /* Try to dequeue as many skbs from reorder_q as we can. */
807         l2tp_recv_dequeue(session);
808 
809         l2tp_session_dec_refcount(session);
810 
811         return;
812 
813 discard:
814         atomic_long_inc(&session->stats.rx_errors);
815         kfree_skb(skb);
816 
817         if (session->deref)
818                 (*session->deref)(session);
819 
820         l2tp_session_dec_refcount(session);
821 }
822 EXPORT_SYMBOL(l2tp_recv_common);
823 
824 /* Drop skbs from the session's reorder_q
825  */
826 int l2tp_session_queue_purge(struct l2tp_session *session)
827 {
828         struct sk_buff *skb = NULL;
829         BUG_ON(!session);
830         BUG_ON(session->magic != L2TP_SESSION_MAGIC);
831         while ((skb = skb_dequeue(&session->reorder_q))) {
832                 atomic_long_inc(&session->stats.rx_errors);
833                 kfree_skb(skb);
834                 if (session->deref)
835                         (*session->deref)(session);
836         }
837         return 0;
838 }
839 EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
840 
841 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
842  * here. The skb is not on a list when we get here.
843  * Returns 0 if the packet was a data packet and was successfully passed on.
844  * Returns 1 if the packet was not a good data packet and could not be
845  * forwarded.  All such packets are passed up to userspace to deal with.
846  */
847 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
848                               int (*payload_hook)(struct sk_buff *skb))
849 {
850         struct l2tp_session *session = NULL;
851         unsigned char *ptr, *optr;
852         u16 hdrflags;
853         u32 tunnel_id, session_id;
854         u16 version;
855         int length;
856 
857         /* UDP has verifed checksum */
858 
859         /* UDP always verifies the packet length. */
860         __skb_pull(skb, sizeof(struct udphdr));
861 
862         /* Short packet? */
863         if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
864                 l2tp_info(tunnel, L2TP_MSG_DATA,
865                           "%s: recv short packet (len=%d)\n",
866                           tunnel->name, skb->len);
867                 goto error;
868         }
869 
870         /* Trace packet contents, if enabled */
871         if (tunnel->debug & L2TP_MSG_DATA) {
872                 length = min(32u, skb->len);
873                 if (!pskb_may_pull(skb, length))
874                         goto error;
875 
876                 pr_debug("%s: recv\n", tunnel->name);
877                 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
878         }
879 
880         /* Point to L2TP header */
881         optr = ptr = skb->data;
882 
883         /* Get L2TP header flags */
884         hdrflags = ntohs(*(__be16 *) ptr);
885 
886         /* Check protocol version */
887         version = hdrflags & L2TP_HDR_VER_MASK;
888         if (version != tunnel->version) {
889                 l2tp_info(tunnel, L2TP_MSG_DATA,
890                           "%s: recv protocol version mismatch: got %d expected %d\n",
891                           tunnel->name, version, tunnel->version);
892                 goto error;
893         }
894 
895         /* Get length of L2TP packet */
896         length = skb->len;
897 
898         /* If type is control packet, it is handled by userspace. */
899         if (hdrflags & L2TP_HDRFLAG_T) {
900                 l2tp_dbg(tunnel, L2TP_MSG_DATA,
901                          "%s: recv control packet, len=%d\n",
902                          tunnel->name, length);
903                 goto error;
904         }
905 
906         /* Skip flags */
907         ptr += 2;
908 
909         if (tunnel->version == L2TP_HDR_VER_2) {
910                 /* If length is present, skip it */
911                 if (hdrflags & L2TP_HDRFLAG_L)
912                         ptr += 2;
913 
914                 /* Extract tunnel and session ID */
915                 tunnel_id = ntohs(*(__be16 *) ptr);
916                 ptr += 2;
917                 session_id = ntohs(*(__be16 *) ptr);
918                 ptr += 2;
919         } else {
920                 ptr += 2;       /* skip reserved bits */
921                 tunnel_id = tunnel->tunnel_id;
922                 session_id = ntohl(*(__be32 *) ptr);
923                 ptr += 4;
924         }
925 
926         /* Find the session context */
927         session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id);
928         if (!session || !session->recv_skb) {
929                 /* Not found? Pass to userspace to deal with */
930                 l2tp_info(tunnel, L2TP_MSG_DATA,
931                           "%s: no session found (%u/%u). Passing up.\n",
932                           tunnel->name, tunnel_id, session_id);
933                 goto error;
934         }
935 
936         l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
937 
938         return 0;
939 
940 error:
941         /* Put UDP header back */
942         __skb_push(skb, sizeof(struct udphdr));
943 
944         return 1;
945 }
946 
947 /* UDP encapsulation receive handler. See net/ipv4/udp.c.
948  * Return codes:
949  * 0 : success.
950  * <0: error
951  * >0: skb should be passed up to userspace as UDP.
952  */
953 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
954 {
955         struct l2tp_tunnel *tunnel;
956 
957         tunnel = l2tp_sock_to_tunnel(sk);
958         if (tunnel == NULL)
959                 goto pass_up;
960 
961         l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
962                  tunnel->name, skb->len);
963 
964         if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
965                 goto pass_up_put;
966 
967         sock_put(sk);
968         return 0;
969 
970 pass_up_put:
971         sock_put(sk);
972 pass_up:
973         return 1;
974 }
975 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
976 
977 /************************************************************************
978  * Transmit handling
979  ***********************************************************************/
980 
981 /* Build an L2TP header for the session into the buffer provided.
982  */
983 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
984 {
985         struct l2tp_tunnel *tunnel = session->tunnel;
986         __be16 *bufp = buf;
987         __be16 *optr = buf;
988         u16 flags = L2TP_HDR_VER_2;
989         u32 tunnel_id = tunnel->peer_tunnel_id;
990         u32 session_id = session->peer_session_id;
991 
992         if (session->send_seq)
993                 flags |= L2TP_HDRFLAG_S;
994 
995         /* Setup L2TP header. */
996         *bufp++ = htons(flags);
997         *bufp++ = htons(tunnel_id);
998         *bufp++ = htons(session_id);
999         if (session->send_seq) {
1000                 *bufp++ = htons(session->ns);
1001                 *bufp++ = 0;
1002                 session->ns++;
1003                 session->ns &= 0xffff;
1004                 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
1005                          session->name, session->ns);
1006         }
1007 
1008         return bufp - optr;
1009 }
1010 
1011 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1012 {
1013         struct l2tp_tunnel *tunnel = session->tunnel;
1014         char *bufp = buf;
1015         char *optr = bufp;
1016 
1017         /* Setup L2TP header. The header differs slightly for UDP and
1018          * IP encapsulations. For UDP, there is 4 bytes of flags.
1019          */
1020         if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1021                 u16 flags = L2TP_HDR_VER_3;
1022                 *((__be16 *) bufp) = htons(flags);
1023                 bufp += 2;
1024                 *((__be16 *) bufp) = 0;
1025                 bufp += 2;
1026         }
1027 
1028         *((__be32 *) bufp) = htonl(session->peer_session_id);
1029         bufp += 4;
1030         if (session->cookie_len) {
1031                 memcpy(bufp, &session->cookie[0], session->cookie_len);
1032                 bufp += session->cookie_len;
1033         }
1034         if (session->l2specific_len) {
1035                 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1036                         u32 l2h = 0;
1037                         if (session->send_seq) {
1038                                 l2h = 0x40000000 | session->ns;
1039                                 session->ns++;
1040                                 session->ns &= 0xffffff;
1041                                 l2tp_dbg(session, L2TP_MSG_SEQ,
1042                                          "%s: updated ns to %u\n",
1043                                          session->name, session->ns);
1044                         }
1045 
1046                         *((__be32 *) bufp) = htonl(l2h);
1047                 }
1048                 bufp += session->l2specific_len;
1049         }
1050         if (session->offset)
1051                 bufp += session->offset;
1052 
1053         return bufp - optr;
1054 }
1055 
1056 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1057                           struct flowi *fl, size_t data_len)
1058 {
1059         struct l2tp_tunnel *tunnel = session->tunnel;
1060         unsigned int len = skb->len;
1061         int error;
1062 
1063         /* Debug */
1064         if (session->send_seq)
1065                 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes, ns=%u\n",
1066                          session->name, data_len, session->ns - 1);
1067         else
1068                 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes\n",
1069                          session->name, data_len);
1070 
1071         if (session->debug & L2TP_MSG_DATA) {
1072                 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1073                 unsigned char *datap = skb->data + uhlen;
1074 
1075                 pr_debug("%s: xmit\n", session->name);
1076                 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1077                                      datap, min_t(size_t, 32, len - uhlen));
1078         }
1079 
1080         /* Queue the packet to IP for output */
1081         skb->ignore_df = 1;
1082 #if IS_ENABLED(CONFIG_IPV6)
1083         if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
1084                 error = inet6_csk_xmit(tunnel->sock, skb, NULL);
1085         else
1086 #endif
1087                 error = ip_queue_xmit(tunnel->sock, skb, fl);
1088 
1089         /* Update stats */
1090         if (error >= 0) {
1091                 atomic_long_inc(&tunnel->stats.tx_packets);
1092                 atomic_long_add(len, &tunnel->stats.tx_bytes);
1093                 atomic_long_inc(&session->stats.tx_packets);
1094                 atomic_long_add(len, &session->stats.tx_bytes);
1095         } else {
1096                 atomic_long_inc(&tunnel->stats.tx_errors);
1097                 atomic_long_inc(&session->stats.tx_errors);
1098         }
1099 
1100         return 0;
1101 }
1102 
1103 /* If caller requires the skb to have a ppp header, the header must be
1104  * inserted in the skb data before calling this function.
1105  */
1106 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1107 {
1108         int data_len = skb->len;
1109         struct l2tp_tunnel *tunnel = session->tunnel;
1110         struct sock *sk = tunnel->sock;
1111         struct flowi *fl;
1112         struct udphdr *uh;
1113         struct inet_sock *inet;
1114         int headroom;
1115         int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1116         int udp_len;
1117         int ret = NET_XMIT_SUCCESS;
1118 
1119         /* Check that there's enough headroom in the skb to insert IP,
1120          * UDP and L2TP headers. If not enough, expand it to
1121          * make room. Adjust truesize.
1122          */
1123         headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1124                 uhlen + hdr_len;
1125         if (skb_cow_head(skb, headroom)) {
1126                 kfree_skb(skb);
1127                 return NET_XMIT_DROP;
1128         }
1129 
1130         /* Setup L2TP header */
1131         session->build_header(session, __skb_push(skb, hdr_len));
1132 
1133         /* Reset skb netfilter state */
1134         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1135         IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1136                               IPSKB_REROUTED);
1137         nf_reset(skb);
1138 
1139         bh_lock_sock(sk);
1140         if (sock_owned_by_user(sk)) {
1141                 kfree_skb(skb);
1142                 ret = NET_XMIT_DROP;
1143                 goto out_unlock;
1144         }
1145 
1146         /* Get routing info from the tunnel socket */
1147         skb_dst_drop(skb);
1148         skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
1149 
1150         inet = inet_sk(sk);
1151         fl = &inet->cork.fl;
1152         switch (tunnel->encap) {
1153         case L2TP_ENCAPTYPE_UDP:
1154                 /* Setup UDP header */
1155                 __skb_push(skb, sizeof(*uh));
1156                 skb_reset_transport_header(skb);
1157                 uh = udp_hdr(skb);
1158                 uh->source = inet->inet_sport;
1159                 uh->dest = inet->inet_dport;
1160                 udp_len = uhlen + hdr_len + data_len;
1161                 uh->len = htons(udp_len);
1162 
1163                 /* Calculate UDP checksum if configured to do so */
1164 #if IS_ENABLED(CONFIG_IPV6)
1165                 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
1166                         udp6_set_csum(udp_get_no_check6_tx(sk),
1167                                       skb, &inet6_sk(sk)->saddr,
1168                                       &sk->sk_v6_daddr, udp_len);
1169                 else
1170 #endif
1171                 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1172                              inet->inet_daddr, udp_len);
1173                 break;
1174 
1175         case L2TP_ENCAPTYPE_IP:
1176                 break;
1177         }
1178 
1179         l2tp_xmit_core(session, skb, fl, data_len);
1180 out_unlock:
1181         bh_unlock_sock(sk);
1182 
1183         return ret;
1184 }
1185 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1186 
1187 /*****************************************************************************
1188  * Tinnel and session create/destroy.
1189  *****************************************************************************/
1190 
1191 /* Tunnel socket destruct hook.
1192  * The tunnel context is deleted only when all session sockets have been
1193  * closed.
1194  */
1195 static void l2tp_tunnel_destruct(struct sock *sk)
1196 {
1197         struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
1198         struct l2tp_net *pn;
1199 
1200         if (tunnel == NULL)
1201                 goto end;
1202 
1203         l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1204 
1205 
1206         /* Disable udp encapsulation */
1207         switch (tunnel->encap) {
1208         case L2TP_ENCAPTYPE_UDP:
1209                 /* No longer an encapsulation socket. See net/ipv4/udp.c */
1210                 (udp_sk(sk))->encap_type = 0;
1211                 (udp_sk(sk))->encap_rcv = NULL;
1212                 (udp_sk(sk))->encap_destroy = NULL;
1213                 break;
1214         case L2TP_ENCAPTYPE_IP:
1215                 break;
1216         }
1217 
1218         /* Remove hooks into tunnel socket */
1219         sk->sk_destruct = tunnel->old_sk_destruct;
1220         sk->sk_user_data = NULL;
1221         tunnel->sock = NULL;
1222 
1223         /* Remove the tunnel struct from the tunnel list */
1224         pn = l2tp_pernet(tunnel->l2tp_net);
1225         spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1226         list_del_rcu(&tunnel->list);
1227         spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1228         atomic_dec(&l2tp_tunnel_count);
1229 
1230         l2tp_tunnel_closeall(tunnel);
1231         l2tp_tunnel_dec_refcount(tunnel);
1232 
1233         /* Call the original destructor */
1234         if (sk->sk_destruct)
1235                 (*sk->sk_destruct)(sk);
1236 end:
1237         return;
1238 }
1239 
1240 /* When the tunnel is closed, all the attached sessions need to go too.
1241  */
1242 void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1243 {
1244         int hash;
1245         struct hlist_node *walk;
1246         struct hlist_node *tmp;
1247         struct l2tp_session *session;
1248 
1249         BUG_ON(tunnel == NULL);
1250 
1251         l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1252                   tunnel->name);
1253 
1254         write_lock_bh(&tunnel->hlist_lock);
1255         for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1256 again:
1257                 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1258                         session = hlist_entry(walk, struct l2tp_session, hlist);
1259 
1260                         l2tp_info(session, L2TP_MSG_CONTROL,
1261                                   "%s: closing session\n", session->name);
1262 
1263                         hlist_del_init(&session->hlist);
1264 
1265                         if (session->ref != NULL)
1266                                 (*session->ref)(session);
1267 
1268                         write_unlock_bh(&tunnel->hlist_lock);
1269 
1270                         __l2tp_session_unhash(session);
1271                         l2tp_session_queue_purge(session);
1272 
1273                         if (session->session_close != NULL)
1274                                 (*session->session_close)(session);
1275 
1276                         if (session->deref != NULL)
1277                                 (*session->deref)(session);
1278 
1279                         l2tp_session_dec_refcount(session);
1280 
1281                         write_lock_bh(&tunnel->hlist_lock);
1282 
1283                         /* Now restart from the beginning of this hash
1284                          * chain.  We always remove a session from the
1285                          * list so we are guaranteed to make forward
1286                          * progress.
1287                          */
1288                         goto again;
1289                 }
1290         }
1291         write_unlock_bh(&tunnel->hlist_lock);
1292 }
1293 EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
1294 
1295 /* Tunnel socket destroy hook for UDP encapsulation */
1296 static void l2tp_udp_encap_destroy(struct sock *sk)
1297 {
1298         struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
1299         if (tunnel) {
1300                 l2tp_tunnel_closeall(tunnel);
1301                 sock_put(sk);
1302         }
1303 }
1304 
1305 /* Really kill the tunnel.
1306  * Come here only when all sessions have been cleared from the tunnel.
1307  */
1308 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
1309 {
1310         BUG_ON(atomic_read(&tunnel->ref_count) != 0);
1311         BUG_ON(tunnel->sock != NULL);
1312         l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: free...\n", tunnel->name);
1313         kfree_rcu(tunnel, rcu);
1314 }
1315 
1316 /* Workqueue tunnel deletion function */
1317 static void l2tp_tunnel_del_work(struct work_struct *work)
1318 {
1319         struct l2tp_tunnel *tunnel = NULL;
1320         struct socket *sock = NULL;
1321         struct sock *sk = NULL;
1322 
1323         tunnel = container_of(work, struct l2tp_tunnel, del_work);
1324         sk = l2tp_tunnel_sock_lookup(tunnel);
1325         if (!sk)
1326                 goto out;
1327 
1328         sock = sk->sk_socket;
1329 
1330         /* If the tunnel socket was created by userspace, then go through the
1331          * inet layer to shut the socket down, and let userspace close it.
1332          * Otherwise, if we created the socket directly within the kernel, use
1333          * the sk API to release it here.
1334          * In either case the tunnel resources are freed in the socket
1335          * destructor when the tunnel socket goes away.
1336          */
1337         if (tunnel->fd >= 0) {
1338                 if (sock)
1339                         inet_shutdown(sock, 2);
1340         } else {
1341                 if (sock) {
1342                         kernel_sock_shutdown(sock, SHUT_RDWR);
1343                         sock_release(sock);
1344                 }
1345         }
1346 
1347         l2tp_tunnel_sock_put(sk);
1348 out:
1349         l2tp_tunnel_dec_refcount(tunnel);
1350 }
1351 
1352 /* Create a socket for the tunnel, if one isn't set up by
1353  * userspace. This is used for static tunnels where there is no
1354  * managing L2TP daemon.
1355  *
1356  * Since we don't want these sockets to keep a namespace alive by
1357  * themselves, we drop the socket's namespace refcount after creation.
1358  * These sockets are freed when the namespace exits using the pernet
1359  * exit hook.
1360  */
1361 static int l2tp_tunnel_sock_create(struct net *net,
1362                                 u32 tunnel_id,
1363                                 u32 peer_tunnel_id,
1364                                 struct l2tp_tunnel_cfg *cfg,
1365                                 struct socket **sockp)
1366 {
1367         int err = -EINVAL;
1368         struct socket *sock = NULL;
1369         struct udp_port_cfg udp_conf;
1370 
1371         switch (cfg->encap) {
1372         case L2TP_ENCAPTYPE_UDP:
1373                 memset(&udp_conf, 0, sizeof(udp_conf));
1374 
1375 #if IS_ENABLED(CONFIG_IPV6)
1376                 if (cfg->local_ip6 && cfg->peer_ip6) {
1377                         udp_conf.family = AF_INET6;
1378                         memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1379                                sizeof(udp_conf.local_ip6));
1380                         memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1381                                sizeof(udp_conf.peer_ip6));
1382                         udp_conf.use_udp6_tx_checksums =
1383                           ! cfg->udp6_zero_tx_checksums;
1384                         udp_conf.use_udp6_rx_checksums =
1385                           ! cfg->udp6_zero_rx_checksums;
1386                 } else
1387 #endif
1388                 {
1389                         udp_conf.family = AF_INET;
1390                         udp_conf.local_ip = cfg->local_ip;
1391                         udp_conf.peer_ip = cfg->peer_ip;
1392                         udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1393                 }
1394 
1395                 udp_conf.local_udp_port = htons(cfg->local_udp_port);
1396                 udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1397 
1398                 err = udp_sock_create(net, &udp_conf, &sock);
1399                 if (err < 0)
1400                         goto out;
1401 
1402                 break;
1403 
1404         case L2TP_ENCAPTYPE_IP:
1405 #if IS_ENABLED(CONFIG_IPV6)
1406                 if (cfg->local_ip6 && cfg->peer_ip6) {
1407                         struct sockaddr_l2tpip6 ip6_addr = {0};
1408 
1409                         err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1410                                           IPPROTO_L2TP, &sock);
1411                         if (err < 0)
1412                                 goto out;
1413 
1414                         ip6_addr.l2tp_family = AF_INET6;
1415                         memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1416                                sizeof(ip6_addr.l2tp_addr));
1417                         ip6_addr.l2tp_conn_id = tunnel_id;
1418                         err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1419                                           sizeof(ip6_addr));
1420                         if (err < 0)
1421                                 goto out;
1422 
1423                         ip6_addr.l2tp_family = AF_INET6;
1424                         memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1425                                sizeof(ip6_addr.l2tp_addr));
1426                         ip6_addr.l2tp_conn_id = peer_tunnel_id;
1427                         err = kernel_connect(sock,
1428                                              (struct sockaddr *) &ip6_addr,
1429                                              sizeof(ip6_addr), 0);
1430                         if (err < 0)
1431                                 goto out;
1432                 } else
1433 #endif
1434                 {
1435                         struct sockaddr_l2tpip ip_addr = {0};
1436 
1437                         err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1438                                           IPPROTO_L2TP, &sock);
1439                         if (err < 0)
1440                                 goto out;
1441 
1442                         ip_addr.l2tp_family = AF_INET;
1443                         ip_addr.l2tp_addr = cfg->local_ip;
1444                         ip_addr.l2tp_conn_id = tunnel_id;
1445                         err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1446                                           sizeof(ip_addr));
1447                         if (err < 0)
1448                                 goto out;
1449 
1450                         ip_addr.l2tp_family = AF_INET;
1451                         ip_addr.l2tp_addr = cfg->peer_ip;
1452                         ip_addr.l2tp_conn_id = peer_tunnel_id;
1453                         err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1454                                              sizeof(ip_addr), 0);
1455                         if (err < 0)
1456                                 goto out;
1457                 }
1458                 break;
1459 
1460         default:
1461                 goto out;
1462         }
1463 
1464 out:
1465         *sockp = sock;
1466         if ((err < 0) && sock) {
1467                 kernel_sock_shutdown(sock, SHUT_RDWR);
1468                 sock_release(sock);
1469                 *sockp = NULL;
1470         }
1471 
1472         return err;
1473 }
1474 
1475 static struct lock_class_key l2tp_socket_class;
1476 
1477 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1478 {
1479         struct l2tp_tunnel *tunnel = NULL;
1480         int err;
1481         struct socket *sock = NULL;
1482         struct sock *sk = NULL;
1483         struct l2tp_net *pn;
1484         enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1485 
1486         /* Get the tunnel socket from the fd, which was opened by
1487          * the userspace L2TP daemon. If not specified, create a
1488          * kernel socket.
1489          */
1490         if (fd < 0) {
1491                 err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id,
1492                                 cfg, &sock);
1493                 if (err < 0)
1494                         goto err;
1495         } else {
1496                 sock = sockfd_lookup(fd, &err);
1497                 if (!sock) {
1498                         pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n",
1499                                tunnel_id, fd, err);
1500                         err = -EBADF;
1501                         goto err;
1502                 }
1503 
1504                 /* Reject namespace mismatches */
1505                 if (!net_eq(sock_net(sock->sk), net)) {
1506                         pr_err("tunl %u: netns mismatch\n", tunnel_id);
1507                         err = -EINVAL;
1508                         goto err;
1509                 }
1510         }
1511 
1512         sk = sock->sk;
1513 
1514         if (cfg != NULL)
1515                 encap = cfg->encap;
1516 
1517         /* Quick sanity checks */
1518         switch (encap) {
1519         case L2TP_ENCAPTYPE_UDP:
1520                 err = -EPROTONOSUPPORT;
1521                 if (sk->sk_protocol != IPPROTO_UDP) {
1522                         pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1523                                tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1524                         goto err;
1525                 }
1526                 break;
1527         case L2TP_ENCAPTYPE_IP:
1528                 err = -EPROTONOSUPPORT;
1529                 if (sk->sk_protocol != IPPROTO_L2TP) {
1530                         pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1531                                tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1532                         goto err;
1533                 }
1534                 break;
1535         }
1536 
1537         /* Check if this socket has already been prepped */
1538         tunnel = l2tp_tunnel(sk);
1539         if (tunnel != NULL) {
1540                 /* This socket has already been prepped */
1541                 err = -EBUSY;
1542                 goto err;
1543         }
1544 
1545         tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1546         if (tunnel == NULL) {
1547                 err = -ENOMEM;
1548                 goto err;
1549         }
1550 
1551         tunnel->version = version;
1552         tunnel->tunnel_id = tunnel_id;
1553         tunnel->peer_tunnel_id = peer_tunnel_id;
1554         tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1555 
1556         tunnel->magic = L2TP_TUNNEL_MAGIC;
1557         sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1558         rwlock_init(&tunnel->hlist_lock);
1559 
1560         /* The net we belong to */
1561         tunnel->l2tp_net = net;
1562         pn = l2tp_pernet(net);
1563 
1564         if (cfg != NULL)
1565                 tunnel->debug = cfg->debug;
1566 
1567 #if IS_ENABLED(CONFIG_IPV6)
1568         if (sk->sk_family == PF_INET6) {
1569                 struct ipv6_pinfo *np = inet6_sk(sk);
1570 
1571                 if (ipv6_addr_v4mapped(&np->saddr) &&
1572                     ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
1573                         struct inet_sock *inet = inet_sk(sk);
1574 
1575                         tunnel->v4mapped = true;
1576                         inet->inet_saddr = np->saddr.s6_addr32[3];
1577                         inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
1578                         inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
1579                 } else {
1580                         tunnel->v4mapped = false;
1581                 }
1582         }
1583 #endif
1584 
1585         /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1586         tunnel->encap = encap;
1587         if (encap == L2TP_ENCAPTYPE_UDP) {
1588                 struct udp_tunnel_sock_cfg udp_cfg = { };
1589 
1590                 udp_cfg.sk_user_data = tunnel;
1591                 udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
1592                 udp_cfg.encap_rcv = l2tp_udp_encap_recv;
1593                 udp_cfg.encap_destroy = l2tp_udp_encap_destroy;
1594 
1595                 setup_udp_tunnel_sock(net, sock, &udp_cfg);
1596         } else {
1597                 sk->sk_user_data = tunnel;
1598         }
1599 
1600         /* Hook on the tunnel socket destructor so that we can cleanup
1601          * if the tunnel socket goes away.
1602          */
1603         tunnel->old_sk_destruct = sk->sk_destruct;
1604         sk->sk_destruct = &l2tp_tunnel_destruct;
1605         tunnel->sock = sk;
1606         tunnel->fd = fd;
1607         lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1608 
1609         sk->sk_allocation = GFP_ATOMIC;
1610 
1611         /* Init delete workqueue struct */
1612         INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1613 
1614         /* Add tunnel to our list */
1615         INIT_LIST_HEAD(&tunnel->list);
1616         atomic_inc(&l2tp_tunnel_count);
1617 
1618         /* Bump the reference count. The tunnel context is deleted
1619          * only when this drops to zero. Must be done before list insertion
1620          */
1621         l2tp_tunnel_inc_refcount(tunnel);
1622         spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1623         list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1624         spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1625 
1626         err = 0;
1627 err:
1628         if (tunnelp)
1629                 *tunnelp = tunnel;
1630 
1631         /* If tunnel's socket was created by the kernel, it doesn't
1632          *  have a file.
1633          */
1634         if (sock && sock->file)
1635                 sockfd_put(sock);
1636 
1637         return err;
1638 }
1639 EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1640 
1641 /* This function is used by the netlink TUNNEL_DELETE command.
1642  */
1643 int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1644 {
1645         l2tp_tunnel_inc_refcount(tunnel);
1646         l2tp_tunnel_closeall(tunnel);
1647         if (false == queue_work(l2tp_wq, &tunnel->del_work)) {
1648                 l2tp_tunnel_dec_refcount(tunnel);
1649                 return 1;
1650         }
1651         return 0;
1652 }
1653 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1654 
1655 /* Really kill the session.
1656  */
1657 void l2tp_session_free(struct l2tp_session *session)
1658 {
1659         struct l2tp_tunnel *tunnel = session->tunnel;
1660 
1661         BUG_ON(atomic_read(&session->ref_count) != 0);
1662 
1663         if (tunnel) {
1664                 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1665                 if (session->session_id != 0)
1666                         atomic_dec(&l2tp_session_count);
1667                 sock_put(tunnel->sock);
1668                 session->tunnel = NULL;
1669                 l2tp_tunnel_dec_refcount(tunnel);
1670         }
1671 
1672         kfree(session);
1673 }
1674 EXPORT_SYMBOL_GPL(l2tp_session_free);
1675 
1676 /* Remove an l2tp session from l2tp_core's hash lists.
1677  * Provides a tidyup interface for pseudowire code which can't just route all
1678  * shutdown via. l2tp_session_delete and a pseudowire-specific session_close
1679  * callback.
1680  */
1681 void __l2tp_session_unhash(struct l2tp_session *session)
1682 {
1683         struct l2tp_tunnel *tunnel = session->tunnel;
1684 
1685         /* Remove the session from core hashes */
1686         if (tunnel) {
1687                 /* Remove from the per-tunnel hash */
1688                 write_lock_bh(&tunnel->hlist_lock);
1689                 hlist_del_init(&session->hlist);
1690                 write_unlock_bh(&tunnel->hlist_lock);
1691 
1692                 /* For L2TPv3 we have a per-net hash: remove from there, too */
1693                 if (tunnel->version != L2TP_HDR_VER_2) {
1694                         struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1695                         spin_lock_bh(&pn->l2tp_session_hlist_lock);
1696                         hlist_del_init_rcu(&session->global_hlist);
1697                         spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1698                         synchronize_rcu();
1699                 }
1700         }
1701 }
1702 EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
1703 
1704 /* This function is used by the netlink SESSION_DELETE command and by
1705    pseudowire modules.
1706  */
1707 int l2tp_session_delete(struct l2tp_session *session)
1708 {
1709         if (session->ref)
1710                 (*session->ref)(session);
1711         __l2tp_session_unhash(session);
1712         l2tp_session_queue_purge(session);
1713         if (session->session_close != NULL)
1714                 (*session->session_close)(session);
1715         if (session->deref)
1716                 (*session->deref)(session);
1717         l2tp_session_dec_refcount(session);
1718         return 0;
1719 }
1720 EXPORT_SYMBOL_GPL(l2tp_session_delete);
1721 
1722 /* We come here whenever a session's send_seq, cookie_len or
1723  * l2specific_len parameters are set.
1724  */
1725 void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1726 {
1727         if (version == L2TP_HDR_VER_2) {
1728                 session->hdr_len = 6;
1729                 if (session->send_seq)
1730                         session->hdr_len += 4;
1731         } else {
1732                 session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
1733                 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1734                         session->hdr_len += 4;
1735         }
1736 
1737 }
1738 EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1739 
1740 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1741 {
1742         struct l2tp_session *session;
1743 
1744         session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1745         if (session != NULL) {
1746                 session->magic = L2TP_SESSION_MAGIC;
1747                 session->tunnel = tunnel;
1748 
1749                 session->session_id = session_id;
1750                 session->peer_session_id = peer_session_id;
1751                 session->nr = 0;
1752                 if (tunnel->version == L2TP_HDR_VER_2)
1753                         session->nr_max = 0xffff;
1754                 else
1755                         session->nr_max = 0xffffff;
1756                 session->nr_window_size = session->nr_max / 2;
1757                 session->nr_oos_count_max = 4;
1758 
1759                 /* Use NR of first received packet */
1760                 session->reorder_skip = 1;
1761 
1762                 sprintf(&session->name[0], "sess %u/%u",
1763                         tunnel->tunnel_id, session->session_id);
1764 
1765                 skb_queue_head_init(&session->reorder_q);
1766 
1767                 INIT_HLIST_NODE(&session->hlist);
1768                 INIT_HLIST_NODE(&session->global_hlist);
1769 
1770                 /* Inherit debug options from tunnel */
1771                 session->debug = tunnel->debug;
1772 
1773                 if (cfg) {
1774                         session->pwtype = cfg->pw_type;
1775                         session->debug = cfg->debug;
1776                         session->mtu = cfg->mtu;
1777                         session->mru = cfg->mru;
1778                         session->send_seq = cfg->send_seq;
1779                         session->recv_seq = cfg->recv_seq;
1780                         session->lns_mode = cfg->lns_mode;
1781                         session->reorder_timeout = cfg->reorder_timeout;
1782                         session->offset = cfg->offset;
1783                         session->l2specific_type = cfg->l2specific_type;
1784                         session->l2specific_len = cfg->l2specific_len;
1785                         session->cookie_len = cfg->cookie_len;
1786                         memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1787                         session->peer_cookie_len = cfg->peer_cookie_len;
1788                         memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1789                 }
1790 
1791                 if (tunnel->version == L2TP_HDR_VER_2)
1792                         session->build_header = l2tp_build_l2tpv2_header;
1793                 else
1794                         session->build_header = l2tp_build_l2tpv3_header;
1795 
1796                 l2tp_session_set_header_len(session, tunnel->version);
1797 
1798                 /* Bump the reference count. The session context is deleted
1799                  * only when this drops to zero.
1800                  */
1801                 l2tp_session_inc_refcount(session);
1802                 l2tp_tunnel_inc_refcount(tunnel);
1803 
1804                 /* Ensure tunnel socket isn't deleted */
1805                 sock_hold(tunnel->sock);
1806 
1807                 /* Add session to the tunnel's hash list */
1808                 write_lock_bh(&tunnel->hlist_lock);
1809                 hlist_add_head(&session->hlist,
1810                                l2tp_session_id_hash(tunnel, session_id));
1811                 write_unlock_bh(&tunnel->hlist_lock);
1812 
1813                 /* And to the global session list if L2TPv3 */
1814                 if (tunnel->version != L2TP_HDR_VER_2) {
1815                         struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1816 
1817                         spin_lock_bh(&pn->l2tp_session_hlist_lock);
1818                         hlist_add_head_rcu(&session->global_hlist,
1819                                            l2tp_session_id_hash_2(pn, session_id));
1820                         spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1821                 }
1822 
1823                 /* Ignore management session in session count value */
1824                 if (session->session_id != 0)
1825                         atomic_inc(&l2tp_session_count);
1826         }
1827 
1828         return session;
1829 }
1830 EXPORT_SYMBOL_GPL(l2tp_session_create);
1831 
1832 /*****************************************************************************
1833  * Init and cleanup
1834  *****************************************************************************/
1835 
1836 static __net_init int l2tp_init_net(struct net *net)
1837 {
1838         struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1839         int hash;
1840 
1841         INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1842         spin_lock_init(&pn->l2tp_tunnel_list_lock);
1843 
1844         for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1845                 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1846 
1847         spin_lock_init(&pn->l2tp_session_hlist_lock);
1848 
1849         return 0;
1850 }
1851 
1852 static __net_exit void l2tp_exit_net(struct net *net)
1853 {
1854         struct l2tp_net *pn = l2tp_pernet(net);
1855         struct l2tp_tunnel *tunnel = NULL;
1856 
1857         rcu_read_lock_bh();
1858         list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1859                 (void)l2tp_tunnel_delete(tunnel);
1860         }
1861         rcu_read_unlock_bh();
1862 
1863         flush_workqueue(l2tp_wq);
1864         rcu_barrier();
1865 }
1866 
1867 static struct pernet_operations l2tp_net_ops = {
1868         .init = l2tp_init_net,
1869         .exit = l2tp_exit_net,
1870         .id   = &l2tp_net_id,
1871         .size = sizeof(struct l2tp_net),
1872 };
1873 
1874 static int __init l2tp_init(void)
1875 {
1876         int rc = 0;
1877 
1878         rc = register_pernet_device(&l2tp_net_ops);
1879         if (rc)
1880                 goto out;
1881 
1882         l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1883         if (!l2tp_wq) {
1884                 pr_err("alloc_workqueue failed\n");
1885                 unregister_pernet_device(&l2tp_net_ops);
1886                 rc = -ENOMEM;
1887                 goto out;
1888         }
1889 
1890         pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1891 
1892 out:
1893         return rc;
1894 }
1895 
1896 static void __exit l2tp_exit(void)
1897 {
1898         unregister_pernet_device(&l2tp_net_ops);
1899         if (l2tp_wq) {
1900                 destroy_workqueue(l2tp_wq);
1901                 l2tp_wq = NULL;
1902         }
1903 }
1904 
1905 module_init(l2tp_init);
1906 module_exit(l2tp_exit);
1907 
1908 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1909 MODULE_DESCRIPTION("L2TP core");
1910 MODULE_LICENSE("GPL");
1911 MODULE_VERSION(L2TP_DRV_VERSION);
1912 
1913 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp