~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/l2tp/l2tp_core.c

Version: ~ [ linux-5.12-rc1 ] ~ [ linux-5.11.2 ] ~ [ linux-5.10.19 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.101 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.177 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.222 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.258 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.258 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * L2TP core.
  3  *
  4  * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
  5  *
  6  * This file contains some code of the original L2TPv2 pppol2tp
  7  * driver, which has the following copyright:
  8  *
  9  * Authors:     Martijn van Oosterhout <kleptog@svana.org>
 10  *              James Chapman (jchapman@katalix.com)
 11  * Contributors:
 12  *              Michal Ostrowski <mostrows@speakeasy.net>
 13  *              Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
 14  *              David S. Miller (davem@redhat.com)
 15  *
 16  * This program is free software; you can redistribute it and/or modify
 17  * it under the terms of the GNU General Public License version 2 as
 18  * published by the Free Software Foundation.
 19  */
 20 
 21 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 22 
 23 #include <linux/module.h>
 24 #include <linux/string.h>
 25 #include <linux/list.h>
 26 #include <linux/rculist.h>
 27 #include <linux/uaccess.h>
 28 
 29 #include <linux/kernel.h>
 30 #include <linux/spinlock.h>
 31 #include <linux/kthread.h>
 32 #include <linux/sched.h>
 33 #include <linux/slab.h>
 34 #include <linux/errno.h>
 35 #include <linux/jiffies.h>
 36 
 37 #include <linux/netdevice.h>
 38 #include <linux/net.h>
 39 #include <linux/inetdevice.h>
 40 #include <linux/skbuff.h>
 41 #include <linux/init.h>
 42 #include <linux/in.h>
 43 #include <linux/ip.h>
 44 #include <linux/udp.h>
 45 #include <linux/l2tp.h>
 46 #include <linux/hash.h>
 47 #include <linux/sort.h>
 48 #include <linux/file.h>
 49 #include <linux/nsproxy.h>
 50 #include <net/net_namespace.h>
 51 #include <net/netns/generic.h>
 52 #include <net/dst.h>
 53 #include <net/ip.h>
 54 #include <net/udp.h>
 55 #include <net/udp_tunnel.h>
 56 #include <net/inet_common.h>
 57 #include <net/xfrm.h>
 58 #include <net/protocol.h>
 59 #include <net/inet6_connection_sock.h>
 60 #include <net/inet_ecn.h>
 61 #include <net/ip6_route.h>
 62 #include <net/ip6_checksum.h>
 63 
 64 #include <asm/byteorder.h>
 65 #include <linux/atomic.h>
 66 
 67 #include "l2tp_core.h"
 68 
 69 #define L2TP_DRV_VERSION        "V2.0"
 70 
 71 /* L2TP header constants */
 72 #define L2TP_HDRFLAG_T     0x8000
 73 #define L2TP_HDRFLAG_L     0x4000
 74 #define L2TP_HDRFLAG_S     0x0800
 75 #define L2TP_HDRFLAG_O     0x0200
 76 #define L2TP_HDRFLAG_P     0x0100
 77 
 78 #define L2TP_HDR_VER_MASK  0x000F
 79 #define L2TP_HDR_VER_2     0x0002
 80 #define L2TP_HDR_VER_3     0x0003
 81 
 82 /* L2TPv3 default L2-specific sublayer */
 83 #define L2TP_SLFLAG_S      0x40000000
 84 #define L2TP_SL_SEQ_MASK   0x00ffffff
 85 
 86 #define L2TP_HDR_SIZE_SEQ               10
 87 #define L2TP_HDR_SIZE_NOSEQ             6
 88 
 89 /* Default trace flags */
 90 #define L2TP_DEFAULT_DEBUG_FLAGS        0
 91 
 92 /* Private data stored for received packets in the skb.
 93  */
 94 struct l2tp_skb_cb {
 95         u32                     ns;
 96         u16                     has_seq;
 97         u16                     length;
 98         unsigned long           expires;
 99 };
100 
101 #define L2TP_SKB_CB(skb)        ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
102 
103 static atomic_t l2tp_tunnel_count;
104 static atomic_t l2tp_session_count;
105 static struct workqueue_struct *l2tp_wq;
106 
107 /* per-net private data for this module */
108 static unsigned int l2tp_net_id;
109 struct l2tp_net {
110         struct list_head l2tp_tunnel_list;
111         spinlock_t l2tp_tunnel_list_lock;
112         struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
113         spinlock_t l2tp_session_hlist_lock;
114 };
115 
116 
117 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
118 {
119         return sk->sk_user_data;
120 }
121 
122 static inline struct l2tp_net *l2tp_pernet(const struct net *net)
123 {
124         BUG_ON(!net);
125 
126         return net_generic(net, l2tp_net_id);
127 }
128 
129 /* Session hash global list for L2TPv3.
130  * The session_id SHOULD be random according to RFC3931, but several
131  * L2TP implementations use incrementing session_ids.  So we do a real
132  * hash on the session_id, rather than a simple bitmask.
133  */
134 static inline struct hlist_head *
135 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
136 {
137         return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
138 
139 }
140 
141 /* Lookup the tunnel socket, possibly involving the fs code if the socket is
142  * owned by userspace.  A struct sock returned from this function must be
143  * released using l2tp_tunnel_sock_put once you're done with it.
144  */
145 static struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
146 {
147         int err = 0;
148         struct socket *sock = NULL;
149         struct sock *sk = NULL;
150 
151         if (!tunnel)
152                 goto out;
153 
154         if (tunnel->fd >= 0) {
155                 /* Socket is owned by userspace, who might be in the process
156                  * of closing it.  Look the socket up using the fd to ensure
157                  * consistency.
158                  */
159                 sock = sockfd_lookup(tunnel->fd, &err);
160                 if (sock)
161                         sk = sock->sk;
162         } else {
163                 /* Socket is owned by kernelspace */
164                 sk = tunnel->sock;
165                 sock_hold(sk);
166         }
167 
168 out:
169         return sk;
170 }
171 
172 /* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
173 static void l2tp_tunnel_sock_put(struct sock *sk)
174 {
175         struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
176         if (tunnel) {
177                 if (tunnel->fd >= 0) {
178                         /* Socket is owned by userspace */
179                         sockfd_put(sk->sk_socket);
180                 }
181                 sock_put(sk);
182         }
183         sock_put(sk);
184 }
185 
186 /* Session hash list.
187  * The session_id SHOULD be random according to RFC2661, but several
188  * L2TP implementations (Cisco and Microsoft) use incrementing
189  * session_ids.  So we do a real hash on the session_id, rather than a
190  * simple bitmask.
191  */
192 static inline struct hlist_head *
193 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
194 {
195         return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
196 }
197 
198 /* Lookup a tunnel. A new reference is held on the returned tunnel. */
199 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
200 {
201         const struct l2tp_net *pn = l2tp_pernet(net);
202         struct l2tp_tunnel *tunnel;
203 
204         rcu_read_lock_bh();
205         list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
206                 if (tunnel->tunnel_id == tunnel_id) {
207                         l2tp_tunnel_inc_refcount(tunnel);
208                         rcu_read_unlock_bh();
209 
210                         return tunnel;
211                 }
212         }
213         rcu_read_unlock_bh();
214 
215         return NULL;
216 }
217 EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
218 
219 /* Lookup a session. A new reference is held on the returned session.
220  * Optionally calls session->ref() too if do_ref is true.
221  */
222 struct l2tp_session *l2tp_session_get(const struct net *net,
223                                       struct l2tp_tunnel *tunnel,
224                                       u32 session_id, bool do_ref)
225 {
226         struct hlist_head *session_list;
227         struct l2tp_session *session;
228 
229         if (!tunnel) {
230                 struct l2tp_net *pn = l2tp_pernet(net);
231 
232                 session_list = l2tp_session_id_hash_2(pn, session_id);
233 
234                 rcu_read_lock_bh();
235                 hlist_for_each_entry_rcu(session, session_list, global_hlist) {
236                         if (session->session_id == session_id) {
237                                 l2tp_session_inc_refcount(session);
238                                 if (do_ref && session->ref)
239                                         session->ref(session);
240                                 rcu_read_unlock_bh();
241 
242                                 return session;
243                         }
244                 }
245                 rcu_read_unlock_bh();
246 
247                 return NULL;
248         }
249 
250         session_list = l2tp_session_id_hash(tunnel, session_id);
251         read_lock_bh(&tunnel->hlist_lock);
252         hlist_for_each_entry(session, session_list, hlist) {
253                 if (session->session_id == session_id) {
254                         l2tp_session_inc_refcount(session);
255                         if (do_ref && session->ref)
256                                 session->ref(session);
257                         read_unlock_bh(&tunnel->hlist_lock);
258 
259                         return session;
260                 }
261         }
262         read_unlock_bh(&tunnel->hlist_lock);
263 
264         return NULL;
265 }
266 EXPORT_SYMBOL_GPL(l2tp_session_get);
267 
268 struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
269                                           bool do_ref)
270 {
271         int hash;
272         struct l2tp_session *session;
273         int count = 0;
274 
275         read_lock_bh(&tunnel->hlist_lock);
276         for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
277                 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
278                         if (++count > nth) {
279                                 l2tp_session_inc_refcount(session);
280                                 if (do_ref && session->ref)
281                                         session->ref(session);
282                                 read_unlock_bh(&tunnel->hlist_lock);
283                                 return session;
284                         }
285                 }
286         }
287 
288         read_unlock_bh(&tunnel->hlist_lock);
289 
290         return NULL;
291 }
292 EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
293 
294 /* Lookup a session by interface name.
295  * This is very inefficient but is only used by management interfaces.
296  */
297 struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
298                                                 const char *ifname,
299                                                 bool do_ref)
300 {
301         struct l2tp_net *pn = l2tp_pernet(net);
302         int hash;
303         struct l2tp_session *session;
304 
305         rcu_read_lock_bh();
306         for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
307                 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
308                         if (!strcmp(session->ifname, ifname)) {
309                                 l2tp_session_inc_refcount(session);
310                                 if (do_ref && session->ref)
311                                         session->ref(session);
312                                 rcu_read_unlock_bh();
313 
314                                 return session;
315                         }
316                 }
317         }
318 
319         rcu_read_unlock_bh();
320 
321         return NULL;
322 }
323 EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
324 
325 static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel,
326                                       struct l2tp_session *session)
327 {
328         struct l2tp_session *session_walk;
329         struct hlist_head *g_head;
330         struct hlist_head *head;
331         struct l2tp_net *pn;
332 
333         head = l2tp_session_id_hash(tunnel, session->session_id);
334 
335         write_lock_bh(&tunnel->hlist_lock);
336         hlist_for_each_entry(session_walk, head, hlist)
337                 if (session_walk->session_id == session->session_id)
338                         goto exist;
339 
340         if (tunnel->version == L2TP_HDR_VER_3) {
341                 pn = l2tp_pernet(tunnel->l2tp_net);
342                 g_head = l2tp_session_id_hash_2(l2tp_pernet(tunnel->l2tp_net),
343                                                 session->session_id);
344 
345                 spin_lock_bh(&pn->l2tp_session_hlist_lock);
346                 hlist_for_each_entry(session_walk, g_head, global_hlist)
347                         if (session_walk->session_id == session->session_id)
348                                 goto exist_glob;
349 
350                 hlist_add_head_rcu(&session->global_hlist, g_head);
351                 spin_unlock_bh(&pn->l2tp_session_hlist_lock);
352         }
353 
354         hlist_add_head(&session->hlist, head);
355         write_unlock_bh(&tunnel->hlist_lock);
356 
357         return 0;
358 
359 exist_glob:
360         spin_unlock_bh(&pn->l2tp_session_hlist_lock);
361 exist:
362         write_unlock_bh(&tunnel->hlist_lock);
363 
364         return -EEXIST;
365 }
366 
367 /* Lookup a tunnel by id
368  */
369 struct l2tp_tunnel *l2tp_tunnel_find(const struct net *net, u32 tunnel_id)
370 {
371         struct l2tp_tunnel *tunnel;
372         struct l2tp_net *pn = l2tp_pernet(net);
373 
374         rcu_read_lock_bh();
375         list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
376                 if (tunnel->tunnel_id == tunnel_id) {
377                         rcu_read_unlock_bh();
378                         return tunnel;
379                 }
380         }
381         rcu_read_unlock_bh();
382 
383         return NULL;
384 }
385 EXPORT_SYMBOL_GPL(l2tp_tunnel_find);
386 
387 struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth)
388 {
389         struct l2tp_net *pn = l2tp_pernet(net);
390         struct l2tp_tunnel *tunnel;
391         int count = 0;
392 
393         rcu_read_lock_bh();
394         list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
395                 if (++count > nth) {
396                         rcu_read_unlock_bh();
397                         return tunnel;
398                 }
399         }
400 
401         rcu_read_unlock_bh();
402 
403         return NULL;
404 }
405 EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
406 
407 /*****************************************************************************
408  * Receive data handling
409  *****************************************************************************/
410 
411 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
412  * number.
413  */
414 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
415 {
416         struct sk_buff *skbp;
417         struct sk_buff *tmp;
418         u32 ns = L2TP_SKB_CB(skb)->ns;
419 
420         spin_lock_bh(&session->reorder_q.lock);
421         skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
422                 if (L2TP_SKB_CB(skbp)->ns > ns) {
423                         __skb_queue_before(&session->reorder_q, skbp, skb);
424                         l2tp_dbg(session, L2TP_MSG_SEQ,
425                                  "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
426                                  session->name, ns, L2TP_SKB_CB(skbp)->ns,
427                                  skb_queue_len(&session->reorder_q));
428                         atomic_long_inc(&session->stats.rx_oos_packets);
429                         goto out;
430                 }
431         }
432 
433         __skb_queue_tail(&session->reorder_q, skb);
434 
435 out:
436         spin_unlock_bh(&session->reorder_q.lock);
437 }
438 
439 /* Dequeue a single skb.
440  */
441 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
442 {
443         struct l2tp_tunnel *tunnel = session->tunnel;
444         int length = L2TP_SKB_CB(skb)->length;
445 
446         /* We're about to requeue the skb, so return resources
447          * to its current owner (a socket receive buffer).
448          */
449         skb_orphan(skb);
450 
451         atomic_long_inc(&tunnel->stats.rx_packets);
452         atomic_long_add(length, &tunnel->stats.rx_bytes);
453         atomic_long_inc(&session->stats.rx_packets);
454         atomic_long_add(length, &session->stats.rx_bytes);
455 
456         if (L2TP_SKB_CB(skb)->has_seq) {
457                 /* Bump our Nr */
458                 session->nr++;
459                 session->nr &= session->nr_max;
460 
461                 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
462                          session->name, session->nr);
463         }
464 
465         /* call private receive handler */
466         if (session->recv_skb != NULL)
467                 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
468         else
469                 kfree_skb(skb);
470 
471         if (session->deref)
472                 (*session->deref)(session);
473 }
474 
475 /* Dequeue skbs from the session's reorder_q, subject to packet order.
476  * Skbs that have been in the queue for too long are simply discarded.
477  */
478 static void l2tp_recv_dequeue(struct l2tp_session *session)
479 {
480         struct sk_buff *skb;
481         struct sk_buff *tmp;
482 
483         /* If the pkt at the head of the queue has the nr that we
484          * expect to send up next, dequeue it and any other
485          * in-sequence packets behind it.
486          */
487 start:
488         spin_lock_bh(&session->reorder_q.lock);
489         skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
490                 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
491                         atomic_long_inc(&session->stats.rx_seq_discards);
492                         atomic_long_inc(&session->stats.rx_errors);
493                         l2tp_dbg(session, L2TP_MSG_SEQ,
494                                  "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
495                                  session->name, L2TP_SKB_CB(skb)->ns,
496                                  L2TP_SKB_CB(skb)->length, session->nr,
497                                  skb_queue_len(&session->reorder_q));
498                         session->reorder_skip = 1;
499                         __skb_unlink(skb, &session->reorder_q);
500                         kfree_skb(skb);
501                         if (session->deref)
502                                 (*session->deref)(session);
503                         continue;
504                 }
505 
506                 if (L2TP_SKB_CB(skb)->has_seq) {
507                         if (session->reorder_skip) {
508                                 l2tp_dbg(session, L2TP_MSG_SEQ,
509                                          "%s: advancing nr to next pkt: %u -> %u",
510                                          session->name, session->nr,
511                                          L2TP_SKB_CB(skb)->ns);
512                                 session->reorder_skip = 0;
513                                 session->nr = L2TP_SKB_CB(skb)->ns;
514                         }
515                         if (L2TP_SKB_CB(skb)->ns != session->nr) {
516                                 l2tp_dbg(session, L2TP_MSG_SEQ,
517                                          "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
518                                          session->name, L2TP_SKB_CB(skb)->ns,
519                                          L2TP_SKB_CB(skb)->length, session->nr,
520                                          skb_queue_len(&session->reorder_q));
521                                 goto out;
522                         }
523                 }
524                 __skb_unlink(skb, &session->reorder_q);
525 
526                 /* Process the skb. We release the queue lock while we
527                  * do so to let other contexts process the queue.
528                  */
529                 spin_unlock_bh(&session->reorder_q.lock);
530                 l2tp_recv_dequeue_skb(session, skb);
531                 goto start;
532         }
533 
534 out:
535         spin_unlock_bh(&session->reorder_q.lock);
536 }
537 
538 static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
539 {
540         u32 nws;
541 
542         if (nr >= session->nr)
543                 nws = nr - session->nr;
544         else
545                 nws = (session->nr_max + 1) - (session->nr - nr);
546 
547         return nws < session->nr_window_size;
548 }
549 
550 /* If packet has sequence numbers, queue it if acceptable. Returns 0 if
551  * acceptable, else non-zero.
552  */
553 static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
554 {
555         if (!l2tp_seq_check_rx_window(session, L2TP_SKB_CB(skb)->ns)) {
556                 /* Packet sequence number is outside allowed window.
557                  * Discard it.
558                  */
559                 l2tp_dbg(session, L2TP_MSG_SEQ,
560                          "%s: pkt %u len %d discarded, outside window, nr=%u\n",
561                          session->name, L2TP_SKB_CB(skb)->ns,
562                          L2TP_SKB_CB(skb)->length, session->nr);
563                 goto discard;
564         }
565 
566         if (session->reorder_timeout != 0) {
567                 /* Packet reordering enabled. Add skb to session's
568                  * reorder queue, in order of ns.
569                  */
570                 l2tp_recv_queue_skb(session, skb);
571                 goto out;
572         }
573 
574         /* Packet reordering disabled. Discard out-of-sequence packets, while
575          * tracking the number if in-sequence packets after the first OOS packet
576          * is seen. After nr_oos_count_max in-sequence packets, reset the
577          * sequence number to re-enable packet reception.
578          */
579         if (L2TP_SKB_CB(skb)->ns == session->nr) {
580                 skb_queue_tail(&session->reorder_q, skb);
581         } else {
582                 u32 nr_oos = L2TP_SKB_CB(skb)->ns;
583                 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
584 
585                 if (nr_oos == nr_next)
586                         session->nr_oos_count++;
587                 else
588                         session->nr_oos_count = 0;
589 
590                 session->nr_oos = nr_oos;
591                 if (session->nr_oos_count > session->nr_oos_count_max) {
592                         session->reorder_skip = 1;
593                         l2tp_dbg(session, L2TP_MSG_SEQ,
594                                  "%s: %d oos packets received. Resetting sequence numbers\n",
595                                  session->name, session->nr_oos_count);
596                 }
597                 if (!session->reorder_skip) {
598                         atomic_long_inc(&session->stats.rx_seq_discards);
599                         l2tp_dbg(session, L2TP_MSG_SEQ,
600                                  "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
601                                  session->name, L2TP_SKB_CB(skb)->ns,
602                                  L2TP_SKB_CB(skb)->length, session->nr,
603                                  skb_queue_len(&session->reorder_q));
604                         goto discard;
605                 }
606                 skb_queue_tail(&session->reorder_q, skb);
607         }
608 
609 out:
610         return 0;
611 
612 discard:
613         return 1;
614 }
615 
616 /* Do receive processing of L2TP data frames. We handle both L2TPv2
617  * and L2TPv3 data frames here.
618  *
619  * L2TPv2 Data Message Header
620  *
621  *  0                   1                   2                   3
622  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
623  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
624  * |T|L|x|x|S|x|O|P|x|x|x|x|  Ver  |          Length (opt)         |
625  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
626  * |           Tunnel ID           |           Session ID          |
627  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
628  * |             Ns (opt)          |             Nr (opt)          |
629  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
630  * |      Offset Size (opt)        |    Offset pad... (opt)
631  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
632  *
633  * Data frames are marked by T=0. All other fields are the same as
634  * those in L2TP control frames.
635  *
636  * L2TPv3 Data Message Header
637  *
638  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
639  * |                      L2TP Session Header                      |
640  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
641  * |                      L2-Specific Sublayer                     |
642  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
643  * |                        Tunnel Payload                      ...
644  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
645  *
646  * L2TPv3 Session Header Over IP
647  *
648  *  0                   1                   2                   3
649  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
650  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
651  * |                           Session ID                          |
652  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
653  * |               Cookie (optional, maximum 64 bits)...
654  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
655  *                                                                 |
656  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
657  *
658  * L2TPv3 L2-Specific Sublayer Format
659  *
660  *  0                   1                   2                   3
661  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
662  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
663  * |x|S|x|x|x|x|x|x|              Sequence Number                  |
664  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
665  *
666  * Cookie value, sublayer format and offset (pad) are negotiated with
667  * the peer when the session is set up. Unlike L2TPv2, we do not need
668  * to parse the packet header to determine if optional fields are
669  * present.
670  *
671  * Caller must already have parsed the frame and determined that it is
672  * a data (not control) frame before coming here. Fields up to the
673  * session-id have already been parsed and ptr points to the data
674  * after the session-id.
675  *
676  * session->ref() must have been called prior to l2tp_recv_common().
677  * session->deref() will be called automatically after skb is processed.
678  */
679 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
680                       unsigned char *ptr, unsigned char *optr, u16 hdrflags,
681                       int length, int (*payload_hook)(struct sk_buff *skb))
682 {
683         struct l2tp_tunnel *tunnel = session->tunnel;
684         int offset;
685         u32 ns, nr;
686 
687         /* Parse and check optional cookie */
688         if (session->peer_cookie_len > 0) {
689                 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
690                         l2tp_info(tunnel, L2TP_MSG_DATA,
691                                   "%s: cookie mismatch (%u/%u). Discarding.\n",
692                                   tunnel->name, tunnel->tunnel_id,
693                                   session->session_id);
694                         atomic_long_inc(&session->stats.rx_cookie_discards);
695                         goto discard;
696                 }
697                 ptr += session->peer_cookie_len;
698         }
699 
700         /* Handle the optional sequence numbers. Sequence numbers are
701          * in different places for L2TPv2 and L2TPv3.
702          *
703          * If we are the LAC, enable/disable sequence numbers under
704          * the control of the LNS.  If no sequence numbers present but
705          * we were expecting them, discard frame.
706          */
707         ns = nr = 0;
708         L2TP_SKB_CB(skb)->has_seq = 0;
709         if (tunnel->version == L2TP_HDR_VER_2) {
710                 if (hdrflags & L2TP_HDRFLAG_S) {
711                         ns = ntohs(*(__be16 *) ptr);
712                         ptr += 2;
713                         nr = ntohs(*(__be16 *) ptr);
714                         ptr += 2;
715 
716                         /* Store L2TP info in the skb */
717                         L2TP_SKB_CB(skb)->ns = ns;
718                         L2TP_SKB_CB(skb)->has_seq = 1;
719 
720                         l2tp_dbg(session, L2TP_MSG_SEQ,
721                                  "%s: recv data ns=%u, nr=%u, session nr=%u\n",
722                                  session->name, ns, nr, session->nr);
723                 }
724         } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
725                 u32 l2h = ntohl(*(__be32 *) ptr);
726 
727                 if (l2h & 0x40000000) {
728                         ns = l2h & 0x00ffffff;
729 
730                         /* Store L2TP info in the skb */
731                         L2TP_SKB_CB(skb)->ns = ns;
732                         L2TP_SKB_CB(skb)->has_seq = 1;
733 
734                         l2tp_dbg(session, L2TP_MSG_SEQ,
735                                  "%s: recv data ns=%u, session nr=%u\n",
736                                  session->name, ns, session->nr);
737                 }
738         }
739 
740         /* Advance past L2-specific header, if present */
741         ptr += session->l2specific_len;
742 
743         if (L2TP_SKB_CB(skb)->has_seq) {
744                 /* Received a packet with sequence numbers. If we're the LNS,
745                  * check if we sre sending sequence numbers and if not,
746                  * configure it so.
747                  */
748                 if ((!session->lns_mode) && (!session->send_seq)) {
749                         l2tp_info(session, L2TP_MSG_SEQ,
750                                   "%s: requested to enable seq numbers by LNS\n",
751                                   session->name);
752                         session->send_seq = 1;
753                         l2tp_session_set_header_len(session, tunnel->version);
754                 }
755         } else {
756                 /* No sequence numbers.
757                  * If user has configured mandatory sequence numbers, discard.
758                  */
759                 if (session->recv_seq) {
760                         l2tp_warn(session, L2TP_MSG_SEQ,
761                                   "%s: recv data has no seq numbers when required. Discarding.\n",
762                                   session->name);
763                         atomic_long_inc(&session->stats.rx_seq_discards);
764                         goto discard;
765                 }
766 
767                 /* If we're the LAC and we're sending sequence numbers, the
768                  * LNS has requested that we no longer send sequence numbers.
769                  * If we're the LNS and we're sending sequence numbers, the
770                  * LAC is broken. Discard the frame.
771                  */
772                 if ((!session->lns_mode) && (session->send_seq)) {
773                         l2tp_info(session, L2TP_MSG_SEQ,
774                                   "%s: requested to disable seq numbers by LNS\n",
775                                   session->name);
776                         session->send_seq = 0;
777                         l2tp_session_set_header_len(session, tunnel->version);
778                 } else if (session->send_seq) {
779                         l2tp_warn(session, L2TP_MSG_SEQ,
780                                   "%s: recv data has no seq numbers when required. Discarding.\n",
781                                   session->name);
782                         atomic_long_inc(&session->stats.rx_seq_discards);
783                         goto discard;
784                 }
785         }
786 
787         /* Session data offset is handled differently for L2TPv2 and
788          * L2TPv3. For L2TPv2, there is an optional 16-bit value in
789          * the header. For L2TPv3, the offset is negotiated using AVPs
790          * in the session setup control protocol.
791          */
792         if (tunnel->version == L2TP_HDR_VER_2) {
793                 /* If offset bit set, skip it. */
794                 if (hdrflags & L2TP_HDRFLAG_O) {
795                         offset = ntohs(*(__be16 *)ptr);
796                         ptr += 2 + offset;
797                 }
798         } else
799                 ptr += session->offset;
800 
801         offset = ptr - optr;
802         if (!pskb_may_pull(skb, offset))
803                 goto discard;
804 
805         __skb_pull(skb, offset);
806 
807         /* If caller wants to process the payload before we queue the
808          * packet, do so now.
809          */
810         if (payload_hook)
811                 if ((*payload_hook)(skb))
812                         goto discard;
813 
814         /* Prepare skb for adding to the session's reorder_q.  Hold
815          * packets for max reorder_timeout or 1 second if not
816          * reordering.
817          */
818         L2TP_SKB_CB(skb)->length = length;
819         L2TP_SKB_CB(skb)->expires = jiffies +
820                 (session->reorder_timeout ? session->reorder_timeout : HZ);
821 
822         /* Add packet to the session's receive queue. Reordering is done here, if
823          * enabled. Saved L2TP protocol info is stored in skb->sb[].
824          */
825         if (L2TP_SKB_CB(skb)->has_seq) {
826                 if (l2tp_recv_data_seq(session, skb))
827                         goto discard;
828         } else {
829                 /* No sequence numbers. Add the skb to the tail of the
830                  * reorder queue. This ensures that it will be
831                  * delivered after all previous sequenced skbs.
832                  */
833                 skb_queue_tail(&session->reorder_q, skb);
834         }
835 
836         /* Try to dequeue as many skbs from reorder_q as we can. */
837         l2tp_recv_dequeue(session);
838 
839         return;
840 
841 discard:
842         atomic_long_inc(&session->stats.rx_errors);
843         kfree_skb(skb);
844 
845         if (session->deref)
846                 (*session->deref)(session);
847 }
848 EXPORT_SYMBOL(l2tp_recv_common);
849 
850 /* Drop skbs from the session's reorder_q
851  */
852 int l2tp_session_queue_purge(struct l2tp_session *session)
853 {
854         struct sk_buff *skb = NULL;
855         BUG_ON(!session);
856         BUG_ON(session->magic != L2TP_SESSION_MAGIC);
857         while ((skb = skb_dequeue(&session->reorder_q))) {
858                 atomic_long_inc(&session->stats.rx_errors);
859                 kfree_skb(skb);
860                 if (session->deref)
861                         (*session->deref)(session);
862         }
863         return 0;
864 }
865 EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
866 
867 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
868  * here. The skb is not on a list when we get here.
869  * Returns 0 if the packet was a data packet and was successfully passed on.
870  * Returns 1 if the packet was not a good data packet and could not be
871  * forwarded.  All such packets are passed up to userspace to deal with.
872  */
873 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
874                               int (*payload_hook)(struct sk_buff *skb))
875 {
876         struct l2tp_session *session = NULL;
877         unsigned char *ptr, *optr;
878         u16 hdrflags;
879         u32 tunnel_id, session_id;
880         u16 version;
881         int length;
882 
883         /* UDP has verifed checksum */
884 
885         /* UDP always verifies the packet length. */
886         __skb_pull(skb, sizeof(struct udphdr));
887 
888         /* Short packet? */
889         if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
890                 l2tp_info(tunnel, L2TP_MSG_DATA,
891                           "%s: recv short packet (len=%d)\n",
892                           tunnel->name, skb->len);
893                 goto error;
894         }
895 
896         /* Trace packet contents, if enabled */
897         if (tunnel->debug & L2TP_MSG_DATA) {
898                 length = min(32u, skb->len);
899                 if (!pskb_may_pull(skb, length))
900                         goto error;
901 
902                 pr_debug("%s: recv\n", tunnel->name);
903                 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
904         }
905 
906         /* Point to L2TP header */
907         optr = ptr = skb->data;
908 
909         /* Get L2TP header flags */
910         hdrflags = ntohs(*(__be16 *) ptr);
911 
912         /* Check protocol version */
913         version = hdrflags & L2TP_HDR_VER_MASK;
914         if (version != tunnel->version) {
915                 l2tp_info(tunnel, L2TP_MSG_DATA,
916                           "%s: recv protocol version mismatch: got %d expected %d\n",
917                           tunnel->name, version, tunnel->version);
918                 goto error;
919         }
920 
921         /* Get length of L2TP packet */
922         length = skb->len;
923 
924         /* If type is control packet, it is handled by userspace. */
925         if (hdrflags & L2TP_HDRFLAG_T) {
926                 l2tp_dbg(tunnel, L2TP_MSG_DATA,
927                          "%s: recv control packet, len=%d\n",
928                          tunnel->name, length);
929                 goto error;
930         }
931 
932         /* Skip flags */
933         ptr += 2;
934 
935         if (tunnel->version == L2TP_HDR_VER_2) {
936                 /* If length is present, skip it */
937                 if (hdrflags & L2TP_HDRFLAG_L)
938                         ptr += 2;
939 
940                 /* Extract tunnel and session ID */
941                 tunnel_id = ntohs(*(__be16 *) ptr);
942                 ptr += 2;
943                 session_id = ntohs(*(__be16 *) ptr);
944                 ptr += 2;
945         } else {
946                 ptr += 2;       /* skip reserved bits */
947                 tunnel_id = tunnel->tunnel_id;
948                 session_id = ntohl(*(__be32 *) ptr);
949                 ptr += 4;
950         }
951 
952         /* Find the session context */
953         session = l2tp_session_get(tunnel->l2tp_net, tunnel, session_id, true);
954         if (!session || !session->recv_skb) {
955                 if (session) {
956                         if (session->deref)
957                                 session->deref(session);
958                         l2tp_session_dec_refcount(session);
959                 }
960 
961                 /* Not found? Pass to userspace to deal with */
962                 l2tp_info(tunnel, L2TP_MSG_DATA,
963                           "%s: no session found (%u/%u). Passing up.\n",
964                           tunnel->name, tunnel_id, session_id);
965                 goto error;
966         }
967 
968         l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
969         l2tp_session_dec_refcount(session);
970 
971         return 0;
972 
973 error:
974         /* Put UDP header back */
975         __skb_push(skb, sizeof(struct udphdr));
976 
977         return 1;
978 }
979 
980 /* UDP encapsulation receive handler. See net/ipv4/udp.c.
981  * Return codes:
982  * 0 : success.
983  * <0: error
984  * >0: skb should be passed up to userspace as UDP.
985  */
986 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
987 {
988         struct l2tp_tunnel *tunnel;
989 
990         tunnel = l2tp_sock_to_tunnel(sk);
991         if (tunnel == NULL)
992                 goto pass_up;
993 
994         l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
995                  tunnel->name, skb->len);
996 
997         if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
998                 goto pass_up_put;
999 
1000         sock_put(sk);
1001         return 0;
1002 
1003 pass_up_put:
1004         sock_put(sk);
1005 pass_up:
1006         return 1;
1007 }
1008 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
1009 
1010 /************************************************************************
1011  * Transmit handling
1012  ***********************************************************************/
1013 
1014 /* Build an L2TP header for the session into the buffer provided.
1015  */
1016 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
1017 {
1018         struct l2tp_tunnel *tunnel = session->tunnel;
1019         __be16 *bufp = buf;
1020         __be16 *optr = buf;
1021         u16 flags = L2TP_HDR_VER_2;
1022         u32 tunnel_id = tunnel->peer_tunnel_id;
1023         u32 session_id = session->peer_session_id;
1024 
1025         if (session->send_seq)
1026                 flags |= L2TP_HDRFLAG_S;
1027 
1028         /* Setup L2TP header. */
1029         *bufp++ = htons(flags);
1030         *bufp++ = htons(tunnel_id);
1031         *bufp++ = htons(session_id);
1032         if (session->send_seq) {
1033                 *bufp++ = htons(session->ns);
1034                 *bufp++ = 0;
1035                 session->ns++;
1036                 session->ns &= 0xffff;
1037                 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
1038                          session->name, session->ns);
1039         }
1040 
1041         return bufp - optr;
1042 }
1043 
1044 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1045 {
1046         struct l2tp_tunnel *tunnel = session->tunnel;
1047         char *bufp = buf;
1048         char *optr = bufp;
1049 
1050         /* Setup L2TP header. The header differs slightly for UDP and
1051          * IP encapsulations. For UDP, there is 4 bytes of flags.
1052          */
1053         if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1054                 u16 flags = L2TP_HDR_VER_3;
1055                 *((__be16 *) bufp) = htons(flags);
1056                 bufp += 2;
1057                 *((__be16 *) bufp) = 0;
1058                 bufp += 2;
1059         }
1060 
1061         *((__be32 *) bufp) = htonl(session->peer_session_id);
1062         bufp += 4;
1063         if (session->cookie_len) {
1064                 memcpy(bufp, &session->cookie[0], session->cookie_len);
1065                 bufp += session->cookie_len;
1066         }
1067         if (session->l2specific_len) {
1068                 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1069                         u32 l2h = 0;
1070                         if (session->send_seq) {
1071                                 l2h = 0x40000000 | session->ns;
1072                                 session->ns++;
1073                                 session->ns &= 0xffffff;
1074                                 l2tp_dbg(session, L2TP_MSG_SEQ,
1075                                          "%s: updated ns to %u\n",
1076                                          session->name, session->ns);
1077                         }
1078 
1079                         *((__be32 *) bufp) = htonl(l2h);
1080                 }
1081                 bufp += session->l2specific_len;
1082         }
1083         if (session->offset)
1084                 bufp += session->offset;
1085 
1086         return bufp - optr;
1087 }
1088 
1089 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1090                           struct flowi *fl, size_t data_len)
1091 {
1092         struct l2tp_tunnel *tunnel = session->tunnel;
1093         unsigned int len = skb->len;
1094         int error;
1095 
1096         /* Debug */
1097         if (session->send_seq)
1098                 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %zd bytes, ns=%u\n",
1099                          session->name, data_len, session->ns - 1);
1100         else
1101                 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %zd bytes\n",
1102                          session->name, data_len);
1103 
1104         if (session->debug & L2TP_MSG_DATA) {
1105                 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1106                 unsigned char *datap = skb->data + uhlen;
1107 
1108                 pr_debug("%s: xmit\n", session->name);
1109                 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1110                                      datap, min_t(size_t, 32, len - uhlen));
1111         }
1112 
1113         /* Queue the packet to IP for output */
1114         skb->ignore_df = 1;
1115 #if IS_ENABLED(CONFIG_IPV6)
1116         if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
1117                 error = inet6_csk_xmit(tunnel->sock, skb, NULL);
1118         else
1119 #endif
1120                 error = ip_queue_xmit(tunnel->sock, skb, fl);
1121 
1122         /* Update stats */
1123         if (error >= 0) {
1124                 atomic_long_inc(&tunnel->stats.tx_packets);
1125                 atomic_long_add(len, &tunnel->stats.tx_bytes);
1126                 atomic_long_inc(&session->stats.tx_packets);
1127                 atomic_long_add(len, &session->stats.tx_bytes);
1128         } else {
1129                 atomic_long_inc(&tunnel->stats.tx_errors);
1130                 atomic_long_inc(&session->stats.tx_errors);
1131         }
1132 
1133         return 0;
1134 }
1135 
1136 /* If caller requires the skb to have a ppp header, the header must be
1137  * inserted in the skb data before calling this function.
1138  */
1139 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1140 {
1141         int data_len = skb->len;
1142         struct l2tp_tunnel *tunnel = session->tunnel;
1143         struct sock *sk = tunnel->sock;
1144         struct flowi *fl;
1145         struct udphdr *uh;
1146         struct inet_sock *inet;
1147         int headroom;
1148         int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1149         int udp_len;
1150         int ret = NET_XMIT_SUCCESS;
1151 
1152         /* Check that there's enough headroom in the skb to insert IP,
1153          * UDP and L2TP headers. If not enough, expand it to
1154          * make room. Adjust truesize.
1155          */
1156         headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1157                 uhlen + hdr_len;
1158         if (skb_cow_head(skb, headroom)) {
1159                 kfree_skb(skb);
1160                 return NET_XMIT_DROP;
1161         }
1162 
1163         /* Setup L2TP header */
1164         session->build_header(session, __skb_push(skb, hdr_len));
1165 
1166         /* Reset skb netfilter state */
1167         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1168         IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1169                               IPSKB_REROUTED);
1170         nf_reset(skb);
1171 
1172         bh_lock_sock(sk);
1173         if (sock_owned_by_user(sk)) {
1174                 kfree_skb(skb);
1175                 ret = NET_XMIT_DROP;
1176                 goto out_unlock;
1177         }
1178 
1179         /* Get routing info from the tunnel socket */
1180         skb_dst_drop(skb);
1181         skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
1182 
1183         inet = inet_sk(sk);
1184         fl = &inet->cork.fl;
1185         switch (tunnel->encap) {
1186         case L2TP_ENCAPTYPE_UDP:
1187                 /* Setup UDP header */
1188                 __skb_push(skb, sizeof(*uh));
1189                 skb_reset_transport_header(skb);
1190                 uh = udp_hdr(skb);
1191                 uh->source = inet->inet_sport;
1192                 uh->dest = inet->inet_dport;
1193                 udp_len = uhlen + hdr_len + data_len;
1194                 uh->len = htons(udp_len);
1195 
1196                 /* Calculate UDP checksum if configured to do so */
1197 #if IS_ENABLED(CONFIG_IPV6)
1198                 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
1199                         udp6_set_csum(udp_get_no_check6_tx(sk),
1200                                       skb, &inet6_sk(sk)->saddr,
1201                                       &sk->sk_v6_daddr, udp_len);
1202                 else
1203 #endif
1204                 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1205                              inet->inet_daddr, udp_len);
1206                 break;
1207 
1208         case L2TP_ENCAPTYPE_IP:
1209                 break;
1210         }
1211 
1212         l2tp_xmit_core(session, skb, fl, data_len);
1213 out_unlock:
1214         bh_unlock_sock(sk);
1215 
1216         return ret;
1217 }
1218 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1219 
1220 /*****************************************************************************
1221  * Tinnel and session create/destroy.
1222  *****************************************************************************/
1223 
1224 /* Tunnel socket destruct hook.
1225  * The tunnel context is deleted only when all session sockets have been
1226  * closed.
1227  */
1228 static void l2tp_tunnel_destruct(struct sock *sk)
1229 {
1230         struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
1231         struct l2tp_net *pn;
1232 
1233         if (tunnel == NULL)
1234                 goto end;
1235 
1236         l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1237 
1238 
1239         /* Disable udp encapsulation */
1240         switch (tunnel->encap) {
1241         case L2TP_ENCAPTYPE_UDP:
1242                 /* No longer an encapsulation socket. See net/ipv4/udp.c */
1243                 (udp_sk(sk))->encap_type = 0;
1244                 (udp_sk(sk))->encap_rcv = NULL;
1245                 (udp_sk(sk))->encap_destroy = NULL;
1246                 break;
1247         case L2TP_ENCAPTYPE_IP:
1248                 break;
1249         }
1250 
1251         /* Remove hooks into tunnel socket */
1252         sk->sk_destruct = tunnel->old_sk_destruct;
1253         sk->sk_user_data = NULL;
1254         tunnel->sock = NULL;
1255 
1256         /* Remove the tunnel struct from the tunnel list */
1257         pn = l2tp_pernet(tunnel->l2tp_net);
1258         spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1259         list_del_rcu(&tunnel->list);
1260         spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1261         atomic_dec(&l2tp_tunnel_count);
1262 
1263         l2tp_tunnel_closeall(tunnel);
1264         l2tp_tunnel_dec_refcount(tunnel);
1265 
1266         /* Call the original destructor */
1267         if (sk->sk_destruct)
1268                 (*sk->sk_destruct)(sk);
1269 end:
1270         return;
1271 }
1272 
1273 /* When the tunnel is closed, all the attached sessions need to go too.
1274  */
1275 void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1276 {
1277         int hash;
1278         struct hlist_node *walk;
1279         struct hlist_node *tmp;
1280         struct l2tp_session *session;
1281 
1282         BUG_ON(tunnel == NULL);
1283 
1284         l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1285                   tunnel->name);
1286 
1287         write_lock_bh(&tunnel->hlist_lock);
1288         for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1289 again:
1290                 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1291                         session = hlist_entry(walk, struct l2tp_session, hlist);
1292 
1293                         l2tp_info(session, L2TP_MSG_CONTROL,
1294                                   "%s: closing session\n", session->name);
1295 
1296                         hlist_del_init(&session->hlist);
1297 
1298                         if (session->ref != NULL)
1299                                 (*session->ref)(session);
1300 
1301                         write_unlock_bh(&tunnel->hlist_lock);
1302 
1303                         __l2tp_session_unhash(session);
1304                         l2tp_session_queue_purge(session);
1305 
1306                         if (session->session_close != NULL)
1307                                 (*session->session_close)(session);
1308 
1309                         if (session->deref != NULL)
1310                                 (*session->deref)(session);
1311 
1312                         l2tp_session_dec_refcount(session);
1313 
1314                         write_lock_bh(&tunnel->hlist_lock);
1315 
1316                         /* Now restart from the beginning of this hash
1317                          * chain.  We always remove a session from the
1318                          * list so we are guaranteed to make forward
1319                          * progress.
1320                          */
1321                         goto again;
1322                 }
1323         }
1324         write_unlock_bh(&tunnel->hlist_lock);
1325 }
1326 EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
1327 
1328 /* Tunnel socket destroy hook for UDP encapsulation */
1329 static void l2tp_udp_encap_destroy(struct sock *sk)
1330 {
1331         struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
1332         if (tunnel) {
1333                 l2tp_tunnel_closeall(tunnel);
1334                 sock_put(sk);
1335         }
1336 }
1337 
1338 /* Workqueue tunnel deletion function */
1339 static void l2tp_tunnel_del_work(struct work_struct *work)
1340 {
1341         struct l2tp_tunnel *tunnel = NULL;
1342         struct socket *sock = NULL;
1343         struct sock *sk = NULL;
1344 
1345         tunnel = container_of(work, struct l2tp_tunnel, del_work);
1346 
1347         l2tp_tunnel_closeall(tunnel);
1348 
1349         sk = l2tp_tunnel_sock_lookup(tunnel);
1350         if (!sk)
1351                 goto out;
1352 
1353         sock = sk->sk_socket;
1354 
1355         /* If the tunnel socket was created by userspace, then go through the
1356          * inet layer to shut the socket down, and let userspace close it.
1357          * Otherwise, if we created the socket directly within the kernel, use
1358          * the sk API to release it here.
1359          * In either case the tunnel resources are freed in the socket
1360          * destructor when the tunnel socket goes away.
1361          */
1362         if (tunnel->fd >= 0) {
1363                 if (sock)
1364                         inet_shutdown(sock, 2);
1365         } else {
1366                 if (sock) {
1367                         kernel_sock_shutdown(sock, SHUT_RDWR);
1368                         sock_release(sock);
1369                 }
1370         }
1371 
1372         l2tp_tunnel_sock_put(sk);
1373 out:
1374         l2tp_tunnel_dec_refcount(tunnel);
1375 }
1376 
1377 /* Create a socket for the tunnel, if one isn't set up by
1378  * userspace. This is used for static tunnels where there is no
1379  * managing L2TP daemon.
1380  *
1381  * Since we don't want these sockets to keep a namespace alive by
1382  * themselves, we drop the socket's namespace refcount after creation.
1383  * These sockets are freed when the namespace exits using the pernet
1384  * exit hook.
1385  */
1386 static int l2tp_tunnel_sock_create(struct net *net,
1387                                 u32 tunnel_id,
1388                                 u32 peer_tunnel_id,
1389                                 struct l2tp_tunnel_cfg *cfg,
1390                                 struct socket **sockp)
1391 {
1392         int err = -EINVAL;
1393         struct socket *sock = NULL;
1394         struct udp_port_cfg udp_conf;
1395 
1396         switch (cfg->encap) {
1397         case L2TP_ENCAPTYPE_UDP:
1398                 memset(&udp_conf, 0, sizeof(udp_conf));
1399 
1400 #if IS_ENABLED(CONFIG_IPV6)
1401                 if (cfg->local_ip6 && cfg->peer_ip6) {
1402                         udp_conf.family = AF_INET6;
1403                         memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1404                                sizeof(udp_conf.local_ip6));
1405                         memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1406                                sizeof(udp_conf.peer_ip6));
1407                         udp_conf.use_udp6_tx_checksums =
1408                           ! cfg->udp6_zero_tx_checksums;
1409                         udp_conf.use_udp6_rx_checksums =
1410                           ! cfg->udp6_zero_rx_checksums;
1411                 } else
1412 #endif
1413                 {
1414                         udp_conf.family = AF_INET;
1415                         udp_conf.local_ip = cfg->local_ip;
1416                         udp_conf.peer_ip = cfg->peer_ip;
1417                         udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1418                 }
1419 
1420                 udp_conf.local_udp_port = htons(cfg->local_udp_port);
1421                 udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1422 
1423                 err = udp_sock_create(net, &udp_conf, &sock);
1424                 if (err < 0)
1425                         goto out;
1426 
1427                 break;
1428 
1429         case L2TP_ENCAPTYPE_IP:
1430 #if IS_ENABLED(CONFIG_IPV6)
1431                 if (cfg->local_ip6 && cfg->peer_ip6) {
1432                         struct sockaddr_l2tpip6 ip6_addr = {0};
1433 
1434                         err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1435                                           IPPROTO_L2TP, &sock);
1436                         if (err < 0)
1437                                 goto out;
1438 
1439                         ip6_addr.l2tp_family = AF_INET6;
1440                         memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1441                                sizeof(ip6_addr.l2tp_addr));
1442                         ip6_addr.l2tp_conn_id = tunnel_id;
1443                         err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1444                                           sizeof(ip6_addr));
1445                         if (err < 0)
1446                                 goto out;
1447 
1448                         ip6_addr.l2tp_family = AF_INET6;
1449                         memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1450                                sizeof(ip6_addr.l2tp_addr));
1451                         ip6_addr.l2tp_conn_id = peer_tunnel_id;
1452                         err = kernel_connect(sock,
1453                                              (struct sockaddr *) &ip6_addr,
1454                                              sizeof(ip6_addr), 0);
1455                         if (err < 0)
1456                                 goto out;
1457                 } else
1458 #endif
1459                 {
1460                         struct sockaddr_l2tpip ip_addr = {0};
1461 
1462                         err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1463                                           IPPROTO_L2TP, &sock);
1464                         if (err < 0)
1465                                 goto out;
1466 
1467                         ip_addr.l2tp_family = AF_INET;
1468                         ip_addr.l2tp_addr = cfg->local_ip;
1469                         ip_addr.l2tp_conn_id = tunnel_id;
1470                         err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1471                                           sizeof(ip_addr));
1472                         if (err < 0)
1473                                 goto out;
1474 
1475                         ip_addr.l2tp_family = AF_INET;
1476                         ip_addr.l2tp_addr = cfg->peer_ip;
1477                         ip_addr.l2tp_conn_id = peer_tunnel_id;
1478                         err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1479                                              sizeof(ip_addr), 0);
1480                         if (err < 0)
1481                                 goto out;
1482                 }
1483                 break;
1484 
1485         default:
1486                 goto out;
1487         }
1488 
1489 out:
1490         *sockp = sock;
1491         if ((err < 0) && sock) {
1492                 kernel_sock_shutdown(sock, SHUT_RDWR);
1493                 sock_release(sock);
1494                 *sockp = NULL;
1495         }
1496 
1497         return err;
1498 }
1499 
1500 static struct lock_class_key l2tp_socket_class;
1501 
1502 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1503 {
1504         struct l2tp_tunnel *tunnel = NULL;
1505         int err;
1506         struct socket *sock = NULL;
1507         struct sock *sk = NULL;
1508         struct l2tp_net *pn;
1509         enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1510 
1511         /* Get the tunnel socket from the fd, which was opened by
1512          * the userspace L2TP daemon. If not specified, create a
1513          * kernel socket.
1514          */
1515         if (fd < 0) {
1516                 err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id,
1517                                 cfg, &sock);
1518                 if (err < 0)
1519                         goto err;
1520         } else {
1521                 sock = sockfd_lookup(fd, &err);
1522                 if (!sock) {
1523                         pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n",
1524                                tunnel_id, fd, err);
1525                         err = -EBADF;
1526                         goto err;
1527                 }
1528 
1529                 /* Reject namespace mismatches */
1530                 if (!net_eq(sock_net(sock->sk), net)) {
1531                         pr_err("tunl %u: netns mismatch\n", tunnel_id);
1532                         err = -EINVAL;
1533                         goto err;
1534                 }
1535         }
1536 
1537         sk = sock->sk;
1538 
1539         if (cfg != NULL)
1540                 encap = cfg->encap;
1541 
1542         /* Quick sanity checks */
1543         switch (encap) {
1544         case L2TP_ENCAPTYPE_UDP:
1545                 err = -EPROTONOSUPPORT;
1546                 if (sk->sk_protocol != IPPROTO_UDP) {
1547                         pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1548                                tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1549                         goto err;
1550                 }
1551                 break;
1552         case L2TP_ENCAPTYPE_IP:
1553                 err = -EPROTONOSUPPORT;
1554                 if (sk->sk_protocol != IPPROTO_L2TP) {
1555                         pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1556                                tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1557                         goto err;
1558                 }
1559                 break;
1560         }
1561 
1562         /* Check if this socket has already been prepped */
1563         tunnel = l2tp_tunnel(sk);
1564         if (tunnel != NULL) {
1565                 /* This socket has already been prepped */
1566                 err = -EBUSY;
1567                 goto err;
1568         }
1569 
1570         tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1571         if (tunnel == NULL) {
1572                 err = -ENOMEM;
1573                 goto err;
1574         }
1575 
1576         tunnel->version = version;
1577         tunnel->tunnel_id = tunnel_id;
1578         tunnel->peer_tunnel_id = peer_tunnel_id;
1579         tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1580 
1581         tunnel->magic = L2TP_TUNNEL_MAGIC;
1582         sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1583         rwlock_init(&tunnel->hlist_lock);
1584 
1585         /* The net we belong to */
1586         tunnel->l2tp_net = net;
1587         pn = l2tp_pernet(net);
1588 
1589         if (cfg != NULL)
1590                 tunnel->debug = cfg->debug;
1591 
1592 #if IS_ENABLED(CONFIG_IPV6)
1593         if (sk->sk_family == PF_INET6) {
1594                 struct ipv6_pinfo *np = inet6_sk(sk);
1595 
1596                 if (ipv6_addr_v4mapped(&np->saddr) &&
1597                     ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
1598                         struct inet_sock *inet = inet_sk(sk);
1599 
1600                         tunnel->v4mapped = true;
1601                         inet->inet_saddr = np->saddr.s6_addr32[3];
1602                         inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
1603                         inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
1604                 } else {
1605                         tunnel->v4mapped = false;
1606                 }
1607         }
1608 #endif
1609 
1610         /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1611         tunnel->encap = encap;
1612         if (encap == L2TP_ENCAPTYPE_UDP) {
1613                 struct udp_tunnel_sock_cfg udp_cfg = { };
1614 
1615                 udp_cfg.sk_user_data = tunnel;
1616                 udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
1617                 udp_cfg.encap_rcv = l2tp_udp_encap_recv;
1618                 udp_cfg.encap_destroy = l2tp_udp_encap_destroy;
1619 
1620                 setup_udp_tunnel_sock(net, sock, &udp_cfg);
1621         } else {
1622                 sk->sk_user_data = tunnel;
1623         }
1624 
1625         /* Hook on the tunnel socket destructor so that we can cleanup
1626          * if the tunnel socket goes away.
1627          */
1628         tunnel->old_sk_destruct = sk->sk_destruct;
1629         sk->sk_destruct = &l2tp_tunnel_destruct;
1630         tunnel->sock = sk;
1631         tunnel->fd = fd;
1632         lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1633 
1634         sk->sk_allocation = GFP_ATOMIC;
1635 
1636         /* Init delete workqueue struct */
1637         INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1638 
1639         /* Add tunnel to our list */
1640         INIT_LIST_HEAD(&tunnel->list);
1641         atomic_inc(&l2tp_tunnel_count);
1642 
1643         /* Bump the reference count. The tunnel context is deleted
1644          * only when this drops to zero. Must be done before list insertion
1645          */
1646         refcount_set(&tunnel->ref_count, 1);
1647         spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1648         list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1649         spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1650 
1651         err = 0;
1652 err:
1653         if (tunnelp)
1654                 *tunnelp = tunnel;
1655 
1656         /* If tunnel's socket was created by the kernel, it doesn't
1657          *  have a file.
1658          */
1659         if (sock && sock->file)
1660                 sockfd_put(sock);
1661 
1662         return err;
1663 }
1664 EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1665 
1666 /* This function is used by the netlink TUNNEL_DELETE command.
1667  */
1668 void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1669 {
1670         if (!test_and_set_bit(0, &tunnel->dead)) {
1671                 l2tp_tunnel_inc_refcount(tunnel);
1672                 queue_work(l2tp_wq, &tunnel->del_work);
1673         }
1674 }
1675 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1676 
1677 /* Really kill the session.
1678  */
1679 void l2tp_session_free(struct l2tp_session *session)
1680 {
1681         struct l2tp_tunnel *tunnel = session->tunnel;
1682 
1683         BUG_ON(refcount_read(&session->ref_count) != 0);
1684 
1685         if (tunnel) {
1686                 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1687                 if (session->session_id != 0)
1688                         atomic_dec(&l2tp_session_count);
1689                 sock_put(tunnel->sock);
1690                 session->tunnel = NULL;
1691                 l2tp_tunnel_dec_refcount(tunnel);
1692         }
1693 
1694         kfree(session);
1695 }
1696 EXPORT_SYMBOL_GPL(l2tp_session_free);
1697 
1698 /* Remove an l2tp session from l2tp_core's hash lists.
1699  * Provides a tidyup interface for pseudowire code which can't just route all
1700  * shutdown via. l2tp_session_delete and a pseudowire-specific session_close
1701  * callback.
1702  */
1703 void __l2tp_session_unhash(struct l2tp_session *session)
1704 {
1705         struct l2tp_tunnel *tunnel = session->tunnel;
1706 
1707         /* Remove the session from core hashes */
1708         if (tunnel) {
1709                 /* Remove from the per-tunnel hash */
1710                 write_lock_bh(&tunnel->hlist_lock);
1711                 hlist_del_init(&session->hlist);
1712                 write_unlock_bh(&tunnel->hlist_lock);
1713 
1714                 /* For L2TPv3 we have a per-net hash: remove from there, too */
1715                 if (tunnel->version != L2TP_HDR_VER_2) {
1716                         struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1717                         spin_lock_bh(&pn->l2tp_session_hlist_lock);
1718                         hlist_del_init_rcu(&session->global_hlist);
1719                         spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1720                         synchronize_rcu();
1721                 }
1722         }
1723 }
1724 EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
1725 
1726 /* This function is used by the netlink SESSION_DELETE command and by
1727    pseudowire modules.
1728  */
1729 int l2tp_session_delete(struct l2tp_session *session)
1730 {
1731         if (session->ref)
1732                 (*session->ref)(session);
1733         __l2tp_session_unhash(session);
1734         l2tp_session_queue_purge(session);
1735         if (session->session_close != NULL)
1736                 (*session->session_close)(session);
1737         if (session->deref)
1738                 (*session->deref)(session);
1739         l2tp_session_dec_refcount(session);
1740         return 0;
1741 }
1742 EXPORT_SYMBOL_GPL(l2tp_session_delete);
1743 
1744 /* We come here whenever a session's send_seq, cookie_len or
1745  * l2specific_len parameters are set.
1746  */
1747 void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1748 {
1749         if (version == L2TP_HDR_VER_2) {
1750                 session->hdr_len = 6;
1751                 if (session->send_seq)
1752                         session->hdr_len += 4;
1753         } else {
1754                 session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
1755                 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1756                         session->hdr_len += 4;
1757         }
1758 
1759 }
1760 EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1761 
1762 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1763 {
1764         struct l2tp_session *session;
1765         int err;
1766 
1767         session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1768         if (session != NULL) {
1769                 session->magic = L2TP_SESSION_MAGIC;
1770                 session->tunnel = tunnel;
1771 
1772                 session->session_id = session_id;
1773                 session->peer_session_id = peer_session_id;
1774                 session->nr = 0;
1775                 if (tunnel->version == L2TP_HDR_VER_2)
1776                         session->nr_max = 0xffff;
1777                 else
1778                         session->nr_max = 0xffffff;
1779                 session->nr_window_size = session->nr_max / 2;
1780                 session->nr_oos_count_max = 4;
1781 
1782                 /* Use NR of first received packet */
1783                 session->reorder_skip = 1;
1784 
1785                 sprintf(&session->name[0], "sess %u/%u",
1786                         tunnel->tunnel_id, session->session_id);
1787 
1788                 skb_queue_head_init(&session->reorder_q);
1789 
1790                 INIT_HLIST_NODE(&session->hlist);
1791                 INIT_HLIST_NODE(&session->global_hlist);
1792 
1793                 /* Inherit debug options from tunnel */
1794                 session->debug = tunnel->debug;
1795 
1796                 if (cfg) {
1797                         session->pwtype = cfg->pw_type;
1798                         session->debug = cfg->debug;
1799                         session->mtu = cfg->mtu;
1800                         session->mru = cfg->mru;
1801                         session->send_seq = cfg->send_seq;
1802                         session->recv_seq = cfg->recv_seq;
1803                         session->lns_mode = cfg->lns_mode;
1804                         session->reorder_timeout = cfg->reorder_timeout;
1805                         session->offset = cfg->offset;
1806                         session->l2specific_type = cfg->l2specific_type;
1807                         session->l2specific_len = cfg->l2specific_len;
1808                         session->cookie_len = cfg->cookie_len;
1809                         memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1810                         session->peer_cookie_len = cfg->peer_cookie_len;
1811                         memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1812                 }
1813 
1814                 if (tunnel->version == L2TP_HDR_VER_2)
1815                         session->build_header = l2tp_build_l2tpv2_header;
1816                 else
1817                         session->build_header = l2tp_build_l2tpv3_header;
1818 
1819                 l2tp_session_set_header_len(session, tunnel->version);
1820 
1821                 refcount_set(&session->ref_count, 1);
1822 
1823                 err = l2tp_session_add_to_tunnel(tunnel, session);
1824                 if (err) {
1825                         kfree(session);
1826 
1827                         return ERR_PTR(err);
1828                 }
1829 
1830                 l2tp_tunnel_inc_refcount(tunnel);
1831 
1832                 /* Ensure tunnel socket isn't deleted */
1833                 sock_hold(tunnel->sock);
1834 
1835                 /* Ignore management session in session count value */
1836                 if (session->session_id != 0)
1837                         atomic_inc(&l2tp_session_count);
1838 
1839                 return session;
1840         }
1841 
1842         return ERR_PTR(-ENOMEM);
1843 }
1844 EXPORT_SYMBOL_GPL(l2tp_session_create);
1845 
1846 /*****************************************************************************
1847  * Init and cleanup
1848  *****************************************************************************/
1849 
1850 static __net_init int l2tp_init_net(struct net *net)
1851 {
1852         struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1853         int hash;
1854 
1855         INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1856         spin_lock_init(&pn->l2tp_tunnel_list_lock);
1857 
1858         for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1859                 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1860 
1861         spin_lock_init(&pn->l2tp_session_hlist_lock);
1862 
1863         return 0;
1864 }
1865 
1866 static __net_exit void l2tp_exit_net(struct net *net)
1867 {
1868         struct l2tp_net *pn = l2tp_pernet(net);
1869         struct l2tp_tunnel *tunnel = NULL;
1870 
1871         rcu_read_lock_bh();
1872         list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1873                 (void)l2tp_tunnel_delete(tunnel);
1874         }
1875         rcu_read_unlock_bh();
1876 
1877         flush_workqueue(l2tp_wq);
1878         rcu_barrier();
1879 }
1880 
1881 static struct pernet_operations l2tp_net_ops = {
1882         .init = l2tp_init_net,
1883         .exit = l2tp_exit_net,
1884         .id   = &l2tp_net_id,
1885         .size = sizeof(struct l2tp_net),
1886 };
1887 
1888 static int __init l2tp_init(void)
1889 {
1890         int rc = 0;
1891 
1892         rc = register_pernet_device(&l2tp_net_ops);
1893         if (rc)
1894                 goto out;
1895 
1896         l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1897         if (!l2tp_wq) {
1898                 pr_err("alloc_workqueue failed\n");
1899                 unregister_pernet_device(&l2tp_net_ops);
1900                 rc = -ENOMEM;
1901                 goto out;
1902         }
1903 
1904         pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1905 
1906 out:
1907         return rc;
1908 }
1909 
1910 static void __exit l2tp_exit(void)
1911 {
1912         unregister_pernet_device(&l2tp_net_ops);
1913         if (l2tp_wq) {
1914                 destroy_workqueue(l2tp_wq);
1915                 l2tp_wq = NULL;
1916         }
1917 }
1918 
1919 module_init(l2tp_init);
1920 module_exit(l2tp_exit);
1921 
1922 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1923 MODULE_DESCRIPTION("L2TP core");
1924 MODULE_LICENSE("GPL");
1925 MODULE_VERSION(L2TP_DRV_VERSION);
1926 
1927 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp