l2tp_core.c (45761B)
1// SPDX-License-Identifier: GPL-2.0-only 2/* L2TP core. 3 * 4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd 5 * 6 * This file contains some code of the original L2TPv2 pppol2tp 7 * driver, which has the following copyright: 8 * 9 * Authors: Martijn van Oosterhout <kleptog@svana.org> 10 * James Chapman (jchapman@katalix.com) 11 * Contributors: 12 * Michal Ostrowski <mostrows@speakeasy.net> 13 * Arnaldo Carvalho de Melo <acme@xconectiva.com.br> 14 * David S. Miller (davem@redhat.com) 15 */ 16 17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 18 19#include <linux/module.h> 20#include <linux/string.h> 21#include <linux/list.h> 22#include <linux/rculist.h> 23#include <linux/uaccess.h> 24 25#include <linux/kernel.h> 26#include <linux/spinlock.h> 27#include <linux/kthread.h> 28#include <linux/sched.h> 29#include <linux/slab.h> 30#include <linux/errno.h> 31#include <linux/jiffies.h> 32 33#include <linux/netdevice.h> 34#include <linux/net.h> 35#include <linux/inetdevice.h> 36#include <linux/skbuff.h> 37#include <linux/init.h> 38#include <linux/in.h> 39#include <linux/ip.h> 40#include <linux/udp.h> 41#include <linux/l2tp.h> 42#include <linux/hash.h> 43#include <linux/sort.h> 44#include <linux/file.h> 45#include <linux/nsproxy.h> 46#include <net/net_namespace.h> 47#include <net/netns/generic.h> 48#include <net/dst.h> 49#include <net/ip.h> 50#include <net/udp.h> 51#include <net/udp_tunnel.h> 52#include <net/inet_common.h> 53#include <net/xfrm.h> 54#include <net/protocol.h> 55#include <net/inet6_connection_sock.h> 56#include <net/inet_ecn.h> 57#include <net/ip6_route.h> 58#include <net/ip6_checksum.h> 59 60#include <asm/byteorder.h> 61#include <linux/atomic.h> 62 63#include "l2tp_core.h" 64#include "trace.h" 65 66#define CREATE_TRACE_POINTS 67#include "trace.h" 68 69#define L2TP_DRV_VERSION "V2.0" 70 71/* L2TP header constants */ 72#define L2TP_HDRFLAG_T 0x8000 73#define L2TP_HDRFLAG_L 0x4000 74#define L2TP_HDRFLAG_S 0x0800 75#define L2TP_HDRFLAG_O 0x0200 76#define L2TP_HDRFLAG_P 0x0100 77 78#define L2TP_HDR_VER_MASK 0x000F 79#define L2TP_HDR_VER_2 0x0002 80#define L2TP_HDR_VER_3 0x0003 81 82/* L2TPv3 default L2-specific sublayer */ 83#define L2TP_SLFLAG_S 0x40000000 84#define L2TP_SL_SEQ_MASK 0x00ffffff 85 86#define L2TP_HDR_SIZE_MAX 14 87 88/* Default trace flags */ 89#define L2TP_DEFAULT_DEBUG_FLAGS 0 90 91/* Private data stored for received packets in the skb. 92 */ 93struct l2tp_skb_cb { 94 u32 ns; 95 u16 has_seq; 96 u16 length; 97 unsigned long expires; 98}; 99 100#define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *)&(skb)->cb[sizeof(struct inet_skb_parm)]) 101 102static struct workqueue_struct *l2tp_wq; 103 104/* per-net private data for this module */ 105static unsigned int l2tp_net_id; 106struct l2tp_net { 107 struct list_head l2tp_tunnel_list; 108 /* Lock for write access to l2tp_tunnel_list */ 109 spinlock_t l2tp_tunnel_list_lock; 110 struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2]; 111 /* Lock for write access to l2tp_session_hlist */ 112 spinlock_t l2tp_session_hlist_lock; 113}; 114 115#if IS_ENABLED(CONFIG_IPV6) 116static bool l2tp_sk_is_v6(struct sock *sk) 117{ 118 return sk->sk_family == PF_INET6 && 119 !ipv6_addr_v4mapped(&sk->sk_v6_daddr); 120} 121#endif 122 123static inline struct l2tp_net *l2tp_pernet(const struct net *net) 124{ 125 return net_generic(net, l2tp_net_id); 126} 127 128/* Session hash global list for L2TPv3. 129 * The session_id SHOULD be random according to RFC3931, but several 130 * L2TP implementations use incrementing session_ids. So we do a real 131 * hash on the session_id, rather than a simple bitmask. 132 */ 133static inline struct hlist_head * 134l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id) 135{ 136 return &pn->l2tp_session_hlist[hash_32(session_id, L2TP_HASH_BITS_2)]; 137} 138 139/* Session hash list. 140 * The session_id SHOULD be random according to RFC2661, but several 141 * L2TP implementations (Cisco and Microsoft) use incrementing 142 * session_ids. So we do a real hash on the session_id, rather than a 143 * simple bitmask. 144 */ 145static inline struct hlist_head * 146l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id) 147{ 148 return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)]; 149} 150 151static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel) 152{ 153 trace_free_tunnel(tunnel); 154 sock_put(tunnel->sock); 155 /* the tunnel is freed in the socket destructor */ 156} 157 158static void l2tp_session_free(struct l2tp_session *session) 159{ 160 trace_free_session(session); 161 if (session->tunnel) 162 l2tp_tunnel_dec_refcount(session->tunnel); 163 kfree(session); 164} 165 166struct l2tp_tunnel *l2tp_sk_to_tunnel(struct sock *sk) 167{ 168 struct l2tp_tunnel *tunnel = sk->sk_user_data; 169 170 if (tunnel) 171 if (WARN_ON(tunnel->magic != L2TP_TUNNEL_MAGIC)) 172 return NULL; 173 174 return tunnel; 175} 176EXPORT_SYMBOL_GPL(l2tp_sk_to_tunnel); 177 178void l2tp_tunnel_inc_refcount(struct l2tp_tunnel *tunnel) 179{ 180 refcount_inc(&tunnel->ref_count); 181} 182EXPORT_SYMBOL_GPL(l2tp_tunnel_inc_refcount); 183 184void l2tp_tunnel_dec_refcount(struct l2tp_tunnel *tunnel) 185{ 186 if (refcount_dec_and_test(&tunnel->ref_count)) 187 l2tp_tunnel_free(tunnel); 188} 189EXPORT_SYMBOL_GPL(l2tp_tunnel_dec_refcount); 190 191void l2tp_session_inc_refcount(struct l2tp_session *session) 192{ 193 refcount_inc(&session->ref_count); 194} 195EXPORT_SYMBOL_GPL(l2tp_session_inc_refcount); 196 197void l2tp_session_dec_refcount(struct l2tp_session *session) 198{ 199 if (refcount_dec_and_test(&session->ref_count)) 200 l2tp_session_free(session); 201} 202EXPORT_SYMBOL_GPL(l2tp_session_dec_refcount); 203 204/* Lookup a tunnel. A new reference is held on the returned tunnel. */ 205struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id) 206{ 207 const struct l2tp_net *pn = l2tp_pernet(net); 208 struct l2tp_tunnel *tunnel; 209 210 rcu_read_lock_bh(); 211 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { 212 if (tunnel->tunnel_id == tunnel_id && 213 refcount_inc_not_zero(&tunnel->ref_count)) { 214 rcu_read_unlock_bh(); 215 216 return tunnel; 217 } 218 } 219 rcu_read_unlock_bh(); 220 221 return NULL; 222} 223EXPORT_SYMBOL_GPL(l2tp_tunnel_get); 224 225struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth) 226{ 227 const struct l2tp_net *pn = l2tp_pernet(net); 228 struct l2tp_tunnel *tunnel; 229 int count = 0; 230 231 rcu_read_lock_bh(); 232 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { 233 if (++count > nth && 234 refcount_inc_not_zero(&tunnel->ref_count)) { 235 rcu_read_unlock_bh(); 236 return tunnel; 237 } 238 } 239 rcu_read_unlock_bh(); 240 241 return NULL; 242} 243EXPORT_SYMBOL_GPL(l2tp_tunnel_get_nth); 244 245struct l2tp_session *l2tp_tunnel_get_session(struct l2tp_tunnel *tunnel, 246 u32 session_id) 247{ 248 struct hlist_head *session_list; 249 struct l2tp_session *session; 250 251 session_list = l2tp_session_id_hash(tunnel, session_id); 252 253 rcu_read_lock_bh(); 254 hlist_for_each_entry_rcu(session, session_list, hlist) 255 if (session->session_id == session_id) { 256 l2tp_session_inc_refcount(session); 257 rcu_read_unlock_bh(); 258 259 return session; 260 } 261 rcu_read_unlock_bh(); 262 263 return NULL; 264} 265EXPORT_SYMBOL_GPL(l2tp_tunnel_get_session); 266 267struct l2tp_session *l2tp_session_get(const struct net *net, u32 session_id) 268{ 269 struct hlist_head *session_list; 270 struct l2tp_session *session; 271 272 session_list = l2tp_session_id_hash_2(l2tp_pernet(net), session_id); 273 274 rcu_read_lock_bh(); 275 hlist_for_each_entry_rcu(session, session_list, global_hlist) 276 if (session->session_id == session_id) { 277 l2tp_session_inc_refcount(session); 278 rcu_read_unlock_bh(); 279 280 return session; 281 } 282 rcu_read_unlock_bh(); 283 284 return NULL; 285} 286EXPORT_SYMBOL_GPL(l2tp_session_get); 287 288struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth) 289{ 290 int hash; 291 struct l2tp_session *session; 292 int count = 0; 293 294 rcu_read_lock_bh(); 295 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) { 296 hlist_for_each_entry_rcu(session, &tunnel->session_hlist[hash], hlist) { 297 if (++count > nth) { 298 l2tp_session_inc_refcount(session); 299 rcu_read_unlock_bh(); 300 return session; 301 } 302 } 303 } 304 305 rcu_read_unlock_bh(); 306 307 return NULL; 308} 309EXPORT_SYMBOL_GPL(l2tp_session_get_nth); 310 311/* Lookup a session by interface name. 312 * This is very inefficient but is only used by management interfaces. 313 */ 314struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net, 315 const char *ifname) 316{ 317 struct l2tp_net *pn = l2tp_pernet(net); 318 int hash; 319 struct l2tp_session *session; 320 321 rcu_read_lock_bh(); 322 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) { 323 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) { 324 if (!strcmp(session->ifname, ifname)) { 325 l2tp_session_inc_refcount(session); 326 rcu_read_unlock_bh(); 327 328 return session; 329 } 330 } 331 } 332 333 rcu_read_unlock_bh(); 334 335 return NULL; 336} 337EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname); 338 339int l2tp_session_register(struct l2tp_session *session, 340 struct l2tp_tunnel *tunnel) 341{ 342 struct l2tp_session *session_walk; 343 struct hlist_head *g_head; 344 struct hlist_head *head; 345 struct l2tp_net *pn; 346 int err; 347 348 head = l2tp_session_id_hash(tunnel, session->session_id); 349 350 spin_lock_bh(&tunnel->hlist_lock); 351 if (!tunnel->acpt_newsess) { 352 err = -ENODEV; 353 goto err_tlock; 354 } 355 356 hlist_for_each_entry(session_walk, head, hlist) 357 if (session_walk->session_id == session->session_id) { 358 err = -EEXIST; 359 goto err_tlock; 360 } 361 362 if (tunnel->version == L2TP_HDR_VER_3) { 363 pn = l2tp_pernet(tunnel->l2tp_net); 364 g_head = l2tp_session_id_hash_2(pn, session->session_id); 365 366 spin_lock_bh(&pn->l2tp_session_hlist_lock); 367 368 /* IP encap expects session IDs to be globally unique, while 369 * UDP encap doesn't. 370 */ 371 hlist_for_each_entry(session_walk, g_head, global_hlist) 372 if (session_walk->session_id == session->session_id && 373 (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP || 374 tunnel->encap == L2TP_ENCAPTYPE_IP)) { 375 err = -EEXIST; 376 goto err_tlock_pnlock; 377 } 378 379 l2tp_tunnel_inc_refcount(tunnel); 380 hlist_add_head_rcu(&session->global_hlist, g_head); 381 382 spin_unlock_bh(&pn->l2tp_session_hlist_lock); 383 } else { 384 l2tp_tunnel_inc_refcount(tunnel); 385 } 386 387 hlist_add_head_rcu(&session->hlist, head); 388 spin_unlock_bh(&tunnel->hlist_lock); 389 390 trace_register_session(session); 391 392 return 0; 393 394err_tlock_pnlock: 395 spin_unlock_bh(&pn->l2tp_session_hlist_lock); 396err_tlock: 397 spin_unlock_bh(&tunnel->hlist_lock); 398 399 return err; 400} 401EXPORT_SYMBOL_GPL(l2tp_session_register); 402 403/***************************************************************************** 404 * Receive data handling 405 *****************************************************************************/ 406 407/* Queue a skb in order. We come here only if the skb has an L2TP sequence 408 * number. 409 */ 410static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb) 411{ 412 struct sk_buff *skbp; 413 struct sk_buff *tmp; 414 u32 ns = L2TP_SKB_CB(skb)->ns; 415 416 spin_lock_bh(&session->reorder_q.lock); 417 skb_queue_walk_safe(&session->reorder_q, skbp, tmp) { 418 if (L2TP_SKB_CB(skbp)->ns > ns) { 419 __skb_queue_before(&session->reorder_q, skbp, skb); 420 atomic_long_inc(&session->stats.rx_oos_packets); 421 goto out; 422 } 423 } 424 425 __skb_queue_tail(&session->reorder_q, skb); 426 427out: 428 spin_unlock_bh(&session->reorder_q.lock); 429} 430 431/* Dequeue a single skb. 432 */ 433static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb) 434{ 435 struct l2tp_tunnel *tunnel = session->tunnel; 436 int length = L2TP_SKB_CB(skb)->length; 437 438 /* We're about to requeue the skb, so return resources 439 * to its current owner (a socket receive buffer). 440 */ 441 skb_orphan(skb); 442 443 atomic_long_inc(&tunnel->stats.rx_packets); 444 atomic_long_add(length, &tunnel->stats.rx_bytes); 445 atomic_long_inc(&session->stats.rx_packets); 446 atomic_long_add(length, &session->stats.rx_bytes); 447 448 if (L2TP_SKB_CB(skb)->has_seq) { 449 /* Bump our Nr */ 450 session->nr++; 451 session->nr &= session->nr_max; 452 trace_session_seqnum_update(session); 453 } 454 455 /* call private receive handler */ 456 if (session->recv_skb) 457 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length); 458 else 459 kfree_skb(skb); 460} 461 462/* Dequeue skbs from the session's reorder_q, subject to packet order. 463 * Skbs that have been in the queue for too long are simply discarded. 464 */ 465static void l2tp_recv_dequeue(struct l2tp_session *session) 466{ 467 struct sk_buff *skb; 468 struct sk_buff *tmp; 469 470 /* If the pkt at the head of the queue has the nr that we 471 * expect to send up next, dequeue it and any other 472 * in-sequence packets behind it. 473 */ 474start: 475 spin_lock_bh(&session->reorder_q.lock); 476 skb_queue_walk_safe(&session->reorder_q, skb, tmp) { 477 struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb); 478 479 /* If the packet has been pending on the queue for too long, discard it */ 480 if (time_after(jiffies, cb->expires)) { 481 atomic_long_inc(&session->stats.rx_seq_discards); 482 atomic_long_inc(&session->stats.rx_errors); 483 trace_session_pkt_expired(session, cb->ns); 484 session->reorder_skip = 1; 485 __skb_unlink(skb, &session->reorder_q); 486 kfree_skb(skb); 487 continue; 488 } 489 490 if (cb->has_seq) { 491 if (session->reorder_skip) { 492 session->reorder_skip = 0; 493 session->nr = cb->ns; 494 trace_session_seqnum_reset(session); 495 } 496 if (cb->ns != session->nr) 497 goto out; 498 } 499 __skb_unlink(skb, &session->reorder_q); 500 501 /* Process the skb. We release the queue lock while we 502 * do so to let other contexts process the queue. 503 */ 504 spin_unlock_bh(&session->reorder_q.lock); 505 l2tp_recv_dequeue_skb(session, skb); 506 goto start; 507 } 508 509out: 510 spin_unlock_bh(&session->reorder_q.lock); 511} 512 513static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr) 514{ 515 u32 nws; 516 517 if (nr >= session->nr) 518 nws = nr - session->nr; 519 else 520 nws = (session->nr_max + 1) - (session->nr - nr); 521 522 return nws < session->nr_window_size; 523} 524 525/* If packet has sequence numbers, queue it if acceptable. Returns 0 if 526 * acceptable, else non-zero. 527 */ 528static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb) 529{ 530 struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb); 531 532 if (!l2tp_seq_check_rx_window(session, cb->ns)) { 533 /* Packet sequence number is outside allowed window. 534 * Discard it. 535 */ 536 trace_session_pkt_outside_rx_window(session, cb->ns); 537 goto discard; 538 } 539 540 if (session->reorder_timeout != 0) { 541 /* Packet reordering enabled. Add skb to session's 542 * reorder queue, in order of ns. 543 */ 544 l2tp_recv_queue_skb(session, skb); 545 goto out; 546 } 547 548 /* Packet reordering disabled. Discard out-of-sequence packets, while 549 * tracking the number if in-sequence packets after the first OOS packet 550 * is seen. After nr_oos_count_max in-sequence packets, reset the 551 * sequence number to re-enable packet reception. 552 */ 553 if (cb->ns == session->nr) { 554 skb_queue_tail(&session->reorder_q, skb); 555 } else { 556 u32 nr_oos = cb->ns; 557 u32 nr_next = (session->nr_oos + 1) & session->nr_max; 558 559 if (nr_oos == nr_next) 560 session->nr_oos_count++; 561 else 562 session->nr_oos_count = 0; 563 564 session->nr_oos = nr_oos; 565 if (session->nr_oos_count > session->nr_oos_count_max) { 566 session->reorder_skip = 1; 567 } 568 if (!session->reorder_skip) { 569 atomic_long_inc(&session->stats.rx_seq_discards); 570 trace_session_pkt_oos(session, cb->ns); 571 goto discard; 572 } 573 skb_queue_tail(&session->reorder_q, skb); 574 } 575 576out: 577 return 0; 578 579discard: 580 return 1; 581} 582 583/* Do receive processing of L2TP data frames. We handle both L2TPv2 584 * and L2TPv3 data frames here. 585 * 586 * L2TPv2 Data Message Header 587 * 588 * 0 1 2 3 589 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 590 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 591 * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) | 592 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 593 * | Tunnel ID | Session ID | 594 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 595 * | Ns (opt) | Nr (opt) | 596 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 597 * | Offset Size (opt) | Offset pad... (opt) 598 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 599 * 600 * Data frames are marked by T=0. All other fields are the same as 601 * those in L2TP control frames. 602 * 603 * L2TPv3 Data Message Header 604 * 605 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 606 * | L2TP Session Header | 607 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 608 * | L2-Specific Sublayer | 609 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 610 * | Tunnel Payload ... 611 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 612 * 613 * L2TPv3 Session Header Over IP 614 * 615 * 0 1 2 3 616 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 617 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 618 * | Session ID | 619 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 620 * | Cookie (optional, maximum 64 bits)... 621 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 622 * | 623 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 624 * 625 * L2TPv3 L2-Specific Sublayer Format 626 * 627 * 0 1 2 3 628 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 629 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 630 * |x|S|x|x|x|x|x|x| Sequence Number | 631 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 632 * 633 * Cookie value and sublayer format are negotiated with the peer when 634 * the session is set up. Unlike L2TPv2, we do not need to parse the 635 * packet header to determine if optional fields are present. 636 * 637 * Caller must already have parsed the frame and determined that it is 638 * a data (not control) frame before coming here. Fields up to the 639 * session-id have already been parsed and ptr points to the data 640 * after the session-id. 641 */ 642void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, 643 unsigned char *ptr, unsigned char *optr, u16 hdrflags, 644 int length) 645{ 646 struct l2tp_tunnel *tunnel = session->tunnel; 647 int offset; 648 649 /* Parse and check optional cookie */ 650 if (session->peer_cookie_len > 0) { 651 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) { 652 pr_debug_ratelimited("%s: cookie mismatch (%u/%u). Discarding.\n", 653 tunnel->name, tunnel->tunnel_id, 654 session->session_id); 655 atomic_long_inc(&session->stats.rx_cookie_discards); 656 goto discard; 657 } 658 ptr += session->peer_cookie_len; 659 } 660 661 /* Handle the optional sequence numbers. Sequence numbers are 662 * in different places for L2TPv2 and L2TPv3. 663 * 664 * If we are the LAC, enable/disable sequence numbers under 665 * the control of the LNS. If no sequence numbers present but 666 * we were expecting them, discard frame. 667 */ 668 L2TP_SKB_CB(skb)->has_seq = 0; 669 if (tunnel->version == L2TP_HDR_VER_2) { 670 if (hdrflags & L2TP_HDRFLAG_S) { 671 /* Store L2TP info in the skb */ 672 L2TP_SKB_CB(skb)->ns = ntohs(*(__be16 *)ptr); 673 L2TP_SKB_CB(skb)->has_seq = 1; 674 ptr += 2; 675 /* Skip past nr in the header */ 676 ptr += 2; 677 678 } 679 } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) { 680 u32 l2h = ntohl(*(__be32 *)ptr); 681 682 if (l2h & 0x40000000) { 683 /* Store L2TP info in the skb */ 684 L2TP_SKB_CB(skb)->ns = l2h & 0x00ffffff; 685 L2TP_SKB_CB(skb)->has_seq = 1; 686 } 687 ptr += 4; 688 } 689 690 if (L2TP_SKB_CB(skb)->has_seq) { 691 /* Received a packet with sequence numbers. If we're the LAC, 692 * check if we sre sending sequence numbers and if not, 693 * configure it so. 694 */ 695 if (!session->lns_mode && !session->send_seq) { 696 trace_session_seqnum_lns_enable(session); 697 session->send_seq = 1; 698 l2tp_session_set_header_len(session, tunnel->version); 699 } 700 } else { 701 /* No sequence numbers. 702 * If user has configured mandatory sequence numbers, discard. 703 */ 704 if (session->recv_seq) { 705 pr_debug_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n", 706 session->name); 707 atomic_long_inc(&session->stats.rx_seq_discards); 708 goto discard; 709 } 710 711 /* If we're the LAC and we're sending sequence numbers, the 712 * LNS has requested that we no longer send sequence numbers. 713 * If we're the LNS and we're sending sequence numbers, the 714 * LAC is broken. Discard the frame. 715 */ 716 if (!session->lns_mode && session->send_seq) { 717 trace_session_seqnum_lns_disable(session); 718 session->send_seq = 0; 719 l2tp_session_set_header_len(session, tunnel->version); 720 } else if (session->send_seq) { 721 pr_debug_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n", 722 session->name); 723 atomic_long_inc(&session->stats.rx_seq_discards); 724 goto discard; 725 } 726 } 727 728 /* Session data offset is defined only for L2TPv2 and is 729 * indicated by an optional 16-bit value in the header. 730 */ 731 if (tunnel->version == L2TP_HDR_VER_2) { 732 /* If offset bit set, skip it. */ 733 if (hdrflags & L2TP_HDRFLAG_O) { 734 offset = ntohs(*(__be16 *)ptr); 735 ptr += 2 + offset; 736 } 737 } 738 739 offset = ptr - optr; 740 if (!pskb_may_pull(skb, offset)) 741 goto discard; 742 743 __skb_pull(skb, offset); 744 745 /* Prepare skb for adding to the session's reorder_q. Hold 746 * packets for max reorder_timeout or 1 second if not 747 * reordering. 748 */ 749 L2TP_SKB_CB(skb)->length = length; 750 L2TP_SKB_CB(skb)->expires = jiffies + 751 (session->reorder_timeout ? session->reorder_timeout : HZ); 752 753 /* Add packet to the session's receive queue. Reordering is done here, if 754 * enabled. Saved L2TP protocol info is stored in skb->sb[]. 755 */ 756 if (L2TP_SKB_CB(skb)->has_seq) { 757 if (l2tp_recv_data_seq(session, skb)) 758 goto discard; 759 } else { 760 /* No sequence numbers. Add the skb to the tail of the 761 * reorder queue. This ensures that it will be 762 * delivered after all previous sequenced skbs. 763 */ 764 skb_queue_tail(&session->reorder_q, skb); 765 } 766 767 /* Try to dequeue as many skbs from reorder_q as we can. */ 768 l2tp_recv_dequeue(session); 769 770 return; 771 772discard: 773 atomic_long_inc(&session->stats.rx_errors); 774 kfree_skb(skb); 775} 776EXPORT_SYMBOL_GPL(l2tp_recv_common); 777 778/* Drop skbs from the session's reorder_q 779 */ 780static void l2tp_session_queue_purge(struct l2tp_session *session) 781{ 782 struct sk_buff *skb = NULL; 783 784 while ((skb = skb_dequeue(&session->reorder_q))) { 785 atomic_long_inc(&session->stats.rx_errors); 786 kfree_skb(skb); 787 } 788} 789 790/* Internal UDP receive frame. Do the real work of receiving an L2TP data frame 791 * here. The skb is not on a list when we get here. 792 * Returns 0 if the packet was a data packet and was successfully passed on. 793 * Returns 1 if the packet was not a good data packet and could not be 794 * forwarded. All such packets are passed up to userspace to deal with. 795 */ 796static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb) 797{ 798 struct l2tp_session *session = NULL; 799 unsigned char *ptr, *optr; 800 u16 hdrflags; 801 u32 tunnel_id, session_id; 802 u16 version; 803 int length; 804 805 /* UDP has verified checksum */ 806 807 /* UDP always verifies the packet length. */ 808 __skb_pull(skb, sizeof(struct udphdr)); 809 810 /* Short packet? */ 811 if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) { 812 pr_debug_ratelimited("%s: recv short packet (len=%d)\n", 813 tunnel->name, skb->len); 814 goto invalid; 815 } 816 817 /* Point to L2TP header */ 818 optr = skb->data; 819 ptr = skb->data; 820 821 /* Get L2TP header flags */ 822 hdrflags = ntohs(*(__be16 *)ptr); 823 824 /* Check protocol version */ 825 version = hdrflags & L2TP_HDR_VER_MASK; 826 if (version != tunnel->version) { 827 pr_debug_ratelimited("%s: recv protocol version mismatch: got %d expected %d\n", 828 tunnel->name, version, tunnel->version); 829 goto invalid; 830 } 831 832 /* Get length of L2TP packet */ 833 length = skb->len; 834 835 /* If type is control packet, it is handled by userspace. */ 836 if (hdrflags & L2TP_HDRFLAG_T) 837 goto pass; 838 839 /* Skip flags */ 840 ptr += 2; 841 842 if (tunnel->version == L2TP_HDR_VER_2) { 843 /* If length is present, skip it */ 844 if (hdrflags & L2TP_HDRFLAG_L) 845 ptr += 2; 846 847 /* Extract tunnel and session ID */ 848 tunnel_id = ntohs(*(__be16 *)ptr); 849 ptr += 2; 850 session_id = ntohs(*(__be16 *)ptr); 851 ptr += 2; 852 } else { 853 ptr += 2; /* skip reserved bits */ 854 tunnel_id = tunnel->tunnel_id; 855 session_id = ntohl(*(__be32 *)ptr); 856 ptr += 4; 857 } 858 859 /* Find the session context */ 860 session = l2tp_tunnel_get_session(tunnel, session_id); 861 if (!session || !session->recv_skb) { 862 if (session) 863 l2tp_session_dec_refcount(session); 864 865 /* Not found? Pass to userspace to deal with */ 866 pr_debug_ratelimited("%s: no session found (%u/%u). Passing up.\n", 867 tunnel->name, tunnel_id, session_id); 868 goto pass; 869 } 870 871 if (tunnel->version == L2TP_HDR_VER_3 && 872 l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) { 873 l2tp_session_dec_refcount(session); 874 goto invalid; 875 } 876 877 l2tp_recv_common(session, skb, ptr, optr, hdrflags, length); 878 l2tp_session_dec_refcount(session); 879 880 return 0; 881 882invalid: 883 atomic_long_inc(&tunnel->stats.rx_invalid); 884 885pass: 886 /* Put UDP header back */ 887 __skb_push(skb, sizeof(struct udphdr)); 888 889 return 1; 890} 891 892/* UDP encapsulation receive handler. See net/ipv4/udp.c. 893 * Return codes: 894 * 0 : success. 895 * <0: error 896 * >0: skb should be passed up to userspace as UDP. 897 */ 898int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb) 899{ 900 struct l2tp_tunnel *tunnel; 901 902 /* Note that this is called from the encap_rcv hook inside an 903 * RCU-protected region, but without the socket being locked. 904 * Hence we use rcu_dereference_sk_user_data to access the 905 * tunnel data structure rather the usual l2tp_sk_to_tunnel 906 * accessor function. 907 */ 908 tunnel = rcu_dereference_sk_user_data(sk); 909 if (!tunnel) 910 goto pass_up; 911 if (WARN_ON(tunnel->magic != L2TP_TUNNEL_MAGIC)) 912 goto pass_up; 913 914 if (l2tp_udp_recv_core(tunnel, skb)) 915 goto pass_up; 916 917 return 0; 918 919pass_up: 920 return 1; 921} 922EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv); 923 924/************************************************************************ 925 * Transmit handling 926 ***********************************************************************/ 927 928/* Build an L2TP header for the session into the buffer provided. 929 */ 930static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf) 931{ 932 struct l2tp_tunnel *tunnel = session->tunnel; 933 __be16 *bufp = buf; 934 __be16 *optr = buf; 935 u16 flags = L2TP_HDR_VER_2; 936 u32 tunnel_id = tunnel->peer_tunnel_id; 937 u32 session_id = session->peer_session_id; 938 939 if (session->send_seq) 940 flags |= L2TP_HDRFLAG_S; 941 942 /* Setup L2TP header. */ 943 *bufp++ = htons(flags); 944 *bufp++ = htons(tunnel_id); 945 *bufp++ = htons(session_id); 946 if (session->send_seq) { 947 *bufp++ = htons(session->ns); 948 *bufp++ = 0; 949 session->ns++; 950 session->ns &= 0xffff; 951 trace_session_seqnum_update(session); 952 } 953 954 return bufp - optr; 955} 956 957static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf) 958{ 959 struct l2tp_tunnel *tunnel = session->tunnel; 960 char *bufp = buf; 961 char *optr = bufp; 962 963 /* Setup L2TP header. The header differs slightly for UDP and 964 * IP encapsulations. For UDP, there is 4 bytes of flags. 965 */ 966 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) { 967 u16 flags = L2TP_HDR_VER_3; 968 *((__be16 *)bufp) = htons(flags); 969 bufp += 2; 970 *((__be16 *)bufp) = 0; 971 bufp += 2; 972 } 973 974 *((__be32 *)bufp) = htonl(session->peer_session_id); 975 bufp += 4; 976 if (session->cookie_len) { 977 memcpy(bufp, &session->cookie[0], session->cookie_len); 978 bufp += session->cookie_len; 979 } 980 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) { 981 u32 l2h = 0; 982 983 if (session->send_seq) { 984 l2h = 0x40000000 | session->ns; 985 session->ns++; 986 session->ns &= 0xffffff; 987 trace_session_seqnum_update(session); 988 } 989 990 *((__be32 *)bufp) = htonl(l2h); 991 bufp += 4; 992 } 993 994 return bufp - optr; 995} 996 997/* Queue the packet to IP for output: tunnel socket lock must be held */ 998static int l2tp_xmit_queue(struct l2tp_tunnel *tunnel, struct sk_buff *skb, struct flowi *fl) 999{ 1000 int err; 1001 1002 skb->ignore_df = 1; 1003 skb_dst_drop(skb); 1004#if IS_ENABLED(CONFIG_IPV6) 1005 if (l2tp_sk_is_v6(tunnel->sock)) 1006 err = inet6_csk_xmit(tunnel->sock, skb, NULL); 1007 else 1008#endif 1009 err = ip_queue_xmit(tunnel->sock, skb, fl); 1010 1011 return err >= 0 ? NET_XMIT_SUCCESS : NET_XMIT_DROP; 1012} 1013 1014static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, unsigned int *len) 1015{ 1016 struct l2tp_tunnel *tunnel = session->tunnel; 1017 unsigned int data_len = skb->len; 1018 struct sock *sk = tunnel->sock; 1019 int headroom, uhlen, udp_len; 1020 int ret = NET_XMIT_SUCCESS; 1021 struct inet_sock *inet; 1022 struct udphdr *uh; 1023 1024 /* Check that there's enough headroom in the skb to insert IP, 1025 * UDP and L2TP headers. If not enough, expand it to 1026 * make room. Adjust truesize. 1027 */ 1028 uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(*uh) : 0; 1029 headroom = NET_SKB_PAD + sizeof(struct iphdr) + uhlen + session->hdr_len; 1030 if (skb_cow_head(skb, headroom)) { 1031 kfree_skb(skb); 1032 return NET_XMIT_DROP; 1033 } 1034 1035 /* Setup L2TP header */ 1036 if (tunnel->version == L2TP_HDR_VER_2) 1037 l2tp_build_l2tpv2_header(session, __skb_push(skb, session->hdr_len)); 1038 else 1039 l2tp_build_l2tpv3_header(session, __skb_push(skb, session->hdr_len)); 1040 1041 /* Reset skb netfilter state */ 1042 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); 1043 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED); 1044 nf_reset_ct(skb); 1045 1046 bh_lock_sock(sk); 1047 if (sock_owned_by_user(sk)) { 1048 kfree_skb(skb); 1049 ret = NET_XMIT_DROP; 1050 goto out_unlock; 1051 } 1052 1053 /* The user-space may change the connection status for the user-space 1054 * provided socket at run time: we must check it under the socket lock 1055 */ 1056 if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) { 1057 kfree_skb(skb); 1058 ret = NET_XMIT_DROP; 1059 goto out_unlock; 1060 } 1061 1062 /* Report transmitted length before we add encap header, which keeps 1063 * statistics consistent for both UDP and IP encap tx/rx paths. 1064 */ 1065 *len = skb->len; 1066 1067 inet = inet_sk(sk); 1068 switch (tunnel->encap) { 1069 case L2TP_ENCAPTYPE_UDP: 1070 /* Setup UDP header */ 1071 __skb_push(skb, sizeof(*uh)); 1072 skb_reset_transport_header(skb); 1073 uh = udp_hdr(skb); 1074 uh->source = inet->inet_sport; 1075 uh->dest = inet->inet_dport; 1076 udp_len = uhlen + session->hdr_len + data_len; 1077 uh->len = htons(udp_len); 1078 1079 /* Calculate UDP checksum if configured to do so */ 1080#if IS_ENABLED(CONFIG_IPV6) 1081 if (l2tp_sk_is_v6(sk)) 1082 udp6_set_csum(udp_get_no_check6_tx(sk), 1083 skb, &inet6_sk(sk)->saddr, 1084 &sk->sk_v6_daddr, udp_len); 1085 else 1086#endif 1087 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr, 1088 inet->inet_daddr, udp_len); 1089 break; 1090 1091 case L2TP_ENCAPTYPE_IP: 1092 break; 1093 } 1094 1095 ret = l2tp_xmit_queue(tunnel, skb, &inet->cork.fl); 1096 1097out_unlock: 1098 bh_unlock_sock(sk); 1099 1100 return ret; 1101} 1102 1103/* If caller requires the skb to have a ppp header, the header must be 1104 * inserted in the skb data before calling this function. 1105 */ 1106int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb) 1107{ 1108 unsigned int len = 0; 1109 int ret; 1110 1111 ret = l2tp_xmit_core(session, skb, &len); 1112 if (ret == NET_XMIT_SUCCESS) { 1113 atomic_long_inc(&session->tunnel->stats.tx_packets); 1114 atomic_long_add(len, &session->tunnel->stats.tx_bytes); 1115 atomic_long_inc(&session->stats.tx_packets); 1116 atomic_long_add(len, &session->stats.tx_bytes); 1117 } else { 1118 atomic_long_inc(&session->tunnel->stats.tx_errors); 1119 atomic_long_inc(&session->stats.tx_errors); 1120 } 1121 return ret; 1122} 1123EXPORT_SYMBOL_GPL(l2tp_xmit_skb); 1124 1125/***************************************************************************** 1126 * Tinnel and session create/destroy. 1127 *****************************************************************************/ 1128 1129/* Tunnel socket destruct hook. 1130 * The tunnel context is deleted only when all session sockets have been 1131 * closed. 1132 */ 1133static void l2tp_tunnel_destruct(struct sock *sk) 1134{ 1135 struct l2tp_tunnel *tunnel = l2tp_sk_to_tunnel(sk); 1136 1137 if (!tunnel) 1138 goto end; 1139 1140 /* Disable udp encapsulation */ 1141 switch (tunnel->encap) { 1142 case L2TP_ENCAPTYPE_UDP: 1143 /* No longer an encapsulation socket. See net/ipv4/udp.c */ 1144 (udp_sk(sk))->encap_type = 0; 1145 (udp_sk(sk))->encap_rcv = NULL; 1146 (udp_sk(sk))->encap_destroy = NULL; 1147 break; 1148 case L2TP_ENCAPTYPE_IP: 1149 break; 1150 } 1151 1152 /* Remove hooks into tunnel socket */ 1153 sk->sk_destruct = tunnel->old_sk_destruct; 1154 sk->sk_user_data = NULL; 1155 1156 /* Call the original destructor */ 1157 if (sk->sk_destruct) 1158 (*sk->sk_destruct)(sk); 1159 1160 kfree_rcu(tunnel, rcu); 1161end: 1162 return; 1163} 1164 1165/* Remove an l2tp session from l2tp_core's hash lists. */ 1166static void l2tp_session_unhash(struct l2tp_session *session) 1167{ 1168 struct l2tp_tunnel *tunnel = session->tunnel; 1169 1170 /* Remove the session from core hashes */ 1171 if (tunnel) { 1172 /* Remove from the per-tunnel hash */ 1173 spin_lock_bh(&tunnel->hlist_lock); 1174 hlist_del_init_rcu(&session->hlist); 1175 spin_unlock_bh(&tunnel->hlist_lock); 1176 1177 /* For L2TPv3 we have a per-net hash: remove from there, too */ 1178 if (tunnel->version != L2TP_HDR_VER_2) { 1179 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net); 1180 1181 spin_lock_bh(&pn->l2tp_session_hlist_lock); 1182 hlist_del_init_rcu(&session->global_hlist); 1183 spin_unlock_bh(&pn->l2tp_session_hlist_lock); 1184 } 1185 1186 synchronize_rcu(); 1187 } 1188} 1189 1190/* When the tunnel is closed, all the attached sessions need to go too. 1191 */ 1192static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel) 1193{ 1194 struct l2tp_session *session; 1195 int hash; 1196 1197 spin_lock_bh(&tunnel->hlist_lock); 1198 tunnel->acpt_newsess = false; 1199 for (hash = 0; hash < L2TP_HASH_SIZE; hash++) { 1200again: 1201 hlist_for_each_entry_rcu(session, &tunnel->session_hlist[hash], hlist) { 1202 hlist_del_init_rcu(&session->hlist); 1203 1204 spin_unlock_bh(&tunnel->hlist_lock); 1205 l2tp_session_delete(session); 1206 spin_lock_bh(&tunnel->hlist_lock); 1207 1208 /* Now restart from the beginning of this hash 1209 * chain. We always remove a session from the 1210 * list so we are guaranteed to make forward 1211 * progress. 1212 */ 1213 goto again; 1214 } 1215 } 1216 spin_unlock_bh(&tunnel->hlist_lock); 1217} 1218 1219/* Tunnel socket destroy hook for UDP encapsulation */ 1220static void l2tp_udp_encap_destroy(struct sock *sk) 1221{ 1222 struct l2tp_tunnel *tunnel = l2tp_sk_to_tunnel(sk); 1223 1224 if (tunnel) 1225 l2tp_tunnel_delete(tunnel); 1226} 1227 1228/* Workqueue tunnel deletion function */ 1229static void l2tp_tunnel_del_work(struct work_struct *work) 1230{ 1231 struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel, 1232 del_work); 1233 struct sock *sk = tunnel->sock; 1234 struct socket *sock = sk->sk_socket; 1235 struct l2tp_net *pn; 1236 1237 l2tp_tunnel_closeall(tunnel); 1238 1239 /* If the tunnel socket was created within the kernel, use 1240 * the sk API to release it here. 1241 */ 1242 if (tunnel->fd < 0) { 1243 if (sock) { 1244 kernel_sock_shutdown(sock, SHUT_RDWR); 1245 sock_release(sock); 1246 } 1247 } 1248 1249 /* Remove the tunnel struct from the tunnel list */ 1250 pn = l2tp_pernet(tunnel->l2tp_net); 1251 spin_lock_bh(&pn->l2tp_tunnel_list_lock); 1252 list_del_rcu(&tunnel->list); 1253 spin_unlock_bh(&pn->l2tp_tunnel_list_lock); 1254 1255 /* drop initial ref */ 1256 l2tp_tunnel_dec_refcount(tunnel); 1257 1258 /* drop workqueue ref */ 1259 l2tp_tunnel_dec_refcount(tunnel); 1260} 1261 1262/* Create a socket for the tunnel, if one isn't set up by 1263 * userspace. This is used for static tunnels where there is no 1264 * managing L2TP daemon. 1265 * 1266 * Since we don't want these sockets to keep a namespace alive by 1267 * themselves, we drop the socket's namespace refcount after creation. 1268 * These sockets are freed when the namespace exits using the pernet 1269 * exit hook. 1270 */ 1271static int l2tp_tunnel_sock_create(struct net *net, 1272 u32 tunnel_id, 1273 u32 peer_tunnel_id, 1274 struct l2tp_tunnel_cfg *cfg, 1275 struct socket **sockp) 1276{ 1277 int err = -EINVAL; 1278 struct socket *sock = NULL; 1279 struct udp_port_cfg udp_conf; 1280 1281 switch (cfg->encap) { 1282 case L2TP_ENCAPTYPE_UDP: 1283 memset(&udp_conf, 0, sizeof(udp_conf)); 1284 1285#if IS_ENABLED(CONFIG_IPV6) 1286 if (cfg->local_ip6 && cfg->peer_ip6) { 1287 udp_conf.family = AF_INET6; 1288 memcpy(&udp_conf.local_ip6, cfg->local_ip6, 1289 sizeof(udp_conf.local_ip6)); 1290 memcpy(&udp_conf.peer_ip6, cfg->peer_ip6, 1291 sizeof(udp_conf.peer_ip6)); 1292 udp_conf.use_udp6_tx_checksums = 1293 !cfg->udp6_zero_tx_checksums; 1294 udp_conf.use_udp6_rx_checksums = 1295 !cfg->udp6_zero_rx_checksums; 1296 } else 1297#endif 1298 { 1299 udp_conf.family = AF_INET; 1300 udp_conf.local_ip = cfg->local_ip; 1301 udp_conf.peer_ip = cfg->peer_ip; 1302 udp_conf.use_udp_checksums = cfg->use_udp_checksums; 1303 } 1304 1305 udp_conf.local_udp_port = htons(cfg->local_udp_port); 1306 udp_conf.peer_udp_port = htons(cfg->peer_udp_port); 1307 1308 err = udp_sock_create(net, &udp_conf, &sock); 1309 if (err < 0) 1310 goto out; 1311 1312 break; 1313 1314 case L2TP_ENCAPTYPE_IP: 1315#if IS_ENABLED(CONFIG_IPV6) 1316 if (cfg->local_ip6 && cfg->peer_ip6) { 1317 struct sockaddr_l2tpip6 ip6_addr = {0}; 1318 1319 err = sock_create_kern(net, AF_INET6, SOCK_DGRAM, 1320 IPPROTO_L2TP, &sock); 1321 if (err < 0) 1322 goto out; 1323 1324 ip6_addr.l2tp_family = AF_INET6; 1325 memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6, 1326 sizeof(ip6_addr.l2tp_addr)); 1327 ip6_addr.l2tp_conn_id = tunnel_id; 1328 err = kernel_bind(sock, (struct sockaddr *)&ip6_addr, 1329 sizeof(ip6_addr)); 1330 if (err < 0) 1331 goto out; 1332 1333 ip6_addr.l2tp_family = AF_INET6; 1334 memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6, 1335 sizeof(ip6_addr.l2tp_addr)); 1336 ip6_addr.l2tp_conn_id = peer_tunnel_id; 1337 err = kernel_connect(sock, 1338 (struct sockaddr *)&ip6_addr, 1339 sizeof(ip6_addr), 0); 1340 if (err < 0) 1341 goto out; 1342 } else 1343#endif 1344 { 1345 struct sockaddr_l2tpip ip_addr = {0}; 1346 1347 err = sock_create_kern(net, AF_INET, SOCK_DGRAM, 1348 IPPROTO_L2TP, &sock); 1349 if (err < 0) 1350 goto out; 1351 1352 ip_addr.l2tp_family = AF_INET; 1353 ip_addr.l2tp_addr = cfg->local_ip; 1354 ip_addr.l2tp_conn_id = tunnel_id; 1355 err = kernel_bind(sock, (struct sockaddr *)&ip_addr, 1356 sizeof(ip_addr)); 1357 if (err < 0) 1358 goto out; 1359 1360 ip_addr.l2tp_family = AF_INET; 1361 ip_addr.l2tp_addr = cfg->peer_ip; 1362 ip_addr.l2tp_conn_id = peer_tunnel_id; 1363 err = kernel_connect(sock, (struct sockaddr *)&ip_addr, 1364 sizeof(ip_addr), 0); 1365 if (err < 0) 1366 goto out; 1367 } 1368 break; 1369 1370 default: 1371 goto out; 1372 } 1373 1374out: 1375 *sockp = sock; 1376 if (err < 0 && sock) { 1377 kernel_sock_shutdown(sock, SHUT_RDWR); 1378 sock_release(sock); 1379 *sockp = NULL; 1380 } 1381 1382 return err; 1383} 1384 1385static struct lock_class_key l2tp_socket_class; 1386 1387int l2tp_tunnel_create(int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, 1388 struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp) 1389{ 1390 struct l2tp_tunnel *tunnel = NULL; 1391 int err; 1392 enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP; 1393 1394 if (cfg) 1395 encap = cfg->encap; 1396 1397 tunnel = kzalloc(sizeof(*tunnel), GFP_KERNEL); 1398 if (!tunnel) { 1399 err = -ENOMEM; 1400 goto err; 1401 } 1402 1403 tunnel->version = version; 1404 tunnel->tunnel_id = tunnel_id; 1405 tunnel->peer_tunnel_id = peer_tunnel_id; 1406 1407 tunnel->magic = L2TP_TUNNEL_MAGIC; 1408 sprintf(&tunnel->name[0], "tunl %u", tunnel_id); 1409 spin_lock_init(&tunnel->hlist_lock); 1410 tunnel->acpt_newsess = true; 1411 1412 tunnel->encap = encap; 1413 1414 refcount_set(&tunnel->ref_count, 1); 1415 tunnel->fd = fd; 1416 1417 /* Init delete workqueue struct */ 1418 INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work); 1419 1420 INIT_LIST_HEAD(&tunnel->list); 1421 1422 err = 0; 1423err: 1424 if (tunnelp) 1425 *tunnelp = tunnel; 1426 1427 return err; 1428} 1429EXPORT_SYMBOL_GPL(l2tp_tunnel_create); 1430 1431static int l2tp_validate_socket(const struct sock *sk, const struct net *net, 1432 enum l2tp_encap_type encap) 1433{ 1434 if (!net_eq(sock_net(sk), net)) 1435 return -EINVAL; 1436 1437 if (sk->sk_type != SOCK_DGRAM) 1438 return -EPROTONOSUPPORT; 1439 1440 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 1441 return -EPROTONOSUPPORT; 1442 1443 if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) || 1444 (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP)) 1445 return -EPROTONOSUPPORT; 1446 1447 if (sk->sk_user_data) 1448 return -EBUSY; 1449 1450 return 0; 1451} 1452 1453int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, 1454 struct l2tp_tunnel_cfg *cfg) 1455{ 1456 struct l2tp_tunnel *tunnel_walk; 1457 struct l2tp_net *pn; 1458 struct socket *sock; 1459 struct sock *sk; 1460 int ret; 1461 1462 if (tunnel->fd < 0) { 1463 ret = l2tp_tunnel_sock_create(net, tunnel->tunnel_id, 1464 tunnel->peer_tunnel_id, cfg, 1465 &sock); 1466 if (ret < 0) 1467 goto err; 1468 } else { 1469 sock = sockfd_lookup(tunnel->fd, &ret); 1470 if (!sock) 1471 goto err; 1472 1473 ret = l2tp_validate_socket(sock->sk, net, tunnel->encap); 1474 if (ret < 0) 1475 goto err_sock; 1476 } 1477 1478 tunnel->l2tp_net = net; 1479 pn = l2tp_pernet(net); 1480 1481 sk = sock->sk; 1482 sock_hold(sk); 1483 tunnel->sock = sk; 1484 1485 spin_lock_bh(&pn->l2tp_tunnel_list_lock); 1486 list_for_each_entry(tunnel_walk, &pn->l2tp_tunnel_list, list) { 1487 if (tunnel_walk->tunnel_id == tunnel->tunnel_id) { 1488 spin_unlock_bh(&pn->l2tp_tunnel_list_lock); 1489 sock_put(sk); 1490 ret = -EEXIST; 1491 goto err_sock; 1492 } 1493 } 1494 list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list); 1495 spin_unlock_bh(&pn->l2tp_tunnel_list_lock); 1496 1497 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) { 1498 struct udp_tunnel_sock_cfg udp_cfg = { 1499 .sk_user_data = tunnel, 1500 .encap_type = UDP_ENCAP_L2TPINUDP, 1501 .encap_rcv = l2tp_udp_encap_recv, 1502 .encap_destroy = l2tp_udp_encap_destroy, 1503 }; 1504 1505 setup_udp_tunnel_sock(net, sock, &udp_cfg); 1506 } else { 1507 sk->sk_user_data = tunnel; 1508 } 1509 1510 tunnel->old_sk_destruct = sk->sk_destruct; 1511 sk->sk_destruct = &l2tp_tunnel_destruct; 1512 lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, 1513 "l2tp_sock"); 1514 sk->sk_allocation = GFP_ATOMIC; 1515 1516 trace_register_tunnel(tunnel); 1517 1518 if (tunnel->fd >= 0) 1519 sockfd_put(sock); 1520 1521 return 0; 1522 1523err_sock: 1524 if (tunnel->fd < 0) 1525 sock_release(sock); 1526 else 1527 sockfd_put(sock); 1528err: 1529 return ret; 1530} 1531EXPORT_SYMBOL_GPL(l2tp_tunnel_register); 1532 1533/* This function is used by the netlink TUNNEL_DELETE command. 1534 */ 1535void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel) 1536{ 1537 if (!test_and_set_bit(0, &tunnel->dead)) { 1538 trace_delete_tunnel(tunnel); 1539 l2tp_tunnel_inc_refcount(tunnel); 1540 queue_work(l2tp_wq, &tunnel->del_work); 1541 } 1542} 1543EXPORT_SYMBOL_GPL(l2tp_tunnel_delete); 1544 1545void l2tp_session_delete(struct l2tp_session *session) 1546{ 1547 if (test_and_set_bit(0, &session->dead)) 1548 return; 1549 1550 trace_delete_session(session); 1551 l2tp_session_unhash(session); 1552 l2tp_session_queue_purge(session); 1553 if (session->session_close) 1554 (*session->session_close)(session); 1555 1556 l2tp_session_dec_refcount(session); 1557} 1558EXPORT_SYMBOL_GPL(l2tp_session_delete); 1559 1560/* We come here whenever a session's send_seq, cookie_len or 1561 * l2specific_type parameters are set. 1562 */ 1563void l2tp_session_set_header_len(struct l2tp_session *session, int version) 1564{ 1565 if (version == L2TP_HDR_VER_2) { 1566 session->hdr_len = 6; 1567 if (session->send_seq) 1568 session->hdr_len += 4; 1569 } else { 1570 session->hdr_len = 4 + session->cookie_len; 1571 session->hdr_len += l2tp_get_l2specific_len(session); 1572 if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP) 1573 session->hdr_len += 4; 1574 } 1575} 1576EXPORT_SYMBOL_GPL(l2tp_session_set_header_len); 1577 1578struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, 1579 u32 peer_session_id, struct l2tp_session_cfg *cfg) 1580{ 1581 struct l2tp_session *session; 1582 1583 session = kzalloc(sizeof(*session) + priv_size, GFP_KERNEL); 1584 if (session) { 1585 session->magic = L2TP_SESSION_MAGIC; 1586 session->tunnel = tunnel; 1587 1588 session->session_id = session_id; 1589 session->peer_session_id = peer_session_id; 1590 session->nr = 0; 1591 if (tunnel->version == L2TP_HDR_VER_2) 1592 session->nr_max = 0xffff; 1593 else 1594 session->nr_max = 0xffffff; 1595 session->nr_window_size = session->nr_max / 2; 1596 session->nr_oos_count_max = 4; 1597 1598 /* Use NR of first received packet */ 1599 session->reorder_skip = 1; 1600 1601 sprintf(&session->name[0], "sess %u/%u", 1602 tunnel->tunnel_id, session->session_id); 1603 1604 skb_queue_head_init(&session->reorder_q); 1605 1606 INIT_HLIST_NODE(&session->hlist); 1607 INIT_HLIST_NODE(&session->global_hlist); 1608 1609 if (cfg) { 1610 session->pwtype = cfg->pw_type; 1611 session->send_seq = cfg->send_seq; 1612 session->recv_seq = cfg->recv_seq; 1613 session->lns_mode = cfg->lns_mode; 1614 session->reorder_timeout = cfg->reorder_timeout; 1615 session->l2specific_type = cfg->l2specific_type; 1616 session->cookie_len = cfg->cookie_len; 1617 memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len); 1618 session->peer_cookie_len = cfg->peer_cookie_len; 1619 memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len); 1620 } 1621 1622 l2tp_session_set_header_len(session, tunnel->version); 1623 1624 refcount_set(&session->ref_count, 1); 1625 1626 return session; 1627 } 1628 1629 return ERR_PTR(-ENOMEM); 1630} 1631EXPORT_SYMBOL_GPL(l2tp_session_create); 1632 1633/***************************************************************************** 1634 * Init and cleanup 1635 *****************************************************************************/ 1636 1637static __net_init int l2tp_init_net(struct net *net) 1638{ 1639 struct l2tp_net *pn = net_generic(net, l2tp_net_id); 1640 int hash; 1641 1642 INIT_LIST_HEAD(&pn->l2tp_tunnel_list); 1643 spin_lock_init(&pn->l2tp_tunnel_list_lock); 1644 1645 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) 1646 INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]); 1647 1648 spin_lock_init(&pn->l2tp_session_hlist_lock); 1649 1650 return 0; 1651} 1652 1653static __net_exit void l2tp_exit_net(struct net *net) 1654{ 1655 struct l2tp_net *pn = l2tp_pernet(net); 1656 struct l2tp_tunnel *tunnel = NULL; 1657 int hash; 1658 1659 rcu_read_lock_bh(); 1660 list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { 1661 l2tp_tunnel_delete(tunnel); 1662 } 1663 rcu_read_unlock_bh(); 1664 1665 if (l2tp_wq) 1666 flush_workqueue(l2tp_wq); 1667 rcu_barrier(); 1668 1669 for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) 1670 WARN_ON_ONCE(!hlist_empty(&pn->l2tp_session_hlist[hash])); 1671} 1672 1673static struct pernet_operations l2tp_net_ops = { 1674 .init = l2tp_init_net, 1675 .exit = l2tp_exit_net, 1676 .id = &l2tp_net_id, 1677 .size = sizeof(struct l2tp_net), 1678}; 1679 1680static int __init l2tp_init(void) 1681{ 1682 int rc = 0; 1683 1684 rc = register_pernet_device(&l2tp_net_ops); 1685 if (rc) 1686 goto out; 1687 1688 l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0); 1689 if (!l2tp_wq) { 1690 pr_err("alloc_workqueue failed\n"); 1691 unregister_pernet_device(&l2tp_net_ops); 1692 rc = -ENOMEM; 1693 goto out; 1694 } 1695 1696 pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION); 1697 1698out: 1699 return rc; 1700} 1701 1702static void __exit l2tp_exit(void) 1703{ 1704 unregister_pernet_device(&l2tp_net_ops); 1705 if (l2tp_wq) { 1706 destroy_workqueue(l2tp_wq); 1707 l2tp_wq = NULL; 1708 } 1709} 1710 1711module_init(l2tp_init); 1712module_exit(l2tp_exit); 1713 1714MODULE_AUTHOR("James Chapman <jchapman@katalix.com>"); 1715MODULE_DESCRIPTION("L2TP core"); 1716MODULE_LICENSE("GPL"); 1717MODULE_VERSION(L2TP_DRV_VERSION);