1 // SPDX-License-Identifier: GPL-2.0-only
4 * Copyright (c) 2008,2009,2010 Katalix Systems Ltd
6 * This file contains some code of the original L2TPv2 pppol2tp
7 * driver, which has the following copyright:
9 * Authors: Martijn van Oosterhout <kleptog@svana.org>
10 * James Chapman (jchapman@katalix.com)
12 * Michal Ostrowski <mostrows@speakeasy.net>
13 * Arnaldo Carvalho de Melo <acme@xconectiva.com.br>
14 * David S. Miller (davem@redhat.com)
17 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
19 #include <linux/module.h>
20 #include <linux/string.h>
21 #include <linux/list.h>
22 #include <linux/rculist.h>
23 #include <linux/uaccess.h>
25 #include <linux/kernel.h>
26 #include <linux/spinlock.h>
27 #include <linux/kthread.h>
28 #include <linux/sched.h>
29 #include <linux/slab.h>
30 #include <linux/errno.h>
31 #include <linux/jiffies.h>
33 #include <linux/netdevice.h>
34 #include <linux/net.h>
35 #include <linux/inetdevice.h>
36 #include <linux/skbuff.h>
37 #include <linux/init.h>
40 #include <linux/udp.h>
41 #include <linux/l2tp.h>
42 #include <linux/sort.h>
43 #include <linux/file.h>
44 #include <linux/nsproxy.h>
45 #include <net/net_namespace.h>
46 #include <net/netns/generic.h>
50 #include <net/udp_tunnel.h>
51 #include <net/inet_common.h>
53 #include <net/protocol.h>
54 #include <net/inet6_connection_sock.h>
55 #include <net/inet_ecn.h>
56 #include <net/ip6_route.h>
57 #include <net/ip6_checksum.h>
59 #include <asm/byteorder.h>
60 #include <linux/atomic.h>
62 #include "l2tp_core.h"
64 #define CREATE_TRACE_POINTS
67 #define L2TP_DRV_VERSION "V2.0"
69 /* L2TP header constants */
70 #define L2TP_HDRFLAG_T 0x8000
71 #define L2TP_HDRFLAG_L 0x4000
72 #define L2TP_HDRFLAG_S 0x0800
73 #define L2TP_HDRFLAG_O 0x0200
74 #define L2TP_HDRFLAG_P 0x0100
76 #define L2TP_HDR_VER_MASK 0x000F
77 #define L2TP_HDR_VER_2 0x0002
78 #define L2TP_HDR_VER_3 0x0003
80 /* L2TPv3 default L2-specific sublayer */
81 #define L2TP_SLFLAG_S 0x40000000
82 #define L2TP_SL_SEQ_MASK 0x00ffffff
84 #define L2TP_HDR_SIZE_MAX 14
86 /* Default trace flags */
87 #define L2TP_DEFAULT_DEBUG_FLAGS 0
89 #define L2TP_DEPTH_NESTING 2
90 #if L2TP_DEPTH_NESTING == SINGLE_DEPTH_NESTING
91 #error "L2TP requires its own lockdep subclass"
94 /* Private data stored for received packets in the skb.
100 unsigned long expires;
103 #define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *)&(skb)->cb[sizeof(struct inet_skb_parm)])
105 static struct workqueue_struct *l2tp_wq;
107 /* per-net private data for this module */
108 static unsigned int l2tp_net_id;
110 /* Lock for write access to l2tp_tunnel_idr */
111 spinlock_t l2tp_tunnel_idr_lock;
112 struct idr l2tp_tunnel_idr;
113 /* Lock for write access to l2tp_v[23]_session_idr/htable */
114 spinlock_t l2tp_session_idr_lock;
115 struct idr l2tp_v2_session_idr;
116 struct idr l2tp_v3_session_idr;
117 struct hlist_head l2tp_v3_session_htable[16];
120 static u32 l2tp_v2_session_key(u16 tunnel_id, u16 session_id)
122 return ((u32)tunnel_id) << 16 | session_id;
125 static unsigned long l2tp_v3_session_hashkey(struct sock *sk, u32 session_id)
127 return ((unsigned long)sk) + session_id;
130 #if IS_ENABLED(CONFIG_IPV6)
131 static bool l2tp_sk_is_v6(struct sock *sk)
133 return sk->sk_family == PF_INET6 &&
134 !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
138 static struct l2tp_net *l2tp_pernet(const struct net *net)
140 return net_generic(net, l2tp_net_id);
143 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
145 struct sock *sk = tunnel->sock;
147 trace_free_tunnel(tunnel);
150 /* Disable udp encapsulation */
151 switch (tunnel->encap) {
152 case L2TP_ENCAPTYPE_UDP:
153 /* No longer an encapsulation socket. See net/ipv4/udp.c */
154 WRITE_ONCE(udp_sk(sk)->encap_type, 0);
155 udp_sk(sk)->encap_rcv = NULL;
156 udp_sk(sk)->encap_destroy = NULL;
158 case L2TP_ENCAPTYPE_IP:
166 kfree_rcu(tunnel, rcu);
169 static void l2tp_session_free(struct l2tp_session *session)
171 trace_free_session(session);
173 l2tp_tunnel_put(session->tunnel);
174 kfree_rcu(session, rcu);
177 struct l2tp_tunnel *l2tp_sk_to_tunnel(const struct sock *sk)
179 const struct net *net = sock_net(sk);
180 unsigned long tunnel_id, tmp;
181 struct l2tp_tunnel *tunnel;
185 pn = l2tp_pernet(net);
186 idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) {
188 tunnel->sock == sk &&
189 refcount_inc_not_zero(&tunnel->ref_count)) {
190 rcu_read_unlock_bh();
194 rcu_read_unlock_bh();
198 EXPORT_SYMBOL_GPL(l2tp_sk_to_tunnel);
200 void l2tp_tunnel_put(struct l2tp_tunnel *tunnel)
202 if (refcount_dec_and_test(&tunnel->ref_count))
203 l2tp_tunnel_free(tunnel);
205 EXPORT_SYMBOL_GPL(l2tp_tunnel_put);
207 void l2tp_session_put(struct l2tp_session *session)
209 if (refcount_dec_and_test(&session->ref_count))
210 l2tp_session_free(session);
212 EXPORT_SYMBOL_GPL(l2tp_session_put);
214 /* Lookup a tunnel. A new reference is held on the returned tunnel. */
215 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
217 const struct l2tp_net *pn = l2tp_pernet(net);
218 struct l2tp_tunnel *tunnel;
221 tunnel = idr_find(&pn->l2tp_tunnel_idr, tunnel_id);
222 if (tunnel && refcount_inc_not_zero(&tunnel->ref_count)) {
223 rcu_read_unlock_bh();
226 rcu_read_unlock_bh();
230 EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
232 struct l2tp_tunnel *l2tp_tunnel_get_next(const struct net *net, unsigned long *key)
234 struct l2tp_net *pn = l2tp_pernet(net);
235 struct l2tp_tunnel *tunnel = NULL;
239 tunnel = idr_get_next_ul(&pn->l2tp_tunnel_idr, key);
241 if (refcount_inc_not_zero(&tunnel->ref_count)) {
242 rcu_read_unlock_bh();
248 rcu_read_unlock_bh();
252 EXPORT_SYMBOL_GPL(l2tp_tunnel_get_next);
254 struct l2tp_session *l2tp_v3_session_get(const struct net *net, struct sock *sk, u32 session_id)
256 const struct l2tp_net *pn = l2tp_pernet(net);
257 struct l2tp_session *session;
260 session = idr_find(&pn->l2tp_v3_session_idr, session_id);
261 if (session && !hash_hashed(&session->hlist) &&
262 refcount_inc_not_zero(&session->ref_count)) {
263 rcu_read_unlock_bh();
267 /* If we get here and session is non-NULL, the session_id
268 * collides with one in another tunnel. If sk is non-NULL,
269 * find the session matching sk.
272 unsigned long key = l2tp_v3_session_hashkey(sk, session->session_id);
274 hash_for_each_possible_rcu(pn->l2tp_v3_session_htable, session,
276 /* session->tunnel may be NULL if another thread is in
277 * l2tp_session_register and has added an item to
278 * l2tp_v3_session_htable but hasn't yet added the
279 * session to its tunnel's session_list.
281 struct l2tp_tunnel *tunnel = READ_ONCE(session->tunnel);
283 if (session->session_id == session_id &&
284 tunnel && tunnel->sock == sk &&
285 refcount_inc_not_zero(&session->ref_count)) {
286 rcu_read_unlock_bh();
291 rcu_read_unlock_bh();
295 EXPORT_SYMBOL_GPL(l2tp_v3_session_get);
297 struct l2tp_session *l2tp_v2_session_get(const struct net *net, u16 tunnel_id, u16 session_id)
299 u32 session_key = l2tp_v2_session_key(tunnel_id, session_id);
300 const struct l2tp_net *pn = l2tp_pernet(net);
301 struct l2tp_session *session;
304 session = idr_find(&pn->l2tp_v2_session_idr, session_key);
305 if (session && refcount_inc_not_zero(&session->ref_count)) {
306 rcu_read_unlock_bh();
309 rcu_read_unlock_bh();
313 EXPORT_SYMBOL_GPL(l2tp_v2_session_get);
315 struct l2tp_session *l2tp_session_get(const struct net *net, struct sock *sk, int pver,
316 u32 tunnel_id, u32 session_id)
318 if (pver == L2TP_HDR_VER_2)
319 return l2tp_v2_session_get(net, tunnel_id, session_id);
321 return l2tp_v3_session_get(net, sk, session_id);
323 EXPORT_SYMBOL_GPL(l2tp_session_get);
325 static struct l2tp_session *l2tp_v2_session_get_next(const struct net *net,
329 struct l2tp_net *pn = l2tp_pernet(net);
330 struct l2tp_session *session = NULL;
332 /* Start searching within the range of the tid */
334 *key = l2tp_v2_session_key(tid, 0);
338 session = idr_get_next_ul(&pn->l2tp_v2_session_idr, key);
340 struct l2tp_tunnel *tunnel = READ_ONCE(session->tunnel);
342 /* ignore sessions with id 0 as they are internal for pppol2tp */
343 if (session->session_id == 0) {
348 if (tunnel->tunnel_id == tid &&
349 refcount_inc_not_zero(&session->ref_count)) {
350 rcu_read_unlock_bh();
355 if (tunnel->tunnel_id == tid)
358 rcu_read_unlock_bh();
363 static struct l2tp_session *l2tp_v3_session_get_next(const struct net *net,
364 u32 tid, struct sock *sk,
367 struct l2tp_net *pn = l2tp_pernet(net);
368 struct l2tp_session *session = NULL;
372 session = idr_get_next_ul(&pn->l2tp_v3_session_idr, key);
373 if (session && !hash_hashed(&session->hlist)) {
374 struct l2tp_tunnel *tunnel = READ_ONCE(session->tunnel);
376 if (tunnel && tunnel->tunnel_id == tid &&
377 refcount_inc_not_zero(&session->ref_count)) {
378 rcu_read_unlock_bh();
386 /* If we get here and session is non-NULL, the IDR entry may be one
387 * where the session_id collides with one in another tunnel. Check
388 * session_htable for a match. There can only be one session of a given
389 * ID per tunnel so we can return as soon as a match is found.
391 if (session && hash_hashed(&session->hlist)) {
392 unsigned long hkey = l2tp_v3_session_hashkey(sk, session->session_id);
393 u32 sid = session->session_id;
395 hash_for_each_possible_rcu(pn->l2tp_v3_session_htable, session,
397 struct l2tp_tunnel *tunnel = READ_ONCE(session->tunnel);
399 if (session->session_id == sid &&
400 tunnel && tunnel->tunnel_id == tid &&
401 refcount_inc_not_zero(&session->ref_count)) {
402 rcu_read_unlock_bh();
407 /* If no match found, the colliding session ID isn't in our
408 * tunnel so try the next session ID.
414 rcu_read_unlock_bh();
419 struct l2tp_session *l2tp_session_get_next(const struct net *net, struct sock *sk, int pver,
420 u32 tunnel_id, unsigned long *key)
422 if (pver == L2TP_HDR_VER_2)
423 return l2tp_v2_session_get_next(net, tunnel_id, key);
425 return l2tp_v3_session_get_next(net, tunnel_id, sk, key);
427 EXPORT_SYMBOL_GPL(l2tp_session_get_next);
429 /* Lookup a session by interface name.
430 * This is very inefficient but is only used by management interfaces.
432 struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
435 struct l2tp_net *pn = l2tp_pernet(net);
436 unsigned long tunnel_id, tmp;
437 struct l2tp_session *session;
438 struct l2tp_tunnel *tunnel;
441 idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) {
443 list_for_each_entry_rcu(session, &tunnel->session_list, list) {
444 if (!strcmp(session->ifname, ifname)) {
445 refcount_inc(&session->ref_count);
446 rcu_read_unlock_bh();
453 rcu_read_unlock_bh();
457 EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
459 static void l2tp_session_coll_list_add(struct l2tp_session_coll_list *clist,
460 struct l2tp_session *session)
462 refcount_inc(&session->ref_count);
463 WARN_ON_ONCE(session->coll_list);
464 session->coll_list = clist;
465 spin_lock(&clist->lock);
466 list_add(&session->clist, &clist->list);
467 spin_unlock(&clist->lock);
470 static int l2tp_session_collision_add(struct l2tp_net *pn,
471 struct l2tp_session *session1,
472 struct l2tp_session *session2)
474 struct l2tp_session_coll_list *clist;
476 lockdep_assert_held(&pn->l2tp_session_idr_lock);
481 /* If existing session is in IP-encap tunnel, refuse new session */
482 if (session2->tunnel->encap == L2TP_ENCAPTYPE_IP)
485 clist = session2->coll_list;
487 /* First collision. Allocate list to manage the collided sessions
488 * and add the existing session to the list.
490 clist = kmalloc(sizeof(*clist), GFP_ATOMIC);
494 spin_lock_init(&clist->lock);
495 INIT_LIST_HEAD(&clist->list);
496 refcount_set(&clist->ref_count, 1);
497 l2tp_session_coll_list_add(clist, session2);
500 /* If existing session isn't already in the session hlist, add it. */
501 if (!hash_hashed(&session2->hlist))
502 hash_add_rcu(pn->l2tp_v3_session_htable, &session2->hlist,
503 session2->hlist_key);
505 /* Add new session to the hlist and collision list */
506 hash_add_rcu(pn->l2tp_v3_session_htable, &session1->hlist,
507 session1->hlist_key);
508 refcount_inc(&clist->ref_count);
509 l2tp_session_coll_list_add(clist, session1);
514 static void l2tp_session_collision_del(struct l2tp_net *pn,
515 struct l2tp_session *session)
517 struct l2tp_session_coll_list *clist = session->coll_list;
518 unsigned long session_key = session->session_id;
519 struct l2tp_session *session2;
521 lockdep_assert_held(&pn->l2tp_session_idr_lock);
523 hash_del_rcu(&session->hlist);
526 /* Remove session from its collision list. If there
527 * are other sessions with the same ID, replace this
528 * session's IDR entry with that session, otherwise
529 * remove the IDR entry. If this is the last session,
530 * the collision list data is freed.
532 spin_lock(&clist->lock);
533 list_del_init(&session->clist);
534 session2 = list_first_entry_or_null(&clist->list, struct l2tp_session, clist);
536 void *old = idr_replace(&pn->l2tp_v3_session_idr, session2, session_key);
538 WARN_ON_ONCE(IS_ERR_VALUE(old));
540 void *removed = idr_remove(&pn->l2tp_v3_session_idr, session_key);
542 WARN_ON_ONCE(removed != session);
544 session->coll_list = NULL;
545 spin_unlock(&clist->lock);
546 if (refcount_dec_and_test(&clist->ref_count))
548 l2tp_session_put(session);
552 int l2tp_session_register(struct l2tp_session *session,
553 struct l2tp_tunnel *tunnel)
555 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
556 struct l2tp_session *other_session = NULL;
561 spin_lock_bh(&tunnel->list_lock);
562 spin_lock_bh(&pn->l2tp_session_idr_lock);
564 if (!tunnel->acpt_newsess) {
569 if (tunnel->version == L2TP_HDR_VER_3) {
570 session_key = session->session_id;
571 err = idr_alloc_u32(&pn->l2tp_v3_session_idr, NULL,
572 &session_key, session_key, GFP_ATOMIC);
573 /* IP encap expects session IDs to be globally unique, while
574 * UDP encap doesn't. This isn't per the RFC, which says that
575 * sessions are identified only by the session ID, but is to
576 * support existing userspace which depends on it.
578 if (err == -ENOSPC && tunnel->encap == L2TP_ENCAPTYPE_UDP) {
579 other_session = idr_find(&pn->l2tp_v3_session_idr,
581 err = l2tp_session_collision_add(pn, session,
585 session_key = l2tp_v2_session_key(tunnel->tunnel_id,
586 session->session_id);
587 err = idr_alloc_u32(&pn->l2tp_v2_session_idr, NULL,
588 &session_key, session_key, GFP_ATOMIC);
597 refcount_inc(&tunnel->ref_count);
598 WRITE_ONCE(session->tunnel, tunnel);
599 list_add_rcu(&session->list, &tunnel->session_list);
601 /* this makes session available to lockless getters */
602 if (tunnel->version == L2TP_HDR_VER_3) {
604 old = idr_replace(&pn->l2tp_v3_session_idr, session, session_key);
606 old = idr_replace(&pn->l2tp_v2_session_idr, session, session_key);
609 /* old should be NULL, unless something removed or modified
610 * the IDR entry after our idr_alloc_32 above (which shouldn't
615 spin_unlock_bh(&pn->l2tp_session_idr_lock);
616 spin_unlock_bh(&tunnel->list_lock);
619 trace_register_session(session);
623 EXPORT_SYMBOL_GPL(l2tp_session_register);
625 /*****************************************************************************
626 * Receive data handling
627 *****************************************************************************/
629 /* Queue a skb in order. We come here only if the skb has an L2TP sequence
632 static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *skb)
634 struct sk_buff *skbp;
636 u32 ns = L2TP_SKB_CB(skb)->ns;
638 spin_lock_bh(&session->reorder_q.lock);
639 skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
640 if (L2TP_SKB_CB(skbp)->ns > ns) {
641 __skb_queue_before(&session->reorder_q, skbp, skb);
642 atomic_long_inc(&session->stats.rx_oos_packets);
647 __skb_queue_tail(&session->reorder_q, skb);
650 spin_unlock_bh(&session->reorder_q.lock);
653 /* Dequeue a single skb.
655 static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *skb)
657 struct l2tp_tunnel *tunnel = session->tunnel;
658 int length = L2TP_SKB_CB(skb)->length;
660 /* We're about to requeue the skb, so return resources
661 * to its current owner (a socket receive buffer).
665 atomic_long_inc(&tunnel->stats.rx_packets);
666 atomic_long_add(length, &tunnel->stats.rx_bytes);
667 atomic_long_inc(&session->stats.rx_packets);
668 atomic_long_add(length, &session->stats.rx_bytes);
670 if (L2TP_SKB_CB(skb)->has_seq) {
673 session->nr &= session->nr_max;
674 trace_session_seqnum_update(session);
677 /* call private receive handler */
678 if (session->recv_skb)
679 (*session->recv_skb)(session, skb, L2TP_SKB_CB(skb)->length);
684 /* Dequeue skbs from the session's reorder_q, subject to packet order.
685 * Skbs that have been in the queue for too long are simply discarded.
687 static void l2tp_recv_dequeue(struct l2tp_session *session)
692 /* If the pkt at the head of the queue has the nr that we
693 * expect to send up next, dequeue it and any other
694 * in-sequence packets behind it.
697 spin_lock_bh(&session->reorder_q.lock);
698 skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
699 struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);
701 /* If the packet has been pending on the queue for too long, discard it */
702 if (time_after(jiffies, cb->expires)) {
703 atomic_long_inc(&session->stats.rx_seq_discards);
704 atomic_long_inc(&session->stats.rx_errors);
705 trace_session_pkt_expired(session, cb->ns);
706 session->reorder_skip = 1;
707 __skb_unlink(skb, &session->reorder_q);
713 if (session->reorder_skip) {
714 session->reorder_skip = 0;
715 session->nr = cb->ns;
716 trace_session_seqnum_reset(session);
718 if (cb->ns != session->nr)
721 __skb_unlink(skb, &session->reorder_q);
723 /* Process the skb. We release the queue lock while we
724 * do so to let other contexts process the queue.
726 spin_unlock_bh(&session->reorder_q.lock);
727 l2tp_recv_dequeue_skb(session, skb);
732 spin_unlock_bh(&session->reorder_q.lock);
735 static int l2tp_seq_check_rx_window(struct l2tp_session *session, u32 nr)
739 if (nr >= session->nr)
740 nws = nr - session->nr;
742 nws = (session->nr_max + 1) - (session->nr - nr);
744 return nws < session->nr_window_size;
747 /* If packet has sequence numbers, queue it if acceptable. Returns 0 if
748 * acceptable, else non-zero.
750 static int l2tp_recv_data_seq(struct l2tp_session *session, struct sk_buff *skb)
752 struct l2tp_skb_cb *cb = L2TP_SKB_CB(skb);
754 if (!l2tp_seq_check_rx_window(session, cb->ns)) {
755 /* Packet sequence number is outside allowed window.
758 trace_session_pkt_outside_rx_window(session, cb->ns);
762 if (session->reorder_timeout != 0) {
763 /* Packet reordering enabled. Add skb to session's
764 * reorder queue, in order of ns.
766 l2tp_recv_queue_skb(session, skb);
770 /* Packet reordering disabled. Discard out-of-sequence packets, while
771 * tracking the number if in-sequence packets after the first OOS packet
772 * is seen. After nr_oos_count_max in-sequence packets, reset the
773 * sequence number to re-enable packet reception.
775 if (cb->ns == session->nr) {
776 skb_queue_tail(&session->reorder_q, skb);
779 u32 nr_next = (session->nr_oos + 1) & session->nr_max;
781 if (nr_oos == nr_next)
782 session->nr_oos_count++;
784 session->nr_oos_count = 0;
786 session->nr_oos = nr_oos;
787 if (session->nr_oos_count > session->nr_oos_count_max) {
788 session->reorder_skip = 1;
790 if (!session->reorder_skip) {
791 atomic_long_inc(&session->stats.rx_seq_discards);
792 trace_session_pkt_oos(session, cb->ns);
795 skb_queue_tail(&session->reorder_q, skb);
805 /* Do receive processing of L2TP data frames. We handle both L2TPv2
806 * and L2TPv3 data frames here.
808 * L2TPv2 Data Message Header
811 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
812 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
813 * |T|L|x|x|S|x|O|P|x|x|x|x| Ver | Length (opt) |
814 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
815 * | Tunnel ID | Session ID |
816 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
817 * | Ns (opt) | Nr (opt) |
818 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
819 * | Offset Size (opt) | Offset pad... (opt)
820 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
822 * Data frames are marked by T=0. All other fields are the same as
823 * those in L2TP control frames.
825 * L2TPv3 Data Message Header
827 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
828 * | L2TP Session Header |
829 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
830 * | L2-Specific Sublayer |
831 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
832 * | Tunnel Payload ...
833 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
835 * L2TPv3 Session Header Over IP
838 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
839 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
841 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
842 * | Cookie (optional, maximum 64 bits)...
843 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
845 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
847 * L2TPv3 L2-Specific Sublayer Format
850 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
851 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
852 * |x|S|x|x|x|x|x|x| Sequence Number |
853 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
855 * Cookie value and sublayer format are negotiated with the peer when
856 * the session is set up. Unlike L2TPv2, we do not need to parse the
857 * packet header to determine if optional fields are present.
859 * Caller must already have parsed the frame and determined that it is
860 * a data (not control) frame before coming here. Fields up to the
861 * session-id have already been parsed and ptr points to the data
862 * after the session-id.
864 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
865 unsigned char *ptr, unsigned char *optr, u16 hdrflags,
868 struct l2tp_tunnel *tunnel = session->tunnel;
871 /* Parse and check optional cookie */
872 if (session->peer_cookie_len > 0) {
873 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
874 pr_debug_ratelimited("%s: cookie mismatch (%u/%u). Discarding.\n",
875 tunnel->name, tunnel->tunnel_id,
876 session->session_id);
877 atomic_long_inc(&session->stats.rx_cookie_discards);
880 ptr += session->peer_cookie_len;
883 /* Handle the optional sequence numbers. Sequence numbers are
884 * in different places for L2TPv2 and L2TPv3.
886 * If we are the LAC, enable/disable sequence numbers under
887 * the control of the LNS. If no sequence numbers present but
888 * we were expecting them, discard frame.
890 L2TP_SKB_CB(skb)->has_seq = 0;
891 if (tunnel->version == L2TP_HDR_VER_2) {
892 if (hdrflags & L2TP_HDRFLAG_S) {
893 /* Store L2TP info in the skb */
894 L2TP_SKB_CB(skb)->ns = ntohs(*(__be16 *)ptr);
895 L2TP_SKB_CB(skb)->has_seq = 1;
897 /* Skip past nr in the header */
901 } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
902 u32 l2h = ntohl(*(__be32 *)ptr);
904 if (l2h & 0x40000000) {
905 /* Store L2TP info in the skb */
906 L2TP_SKB_CB(skb)->ns = l2h & 0x00ffffff;
907 L2TP_SKB_CB(skb)->has_seq = 1;
912 if (L2TP_SKB_CB(skb)->has_seq) {
913 /* Received a packet with sequence numbers. If we're the LAC,
914 * check if we sre sending sequence numbers and if not,
917 if (!session->lns_mode && !session->send_seq) {
918 trace_session_seqnum_lns_enable(session);
919 session->send_seq = 1;
920 l2tp_session_set_header_len(session, tunnel->version,
924 /* No sequence numbers.
925 * If user has configured mandatory sequence numbers, discard.
927 if (session->recv_seq) {
928 pr_debug_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",
930 atomic_long_inc(&session->stats.rx_seq_discards);
934 /* If we're the LAC and we're sending sequence numbers, the
935 * LNS has requested that we no longer send sequence numbers.
936 * If we're the LNS and we're sending sequence numbers, the
937 * LAC is broken. Discard the frame.
939 if (!session->lns_mode && session->send_seq) {
940 trace_session_seqnum_lns_disable(session);
941 session->send_seq = 0;
942 l2tp_session_set_header_len(session, tunnel->version,
944 } else if (session->send_seq) {
945 pr_debug_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",
947 atomic_long_inc(&session->stats.rx_seq_discards);
952 /* Session data offset is defined only for L2TPv2 and is
953 * indicated by an optional 16-bit value in the header.
955 if (tunnel->version == L2TP_HDR_VER_2) {
956 /* If offset bit set, skip it. */
957 if (hdrflags & L2TP_HDRFLAG_O) {
958 offset = ntohs(*(__be16 *)ptr);
964 if (!pskb_may_pull(skb, offset))
967 __skb_pull(skb, offset);
969 /* Prepare skb for adding to the session's reorder_q. Hold
970 * packets for max reorder_timeout or 1 second if not
973 L2TP_SKB_CB(skb)->length = length;
974 L2TP_SKB_CB(skb)->expires = jiffies +
975 (session->reorder_timeout ? session->reorder_timeout : HZ);
977 /* Add packet to the session's receive queue. Reordering is done here, if
978 * enabled. Saved L2TP protocol info is stored in skb->sb[].
980 if (L2TP_SKB_CB(skb)->has_seq) {
981 if (l2tp_recv_data_seq(session, skb))
984 /* No sequence numbers. Add the skb to the tail of the
985 * reorder queue. This ensures that it will be
986 * delivered after all previous sequenced skbs.
988 skb_queue_tail(&session->reorder_q, skb);
991 /* Try to dequeue as many skbs from reorder_q as we can. */
992 l2tp_recv_dequeue(session);
997 atomic_long_inc(&session->stats.rx_errors);
1000 EXPORT_SYMBOL_GPL(l2tp_recv_common);
1002 /* Drop skbs from the session's reorder_q
1004 static void l2tp_session_queue_purge(struct l2tp_session *session)
1006 struct sk_buff *skb = NULL;
1008 while ((skb = skb_dequeue(&session->reorder_q))) {
1009 atomic_long_inc(&session->stats.rx_errors);
1014 /* UDP encapsulation receive handler. See net/ipv4/udp.c for details. */
1015 int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
1017 struct l2tp_session *session = NULL;
1018 struct l2tp_tunnel *tunnel = NULL;
1019 struct net *net = sock_net(sk);
1020 unsigned char *ptr, *optr;
1025 /* UDP has verified checksum */
1027 /* UDP always verifies the packet length. */
1028 __skb_pull(skb, sizeof(struct udphdr));
1031 if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX))
1034 /* Point to L2TP header */
1038 /* Get L2TP header flags */
1039 hdrflags = ntohs(*(__be16 *)ptr);
1041 /* Get protocol version */
1042 version = hdrflags & L2TP_HDR_VER_MASK;
1044 /* Get length of L2TP packet */
1047 /* If type is control packet, it is handled by userspace. */
1048 if (hdrflags & L2TP_HDRFLAG_T)
1054 if (version == L2TP_HDR_VER_2) {
1055 u16 tunnel_id, session_id;
1057 /* If length is present, skip it */
1058 if (hdrflags & L2TP_HDRFLAG_L)
1061 /* Extract tunnel and session ID */
1062 tunnel_id = ntohs(*(__be16 *)ptr);
1064 session_id = ntohs(*(__be16 *)ptr);
1067 session = l2tp_v2_session_get(net, tunnel_id, session_id);
1071 ptr += 2; /* skip reserved bits */
1072 session_id = ntohl(*(__be32 *)ptr);
1075 session = l2tp_v3_session_get(net, sk, session_id);
1078 if (!session || !session->recv_skb) {
1080 l2tp_session_put(session);
1082 /* Not found? Pass to userspace to deal with */
1086 tunnel = session->tunnel;
1088 /* Check protocol version */
1089 if (version != tunnel->version)
1092 if (version == L2TP_HDR_VER_3 &&
1093 l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
1094 l2tp_session_put(session);
1098 l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
1099 l2tp_session_put(session);
1104 atomic_long_inc(&tunnel->stats.rx_invalid);
1107 /* Put UDP header back */
1108 __skb_push(skb, sizeof(struct udphdr));
1112 EXPORT_SYMBOL_GPL(l2tp_udp_encap_recv);
1114 /* UDP encapsulation receive error handler. See net/ipv4/udp.c for details. */
1115 static void l2tp_udp_encap_err_recv(struct sock *sk, struct sk_buff *skb, int err,
1116 __be16 port, u32 info, u8 *payload)
1119 sk_error_report(sk);
1121 if (ip_hdr(skb)->version == IPVERSION) {
1122 if (inet_test_bit(RECVERR, sk))
1123 return ip_icmp_error(sk, skb, err, port, info, payload);
1124 #if IS_ENABLED(CONFIG_IPV6)
1126 if (inet6_test_bit(RECVERR6, sk))
1127 return ipv6_icmp_error(sk, skb, err, port, info, payload);
1132 /************************************************************************
1134 ***********************************************************************/
1136 /* Build an L2TP header for the session into the buffer provided.
1138 static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
1140 struct l2tp_tunnel *tunnel = session->tunnel;
1143 u16 flags = L2TP_HDR_VER_2;
1144 u32 tunnel_id = tunnel->peer_tunnel_id;
1145 u32 session_id = session->peer_session_id;
1147 if (session->send_seq)
1148 flags |= L2TP_HDRFLAG_S;
1150 /* Setup L2TP header. */
1151 *bufp++ = htons(flags);
1152 *bufp++ = htons(tunnel_id);
1153 *bufp++ = htons(session_id);
1154 if (session->send_seq) {
1155 *bufp++ = htons(session->ns);
1158 session->ns &= 0xffff;
1159 trace_session_seqnum_update(session);
1165 static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
1167 struct l2tp_tunnel *tunnel = session->tunnel;
1171 /* Setup L2TP header. The header differs slightly for UDP and
1172 * IP encapsulations. For UDP, there is 4 bytes of flags.
1174 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1175 u16 flags = L2TP_HDR_VER_3;
1176 *((__be16 *)bufp) = htons(flags);
1178 *((__be16 *)bufp) = 0;
1182 *((__be32 *)bufp) = htonl(session->peer_session_id);
1184 if (session->cookie_len) {
1185 memcpy(bufp, &session->cookie[0], session->cookie_len);
1186 bufp += session->cookie_len;
1188 if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
1191 if (session->send_seq) {
1192 l2h = 0x40000000 | session->ns;
1194 session->ns &= 0xffffff;
1195 trace_session_seqnum_update(session);
1198 *((__be32 *)bufp) = htonl(l2h);
1205 /* Queue the packet to IP for output: tunnel socket lock must be held */
1206 static int l2tp_xmit_queue(struct l2tp_tunnel *tunnel, struct sk_buff *skb, struct flowi *fl)
1212 #if IS_ENABLED(CONFIG_IPV6)
1213 if (l2tp_sk_is_v6(tunnel->sock))
1214 err = inet6_csk_xmit(tunnel->sock, skb, NULL);
1217 err = ip_queue_xmit(tunnel->sock, skb, fl);
1219 return err >= 0 ? NET_XMIT_SUCCESS : NET_XMIT_DROP;
1222 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, unsigned int *len)
1224 struct l2tp_tunnel *tunnel = session->tunnel;
1225 unsigned int data_len = skb->len;
1226 struct sock *sk = tunnel->sock;
1227 int headroom, uhlen, udp_len;
1228 int ret = NET_XMIT_SUCCESS;
1229 struct inet_sock *inet;
1232 /* Check that there's enough headroom in the skb to insert IP,
1233 * UDP and L2TP headers. If not enough, expand it to
1234 * make room. Adjust truesize.
1236 uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(*uh) : 0;
1237 headroom = NET_SKB_PAD + sizeof(struct iphdr) + uhlen + session->hdr_len;
1238 if (skb_cow_head(skb, headroom)) {
1240 return NET_XMIT_DROP;
1243 /* Setup L2TP header */
1244 if (tunnel->version == L2TP_HDR_VER_2)
1245 l2tp_build_l2tpv2_header(session, __skb_push(skb, session->hdr_len));
1247 l2tp_build_l2tpv3_header(session, __skb_push(skb, session->hdr_len));
1249 /* Reset skb netfilter state */
1250 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
1251 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED);
1254 /* L2TP uses its own lockdep subclass to avoid lockdep splats caused by
1255 * nested socket calls on the same lockdep socket class. This can
1256 * happen when data from a user socket is routed over l2tp, which uses
1257 * another userspace socket.
1259 spin_lock_nested(&sk->sk_lock.slock, L2TP_DEPTH_NESTING);
1261 if (sock_owned_by_user(sk)) {
1263 ret = NET_XMIT_DROP;
1267 /* The user-space may change the connection status for the user-space
1268 * provided socket at run time: we must check it under the socket lock
1270 if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
1272 ret = NET_XMIT_DROP;
1276 /* Report transmitted length before we add encap header, which keeps
1277 * statistics consistent for both UDP and IP encap tx/rx paths.
1282 switch (tunnel->encap) {
1283 case L2TP_ENCAPTYPE_UDP:
1284 /* Setup UDP header */
1285 __skb_push(skb, sizeof(*uh));
1286 skb_reset_transport_header(skb);
1288 uh->source = inet->inet_sport;
1289 uh->dest = inet->inet_dport;
1290 udp_len = uhlen + session->hdr_len + data_len;
1291 uh->len = htons(udp_len);
1293 /* Calculate UDP checksum if configured to do so */
1294 #if IS_ENABLED(CONFIG_IPV6)
1295 if (l2tp_sk_is_v6(sk))
1296 udp6_set_csum(udp_get_no_check6_tx(sk),
1297 skb, &inet6_sk(sk)->saddr,
1298 &sk->sk_v6_daddr, udp_len);
1301 udp_set_csum(sk->sk_no_check_tx, skb, inet->inet_saddr,
1302 inet->inet_daddr, udp_len);
1305 case L2TP_ENCAPTYPE_IP:
1309 ret = l2tp_xmit_queue(tunnel, skb, &inet->cork.fl);
1312 spin_unlock(&sk->sk_lock.slock);
1317 /* If caller requires the skb to have a ppp header, the header must be
1318 * inserted in the skb data before calling this function.
1320 int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb)
1322 unsigned int len = 0;
1325 ret = l2tp_xmit_core(session, skb, &len);
1326 if (ret == NET_XMIT_SUCCESS) {
1327 atomic_long_inc(&session->tunnel->stats.tx_packets);
1328 atomic_long_add(len, &session->tunnel->stats.tx_bytes);
1329 atomic_long_inc(&session->stats.tx_packets);
1330 atomic_long_add(len, &session->stats.tx_bytes);
1332 atomic_long_inc(&session->tunnel->stats.tx_errors);
1333 atomic_long_inc(&session->stats.tx_errors);
1337 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
1339 /*****************************************************************************
1340 * Tinnel and session create/destroy.
1341 *****************************************************************************/
1343 /* Remove an l2tp session from l2tp_core's lists. */
1344 static void l2tp_session_unhash(struct l2tp_session *session)
1346 struct l2tp_tunnel *tunnel = session->tunnel;
1349 struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
1350 struct l2tp_session *removed = session;
1352 spin_lock_bh(&tunnel->list_lock);
1353 spin_lock_bh(&pn->l2tp_session_idr_lock);
1355 /* Remove from the per-tunnel list */
1356 list_del_init(&session->list);
1358 /* Remove from per-net IDR */
1359 if (tunnel->version == L2TP_HDR_VER_3) {
1360 if (hash_hashed(&session->hlist))
1361 l2tp_session_collision_del(pn, session);
1363 removed = idr_remove(&pn->l2tp_v3_session_idr,
1364 session->session_id);
1366 u32 session_key = l2tp_v2_session_key(tunnel->tunnel_id,
1367 session->session_id);
1368 removed = idr_remove(&pn->l2tp_v2_session_idr,
1371 WARN_ON_ONCE(removed && removed != session);
1373 spin_unlock_bh(&pn->l2tp_session_idr_lock);
1374 spin_unlock_bh(&tunnel->list_lock);
1378 /* When the tunnel is closed, all the attached sessions need to go too.
1380 static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
1382 struct l2tp_session *session;
1384 spin_lock_bh(&tunnel->list_lock);
1385 tunnel->acpt_newsess = false;
1386 list_for_each_entry(session, &tunnel->session_list, list)
1387 l2tp_session_delete(session);
1388 spin_unlock_bh(&tunnel->list_lock);
1391 /* Tunnel socket destroy hook for UDP encapsulation */
1392 static void l2tp_udp_encap_destroy(struct sock *sk)
1394 struct l2tp_tunnel *tunnel;
1396 tunnel = l2tp_sk_to_tunnel(sk);
1398 l2tp_tunnel_delete(tunnel);
1399 l2tp_tunnel_put(tunnel);
1403 static void l2tp_tunnel_remove(struct net *net, struct l2tp_tunnel *tunnel)
1405 struct l2tp_net *pn = l2tp_pernet(net);
1407 spin_lock_bh(&pn->l2tp_tunnel_idr_lock);
1408 idr_remove(&pn->l2tp_tunnel_idr, tunnel->tunnel_id);
1409 spin_unlock_bh(&pn->l2tp_tunnel_idr_lock);
1412 /* Workqueue tunnel deletion function */
1413 static void l2tp_tunnel_del_work(struct work_struct *work)
1415 struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
1417 struct sock *sk = tunnel->sock;
1418 struct socket *sock = sk->sk_socket;
1420 l2tp_tunnel_closeall(tunnel);
1422 /* If the tunnel socket was created within the kernel, use
1423 * the sk API to release it here.
1425 if (tunnel->fd < 0) {
1427 kernel_sock_shutdown(sock, SHUT_RDWR);
1432 l2tp_tunnel_remove(tunnel->l2tp_net, tunnel);
1433 /* drop initial ref */
1434 l2tp_tunnel_put(tunnel);
1436 /* drop workqueue ref */
1437 l2tp_tunnel_put(tunnel);
1440 /* Create a socket for the tunnel, if one isn't set up by
1441 * userspace. This is used for static tunnels where there is no
1442 * managing L2TP daemon.
1444 * Since we don't want these sockets to keep a namespace alive by
1445 * themselves, we drop the socket's namespace refcount after creation.
1446 * These sockets are freed when the namespace exits using the pernet
1449 static int l2tp_tunnel_sock_create(struct net *net,
1452 struct l2tp_tunnel_cfg *cfg,
1453 struct socket **sockp)
1456 struct socket *sock = NULL;
1457 struct udp_port_cfg udp_conf;
1459 switch (cfg->encap) {
1460 case L2TP_ENCAPTYPE_UDP:
1461 memset(&udp_conf, 0, sizeof(udp_conf));
1463 #if IS_ENABLED(CONFIG_IPV6)
1464 if (cfg->local_ip6 && cfg->peer_ip6) {
1465 udp_conf.family = AF_INET6;
1466 memcpy(&udp_conf.local_ip6, cfg->local_ip6,
1467 sizeof(udp_conf.local_ip6));
1468 memcpy(&udp_conf.peer_ip6, cfg->peer_ip6,
1469 sizeof(udp_conf.peer_ip6));
1470 udp_conf.use_udp6_tx_checksums =
1471 !cfg->udp6_zero_tx_checksums;
1472 udp_conf.use_udp6_rx_checksums =
1473 !cfg->udp6_zero_rx_checksums;
1477 udp_conf.family = AF_INET;
1478 udp_conf.local_ip = cfg->local_ip;
1479 udp_conf.peer_ip = cfg->peer_ip;
1480 udp_conf.use_udp_checksums = cfg->use_udp_checksums;
1483 udp_conf.local_udp_port = htons(cfg->local_udp_port);
1484 udp_conf.peer_udp_port = htons(cfg->peer_udp_port);
1486 err = udp_sock_create(net, &udp_conf, &sock);
1492 case L2TP_ENCAPTYPE_IP:
1493 #if IS_ENABLED(CONFIG_IPV6)
1494 if (cfg->local_ip6 && cfg->peer_ip6) {
1495 struct sockaddr_l2tpip6 ip6_addr = {0};
1497 err = sock_create_kern(net, AF_INET6, SOCK_DGRAM,
1498 IPPROTO_L2TP, &sock);
1502 ip6_addr.l2tp_family = AF_INET6;
1503 memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
1504 sizeof(ip6_addr.l2tp_addr));
1505 ip6_addr.l2tp_conn_id = tunnel_id;
1506 err = kernel_bind(sock, (struct sockaddr *)&ip6_addr,
1511 ip6_addr.l2tp_family = AF_INET6;
1512 memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
1513 sizeof(ip6_addr.l2tp_addr));
1514 ip6_addr.l2tp_conn_id = peer_tunnel_id;
1515 err = kernel_connect(sock,
1516 (struct sockaddr *)&ip6_addr,
1517 sizeof(ip6_addr), 0);
1523 struct sockaddr_l2tpip ip_addr = {0};
1525 err = sock_create_kern(net, AF_INET, SOCK_DGRAM,
1526 IPPROTO_L2TP, &sock);
1530 ip_addr.l2tp_family = AF_INET;
1531 ip_addr.l2tp_addr = cfg->local_ip;
1532 ip_addr.l2tp_conn_id = tunnel_id;
1533 err = kernel_bind(sock, (struct sockaddr *)&ip_addr,
1538 ip_addr.l2tp_family = AF_INET;
1539 ip_addr.l2tp_addr = cfg->peer_ip;
1540 ip_addr.l2tp_conn_id = peer_tunnel_id;
1541 err = kernel_connect(sock, (struct sockaddr *)&ip_addr,
1542 sizeof(ip_addr), 0);
1554 if (err < 0 && sock) {
1555 kernel_sock_shutdown(sock, SHUT_RDWR);
1563 int l2tp_tunnel_create(int fd, int version, u32 tunnel_id, u32 peer_tunnel_id,
1564 struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
1566 struct l2tp_tunnel *tunnel = NULL;
1568 enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
1573 tunnel = kzalloc(sizeof(*tunnel), GFP_KERNEL);
1579 tunnel->version = version;
1580 tunnel->tunnel_id = tunnel_id;
1581 tunnel->peer_tunnel_id = peer_tunnel_id;
1583 sprintf(&tunnel->name[0], "tunl %u", tunnel_id);
1584 spin_lock_init(&tunnel->list_lock);
1585 tunnel->acpt_newsess = true;
1586 INIT_LIST_HEAD(&tunnel->session_list);
1588 tunnel->encap = encap;
1590 refcount_set(&tunnel->ref_count, 1);
1593 /* Init delete workqueue struct */
1594 INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
1603 EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
1605 static int l2tp_validate_socket(const struct sock *sk, const struct net *net,
1606 enum l2tp_encap_type encap)
1608 struct l2tp_tunnel *tunnel;
1610 if (!net_eq(sock_net(sk), net))
1613 if (sk->sk_type != SOCK_DGRAM)
1614 return -EPROTONOSUPPORT;
1616 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
1617 return -EPROTONOSUPPORT;
1619 if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) ||
1620 (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP))
1621 return -EPROTONOSUPPORT;
1623 if (encap == L2TP_ENCAPTYPE_UDP && sk->sk_user_data)
1626 tunnel = l2tp_sk_to_tunnel(sk);
1628 l2tp_tunnel_put(tunnel);
1635 int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
1636 struct l2tp_tunnel_cfg *cfg)
1638 struct l2tp_net *pn = l2tp_pernet(net);
1639 u32 tunnel_id = tunnel->tunnel_id;
1640 struct socket *sock;
1644 spin_lock_bh(&pn->l2tp_tunnel_idr_lock);
1645 ret = idr_alloc_u32(&pn->l2tp_tunnel_idr, NULL, &tunnel_id, tunnel_id,
1647 spin_unlock_bh(&pn->l2tp_tunnel_idr_lock);
1649 return ret == -ENOSPC ? -EEXIST : ret;
1651 if (tunnel->fd < 0) {
1652 ret = l2tp_tunnel_sock_create(net, tunnel->tunnel_id,
1653 tunnel->peer_tunnel_id, cfg,
1658 sock = sockfd_lookup(tunnel->fd, &ret);
1665 write_lock_bh(&sk->sk_callback_lock);
1666 ret = l2tp_validate_socket(sk, net, tunnel->encap);
1668 goto err_inval_sock;
1669 write_unlock_bh(&sk->sk_callback_lock);
1671 if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
1672 struct udp_tunnel_sock_cfg udp_cfg = {
1673 .encap_type = UDP_ENCAP_L2TPINUDP,
1674 .encap_rcv = l2tp_udp_encap_recv,
1675 .encap_err_rcv = l2tp_udp_encap_err_recv,
1676 .encap_destroy = l2tp_udp_encap_destroy,
1679 setup_udp_tunnel_sock(net, sock, &udp_cfg);
1682 sk->sk_allocation = GFP_ATOMIC;
1687 tunnel->l2tp_net = net;
1689 spin_lock_bh(&pn->l2tp_tunnel_idr_lock);
1690 idr_replace(&pn->l2tp_tunnel_idr, tunnel, tunnel->tunnel_id);
1691 spin_unlock_bh(&pn->l2tp_tunnel_idr_lock);
1693 trace_register_tunnel(tunnel);
1695 if (tunnel->fd >= 0)
1701 write_unlock_bh(&sk->sk_callback_lock);
1709 l2tp_tunnel_remove(net, tunnel);
1712 EXPORT_SYMBOL_GPL(l2tp_tunnel_register);
1714 /* This function is used by the netlink TUNNEL_DELETE command.
1716 void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
1718 if (!test_and_set_bit(0, &tunnel->dead)) {
1719 trace_delete_tunnel(tunnel);
1720 refcount_inc(&tunnel->ref_count);
1721 queue_work(l2tp_wq, &tunnel->del_work);
1724 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
1726 void l2tp_session_delete(struct l2tp_session *session)
1728 if (!test_and_set_bit(0, &session->dead)) {
1729 trace_delete_session(session);
1730 refcount_inc(&session->ref_count);
1731 queue_work(l2tp_wq, &session->del_work);
1734 EXPORT_SYMBOL_GPL(l2tp_session_delete);
1736 /* Workqueue session deletion function */
1737 static void l2tp_session_del_work(struct work_struct *work)
1739 struct l2tp_session *session = container_of(work, struct l2tp_session,
1742 l2tp_session_unhash(session);
1743 l2tp_session_queue_purge(session);
1744 if (session->session_close)
1745 (*session->session_close)(session);
1747 /* drop initial ref */
1748 l2tp_session_put(session);
1750 /* drop workqueue ref */
1751 l2tp_session_put(session);
1754 /* We come here whenever a session's send_seq, cookie_len or
1755 * l2specific_type parameters are set.
1757 void l2tp_session_set_header_len(struct l2tp_session *session, int version,
1758 enum l2tp_encap_type encap)
1760 if (version == L2TP_HDR_VER_2) {
1761 session->hdr_len = 6;
1762 if (session->send_seq)
1763 session->hdr_len += 4;
1765 session->hdr_len = 4 + session->cookie_len;
1766 session->hdr_len += l2tp_get_l2specific_len(session);
1767 if (encap == L2TP_ENCAPTYPE_UDP)
1768 session->hdr_len += 4;
1771 EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
1773 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id,
1774 u32 peer_session_id, struct l2tp_session_cfg *cfg)
1776 struct l2tp_session *session;
1778 session = kzalloc(sizeof(*session) + priv_size, GFP_KERNEL);
1780 session->magic = L2TP_SESSION_MAGIC;
1782 session->session_id = session_id;
1783 session->peer_session_id = peer_session_id;
1785 if (tunnel->version == L2TP_HDR_VER_2)
1786 session->nr_max = 0xffff;
1788 session->nr_max = 0xffffff;
1789 session->nr_window_size = session->nr_max / 2;
1790 session->nr_oos_count_max = 4;
1792 /* Use NR of first received packet */
1793 session->reorder_skip = 1;
1795 sprintf(&session->name[0], "sess %u/%u",
1796 tunnel->tunnel_id, session->session_id);
1798 skb_queue_head_init(&session->reorder_q);
1800 session->hlist_key = l2tp_v3_session_hashkey(tunnel->sock, session->session_id);
1801 INIT_HLIST_NODE(&session->hlist);
1802 INIT_LIST_HEAD(&session->clist);
1803 INIT_LIST_HEAD(&session->list);
1804 INIT_WORK(&session->del_work, l2tp_session_del_work);
1807 session->pwtype = cfg->pw_type;
1808 session->send_seq = cfg->send_seq;
1809 session->recv_seq = cfg->recv_seq;
1810 session->lns_mode = cfg->lns_mode;
1811 session->reorder_timeout = cfg->reorder_timeout;
1812 session->l2specific_type = cfg->l2specific_type;
1813 session->cookie_len = cfg->cookie_len;
1814 memcpy(&session->cookie[0], &cfg->cookie[0], cfg->cookie_len);
1815 session->peer_cookie_len = cfg->peer_cookie_len;
1816 memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);
1819 l2tp_session_set_header_len(session, tunnel->version, tunnel->encap);
1821 refcount_set(&session->ref_count, 1);
1826 return ERR_PTR(-ENOMEM);
1828 EXPORT_SYMBOL_GPL(l2tp_session_create);
1830 /*****************************************************************************
1832 *****************************************************************************/
1834 static __net_init int l2tp_init_net(struct net *net)
1836 struct l2tp_net *pn = net_generic(net, l2tp_net_id);
1838 idr_init(&pn->l2tp_tunnel_idr);
1839 spin_lock_init(&pn->l2tp_tunnel_idr_lock);
1841 idr_init(&pn->l2tp_v2_session_idr);
1842 idr_init(&pn->l2tp_v3_session_idr);
1843 spin_lock_init(&pn->l2tp_session_idr_lock);
1848 static __net_exit void l2tp_pre_exit_net(struct net *net)
1850 struct l2tp_net *pn = l2tp_pernet(net);
1851 struct l2tp_tunnel *tunnel = NULL;
1852 unsigned long tunnel_id, tmp;
1855 idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) {
1857 l2tp_tunnel_delete(tunnel);
1859 rcu_read_unlock_bh();
1862 /* Run all TUNNEL_DELETE work items just queued. */
1863 __flush_workqueue(l2tp_wq);
1865 /* Each TUNNEL_DELETE work item will queue a SESSION_DELETE
1866 * work item for each session in the tunnel. Flush the
1867 * workqueue again to process these.
1869 __flush_workqueue(l2tp_wq);
1873 static int l2tp_idr_item_unexpected(int id, void *p, void *data)
1875 const char *idr_name = data;
1877 pr_err("l2tp: %s IDR not empty at net %d exit\n", idr_name, id);
1882 static __net_exit void l2tp_exit_net(struct net *net)
1884 struct l2tp_net *pn = l2tp_pernet(net);
1886 /* Our per-net IDRs should be empty. Check that is so, to
1887 * help catch cleanup races or refcnt leaks.
1889 idr_for_each(&pn->l2tp_v2_session_idr, l2tp_idr_item_unexpected,
1891 idr_for_each(&pn->l2tp_v3_session_idr, l2tp_idr_item_unexpected,
1893 idr_for_each(&pn->l2tp_tunnel_idr, l2tp_idr_item_unexpected,
1896 idr_destroy(&pn->l2tp_v2_session_idr);
1897 idr_destroy(&pn->l2tp_v3_session_idr);
1898 idr_destroy(&pn->l2tp_tunnel_idr);
1901 static struct pernet_operations l2tp_net_ops = {
1902 .init = l2tp_init_net,
1903 .exit = l2tp_exit_net,
1904 .pre_exit = l2tp_pre_exit_net,
1906 .size = sizeof(struct l2tp_net),
1909 static int __init l2tp_init(void)
1913 rc = register_pernet_device(&l2tp_net_ops);
1917 l2tp_wq = alloc_workqueue("l2tp", WQ_UNBOUND, 0);
1919 pr_err("alloc_workqueue failed\n");
1920 unregister_pernet_device(&l2tp_net_ops);
1925 pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
1931 static void __exit l2tp_exit(void)
1933 unregister_pernet_device(&l2tp_net_ops);
1935 destroy_workqueue(l2tp_wq);
1940 module_init(l2tp_init);
1941 module_exit(l2tp_exit);
1943 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1944 MODULE_DESCRIPTION("L2TP core");
1945 MODULE_LICENSE("GPL");
1946 MODULE_VERSION(L2TP_DRV_VERSION);
projects / linux-block.git / blob