~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/l2tp/l2tp_core.c

Version: ~ [ linux-5.3-rc5 ] ~ [ linux-5.2.9 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.67 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.139 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.189 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.189 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.72 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * L2TP core.
  3  *
  4  * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
  5  *
  6  * This file contains some code of the original L2TPv2 pppol2tp
  7  * driver, which has the following copyright:
  8  *
  9  * Authors:     Martijn van Oosterhout <kleptog@svana.org>
 10  *              James Chapman (jchapman@katalix.com)
 11  * Contributors:
 12  *              Michal Ostrowski <mostrows@speakeasy.net>
 13  *              Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
 14  *              David S. Miller (davem@redhat.com)
 15  *
 16  * This program is free software; you can redistribute it and/or modify
 17  * it under the terms of the GNU General Public License version 2 as
 18  * published by the Free Software Foundation.
 19  */
 20 
 21 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 22 
 23 #include <linux/module.h>
 24 #include <linux/string.h>
 25 #include <linux/list.h>
 26 #include <linux/rculist.h>
 27 #include <linux/uaccess.h>
 28 
 29 #include <linux/kernel.h>
 30 #include <linux/spinlock.h>
 31 #include <linux/kthread.h>
 32 #include <linux/sched.h>
 33 #include <linux/slab.h>
 34 #include <linux/errno.h>
 35 #include <linux/jiffies.h>
 36 
 37 #include <linux/netdevice.h>
 38 #include <linux/net.h>
 39 #include <linux/inetdevice.h>
 40 #include <linux/skbuff.h>
 41 #include <linux/init.h>
 42 #include <linux/in.h>
 43 #include <linux/ip.h>
 44 #include <linux/udp.h>
 45 #include <linux/l2tp.h>
 46 #include <linux/hash.h>
 47 #include <linux/sort.h>
 48 #include <linux/file.h>
 49 #include <linux/nsproxy.h>
 50 #include <net/net_namespace.h>
 51 #include <net/netns/generic.h>
 52 #include <net/dst.h>
 53 #include <net/ip.h>
 54 #include <net/udp.h>
 55 #include <net/udp_tunnel.h>
 56 #include <net/inet_common.h>
 57 #include <net/xfrm.h>
 58 #include <net/protocol.h>
 59 #include <net/inet6_connection_sock.h>
 60 #include <net/inet_ecn.h>
 61 #include <net/ip6_route.h>
 62 #include <net/ip6_checksum.h>
 63 
 64 #include <asm/byteorder.h>
 65 #include <linux/atomic.h>
 66 
 67 #include "l2tp_core.h"
 68 
 69 #define L2TP_DRV_VERSION        "V2.0"
 70 
 71 /* L2TP header constants */
 72 #define L2TP_HDRFLAG_T     0x8000
 73 #define L2TP_HDRFLAG_L     0x4000
 74 #define L2TP_HDRFLAG_S     0x0800
 75 #define L2TP_HDRFLAG_O     0x0200
 76 #define L2TP_HDRFLAG_P     0x0100
 77 
 78 #define L2TP_HDR_VER_MASK  0x000F
 79 #define L2TP_HDR_VER_2     0x0002
 80 #define L2TP_HDR_VER_3     0x0003
 81 
 82 /* L2TPv3 default L2-specific sublayer */
 83 #define L2TP_SLFLAG_S      0x40000000
 84 #define L2TP_SL_SEQ_MASK   0x00ffffff
 85 
 86 #define L2TP_HDR_SIZE_SEQ               10
 87 #define L2TP_HDR_SIZE_NOSEQ             6
 88 
 89 /* Default trace flags */
 90 #define L2TP_DEFAULT_DEBUG_FLAGS        0
 91 
 92 /* Private data stored for received packets in the skb.
 93  */
 94 struct l2tp_skb_cb {
 95         u32                     ns;
 96         u16                     has_seq;
 97         u16                     length;
 98         unsigned long           expires;
 99 };
100 
101 #define L2TP_SKB_CB(skb)        ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
102 
103 static atomic_t l2tp_tunnel_count;
104 static atomic_t l2tp_session_count;
105 static struct workqueue_struct *l2tp_wq;
106 
107 /* per-net private data for this module */
108 static unsigned int l2tp_net_id;
109 struct l2tp_net {
110         struct list_head l2tp_tunnel_list;
111         spinlock_t l2tp_tunnel_list_lock;
112         struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
113         spinlock_t l2tp_session_hlist_lock;
114 };
115 
116 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
117 
118 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
119 {
120         return sk->sk_user_data;
121 }
122 
123 static inline struct l2tp_net *l2tp_pernet(struct net *net)
124 {
125         BUG_ON(!net);
126 
127         return net_generic(net, l2tp_net_id);
128 }
129 
130 /* Tunnel reference counts. Incremented per session that is added to
131  * the tunnel.
132  */
133 static inline void l2tp_tunnel_inc_refcount_1(struct l2tp_tunnel *tunnel)
134 {
135         atomic_inc(&tunnel->ref_count);
136 }
137 
138 static inline void l2tp_tunnel_dec_refcount_1(struct l2tp_tunnel *tunnel)
139 {
140         if (atomic_dec_and_test(&tunnel->ref_count))
141                 l2tp_tunnel_free(tunnel);
142 }
143 #ifdef L2TP_REFCNT_DEBUG
144 #define l2tp_tunnel_inc_refcount(_t)                                    \
145 do {                                                                    \
146         pr_debug("l2tp_tunnel_inc_refcount: %s:%d %s: cnt=%d\n",        \
147                  __func__, __LINE__, (_t)->name,                        \
148                  atomic_read(&_t->ref_count));                          \
149         l2tp_tunnel_inc_refcount_1(_t);                                 \
150 } while (0)
151 #define l2tp_tunnel_dec_refcount(_t)                                    \
152 do {                                                                    \
153         pr_debug("l2tp_tunnel_dec_refcount: %s:%d %s: cnt=%d\n",        \
154                  __func__, __LINE__, (_t)->name,                        \
155                  atomic_read(&_t->ref_count));                          \
156         l2tp_tunnel_dec_refcount_1(_t);                                 \
157 } while (0)
158 #else
159 #define l2tp_tunnel_inc_refcount(t) l2tp_tunnel_inc_refcount_1(t)
160 #define l2tp_tunnel_dec_refcount(t) l2tp_tunnel_dec_refcount_1(t)
161 #endif
162 
163 /* Session hash global list for L2TPv3.
164  * The session_id SHOULD be random according to RFC3931, but several
165  * L2TP implementations use incrementing session_ids.  So we do a real
166  * hash on the session_id, rather than a simple bitmask.
167  */
168 static inline struct hlist_head *
169 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
170 {
171         return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
172 
173 }
174 
175 /* Lookup the tunnel socket, possibly involving the fs code if the socket is
176  * owned by userspace.  A struct sock returned from this function must be
177  * released using l2tp_tunnel_sock_put once you're done with it.
178  */
179 static struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
180 {
181         int err = 0;
182         struct socket *sock = NULL;
183         struct sock *sk = NULL;
184 
185         if (!tunnel)
186                 goto out;
187 
188         if (tunnel->fd >= 0) {
189                 /* Socket is owned by userspace, who might be in the process
190                  * of closing it.  Look the socket up using the fd to ensure
191                  * consistency.
192                  */
193                 sock = sockfd_lookup(tunnel->fd, &err);
194                 if (sock)
195                         sk = sock->sk;
196         } else {
197                 /* Socket is owned by kernelspace */
198                 sk = tunnel->sock;
199                 sock_hold(sk);
200         }
201 
202 out:
203         return sk;
204 }
205 
206 /* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
207 static void l2tp_tunnel_sock_put(struct sock *sk)
208 {
209         struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
210         if (tunnel) {
211                 if (tunnel->fd >= 0) {
212                         /* Socket is owned by userspace */
213                         sockfd_put(sk->sk_socket);
214                 }
215                 sock_put(sk);
216         }
217         sock_put(sk);
218 }
219 
220 /* Lookup a session by id in the global session list
221  */
222 static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
223 {
224         struct l2tp_net *pn = l2tp_pernet(net);
225         struct hlist_head *session_list =
226                 l2tp_session_id_hash_2(pn, session_id);
227         struct l2tp_session *session;
228 
229         rcu_read_lock_bh();
230         hlist_for_each_entry_rcu(session, session_list, global_hlist) {
231                 if (session->session_id == session_id) {
232                         rcu_read_unlock_bh();
233                         return session;
234                 }
235         }
236         rcu_read_unlock_bh();
237 
238         return NULL;
239 }
240 
241 /* Session hash list.
242  * The session_id SHOULD be random according to RFC2661, but several
243  * L2TP implementations (Cisco and Microsoft) use incrementing
244  * session_ids.  So we do a real hash on the session_id, rather than a
245  * simple bitmask.
246  */
247 static inline struct hlist_head *
248 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
249 {
250         return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
251 }
252 
253 /* Lookup a session by id
254  */
255 struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunnel, u32 session_id)
256 {
257         struct hlist_head *session_list;
258         struct l2tp_session *session;
259 
260         /* In L2TPv3, session_ids are unique over all tunnels and we
261          * sometimes need to look them up before we know the
262          * tunnel.
263          */
264         if (tunnel == NULL)
265                 return l2tp_session_find_2(net, session_id);
266 
267         session_list = l2tp_session_id_hash(tunnel, session_id);
268         read_lock_bh(&tunnel->hlist_lock);
269         hlist_for_each_entry(session, session_list, hlist) {
270                 if (session->session_id == session_id) {
271                         read_unlock_bh(&tunnel->hlist_lock);
272                         return session;
273                 }
274         }
275         read_unlock_bh(&tunnel->hlist_lock);
276 
277         return NULL;
278 }
279 EXPORT_SYMBOL_GPL(l2tp_session_find);
280 
281 struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
282 {
283         int hash;
284         struct l2tp_session *session;
285         int count = 0;
286 
287         read_lock_bh(&tunnel->hlist_lock);
288         for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
289                 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
290                         if (++count > nth) {
291                                 read_unlock_bh(&tunnel->hlist_lock);
292                                 return session;
293                         }
294                 }
295         }
296 
297         read_unlock_bh(&tunnel->hlist_lock);
298 
299         return NULL;
300 }
301 EXPORT_SYMBOL_GPL(l2tp_session_find_nth);
302 
303 /* Lookup a session by interface name.
304  * This is very inefficient but is only used by management interfaces.
305  */
306 struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
307 {
308         struct l2tp_net *pn = l2tp_pernet(net);
309         int hash;
310         struct l2tp_session *session;
311 
312         rcu_read_lock_bh();
313         for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
314                 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
315                         if (!strcmp(session->ifname, ifname)) {
316                                 rcu_read_unlock_bh();
317                                 return session;
318                         }
319                 }
320         }
321 
322         rcu_read_unlock_bh();
323 
324         return NULL;
325 }
326 EXPORT_SYMBOL_GPL(l2tp_session_find_by_ifname);
327 
328 /* Lookup a tunnel by id
329  */
330 struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id)
331 {
332         struct l2tp_tunnel *tunnel;
333         struct l2tp_net *pn = l2tp_pernet(net);
334 
335         rcu_read_lock_bh();
336         list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
337                 if (tunnel->tunnel_id == tunnel_id) {
338                         rcu_read_unlock_bh();
339                         return tunnel;
340                 }
341         }
342         rcu_read_unlock_bh();
343 
344         return NULL;
345 }
346 EXPORT_SYMBOL_GPL(l2tp_tunnel_find);
347 
348 struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth)
349 {
350         struct l2tp_net *pn = l2tp_pernet(net);
351         struct l2tp_tunnel *tunnel;
352         int count = 0;
353 
354         rcu_read_lock_bh();
355         list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
356                 if (++count > nth) {
357                         rcu_read_unlock_bh();
358                         return tunnel;
359                 }
360         }
361 
362         rcu_read_unlock_bh();
363 
364         return NULL;
365 }
366 EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
367 
368 /*****************************************************************************
369  * Receive data handling
370  *****************************************************************************/
371 
372 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
373  * number.
374  */
375 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
376 {
377         struct sk_buff *skbp;
378         struct sk_buff *tmp;
379         u32 ns = L2TP_SKB_CB(skb)->ns;
380 
381         spin_lock_bh(&session->reorder_q.lock);
382         skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
383                 if (L2TP_SKB_CB(skbp)->ns > ns) {
384                         __skb_queue_before(&session->reorder_q, skbp, skb);
385                         l2tp_dbg(session, L2TP_MSG_SEQ,
386                                  "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
387                                  session->name, ns, L2TP_SKB_CB(skbp)->ns,
388                                  skb_queue_len(&session->reorder_q));
389                         atomic_long_inc(&session->stats.rx_oos_packets);
390                         goto out;
391                 }
392         }
393 
394         __skb_queue_tail(&session->reorder_q, skb);
395 
396 out:
397         spin_unlock_bh(&session->reorder_q.lock);
398 }
399 
400 /* Dequeue a single skb.
401  */
402 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
403 {
404         struct l2tp_tunnel *tunnel = session->tunnel;
405         int length = L2TP_SKB_CB(skb)->length;
406 
407         /* We're about to requeue the skb, so return resources
408          * to its current owner (a socket receive buffer).
409          */
410         skb_orphan(skb);
411 
412         atomic_long_inc(&tunnel->stats.rx_packets);
413         atomic_long_add(length, &tunnel->stats.rx_bytes);
414         atomic_long_inc(&session->stats.rx_packets);
415         atomic_long_add(length, &session->stats.rx_bytes);
416 
417         if (L2TP_SKB_CB(skb)->has_seq) {
418                 /* Bump our Nr */
419                 session->nr++;
420                 session->nr &= session->nr_max;
421 
422                 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
423                          session->name, session->nr);
424         }
425 
426         /* call private receive handler */
427         if (session->recv_skb != NULL)
428                 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
429         else
430                 kfree_skb(skb);
431 
432         if (session->deref)
433                 (*session->deref)(session);
434 }
435 
436 /* Dequeue skbs from the session's reorder_q, subject to packet order.
437  * Skbs that have been in the queue for too long are simply discarded.
438  */
439 static void l2tp_recv_dequeue(struct l2tp_session *session)
440 {
441         struct sk_buff *skb;
442         struct sk_buff *tmp;
443 
444         /* If the pkt at the head of the queue has the nr that we
445          * expect to send up next, dequeue it and any other
446          * in-sequence packets behind it.
447          */
448 start:
449         spin_lock_bh(&session->reorder_q.lock);
450         skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
451                 if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
452                         atomic_long_inc(&session->stats.rx_seq_discards);
453                         atomic_long_inc(&session->stats.rx_errors);
454                         l2tp_dbg(session, L2TP_MSG_SEQ,
455                                  "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
456                                  session->name, L2TP_SKB_CB(skb)->ns,
457                                  L2TP_SKB_CB(skb)->length, session->nr,
458                                  skb_queue_len(&session->reorder_q));
459                         session->reorder_skip = 1;
460                         __skb_unlink(skb, &session->reorder_q);
461                         kfree_skb(skb);
462                         if (session->deref)
463                                 (*session->deref)(session);
464                         continue;
465                 }
466 
467                 if (L2TP_SKB_CB(skb)->has_seq) {
468                         if (session->reorder_skip) {
469                                 l2tp_dbg(session, L2TP_MSG_SEQ,
470                                          "%s: advancing nr to next pkt: %u -> %u",
471                                          session->name, session->nr,
472                                          L2TP_SKB_CB(skb)->ns);
473                                 session->reorder_skip = 0;
474                                 session->nr = L2TP_SKB_CB(skb)->ns;
475                         }
476                         if (L2TP_SKB_CB(skb)->ns != session->nr) {
477                                 l2tp_dbg(session, L2TP_MSG_SEQ,
478                                          "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
479                                          session->name, L2TP_SKB_CB(skb)->ns,
480                                          L2TP_SKB_CB(skb)->length, session->nr,
481                                          skb_queue_len(&session->reorder_q));
482                                 goto out;
483                         }
484                 }
485                 __skb_unlink(skb, &session->reorder_q);
486 
487                 /* Process the skb. We release the queue lock while we
488                  * do so to let other contexts process the queue.
489                  */
490                 spin_unlock_bh(&session->reorder_q.lock);
491                 l2tp_recv_dequeue_skb(session, skb);
492                 goto start;
493         }
494 
495 out:
496         spin_unlock_bh(&session->reorder_q.lock);
497 }
498 
499 static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
500 {
501         u32 nws;
502 
503         if (nr >= session->nr)
504                 nws = nr - session->nr;
505         else
506                 nws = (session->nr_max + 1) - (session->nr - nr);
507 
508         return nws < session->nr_window_size;
509 }
510 
511 /* If packet has sequence numbers, queue it if acceptable. Returns 0 if
512  * acceptable, else non-zero.
513  */
514 static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
515 {
516         if (!l2tp_seq_check_rx_window(session, L2TP_SKB_CB(skb)->ns)) {
517                 /* Packet sequence number is outside allowed window.
518                  * Discard it.
519                  */
520                 l2tp_dbg(session, L2TP_MSG_SEQ,
521                          "%s: pkt %u len %d discarded, outside window, nr=%u\n",
522                          session->name, L2TP_SKB_CB(skb)->ns,
523                          L2TP_SKB_CB(skb)->length, session->nr);
524                 goto discard;
525         }
526 
527         if (session->reorder_timeout != 0) {
528                 /* Packet reordering enabled. Add skb to session's
529                  * reorder queue, in order of ns.
530                  */
531                 l2tp_recv_queue_skb(session, skb);
532                 goto out;
533         }
534 
535         /* Packet reordering disabled. Discard out-of-sequence packets, while
536          * tracking the number if in-sequence packets after the first OOS packet
537          * is seen. After nr_oos_count_max in-sequence packets, reset the
538          * sequence number to re-enable packet reception.
539          */
540         if (L2TP_SKB_CB(skb)->ns == session->nr) {
541                 skb_queue_tail(&session->reorder_q, skb);
542         } else {
543                 u32 nr_oos = L2TP_SKB_CB(skb)->ns;
544                 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
545 
546                 if (nr_oos == nr_next)
547                         session->nr_oos_count++;
548                 else
549                         session->nr_oos_count = 0;
550 
551                 session->nr_oos = nr_oos;
552                 if (session->nr_oos_count > session->nr_oos_count_max) {
553                         session->reorder_skip = 1;
554                         l2tp_dbg(session, L2TP_MSG_SEQ,
555                                  "%s: %d oos packets received. Resetting sequence numbers\n",
556                                  session->name, session->nr_oos_count);
557                 }
558                 if (!session->reorder_skip) {
559                         atomic_long_inc(&session->stats.rx_seq_discards);
560                         l2tp_dbg(session, L2TP_MSG_SEQ,
561                                  "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
562                                  session->name, L2TP_SKB_CB(skb)->ns,
563                                  L2TP_SKB_CB(skb)->length, session->nr,
564                                  skb_queue_len(&session->reorder_q));
565                         goto discard;
566                 }
567                 skb_queue_tail(&session->reorder_q, skb);
568         }
569 
570 out:
571         return 0;
572 
573 discard:
574         return 1;
575 }
576 
577 /* Do receive processing of L2TP data frames. We handle both L2TPv2
578  * and L2TPv3 data frames here.
579  *
580  * L2TPv2 Data Message Header
581  *
582  *  0                   1                   2                   3
583  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
584  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
585  * |T|L|x|x|S|x|O|P|x|x|x|x|  Ver  |          Length (opt)         |
586  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
587  * |           Tunnel ID           |           Session ID          |
588  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
589  * |             Ns (opt)          |             Nr (opt)          |
590  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
591  * |      Offset Size (opt)        |    Offset pad... (opt)
592  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
593  *
594  * Data frames are marked by T=0. All other fields are the same as
595  * those in L2TP control frames.
596  *
597  * L2TPv3 Data Message Header
598  *
599  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
600  * |                      L2TP Session Header                      |
601  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
602  * |                      L2-Specific Sublayer                     |
603  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
604  * |                        Tunnel Payload                      ...
605  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
606  *
607  * L2TPv3 Session Header Over IP
608  *
609  *  0                   1                   2                   3
610  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
611  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
612  * |                           Session ID                          |
613  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
614  * |               Cookie (optional, maximum 64 bits)...
615  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
616  *                                                                 |
617  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
618  *
619  * L2TPv3 L2-Specific Sublayer Format
620  *
621  *  0                   1                   2                   3
622  *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
623  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
624  * |x|S|x|x|x|x|x|x|              Sequence Number                  |
625  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
626  *
627  * Cookie value, sublayer format and offset (pad) are negotiated with
628  * the peer when the session is set up. Unlike L2TPv2, we do not need
629  * to parse the packet header to determine if optional fields are
630  * present.
631  *
632  * Caller must already have parsed the frame and determined that it is
633  * a data (not control) frame before coming here. Fields up to the
634  * session-id have already been parsed and ptr points to the data
635  * after the session-id.
636  */
637 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
638                       unsigned char *ptr, unsigned char *optr, u16 hdrflags,
639                       int length, int (*payload_hook)(struct sk_buff *skb))
640 {
641         struct l2tp_tunnel *tunnel = session->tunnel;
642         int offset;
643         u32 ns, nr;
644 
645         /* The ref count is increased since we now hold a pointer to
646          * the session. Take care to decrement the refcnt when exiting
647          * this function from now on...
648          */
649         l2tp_session_inc_refcount(session);
650         if (session->ref)
651                 (*session->ref)(session);
652 
653         /* Parse and check optional cookie */
654         if (session->peer_cookie_len > 0) {
655                 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
656                         l2tp_info(tunnel, L2TP_MSG_DATA,
657                                   "%s: cookie mismatch (%u/%u). Discarding.\n",
658                                   tunnel->name, tunnel->tunnel_id,
659                                   session->session_id);
660                         atomic_long_inc(&session->stats.rx_cookie_discards);
661                         goto discard;
662                 }
663                 ptr += session->peer_cookie_len;
664         }
665 
666         /* Handle the optional sequence numbers. Sequence numbers are
667          * in different places for L2TPv2 and L2TPv3.
668          *
669          * If we are the LAC, enable/disable sequence numbers under
670          * the control of the LNS.  If no sequence numbers present but
671          * we were expecting them, discard frame.
672          */
673         ns = nr = 0;
674         L2TP_SKB_CB(skb)->has_seq = 0;
675         if (tunnel->version == L2TP_HDR_VER_2) {
676                 if (hdrflags & L2TP_HDRFLAG_S) {
677                         ns = ntohs(*(__be16 *) ptr);
678                         ptr += 2;
679                         nr = ntohs(*(__be16 *) ptr);
680                         ptr += 2;
681 
682                         /* Store L2TP info in the skb */
683                         L2TP_SKB_CB(skb)->ns = ns;
684                         L2TP_SKB_CB(skb)->has_seq = 1;
685 
686                         l2tp_dbg(session, L2TP_MSG_SEQ,
687                                  "%s: recv data ns=%u, nr=%u, session nr=%u\n",
688                                  session->name, ns, nr, session->nr);
689                 }
690         } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
691                 u32 l2h = ntohl(*(__be32 *) ptr);
692 
693                 if (l2h & 0x40000000) {
694                         ns = l2h & 0x00ffffff;
695 
696                         /* Store L2TP info in the skb */
697                         L2TP_SKB_CB(skb)->ns = ns;
698                         L2TP_SKB_CB(skb)->has_seq = 1;
699 
700                         l2tp_dbg(session, L2TP_MSG_SEQ,
701                                  "%s: recv data ns=%u, session nr=%u\n",
702                                  session->name, ns, session->nr);
703                 }
704         }
705 
706         /* Advance past L2-specific header, if present */
707         ptr += session->l2specific_len;
708 
709         if (L2TP_SKB_CB(skb)->has_seq) {
710                 /* Received a packet with sequence numbers. If we're the LNS,
711                  * check if we sre sending sequence numbers and if not,
712                  * configure it so.
713                  */
714                 if ((!session->lns_mode) && (!session->send_seq)) {
715                         l2tp_info(session, L2TP_MSG_SEQ,
716                                   "%s: requested to enable seq numbers by LNS\n",
717                                   session->name);
718                         session->send_seq = -1;
719                         l2tp_session_set_header_len(session, tunnel->version);
720                 }
721         } else {
722                 /* No sequence numbers.
723                  * If user has configured mandatory sequence numbers, discard.
724                  */
725                 if (session->recv_seq) {
726                         l2tp_warn(session, L2TP_MSG_SEQ,
727                                   "%s: recv data has no seq numbers when required. Discarding.\n",
728                                   session->name);
729                         atomic_long_inc(&session->stats.rx_seq_discards);
730                         goto discard;
731                 }
732 
733                 /* If we're the LAC and we're sending sequence numbers, the
734                  * LNS has requested that we no longer send sequence numbers.
735                  * If we're the LNS and we're sending sequence numbers, the
736                  * LAC is broken. Discard the frame.
737                  */
738                 if ((!session->lns_mode) && (session->send_seq)) {
739                         l2tp_info(session, L2TP_MSG_SEQ,
740                                   "%s: requested to disable seq numbers by LNS\n",
741                                   session->name);
742                         session->send_seq = 0;
743                         l2tp_session_set_header_len(session, tunnel->version);
744                 } else if (session->send_seq) {
745                         l2tp_warn(session, L2TP_MSG_SEQ,
746                                   "%s: recv data has no seq numbers when required. Discarding.\n",
747                                   session->name);
748                         atomic_long_inc(&session->stats.rx_seq_discards);
749                         goto discard;
750                 }
751         }
752 
753         /* Session data offset is handled differently for L2TPv2 and
754          * L2TPv3. For L2TPv2, there is an optional 16-bit value in
755          * the header. For L2TPv3, the offset is negotiated using AVPs
756          * in the session setup control protocol.
757          */
758         if (tunnel->version == L2TP_HDR_VER_2) {
759                 /* If offset bit set, skip it. */
760                 if (hdrflags & L2TP_HDRFLAG_O) {
761                         offset = ntohs(*(__be16 *)ptr);
762                         ptr += 2 + offset;
763                 }
764         } else
765                 ptr += session->offset;
766 
767         offset = ptr - optr;
768         if (!pskb_may_pull(skb, offset))
769                 goto discard;
770 
771         __skb_pull(skb, offset);
772 
773         /* If caller wants to process the payload before we queue the
774          * packet, do so now.
775          */
776         if (payload_hook)
777                 if ((*payload_hook)(skb))
778                         goto discard;
779 
780         /* Prepare skb for adding to the session's reorder_q.  Hold
781          * packets for max reorder_timeout or 1 second if not
782          * reordering.
783          */
784         L2TP_SKB_CB(skb)->length = length;
785         L2TP_SKB_CB(skb)->expires = jiffies +
786                 (session->reorder_timeout ? session->reorder_timeout : HZ);
787 
788         /* Add packet to the session's receive queue. Reordering is done here, if
789          * enabled. Saved L2TP protocol info is stored in skb->sb[].
790          */
791         if (L2TP_SKB_CB(skb)->has_seq) {
792                 if (l2tp_recv_data_seq(session, skb))
793                         goto discard;
794         } else {
795                 /* No sequence numbers. Add the skb to the tail of the
796                  * reorder queue. This ensures that it will be
797                  * delivered after all previous sequenced skbs.
798                  */
799                 skb_queue_tail(&session->reorder_q, skb);
800         }
801 
802         /* Try to dequeue as many skbs from reorder_q as we can. */
803         l2tp_recv_dequeue(session);
804 
805         l2tp_session_dec_refcount(session);
806 
807         return;
808 
809 discard:
810         atomic_long_inc(&session->stats.rx_errors);
811         kfree_skb(skb);
812 
813         if (session->deref)
814                 (*session->deref)(session);
815 
816         l2tp_session_dec_refcount(session);
817 }
818 EXPORT_SYMBOL(l2tp_recv_common);
819 
820 /* Drop skbs from the session's reorder_q
821  */
822 int l2tp_session_queue_purge(struct l2tp_session *session)
823 {
824         struct sk_buff *skb = NULL;
825         BUG_ON(!session);
826         BUG_ON(session->magic != L2TP_SESSION_MAGIC);
827         while ((skb = skb_dequeue(&session->reorder_q))) {
828                 atomic_long_inc(&session->stats.rx_errors);
829                 kfree_skb(skb);
830                 if (session->deref)
831                         (*session->deref)(session);
832         }
833         return 0;
834 }
835 EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
836 
837 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
838  * here. The skb is not on a list when we get here.
839  * Returns 0 if the packet was a data packet and was successfully passed on.
840  * Returns 1 if the packet was not a good data packet and could not be
841  * forwarded.  All such packets are passed up to userspace to deal with.
842  */
843 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
844                               int (*payload_hook)(struct sk_buff *skb))
845 {
846         struct l2tp_session *session = NULL;
847         unsigned char *ptr, *optr;
848         u16 hdrflags;
849         u32 tunnel_id, session_id;
850         u16 version;
851         int length;
852 
853         /* UDP has verifed checksum */
854 
855         /* UDP always verifies the packet length. */
856         __skb_pull(skb, sizeof(struct udphdr));
857 
858         /* Short packet? */
859         if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
860                 l2tp_info(tunnel, L2TP_MSG_DATA,
861                           "%s: recv short packet (len=%d)\n",
862                           tunnel->name, skb->len);
863                 goto error;
864         }
865 
866         /* Trace packet contents, if enabled */
867         if (tunnel->debug & L2TP_MSG_DATA) {
868                 length = min(32u, skb->len);
869                 if (!pskb_may_pull(skb, length))
870                         goto error;
871 
872                 pr_debug("%s: recv\n", tunnel->name);
873                 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
874         }
875 
876         /* Point to L2TP header */
877         optr = ptr = skb->data;
878 
879         /* Get L2TP header flags */
880         hdrflags = ntohs(*(__be16 *) ptr);
881 
882         /* Check protocol version */
883         version = hdrflags & L2TP_HDR_VER_MASK;
884         if (version != tunnel->version) {
885                 l2tp_info(tunnel, L2TP_MSG_DATA,
886                           "%s: recv protocol version mismatch: got %d expected %d\n",
887                           tunnel->name, version, tunnel->version);
888                 goto error;
889         }
890 
891         /* Get length of L2TP packet */
892         length = skb->len;
893 
894         /* If type is control packet, it is handled by userspace. */
895         if (hdrflags & L2TP_HDRFLAG_T) {
896                 l2tp_dbg(tunnel, L2TP_MSG_DATA,
897                          "%s: recv control packet, len=%d\n",
898                          tunnel->name, length);
899                 goto error;
900         }
901 
902         /* Skip flags */
903         ptr += 2;
904 
905         if (tunnel->version == L2TP_HDR_VER_2) {
906                 /* If length is present, skip it */
907                 if (hdrflags & L2TP_HDRFLAG_L)
908                         ptr += 2;
909 
910                 /* Extract tunnel and session ID */
911                 tunnel_id = ntohs(*(__be16 *) ptr);
912                 ptr += 2;
913                 session_id = ntohs(*(__be16 *) ptr);
914                 ptr += 2;
915         } else {
916                 ptr += 2;       /* skip reserved bits */
917                 tunnel_id = tunnel->tunnel_id;
918                 session_id = ntohl(*(__be32 *) ptr);
919                 ptr += 4;
920         }
921 
922         /* Find the session context */
923         session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id);
924         if (!session || !session->recv_skb) {
925                 /* Not found? Pass to userspace to deal with */
926                 l2tp_info(tunnel, L2TP_MSG_DATA,
927                           "%s: no session found (%u/%u). Passing up.\n",
928                           tunnel->name, tunnel_id, session_id);
929                 goto error;
930         }
931 
932         l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
933 
934         return 0;
935 
936 error:
937         /* Put UDP header back */
938         __skb_push(skb, sizeof(struct udphdr));
939 
940         return 1;
941 }
942 
943 /* UDP encapsulation receive handler. See net/ipv4/udp.c.
944  * Return codes:
945  * 0 : success.
946  * <0: error
947  * >0: skb should be passed up to userspace as UDP.
948  */
949 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
950 {
951         struct l2tp_tunnel *tunnel;
952 
953         tunnel = l2tp_sock_to_tunnel(sk);
954         if (tunnel == NULL)
955                 goto pass_up;
956 
957         l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
958                  tunnel->name, skb->len);
959 
960         if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
961                 goto pass_up_put;
962 
963         sock_put(sk);
964         return 0;
965 
966 pass_up_put:
967         sock_put(sk);
968 pass_up:
969         return 1;
970 }
971 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
972 
973 /************************************************************************
974  * Transmit handling
975  ***********************************************************************/
976 
977 /* Build an L2TP header for the session into the buffer provided.
978  */
979 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
980 {
981         struct l2tp_tunnel *tunnel = session->tunnel;
982         __be16 *bufp = buf;
983         __be16 *optr = buf;
984         u16 flags = L2TP_HDR_VER_2;
985         u32 tunnel_id = tunnel->peer_tunnel_id;
986         u32 session_id = session->peer_session_id;
987 
988         if (session->send_seq)
989                 flags |= L2TP_HDRFLAG_S;
990 
991         /* Setup L2TP header. */
992         *bufp++ = htons(flags);
993         *bufp++ = htons(tunnel_id);
994         *bufp++ = htons(session_id);
995         if (session->send_seq) {
996                 *bufp++ = htons(session->ns);
997                 *bufp++ = 0;
998                 session->ns++;
999                 session->ns &= 0xffff;
1000                 l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
1001                          session->name, session->ns);
1002         }
1003 
1004         return bufp - optr;
1005 }
1006 
1007 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1008 {
1009         struct l2tp_tunnel *tunnel = session->tunnel;
1010         char *bufp = buf;
1011         char *optr = bufp;
1012 
1013         /* Setup L2TP header. The header differs slightly for UDP and
1014          * IP encapsulations. For UDP, there is 4 bytes of flags.
1015          */
1016         if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1017                 u16 flags = L2TP_HDR_VER_3;
1018                 *((__be16 *) bufp) = htons(flags);
1019                 bufp += 2;
1020                 *((__be16 *) bufp) = 0;
1021                 bufp += 2;
1022         }
1023 
1024         *((__be32 *) bufp) = htonl(session->peer_session_id);
1025         bufp += 4;
1026         if (session->cookie_len) {
1027                 memcpy(bufp, &session->cookie[0], session->cookie_len);
1028                 bufp += session->cookie_len;
1029         }
1030         if (session->l2specific_len) {
1031                 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1032                         u32 l2h = 0;
1033                         if (session->send_seq) {
1034                                 l2h = 0x40000000 | session->ns;
1035                                 session->ns++;
1036                                 session->ns &= 0xffffff;
1037                                 l2tp_dbg(session, L2TP_MSG_SEQ,
1038                                          "%s: updated ns to %u\n",
1039                                          session->name, session->ns);
1040                         }
1041 
1042                         *((__be32 *) bufp) = htonl(l2h);
1043                 }
1044                 bufp += session->l2specific_len;
1045         }
1046         if (session->offset)
1047                 bufp += session->offset;
1048 
1049         return bufp - optr;
1050 }
1051 
1052 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1053                           struct flowi *fl, size_t data_len)
1054 {
1055         struct l2tp_tunnel *tunnel = session->tunnel;
1056         unsigned int len = skb->len;
1057         int error;
1058 
1059         /* Debug */
1060         if (session->send_seq)
1061                 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes, ns=%u\n",
1062                          session->name, data_len, session->ns - 1);
1063         else
1064                 l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes\n",
1065                          session->name, data_len);
1066 
1067         if (session->debug & L2TP_MSG_DATA) {
1068                 int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1069                 unsigned char *datap = skb->data + uhlen;
1070 
1071                 pr_debug("%s: xmit\n", session->name);
1072                 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1073                                      datap, min_t(size_t, 32, len - uhlen));
1074         }
1075 
1076         /* Queue the packet to IP for output */
1077         skb->ignore_df = 1;
1078 #if IS_ENABLED(CONFIG_IPV6)
1079         if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
1080                 error = inet6_csk_xmit(tunnel->sock, skb, NULL);
1081         else
1082 #endif
1083                 error = ip_queue_xmit(tunnel->sock, skb, fl);
1084 
1085         /* Update stats */
1086         if (error >= 0) {
1087                 atomic_long_inc(&tunnel->stats.tx_packets);
1088                 atomic_long_add(len, &tunnel->stats.tx_bytes);
1089                 atomic_long_inc(&session->stats.tx_packets);
1090                 atomic_long_add(len, &session->stats.tx_bytes);
1091         } else {
1092                 atomic_long_inc(&tunnel->stats.tx_errors);
1093                 atomic_long_inc(&session->stats.tx_errors);
1094         }
1095 
1096         return 0;
1097 }
1098 
1099 /* If caller requires the skb to have a ppp header, the header must be
1100  * inserted in the skb data before calling this function.
1101  */
1102 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1103 {
1104         int data_len = skb->len;
1105         struct l2tp_tunnel *tunnel = session->tunnel;
1106         struct sock *sk = tunnel->sock;
1107         struct flowi *fl;
1108         struct udphdr *uh;
1109         struct inet_sock *inet;
1110         int headroom;
1111         int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1112         int udp_len;
1113         int ret = NET_XMIT_SUCCESS;
1114 
1115         /* Check that there's enough headroom in the skb to insert IP,
1116          * UDP and L2TP headers. If not enough, expand it to
1117          * make room. Adjust truesize.
1118          */
1119         headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1120                 uhlen + hdr_len;
1121         if (skb_cow_head(skb, headroom)) {
1122                 kfree_skb(skb);
1123                 return NET_XMIT_DROP;
1124         }
1125 
1126         /* Setup L2TP header */
1127         session->build_header(session, __skb_push(skb, hdr_len));
1128 
1129         /* Reset skb netfilter state */
1130         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1131         IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
1132                               IPSKB_REROUTED);
1133         nf_reset(skb);
1134 
1135         bh_lock_sock(sk);
1136         if (sock_owned_by_user(sk)) {
1137                 kfree_skb(skb);
1138                 ret = NET_XMIT_DROP;
1139                 goto out_unlock;
1140         }
1141 
1142         /* Get routing info from the tunnel socket */
1143         skb_dst_drop(skb);
1144         skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
1145 
1146         inet = inet_sk(sk);
1147         fl = &inet->cork.fl;
1148         switch (tunnel->encap) {
1149         case L2TP_ENCAPTYPE_UDP:
1150                 /* Setup UDP header */
1151                 __skb_push(skb, sizeof(*uh));
1152                 skb_reset_transport_header(skb);
1153                 uh = udp_hdr(skb);
1154                 uh->source = inet->inet_sport;
1155                 uh->dest = inet->inet_dport;
1156                 udp_len = uhlen + hdr_len + data_len;
1157                 uh->len = htons(udp_len);
1158 
1159                 /* Calculate UDP checksum if configured to do so */
1160 #if IS_ENABLED(CONFIG_IPV6)
1161                 if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
1162                         udp6_set_csum(udp_get_no_check6_tx(sk),
1163                                       skb, &inet6_sk(sk)->saddr,
1164                                       &sk->sk_v6_daddr, udp_len);
1165                 else
1166 #endif
1167                 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1168                              inet->inet_daddr, udp_len);
1169                 break;
1170 
1171         case L2TP_ENCAPTYPE_IP:
1172                 break;
1173         }
1174 
1175         l2tp_xmit_core(session, skb, fl, data_len);
1176 out_unlock:
1177         bh_unlock_sock(sk);
1178 
1179         return ret;
1180 }
1181 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1182 
1183 /*****************************************************************************
1184  * Tinnel and session create/destroy.
1185  *****************************************************************************/
1186 
1187 /* Tunnel socket destruct hook.
1188  * The tunnel context is deleted only when all session sockets have been
1189  * closed.
1190  */
1191 static void l2tp_tunnel_destruct(struct sock *sk)
1192 {
1193         struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
1194         struct l2tp_net *pn;
1195 
1196         if (tunnel == NULL)
1197                 goto end;
1198 
1199         l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1200 
1201 
1202         /* Disable udp encapsulation */
1203         switch (tunnel->encap) {
1204         case L2TP_ENCAPTYPE_UDP:
1205                 /* No longer an encapsulation socket. See net/ipv4/udp.c */
1206                 (udp_sk(sk))->encap_type = 0;
1207                 (udp_sk(sk))->encap_rcv = NULL;
1208                 (udp_sk(sk))->encap_destroy = NULL;
1209                 break;
1210         case L2TP_ENCAPTYPE_IP:
1211                 break;
1212         }
1213 
1214         /* Remove hooks into tunnel socket */
1215         sk->sk_destruct = tunnel->old_sk_destruct;
1216         sk->sk_user_data = NULL;
1217         tunnel->sock = NULL;
1218 
1219         /* Remove the tunnel struct from the tunnel list */
1220         pn = l2tp_pernet(tunnel->l2tp_net);
1221         spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1222         list_del_rcu(&tunnel->list);
1223         spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1224         atomic_dec(&l2tp_tunnel_count);
1225 
1226         l2tp_tunnel_closeall(tunnel);
1227         l2tp_tunnel_dec_refcount(tunnel);
1228 
1229         /* Call the original destructor */
1230         if (sk->sk_destruct)
1231                 (*sk->sk_destruct)(sk);
1232 end:
1233         return;
1234 }
1235 
1236 /* When the tunnel is closed, all the attached sessions need to go too.
1237  */
1238 void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1239 {
1240         int hash;
1241         struct hlist_node *walk;
1242         struct hlist_node *tmp;
1243         struct l2tp_session *session;
1244 
1245         BUG_ON(tunnel == NULL);
1246 
1247         l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1248                   tunnel->name);
1249 
1250         write_lock_bh(&tunnel->hlist_lock);
1251         for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1252 again:
1253                 hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1254                         session = hlist_entry(walk, struct l2tp_session, hlist);
1255 
1256                         l2tp_info(session, L2TP_MSG_CONTROL,
1257                                   "%s: closing session\n", session->name);
1258 
1259                         hlist_del_init(&session->hlist);
1260 
1261                         if (session->ref != NULL)
1262                                 (*session->ref)(session);
1263 
1264                         write_unlock_bh(&tunnel->hlist_lock);
1265 
1266                         __l2tp_session_unhash(session);
1267                         l2tp_session_queue_purge(session);
1268 
1269                         if (session->session_close != NULL)
1270                                 (*session->session_close)(session);
1271 
1272                         if (session->deref != NULL)
1273                                 (*session->deref)(session);
1274 
1275                         l2tp_session_dec_refcount(session);
1276 
1277                         write_lock_bh(&tunnel->hlist_lock);
1278 
1279                         /* Now restart from the beginning of this hash
1280                          * chain.  We always remove a session from the
1281                          * list so we are guaranteed to make forward
1282                          * progress.
1283                          */
1284                         goto again;
1285                 }
1286         }
1287         write_unlock_bh(&tunnel->hlist_lock);
1288 }
1289 EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
1290 
1291 /* Tunnel socket destroy hook for UDP encapsulation */
1292 static void l2tp_udp_encap_destroy(struct sock *sk)
1293 {
1294         struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
1295         if (tunnel) {
1296                 l2tp_tunnel_closeall(tunnel);
1297                 sock_put(sk);
1298         }
1299 }
1300 
1301 /* Really kill the tunnel.
1302  * Come here only when all sessions have been cleared from the tunnel.
1303  */
1304 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
1305 {
1306         BUG_ON(atomic_read(&tunnel->ref_count) != 0);
1307         BUG_ON(tunnel->sock != NULL);
1308         l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: free...\n", tunnel->name);
1309         kfree_rcu(tunnel, rcu);
1310 }
1311 
1312 /* Workqueue tunnel deletion function */
1313 static void l2tp_tunnel_del_work(struct work_struct *work)
1314 {
1315         struct l2tp_tunnel *tunnel = NULL;
1316         struct socket *sock = NULL;
1317         struct sock *sk = NULL;
1318 
1319         tunnel = container_of(work, struct l2tp_tunnel, del_work);
1320         sk = l2tp_tunnel_sock_lookup(tunnel);
1321         if (!sk)
1322                 goto out;
1323 
1324         sock = sk->sk_socket;
1325 
1326         /* If the tunnel socket was created by userspace, then go through the
1327          * inet layer to shut the socket down, and let userspace close it.
1328          * Otherwise, if we created the socket directly within the kernel, use
1329          * the sk API to release it here.
1330          * In either case the tunnel resources are freed in the socket
1331          * destructor when the tunnel socket goes away.
1332          */
1333         if (tunnel->fd >= 0) {
1334                 if (sock)
1335                         inet_shutdown(sock, 2);
1336         } else {
1337                 if (sock) {
1338                         kernel_sock_shutdown(sock, SHUT_RDWR);
1339                         sock_release(sock);
1340                 }
1341         }
1342 
1343         l2tp_tunnel_sock_put(sk);
1344 out:
1345         l2tp_tunnel_dec_refcount(tunnel);
1346 }
1347 
1348 /* Create a socket for the tunnel, if one isn't set up by
1349  * userspace. This is used for static tunnels where there is no
1350  * managing L2TP daemon.
1351  *
1352  * Since we don't want these sockets to keep a namespace alive by
1353  * themselves, we drop the socket's namespace refcount after creation.
1354  * These sockets are freed when the namespace exits using the pernet
1355  * exit hook.
1356  */
1357 static int l2tp_tunnel_sock_create(struct net *net,
1358                                 u32 tunnel_id,
1359                                 u32 peer_tunnel_id,
1360                                 struct l2tp_tunnel_cfg *cfg,
1361                                 struct socket **sockp)
1362 {
1363         int err = -EINVAL;
1364         struct socket *sock = NULL;
1365         struct udp_port_cfg udp_conf;
1366 
1367         switch (cfg->encap) {
1368         case L2TP_ENCAPTYPE_UDP:
1369                 memset(&udp_conf, 0, sizeof(udp_conf));
1370 
1371 #if IS_ENABLED(CONFIG_IPV6)
1372                 if (cfg->local_ip6 && cfg->peer_ip6) {
1373                         udp_conf.family = AF_INET6;
1374                         memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1375                                sizeof(udp_conf.local_ip6));
1376                         memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1377                                sizeof(udp_conf.peer_ip6));
1378                         udp_conf.use_udp6_tx_checksums =
1379                           ! cfg->udp6_zero_tx_checksums;
1380                         udp_conf.use_udp6_rx_checksums =
1381                           ! cfg->udp6_zero_rx_checksums;
1382                 } else
1383 #endif
1384                 {
1385                         udp_conf.family = AF_INET;
1386                         udp_conf.local_ip = cfg->local_ip;
1387                         udp_conf.peer_ip = cfg->peer_ip;
1388                         udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1389                 }
1390 
1391                 udp_conf.local_udp_port = htons(cfg->local_udp_port);
1392                 udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1393 
1394                 err = udp_sock_create(net, &udp_conf, &sock);
1395                 if (err < 0)
1396                         goto out;
1397 
1398                 break;
1399 
1400         case L2TP_ENCAPTYPE_IP:
1401 #if IS_ENABLED(CONFIG_IPV6)
1402                 if (cfg->local_ip6 && cfg->peer_ip6) {
1403                         struct sockaddr_l2tpip6 ip6_addr = {0};
1404 
1405                         err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1406                                           IPPROTO_L2TP, &sock);
1407                         if (err < 0)
1408                                 goto out;
1409 
1410                         ip6_addr.l2tp_family = AF_INET6;
1411                         memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1412                                sizeof(ip6_addr.l2tp_addr));
1413                         ip6_addr.l2tp_conn_id = tunnel_id;
1414                         err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1415                                           sizeof(ip6_addr));
1416                         if (err < 0)
1417                                 goto out;
1418 
1419                         ip6_addr.l2tp_family = AF_INET6;
1420                         memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1421                                sizeof(ip6_addr.l2tp_addr));
1422                         ip6_addr.l2tp_conn_id = peer_tunnel_id;
1423                         err = kernel_connect(sock,
1424                                              (struct sockaddr *) &ip6_addr,
1425                                              sizeof(ip6_addr), 0);
1426                         if (err < 0)
1427                                 goto out;
1428                 } else
1429 #endif
1430                 {
1431                         struct sockaddr_l2tpip ip_addr = {0};
1432 
1433                         err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1434                                           IPPROTO_L2TP, &sock);
1435                         if (err < 0)
1436                                 goto out;
1437 
1438                         ip_addr.l2tp_family = AF_INET;
1439                         ip_addr.l2tp_addr = cfg->local_ip;
1440                         ip_addr.l2tp_conn_id = tunnel_id;
1441                         err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1442                                           sizeof(ip_addr));
1443                         if (err < 0)
1444                                 goto out;
1445 
1446                         ip_addr.l2tp_family = AF_INET;
1447                         ip_addr.l2tp_addr = cfg->peer_ip;
1448                         ip_addr.l2tp_conn_id = peer_tunnel_id;
1449                         err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1450                                              sizeof(ip_addr), 0);
1451                         if (err < 0)
1452                                 goto out;
1453                 }
1454                 break;
1455 
1456         default:
1457                 goto out;
1458         }
1459 
1460 out:
1461         *sockp = sock;
1462         if ((err < 0) && sock) {
1463                 kernel_sock_shutdown(sock, SHUT_RDWR);
1464                 sock_release(sock);
1465                 *sockp = NULL;
1466         }
1467 
1468         return err;
1469 }
1470 
1471 static struct lock_class_key l2tp_socket_class;
1472 
1473 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1474 {
1475         struct l2tp_tunnel *tunnel = NULL;
1476         int err;
1477         struct socket *sock = NULL;
1478         struct sock *sk = NULL;
1479         struct l2tp_net *pn;
1480         enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1481 
1482         /* Get the tunnel socket from the fd, which was opened by
1483          * the userspace L2TP daemon. If not specified, create a
1484          * kernel socket.
1485          */
1486         if (fd < 0) {
1487                 err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id,
1488                                 cfg, &sock);
1489                 if (err < 0)
1490                         goto err;
1491         } else {
1492                 sock = sockfd_lookup(fd, &err);
1493                 if (!sock) {
1494                         pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n",
1495                                tunnel_id, fd, err);
1496                         err = -EBADF;
1497                         goto err;
1498                 }
1499 
1500                 /* Reject namespace mismatches */
1501                 if (!net_eq(sock_net(sock->sk), net)) {
1502                         pr_err("tunl %u: netns mismatch\n", tunnel_id);
1503                         err = -EINVAL;
1504                         goto err;
1505                 }
1506         }
1507 
1508         sk = sock->sk;
1509 
1510         if (cfg != NULL)
1511                 encap = cfg->encap;
1512 
1513         /* Quick sanity checks */
1514         switch (encap) {
1515         case L2TP_ENCAPTYPE_UDP:
1516                 err = -EPROTONOSUPPORT;
1517                 if (sk->sk_protocol != IPPROTO_UDP) {
1518                         pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1519                                tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1520                         goto err;
1521                 }
1522                 break;
1523         case L2TP_ENCAPTYPE_IP:
1524                 err = -EPROTONOSUPPORT;
1525                 if (sk->sk_protocol != IPPROTO_L2TP) {
1526                         pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1527                                tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1528                         goto err;
1529                 }
1530                 break;
1531         }
1532 
1533         /* Check if this socket has already been prepped */
1534         tunnel = l2tp_tunnel(sk);
1535         if (tunnel != NULL) {
1536                 /* This socket has already been prepped */
1537                 err = -EBUSY;
1538                 goto err;
1539         }
1540 
1541         tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1542         if (tunnel == NULL) {
1543                 err = -ENOMEM;
1544                 goto err;
1545         }
1546 
1547         tunnel->version = version;
1548         tunnel->tunnel_id = tunnel_id;
1549         tunnel->peer_tunnel_id = peer_tunnel_id;
1550         tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1551 
1552         tunnel->magic = L2TP_TUNNEL_MAGIC;
1553         sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1554         rwlock_init(&tunnel->hlist_lock);
1555 
1556         /* The net we belong to */
1557         tunnel->l2tp_net = net;
1558         pn = l2tp_pernet(net);
1559 
1560         if (cfg != NULL)
1561                 tunnel->debug = cfg->debug;
1562 
1563 #if IS_ENABLED(CONFIG_IPV6)
1564         if (sk->sk_family == PF_INET6) {
1565                 struct ipv6_pinfo *np = inet6_sk(sk);
1566 
1567                 if (ipv6_addr_v4mapped(&np->saddr) &&
1568                     ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
1569                         struct inet_sock *inet = inet_sk(sk);
1570 
1571                         tunnel->v4mapped = true;
1572                         inet->inet_saddr = np->saddr.s6_addr32[3];
1573                         inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
1574                         inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
1575                 } else {
1576                         tunnel->v4mapped = false;
1577                 }
1578         }
1579 #endif
1580 
1581         /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1582         tunnel->encap = encap;
1583         if (encap == L2TP_ENCAPTYPE_UDP) {
1584                 struct udp_tunnel_sock_cfg udp_cfg = { };
1585 
1586                 udp_cfg.sk_user_data = tunnel;
1587                 udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
1588                 udp_cfg.encap_rcv = l2tp_udp_encap_recv;
1589                 udp_cfg.encap_destroy = l2tp_udp_encap_destroy;
1590 
1591                 setup_udp_tunnel_sock(net, sock, &udp_cfg);
1592         } else {
1593                 sk->sk_user_data = tunnel;
1594         }
1595 
1596         /* Hook on the tunnel socket destructor so that we can cleanup
1597          * if the tunnel socket goes away.
1598          */
1599         tunnel->old_sk_destruct = sk->sk_destruct;
1600         sk->sk_destruct = &l2tp_tunnel_destruct;
1601         tunnel->sock = sk;
1602         tunnel->fd = fd;
1603         lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1604 
1605         sk->sk_allocation = GFP_ATOMIC;
1606 
1607         /* Init delete workqueue struct */
1608         INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1609 
1610         /* Add tunnel to our list */
1611         INIT_LIST_HEAD(&tunnel->list);
1612         atomic_inc(&l2tp_tunnel_count);
1613 
1614         /* Bump the reference count. The tunnel context is deleted
1615          * only when this drops to zero. Must be done before list insertion
1616          */
1617         l2tp_tunnel_inc_refcount(tunnel);
1618         spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1619         list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1620         spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1621 
1622         err = 0;
1623 err:
1624         if (tunnelp)
1625                 *tunnelp = tunnel;
1626 
1627         /* If tunnel's socket was created by the kernel, it doesn't
1628          *  have a file.
1629          */
1630         if (sock && sock->file)
1631                 sockfd_put(sock);
1632 
1633         return err;
1634 }
1635 EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1636 
1637 /* This function is used by the netlink TUNNEL_DELETE command.
1638  */
1639 int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1640 {
1641         l2tp_tunnel_inc_refcount(tunnel);
1642         l2tp_tunnel_closeall(tunnel);
1643         if (false == queue_work(l2tp_wq, &tunnel->del_work)) {
1644                 l2tp_tunnel_dec_refcount(tunnel);
1645                 return 1;
1646         }
1647         return 0;
1648 }
1649 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1650 
1651 /* Really kill the session.
1652  */
1653 void l2tp_session_free(struct l2tp_session *session)
1654 {
1655         struct l2tp_tunnel *tunnel = session->tunnel;
1656 
1657         BUG_ON(atomic_read(&session->ref_count) != 0);
1658 
1659         if (tunnel) {
1660                 BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1661                 if (session->session_id != 0)
1662                         atomic_dec(&l2tp_session_count);
1663                 sock_put(tunnel->sock);
1664                 session->tunnel = NULL;
1665                 l2tp_tunnel_dec_refcount(tunnel);
1666         }
1667 
1668         kfree(session);
1669 }
1670 EXPORT_SYMBOL_GPL(l2tp_session_free);
1671 
1672 /* Remove an l2tp session from l2tp_core's hash lists.
1673  * Provides a tidyup interface for pseudowire code which can't just route all
1674  * shutdown via. l2tp_session_delete and a pseudowire-specific session_close
1675  * callback.
1676  */
1677 void __l2tp_session_unhash(struct l2tp_session *session)
1678 {
1679         struct l2tp_tunnel *tunnel = session->tunnel;
1680 
1681         /* Remove the session from core hashes */
1682         if (tunnel) {
1683                 /* Remove from the per-tunnel hash */
1684                 write_lock_bh(&tunnel->hlist_lock);
1685                 hlist_del_init(&session->hlist);
1686                 write_unlock_bh(&tunnel->hlist_lock);
1687 
1688                 /* For L2TPv3 we have a per-net hash: remove from there, too */
1689                 if (tunnel->version != L2TP_HDR_VER_2) {
1690                         struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1691                         spin_lock_bh(&pn->l2tp_session_hlist_lock);
1692                         hlist_del_init_rcu(&session->global_hlist);
1693                         spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1694                         synchronize_rcu();
1695                 }
1696         }
1697 }
1698 EXPORT_SYMBOL_GPL(__l2tp_session_unhash);
1699 
1700 /* This function is used by the netlink SESSION_DELETE command and by
1701    pseudowire modules.
1702  */
1703 int l2tp_session_delete(struct l2tp_session *session)
1704 {
1705         if (session->ref)
1706                 (*session->ref)(session);
1707         __l2tp_session_unhash(session);
1708         l2tp_session_queue_purge(session);
1709         if (session->session_close != NULL)
1710                 (*session->session_close)(session);
1711         if (session->deref)
1712                 (*session->deref)(session);
1713         l2tp_session_dec_refcount(session);
1714         return 0;
1715 }
1716 EXPORT_SYMBOL_GPL(l2tp_session_delete);
1717 
1718 /* We come here whenever a session's send_seq, cookie_len or
1719  * l2specific_len parameters are set.
1720  */
1721 void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1722 {
1723         if (version == L2TP_HDR_VER_2) {
1724                 session->hdr_len = 6;
1725                 if (session->send_seq)
1726                         session->hdr_len += 4;
1727         } else {
1728                 session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
1729                 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1730                         session->hdr_len += 4;
1731         }
1732 
1733 }
1734 EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1735 
1736 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1737 {
1738         struct l2tp_session *session;
1739 
1740         session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1741         if (session != NULL) {
1742                 session->magic = L2TP_SESSION_MAGIC;
1743                 session->tunnel = tunnel;
1744 
1745                 session->session_id = session_id;
1746                 session->peer_session_id = peer_session_id;
1747                 session->nr = 0;
1748                 if (tunnel->version == L2TP_HDR_VER_2)
1749                         session->nr_max = 0xffff;
1750                 else
1751                         session->nr_max = 0xffffff;
1752                 session->nr_window_size = session->nr_max / 2;
1753                 session->nr_oos_count_max = 4;
1754 
1755                 /* Use NR of first received packet */
1756                 session->reorder_skip = 1;
1757 
1758                 sprintf(&session->name[0], "sess %u/%u",
1759                         tunnel->tunnel_id, session->session_id);
1760 
1761                 skb_queue_head_init(&session->reorder_q);
1762 
1763                 INIT_HLIST_NODE(&session->hlist);
1764                 INIT_HLIST_NODE(&session->global_hlist);
1765 
1766                 /* Inherit debug options from tunnel */
1767                 session->debug = tunnel->debug;
1768 
1769                 if (cfg) {
1770                         session->pwtype = cfg->pw_type;
1771                         session->debug = cfg->debug;
1772                         session->mtu = cfg->mtu;
1773                         session->mru = cfg->mru;
1774                         session->send_seq = cfg->send_seq;
1775                         session->recv_seq = cfg->recv_seq;
1776                         session->lns_mode = cfg->lns_mode;
1777                         session->reorder_timeout = cfg->reorder_timeout;
1778                         session->offset = cfg->offset;
1779                         session->l2specific_type = cfg->l2specific_type;
1780                         session->l2specific_len = cfg->l2specific_len;
1781                         session->cookie_len = cfg->cookie_len;
1782                         memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1783                         session->peer_cookie_len = cfg->peer_cookie_len;
1784                         memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1785                 }
1786 
1787                 if (tunnel->version == L2TP_HDR_VER_2)
1788                         session->build_header = l2tp_build_l2tpv2_header;
1789                 else
1790                         session->build_header = l2tp_build_l2tpv3_header;
1791 
1792                 l2tp_session_set_header_len(session, tunnel->version);
1793 
1794                 /* Bump the reference count. The session context is deleted
1795                  * only when this drops to zero.
1796                  */
1797                 l2tp_session_inc_refcount(session);
1798                 l2tp_tunnel_inc_refcount(tunnel);
1799 
1800                 /* Ensure tunnel socket isn't deleted */
1801                 sock_hold(tunnel->sock);
1802 
1803                 /* Add session to the tunnel's hash list */
1804                 write_lock_bh(&tunnel->hlist_lock);
1805                 hlist_add_head(&session->hlist,
1806                                l2tp_session_id_hash(tunnel, session_id));
1807                 write_unlock_bh(&tunnel->hlist_lock);
1808 
1809                 /* And to the global session list if L2TPv3 */
1810                 if (tunnel->version != L2TP_HDR_VER_2) {
1811                         struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1812 
1813                         spin_lock_bh(&pn->l2tp_session_hlist_lock);
1814                         hlist_add_head_rcu(&session->global_hlist,
1815                                            l2tp_session_id_hash_2(pn, session_id));
1816                         spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1817                 }
1818 
1819                 /* Ignore management session in session count value */
1820                 if (session->session_id != 0)
1821                         atomic_inc(&l2tp_session_count);
1822         }
1823 
1824         return session;
1825 }
1826 EXPORT_SYMBOL_GPL(l2tp_session_create);
1827 
1828 /*****************************************************************************
1829  * Init and cleanup
1830  *****************************************************************************/
1831 
1832 static __net_init int l2tp_init_net(struct net *net)
1833 {
1834         struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1835         int hash;
1836 
1837         INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1838         spin_lock_init(&pn->l2tp_tunnel_list_lock);
1839 
1840         for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1841                 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1842 
1843         spin_lock_init(&pn->l2tp_session_hlist_lock);
1844 
1845         return 0;
1846 }
1847 
1848 static __net_exit void l2tp_exit_net(struct net *net)
1849 {
1850         struct l2tp_net *pn = l2tp_pernet(net);
1851         struct l2tp_tunnel *tunnel = NULL;
1852 
1853         rcu_read_lock_bh();
1854         list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
1855                 (void)l2tp_tunnel_delete(tunnel);
1856         }
1857         rcu_read_unlock_bh();
1858 
1859         flush_workqueue(l2tp_wq);
1860         rcu_barrier();
1861 }
1862 
1863 static struct pernet_operations l2tp_net_ops = {
1864         .init = l2tp_init_net,
1865         .exit = l2tp_exit_net,
1866         .id   = &l2tp_net_id,
1867         .size = sizeof(struct l2tp_net),
1868 };
1869 
1870 static int __init l2tp_init(void)
1871 {
1872         int rc = 0;
1873 
1874         rc = register_pernet_device(&l2tp_net_ops);
1875         if (rc)
1876                 goto out;
1877 
1878         l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1879         if (!l2tp_wq) {
1880                 pr_err("alloc_workqueue failed\n");
1881                 unregister_pernet_device(&l2tp_net_ops);
1882                 rc = -ENOMEM;
1883                 goto out;
1884         }
1885 
1886         pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1887 
1888 out:
1889         return rc;
1890 }
1891 
1892 static void __exit l2tp_exit(void)
1893 {
1894         unregister_pernet_device(&l2tp_net_ops);
1895         if (l2tp_wq) {
1896                 destroy_workqueue(l2tp_wq);
1897                 l2tp_wq = NULL;
1898         }
1899 }
1900 
1901 module_init(l2tp_init);
1902 module_exit(l2tp_exit);
1903 
1904 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1905 MODULE_DESCRIPTION("L2TP core");
1906 MODULE_LICENSE("GPL");
1907 MODULE_VERSION(L2TP_DRV_VERSION);
1908 
1909 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp