Loading...
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*****************************************************************************
3 * Linux PPP over L2TP (PPPoX/PPPoL2TP) Sockets
4 *
5 * PPPoX --- Generic PPP encapsulation socket family
6 * PPPoL2TP --- PPP over L2TP (RFC 2661)
7 *
8 * Version: 2.0.0
9 *
10 * Authors: James Chapman (jchapman@katalix.com)
11 *
12 * Based on original work by Martijn van Oosterhout <kleptog@svana.org>
13 *
14 * License:
15 */
16
17/* This driver handles only L2TP data frames; control frames are handled by a
18 * userspace application.
19 *
20 * To send data in an L2TP session, userspace opens a PPPoL2TP socket and
21 * attaches it to a bound UDP socket with local tunnel_id / session_id and
22 * peer tunnel_id / session_id set. Data can then be sent or received using
23 * regular socket sendmsg() / recvmsg() calls. Kernel parameters of the socket
24 * can be read or modified using ioctl() or [gs]etsockopt() calls.
25 *
26 * When a PPPoL2TP socket is connected with local and peer session_id values
27 * zero, the socket is treated as a special tunnel management socket.
28 *
29 * Here's example userspace code to create a socket for sending/receiving data
30 * over an L2TP session:-
31 *
32 * struct sockaddr_pppol2tp sax;
33 * int fd;
34 * int session_fd;
35 *
36 * fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
37 *
38 * sax.sa_family = AF_PPPOX;
39 * sax.sa_protocol = PX_PROTO_OL2TP;
40 * sax.pppol2tp.fd = tunnel_fd; // bound UDP socket
41 * sax.pppol2tp.addr.sin_addr.s_addr = addr->sin_addr.s_addr;
42 * sax.pppol2tp.addr.sin_port = addr->sin_port;
43 * sax.pppol2tp.addr.sin_family = AF_INET;
44 * sax.pppol2tp.s_tunnel = tunnel_id;
45 * sax.pppol2tp.s_session = session_id;
46 * sax.pppol2tp.d_tunnel = peer_tunnel_id;
47 * sax.pppol2tp.d_session = peer_session_id;
48 *
49 * session_fd = connect(fd, (struct sockaddr *)&sax, sizeof(sax));
50 *
51 * A pppd plugin that allows PPP traffic to be carried over L2TP using
52 * this driver is available from the OpenL2TP project at
53 * http://openl2tp.sourceforge.net.
54 */
55
56#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
57
58#include <linux/module.h>
59#include <linux/string.h>
60#include <linux/list.h>
61#include <linux/uaccess.h>
62
63#include <linux/kernel.h>
64#include <linux/spinlock.h>
65#include <linux/kthread.h>
66#include <linux/sched.h>
67#include <linux/slab.h>
68#include <linux/errno.h>
69#include <linux/jiffies.h>
70
71#include <linux/netdevice.h>
72#include <linux/net.h>
73#include <linux/inetdevice.h>
74#include <linux/skbuff.h>
75#include <linux/init.h>
76#include <linux/ip.h>
77#include <linux/udp.h>
78#include <linux/if_pppox.h>
79#include <linux/if_pppol2tp.h>
80#include <net/sock.h>
81#include <linux/ppp_channel.h>
82#include <linux/ppp_defs.h>
83#include <linux/ppp-ioctl.h>
84#include <linux/file.h>
85#include <linux/hash.h>
86#include <linux/sort.h>
87#include <linux/proc_fs.h>
88#include <linux/l2tp.h>
89#include <linux/nsproxy.h>
90#include <net/net_namespace.h>
91#include <net/netns/generic.h>
92#include <net/ip.h>
93#include <net/udp.h>
94#include <net/inet_common.h>
95
96#include <asm/byteorder.h>
97#include <linux/atomic.h>
98
99#include "l2tp_core.h"
100
101#define PPPOL2TP_DRV_VERSION "V2.0"
102
103/* Space for UDP, L2TP and PPP headers */
104#define PPPOL2TP_HEADER_OVERHEAD 40
105
106/* Number of bytes to build transmit L2TP headers.
107 * Unfortunately the size is different depending on whether sequence numbers
108 * are enabled.
109 */
110#define PPPOL2TP_L2TP_HDR_SIZE_SEQ 10
111#define PPPOL2TP_L2TP_HDR_SIZE_NOSEQ 6
112
113/* Private data of each session. This data lives at the end of struct
114 * l2tp_session, referenced via session->priv[].
115 */
116struct pppol2tp_session {
117 int owner; /* pid that opened the socket */
118
119 struct mutex sk_lock; /* Protects .sk */
120 struct sock __rcu *sk; /* Pointer to the session PPPoX socket */
121 struct sock *__sk; /* Copy of .sk, for cleanup */
122};
123
124static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb);
125
126static const struct ppp_channel_ops pppol2tp_chan_ops = {
127 .start_xmit = pppol2tp_xmit,
128};
129
130static const struct proto_ops pppol2tp_ops;
131
132/* Retrieves the pppol2tp socket associated to a session.
133 * A reference is held on the returned socket, so this function must be paired
134 * with sock_put().
135 */
136static struct sock *pppol2tp_session_get_sock(struct l2tp_session *session)
137{
138 struct pppol2tp_session *ps = l2tp_session_priv(session);
139 struct sock *sk;
140
141 rcu_read_lock();
142 sk = rcu_dereference(ps->sk);
143 if (sk)
144 sock_hold(sk);
145 rcu_read_unlock();
146
147 return sk;
148}
149
150/* Helpers to obtain tunnel/session contexts from sockets.
151 */
152static struct l2tp_session *pppol2tp_sock_to_session(struct sock *sk)
153{
154 struct l2tp_session *session;
155
156 if (!sk)
157 return NULL;
158
159 rcu_read_lock();
160 session = rcu_dereference_sk_user_data(sk);
161 if (session && refcount_inc_not_zero(&session->ref_count)) {
162 rcu_read_unlock();
163 WARN_ON_ONCE(session->magic != L2TP_SESSION_MAGIC);
164 return session;
165 }
166 rcu_read_unlock();
167
168 return NULL;
169}
170
171/*****************************************************************************
172 * Receive data handling
173 *****************************************************************************/
174
175/* Receive message. This is the recvmsg for the PPPoL2TP socket.
176 */
177static int pppol2tp_recvmsg(struct socket *sock, struct msghdr *msg,
178 size_t len, int flags)
179{
180 int err;
181 struct sk_buff *skb;
182 struct sock *sk = sock->sk;
183
184 err = -EIO;
185 if (sk->sk_state & PPPOX_BOUND)
186 goto end;
187
188 err = 0;
189 skb = skb_recv_datagram(sk, flags, &err);
190 if (!skb)
191 goto end;
192
193 if (len > skb->len)
194 len = skb->len;
195 else if (len < skb->len)
196 msg->msg_flags |= MSG_TRUNC;
197
198 err = skb_copy_datagram_msg(skb, 0, msg, len);
199 if (likely(err == 0))
200 err = len;
201
202 kfree_skb(skb);
203end:
204 return err;
205}
206
207static void pppol2tp_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len)
208{
209 struct pppol2tp_session *ps = l2tp_session_priv(session);
210 struct sock *sk = NULL;
211
212 /* If the socket is bound, send it in to PPP's input queue. Otherwise
213 * queue it on the session socket.
214 */
215 rcu_read_lock();
216 sk = rcu_dereference(ps->sk);
217 if (!sk)
218 goto no_sock;
219
220 /* If the first two bytes are 0xFF03, consider that it is the PPP's
221 * Address and Control fields and skip them. The L2TP module has always
222 * worked this way, although, in theory, the use of these fields should
223 * be negotiated and handled at the PPP layer. These fields are
224 * constant: 0xFF is the All-Stations Address and 0x03 the Unnumbered
225 * Information command with Poll/Final bit set to zero (RFC 1662).
226 */
227 if (pskb_may_pull(skb, 2) && skb->data[0] == PPP_ALLSTATIONS &&
228 skb->data[1] == PPP_UI)
229 skb_pull(skb, 2);
230
231 if (sk->sk_state & PPPOX_BOUND) {
232 struct pppox_sock *po;
233
234 po = pppox_sk(sk);
235 ppp_input(&po->chan, skb);
236 } else {
237 if (sock_queue_rcv_skb(sk, skb) < 0) {
238 atomic_long_inc(&session->stats.rx_errors);
239 kfree_skb(skb);
240 }
241 }
242 rcu_read_unlock();
243
244 return;
245
246no_sock:
247 rcu_read_unlock();
248 pr_warn_ratelimited("%s: no socket in recv\n", session->name);
249 kfree_skb(skb);
250}
251
252/************************************************************************
253 * Transmit handling
254 ***********************************************************************/
255
256/* This is the sendmsg for the PPPoL2TP pppol2tp_session socket. We come here
257 * when a user application does a sendmsg() on the session socket. L2TP and
258 * PPP headers must be inserted into the user's data.
259 */
260static int pppol2tp_sendmsg(struct socket *sock, struct msghdr *m,
261 size_t total_len)
262{
263 struct sock *sk = sock->sk;
264 struct sk_buff *skb;
265 int error;
266 struct l2tp_session *session;
267 struct l2tp_tunnel *tunnel;
268 int uhlen;
269
270 error = -ENOTCONN;
271 if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
272 goto error;
273
274 /* Get session and tunnel contexts */
275 error = -EBADF;
276 session = pppol2tp_sock_to_session(sk);
277 if (!session)
278 goto error;
279
280 tunnel = session->tunnel;
281
282 uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
283
284 /* Allocate a socket buffer */
285 error = -ENOMEM;
286 skb = sock_wmalloc(sk, NET_SKB_PAD + sizeof(struct iphdr) +
287 uhlen + session->hdr_len +
288 2 + total_len, /* 2 bytes for PPP_ALLSTATIONS & PPP_UI */
289 0, GFP_KERNEL);
290 if (!skb)
291 goto error_put_sess;
292
293 /* Reserve space for headers. */
294 skb_reserve(skb, NET_SKB_PAD);
295 skb_reset_network_header(skb);
296 skb_reserve(skb, sizeof(struct iphdr));
297 skb_reset_transport_header(skb);
298 skb_reserve(skb, uhlen);
299
300 /* Add PPP header */
301 skb->data[0] = PPP_ALLSTATIONS;
302 skb->data[1] = PPP_UI;
303 skb_put(skb, 2);
304
305 /* Copy user data into skb */
306 error = memcpy_from_msg(skb_put(skb, total_len), m, total_len);
307 if (error < 0) {
308 kfree_skb(skb);
309 goto error_put_sess;
310 }
311
312 local_bh_disable();
313 l2tp_xmit_skb(session, skb);
314 local_bh_enable();
315
316 l2tp_session_put(session);
317
318 return total_len;
319
320error_put_sess:
321 l2tp_session_put(session);
322error:
323 return error;
324}
325
326/* Transmit function called by generic PPP driver. Sends PPP frame
327 * over PPPoL2TP socket.
328 *
329 * This is almost the same as pppol2tp_sendmsg(), but rather than
330 * being called with a msghdr from userspace, it is called with a skb
331 * from the kernel.
332 *
333 * The supplied skb from ppp doesn't have enough headroom for the
334 * insertion of L2TP, UDP and IP headers so we need to allocate more
335 * headroom in the skb. This will create a cloned skb. But we must be
336 * careful in the error case because the caller will expect to free
337 * the skb it supplied, not our cloned skb. So we take care to always
338 * leave the original skb unfreed if we return an error.
339 */
340static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
341{
342 struct sock *sk = (struct sock *)chan->private;
343 struct l2tp_session *session;
344 struct l2tp_tunnel *tunnel;
345 int uhlen, headroom;
346
347 if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
348 goto abort;
349
350 /* Get session and tunnel contexts from the socket */
351 session = pppol2tp_sock_to_session(sk);
352 if (!session)
353 goto abort;
354
355 tunnel = session->tunnel;
356
357 uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
358 headroom = NET_SKB_PAD +
359 sizeof(struct iphdr) + /* IP header */
360 uhlen + /* UDP header (if L2TP_ENCAPTYPE_UDP) */
361 session->hdr_len + /* L2TP header */
362 2; /* 2 bytes for PPP_ALLSTATIONS & PPP_UI */
363 if (skb_cow_head(skb, headroom))
364 goto abort_put_sess;
365
366 /* Setup PPP header */
367 __skb_push(skb, 2);
368 skb->data[0] = PPP_ALLSTATIONS;
369 skb->data[1] = PPP_UI;
370
371 local_bh_disable();
372 l2tp_xmit_skb(session, skb);
373 local_bh_enable();
374
375 l2tp_session_put(session);
376
377 return 1;
378
379abort_put_sess:
380 l2tp_session_put(session);
381abort:
382 /* Free the original skb */
383 kfree_skb(skb);
384 return 1;
385}
386
387/*****************************************************************************
388 * Session (and tunnel control) socket create/destroy.
389 *****************************************************************************/
390
391/* Really kill the session socket. (Called from sock_put() if
392 * refcnt == 0.)
393 */
394static void pppol2tp_session_destruct(struct sock *sk)
395{
396 skb_queue_purge(&sk->sk_receive_queue);
397 skb_queue_purge(&sk->sk_write_queue);
398}
399
400static void pppol2tp_session_close(struct l2tp_session *session)
401{
402 struct pppol2tp_session *ps;
403
404 ps = l2tp_session_priv(session);
405 mutex_lock(&ps->sk_lock);
406 ps->__sk = rcu_dereference_protected(ps->sk,
407 lockdep_is_held(&ps->sk_lock));
408 RCU_INIT_POINTER(ps->sk, NULL);
409 mutex_unlock(&ps->sk_lock);
410 if (ps->__sk) {
411 /* detach socket */
412 rcu_assign_sk_user_data(ps->__sk, NULL);
413 sock_put(ps->__sk);
414
415 /* drop ref taken when we referenced socket via sk_user_data */
416 l2tp_session_put(session);
417 }
418}
419
420/* Called when the PPPoX socket (session) is closed.
421 */
422static int pppol2tp_release(struct socket *sock)
423{
424 struct sock *sk = sock->sk;
425 struct l2tp_session *session;
426 int error;
427
428 if (!sk)
429 return 0;
430
431 error = -EBADF;
432 lock_sock(sk);
433 if (sock_flag(sk, SOCK_DEAD) != 0)
434 goto error;
435
436 pppox_unbind_sock(sk);
437
438 /* Signal the death of the socket. */
439 sk->sk_state = PPPOX_DEAD;
440 sock_orphan(sk);
441 sock->sk = NULL;
442
443 session = pppol2tp_sock_to_session(sk);
444 if (session) {
445 l2tp_session_delete(session);
446 /* drop ref taken by pppol2tp_sock_to_session */
447 l2tp_session_put(session);
448 }
449
450 release_sock(sk);
451
452 sock_put(sk);
453
454 return 0;
455
456error:
457 release_sock(sk);
458 return error;
459}
460
461static struct proto pppol2tp_sk_proto = {
462 .name = "PPPOL2TP",
463 .owner = THIS_MODULE,
464 .obj_size = sizeof(struct pppox_sock),
465};
466
467static int pppol2tp_backlog_recv(struct sock *sk, struct sk_buff *skb)
468{
469 int rc;
470
471 rc = l2tp_udp_encap_recv(sk, skb);
472 if (rc)
473 kfree_skb(skb);
474
475 return NET_RX_SUCCESS;
476}
477
478/* socket() handler. Initialize a new struct sock.
479 */
480static int pppol2tp_create(struct net *net, struct socket *sock, int kern)
481{
482 int error = -ENOMEM;
483 struct sock *sk;
484
485 sk = sk_alloc(net, PF_PPPOX, GFP_KERNEL, &pppol2tp_sk_proto, kern);
486 if (!sk)
487 goto out;
488
489 sock_init_data(sock, sk);
490 sock_set_flag(sk, SOCK_RCU_FREE);
491
492 sock->state = SS_UNCONNECTED;
493 sock->ops = &pppol2tp_ops;
494
495 sk->sk_backlog_rcv = pppol2tp_backlog_recv;
496 sk->sk_protocol = PX_PROTO_OL2TP;
497 sk->sk_family = PF_PPPOX;
498 sk->sk_state = PPPOX_NONE;
499 sk->sk_type = SOCK_STREAM;
500 sk->sk_destruct = pppol2tp_session_destruct;
501
502 error = 0;
503
504out:
505 return error;
506}
507
508static void pppol2tp_show(struct seq_file *m, void *arg)
509{
510 struct l2tp_session *session = arg;
511 struct sock *sk;
512
513 sk = pppol2tp_session_get_sock(session);
514 if (sk) {
515 struct pppox_sock *po = pppox_sk(sk);
516
517 seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan));
518 sock_put(sk);
519 }
520}
521
522static void pppol2tp_session_init(struct l2tp_session *session)
523{
524 struct pppol2tp_session *ps;
525
526 session->recv_skb = pppol2tp_recv;
527 session->session_close = pppol2tp_session_close;
528 if (IS_ENABLED(CONFIG_L2TP_DEBUGFS))
529 session->show = pppol2tp_show;
530
531 ps = l2tp_session_priv(session);
532 mutex_init(&ps->sk_lock);
533 ps->owner = current->pid;
534}
535
536struct l2tp_connect_info {
537 u8 version;
538 int fd;
539 u32 tunnel_id;
540 u32 peer_tunnel_id;
541 u32 session_id;
542 u32 peer_session_id;
543};
544
545static int pppol2tp_sockaddr_get_info(const void *sa, int sa_len,
546 struct l2tp_connect_info *info)
547{
548 switch (sa_len) {
549 case sizeof(struct sockaddr_pppol2tp):
550 {
551 const struct sockaddr_pppol2tp *sa_v2in4 = sa;
552
553 if (sa_v2in4->sa_protocol != PX_PROTO_OL2TP)
554 return -EINVAL;
555
556 info->version = 2;
557 info->fd = sa_v2in4->pppol2tp.fd;
558 info->tunnel_id = sa_v2in4->pppol2tp.s_tunnel;
559 info->peer_tunnel_id = sa_v2in4->pppol2tp.d_tunnel;
560 info->session_id = sa_v2in4->pppol2tp.s_session;
561 info->peer_session_id = sa_v2in4->pppol2tp.d_session;
562
563 break;
564 }
565 case sizeof(struct sockaddr_pppol2tpv3):
566 {
567 const struct sockaddr_pppol2tpv3 *sa_v3in4 = sa;
568
569 if (sa_v3in4->sa_protocol != PX_PROTO_OL2TP)
570 return -EINVAL;
571
572 info->version = 3;
573 info->fd = sa_v3in4->pppol2tp.fd;
574 info->tunnel_id = sa_v3in4->pppol2tp.s_tunnel;
575 info->peer_tunnel_id = sa_v3in4->pppol2tp.d_tunnel;
576 info->session_id = sa_v3in4->pppol2tp.s_session;
577 info->peer_session_id = sa_v3in4->pppol2tp.d_session;
578
579 break;
580 }
581 case sizeof(struct sockaddr_pppol2tpin6):
582 {
583 const struct sockaddr_pppol2tpin6 *sa_v2in6 = sa;
584
585 if (sa_v2in6->sa_protocol != PX_PROTO_OL2TP)
586 return -EINVAL;
587
588 info->version = 2;
589 info->fd = sa_v2in6->pppol2tp.fd;
590 info->tunnel_id = sa_v2in6->pppol2tp.s_tunnel;
591 info->peer_tunnel_id = sa_v2in6->pppol2tp.d_tunnel;
592 info->session_id = sa_v2in6->pppol2tp.s_session;
593 info->peer_session_id = sa_v2in6->pppol2tp.d_session;
594
595 break;
596 }
597 case sizeof(struct sockaddr_pppol2tpv3in6):
598 {
599 const struct sockaddr_pppol2tpv3in6 *sa_v3in6 = sa;
600
601 if (sa_v3in6->sa_protocol != PX_PROTO_OL2TP)
602 return -EINVAL;
603
604 info->version = 3;
605 info->fd = sa_v3in6->pppol2tp.fd;
606 info->tunnel_id = sa_v3in6->pppol2tp.s_tunnel;
607 info->peer_tunnel_id = sa_v3in6->pppol2tp.d_tunnel;
608 info->session_id = sa_v3in6->pppol2tp.s_session;
609 info->peer_session_id = sa_v3in6->pppol2tp.d_session;
610
611 break;
612 }
613 default:
614 return -EINVAL;
615 }
616
617 return 0;
618}
619
620/* Rough estimation of the maximum payload size a tunnel can transmit without
621 * fragmenting at the lower IP layer. Assumes L2TPv2 with sequence
622 * numbers and no IP option. Not quite accurate, but the result is mostly
623 * unused anyway.
624 */
625static int pppol2tp_tunnel_mtu(const struct l2tp_tunnel *tunnel)
626{
627 int mtu;
628
629 mtu = l2tp_tunnel_dst_mtu(tunnel);
630 if (mtu <= PPPOL2TP_HEADER_OVERHEAD)
631 return 1500 - PPPOL2TP_HEADER_OVERHEAD;
632
633 return mtu - PPPOL2TP_HEADER_OVERHEAD;
634}
635
636static struct l2tp_tunnel *pppol2tp_tunnel_get(struct net *net,
637 const struct l2tp_connect_info *info,
638 bool *new_tunnel)
639{
640 struct l2tp_tunnel *tunnel;
641 int error;
642
643 *new_tunnel = false;
644
645 tunnel = l2tp_tunnel_get(net, info->tunnel_id);
646
647 /* Special case: create tunnel context if session_id and
648 * peer_session_id is 0. Otherwise look up tunnel using supplied
649 * tunnel id.
650 */
651 if (!info->session_id && !info->peer_session_id) {
652 if (!tunnel) {
653 struct l2tp_tunnel_cfg tcfg = {
654 .encap = L2TP_ENCAPTYPE_UDP,
655 };
656
657 /* Prevent l2tp_tunnel_register() from trying to set up
658 * a kernel socket.
659 */
660 if (info->fd < 0)
661 return ERR_PTR(-EBADF);
662
663 error = l2tp_tunnel_create(info->fd,
664 info->version,
665 info->tunnel_id,
666 info->peer_tunnel_id, &tcfg,
667 &tunnel);
668 if (error < 0)
669 return ERR_PTR(error);
670
671 refcount_inc(&tunnel->ref_count);
672 error = l2tp_tunnel_register(tunnel, net, &tcfg);
673 if (error < 0) {
674 kfree(tunnel);
675 return ERR_PTR(error);
676 }
677
678 *new_tunnel = true;
679 }
680 } else {
681 /* Error if we can't find the tunnel */
682 if (!tunnel)
683 return ERR_PTR(-ENOENT);
684
685 /* Error if socket is not prepped */
686 if (!tunnel->sock) {
687 l2tp_tunnel_put(tunnel);
688 return ERR_PTR(-ENOENT);
689 }
690 }
691
692 return tunnel;
693}
694
695/* connect() handler. Attach a PPPoX socket to a tunnel UDP socket
696 */
697static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
698 int sockaddr_len, int flags)
699{
700 struct sock *sk = sock->sk;
701 struct pppox_sock *po = pppox_sk(sk);
702 struct l2tp_session *session = NULL;
703 struct l2tp_connect_info info;
704 struct l2tp_tunnel *tunnel;
705 struct pppol2tp_session *ps;
706 struct l2tp_session_cfg cfg = { 0, };
707 bool drop_refcnt = false;
708 bool new_session = false;
709 bool new_tunnel = false;
710 int error;
711
712 error = pppol2tp_sockaddr_get_info(uservaddr, sockaddr_len, &info);
713 if (error < 0)
714 return error;
715
716 /* Don't bind if tunnel_id is 0 */
717 if (!info.tunnel_id)
718 return -EINVAL;
719
720 tunnel = pppol2tp_tunnel_get(sock_net(sk), &info, &new_tunnel);
721 if (IS_ERR(tunnel))
722 return PTR_ERR(tunnel);
723
724 lock_sock(sk);
725
726 /* Check for already bound sockets */
727 error = -EBUSY;
728 if (sk->sk_state & PPPOX_CONNECTED)
729 goto end;
730
731 /* We don't supporting rebinding anyway */
732 error = -EALREADY;
733 if (sk->sk_user_data)
734 goto end; /* socket is already attached */
735
736 if (tunnel->peer_tunnel_id == 0)
737 tunnel->peer_tunnel_id = info.peer_tunnel_id;
738
739 session = l2tp_session_get(sock_net(sk), tunnel->sock, tunnel->version,
740 info.tunnel_id, info.session_id);
741 if (session) {
742 drop_refcnt = true;
743
744 if (session->pwtype != L2TP_PWTYPE_PPP) {
745 error = -EPROTOTYPE;
746 goto end;
747 }
748
749 ps = l2tp_session_priv(session);
750
751 /* Using a pre-existing session is fine as long as it hasn't
752 * been connected yet.
753 */
754 mutex_lock(&ps->sk_lock);
755 if (rcu_dereference_protected(ps->sk,
756 lockdep_is_held(&ps->sk_lock)) ||
757 ps->__sk) {
758 mutex_unlock(&ps->sk_lock);
759 error = -EEXIST;
760 goto end;
761 }
762 } else {
763 cfg.pw_type = L2TP_PWTYPE_PPP;
764
765 session = l2tp_session_create(sizeof(struct pppol2tp_session),
766 tunnel, info.session_id,
767 info.peer_session_id, &cfg);
768 if (IS_ERR(session)) {
769 error = PTR_ERR(session);
770 goto end;
771 }
772
773 drop_refcnt = true;
774
775 pppol2tp_session_init(session);
776 ps = l2tp_session_priv(session);
777 refcount_inc(&session->ref_count);
778
779 mutex_lock(&ps->sk_lock);
780 error = l2tp_session_register(session, tunnel);
781 if (error < 0) {
782 mutex_unlock(&ps->sk_lock);
783 l2tp_session_put(session);
784 goto end;
785 }
786
787 new_session = true;
788 }
789
790 /* Special case: if source & dest session_id == 0x0000, this
791 * socket is being created to manage the tunnel. Just set up
792 * the internal context for use by ioctl() and sockopt()
793 * handlers.
794 */
795 if (session->session_id == 0 && session->peer_session_id == 0) {
796 error = 0;
797 goto out_no_ppp;
798 }
799
800 /* The only header we need to worry about is the L2TP
801 * header. This size is different depending on whether
802 * sequence numbers are enabled for the data channel.
803 */
804 po->chan.hdrlen = PPPOL2TP_L2TP_HDR_SIZE_NOSEQ;
805
806 po->chan.private = sk;
807 po->chan.ops = &pppol2tp_chan_ops;
808 po->chan.mtu = pppol2tp_tunnel_mtu(tunnel);
809
810 error = ppp_register_net_channel(sock_net(sk), &po->chan);
811 if (error) {
812 mutex_unlock(&ps->sk_lock);
813 goto end;
814 }
815
816out_no_ppp:
817 /* This is how we get the session context from the socket. */
818 sock_hold(sk);
819 rcu_assign_sk_user_data(sk, session);
820 rcu_assign_pointer(ps->sk, sk);
821 mutex_unlock(&ps->sk_lock);
822
823 /* Keep the reference we've grabbed on the session: sk doesn't expect
824 * the session to disappear. pppol2tp_session_close() is responsible
825 * for dropping it.
826 */
827 drop_refcnt = false;
828
829 sk->sk_state = PPPOX_CONNECTED;
830
831end:
832 if (error) {
833 if (new_session)
834 l2tp_session_delete(session);
835 if (new_tunnel)
836 l2tp_tunnel_delete(tunnel);
837 }
838 if (drop_refcnt)
839 l2tp_session_put(session);
840 l2tp_tunnel_put(tunnel);
841 release_sock(sk);
842
843 return error;
844}
845
846#ifdef CONFIG_L2TP_V3
847
848/* Called when creating sessions via the netlink interface. */
849static int pppol2tp_session_create(struct net *net, struct l2tp_tunnel *tunnel,
850 u32 session_id, u32 peer_session_id,
851 struct l2tp_session_cfg *cfg)
852{
853 int error;
854 struct l2tp_session *session;
855
856 /* Error if tunnel socket is not prepped */
857 if (!tunnel->sock) {
858 error = -ENOENT;
859 goto err;
860 }
861
862 /* Allocate and initialize a new session context. */
863 session = l2tp_session_create(sizeof(struct pppol2tp_session),
864 tunnel, session_id,
865 peer_session_id, cfg);
866 if (IS_ERR(session)) {
867 error = PTR_ERR(session);
868 goto err;
869 }
870
871 pppol2tp_session_init(session);
872
873 error = l2tp_session_register(session, tunnel);
874 if (error < 0)
875 goto err_sess;
876
877 return 0;
878
879err_sess:
880 l2tp_session_put(session);
881err:
882 return error;
883}
884
885#endif /* CONFIG_L2TP_V3 */
886
887/* getname() support.
888 */
889static int pppol2tp_getname(struct socket *sock, struct sockaddr *uaddr,
890 int peer)
891{
892 int len = 0;
893 int error = 0;
894 struct l2tp_session *session;
895 struct l2tp_tunnel *tunnel;
896 struct sock *sk = sock->sk;
897 struct inet_sock *inet;
898 struct pppol2tp_session *pls;
899
900 error = -ENOTCONN;
901 if (!sk)
902 goto end;
903 if (!(sk->sk_state & PPPOX_CONNECTED))
904 goto end;
905
906 error = -EBADF;
907 session = pppol2tp_sock_to_session(sk);
908 if (!session)
909 goto end;
910
911 pls = l2tp_session_priv(session);
912 tunnel = session->tunnel;
913
914 inet = inet_sk(tunnel->sock);
915 if (tunnel->version == 2 && tunnel->sock->sk_family == AF_INET) {
916 struct sockaddr_pppol2tp sp;
917
918 len = sizeof(sp);
919 memset(&sp, 0, len);
920 sp.sa_family = AF_PPPOX;
921 sp.sa_protocol = PX_PROTO_OL2TP;
922 sp.pppol2tp.fd = tunnel->fd;
923 sp.pppol2tp.pid = pls->owner;
924 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
925 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
926 sp.pppol2tp.s_session = session->session_id;
927 sp.pppol2tp.d_session = session->peer_session_id;
928 sp.pppol2tp.addr.sin_family = AF_INET;
929 sp.pppol2tp.addr.sin_port = inet->inet_dport;
930 sp.pppol2tp.addr.sin_addr.s_addr = inet->inet_daddr;
931 memcpy(uaddr, &sp, len);
932#if IS_ENABLED(CONFIG_IPV6)
933 } else if (tunnel->version == 2 && tunnel->sock->sk_family == AF_INET6) {
934 struct sockaddr_pppol2tpin6 sp;
935
936 len = sizeof(sp);
937 memset(&sp, 0, len);
938 sp.sa_family = AF_PPPOX;
939 sp.sa_protocol = PX_PROTO_OL2TP;
940 sp.pppol2tp.fd = tunnel->fd;
941 sp.pppol2tp.pid = pls->owner;
942 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
943 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
944 sp.pppol2tp.s_session = session->session_id;
945 sp.pppol2tp.d_session = session->peer_session_id;
946 sp.pppol2tp.addr.sin6_family = AF_INET6;
947 sp.pppol2tp.addr.sin6_port = inet->inet_dport;
948 memcpy(&sp.pppol2tp.addr.sin6_addr, &tunnel->sock->sk_v6_daddr,
949 sizeof(tunnel->sock->sk_v6_daddr));
950 memcpy(uaddr, &sp, len);
951 } else if (tunnel->version == 3 && tunnel->sock->sk_family == AF_INET6) {
952 struct sockaddr_pppol2tpv3in6 sp;
953
954 len = sizeof(sp);
955 memset(&sp, 0, len);
956 sp.sa_family = AF_PPPOX;
957 sp.sa_protocol = PX_PROTO_OL2TP;
958 sp.pppol2tp.fd = tunnel->fd;
959 sp.pppol2tp.pid = pls->owner;
960 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
961 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
962 sp.pppol2tp.s_session = session->session_id;
963 sp.pppol2tp.d_session = session->peer_session_id;
964 sp.pppol2tp.addr.sin6_family = AF_INET6;
965 sp.pppol2tp.addr.sin6_port = inet->inet_dport;
966 memcpy(&sp.pppol2tp.addr.sin6_addr, &tunnel->sock->sk_v6_daddr,
967 sizeof(tunnel->sock->sk_v6_daddr));
968 memcpy(uaddr, &sp, len);
969#endif
970 } else if (tunnel->version == 3) {
971 struct sockaddr_pppol2tpv3 sp;
972
973 len = sizeof(sp);
974 memset(&sp, 0, len);
975 sp.sa_family = AF_PPPOX;
976 sp.sa_protocol = PX_PROTO_OL2TP;
977 sp.pppol2tp.fd = tunnel->fd;
978 sp.pppol2tp.pid = pls->owner;
979 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
980 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
981 sp.pppol2tp.s_session = session->session_id;
982 sp.pppol2tp.d_session = session->peer_session_id;
983 sp.pppol2tp.addr.sin_family = AF_INET;
984 sp.pppol2tp.addr.sin_port = inet->inet_dport;
985 sp.pppol2tp.addr.sin_addr.s_addr = inet->inet_daddr;
986 memcpy(uaddr, &sp, len);
987 }
988
989 error = len;
990
991 l2tp_session_put(session);
992end:
993 return error;
994}
995
996/****************************************************************************
997 * ioctl() handlers.
998 *
999 * The PPPoX socket is created for L2TP sessions: tunnels have their own UDP
1000 * sockets. However, in order to control kernel tunnel features, we allow
1001 * userspace to create a special "tunnel" PPPoX socket which is used for
1002 * control only. Tunnel PPPoX sockets have session_id == 0 and simply allow
1003 * the user application to issue L2TP setsockopt(), getsockopt() and ioctl()
1004 * calls.
1005 ****************************************************************************/
1006
1007static void pppol2tp_copy_stats(struct pppol2tp_ioc_stats *dest,
1008 const struct l2tp_stats *stats)
1009{
1010 memset(dest, 0, sizeof(*dest));
1011
1012 dest->tx_packets = atomic_long_read(&stats->tx_packets);
1013 dest->tx_bytes = atomic_long_read(&stats->tx_bytes);
1014 dest->tx_errors = atomic_long_read(&stats->tx_errors);
1015 dest->rx_packets = atomic_long_read(&stats->rx_packets);
1016 dest->rx_bytes = atomic_long_read(&stats->rx_bytes);
1017 dest->rx_seq_discards = atomic_long_read(&stats->rx_seq_discards);
1018 dest->rx_oos_packets = atomic_long_read(&stats->rx_oos_packets);
1019 dest->rx_errors = atomic_long_read(&stats->rx_errors);
1020}
1021
1022static int pppol2tp_tunnel_copy_stats(struct pppol2tp_ioc_stats *stats,
1023 struct l2tp_tunnel *tunnel)
1024{
1025 struct l2tp_session *session;
1026
1027 if (!stats->session_id) {
1028 pppol2tp_copy_stats(stats, &tunnel->stats);
1029 return 0;
1030 }
1031
1032 /* If session_id is set, search the corresponding session in the
1033 * context of this tunnel and record the session's statistics.
1034 */
1035 session = l2tp_session_get(tunnel->l2tp_net, tunnel->sock, tunnel->version,
1036 tunnel->tunnel_id, stats->session_id);
1037 if (!session)
1038 return -EBADR;
1039
1040 if (session->pwtype != L2TP_PWTYPE_PPP) {
1041 l2tp_session_put(session);
1042 return -EBADR;
1043 }
1044
1045 pppol2tp_copy_stats(stats, &session->stats);
1046 l2tp_session_put(session);
1047
1048 return 0;
1049}
1050
1051static int pppol2tp_ioctl(struct socket *sock, unsigned int cmd,
1052 unsigned long arg)
1053{
1054 struct pppol2tp_ioc_stats stats;
1055 struct l2tp_session *session;
1056
1057 switch (cmd) {
1058 case PPPIOCGMRU:
1059 case PPPIOCGFLAGS:
1060 session = sock->sk->sk_user_data;
1061 if (!session)
1062 return -ENOTCONN;
1063
1064 if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
1065 return -EBADF;
1066
1067 /* Not defined for tunnels */
1068 if (!session->session_id && !session->peer_session_id)
1069 return -ENOSYS;
1070
1071 if (put_user(0, (int __user *)arg))
1072 return -EFAULT;
1073 break;
1074
1075 case PPPIOCSMRU:
1076 case PPPIOCSFLAGS:
1077 session = sock->sk->sk_user_data;
1078 if (!session)
1079 return -ENOTCONN;
1080
1081 if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
1082 return -EBADF;
1083
1084 /* Not defined for tunnels */
1085 if (!session->session_id && !session->peer_session_id)
1086 return -ENOSYS;
1087
1088 if (!access_ok((int __user *)arg, sizeof(int)))
1089 return -EFAULT;
1090 break;
1091
1092 case PPPIOCGL2TPSTATS:
1093 session = sock->sk->sk_user_data;
1094 if (!session)
1095 return -ENOTCONN;
1096
1097 if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
1098 return -EBADF;
1099
1100 /* Session 0 represents the parent tunnel */
1101 if (!session->session_id && !session->peer_session_id) {
1102 u32 session_id;
1103 int err;
1104
1105 if (copy_from_user(&stats, (void __user *)arg,
1106 sizeof(stats)))
1107 return -EFAULT;
1108
1109 session_id = stats.session_id;
1110 err = pppol2tp_tunnel_copy_stats(&stats,
1111 session->tunnel);
1112 if (err < 0)
1113 return err;
1114
1115 stats.session_id = session_id;
1116 } else {
1117 pppol2tp_copy_stats(&stats, &session->stats);
1118 stats.session_id = session->session_id;
1119 }
1120 stats.tunnel_id = session->tunnel->tunnel_id;
1121 stats.using_ipsec = l2tp_tunnel_uses_xfrm(session->tunnel);
1122
1123 if (copy_to_user((void __user *)arg, &stats, sizeof(stats)))
1124 return -EFAULT;
1125 break;
1126
1127 default:
1128 return -ENOIOCTLCMD;
1129 }
1130
1131 return 0;
1132}
1133
1134/*****************************************************************************
1135 * setsockopt() / getsockopt() support.
1136 *
1137 * The PPPoX socket is created for L2TP sessions: tunnels have their own UDP
1138 * sockets. In order to control kernel tunnel features, we allow userspace to
1139 * create a special "tunnel" PPPoX socket which is used for control only.
1140 * Tunnel PPPoX sockets have session_id == 0 and simply allow the user
1141 * application to issue L2TP setsockopt(), getsockopt() and ioctl() calls.
1142 *****************************************************************************/
1143
1144/* Tunnel setsockopt() helper.
1145 */
1146static int pppol2tp_tunnel_setsockopt(struct sock *sk,
1147 struct l2tp_tunnel *tunnel,
1148 int optname, int val)
1149{
1150 int err = 0;
1151
1152 switch (optname) {
1153 case PPPOL2TP_SO_DEBUG:
1154 /* Tunnel debug flags option is deprecated */
1155 break;
1156
1157 default:
1158 err = -ENOPROTOOPT;
1159 break;
1160 }
1161
1162 return err;
1163}
1164
1165/* Session setsockopt helper.
1166 */
1167static int pppol2tp_session_setsockopt(struct sock *sk,
1168 struct l2tp_session *session,
1169 int optname, int val)
1170{
1171 int err = 0;
1172
1173 switch (optname) {
1174 case PPPOL2TP_SO_RECVSEQ:
1175 if (val != 0 && val != 1) {
1176 err = -EINVAL;
1177 break;
1178 }
1179 session->recv_seq = !!val;
1180 break;
1181
1182 case PPPOL2TP_SO_SENDSEQ:
1183 if (val != 0 && val != 1) {
1184 err = -EINVAL;
1185 break;
1186 }
1187 session->send_seq = !!val;
1188 {
1189 struct pppox_sock *po = pppox_sk(sk);
1190
1191 po->chan.hdrlen = val ? PPPOL2TP_L2TP_HDR_SIZE_SEQ :
1192 PPPOL2TP_L2TP_HDR_SIZE_NOSEQ;
1193 }
1194 l2tp_session_set_header_len(session, session->tunnel->version,
1195 session->tunnel->encap);
1196 break;
1197
1198 case PPPOL2TP_SO_LNSMODE:
1199 if (val != 0 && val != 1) {
1200 err = -EINVAL;
1201 break;
1202 }
1203 session->lns_mode = !!val;
1204 break;
1205
1206 case PPPOL2TP_SO_DEBUG:
1207 /* Session debug flags option is deprecated */
1208 break;
1209
1210 case PPPOL2TP_SO_REORDERTO:
1211 session->reorder_timeout = msecs_to_jiffies(val);
1212 break;
1213
1214 default:
1215 err = -ENOPROTOOPT;
1216 break;
1217 }
1218
1219 return err;
1220}
1221
1222/* Main setsockopt() entry point.
1223 * Does API checks, then calls either the tunnel or session setsockopt
1224 * handler, according to whether the PPPoL2TP socket is a for a regular
1225 * session or the special tunnel type.
1226 */
1227static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
1228 sockptr_t optval, unsigned int optlen)
1229{
1230 struct sock *sk = sock->sk;
1231 struct l2tp_session *session;
1232 struct l2tp_tunnel *tunnel;
1233 int val;
1234 int err;
1235
1236 if (level != SOL_PPPOL2TP)
1237 return -EINVAL;
1238
1239 if (optlen < sizeof(int))
1240 return -EINVAL;
1241
1242 if (copy_from_sockptr(&val, optval, sizeof(int)))
1243 return -EFAULT;
1244
1245 err = -ENOTCONN;
1246 if (!sk->sk_user_data)
1247 goto end;
1248
1249 /* Get session context from the socket */
1250 err = -EBADF;
1251 session = pppol2tp_sock_to_session(sk);
1252 if (!session)
1253 goto end;
1254
1255 /* Special case: if session_id == 0x0000, treat as operation on tunnel
1256 */
1257 if (session->session_id == 0 && session->peer_session_id == 0) {
1258 tunnel = session->tunnel;
1259 err = pppol2tp_tunnel_setsockopt(sk, tunnel, optname, val);
1260 } else {
1261 err = pppol2tp_session_setsockopt(sk, session, optname, val);
1262 }
1263
1264 l2tp_session_put(session);
1265end:
1266 return err;
1267}
1268
1269/* Tunnel getsockopt helper. Called with sock locked.
1270 */
1271static int pppol2tp_tunnel_getsockopt(struct sock *sk,
1272 struct l2tp_tunnel *tunnel,
1273 int optname, int *val)
1274{
1275 int err = 0;
1276
1277 switch (optname) {
1278 case PPPOL2TP_SO_DEBUG:
1279 /* Tunnel debug flags option is deprecated */
1280 *val = 0;
1281 break;
1282
1283 default:
1284 err = -ENOPROTOOPT;
1285 break;
1286 }
1287
1288 return err;
1289}
1290
1291/* Session getsockopt helper. Called with sock locked.
1292 */
1293static int pppol2tp_session_getsockopt(struct sock *sk,
1294 struct l2tp_session *session,
1295 int optname, int *val)
1296{
1297 int err = 0;
1298
1299 switch (optname) {
1300 case PPPOL2TP_SO_RECVSEQ:
1301 *val = session->recv_seq;
1302 break;
1303
1304 case PPPOL2TP_SO_SENDSEQ:
1305 *val = session->send_seq;
1306 break;
1307
1308 case PPPOL2TP_SO_LNSMODE:
1309 *val = session->lns_mode;
1310 break;
1311
1312 case PPPOL2TP_SO_DEBUG:
1313 /* Session debug flags option is deprecated */
1314 *val = 0;
1315 break;
1316
1317 case PPPOL2TP_SO_REORDERTO:
1318 *val = (int)jiffies_to_msecs(session->reorder_timeout);
1319 break;
1320
1321 default:
1322 err = -ENOPROTOOPT;
1323 }
1324
1325 return err;
1326}
1327
1328/* Main getsockopt() entry point.
1329 * Does API checks, then calls either the tunnel or session getsockopt
1330 * handler, according to whether the PPPoX socket is a for a regular session
1331 * or the special tunnel type.
1332 */
1333static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
1334 char __user *optval, int __user *optlen)
1335{
1336 struct sock *sk = sock->sk;
1337 struct l2tp_session *session;
1338 struct l2tp_tunnel *tunnel;
1339 int val, len;
1340 int err;
1341
1342 if (level != SOL_PPPOL2TP)
1343 return -EINVAL;
1344
1345 if (get_user(len, optlen))
1346 return -EFAULT;
1347
1348 if (len < 0)
1349 return -EINVAL;
1350
1351 len = min_t(unsigned int, len, sizeof(int));
1352
1353 err = -ENOTCONN;
1354 if (!sk->sk_user_data)
1355 goto end;
1356
1357 /* Get the session context */
1358 err = -EBADF;
1359 session = pppol2tp_sock_to_session(sk);
1360 if (!session)
1361 goto end;
1362
1363 /* Special case: if session_id == 0x0000, treat as operation on tunnel */
1364 if (session->session_id == 0 && session->peer_session_id == 0) {
1365 tunnel = session->tunnel;
1366 err = pppol2tp_tunnel_getsockopt(sk, tunnel, optname, &val);
1367 if (err)
1368 goto end_put_sess;
1369 } else {
1370 err = pppol2tp_session_getsockopt(sk, session, optname, &val);
1371 if (err)
1372 goto end_put_sess;
1373 }
1374
1375 err = -EFAULT;
1376 if (put_user(len, optlen))
1377 goto end_put_sess;
1378
1379 if (copy_to_user((void __user *)optval, &val, len))
1380 goto end_put_sess;
1381
1382 err = 0;
1383
1384end_put_sess:
1385 l2tp_session_put(session);
1386end:
1387 return err;
1388}
1389
1390/*****************************************************************************
1391 * /proc filesystem for debug
1392 * Since the original pppol2tp driver provided /proc/net/pppol2tp for
1393 * L2TPv2, we dump only L2TPv2 tunnels and sessions here.
1394 *****************************************************************************/
1395
1396#ifdef CONFIG_PROC_FS
1397
1398struct pppol2tp_seq_data {
1399 struct seq_net_private p;
1400 unsigned long tkey; /* lookup key of current tunnel */
1401 unsigned long skey; /* lookup key of current session */
1402 struct l2tp_tunnel *tunnel;
1403 struct l2tp_session *session; /* NULL means get next tunnel */
1404};
1405
1406static void pppol2tp_next_tunnel(struct net *net, struct pppol2tp_seq_data *pd)
1407{
1408 /* Drop reference taken during previous invocation */
1409 if (pd->tunnel)
1410 l2tp_tunnel_put(pd->tunnel);
1411
1412 for (;;) {
1413 pd->tunnel = l2tp_tunnel_get_next(net, &pd->tkey);
1414 pd->tkey++;
1415
1416 /* Only accept L2TPv2 tunnels */
1417 if (!pd->tunnel || pd->tunnel->version == 2)
1418 return;
1419
1420 l2tp_tunnel_put(pd->tunnel);
1421 }
1422}
1423
1424static void pppol2tp_next_session(struct net *net, struct pppol2tp_seq_data *pd)
1425{
1426 /* Drop reference taken during previous invocation */
1427 if (pd->session)
1428 l2tp_session_put(pd->session);
1429
1430 pd->session = l2tp_session_get_next(net, pd->tunnel->sock,
1431 pd->tunnel->version,
1432 pd->tunnel->tunnel_id, &pd->skey);
1433 pd->skey++;
1434
1435 if (!pd->session) {
1436 pd->skey = 0;
1437 pppol2tp_next_tunnel(net, pd);
1438 }
1439}
1440
1441static void *pppol2tp_seq_start(struct seq_file *m, loff_t *offs)
1442{
1443 struct pppol2tp_seq_data *pd = SEQ_START_TOKEN;
1444 loff_t pos = *offs;
1445 struct net *net;
1446
1447 if (!pos)
1448 goto out;
1449
1450 if (WARN_ON(!m->private)) {
1451 pd = NULL;
1452 goto out;
1453 }
1454
1455 pd = m->private;
1456 net = seq_file_net(m);
1457
1458 if (!pd->tunnel)
1459 pppol2tp_next_tunnel(net, pd);
1460 else
1461 pppol2tp_next_session(net, pd);
1462
1463 /* NULL tunnel and session indicates end of list */
1464 if (!pd->tunnel && !pd->session)
1465 pd = NULL;
1466
1467out:
1468 return pd;
1469}
1470
1471static void *pppol2tp_seq_next(struct seq_file *m, void *v, loff_t *pos)
1472{
1473 (*pos)++;
1474 return NULL;
1475}
1476
1477static void pppol2tp_seq_stop(struct seq_file *p, void *v)
1478{
1479 struct pppol2tp_seq_data *pd = v;
1480
1481 if (!pd || pd == SEQ_START_TOKEN)
1482 return;
1483
1484 /* Drop reference taken by last invocation of pppol2tp_next_session()
1485 * or pppol2tp_next_tunnel().
1486 */
1487 if (pd->session) {
1488 l2tp_session_put(pd->session);
1489 pd->session = NULL;
1490 }
1491 if (pd->tunnel) {
1492 l2tp_tunnel_put(pd->tunnel);
1493 pd->tunnel = NULL;
1494 }
1495}
1496
1497static void pppol2tp_seq_tunnel_show(struct seq_file *m, void *v)
1498{
1499 struct l2tp_tunnel *tunnel = v;
1500
1501 seq_printf(m, "\nTUNNEL '%s', %c %d\n",
1502 tunnel->name,
1503 tunnel->sock ? 'Y' : 'N',
1504 refcount_read(&tunnel->ref_count) - 1);
1505 seq_printf(m, " %08x %ld/%ld/%ld %ld/%ld/%ld\n",
1506 0,
1507 atomic_long_read(&tunnel->stats.tx_packets),
1508 atomic_long_read(&tunnel->stats.tx_bytes),
1509 atomic_long_read(&tunnel->stats.tx_errors),
1510 atomic_long_read(&tunnel->stats.rx_packets),
1511 atomic_long_read(&tunnel->stats.rx_bytes),
1512 atomic_long_read(&tunnel->stats.rx_errors));
1513}
1514
1515static void pppol2tp_seq_session_show(struct seq_file *m, void *v)
1516{
1517 struct l2tp_session *session = v;
1518 struct l2tp_tunnel *tunnel = session->tunnel;
1519 unsigned char state;
1520 char user_data_ok;
1521 struct sock *sk;
1522 u32 ip = 0;
1523 u16 port = 0;
1524
1525 if (tunnel->sock) {
1526 struct inet_sock *inet = inet_sk(tunnel->sock);
1527
1528 ip = ntohl(inet->inet_saddr);
1529 port = ntohs(inet->inet_sport);
1530 }
1531
1532 sk = pppol2tp_session_get_sock(session);
1533 if (sk) {
1534 state = sk->sk_state;
1535 user_data_ok = (session == sk->sk_user_data) ? 'Y' : 'N';
1536 } else {
1537 state = 0;
1538 user_data_ok = 'N';
1539 }
1540
1541 seq_printf(m, " SESSION '%s' %08X/%d %04X/%04X -> %04X/%04X %d %c\n",
1542 session->name, ip, port,
1543 tunnel->tunnel_id,
1544 session->session_id,
1545 tunnel->peer_tunnel_id,
1546 session->peer_session_id,
1547 state, user_data_ok);
1548 seq_printf(m, " 0/0/%c/%c/%s %08x %u\n",
1549 session->recv_seq ? 'R' : '-',
1550 session->send_seq ? 'S' : '-',
1551 session->lns_mode ? "LNS" : "LAC",
1552 0,
1553 jiffies_to_msecs(session->reorder_timeout));
1554 seq_printf(m, " %u/%u %ld/%ld/%ld %ld/%ld/%ld\n",
1555 session->nr, session->ns,
1556 atomic_long_read(&session->stats.tx_packets),
1557 atomic_long_read(&session->stats.tx_bytes),
1558 atomic_long_read(&session->stats.tx_errors),
1559 atomic_long_read(&session->stats.rx_packets),
1560 atomic_long_read(&session->stats.rx_bytes),
1561 atomic_long_read(&session->stats.rx_errors));
1562
1563 if (sk) {
1564 struct pppox_sock *po = pppox_sk(sk);
1565
1566 seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan));
1567 sock_put(sk);
1568 }
1569}
1570
1571static int pppol2tp_seq_show(struct seq_file *m, void *v)
1572{
1573 struct pppol2tp_seq_data *pd = v;
1574
1575 /* display header on line 1 */
1576 if (v == SEQ_START_TOKEN) {
1577 seq_puts(m, "PPPoL2TP driver info, " PPPOL2TP_DRV_VERSION "\n");
1578 seq_puts(m, "TUNNEL name, user-data-ok session-count\n");
1579 seq_puts(m, " debug tx-pkts/bytes/errs rx-pkts/bytes/errs\n");
1580 seq_puts(m, " SESSION name, addr/port src-tid/sid dest-tid/sid state user-data-ok\n");
1581 seq_puts(m, " mtu/mru/rcvseq/sendseq/lns debug reorderto\n");
1582 seq_puts(m, " nr/ns tx-pkts/bytes/errs rx-pkts/bytes/errs\n");
1583 goto out;
1584 }
1585
1586 if (!pd->session)
1587 pppol2tp_seq_tunnel_show(m, pd->tunnel);
1588 else
1589 pppol2tp_seq_session_show(m, pd->session);
1590
1591out:
1592 return 0;
1593}
1594
1595static const struct seq_operations pppol2tp_seq_ops = {
1596 .start = pppol2tp_seq_start,
1597 .next = pppol2tp_seq_next,
1598 .stop = pppol2tp_seq_stop,
1599 .show = pppol2tp_seq_show,
1600};
1601#endif /* CONFIG_PROC_FS */
1602
1603/*****************************************************************************
1604 * Network namespace
1605 *****************************************************************************/
1606
1607static __net_init int pppol2tp_init_net(struct net *net)
1608{
1609 struct proc_dir_entry *pde;
1610 int err = 0;
1611
1612 pde = proc_create_net("pppol2tp", 0444, net->proc_net,
1613 &pppol2tp_seq_ops, sizeof(struct pppol2tp_seq_data));
1614 if (!pde) {
1615 err = -ENOMEM;
1616 goto out;
1617 }
1618
1619out:
1620 return err;
1621}
1622
1623static __net_exit void pppol2tp_exit_net(struct net *net)
1624{
1625 remove_proc_entry("pppol2tp", net->proc_net);
1626}
1627
1628static struct pernet_operations pppol2tp_net_ops = {
1629 .init = pppol2tp_init_net,
1630 .exit = pppol2tp_exit_net,
1631};
1632
1633/*****************************************************************************
1634 * Init and cleanup
1635 *****************************************************************************/
1636
1637static const struct proto_ops pppol2tp_ops = {
1638 .family = AF_PPPOX,
1639 .owner = THIS_MODULE,
1640 .release = pppol2tp_release,
1641 .bind = sock_no_bind,
1642 .connect = pppol2tp_connect,
1643 .socketpair = sock_no_socketpair,
1644 .accept = sock_no_accept,
1645 .getname = pppol2tp_getname,
1646 .poll = datagram_poll,
1647 .listen = sock_no_listen,
1648 .shutdown = sock_no_shutdown,
1649 .setsockopt = pppol2tp_setsockopt,
1650 .getsockopt = pppol2tp_getsockopt,
1651 .sendmsg = pppol2tp_sendmsg,
1652 .recvmsg = pppol2tp_recvmsg,
1653 .mmap = sock_no_mmap,
1654 .ioctl = pppox_ioctl,
1655#ifdef CONFIG_COMPAT
1656 .compat_ioctl = pppox_compat_ioctl,
1657#endif
1658};
1659
1660static const struct pppox_proto pppol2tp_proto = {
1661 .create = pppol2tp_create,
1662 .ioctl = pppol2tp_ioctl,
1663 .owner = THIS_MODULE,
1664};
1665
1666#ifdef CONFIG_L2TP_V3
1667
1668static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = {
1669 .session_create = pppol2tp_session_create,
1670 .session_delete = l2tp_session_delete,
1671};
1672
1673#endif /* CONFIG_L2TP_V3 */
1674
1675static int __init pppol2tp_init(void)
1676{
1677 int err;
1678
1679 err = register_pernet_device(&pppol2tp_net_ops);
1680 if (err)
1681 goto out;
1682
1683 err = proto_register(&pppol2tp_sk_proto, 0);
1684 if (err)
1685 goto out_unregister_pppol2tp_pernet;
1686
1687 err = register_pppox_proto(PX_PROTO_OL2TP, &pppol2tp_proto);
1688 if (err)
1689 goto out_unregister_pppol2tp_proto;
1690
1691#ifdef CONFIG_L2TP_V3
1692 err = l2tp_nl_register_ops(L2TP_PWTYPE_PPP, &pppol2tp_nl_cmd_ops);
1693 if (err)
1694 goto out_unregister_pppox;
1695#endif
1696
1697 pr_info("PPPoL2TP kernel driver, %s\n", PPPOL2TP_DRV_VERSION);
1698
1699out:
1700 return err;
1701
1702#ifdef CONFIG_L2TP_V3
1703out_unregister_pppox:
1704 unregister_pppox_proto(PX_PROTO_OL2TP);
1705#endif
1706out_unregister_pppol2tp_proto:
1707 proto_unregister(&pppol2tp_sk_proto);
1708out_unregister_pppol2tp_pernet:
1709 unregister_pernet_device(&pppol2tp_net_ops);
1710 goto out;
1711}
1712
1713static void __exit pppol2tp_exit(void)
1714{
1715#ifdef CONFIG_L2TP_V3
1716 l2tp_nl_unregister_ops(L2TP_PWTYPE_PPP);
1717#endif
1718 unregister_pppox_proto(PX_PROTO_OL2TP);
1719 proto_unregister(&pppol2tp_sk_proto);
1720 unregister_pernet_device(&pppol2tp_net_ops);
1721}
1722
1723module_init(pppol2tp_init);
1724module_exit(pppol2tp_exit);
1725
1726MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1727MODULE_DESCRIPTION("PPP over L2TP over UDP");
1728MODULE_LICENSE("GPL");
1729MODULE_VERSION(PPPOL2TP_DRV_VERSION);
1730MODULE_ALIAS_NET_PF_PROTO(PF_PPPOX, PX_PROTO_OL2TP);
1731MODULE_ALIAS_L2TP_PWTYPE(7);
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*****************************************************************************
3 * Linux PPP over L2TP (PPPoX/PPPoL2TP) Sockets
4 *
5 * PPPoX --- Generic PPP encapsulation socket family
6 * PPPoL2TP --- PPP over L2TP (RFC 2661)
7 *
8 * Version: 2.0.0
9 *
10 * Authors: James Chapman (jchapman@katalix.com)
11 *
12 * Based on original work by Martijn van Oosterhout <kleptog@svana.org>
13 *
14 * License:
15 */
16
17/* This driver handles only L2TP data frames; control frames are handled by a
18 * userspace application.
19 *
20 * To send data in an L2TP session, userspace opens a PPPoL2TP socket and
21 * attaches it to a bound UDP socket with local tunnel_id / session_id and
22 * peer tunnel_id / session_id set. Data can then be sent or received using
23 * regular socket sendmsg() / recvmsg() calls. Kernel parameters of the socket
24 * can be read or modified using ioctl() or [gs]etsockopt() calls.
25 *
26 * When a PPPoL2TP socket is connected with local and peer session_id values
27 * zero, the socket is treated as a special tunnel management socket.
28 *
29 * Here's example userspace code to create a socket for sending/receiving data
30 * over an L2TP session:-
31 *
32 * struct sockaddr_pppol2tp sax;
33 * int fd;
34 * int session_fd;
35 *
36 * fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
37 *
38 * sax.sa_family = AF_PPPOX;
39 * sax.sa_protocol = PX_PROTO_OL2TP;
40 * sax.pppol2tp.fd = tunnel_fd; // bound UDP socket
41 * sax.pppol2tp.addr.sin_addr.s_addr = addr->sin_addr.s_addr;
42 * sax.pppol2tp.addr.sin_port = addr->sin_port;
43 * sax.pppol2tp.addr.sin_family = AF_INET;
44 * sax.pppol2tp.s_tunnel = tunnel_id;
45 * sax.pppol2tp.s_session = session_id;
46 * sax.pppol2tp.d_tunnel = peer_tunnel_id;
47 * sax.pppol2tp.d_session = peer_session_id;
48 *
49 * session_fd = connect(fd, (struct sockaddr *)&sax, sizeof(sax));
50 *
51 * A pppd plugin that allows PPP traffic to be carried over L2TP using
52 * this driver is available from the OpenL2TP project at
53 * http://openl2tp.sourceforge.net.
54 */
55
56#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
57
58#include <linux/module.h>
59#include <linux/string.h>
60#include <linux/list.h>
61#include <linux/uaccess.h>
62
63#include <linux/kernel.h>
64#include <linux/spinlock.h>
65#include <linux/kthread.h>
66#include <linux/sched.h>
67#include <linux/slab.h>
68#include <linux/errno.h>
69#include <linux/jiffies.h>
70
71#include <linux/netdevice.h>
72#include <linux/net.h>
73#include <linux/inetdevice.h>
74#include <linux/skbuff.h>
75#include <linux/init.h>
76#include <linux/ip.h>
77#include <linux/udp.h>
78#include <linux/if_pppox.h>
79#include <linux/if_pppol2tp.h>
80#include <net/sock.h>
81#include <linux/ppp_channel.h>
82#include <linux/ppp_defs.h>
83#include <linux/ppp-ioctl.h>
84#include <linux/file.h>
85#include <linux/hash.h>
86#include <linux/sort.h>
87#include <linux/proc_fs.h>
88#include <linux/l2tp.h>
89#include <linux/nsproxy.h>
90#include <net/net_namespace.h>
91#include <net/netns/generic.h>
92#include <net/ip.h>
93#include <net/udp.h>
94#include <net/inet_common.h>
95
96#include <asm/byteorder.h>
97#include <linux/atomic.h>
98
99#include "l2tp_core.h"
100
101#define PPPOL2TP_DRV_VERSION "V2.0"
102
103/* Space for UDP, L2TP and PPP headers */
104#define PPPOL2TP_HEADER_OVERHEAD 40
105
106/* Number of bytes to build transmit L2TP headers.
107 * Unfortunately the size is different depending on whether sequence numbers
108 * are enabled.
109 */
110#define PPPOL2TP_L2TP_HDR_SIZE_SEQ 10
111#define PPPOL2TP_L2TP_HDR_SIZE_NOSEQ 6
112
113/* Private data of each session. This data lives at the end of struct
114 * l2tp_session, referenced via session->priv[].
115 */
116struct pppol2tp_session {
117 int owner; /* pid that opened the socket */
118
119 struct mutex sk_lock; /* Protects .sk */
120 struct sock __rcu *sk; /* Pointer to the session PPPoX socket */
121 struct sock *__sk; /* Copy of .sk, for cleanup */
122 struct rcu_head rcu; /* For asynchronous release */
123};
124
125static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb);
126
127static const struct ppp_channel_ops pppol2tp_chan_ops = {
128 .start_xmit = pppol2tp_xmit,
129};
130
131static const struct proto_ops pppol2tp_ops;
132
133/* Retrieves the pppol2tp socket associated to a session.
134 * A reference is held on the returned socket, so this function must be paired
135 * with sock_put().
136 */
137static struct sock *pppol2tp_session_get_sock(struct l2tp_session *session)
138{
139 struct pppol2tp_session *ps = l2tp_session_priv(session);
140 struct sock *sk;
141
142 rcu_read_lock();
143 sk = rcu_dereference(ps->sk);
144 if (sk)
145 sock_hold(sk);
146 rcu_read_unlock();
147
148 return sk;
149}
150
151/* Helpers to obtain tunnel/session contexts from sockets.
152 */
153static inline struct l2tp_session *pppol2tp_sock_to_session(struct sock *sk)
154{
155 struct l2tp_session *session;
156
157 if (!sk)
158 return NULL;
159
160 sock_hold(sk);
161 session = (struct l2tp_session *)(sk->sk_user_data);
162 if (!session) {
163 sock_put(sk);
164 goto out;
165 }
166 if (WARN_ON(session->magic != L2TP_SESSION_MAGIC)) {
167 session = NULL;
168 sock_put(sk);
169 goto out;
170 }
171
172out:
173 return session;
174}
175
176/*****************************************************************************
177 * Receive data handling
178 *****************************************************************************/
179
180/* Receive message. This is the recvmsg for the PPPoL2TP socket.
181 */
182static int pppol2tp_recvmsg(struct socket *sock, struct msghdr *msg,
183 size_t len, int flags)
184{
185 int err;
186 struct sk_buff *skb;
187 struct sock *sk = sock->sk;
188
189 err = -EIO;
190 if (sk->sk_state & PPPOX_BOUND)
191 goto end;
192
193 err = 0;
194 skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
195 flags & MSG_DONTWAIT, &err);
196 if (!skb)
197 goto end;
198
199 if (len > skb->len)
200 len = skb->len;
201 else if (len < skb->len)
202 msg->msg_flags |= MSG_TRUNC;
203
204 err = skb_copy_datagram_msg(skb, 0, msg, len);
205 if (likely(err == 0))
206 err = len;
207
208 kfree_skb(skb);
209end:
210 return err;
211}
212
213static void pppol2tp_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len)
214{
215 struct pppol2tp_session *ps = l2tp_session_priv(session);
216 struct sock *sk = NULL;
217
218 /* If the socket is bound, send it in to PPP's input queue. Otherwise
219 * queue it on the session socket.
220 */
221 rcu_read_lock();
222 sk = rcu_dereference(ps->sk);
223 if (!sk)
224 goto no_sock;
225
226 /* If the first two bytes are 0xFF03, consider that it is the PPP's
227 * Address and Control fields and skip them. The L2TP module has always
228 * worked this way, although, in theory, the use of these fields should
229 * be negociated and handled at the PPP layer. These fields are
230 * constant: 0xFF is the All-Stations Address and 0x03 the Unnumbered
231 * Information command with Poll/Final bit set to zero (RFC 1662).
232 */
233 if (pskb_may_pull(skb, 2) && skb->data[0] == PPP_ALLSTATIONS &&
234 skb->data[1] == PPP_UI)
235 skb_pull(skb, 2);
236
237 if (sk->sk_state & PPPOX_BOUND) {
238 struct pppox_sock *po;
239
240 l2tp_dbg(session, L2TP_MSG_DATA,
241 "%s: recv %d byte data frame, passing to ppp\n",
242 session->name, data_len);
243
244 po = pppox_sk(sk);
245 ppp_input(&po->chan, skb);
246 } else {
247 l2tp_dbg(session, L2TP_MSG_DATA,
248 "%s: recv %d byte data frame, passing to L2TP socket\n",
249 session->name, data_len);
250
251 if (sock_queue_rcv_skb(sk, skb) < 0) {
252 atomic_long_inc(&session->stats.rx_errors);
253 kfree_skb(skb);
254 }
255 }
256 rcu_read_unlock();
257
258 return;
259
260no_sock:
261 rcu_read_unlock();
262 l2tp_info(session, L2TP_MSG_DATA, "%s: no socket\n", session->name);
263 kfree_skb(skb);
264}
265
266/************************************************************************
267 * Transmit handling
268 ***********************************************************************/
269
270/* This is the sendmsg for the PPPoL2TP pppol2tp_session socket. We come here
271 * when a user application does a sendmsg() on the session socket. L2TP and
272 * PPP headers must be inserted into the user's data.
273 */
274static int pppol2tp_sendmsg(struct socket *sock, struct msghdr *m,
275 size_t total_len)
276{
277 struct sock *sk = sock->sk;
278 struct sk_buff *skb;
279 int error;
280 struct l2tp_session *session;
281 struct l2tp_tunnel *tunnel;
282 int uhlen;
283
284 error = -ENOTCONN;
285 if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
286 goto error;
287
288 /* Get session and tunnel contexts */
289 error = -EBADF;
290 session = pppol2tp_sock_to_session(sk);
291 if (!session)
292 goto error;
293
294 tunnel = session->tunnel;
295
296 uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
297
298 /* Allocate a socket buffer */
299 error = -ENOMEM;
300 skb = sock_wmalloc(sk, NET_SKB_PAD + sizeof(struct iphdr) +
301 uhlen + session->hdr_len +
302 2 + total_len, /* 2 bytes for PPP_ALLSTATIONS & PPP_UI */
303 0, GFP_KERNEL);
304 if (!skb)
305 goto error_put_sess;
306
307 /* Reserve space for headers. */
308 skb_reserve(skb, NET_SKB_PAD);
309 skb_reset_network_header(skb);
310 skb_reserve(skb, sizeof(struct iphdr));
311 skb_reset_transport_header(skb);
312 skb_reserve(skb, uhlen);
313
314 /* Add PPP header */
315 skb->data[0] = PPP_ALLSTATIONS;
316 skb->data[1] = PPP_UI;
317 skb_put(skb, 2);
318
319 /* Copy user data into skb */
320 error = memcpy_from_msg(skb_put(skb, total_len), m, total_len);
321 if (error < 0) {
322 kfree_skb(skb);
323 goto error_put_sess;
324 }
325
326 local_bh_disable();
327 l2tp_xmit_skb(session, skb, session->hdr_len);
328 local_bh_enable();
329
330 sock_put(sk);
331
332 return total_len;
333
334error_put_sess:
335 sock_put(sk);
336error:
337 return error;
338}
339
340/* Transmit function called by generic PPP driver. Sends PPP frame
341 * over PPPoL2TP socket.
342 *
343 * This is almost the same as pppol2tp_sendmsg(), but rather than
344 * being called with a msghdr from userspace, it is called with a skb
345 * from the kernel.
346 *
347 * The supplied skb from ppp doesn't have enough headroom for the
348 * insertion of L2TP, UDP and IP headers so we need to allocate more
349 * headroom in the skb. This will create a cloned skb. But we must be
350 * careful in the error case because the caller will expect to free
351 * the skb it supplied, not our cloned skb. So we take care to always
352 * leave the original skb unfreed if we return an error.
353 */
354static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
355{
356 struct sock *sk = (struct sock *)chan->private;
357 struct l2tp_session *session;
358 struct l2tp_tunnel *tunnel;
359 int uhlen, headroom;
360
361 if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
362 goto abort;
363
364 /* Get session and tunnel contexts from the socket */
365 session = pppol2tp_sock_to_session(sk);
366 if (!session)
367 goto abort;
368
369 tunnel = session->tunnel;
370
371 uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
372 headroom = NET_SKB_PAD +
373 sizeof(struct iphdr) + /* IP header */
374 uhlen + /* UDP header (if L2TP_ENCAPTYPE_UDP) */
375 session->hdr_len + /* L2TP header */
376 2; /* 2 bytes for PPP_ALLSTATIONS & PPP_UI */
377 if (skb_cow_head(skb, headroom))
378 goto abort_put_sess;
379
380 /* Setup PPP header */
381 __skb_push(skb, 2);
382 skb->data[0] = PPP_ALLSTATIONS;
383 skb->data[1] = PPP_UI;
384
385 local_bh_disable();
386 l2tp_xmit_skb(session, skb, session->hdr_len);
387 local_bh_enable();
388
389 sock_put(sk);
390
391 return 1;
392
393abort_put_sess:
394 sock_put(sk);
395abort:
396 /* Free the original skb */
397 kfree_skb(skb);
398 return 1;
399}
400
401/*****************************************************************************
402 * Session (and tunnel control) socket create/destroy.
403 *****************************************************************************/
404
405static void pppol2tp_put_sk(struct rcu_head *head)
406{
407 struct pppol2tp_session *ps;
408
409 ps = container_of(head, typeof(*ps), rcu);
410 sock_put(ps->__sk);
411}
412
413/* Really kill the session socket. (Called from sock_put() if
414 * refcnt == 0.)
415 */
416static void pppol2tp_session_destruct(struct sock *sk)
417{
418 struct l2tp_session *session = sk->sk_user_data;
419
420 skb_queue_purge(&sk->sk_receive_queue);
421 skb_queue_purge(&sk->sk_write_queue);
422
423 if (session) {
424 sk->sk_user_data = NULL;
425 if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
426 return;
427 l2tp_session_dec_refcount(session);
428 }
429}
430
431/* Called when the PPPoX socket (session) is closed.
432 */
433static int pppol2tp_release(struct socket *sock)
434{
435 struct sock *sk = sock->sk;
436 struct l2tp_session *session;
437 int error;
438
439 if (!sk)
440 return 0;
441
442 error = -EBADF;
443 lock_sock(sk);
444 if (sock_flag(sk, SOCK_DEAD) != 0)
445 goto error;
446
447 pppox_unbind_sock(sk);
448
449 /* Signal the death of the socket. */
450 sk->sk_state = PPPOX_DEAD;
451 sock_orphan(sk);
452 sock->sk = NULL;
453
454 session = pppol2tp_sock_to_session(sk);
455 if (session) {
456 struct pppol2tp_session *ps;
457
458 l2tp_session_delete(session);
459
460 ps = l2tp_session_priv(session);
461 mutex_lock(&ps->sk_lock);
462 ps->__sk = rcu_dereference_protected(ps->sk,
463 lockdep_is_held(&ps->sk_lock));
464 RCU_INIT_POINTER(ps->sk, NULL);
465 mutex_unlock(&ps->sk_lock);
466 call_rcu(&ps->rcu, pppol2tp_put_sk);
467
468 /* Rely on the sock_put() call at the end of the function for
469 * dropping the reference held by pppol2tp_sock_to_session().
470 * The last reference will be dropped by pppol2tp_put_sk().
471 */
472 }
473
474 release_sock(sk);
475
476 /* This will delete the session context via
477 * pppol2tp_session_destruct() if the socket's refcnt drops to
478 * zero.
479 */
480 sock_put(sk);
481
482 return 0;
483
484error:
485 release_sock(sk);
486 return error;
487}
488
489static struct proto pppol2tp_sk_proto = {
490 .name = "PPPOL2TP",
491 .owner = THIS_MODULE,
492 .obj_size = sizeof(struct pppox_sock),
493};
494
495static int pppol2tp_backlog_recv(struct sock *sk, struct sk_buff *skb)
496{
497 int rc;
498
499 rc = l2tp_udp_encap_recv(sk, skb);
500 if (rc)
501 kfree_skb(skb);
502
503 return NET_RX_SUCCESS;
504}
505
506/* socket() handler. Initialize a new struct sock.
507 */
508static int pppol2tp_create(struct net *net, struct socket *sock, int kern)
509{
510 int error = -ENOMEM;
511 struct sock *sk;
512
513 sk = sk_alloc(net, PF_PPPOX, GFP_KERNEL, &pppol2tp_sk_proto, kern);
514 if (!sk)
515 goto out;
516
517 sock_init_data(sock, sk);
518
519 sock->state = SS_UNCONNECTED;
520 sock->ops = &pppol2tp_ops;
521
522 sk->sk_backlog_rcv = pppol2tp_backlog_recv;
523 sk->sk_protocol = PX_PROTO_OL2TP;
524 sk->sk_family = PF_PPPOX;
525 sk->sk_state = PPPOX_NONE;
526 sk->sk_type = SOCK_STREAM;
527 sk->sk_destruct = pppol2tp_session_destruct;
528
529 error = 0;
530
531out:
532 return error;
533}
534
535static void pppol2tp_show(struct seq_file *m, void *arg)
536{
537 struct l2tp_session *session = arg;
538 struct sock *sk;
539
540 sk = pppol2tp_session_get_sock(session);
541 if (sk) {
542 struct pppox_sock *po = pppox_sk(sk);
543
544 seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan));
545 sock_put(sk);
546 }
547}
548
549static void pppol2tp_session_init(struct l2tp_session *session)
550{
551 struct pppol2tp_session *ps;
552
553 session->recv_skb = pppol2tp_recv;
554 if (IS_ENABLED(CONFIG_L2TP_DEBUGFS))
555 session->show = pppol2tp_show;
556
557 ps = l2tp_session_priv(session);
558 mutex_init(&ps->sk_lock);
559 ps->owner = current->pid;
560}
561
562struct l2tp_connect_info {
563 u8 version;
564 int fd;
565 u32 tunnel_id;
566 u32 peer_tunnel_id;
567 u32 session_id;
568 u32 peer_session_id;
569};
570
571static int pppol2tp_sockaddr_get_info(const void *sa, int sa_len,
572 struct l2tp_connect_info *info)
573{
574 switch (sa_len) {
575 case sizeof(struct sockaddr_pppol2tp):
576 {
577 const struct sockaddr_pppol2tp *sa_v2in4 = sa;
578
579 if (sa_v2in4->sa_protocol != PX_PROTO_OL2TP)
580 return -EINVAL;
581
582 info->version = 2;
583 info->fd = sa_v2in4->pppol2tp.fd;
584 info->tunnel_id = sa_v2in4->pppol2tp.s_tunnel;
585 info->peer_tunnel_id = sa_v2in4->pppol2tp.d_tunnel;
586 info->session_id = sa_v2in4->pppol2tp.s_session;
587 info->peer_session_id = sa_v2in4->pppol2tp.d_session;
588
589 break;
590 }
591 case sizeof(struct sockaddr_pppol2tpv3):
592 {
593 const struct sockaddr_pppol2tpv3 *sa_v3in4 = sa;
594
595 if (sa_v3in4->sa_protocol != PX_PROTO_OL2TP)
596 return -EINVAL;
597
598 info->version = 3;
599 info->fd = sa_v3in4->pppol2tp.fd;
600 info->tunnel_id = sa_v3in4->pppol2tp.s_tunnel;
601 info->peer_tunnel_id = sa_v3in4->pppol2tp.d_tunnel;
602 info->session_id = sa_v3in4->pppol2tp.s_session;
603 info->peer_session_id = sa_v3in4->pppol2tp.d_session;
604
605 break;
606 }
607 case sizeof(struct sockaddr_pppol2tpin6):
608 {
609 const struct sockaddr_pppol2tpin6 *sa_v2in6 = sa;
610
611 if (sa_v2in6->sa_protocol != PX_PROTO_OL2TP)
612 return -EINVAL;
613
614 info->version = 2;
615 info->fd = sa_v2in6->pppol2tp.fd;
616 info->tunnel_id = sa_v2in6->pppol2tp.s_tunnel;
617 info->peer_tunnel_id = sa_v2in6->pppol2tp.d_tunnel;
618 info->session_id = sa_v2in6->pppol2tp.s_session;
619 info->peer_session_id = sa_v2in6->pppol2tp.d_session;
620
621 break;
622 }
623 case sizeof(struct sockaddr_pppol2tpv3in6):
624 {
625 const struct sockaddr_pppol2tpv3in6 *sa_v3in6 = sa;
626
627 if (sa_v3in6->sa_protocol != PX_PROTO_OL2TP)
628 return -EINVAL;
629
630 info->version = 3;
631 info->fd = sa_v3in6->pppol2tp.fd;
632 info->tunnel_id = sa_v3in6->pppol2tp.s_tunnel;
633 info->peer_tunnel_id = sa_v3in6->pppol2tp.d_tunnel;
634 info->session_id = sa_v3in6->pppol2tp.s_session;
635 info->peer_session_id = sa_v3in6->pppol2tp.d_session;
636
637 break;
638 }
639 default:
640 return -EINVAL;
641 }
642
643 return 0;
644}
645
646/* Rough estimation of the maximum payload size a tunnel can transmit without
647 * fragmenting at the lower IP layer. Assumes L2TPv2 with sequence
648 * numbers and no IP option. Not quite accurate, but the result is mostly
649 * unused anyway.
650 */
651static int pppol2tp_tunnel_mtu(const struct l2tp_tunnel *tunnel)
652{
653 int mtu;
654
655 mtu = l2tp_tunnel_dst_mtu(tunnel);
656 if (mtu <= PPPOL2TP_HEADER_OVERHEAD)
657 return 1500 - PPPOL2TP_HEADER_OVERHEAD;
658
659 return mtu - PPPOL2TP_HEADER_OVERHEAD;
660}
661
662/* connect() handler. Attach a PPPoX socket to a tunnel UDP socket
663 */
664static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
665 int sockaddr_len, int flags)
666{
667 struct sock *sk = sock->sk;
668 struct pppox_sock *po = pppox_sk(sk);
669 struct l2tp_session *session = NULL;
670 struct l2tp_connect_info info;
671 struct l2tp_tunnel *tunnel;
672 struct pppol2tp_session *ps;
673 struct l2tp_session_cfg cfg = { 0, };
674 bool drop_refcnt = false;
675 bool drop_tunnel = false;
676 bool new_session = false;
677 bool new_tunnel = false;
678 int error;
679
680 error = pppol2tp_sockaddr_get_info(uservaddr, sockaddr_len, &info);
681 if (error < 0)
682 return error;
683
684 lock_sock(sk);
685
686 /* Check for already bound sockets */
687 error = -EBUSY;
688 if (sk->sk_state & PPPOX_CONNECTED)
689 goto end;
690
691 /* We don't supporting rebinding anyway */
692 error = -EALREADY;
693 if (sk->sk_user_data)
694 goto end; /* socket is already attached */
695
696 /* Don't bind if tunnel_id is 0 */
697 error = -EINVAL;
698 if (!info.tunnel_id)
699 goto end;
700
701 tunnel = l2tp_tunnel_get(sock_net(sk), info.tunnel_id);
702 if (tunnel)
703 drop_tunnel = true;
704
705 /* Special case: create tunnel context if session_id and
706 * peer_session_id is 0. Otherwise look up tunnel using supplied
707 * tunnel id.
708 */
709 if (!info.session_id && !info.peer_session_id) {
710 if (!tunnel) {
711 struct l2tp_tunnel_cfg tcfg = {
712 .encap = L2TP_ENCAPTYPE_UDP,
713 .debug = 0,
714 };
715
716 /* Prevent l2tp_tunnel_register() from trying to set up
717 * a kernel socket.
718 */
719 if (info.fd < 0) {
720 error = -EBADF;
721 goto end;
722 }
723
724 error = l2tp_tunnel_create(sock_net(sk), info.fd,
725 info.version,
726 info.tunnel_id,
727 info.peer_tunnel_id, &tcfg,
728 &tunnel);
729 if (error < 0)
730 goto end;
731
732 l2tp_tunnel_inc_refcount(tunnel);
733 error = l2tp_tunnel_register(tunnel, sock_net(sk),
734 &tcfg);
735 if (error < 0) {
736 kfree(tunnel);
737 goto end;
738 }
739 drop_tunnel = true;
740 new_tunnel = true;
741 }
742 } else {
743 /* Error if we can't find the tunnel */
744 error = -ENOENT;
745 if (!tunnel)
746 goto end;
747
748 /* Error if socket is not prepped */
749 if (!tunnel->sock)
750 goto end;
751 }
752
753 if (tunnel->peer_tunnel_id == 0)
754 tunnel->peer_tunnel_id = info.peer_tunnel_id;
755
756 session = l2tp_tunnel_get_session(tunnel, info.session_id);
757 if (session) {
758 drop_refcnt = true;
759
760 if (session->pwtype != L2TP_PWTYPE_PPP) {
761 error = -EPROTOTYPE;
762 goto end;
763 }
764
765 ps = l2tp_session_priv(session);
766
767 /* Using a pre-existing session is fine as long as it hasn't
768 * been connected yet.
769 */
770 mutex_lock(&ps->sk_lock);
771 if (rcu_dereference_protected(ps->sk,
772 lockdep_is_held(&ps->sk_lock)) ||
773 ps->__sk) {
774 mutex_unlock(&ps->sk_lock);
775 error = -EEXIST;
776 goto end;
777 }
778 } else {
779 cfg.pw_type = L2TP_PWTYPE_PPP;
780
781 session = l2tp_session_create(sizeof(struct pppol2tp_session),
782 tunnel, info.session_id,
783 info.peer_session_id, &cfg);
784 if (IS_ERR(session)) {
785 error = PTR_ERR(session);
786 goto end;
787 }
788
789 pppol2tp_session_init(session);
790 ps = l2tp_session_priv(session);
791 l2tp_session_inc_refcount(session);
792
793 mutex_lock(&ps->sk_lock);
794 error = l2tp_session_register(session, tunnel);
795 if (error < 0) {
796 mutex_unlock(&ps->sk_lock);
797 kfree(session);
798 goto end;
799 }
800 drop_refcnt = true;
801 new_session = true;
802 }
803
804 /* Special case: if source & dest session_id == 0x0000, this
805 * socket is being created to manage the tunnel. Just set up
806 * the internal context for use by ioctl() and sockopt()
807 * handlers.
808 */
809 if (session->session_id == 0 && session->peer_session_id == 0) {
810 error = 0;
811 goto out_no_ppp;
812 }
813
814 /* The only header we need to worry about is the L2TP
815 * header. This size is different depending on whether
816 * sequence numbers are enabled for the data channel.
817 */
818 po->chan.hdrlen = PPPOL2TP_L2TP_HDR_SIZE_NOSEQ;
819
820 po->chan.private = sk;
821 po->chan.ops = &pppol2tp_chan_ops;
822 po->chan.mtu = pppol2tp_tunnel_mtu(tunnel);
823
824 error = ppp_register_net_channel(sock_net(sk), &po->chan);
825 if (error) {
826 mutex_unlock(&ps->sk_lock);
827 goto end;
828 }
829
830out_no_ppp:
831 /* This is how we get the session context from the socket. */
832 sk->sk_user_data = session;
833 rcu_assign_pointer(ps->sk, sk);
834 mutex_unlock(&ps->sk_lock);
835
836 /* Keep the reference we've grabbed on the session: sk doesn't expect
837 * the session to disappear. pppol2tp_session_destruct() is responsible
838 * for dropping it.
839 */
840 drop_refcnt = false;
841
842 sk->sk_state = PPPOX_CONNECTED;
843 l2tp_info(session, L2TP_MSG_CONTROL, "%s: created\n",
844 session->name);
845
846end:
847 if (error) {
848 if (new_session)
849 l2tp_session_delete(session);
850 if (new_tunnel)
851 l2tp_tunnel_delete(tunnel);
852 }
853 if (drop_refcnt)
854 l2tp_session_dec_refcount(session);
855 if (drop_tunnel)
856 l2tp_tunnel_dec_refcount(tunnel);
857 release_sock(sk);
858
859 return error;
860}
861
862#ifdef CONFIG_L2TP_V3
863
864/* Called when creating sessions via the netlink interface. */
865static int pppol2tp_session_create(struct net *net, struct l2tp_tunnel *tunnel,
866 u32 session_id, u32 peer_session_id,
867 struct l2tp_session_cfg *cfg)
868{
869 int error;
870 struct l2tp_session *session;
871
872 /* Error if tunnel socket is not prepped */
873 if (!tunnel->sock) {
874 error = -ENOENT;
875 goto err;
876 }
877
878 /* Allocate and initialize a new session context. */
879 session = l2tp_session_create(sizeof(struct pppol2tp_session),
880 tunnel, session_id,
881 peer_session_id, cfg);
882 if (IS_ERR(session)) {
883 error = PTR_ERR(session);
884 goto err;
885 }
886
887 pppol2tp_session_init(session);
888
889 error = l2tp_session_register(session, tunnel);
890 if (error < 0)
891 goto err_sess;
892
893 return 0;
894
895err_sess:
896 kfree(session);
897err:
898 return error;
899}
900
901#endif /* CONFIG_L2TP_V3 */
902
903/* getname() support.
904 */
905static int pppol2tp_getname(struct socket *sock, struct sockaddr *uaddr,
906 int peer)
907{
908 int len = 0;
909 int error = 0;
910 struct l2tp_session *session;
911 struct l2tp_tunnel *tunnel;
912 struct sock *sk = sock->sk;
913 struct inet_sock *inet;
914 struct pppol2tp_session *pls;
915
916 error = -ENOTCONN;
917 if (!sk)
918 goto end;
919 if (!(sk->sk_state & PPPOX_CONNECTED))
920 goto end;
921
922 error = -EBADF;
923 session = pppol2tp_sock_to_session(sk);
924 if (!session)
925 goto end;
926
927 pls = l2tp_session_priv(session);
928 tunnel = session->tunnel;
929
930 inet = inet_sk(tunnel->sock);
931 if (tunnel->version == 2 && tunnel->sock->sk_family == AF_INET) {
932 struct sockaddr_pppol2tp sp;
933
934 len = sizeof(sp);
935 memset(&sp, 0, len);
936 sp.sa_family = AF_PPPOX;
937 sp.sa_protocol = PX_PROTO_OL2TP;
938 sp.pppol2tp.fd = tunnel->fd;
939 sp.pppol2tp.pid = pls->owner;
940 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
941 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
942 sp.pppol2tp.s_session = session->session_id;
943 sp.pppol2tp.d_session = session->peer_session_id;
944 sp.pppol2tp.addr.sin_family = AF_INET;
945 sp.pppol2tp.addr.sin_port = inet->inet_dport;
946 sp.pppol2tp.addr.sin_addr.s_addr = inet->inet_daddr;
947 memcpy(uaddr, &sp, len);
948#if IS_ENABLED(CONFIG_IPV6)
949 } else if (tunnel->version == 2 && tunnel->sock->sk_family == AF_INET6) {
950 struct sockaddr_pppol2tpin6 sp;
951
952 len = sizeof(sp);
953 memset(&sp, 0, len);
954 sp.sa_family = AF_PPPOX;
955 sp.sa_protocol = PX_PROTO_OL2TP;
956 sp.pppol2tp.fd = tunnel->fd;
957 sp.pppol2tp.pid = pls->owner;
958 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
959 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
960 sp.pppol2tp.s_session = session->session_id;
961 sp.pppol2tp.d_session = session->peer_session_id;
962 sp.pppol2tp.addr.sin6_family = AF_INET6;
963 sp.pppol2tp.addr.sin6_port = inet->inet_dport;
964 memcpy(&sp.pppol2tp.addr.sin6_addr, &tunnel->sock->sk_v6_daddr,
965 sizeof(tunnel->sock->sk_v6_daddr));
966 memcpy(uaddr, &sp, len);
967 } else if (tunnel->version == 3 && tunnel->sock->sk_family == AF_INET6) {
968 struct sockaddr_pppol2tpv3in6 sp;
969
970 len = sizeof(sp);
971 memset(&sp, 0, len);
972 sp.sa_family = AF_PPPOX;
973 sp.sa_protocol = PX_PROTO_OL2TP;
974 sp.pppol2tp.fd = tunnel->fd;
975 sp.pppol2tp.pid = pls->owner;
976 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
977 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
978 sp.pppol2tp.s_session = session->session_id;
979 sp.pppol2tp.d_session = session->peer_session_id;
980 sp.pppol2tp.addr.sin6_family = AF_INET6;
981 sp.pppol2tp.addr.sin6_port = inet->inet_dport;
982 memcpy(&sp.pppol2tp.addr.sin6_addr, &tunnel->sock->sk_v6_daddr,
983 sizeof(tunnel->sock->sk_v6_daddr));
984 memcpy(uaddr, &sp, len);
985#endif
986 } else if (tunnel->version == 3) {
987 struct sockaddr_pppol2tpv3 sp;
988
989 len = sizeof(sp);
990 memset(&sp, 0, len);
991 sp.sa_family = AF_PPPOX;
992 sp.sa_protocol = PX_PROTO_OL2TP;
993 sp.pppol2tp.fd = tunnel->fd;
994 sp.pppol2tp.pid = pls->owner;
995 sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
996 sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
997 sp.pppol2tp.s_session = session->session_id;
998 sp.pppol2tp.d_session = session->peer_session_id;
999 sp.pppol2tp.addr.sin_family = AF_INET;
1000 sp.pppol2tp.addr.sin_port = inet->inet_dport;
1001 sp.pppol2tp.addr.sin_addr.s_addr = inet->inet_daddr;
1002 memcpy(uaddr, &sp, len);
1003 }
1004
1005 error = len;
1006
1007 sock_put(sk);
1008end:
1009 return error;
1010}
1011
1012/****************************************************************************
1013 * ioctl() handlers.
1014 *
1015 * The PPPoX socket is created for L2TP sessions: tunnels have their own UDP
1016 * sockets. However, in order to control kernel tunnel features, we allow
1017 * userspace to create a special "tunnel" PPPoX socket which is used for
1018 * control only. Tunnel PPPoX sockets have session_id == 0 and simply allow
1019 * the user application to issue L2TP setsockopt(), getsockopt() and ioctl()
1020 * calls.
1021 ****************************************************************************/
1022
1023static void pppol2tp_copy_stats(struct pppol2tp_ioc_stats *dest,
1024 const struct l2tp_stats *stats)
1025{
1026 memset(dest, 0, sizeof(*dest));
1027
1028 dest->tx_packets = atomic_long_read(&stats->tx_packets);
1029 dest->tx_bytes = atomic_long_read(&stats->tx_bytes);
1030 dest->tx_errors = atomic_long_read(&stats->tx_errors);
1031 dest->rx_packets = atomic_long_read(&stats->rx_packets);
1032 dest->rx_bytes = atomic_long_read(&stats->rx_bytes);
1033 dest->rx_seq_discards = atomic_long_read(&stats->rx_seq_discards);
1034 dest->rx_oos_packets = atomic_long_read(&stats->rx_oos_packets);
1035 dest->rx_errors = atomic_long_read(&stats->rx_errors);
1036}
1037
1038static int pppol2tp_tunnel_copy_stats(struct pppol2tp_ioc_stats *stats,
1039 struct l2tp_tunnel *tunnel)
1040{
1041 struct l2tp_session *session;
1042
1043 if (!stats->session_id) {
1044 pppol2tp_copy_stats(stats, &tunnel->stats);
1045 return 0;
1046 }
1047
1048 /* If session_id is set, search the corresponding session in the
1049 * context of this tunnel and record the session's statistics.
1050 */
1051 session = l2tp_tunnel_get_session(tunnel, stats->session_id);
1052 if (!session)
1053 return -EBADR;
1054
1055 if (session->pwtype != L2TP_PWTYPE_PPP) {
1056 l2tp_session_dec_refcount(session);
1057 return -EBADR;
1058 }
1059
1060 pppol2tp_copy_stats(stats, &session->stats);
1061 l2tp_session_dec_refcount(session);
1062
1063 return 0;
1064}
1065
1066static int pppol2tp_ioctl(struct socket *sock, unsigned int cmd,
1067 unsigned long arg)
1068{
1069 struct pppol2tp_ioc_stats stats;
1070 struct l2tp_session *session;
1071
1072 switch (cmd) {
1073 case PPPIOCGMRU:
1074 case PPPIOCGFLAGS:
1075 session = sock->sk->sk_user_data;
1076 if (!session)
1077 return -ENOTCONN;
1078
1079 /* Not defined for tunnels */
1080 if (!session->session_id && !session->peer_session_id)
1081 return -ENOSYS;
1082
1083 if (put_user(0, (int __user *)arg))
1084 return -EFAULT;
1085 break;
1086
1087 case PPPIOCSMRU:
1088 case PPPIOCSFLAGS:
1089 session = sock->sk->sk_user_data;
1090 if (!session)
1091 return -ENOTCONN;
1092
1093 /* Not defined for tunnels */
1094 if (!session->session_id && !session->peer_session_id)
1095 return -ENOSYS;
1096
1097 if (!access_ok((int __user *)arg, sizeof(int)))
1098 return -EFAULT;
1099 break;
1100
1101 case PPPIOCGL2TPSTATS:
1102 session = sock->sk->sk_user_data;
1103 if (!session)
1104 return -ENOTCONN;
1105
1106 /* Session 0 represents the parent tunnel */
1107 if (!session->session_id && !session->peer_session_id) {
1108 u32 session_id;
1109 int err;
1110
1111 if (copy_from_user(&stats, (void __user *)arg,
1112 sizeof(stats)))
1113 return -EFAULT;
1114
1115 session_id = stats.session_id;
1116 err = pppol2tp_tunnel_copy_stats(&stats,
1117 session->tunnel);
1118 if (err < 0)
1119 return err;
1120
1121 stats.session_id = session_id;
1122 } else {
1123 pppol2tp_copy_stats(&stats, &session->stats);
1124 stats.session_id = session->session_id;
1125 }
1126 stats.tunnel_id = session->tunnel->tunnel_id;
1127 stats.using_ipsec = l2tp_tunnel_uses_xfrm(session->tunnel);
1128
1129 if (copy_to_user((void __user *)arg, &stats, sizeof(stats)))
1130 return -EFAULT;
1131 break;
1132
1133 default:
1134 return -ENOIOCTLCMD;
1135 }
1136
1137 return 0;
1138}
1139
1140/*****************************************************************************
1141 * setsockopt() / getsockopt() support.
1142 *
1143 * The PPPoX socket is created for L2TP sessions: tunnels have their own UDP
1144 * sockets. In order to control kernel tunnel features, we allow userspace to
1145 * create a special "tunnel" PPPoX socket which is used for control only.
1146 * Tunnel PPPoX sockets have session_id == 0 and simply allow the user
1147 * application to issue L2TP setsockopt(), getsockopt() and ioctl() calls.
1148 *****************************************************************************/
1149
1150/* Tunnel setsockopt() helper.
1151 */
1152static int pppol2tp_tunnel_setsockopt(struct sock *sk,
1153 struct l2tp_tunnel *tunnel,
1154 int optname, int val)
1155{
1156 int err = 0;
1157
1158 switch (optname) {
1159 case PPPOL2TP_SO_DEBUG:
1160 tunnel->debug = val;
1161 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: set debug=%x\n",
1162 tunnel->name, tunnel->debug);
1163 break;
1164
1165 default:
1166 err = -ENOPROTOOPT;
1167 break;
1168 }
1169
1170 return err;
1171}
1172
1173/* Session setsockopt helper.
1174 */
1175static int pppol2tp_session_setsockopt(struct sock *sk,
1176 struct l2tp_session *session,
1177 int optname, int val)
1178{
1179 int err = 0;
1180
1181 switch (optname) {
1182 case PPPOL2TP_SO_RECVSEQ:
1183 if (val != 0 && val != 1) {
1184 err = -EINVAL;
1185 break;
1186 }
1187 session->recv_seq = !!val;
1188 l2tp_info(session, L2TP_MSG_CONTROL,
1189 "%s: set recv_seq=%d\n",
1190 session->name, session->recv_seq);
1191 break;
1192
1193 case PPPOL2TP_SO_SENDSEQ:
1194 if (val != 0 && val != 1) {
1195 err = -EINVAL;
1196 break;
1197 }
1198 session->send_seq = !!val;
1199 {
1200 struct pppox_sock *po = pppox_sk(sk);
1201
1202 po->chan.hdrlen = val ? PPPOL2TP_L2TP_HDR_SIZE_SEQ :
1203 PPPOL2TP_L2TP_HDR_SIZE_NOSEQ;
1204 }
1205 l2tp_session_set_header_len(session, session->tunnel->version);
1206 l2tp_info(session, L2TP_MSG_CONTROL,
1207 "%s: set send_seq=%d\n",
1208 session->name, session->send_seq);
1209 break;
1210
1211 case PPPOL2TP_SO_LNSMODE:
1212 if (val != 0 && val != 1) {
1213 err = -EINVAL;
1214 break;
1215 }
1216 session->lns_mode = !!val;
1217 l2tp_info(session, L2TP_MSG_CONTROL,
1218 "%s: set lns_mode=%d\n",
1219 session->name, session->lns_mode);
1220 break;
1221
1222 case PPPOL2TP_SO_DEBUG:
1223 session->debug = val;
1224 l2tp_info(session, L2TP_MSG_CONTROL, "%s: set debug=%x\n",
1225 session->name, session->debug);
1226 break;
1227
1228 case PPPOL2TP_SO_REORDERTO:
1229 session->reorder_timeout = msecs_to_jiffies(val);
1230 l2tp_info(session, L2TP_MSG_CONTROL,
1231 "%s: set reorder_timeout=%d\n",
1232 session->name, session->reorder_timeout);
1233 break;
1234
1235 default:
1236 err = -ENOPROTOOPT;
1237 break;
1238 }
1239
1240 return err;
1241}
1242
1243/* Main setsockopt() entry point.
1244 * Does API checks, then calls either the tunnel or session setsockopt
1245 * handler, according to whether the PPPoL2TP socket is a for a regular
1246 * session or the special tunnel type.
1247 */
1248static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
1249 sockptr_t optval, unsigned int optlen)
1250{
1251 struct sock *sk = sock->sk;
1252 struct l2tp_session *session;
1253 struct l2tp_tunnel *tunnel;
1254 int val;
1255 int err;
1256
1257 if (level != SOL_PPPOL2TP)
1258 return -EINVAL;
1259
1260 if (optlen < sizeof(int))
1261 return -EINVAL;
1262
1263 if (copy_from_sockptr(&val, optval, sizeof(int)))
1264 return -EFAULT;
1265
1266 err = -ENOTCONN;
1267 if (!sk->sk_user_data)
1268 goto end;
1269
1270 /* Get session context from the socket */
1271 err = -EBADF;
1272 session = pppol2tp_sock_to_session(sk);
1273 if (!session)
1274 goto end;
1275
1276 /* Special case: if session_id == 0x0000, treat as operation on tunnel
1277 */
1278 if (session->session_id == 0 && session->peer_session_id == 0) {
1279 tunnel = session->tunnel;
1280 err = pppol2tp_tunnel_setsockopt(sk, tunnel, optname, val);
1281 } else {
1282 err = pppol2tp_session_setsockopt(sk, session, optname, val);
1283 }
1284
1285 sock_put(sk);
1286end:
1287 return err;
1288}
1289
1290/* Tunnel getsockopt helper. Called with sock locked.
1291 */
1292static int pppol2tp_tunnel_getsockopt(struct sock *sk,
1293 struct l2tp_tunnel *tunnel,
1294 int optname, int *val)
1295{
1296 int err = 0;
1297
1298 switch (optname) {
1299 case PPPOL2TP_SO_DEBUG:
1300 *val = tunnel->debug;
1301 l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: get debug=%x\n",
1302 tunnel->name, tunnel->debug);
1303 break;
1304
1305 default:
1306 err = -ENOPROTOOPT;
1307 break;
1308 }
1309
1310 return err;
1311}
1312
1313/* Session getsockopt helper. Called with sock locked.
1314 */
1315static int pppol2tp_session_getsockopt(struct sock *sk,
1316 struct l2tp_session *session,
1317 int optname, int *val)
1318{
1319 int err = 0;
1320
1321 switch (optname) {
1322 case PPPOL2TP_SO_RECVSEQ:
1323 *val = session->recv_seq;
1324 l2tp_info(session, L2TP_MSG_CONTROL,
1325 "%s: get recv_seq=%d\n", session->name, *val);
1326 break;
1327
1328 case PPPOL2TP_SO_SENDSEQ:
1329 *val = session->send_seq;
1330 l2tp_info(session, L2TP_MSG_CONTROL,
1331 "%s: get send_seq=%d\n", session->name, *val);
1332 break;
1333
1334 case PPPOL2TP_SO_LNSMODE:
1335 *val = session->lns_mode;
1336 l2tp_info(session, L2TP_MSG_CONTROL,
1337 "%s: get lns_mode=%d\n", session->name, *val);
1338 break;
1339
1340 case PPPOL2TP_SO_DEBUG:
1341 *val = session->debug;
1342 l2tp_info(session, L2TP_MSG_CONTROL, "%s: get debug=%d\n",
1343 session->name, *val);
1344 break;
1345
1346 case PPPOL2TP_SO_REORDERTO:
1347 *val = (int)jiffies_to_msecs(session->reorder_timeout);
1348 l2tp_info(session, L2TP_MSG_CONTROL,
1349 "%s: get reorder_timeout=%d\n", session->name, *val);
1350 break;
1351
1352 default:
1353 err = -ENOPROTOOPT;
1354 }
1355
1356 return err;
1357}
1358
1359/* Main getsockopt() entry point.
1360 * Does API checks, then calls either the tunnel or session getsockopt
1361 * handler, according to whether the PPPoX socket is a for a regular session
1362 * or the special tunnel type.
1363 */
1364static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
1365 char __user *optval, int __user *optlen)
1366{
1367 struct sock *sk = sock->sk;
1368 struct l2tp_session *session;
1369 struct l2tp_tunnel *tunnel;
1370 int val, len;
1371 int err;
1372
1373 if (level != SOL_PPPOL2TP)
1374 return -EINVAL;
1375
1376 if (get_user(len, optlen))
1377 return -EFAULT;
1378
1379 len = min_t(unsigned int, len, sizeof(int));
1380
1381 if (len < 0)
1382 return -EINVAL;
1383
1384 err = -ENOTCONN;
1385 if (!sk->sk_user_data)
1386 goto end;
1387
1388 /* Get the session context */
1389 err = -EBADF;
1390 session = pppol2tp_sock_to_session(sk);
1391 if (!session)
1392 goto end;
1393
1394 /* Special case: if session_id == 0x0000, treat as operation on tunnel */
1395 if (session->session_id == 0 && session->peer_session_id == 0) {
1396 tunnel = session->tunnel;
1397 err = pppol2tp_tunnel_getsockopt(sk, tunnel, optname, &val);
1398 if (err)
1399 goto end_put_sess;
1400 } else {
1401 err = pppol2tp_session_getsockopt(sk, session, optname, &val);
1402 if (err)
1403 goto end_put_sess;
1404 }
1405
1406 err = -EFAULT;
1407 if (put_user(len, optlen))
1408 goto end_put_sess;
1409
1410 if (copy_to_user((void __user *)optval, &val, len))
1411 goto end_put_sess;
1412
1413 err = 0;
1414
1415end_put_sess:
1416 sock_put(sk);
1417end:
1418 return err;
1419}
1420
1421/*****************************************************************************
1422 * /proc filesystem for debug
1423 * Since the original pppol2tp driver provided /proc/net/pppol2tp for
1424 * L2TPv2, we dump only L2TPv2 tunnels and sessions here.
1425 *****************************************************************************/
1426
1427static unsigned int pppol2tp_net_id;
1428
1429#ifdef CONFIG_PROC_FS
1430
1431struct pppol2tp_seq_data {
1432 struct seq_net_private p;
1433 int tunnel_idx; /* current tunnel */
1434 int session_idx; /* index of session within current tunnel */
1435 struct l2tp_tunnel *tunnel;
1436 struct l2tp_session *session; /* NULL means get next tunnel */
1437};
1438
1439static void pppol2tp_next_tunnel(struct net *net, struct pppol2tp_seq_data *pd)
1440{
1441 /* Drop reference taken during previous invocation */
1442 if (pd->tunnel)
1443 l2tp_tunnel_dec_refcount(pd->tunnel);
1444
1445 for (;;) {
1446 pd->tunnel = l2tp_tunnel_get_nth(net, pd->tunnel_idx);
1447 pd->tunnel_idx++;
1448
1449 /* Only accept L2TPv2 tunnels */
1450 if (!pd->tunnel || pd->tunnel->version == 2)
1451 return;
1452
1453 l2tp_tunnel_dec_refcount(pd->tunnel);
1454 }
1455}
1456
1457static void pppol2tp_next_session(struct net *net, struct pppol2tp_seq_data *pd)
1458{
1459 /* Drop reference taken during previous invocation */
1460 if (pd->session)
1461 l2tp_session_dec_refcount(pd->session);
1462
1463 pd->session = l2tp_session_get_nth(pd->tunnel, pd->session_idx);
1464 pd->session_idx++;
1465
1466 if (!pd->session) {
1467 pd->session_idx = 0;
1468 pppol2tp_next_tunnel(net, pd);
1469 }
1470}
1471
1472static void *pppol2tp_seq_start(struct seq_file *m, loff_t *offs)
1473{
1474 struct pppol2tp_seq_data *pd = SEQ_START_TOKEN;
1475 loff_t pos = *offs;
1476 struct net *net;
1477
1478 if (!pos)
1479 goto out;
1480
1481 if (WARN_ON(!m->private)) {
1482 pd = NULL;
1483 goto out;
1484 }
1485
1486 pd = m->private;
1487 net = seq_file_net(m);
1488
1489 if (!pd->tunnel)
1490 pppol2tp_next_tunnel(net, pd);
1491 else
1492 pppol2tp_next_session(net, pd);
1493
1494 /* NULL tunnel and session indicates end of list */
1495 if (!pd->tunnel && !pd->session)
1496 pd = NULL;
1497
1498out:
1499 return pd;
1500}
1501
1502static void *pppol2tp_seq_next(struct seq_file *m, void *v, loff_t *pos)
1503{
1504 (*pos)++;
1505 return NULL;
1506}
1507
1508static void pppol2tp_seq_stop(struct seq_file *p, void *v)
1509{
1510 struct pppol2tp_seq_data *pd = v;
1511
1512 if (!pd || pd == SEQ_START_TOKEN)
1513 return;
1514
1515 /* Drop reference taken by last invocation of pppol2tp_next_session()
1516 * or pppol2tp_next_tunnel().
1517 */
1518 if (pd->session) {
1519 l2tp_session_dec_refcount(pd->session);
1520 pd->session = NULL;
1521 }
1522 if (pd->tunnel) {
1523 l2tp_tunnel_dec_refcount(pd->tunnel);
1524 pd->tunnel = NULL;
1525 }
1526}
1527
1528static void pppol2tp_seq_tunnel_show(struct seq_file *m, void *v)
1529{
1530 struct l2tp_tunnel *tunnel = v;
1531
1532 seq_printf(m, "\nTUNNEL '%s', %c %d\n",
1533 tunnel->name,
1534 (tunnel == tunnel->sock->sk_user_data) ? 'Y' : 'N',
1535 refcount_read(&tunnel->ref_count) - 1);
1536 seq_printf(m, " %08x %ld/%ld/%ld %ld/%ld/%ld\n",
1537 tunnel->debug,
1538 atomic_long_read(&tunnel->stats.tx_packets),
1539 atomic_long_read(&tunnel->stats.tx_bytes),
1540 atomic_long_read(&tunnel->stats.tx_errors),
1541 atomic_long_read(&tunnel->stats.rx_packets),
1542 atomic_long_read(&tunnel->stats.rx_bytes),
1543 atomic_long_read(&tunnel->stats.rx_errors));
1544}
1545
1546static void pppol2tp_seq_session_show(struct seq_file *m, void *v)
1547{
1548 struct l2tp_session *session = v;
1549 struct l2tp_tunnel *tunnel = session->tunnel;
1550 unsigned char state;
1551 char user_data_ok;
1552 struct sock *sk;
1553 u32 ip = 0;
1554 u16 port = 0;
1555
1556 if (tunnel->sock) {
1557 struct inet_sock *inet = inet_sk(tunnel->sock);
1558
1559 ip = ntohl(inet->inet_saddr);
1560 port = ntohs(inet->inet_sport);
1561 }
1562
1563 sk = pppol2tp_session_get_sock(session);
1564 if (sk) {
1565 state = sk->sk_state;
1566 user_data_ok = (session == sk->sk_user_data) ? 'Y' : 'N';
1567 } else {
1568 state = 0;
1569 user_data_ok = 'N';
1570 }
1571
1572 seq_printf(m, " SESSION '%s' %08X/%d %04X/%04X -> %04X/%04X %d %c\n",
1573 session->name, ip, port,
1574 tunnel->tunnel_id,
1575 session->session_id,
1576 tunnel->peer_tunnel_id,
1577 session->peer_session_id,
1578 state, user_data_ok);
1579 seq_printf(m, " 0/0/%c/%c/%s %08x %u\n",
1580 session->recv_seq ? 'R' : '-',
1581 session->send_seq ? 'S' : '-',
1582 session->lns_mode ? "LNS" : "LAC",
1583 session->debug,
1584 jiffies_to_msecs(session->reorder_timeout));
1585 seq_printf(m, " %hu/%hu %ld/%ld/%ld %ld/%ld/%ld\n",
1586 session->nr, session->ns,
1587 atomic_long_read(&session->stats.tx_packets),
1588 atomic_long_read(&session->stats.tx_bytes),
1589 atomic_long_read(&session->stats.tx_errors),
1590 atomic_long_read(&session->stats.rx_packets),
1591 atomic_long_read(&session->stats.rx_bytes),
1592 atomic_long_read(&session->stats.rx_errors));
1593
1594 if (sk) {
1595 struct pppox_sock *po = pppox_sk(sk);
1596
1597 seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan));
1598 sock_put(sk);
1599 }
1600}
1601
1602static int pppol2tp_seq_show(struct seq_file *m, void *v)
1603{
1604 struct pppol2tp_seq_data *pd = v;
1605
1606 /* display header on line 1 */
1607 if (v == SEQ_START_TOKEN) {
1608 seq_puts(m, "PPPoL2TP driver info, " PPPOL2TP_DRV_VERSION "\n");
1609 seq_puts(m, "TUNNEL name, user-data-ok session-count\n");
1610 seq_puts(m, " debug tx-pkts/bytes/errs rx-pkts/bytes/errs\n");
1611 seq_puts(m, " SESSION name, addr/port src-tid/sid dest-tid/sid state user-data-ok\n");
1612 seq_puts(m, " mtu/mru/rcvseq/sendseq/lns debug reorderto\n");
1613 seq_puts(m, " nr/ns tx-pkts/bytes/errs rx-pkts/bytes/errs\n");
1614 goto out;
1615 }
1616
1617 if (!pd->session)
1618 pppol2tp_seq_tunnel_show(m, pd->tunnel);
1619 else
1620 pppol2tp_seq_session_show(m, pd->session);
1621
1622out:
1623 return 0;
1624}
1625
1626static const struct seq_operations pppol2tp_seq_ops = {
1627 .start = pppol2tp_seq_start,
1628 .next = pppol2tp_seq_next,
1629 .stop = pppol2tp_seq_stop,
1630 .show = pppol2tp_seq_show,
1631};
1632#endif /* CONFIG_PROC_FS */
1633
1634/*****************************************************************************
1635 * Network namespace
1636 *****************************************************************************/
1637
1638static __net_init int pppol2tp_init_net(struct net *net)
1639{
1640 struct proc_dir_entry *pde;
1641 int err = 0;
1642
1643 pde = proc_create_net("pppol2tp", 0444, net->proc_net,
1644 &pppol2tp_seq_ops, sizeof(struct pppol2tp_seq_data));
1645 if (!pde) {
1646 err = -ENOMEM;
1647 goto out;
1648 }
1649
1650out:
1651 return err;
1652}
1653
1654static __net_exit void pppol2tp_exit_net(struct net *net)
1655{
1656 remove_proc_entry("pppol2tp", net->proc_net);
1657}
1658
1659static struct pernet_operations pppol2tp_net_ops = {
1660 .init = pppol2tp_init_net,
1661 .exit = pppol2tp_exit_net,
1662 .id = &pppol2tp_net_id,
1663};
1664
1665/*****************************************************************************
1666 * Init and cleanup
1667 *****************************************************************************/
1668
1669static const struct proto_ops pppol2tp_ops = {
1670 .family = AF_PPPOX,
1671 .owner = THIS_MODULE,
1672 .release = pppol2tp_release,
1673 .bind = sock_no_bind,
1674 .connect = pppol2tp_connect,
1675 .socketpair = sock_no_socketpair,
1676 .accept = sock_no_accept,
1677 .getname = pppol2tp_getname,
1678 .poll = datagram_poll,
1679 .listen = sock_no_listen,
1680 .shutdown = sock_no_shutdown,
1681 .setsockopt = pppol2tp_setsockopt,
1682 .getsockopt = pppol2tp_getsockopt,
1683 .sendmsg = pppol2tp_sendmsg,
1684 .recvmsg = pppol2tp_recvmsg,
1685 .mmap = sock_no_mmap,
1686 .ioctl = pppox_ioctl,
1687#ifdef CONFIG_COMPAT
1688 .compat_ioctl = pppox_compat_ioctl,
1689#endif
1690};
1691
1692static const struct pppox_proto pppol2tp_proto = {
1693 .create = pppol2tp_create,
1694 .ioctl = pppol2tp_ioctl,
1695 .owner = THIS_MODULE,
1696};
1697
1698#ifdef CONFIG_L2TP_V3
1699
1700static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = {
1701 .session_create = pppol2tp_session_create,
1702 .session_delete = l2tp_session_delete,
1703};
1704
1705#endif /* CONFIG_L2TP_V3 */
1706
1707static int __init pppol2tp_init(void)
1708{
1709 int err;
1710
1711 err = register_pernet_device(&pppol2tp_net_ops);
1712 if (err)
1713 goto out;
1714
1715 err = proto_register(&pppol2tp_sk_proto, 0);
1716 if (err)
1717 goto out_unregister_pppol2tp_pernet;
1718
1719 err = register_pppox_proto(PX_PROTO_OL2TP, &pppol2tp_proto);
1720 if (err)
1721 goto out_unregister_pppol2tp_proto;
1722
1723#ifdef CONFIG_L2TP_V3
1724 err = l2tp_nl_register_ops(L2TP_PWTYPE_PPP, &pppol2tp_nl_cmd_ops);
1725 if (err)
1726 goto out_unregister_pppox;
1727#endif
1728
1729 pr_info("PPPoL2TP kernel driver, %s\n", PPPOL2TP_DRV_VERSION);
1730
1731out:
1732 return err;
1733
1734#ifdef CONFIG_L2TP_V3
1735out_unregister_pppox:
1736 unregister_pppox_proto(PX_PROTO_OL2TP);
1737#endif
1738out_unregister_pppol2tp_proto:
1739 proto_unregister(&pppol2tp_sk_proto);
1740out_unregister_pppol2tp_pernet:
1741 unregister_pernet_device(&pppol2tp_net_ops);
1742 goto out;
1743}
1744
1745static void __exit pppol2tp_exit(void)
1746{
1747#ifdef CONFIG_L2TP_V3
1748 l2tp_nl_unregister_ops(L2TP_PWTYPE_PPP);
1749#endif
1750 unregister_pppox_proto(PX_PROTO_OL2TP);
1751 proto_unregister(&pppol2tp_sk_proto);
1752 unregister_pernet_device(&pppol2tp_net_ops);
1753}
1754
1755module_init(pppol2tp_init);
1756module_exit(pppol2tp_exit);
1757
1758MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
1759MODULE_DESCRIPTION("PPP over L2TP over UDP");
1760MODULE_LICENSE("GPL");
1761MODULE_VERSION(PPPOL2TP_DRV_VERSION);
1762MODULE_ALIAS_NET_PF_PROTO(PF_PPPOX, PX_PROTO_OL2TP);
1763MODULE_ALIAS_L2TP_PWTYPE(7);