Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
l2tp_core.c
Go to the documentation of this file.
1 /*
2  * L2TP core.
3  *
4  * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
5  *
6  * This file contains some code of the original L2TPv2 pppol2tp
7  * driver, which has the following copyright:
8  *
9  * Authors: Martijn van Oosterhout <[email protected]>
10  * James Chapman ([email protected])
11  * Contributors:
12  * Michal Ostrowski <[email protected]>
13  * Arnaldo Carvalho de Melo <[email protected]>
14  * David S. Miller ([email protected])
15  *
16  * This program is free software; you can redistribute it and/or modify
17  * it under the terms of the GNU General Public License version 2 as
18  * published by the Free Software Foundation.
19  */
20 
21 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
22 
23 #include <linux/module.h>
24 #include <linux/string.h>
25 #include <linux/list.h>
26 #include <linux/rculist.h>
27 #include <linux/uaccess.h>
28 
29 #include <linux/kernel.h>
30 #include <linux/spinlock.h>
31 #include <linux/kthread.h>
32 #include <linux/sched.h>
33 #include <linux/slab.h>
34 #include <linux/errno.h>
35 #include <linux/jiffies.h>
36 
37 #include <linux/netdevice.h>
38 #include <linux/net.h>
39 #include <linux/inetdevice.h>
40 #include <linux/skbuff.h>
41 #include <linux/init.h>
42 #include <linux/in.h>
43 #include <linux/ip.h>
44 #include <linux/udp.h>
45 #include <linux/l2tp.h>
46 #include <linux/hash.h>
47 #include <linux/sort.h>
48 #include <linux/file.h>
49 #include <linux/nsproxy.h>
50 #include <net/net_namespace.h>
51 #include <net/netns/generic.h>
52 #include <net/dst.h>
53 #include <net/ip.h>
54 #include <net/udp.h>
55 #include <net/inet_common.h>
56 #include <net/xfrm.h>
57 #include <net/protocol.h>
59 #include <net/inet_ecn.h>
60 #include <net/ip6_route.h>
61 #include <net/ip6_checksum.h>
62 
63 #include <asm/byteorder.h>
64 #include <linux/atomic.h>
65 
66 #include "l2tp_core.h"
67 
68 #define L2TP_DRV_VERSION "V2.0"
69 
70 /* L2TP header constants */
71 #define L2TP_HDRFLAG_T 0x8000
72 #define L2TP_HDRFLAG_L 0x4000
73 #define L2TP_HDRFLAG_S 0x0800
74 #define L2TP_HDRFLAG_O 0x0200
75 #define L2TP_HDRFLAG_P 0x0100
76 
77 #define L2TP_HDR_VER_MASK 0x000F
78 #define L2TP_HDR_VER_2 0x0002
79 #define L2TP_HDR_VER_3 0x0003
80 
81 /* L2TPv3 default L2-specific sublayer */
82 #define L2TP_SLFLAG_S 0x40000000
83 #define L2TP_SL_SEQ_MASK 0x00ffffff
84 
85 #define L2TP_HDR_SIZE_SEQ 10
86 #define L2TP_HDR_SIZE_NOSEQ 6
87 
88 /* Default trace flags */
89 #define L2TP_DEFAULT_DEBUG_FLAGS 0
90 
91 /* Private data stored for received packets in the skb.
92  */
93 struct l2tp_skb_cb {
97  unsigned long expires;
98 };
99 
100 #define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
101 
102 static atomic_t l2tp_tunnel_count;
103 static atomic_t l2tp_session_count;
104 
105 /* per-net private data for this module */
106 static unsigned int l2tp_net_id;
107 struct l2tp_net {
112 };
113 
114 static void l2tp_session_set_header_len(struct l2tp_session *session, int version);
115 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
116 static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel);
117 
118 static inline struct l2tp_net *l2tp_pernet(struct net *net)
119 {
120  BUG_ON(!net);
121 
122  return net_generic(net, l2tp_net_id);
123 }
124 
125 
126 /* Tunnel reference counts. Incremented per session that is added to
127  * the tunnel.
128  */
129 static inline void l2tp_tunnel_inc_refcount_1(struct l2tp_tunnel *tunnel)
130 {
131  atomic_inc(&tunnel->ref_count);
132 }
133 
134 static inline void l2tp_tunnel_dec_refcount_1(struct l2tp_tunnel *tunnel)
135 {
136  if (atomic_dec_and_test(&tunnel->ref_count))
137  l2tp_tunnel_free(tunnel);
138 }
139 #ifdef L2TP_REFCNT_DEBUG
140 #define l2tp_tunnel_inc_refcount(_t) \
141 do { \
142  pr_debug("l2tp_tunnel_inc_refcount: %s:%d %s: cnt=%d\n", \
143  __func__, __LINE__, (_t)->name, \
144  atomic_read(&_t->ref_count)); \
145  l2tp_tunnel_inc_refcount_1(_t); \
146 } while (0)
147 #define l2tp_tunnel_dec_refcount(_t)
148 do { \
149  pr_debug("l2tp_tunnel_dec_refcount: %s:%d %s: cnt=%d\n", \
150  __func__, __LINE__, (_t)->name, \
151  atomic_read(&_t->ref_count)); \
152  l2tp_tunnel_dec_refcount_1(_t); \
153 } while (0)
154 #else
155 #define l2tp_tunnel_inc_refcount(t) l2tp_tunnel_inc_refcount_1(t)
156 #define l2tp_tunnel_dec_refcount(t) l2tp_tunnel_dec_refcount_1(t)
157 #endif
158 
159 /* Session hash global list for L2TPv3.
160  * The session_id SHOULD be random according to RFC3931, but several
161  * L2TP implementations use incrementing session_ids. So we do a real
162  * hash on the session_id, rather than a simple bitmask.
163  */
164 static inline struct hlist_head *
165 l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
166 {
167  return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)];
168 
169 }
170 
171 /* Lookup a session by id in the global session list
172  */
173 static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
174 {
175  struct l2tp_net *pn = l2tp_pernet(net);
176  struct hlist_head *session_list =
177  l2tp_session_id_hash_2(pn, session_id);
178  struct l2tp_session *session;
179  struct hlist_node *walk;
180 
181  rcu_read_lock_bh();
182  hlist_for_each_entry_rcu(session, walk, session_list, global_hlist) {
183  if (session->session_id == session_id) {
184  rcu_read_unlock_bh();
185  return session;
186  }
187  }
188  rcu_read_unlock_bh();
189 
190  return NULL;
191 }
192 
193 /* Session hash list.
194  * The session_id SHOULD be random according to RFC2661, but several
195  * L2TP implementations (Cisco and Microsoft) use incrementing
196  * session_ids. So we do a real hash on the session_id, rather than a
197  * simple bitmask.
198  */
199 static inline struct hlist_head *
200 l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
201 {
202  return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
203 }
204 
205 /* Lookup a session by id
206  */
207 struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunnel, u32 session_id)
208 {
209  struct hlist_head *session_list;
210  struct l2tp_session *session;
211  struct hlist_node *walk;
212 
213  /* In L2TPv3, session_ids are unique over all tunnels and we
214  * sometimes need to look them up before we know the
215  * tunnel.
216  */
217  if (tunnel == NULL)
218  return l2tp_session_find_2(net, session_id);
219 
220  session_list = l2tp_session_id_hash(tunnel, session_id);
221  read_lock_bh(&tunnel->hlist_lock);
222  hlist_for_each_entry(session, walk, session_list, hlist) {
223  if (session->session_id == session_id) {
224  read_unlock_bh(&tunnel->hlist_lock);
225  return session;
226  }
227  }
228  read_unlock_bh(&tunnel->hlist_lock);
229 
230  return NULL;
231 }
233 
234 struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
235 {
236  int hash;
237  struct hlist_node *walk;
238  struct l2tp_session *session;
239  int count = 0;
240 
241  read_lock_bh(&tunnel->hlist_lock);
242  for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
243  hlist_for_each_entry(session, walk, &tunnel->session_hlist[hash], hlist) {
244  if (++count > nth) {
245  read_unlock_bh(&tunnel->hlist_lock);
246  return session;
247  }
248  }
249  }
250 
251  read_unlock_bh(&tunnel->hlist_lock);
252 
253  return NULL;
254 }
256 
257 /* Lookup a session by interface name.
258  * This is very inefficient but is only used by management interfaces.
259  */
260 struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
261 {
262  struct l2tp_net *pn = l2tp_pernet(net);
263  int hash;
264  struct hlist_node *walk;
265  struct l2tp_session *session;
266 
267  rcu_read_lock_bh();
268  for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
269  hlist_for_each_entry_rcu(session, walk, &pn->l2tp_session_hlist[hash], global_hlist) {
270  if (!strcmp(session->ifname, ifname)) {
271  rcu_read_unlock_bh();
272  return session;
273  }
274  }
275  }
276 
277  rcu_read_unlock_bh();
278 
279  return NULL;
280 }
282 
283 /* Lookup a tunnel by id
284  */
285 struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id)
286 {
287  struct l2tp_tunnel *tunnel;
288  struct l2tp_net *pn = l2tp_pernet(net);
289 
290  rcu_read_lock_bh();
291  list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
292  if (tunnel->tunnel_id == tunnel_id) {
293  rcu_read_unlock_bh();
294  return tunnel;
295  }
296  }
297  rcu_read_unlock_bh();
298 
299  return NULL;
300 }
302 
303 struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth)
304 {
305  struct l2tp_net *pn = l2tp_pernet(net);
306  struct l2tp_tunnel *tunnel;
307  int count = 0;
308 
309  rcu_read_lock_bh();
310  list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
311  if (++count > nth) {
312  rcu_read_unlock_bh();
313  return tunnel;
314  }
315  }
316 
317  rcu_read_unlock_bh();
318 
319  return NULL;
320 }
322 
323 /*****************************************************************************
324  * Receive data handling
325  *****************************************************************************/
326 
327 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
328  * number.
329  */
330 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
331 {
332  struct sk_buff *skbp;
333  struct sk_buff *tmp;
334  u32 ns = L2TP_SKB_CB(skb)->ns;
335  struct l2tp_stats *sstats;
336 
337  spin_lock_bh(&session->reorder_q.lock);
338  sstats = &session->stats;
339  skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
340  if (L2TP_SKB_CB(skbp)->ns > ns) {
341  __skb_queue_before(&session->reorder_q, skbp, skb);
342  l2tp_dbg(session, L2TP_MSG_SEQ,
343  "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
344  session->name, ns, L2TP_SKB_CB(skbp)->ns,
345  skb_queue_len(&session->reorder_q));
346  u64_stats_update_begin(&sstats->syncp);
347  sstats->rx_oos_packets++;
348  u64_stats_update_end(&sstats->syncp);
349  goto out;
350  }
351  }
352 
353  __skb_queue_tail(&session->reorder_q, skb);
354 
355 out:
356  spin_unlock_bh(&session->reorder_q.lock);
357 }
358 
359 /* Dequeue a single skb.
360  */
361 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
362 {
363  struct l2tp_tunnel *tunnel = session->tunnel;
364  int length = L2TP_SKB_CB(skb)->length;
365  struct l2tp_stats *tstats, *sstats;
366 
367  /* We're about to requeue the skb, so return resources
368  * to its current owner (a socket receive buffer).
369  */
370  skb_orphan(skb);
371 
372  tstats = &tunnel->stats;
373  u64_stats_update_begin(&tstats->syncp);
374  sstats = &session->stats;
375  u64_stats_update_begin(&sstats->syncp);
376  tstats->rx_packets++;
377  tstats->rx_bytes += length;
378  sstats->rx_packets++;
379  sstats->rx_bytes += length;
380  u64_stats_update_end(&tstats->syncp);
381  u64_stats_update_end(&sstats->syncp);
382 
383  if (L2TP_SKB_CB(skb)->has_seq) {
384  /* Bump our Nr */
385  session->nr++;
386  if (tunnel->version == L2TP_HDR_VER_2)
387  session->nr &= 0xffff;
388  else
389  session->nr &= 0xffffff;
390 
391  l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
392  session->name, session->nr);
393  }
394 
395  /* call private receive handler */
396  if (session->recv_skb != NULL)
397  (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
398  else
399  kfree_skb(skb);
400 
401  if (session->deref)
402  (*session->deref)(session);
403 }
404 
405 /* Dequeue skbs from the session's reorder_q, subject to packet order.
406  * Skbs that have been in the queue for too long are simply discarded.
407  */
408 static void l2tp_recv_dequeue(struct l2tp_session *session)
409 {
410  struct sk_buff *skb;
411  struct sk_buff *tmp;
412  struct l2tp_stats *sstats;
413 
414  /* If the pkt at the head of the queue has the nr that we
415  * expect to send up next, dequeue it and any other
416  * in-sequence packets behind it.
417  */
418 start:
419  spin_lock_bh(&session->reorder_q.lock);
420  sstats = &session->stats;
421  skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
422  if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
423  u64_stats_update_begin(&sstats->syncp);
424  sstats->rx_seq_discards++;
425  sstats->rx_errors++;
426  u64_stats_update_end(&sstats->syncp);
427  l2tp_dbg(session, L2TP_MSG_SEQ,
428  "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
429  session->name, L2TP_SKB_CB(skb)->ns,
430  L2TP_SKB_CB(skb)->length, session->nr,
431  skb_queue_len(&session->reorder_q));
432  session->reorder_skip = 1;
433  __skb_unlink(skb, &session->reorder_q);
434  kfree_skb(skb);
435  if (session->deref)
436  (*session->deref)(session);
437  continue;
438  }
439 
440  if (L2TP_SKB_CB(skb)->has_seq) {
441  if (session->reorder_skip) {
442  l2tp_dbg(session, L2TP_MSG_SEQ,
443  "%s: advancing nr to next pkt: %u -> %u",
444  session->name, session->nr,
445  L2TP_SKB_CB(skb)->ns);
446  session->reorder_skip = 0;
447  session->nr = L2TP_SKB_CB(skb)->ns;
448  }
449  if (L2TP_SKB_CB(skb)->ns != session->nr) {
450  l2tp_dbg(session, L2TP_MSG_SEQ,
451  "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
452  session->name, L2TP_SKB_CB(skb)->ns,
453  L2TP_SKB_CB(skb)->length, session->nr,
454  skb_queue_len(&session->reorder_q));
455  goto out;
456  }
457  }
458  __skb_unlink(skb, &session->reorder_q);
459 
460  /* Process the skb. We release the queue lock while we
461  * do so to let other contexts process the queue.
462  */
463  spin_unlock_bh(&session->reorder_q.lock);
464  l2tp_recv_dequeue_skb(session, skb);
465  goto start;
466  }
467 
468 out:
469  spin_unlock_bh(&session->reorder_q.lock);
470 }
471 
472 static inline int l2tp_verify_udp_checksum(struct sock *sk,
473  struct sk_buff *skb)
474 {
475  struct udphdr *uh = udp_hdr(skb);
476  u16 ulen = ntohs(uh->len);
477  __wsum psum;
478 
479  if (sk->sk_no_check || skb_csum_unnecessary(skb))
480  return 0;
481 
482 #if IS_ENABLED(CONFIG_IPV6)
483  if (sk->sk_family == PF_INET6) {
484  if (!uh->check) {
485  LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
486  return 1;
487  }
488  if ((skb->ip_summed == CHECKSUM_COMPLETE) &&
489  !csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
490  &ipv6_hdr(skb)->daddr, ulen,
491  IPPROTO_UDP, skb->csum)) {
493  return 0;
494  }
495  skb->csum = ~csum_unfold(csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
496  &ipv6_hdr(skb)->daddr,
497  skb->len, IPPROTO_UDP,
498  0));
499  } else
500 #endif
501  {
502  struct inet_sock *inet;
503  if (!uh->check)
504  return 0;
505  inet = inet_sk(sk);
506  psum = csum_tcpudp_nofold(inet->inet_saddr, inet->inet_daddr,
507  ulen, IPPROTO_UDP, 0);
508 
509  if ((skb->ip_summed == CHECKSUM_COMPLETE) &&
510  !csum_fold(csum_add(psum, skb->csum)))
511  return 0;
512  skb->csum = psum;
513  }
514 
515  return __skb_checksum_complete(skb);
516 }
517 
518 /* Do receive processing of L2TP data frames. We handle both L2TPv2
519  * and L2TPv3 data frames here.
520  *
521  * L2TPv2 Data Message Header
522  *
523  * 0 1 2 3
524  * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
525  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
526  * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) |
527  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
528  * | Tunnel ID | Session ID |
529  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
530  * | Ns (opt) | Nr (opt) |
531  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
532  * | Offset Size (opt) | Offset pad... (opt)
533  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
534  *
535  * Data frames are marked by T=0. All other fields are the same as
536  * those in L2TP control frames.
537  *
538  * L2TPv3 Data Message Header
539  *
540  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
541  * | L2TP Session Header |
542  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
543  * | L2-Specific Sublayer |
544  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
545  * | Tunnel Payload ...
546  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
547  *
548  * L2TPv3 Session Header Over IP
549  *
550  * 0 1 2 3
551  * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
552  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
553  * | Session ID |
554  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
555  * | Cookie (optional, maximum 64 bits)...
556  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
557  * |
558  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
559  *
560  * L2TPv3 L2-Specific Sublayer Format
561  *
562  * 0 1 2 3
563  * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
564  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
565  * |x|S|x|x|x|x|x|x| Sequence Number |
566  * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
567  *
568  * Cookie value, sublayer format and offset (pad) are negotiated with
569  * the peer when the session is set up. Unlike L2TPv2, we do not need
570  * to parse the packet header to determine if optional fields are
571  * present.
572  *
573  * Caller must already have parsed the frame and determined that it is
574  * a data (not control) frame before coming here. Fields up to the
575  * session-id have already been parsed and ptr points to the data
576  * after the session-id.
577  */
578 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
579  unsigned char *ptr, unsigned char *optr, u16 hdrflags,
580  int length, int (*payload_hook)(struct sk_buff *skb))
581 {
582  struct l2tp_tunnel *tunnel = session->tunnel;
583  int offset;
584  u32 ns, nr;
585  struct l2tp_stats *sstats = &session->stats;
586 
587  /* The ref count is increased since we now hold a pointer to
588  * the session. Take care to decrement the refcnt when exiting
589  * this function from now on...
590  */
591  l2tp_session_inc_refcount(session);
592  if (session->ref)
593  (*session->ref)(session);
594 
595  /* Parse and check optional cookie */
596  if (session->peer_cookie_len > 0) {
597  if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
598  l2tp_info(tunnel, L2TP_MSG_DATA,
599  "%s: cookie mismatch (%u/%u). Discarding.\n",
600  tunnel->name, tunnel->tunnel_id,
601  session->session_id);
602  u64_stats_update_begin(&sstats->syncp);
603  sstats->rx_cookie_discards++;
604  u64_stats_update_end(&sstats->syncp);
605  goto discard;
606  }
607  ptr += session->peer_cookie_len;
608  }
609 
610  /* Handle the optional sequence numbers. Sequence numbers are
611  * in different places for L2TPv2 and L2TPv3.
612  *
613  * If we are the LAC, enable/disable sequence numbers under
614  * the control of the LNS. If no sequence numbers present but
615  * we were expecting them, discard frame.
616  */
617  ns = nr = 0;
618  L2TP_SKB_CB(skb)->has_seq = 0;
619  if (tunnel->version == L2TP_HDR_VER_2) {
620  if (hdrflags & L2TP_HDRFLAG_S) {
621  ns = ntohs(*(__be16 *) ptr);
622  ptr += 2;
623  nr = ntohs(*(__be16 *) ptr);
624  ptr += 2;
625 
626  /* Store L2TP info in the skb */
627  L2TP_SKB_CB(skb)->ns = ns;
628  L2TP_SKB_CB(skb)->has_seq = 1;
629 
630  l2tp_dbg(session, L2TP_MSG_SEQ,
631  "%s: recv data ns=%u, nr=%u, session nr=%u\n",
632  session->name, ns, nr, session->nr);
633  }
634  } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
635  u32 l2h = ntohl(*(__be32 *) ptr);
636 
637  if (l2h & 0x40000000) {
638  ns = l2h & 0x00ffffff;
639 
640  /* Store L2TP info in the skb */
641  L2TP_SKB_CB(skb)->ns = ns;
642  L2TP_SKB_CB(skb)->has_seq = 1;
643 
644  l2tp_dbg(session, L2TP_MSG_SEQ,
645  "%s: recv data ns=%u, session nr=%u\n",
646  session->name, ns, session->nr);
647  }
648  }
649 
650  /* Advance past L2-specific header, if present */
651  ptr += session->l2specific_len;
652 
653  if (L2TP_SKB_CB(skb)->has_seq) {
654  /* Received a packet with sequence numbers. If we're the LNS,
655  * check if we sre sending sequence numbers and if not,
656  * configure it so.
657  */
658  if ((!session->lns_mode) && (!session->send_seq)) {
659  l2tp_info(session, L2TP_MSG_SEQ,
660  "%s: requested to enable seq numbers by LNS\n",
661  session->name);
662  session->send_seq = -1;
663  l2tp_session_set_header_len(session, tunnel->version);
664  }
665  } else {
666  /* No sequence numbers.
667  * If user has configured mandatory sequence numbers, discard.
668  */
669  if (session->recv_seq) {
670  l2tp_warn(session, L2TP_MSG_SEQ,
671  "%s: recv data has no seq numbers when required. Discarding.\n",
672  session->name);
673  u64_stats_update_begin(&sstats->syncp);
674  sstats->rx_seq_discards++;
675  u64_stats_update_end(&sstats->syncp);
676  goto discard;
677  }
678 
679  /* If we're the LAC and we're sending sequence numbers, the
680  * LNS has requested that we no longer send sequence numbers.
681  * If we're the LNS and we're sending sequence numbers, the
682  * LAC is broken. Discard the frame.
683  */
684  if ((!session->lns_mode) && (session->send_seq)) {
685  l2tp_info(session, L2TP_MSG_SEQ,
686  "%s: requested to disable seq numbers by LNS\n",
687  session->name);
688  session->send_seq = 0;
689  l2tp_session_set_header_len(session, tunnel->version);
690  } else if (session->send_seq) {
691  l2tp_warn(session, L2TP_MSG_SEQ,
692  "%s: recv data has no seq numbers when required. Discarding.\n",
693  session->name);
694  u64_stats_update_begin(&sstats->syncp);
695  sstats->rx_seq_discards++;
696  u64_stats_update_end(&sstats->syncp);
697  goto discard;
698  }
699  }
700 
701  /* Session data offset is handled differently for L2TPv2 and
702  * L2TPv3. For L2TPv2, there is an optional 16-bit value in
703  * the header. For L2TPv3, the offset is negotiated using AVPs
704  * in the session setup control protocol.
705  */
706  if (tunnel->version == L2TP_HDR_VER_2) {
707  /* If offset bit set, skip it. */
708  if (hdrflags & L2TP_HDRFLAG_O) {
709  offset = ntohs(*(__be16 *)ptr);
710  ptr += 2 + offset;
711  }
712  } else
713  ptr += session->offset;
714 
715  offset = ptr - optr;
716  if (!pskb_may_pull(skb, offset))
717  goto discard;
718 
719  __skb_pull(skb, offset);
720 
721  /* If caller wants to process the payload before we queue the
722  * packet, do so now.
723  */
724  if (payload_hook)
725  if ((*payload_hook)(skb))
726  goto discard;
727 
728  /* Prepare skb for adding to the session's reorder_q. Hold
729  * packets for max reorder_timeout or 1 second if not
730  * reordering.
731  */
732  L2TP_SKB_CB(skb)->length = length;
733  L2TP_SKB_CB(skb)->expires = jiffies +
734  (session->reorder_timeout ? session->reorder_timeout : HZ);
735 
736  /* Add packet to the session's receive queue. Reordering is done here, if
737  * enabled. Saved L2TP protocol info is stored in skb->sb[].
738  */
739  if (L2TP_SKB_CB(skb)->has_seq) {
740  if (session->reorder_timeout != 0) {
741  /* Packet reordering enabled. Add skb to session's
742  * reorder queue, in order of ns.
743  */
744  l2tp_recv_queue_skb(session, skb);
745  } else {
746  /* Packet reordering disabled. Discard out-of-sequence
747  * packets
748  */
749  if (L2TP_SKB_CB(skb)->ns != session->nr) {
750  u64_stats_update_begin(&sstats->syncp);
751  sstats->rx_seq_discards++;
752  u64_stats_update_end(&sstats->syncp);
753  l2tp_dbg(session, L2TP_MSG_SEQ,
754  "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
755  session->name, L2TP_SKB_CB(skb)->ns,
756  L2TP_SKB_CB(skb)->length, session->nr,
757  skb_queue_len(&session->reorder_q));
758  goto discard;
759  }
760  skb_queue_tail(&session->reorder_q, skb);
761  }
762  } else {
763  /* No sequence numbers. Add the skb to the tail of the
764  * reorder queue. This ensures that it will be
765  * delivered after all previous sequenced skbs.
766  */
767  skb_queue_tail(&session->reorder_q, skb);
768  }
769 
770  /* Try to dequeue as many skbs from reorder_q as we can. */
771  l2tp_recv_dequeue(session);
772 
773  l2tp_session_dec_refcount(session);
774 
775  return;
776 
777 discard:
778  u64_stats_update_begin(&sstats->syncp);
779  sstats->rx_errors++;
780  u64_stats_update_end(&sstats->syncp);
781  kfree_skb(skb);
782 
783  if (session->deref)
784  (*session->deref)(session);
785 
786  l2tp_session_dec_refcount(session);
787 }
789 
790 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
791  * here. The skb is not on a list when we get here.
792  * Returns 0 if the packet was a data packet and was successfully passed on.
793  * Returns 1 if the packet was not a good data packet and could not be
794  * forwarded. All such packets are passed up to userspace to deal with.
795  */
796 static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
797  int (*payload_hook)(struct sk_buff *skb))
798 {
799  struct l2tp_session *session = NULL;
800  unsigned char *ptr, *optr;
801  u16 hdrflags;
802  u32 tunnel_id, session_id;
803  u16 version;
804  int length;
805  struct l2tp_stats *tstats;
806 
807  if (tunnel->sock && l2tp_verify_udp_checksum(tunnel->sock, skb))
808  goto discard_bad_csum;
809 
810  /* UDP always verifies the packet length. */
811  __skb_pull(skb, sizeof(struct udphdr));
812 
813  /* Short packet? */
814  if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
815  l2tp_info(tunnel, L2TP_MSG_DATA,
816  "%s: recv short packet (len=%d)\n",
817  tunnel->name, skb->len);
818  goto error;
819  }
820 
821  /* Trace packet contents, if enabled */
822  if (tunnel->debug & L2TP_MSG_DATA) {
823  length = min(32u, skb->len);
824  if (!pskb_may_pull(skb, length))
825  goto error;
826 
827  pr_debug("%s: recv\n", tunnel->name);
828  print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
829  }
830 
831  /* Point to L2TP header */
832  optr = ptr = skb->data;
833 
834  /* Get L2TP header flags */
835  hdrflags = ntohs(*(__be16 *) ptr);
836 
837  /* Check protocol version */
838  version = hdrflags & L2TP_HDR_VER_MASK;
839  if (version != tunnel->version) {
840  l2tp_info(tunnel, L2TP_MSG_DATA,
841  "%s: recv protocol version mismatch: got %d expected %d\n",
842  tunnel->name, version, tunnel->version);
843  goto error;
844  }
845 
846  /* Get length of L2TP packet */
847  length = skb->len;
848 
849  /* If type is control packet, it is handled by userspace. */
850  if (hdrflags & L2TP_HDRFLAG_T) {
851  l2tp_dbg(tunnel, L2TP_MSG_DATA,
852  "%s: recv control packet, len=%d\n",
853  tunnel->name, length);
854  goto error;
855  }
856 
857  /* Skip flags */
858  ptr += 2;
859 
860  if (tunnel->version == L2TP_HDR_VER_2) {
861  /* If length is present, skip it */
862  if (hdrflags & L2TP_HDRFLAG_L)
863  ptr += 2;
864 
865  /* Extract tunnel and session ID */
866  tunnel_id = ntohs(*(__be16 *) ptr);
867  ptr += 2;
868  session_id = ntohs(*(__be16 *) ptr);
869  ptr += 2;
870  } else {
871  ptr += 2; /* skip reserved bits */
872  tunnel_id = tunnel->tunnel_id;
873  session_id = ntohl(*(__be32 *) ptr);
874  ptr += 4;
875  }
876 
877  /* Find the session context */
878  session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id);
879  if (!session || !session->recv_skb) {
880  /* Not found? Pass to userspace to deal with */
881  l2tp_info(tunnel, L2TP_MSG_DATA,
882  "%s: no session found (%u/%u). Passing up.\n",
883  tunnel->name, tunnel_id, session_id);
884  goto error;
885  }
886 
887  l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
888 
889  return 0;
890 
891 discard_bad_csum:
892  LIMIT_NETDEBUG("%s: UDP: bad checksum\n", tunnel->name);
894  tstats = &tunnel->stats;
895  u64_stats_update_begin(&tstats->syncp);
896  tstats->rx_errors++;
897  u64_stats_update_end(&tstats->syncp);
898  kfree_skb(skb);
899 
900  return 0;
901 
902 error:
903  /* Put UDP header back */
904  __skb_push(skb, sizeof(struct udphdr));
905 
906  return 1;
907 }
908 
909 /* UDP encapsulation receive handler. See net/ipv4/udp.c.
910  * Return codes:
911  * 0 : success.
912  * <0: error
913  * >0: skb should be passed up to userspace as UDP.
914  */
915 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
916 {
917  struct l2tp_tunnel *tunnel;
918 
919  tunnel = l2tp_sock_to_tunnel(sk);
920  if (tunnel == NULL)
921  goto pass_up;
922 
923  l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
924  tunnel->name, skb->len);
925 
926  if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
927  goto pass_up_put;
928 
929  sock_put(sk);
930  return 0;
931 
932 pass_up_put:
933  sock_put(sk);
934 pass_up:
935  return 1;
936 }
938 
939 /************************************************************************
940  * Transmit handling
941  ***********************************************************************/
942 
943 /* Build an L2TP header for the session into the buffer provided.
944  */
945 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
946 {
947  struct l2tp_tunnel *tunnel = session->tunnel;
948  __be16 *bufp = buf;
949  __be16 *optr = buf;
951  u32 tunnel_id = tunnel->peer_tunnel_id;
952  u32 session_id = session->peer_session_id;
953 
954  if (session->send_seq)
955  flags |= L2TP_HDRFLAG_S;
956 
957  /* Setup L2TP header. */
958  *bufp++ = htons(flags);
959  *bufp++ = htons(tunnel_id);
960  *bufp++ = htons(session_id);
961  if (session->send_seq) {
962  *bufp++ = htons(session->ns);
963  *bufp++ = 0;
964  session->ns++;
965  session->ns &= 0xffff;
966  l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
967  session->name, session->ns);
968  }
969 
970  return bufp - optr;
971 }
972 
973 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
974 {
975  struct l2tp_tunnel *tunnel = session->tunnel;
976  char *bufp = buf;
977  char *optr = bufp;
978 
979  /* Setup L2TP header. The header differs slightly for UDP and
980  * IP encapsulations. For UDP, there is 4 bytes of flags.
981  */
982  if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
983  u16 flags = L2TP_HDR_VER_3;
984  *((__be16 *) bufp) = htons(flags);
985  bufp += 2;
986  *((__be16 *) bufp) = 0;
987  bufp += 2;
988  }
989 
990  *((__be32 *) bufp) = htonl(session->peer_session_id);
991  bufp += 4;
992  if (session->cookie_len) {
993  memcpy(bufp, &session->cookie[0], session->cookie_len);
994  bufp += session->cookie_len;
995  }
996  if (session->l2specific_len) {
997  if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
998  u32 l2h = 0;
999  if (session->send_seq) {
1000  l2h = 0x40000000 | session->ns;
1001  session->ns++;
1002  session->ns &= 0xffffff;
1003  l2tp_dbg(session, L2TP_MSG_SEQ,
1004  "%s: updated ns to %u\n",
1005  session->name, session->ns);
1006  }
1007 
1008  *((__be32 *) bufp) = htonl(l2h);
1009  }
1010  bufp += session->l2specific_len;
1011  }
1012  if (session->offset)
1013  bufp += session->offset;
1014 
1015  return bufp - optr;
1016 }
1017 
1018 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
1019  struct flowi *fl, size_t data_len)
1020 {
1021  struct l2tp_tunnel *tunnel = session->tunnel;
1022  unsigned int len = skb->len;
1023  int error;
1024  struct l2tp_stats *tstats, *sstats;
1025 
1026  /* Debug */
1027  if (session->send_seq)
1028  l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes, ns=%u\n",
1029  session->name, data_len, session->ns - 1);
1030  else
1031  l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes\n",
1032  session->name, data_len);
1033 
1034  if (session->debug & L2TP_MSG_DATA) {
1035  int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1036  unsigned char *datap = skb->data + uhlen;
1037 
1038  pr_debug("%s: xmit\n", session->name);
1039  print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
1040  datap, min_t(size_t, 32, len - uhlen));
1041  }
1042 
1043  /* Queue the packet to IP for output */
1044  skb->local_df = 1;
1045 #if IS_ENABLED(CONFIG_IPV6)
1046  if (skb->sk->sk_family == PF_INET6)
1047  error = inet6_csk_xmit(skb, NULL);
1048  else
1049 #endif
1050  error = ip_queue_xmit(skb, fl);
1051 
1052  /* Update stats */
1053  tstats = &tunnel->stats;
1054  u64_stats_update_begin(&tstats->syncp);
1055  sstats = &session->stats;
1056  u64_stats_update_begin(&sstats->syncp);
1057  if (error >= 0) {
1058  tstats->tx_packets++;
1059  tstats->tx_bytes += len;
1060  sstats->tx_packets++;
1061  sstats->tx_bytes += len;
1062  } else {
1063  tstats->tx_errors++;
1064  sstats->tx_errors++;
1065  }
1066  u64_stats_update_end(&tstats->syncp);
1067  u64_stats_update_end(&sstats->syncp);
1068 
1069  return 0;
1070 }
1071 
1072 /* Automatically called when the skb is freed.
1073  */
1074 static void l2tp_sock_wfree(struct sk_buff *skb)
1075 {
1076  sock_put(skb->sk);
1077 }
1078 
1079 /* For data skbs that we transmit, we associate with the tunnel socket
1080  * but don't do accounting.
1081  */
1082 static inline void l2tp_skb_set_owner_w(struct sk_buff *skb, struct sock *sk)
1083 {
1084  sock_hold(sk);
1085  skb->sk = sk;
1086  skb->destructor = l2tp_sock_wfree;
1087 }
1088 
1089 #if IS_ENABLED(CONFIG_IPV6)
1090 static void l2tp_xmit_ipv6_csum(struct sock *sk, struct sk_buff *skb,
1091  int udp_len)
1092 {
1093  struct ipv6_pinfo *np = inet6_sk(sk);
1094  struct udphdr *uh = udp_hdr(skb);
1095 
1096  if (!skb_dst(skb) || !skb_dst(skb)->dev ||
1097  !(skb_dst(skb)->dev->features & NETIF_F_IPV6_CSUM)) {
1098  __wsum csum = skb_checksum(skb, 0, udp_len, 0);
1100  uh->check = csum_ipv6_magic(&np->saddr, &np->daddr, udp_len,
1101  IPPROTO_UDP, csum);
1102  if (uh->check == 0)
1103  uh->check = CSUM_MANGLED_0;
1104  } else {
1105  skb->ip_summed = CHECKSUM_PARTIAL;
1106  skb->csum_start = skb_transport_header(skb) - skb->head;
1107  skb->csum_offset = offsetof(struct udphdr, check);
1108  uh->check = ~csum_ipv6_magic(&np->saddr, &np->daddr,
1109  udp_len, IPPROTO_UDP, 0);
1110  }
1111 }
1112 #endif
1113 
1114 /* If caller requires the skb to have a ppp header, the header must be
1115  * inserted in the skb data before calling this function.
1116  */
1117 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len)
1118 {
1119  int data_len = skb->len;
1120  struct l2tp_tunnel *tunnel = session->tunnel;
1121  struct sock *sk = tunnel->sock;
1122  struct flowi *fl;
1123  struct udphdr *uh;
1124  struct inet_sock *inet;
1125  __wsum csum;
1126  int old_headroom;
1127  int new_headroom;
1128  int headroom;
1129  int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
1130  int udp_len;
1131  int ret = NET_XMIT_SUCCESS;
1132 
1133  /* Check that there's enough headroom in the skb to insert IP,
1134  * UDP and L2TP headers. If not enough, expand it to
1135  * make room. Adjust truesize.
1136  */
1137  headroom = NET_SKB_PAD + sizeof(struct iphdr) +
1138  uhlen + hdr_len;
1139  old_headroom = skb_headroom(skb);
1140  if (skb_cow_head(skb, headroom)) {
1141  kfree_skb(skb);
1142  return NET_XMIT_DROP;
1143  }
1144 
1145  new_headroom = skb_headroom(skb);
1146  skb_orphan(skb);
1147  skb->truesize += new_headroom - old_headroom;
1148 
1149  /* Setup L2TP header */
1150  session->build_header(session, __skb_push(skb, hdr_len));
1151 
1152  /* Reset skb netfilter state */
1153  memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1155  IPSKB_REROUTED);
1156  nf_reset(skb);
1157 
1158  bh_lock_sock(sk);
1159  if (sock_owned_by_user(sk)) {
1160  kfree_skb(skb);
1161  ret = NET_XMIT_DROP;
1162  goto out_unlock;
1163  }
1164 
1165  /* Get routing info from the tunnel socket */
1166  skb_dst_drop(skb);
1167  skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
1168 
1169  inet = inet_sk(sk);
1170  fl = &inet->cork.fl;
1171  switch (tunnel->encap) {
1172  case L2TP_ENCAPTYPE_UDP:
1173  /* Setup UDP header */
1174  __skb_push(skb, sizeof(*uh));
1175  skb_reset_transport_header(skb);
1176  uh = udp_hdr(skb);
1177  uh->source = inet->inet_sport;
1178  uh->dest = inet->inet_dport;
1179  udp_len = uhlen + hdr_len + data_len;
1180  uh->len = htons(udp_len);
1181  uh->check = 0;
1182 
1183  /* Calculate UDP checksum if configured to do so */
1184 #if IS_ENABLED(CONFIG_IPV6)
1185  if (sk->sk_family == PF_INET6)
1186  l2tp_xmit_ipv6_csum(sk, skb, udp_len);
1187  else
1188 #endif
1189  if (sk->sk_no_check == UDP_CSUM_NOXMIT)
1190  skb->ip_summed = CHECKSUM_NONE;
1191  else if ((skb_dst(skb) && skb_dst(skb)->dev) &&
1192  (!(skb_dst(skb)->dev->features & NETIF_F_V4_CSUM))) {
1194  csum = skb_checksum(skb, 0, udp_len, 0);
1195  uh->check = csum_tcpudp_magic(inet->inet_saddr,
1196  inet->inet_daddr,
1197  udp_len, IPPROTO_UDP, csum);
1198  if (uh->check == 0)
1199  uh->check = CSUM_MANGLED_0;
1200  } else {
1201  skb->ip_summed = CHECKSUM_PARTIAL;
1202  skb->csum_start = skb_transport_header(skb) - skb->head;
1203  skb->csum_offset = offsetof(struct udphdr, check);
1204  uh->check = ~csum_tcpudp_magic(inet->inet_saddr,
1205  inet->inet_daddr,
1206  udp_len, IPPROTO_UDP, 0);
1207  }
1208  break;
1209 
1210  case L2TP_ENCAPTYPE_IP:
1211  break;
1212  }
1213 
1214  l2tp_skb_set_owner_w(skb, sk);
1215 
1216  l2tp_xmit_core(session, skb, fl, data_len);
1217 out_unlock:
1218  bh_unlock_sock(sk);
1219 
1220  return ret;
1221 }
1223 
1224 /*****************************************************************************
1225  * Tinnel and session create/destroy.
1226  *****************************************************************************/
1227 
1228 /* Tunnel socket destruct hook.
1229  * The tunnel context is deleted only when all session sockets have been
1230  * closed.
1231  */
1232 static void l2tp_tunnel_destruct(struct sock *sk)
1233 {
1234  struct l2tp_tunnel *tunnel;
1235 
1236  tunnel = sk->sk_user_data;
1237  if (tunnel == NULL)
1238  goto end;
1239 
1240  l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
1241 
1242  /* Close all sessions */
1243  l2tp_tunnel_closeall(tunnel);
1244 
1245  switch (tunnel->encap) {
1246  case L2TP_ENCAPTYPE_UDP:
1247  /* No longer an encapsulation socket. See net/ipv4/udp.c */
1248  (udp_sk(sk))->encap_type = 0;
1249  (udp_sk(sk))->encap_rcv = NULL;
1250  break;
1251  case L2TP_ENCAPTYPE_IP:
1252  break;
1253  }
1254 
1255  /* Remove hooks into tunnel socket */
1256  tunnel->sock = NULL;
1257  sk->sk_destruct = tunnel->old_sk_destruct;
1258  sk->sk_user_data = NULL;
1259 
1260  /* Call the original destructor */
1261  if (sk->sk_destruct)
1262  (*sk->sk_destruct)(sk);
1263 
1264  /* We're finished with the socket */
1265  l2tp_tunnel_dec_refcount(tunnel);
1266 
1267 end:
1268  return;
1269 }
1270 
1271 /* When the tunnel is closed, all the attached sessions need to go too.
1272  */
1273 static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1274 {
1275  int hash;
1276  struct hlist_node *walk;
1277  struct hlist_node *tmp;
1278  struct l2tp_session *session;
1279 
1280  BUG_ON(tunnel == NULL);
1281 
1282  l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
1283  tunnel->name);
1284 
1285  write_lock_bh(&tunnel->hlist_lock);
1286  for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
1287 again:
1288  hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
1289  session = hlist_entry(walk, struct l2tp_session, hlist);
1290 
1291  l2tp_info(session, L2TP_MSG_CONTROL,
1292  "%s: closing session\n", session->name);
1293 
1294  hlist_del_init(&session->hlist);
1295 
1296  /* Since we should hold the sock lock while
1297  * doing any unbinding, we need to release the
1298  * lock we're holding before taking that lock.
1299  * Hold a reference to the sock so it doesn't
1300  * disappear as we're jumping between locks.
1301  */
1302  if (session->ref != NULL)
1303  (*session->ref)(session);
1304 
1305  write_unlock_bh(&tunnel->hlist_lock);
1306 
1307  if (tunnel->version != L2TP_HDR_VER_2) {
1308  struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1309 
1310  spin_lock_bh(&pn->l2tp_session_hlist_lock);
1311  hlist_del_init_rcu(&session->global_hlist);
1312  spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1313  synchronize_rcu();
1314  }
1315 
1316  if (session->session_close != NULL)
1317  (*session->session_close)(session);
1318 
1319  if (session->deref != NULL)
1320  (*session->deref)(session);
1321 
1322  write_lock_bh(&tunnel->hlist_lock);
1323 
1324  /* Now restart from the beginning of this hash
1325  * chain. We always remove a session from the
1326  * list so we are guaranteed to make forward
1327  * progress.
1328  */
1329  goto again;
1330  }
1331  }
1332  write_unlock_bh(&tunnel->hlist_lock);
1333 }
1334 
1335 /* Really kill the tunnel.
1336  * Come here only when all sessions have been cleared from the tunnel.
1337  */
1338 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
1339 {
1340  struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1341 
1342  BUG_ON(atomic_read(&tunnel->ref_count) != 0);
1343  BUG_ON(tunnel->sock != NULL);
1344 
1345  l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: free...\n", tunnel->name);
1346 
1347  /* Remove from tunnel list */
1348  spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1349  list_del_rcu(&tunnel->list);
1350  kfree_rcu(tunnel, rcu);
1351  spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1352 
1353  atomic_dec(&l2tp_tunnel_count);
1354 }
1355 
1356 /* Create a socket for the tunnel, if one isn't set up by
1357  * userspace. This is used for static tunnels where there is no
1358  * managing L2TP daemon.
1359  */
1360 static int l2tp_tunnel_sock_create(u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct socket **sockp)
1361 {
1362  int err = -EINVAL;
1363  struct sockaddr_in udp_addr;
1364 #if IS_ENABLED(CONFIG_IPV6)
1365  struct sockaddr_in6 udp6_addr;
1366  struct sockaddr_l2tpip6 ip6_addr;
1367 #endif
1368  struct sockaddr_l2tpip ip_addr;
1369  struct socket *sock = NULL;
1370 
1371  switch (cfg->encap) {
1372  case L2TP_ENCAPTYPE_UDP:
1373 #if IS_ENABLED(CONFIG_IPV6)
1374  if (cfg->local_ip6 && cfg->peer_ip6) {
1375  err = sock_create(AF_INET6, SOCK_DGRAM, 0, sockp);
1376  if (err < 0)
1377  goto out;
1378 
1379  sock = *sockp;
1380 
1381  memset(&udp6_addr, 0, sizeof(udp6_addr));
1382  udp6_addr.sin6_family = AF_INET6;
1383  memcpy(&udp6_addr.sin6_addr, cfg->local_ip6,
1384  sizeof(udp6_addr.sin6_addr));
1385  udp6_addr.sin6_port = htons(cfg->local_udp_port);
1386  err = kernel_bind(sock, (struct sockaddr *) &udp6_addr,
1387  sizeof(udp6_addr));
1388  if (err < 0)
1389  goto out;
1390 
1391  udp6_addr.sin6_family = AF_INET6;
1392  memcpy(&udp6_addr.sin6_addr, cfg->peer_ip6,
1393  sizeof(udp6_addr.sin6_addr));
1394  udp6_addr.sin6_port = htons(cfg->peer_udp_port);
1395  err = kernel_connect(sock,
1396  (struct sockaddr *) &udp6_addr,
1397  sizeof(udp6_addr), 0);
1398  if (err < 0)
1399  goto out;
1400  } else
1401 #endif
1402  {
1403  err = sock_create(AF_INET, SOCK_DGRAM, 0, sockp);
1404  if (err < 0)
1405  goto out;
1406 
1407  sock = *sockp;
1408 
1409  memset(&udp_addr, 0, sizeof(udp_addr));
1410  udp_addr.sin_family = AF_INET;
1411  udp_addr.sin_addr = cfg->local_ip;
1412  udp_addr.sin_port = htons(cfg->local_udp_port);
1413  err = kernel_bind(sock, (struct sockaddr *) &udp_addr,
1414  sizeof(udp_addr));
1415  if (err < 0)
1416  goto out;
1417 
1418  udp_addr.sin_family = AF_INET;
1419  udp_addr.sin_addr = cfg->peer_ip;
1420  udp_addr.sin_port = htons(cfg->peer_udp_port);
1421  err = kernel_connect(sock,
1422  (struct sockaddr *) &udp_addr,
1423  sizeof(udp_addr), 0);
1424  if (err < 0)
1425  goto out;
1426  }
1427 
1428  if (!cfg->use_udp_checksums)
1429  sock->sk->sk_no_check = UDP_CSUM_NOXMIT;
1430 
1431  break;
1432 
1433  case L2TP_ENCAPTYPE_IP:
1434 #if IS_ENABLED(CONFIG_IPV6)
1435  if (cfg->local_ip6 && cfg->peer_ip6) {
1437  sockp);
1438  if (err < 0)
1439  goto out;
1440 
1441  sock = *sockp;
1442 
1443  memset(&ip6_addr, 0, sizeof(ip6_addr));
1444  ip6_addr.l2tp_family = AF_INET6;
1445  memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1446  sizeof(ip6_addr.l2tp_addr));
1447  ip6_addr.l2tp_conn_id = tunnel_id;
1448  err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
1449  sizeof(ip6_addr));
1450  if (err < 0)
1451  goto out;
1452 
1453  ip6_addr.l2tp_family = AF_INET6;
1454  memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1455  sizeof(ip6_addr.l2tp_addr));
1456  ip6_addr.l2tp_conn_id = peer_tunnel_id;
1457  err = kernel_connect(sock,
1458  (struct sockaddr *) &ip6_addr,
1459  sizeof(ip6_addr), 0);
1460  if (err < 0)
1461  goto out;
1462  } else
1463 #endif
1464  {
1466  sockp);
1467  if (err < 0)
1468  goto out;
1469 
1470  sock = *sockp;
1471 
1472  memset(&ip_addr, 0, sizeof(ip_addr));
1473  ip_addr.l2tp_family = AF_INET;
1474  ip_addr.l2tp_addr = cfg->local_ip;
1475  ip_addr.l2tp_conn_id = tunnel_id;
1476  err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
1477  sizeof(ip_addr));
1478  if (err < 0)
1479  goto out;
1480 
1481  ip_addr.l2tp_family = AF_INET;
1482  ip_addr.l2tp_addr = cfg->peer_ip;
1483  ip_addr.l2tp_conn_id = peer_tunnel_id;
1484  err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
1485  sizeof(ip_addr), 0);
1486  if (err < 0)
1487  goto out;
1488  }
1489  break;
1490 
1491  default:
1492  goto out;
1493  }
1494 
1495 out:
1496  if ((err < 0) && sock) {
1497  sock_release(sock);
1498  *sockp = NULL;
1499  }
1500 
1501  return err;
1502 }
1503 
1504 static struct lock_class_key l2tp_socket_class;
1505 
1506 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1507 {
1508  struct l2tp_tunnel *tunnel = NULL;
1509  int err;
1510  struct socket *sock = NULL;
1511  struct sock *sk = NULL;
1512  struct l2tp_net *pn;
1513  enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1514 
1515  /* Get the tunnel socket from the fd, which was opened by
1516  * the userspace L2TP daemon. If not specified, create a
1517  * kernel socket.
1518  */
1519  if (fd < 0) {
1520  err = l2tp_tunnel_sock_create(tunnel_id, peer_tunnel_id, cfg, &sock);
1521  if (err < 0)
1522  goto err;
1523  } else {
1524  err = -EBADF;
1525  sock = sockfd_lookup(fd, &err);
1526  if (!sock) {
1527  pr_err("tunl %hu: sockfd_lookup(fd=%d) returned %d\n",
1528  tunnel_id, fd, err);
1529  goto err;
1530  }
1531  }
1532 
1533  sk = sock->sk;
1534 
1535  if (cfg != NULL)
1536  encap = cfg->encap;
1537 
1538  /* Quick sanity checks */
1539  switch (encap) {
1540  case L2TP_ENCAPTYPE_UDP:
1541  err = -EPROTONOSUPPORT;
1542  if (sk->sk_protocol != IPPROTO_UDP) {
1543  pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1544  tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
1545  goto err;
1546  }
1547  break;
1548  case L2TP_ENCAPTYPE_IP:
1549  err = -EPROTONOSUPPORT;
1550  if (sk->sk_protocol != IPPROTO_L2TP) {
1551  pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
1552  tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
1553  goto err;
1554  }
1555  break;
1556  }
1557 
1558  /* Check if this socket has already been prepped */
1559  tunnel = (struct l2tp_tunnel *)sk->sk_user_data;
1560  if (tunnel != NULL) {
1561  /* This socket has already been prepped */
1562  err = -EBUSY;
1563  goto err;
1564  }
1565 
1566  tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL);
1567  if (tunnel == NULL) {
1568  err = -ENOMEM;
1569  goto err;
1570  }
1571 
1572  tunnel->version = version;
1573  tunnel->tunnel_id = tunnel_id;
1574  tunnel->peer_tunnel_id = peer_tunnel_id;
1575  tunnel->debug = L2TP_DEFAULT_DEBUG_FLAGS;
1576 
1577  tunnel->magic = L2TP_TUNNEL_MAGIC;
1578  sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1579  rwlock_init(&tunnel->hlist_lock);
1580 
1581  /* The net we belong to */
1582  tunnel->l2tp_net = net;
1583  pn = l2tp_pernet(net);
1584 
1585  if (cfg != NULL)
1586  tunnel->debug = cfg->debug;
1587 
1588  /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1589  tunnel->encap = encap;
1590  if (encap == L2TP_ENCAPTYPE_UDP) {
1591  /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
1592  udp_sk(sk)->encap_type = UDP_ENCAP_L2TPINUDP;
1593  udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
1594 #if IS_ENABLED(CONFIG_IPV6)
1595  if (sk->sk_family == PF_INET6)
1597  else
1598 #endif
1599  udp_encap_enable();
1600  }
1601 
1602  sk->sk_user_data = tunnel;
1603 
1604  /* Hook on the tunnel socket destructor so that we can cleanup
1605  * if the tunnel socket goes away.
1606  */
1607  tunnel->old_sk_destruct = sk->sk_destruct;
1608  sk->sk_destruct = &l2tp_tunnel_destruct;
1609  tunnel->sock = sk;
1610  lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
1611 
1612  sk->sk_allocation = GFP_ATOMIC;
1613 
1614  /* Add tunnel to our list */
1615  INIT_LIST_HEAD(&tunnel->list);
1616  atomic_inc(&l2tp_tunnel_count);
1617 
1618  /* Bump the reference count. The tunnel context is deleted
1619  * only when this drops to zero. Must be done before list insertion
1620  */
1621  l2tp_tunnel_inc_refcount(tunnel);
1622  spin_lock_bh(&pn->l2tp_tunnel_list_lock);
1623  list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
1624  spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
1625 
1626  err = 0;
1627 err:
1628  if (tunnelp)
1629  *tunnelp = tunnel;
1630 
1631  /* If tunnel's socket was created by the kernel, it doesn't
1632  * have a file.
1633  */
1634  if (sock && sock->file)
1635  sockfd_put(sock);
1636 
1637  return err;
1638 }
1640 
1641 /* This function is used by the netlink TUNNEL_DELETE command.
1642  */
1643 int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1644 {
1645  int err = 0;
1646  struct socket *sock = tunnel->sock ? tunnel->sock->sk_socket : NULL;
1647 
1648  /* Force the tunnel socket to close. This will eventually
1649  * cause the tunnel to be deleted via the normal socket close
1650  * mechanisms when userspace closes the tunnel socket.
1651  */
1652  if (sock != NULL) {
1653  err = inet_shutdown(sock, 2);
1654 
1655  /* If the tunnel's socket was created by the kernel,
1656  * close the socket here since the socket was not
1657  * created by userspace.
1658  */
1659  if (sock->file == NULL)
1660  err = inet_release(sock);
1661  }
1662 
1663  return err;
1664 }
1666 
1667 /* Really kill the session.
1668  */
1669 void l2tp_session_free(struct l2tp_session *session)
1670 {
1671  struct l2tp_tunnel *tunnel;
1672 
1673  BUG_ON(atomic_read(&session->ref_count) != 0);
1674 
1675  tunnel = session->tunnel;
1676  if (tunnel != NULL) {
1677  BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
1678 
1679  /* Delete the session from the hash */
1680  write_lock_bh(&tunnel->hlist_lock);
1681  hlist_del_init(&session->hlist);
1682  write_unlock_bh(&tunnel->hlist_lock);
1683 
1684  /* Unlink from the global hash if not L2TPv2 */
1685  if (tunnel->version != L2TP_HDR_VER_2) {
1686  struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1687 
1688  spin_lock_bh(&pn->l2tp_session_hlist_lock);
1689  hlist_del_init_rcu(&session->global_hlist);
1690  spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1691  synchronize_rcu();
1692  }
1693 
1694  if (session->session_id != 0)
1695  atomic_dec(&l2tp_session_count);
1696 
1697  sock_put(tunnel->sock);
1698 
1699  /* This will delete the tunnel context if this
1700  * is the last session on the tunnel.
1701  */
1702  session->tunnel = NULL;
1703  l2tp_tunnel_dec_refcount(tunnel);
1704  }
1705 
1706  kfree(session);
1707 
1708  return;
1709 }
1711 
1712 /* This function is used by the netlink SESSION_DELETE command and by
1713  pseudowire modules.
1714  */
1715 int l2tp_session_delete(struct l2tp_session *session)
1716 {
1717  if (session->session_close != NULL)
1718  (*session->session_close)(session);
1719 
1720  l2tp_session_dec_refcount(session);
1721 
1722  return 0;
1723 }
1725 
1726 
1727 /* We come here whenever a session's send_seq, cookie_len or
1728  * l2specific_len parameters are set.
1729  */
1730 static void l2tp_session_set_header_len(struct l2tp_session *session, int version)
1731 {
1732  if (version == L2TP_HDR_VER_2) {
1733  session->hdr_len = 6;
1734  if (session->send_seq)
1735  session->hdr_len += 4;
1736  } else {
1737  session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset;
1738  if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)
1739  session->hdr_len += 4;
1740  }
1741 
1742 }
1743 
1744 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
1745 {
1746  struct l2tp_session *session;
1747 
1748  session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
1749  if (session != NULL) {
1750  session->magic = L2TP_SESSION_MAGIC;
1751  session->tunnel = tunnel;
1752 
1753  session->session_id = session_id;
1754  session->peer_session_id = peer_session_id;
1755  session->nr = 0;
1756 
1757  sprintf(&session->name[0], "sess %u/%u",
1758  tunnel->tunnel_id, session->session_id);
1759 
1760  skb_queue_head_init(&session->reorder_q);
1761 
1762  INIT_HLIST_NODE(&session->hlist);
1763  INIT_HLIST_NODE(&session->global_hlist);
1764 
1765  /* Inherit debug options from tunnel */
1766  session->debug = tunnel->debug;
1767 
1768  if (cfg) {
1769  session->pwtype = cfg->pw_type;
1770  session->debug = cfg->debug;
1771  session->mtu = cfg->mtu;
1772  session->mru = cfg->mru;
1773  session->send_seq = cfg->send_seq;
1774  session->recv_seq = cfg->recv_seq;
1775  session->lns_mode = cfg->lns_mode;
1776  session->reorder_timeout = cfg->reorder_timeout;
1777  session->offset = cfg->offset;
1778  session->l2specific_type = cfg->l2specific_type;
1779  session->l2specific_len = cfg->l2specific_len;
1780  session->cookie_len = cfg->cookie_len;
1781  memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1782  session->peer_cookie_len = cfg->peer_cookie_len;
1783  memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1784  }
1785 
1786  if (tunnel->version == L2TP_HDR_VER_2)
1787  session->build_header = l2tp_build_l2tpv2_header;
1788  else
1789  session->build_header = l2tp_build_l2tpv3_header;
1790 
1791  l2tp_session_set_header_len(session, tunnel->version);
1792 
1793  /* Bump the reference count. The session context is deleted
1794  * only when this drops to zero.
1795  */
1796  l2tp_session_inc_refcount(session);
1797  l2tp_tunnel_inc_refcount(tunnel);
1798 
1799  /* Ensure tunnel socket isn't deleted */
1800  sock_hold(tunnel->sock);
1801 
1802  /* Add session to the tunnel's hash list */
1803  write_lock_bh(&tunnel->hlist_lock);
1804  hlist_add_head(&session->hlist,
1805  l2tp_session_id_hash(tunnel, session_id));
1806  write_unlock_bh(&tunnel->hlist_lock);
1807 
1808  /* And to the global session list if L2TPv3 */
1809  if (tunnel->version != L2TP_HDR_VER_2) {
1810  struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1811 
1812  spin_lock_bh(&pn->l2tp_session_hlist_lock);
1813  hlist_add_head_rcu(&session->global_hlist,
1814  l2tp_session_id_hash_2(pn, session_id));
1815  spin_unlock_bh(&pn->l2tp_session_hlist_lock);
1816  }
1817 
1818  /* Ignore management session in session count value */
1819  if (session->session_id != 0)
1820  atomic_inc(&l2tp_session_count);
1821  }
1822 
1823  return session;
1824 }
1826 
1827 /*****************************************************************************
1828  * Init and cleanup
1829  *****************************************************************************/
1830 
1831 static __net_init int l2tp_init_net(struct net *net)
1832 {
1833  struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1834  int hash;
1835 
1836  INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
1838 
1839  for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
1840  INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
1841 
1843 
1844  return 0;
1845 }
1846 
1847 static struct pernet_operations l2tp_net_ops = {
1848  .init = l2tp_init_net,
1849  .id = &l2tp_net_id,
1850  .size = sizeof(struct l2tp_net),
1851 };
1852 
1853 static int __init l2tp_init(void)
1854 {
1855  int rc = 0;
1856 
1857  rc = register_pernet_device(&l2tp_net_ops);
1858  if (rc)
1859  goto out;
1860 
1861  pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1862 
1863 out:
1864  return rc;
1865 }
1866 
1867 static void __exit l2tp_exit(void)
1868 {
1869  unregister_pernet_device(&l2tp_net_ops);
1870 }
1871 
1872 module_init(l2tp_init);
1873 module_exit(l2tp_exit);
1874 
1875 MODULE_AUTHOR("James Chapman <[email protected]>");
1876 MODULE_DESCRIPTION("L2TP core");
1877 MODULE_LICENSE("GPL");
1879