brain-hackers_pepepper-mirror
/
linux-brain
mirror of https://github.com/brain-hackers/linux-brain.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
linux-brain/net/l2tp/l2tp_core.h

338 lines
9.5 KiB
C
Raw Normal View History

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 Based on 2 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation # extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4122 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Enrico Weigelt <info@metux.net> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-06-04 17:11:33 +09:00
/* SPDX-License-Identifier: GPL-2.0-only */
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
/*
* L2TP internal definitions.
*
* Copyright (c) 2008,2009 Katalix Systems Ltd
*/
net, l2tp: convert l2tp_tunnel.ref_count from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-04 21:52:57 +09:00
#include <linux/refcount.h>
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
#ifndef _L2TP_CORE_H_
#define _L2TP_CORE_H_
l2tp: define l2tp_tunnel_dst_mtu() Consolidate retrieval of tunnel's socket mtu in order to simplify l2tp_eth and l2tp_ppp a bit. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-08-03 19:38:34 +09:00
#include <net/dst.h>
#include <net/sock.h>
l2tp: define l2tp_tunnel_uses_xfrm() Use helper function to figure out if a tunnel is using ipsec. Also, avoid accessing ->sk_policy directly since it's RCU protected. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-08-10 20:21:55 +09:00
#ifdef CONFIG_XFRM
#include <net/xfrm.h>
#endif
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
/* Just some random numbers */
#define L2TP_TUNNEL_MAGIC 0x42114DDA
#define L2TP_SESSION_MAGIC 0x0C04EB7D
l2tp: Add L2TPv3 protocol support The L2TPv3 protocol changes the layout of the L2TP packet header. Tunnel and session ids change from 16-bit to 32-bit values, data sequence numbers change from 16-bit to 24-bit values and PPP-specific fields are moved into protocol-specific subheaders. Although this patch introduces L2TPv3 protocol support, there are no userspace interfaces to create L2TPv3 sessions yet. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:49 +09:00
/* Per tunnel, session hash table size */
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
#define L2TP_HASH_BITS 4
#define L2TP_HASH_SIZE (1 << L2TP_HASH_BITS)
l2tp: Add L2TPv3 protocol support The L2TPv3 protocol changes the layout of the L2TP packet header. Tunnel and session ids change from 16-bit to 32-bit values, data sequence numbers change from 16-bit to 24-bit values and PPP-specific fields are moved into protocol-specific subheaders. Although this patch introduces L2TPv3 protocol support, there are no userspace interfaces to create L2TPv3 sessions yet. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:49 +09:00
/* System-wide, session hash table size */
#define L2TP_HASH_BITS_2 8
#define L2TP_HASH_SIZE_2 (1 << L2TP_HASH_BITS_2)
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
struct sk_buff;
struct l2tp_stats {
l2tp: avoid deadlock in l2tp stats update l2tp's u64_stats writers were incorrectly synchronised, making it possible to deadlock a 64bit machine running a 32bit kernel simply by sending the l2tp code netlink commands while passing data through l2tp sessions. Previous discussion on netdev determined that alternative solutions such as spinlock writer synchronisation or per-cpu data would bring unjustified overhead, given that most users interested in high volume traffic will likely be running 64bit kernels on 64bit hardware. As such, this patch replaces l2tp's use of u64_stats with atomic_long_t, thereby avoiding the deadlock. Ref: http://marc.info/?l=linux-netdev&m=134029167910731&w=2 http://marc.info/?l=linux-netdev&m=134079868111131&w=2 Signed-off-by: Tom Parkin <tparkin@katalix.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-19 15:11:22 +09:00
atomic_long_t tx_packets;
atomic_long_t tx_bytes;
atomic_long_t tx_errors;
atomic_long_t rx_packets;
atomic_long_t rx_bytes;
atomic_long_t rx_seq_discards;
atomic_long_t rx_oos_packets;
atomic_long_t rx_errors;
atomic_long_t rx_cookie_discards;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
};
struct l2tp_tunnel;
/* Describes a session. Contains information to determine incoming
* packets and transmit outgoing ones.
*/
struct l2tp_session_cfg {
l2tp: Add L2TPv3 protocol support The L2TPv3 protocol changes the layout of the L2TP packet header. Tunnel and session ids change from 16-bit to 32-bit values, data sequence numbers change from 16-bit to 24-bit values and PPP-specific fields are moved into protocol-specific subheaders. Although this patch introduces L2TPv3 protocol support, there are no userspace interfaces to create L2TPv3 sessions yet. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:49 +09:00
enum l2tp_pwtype pw_type;
net: cleanup unsigned to unsigned int Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-04-15 14:58:06 +09:00
unsigned int recv_seq:1; /* expect receive packets with
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
* sequence numbers? */
net: cleanup unsigned to unsigned int Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-04-15 14:58:06 +09:00
unsigned int send_seq:1; /* send packets with sequence
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
* numbers? */
net: cleanup unsigned to unsigned int Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-04-15 14:58:06 +09:00
unsigned int lns_mode:1; /* behave as LNS? LAC enables
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
* sequence numbers under
* control of LNS. */
int debug; /* bitmask of debug message
* categories */
l2tp: Add L2TPv3 protocol support The L2TPv3 protocol changes the layout of the L2TP packet header. Tunnel and session ids change from 16-bit to 32-bit values, data sequence numbers change from 16-bit to 24-bit values and PPP-specific fields are moved into protocol-specific subheaders. Although this patch introduces L2TPv3 protocol support, there are no userspace interfaces to create L2TPv3 sessions yet. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:49 +09:00
u16 l2specific_type; /* Layer 2 specific type */
u8 cookie[8]; /* optional cookie */
int cookie_len; /* 0, 4 or 8 bytes */
u8 peer_cookie[8]; /* peer's cookie */
int peer_cookie_len; /* 0, 4 or 8 bytes */
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
int reorder_timeout; /* configured reorder timeout
* (in jiffies) */
l2tp: Add netlink control API for L2TP In L2TPv3, we need to create/delete/modify/query L2TP tunnel and session contexts. The number of parameters is significant. So let's use netlink. Userspace uses this API to control L2TP tunnel/session contexts in the kernel. The previous pppol2tp driver was managed using [gs]etsockopt(). This API is retained for backwards compatibility. Unlike L2TPv2 which carries only PPP frames, L2TPv3 can carry raw ethernet frames or other frame types and these do not always have an associated socket family. Therefore, we need a way to use L2TP sessions that doesn't require a socket type for each supported frame type. Hence netlink is used. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:19:10 +09:00
char *ifname;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
};
struct l2tp_session {
int magic; /* should be
* L2TP_SESSION_MAGIC */
l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall() There are several ways to remove L2TP sessions: * deleting a session explicitly using the netlink interface (with L2TP_CMD_SESSION_DELETE), * deleting the session's parent tunnel (either by closing the tunnel's file descriptor or using the netlink interface), * closing the PPPOL2TP file descriptor of a PPP pseudo-wire. In some cases, when these methods are used concurrently on the same session, the session can be removed twice, leading to use-after-free bugs. This patch adds a 'dead' flag, used by l2tp_session_delete() and l2tp_tunnel_closeall() to prevent them from stepping on each other's toes. The session deletion path used when closing a PPPOL2TP file descriptor doesn't need to be adapted. It already has to ensure that a session remains valid for the lifetime of its PPPOL2TP file descriptor. So it takes an extra reference on the session in the ->session_close() callback (pppol2tp_session_close()), which is eventually dropped in the ->sk_destruct() callback of the PPPOL2TP socket (pppol2tp_session_destruct()). Still, __l2tp_session_unhash() and l2tp_session_queue_purge() can be called twice and even concurrently for a given session, but thanks to proper locking and re-initialisation of list fields, this is not an issue. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-22 22:39:24 +09:00
long dead;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
struct l2tp_tunnel *tunnel; /* back pointer to tunnel
* context */
u32 session_id;
u32 peer_session_id;
l2tp: Add L2TPv3 protocol support The L2TPv3 protocol changes the layout of the L2TP packet header. Tunnel and session ids change from 16-bit to 32-bit values, data sequence numbers change from 16-bit to 24-bit values and PPP-specific fields are moved into protocol-specific subheaders. Although this patch introduces L2TPv3 protocol support, there are no userspace interfaces to create L2TPv3 sessions yet. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:49 +09:00
u8 cookie[8];
int cookie_len;
u8 peer_cookie[8];
int peer_cookie_len;
u16 l2specific_type;
u16 hdr_len;
u32 nr; /* session NR state (receive) */
u32 ns; /* session NR state (send) */
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
struct sk_buff_head reorder_q; /* receive reorder queue */
l2tp: make datapath sequence number support RFC-compliant The L2TP datapath is not currently RFC-compliant when sequence numbers are used in L2TP data packets. According to the L2TP RFC, any received sequence number NR greater than or equal to the next expected NR is acceptable, where the "greater than or equal to" test is determined by the NR wrap point. This differs for L2TPv2 and L2TPv3, so add state in the session context to hold the max NR value and the NR window size in order to do the acceptable sequence number value check. These might be configurable later, but for now we derive it from the tunnel L2TP version, which determines the sequence number field size. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-07-03 04:28:59 +09:00
u32 nr_max; /* max NR. Depends on tunnel */
u32 nr_window_size; /* NR window size */
l2tp: make datapath resilient to packet loss when sequence numbers enabled If L2TP data sequence numbers are enabled and reordering is not enabled, data reception stops if a packet is lost since the kernel waits for a sequence number that is never resent. (When reordering is enabled, data reception restarts when the reorder timeout expires.) If no reorder timeout is set, we should count the number of in-sequence packets after the out-of-sequence (OOS) condition is detected, and reset sequence number state after a number of such packets are received. For now, the number of in-sequence packets while in OOS state which cause the sequence number state to be reset is hard-coded to 5. This could be configurable later. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-07-03 04:29:00 +09:00
u32 nr_oos; /* NR of last OOS packet */
int nr_oos_count; /* For OOS recovery */
int nr_oos_count_max;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
struct hlist_node hlist; /* Hash list node */
net, l2tp: convert l2tp_session.ref_count from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-04 21:52:58 +09:00
refcount_t ref_count;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
char name[32]; /* for logging */
l2tp: Add netlink control API for L2TP In L2TPv3, we need to create/delete/modify/query L2TP tunnel and session contexts. The number of parameters is significant. So let's use netlink. Userspace uses this API to control L2TP tunnel/session contexts in the kernel. The previous pppol2tp driver was managed using [gs]etsockopt(). This API is retained for backwards compatibility. Unlike L2TPv2 which carries only PPP frames, L2TPv3 can carry raw ethernet frames or other frame types and these do not always have an associated socket family. Therefore, we need a way to use L2TP sessions that doesn't require a socket type for each supported frame type. Hence netlink is used. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:19:10 +09:00
char ifname[IFNAMSIZ];
net: cleanup unsigned to unsigned int Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-04-15 14:58:06 +09:00
unsigned int recv_seq:1; /* expect receive packets with
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
* sequence numbers? */
net: cleanup unsigned to unsigned int Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-04-15 14:58:06 +09:00
unsigned int send_seq:1; /* send packets with sequence
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
* numbers? */
net: cleanup unsigned to unsigned int Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-04-15 14:58:06 +09:00
unsigned int lns_mode:1; /* behave as LNS? LAC enables
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
* sequence numbers under
* control of LNS. */
int debug; /* bitmask of debug message
* categories */
int reorder_timeout; /* configured reorder timeout
* (in jiffies) */
l2tp: fix reorder timeout recovery When L2TP data packet reordering is enabled, packets are held in a queue while waiting for out-of-sequence packets. If a packet gets lost, packets will be held until the reorder timeout expires, when we are supposed to then advance to the sequence number of the next packet but we don't currently do so. As a result, the data channel is stuck because we are waiting for a packet that will never arrive - all packets age out and none are passed. The fix is to add a flag to the session context, which is set when the reorder timeout expires and tells the receive code to reset the next expected sequence number to that of the next packet in the queue. Tested in a production L2TP network with Starent and Nortel L2TP gear. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-05-10 08:43:08 +09:00
int reorder_skip; /* set if skip to next nr */
l2tp: Add L2TPv3 protocol support The L2TPv3 protocol changes the layout of the L2TP packet header. Tunnel and session ids change from 16-bit to 32-bit values, data sequence numbers change from 16-bit to 24-bit values and PPP-specific fields are moved into protocol-specific subheaders. Although this patch introduces L2TPv3 protocol support, there are no userspace interfaces to create L2TPv3 sessions yet. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:49 +09:00
enum l2tp_pwtype pwtype;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
struct l2tp_stats stats;
l2tp: Add L2TPv3 protocol support The L2TPv3 protocol changes the layout of the L2TP packet header. Tunnel and session ids change from 16-bit to 32-bit values, data sequence numbers change from 16-bit to 24-bit values and PPP-specific fields are moved into protocol-specific subheaders. Although this patch introduces L2TPv3 protocol support, there are no userspace interfaces to create L2TPv3 sessions yet. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:49 +09:00
struct hlist_node global_hlist; /* Global hash list node */
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
l2tp: Add L2TPv3 protocol support The L2TPv3 protocol changes the layout of the L2TP packet header. Tunnel and session ids change from 16-bit to 32-bit values, data sequence numbers change from 16-bit to 24-bit values and PPP-specific fields are moved into protocol-specific subheaders. Although this patch introduces L2TPv3 protocol support, there are no userspace interfaces to create L2TPv3 sessions yet. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:49 +09:00
int (*build_header)(struct l2tp_session *session, void *buf);
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
void (*recv_skb)(struct l2tp_session *session, struct sk_buff *skb, int data_len);
void (*session_close)(struct l2tp_session *session);
l2tp: Add debugfs files for dumping l2tp debug info The existing pppol2tp driver exports debug info to /proc/net/pppol2tp. Rather than adding info to that file for the new functionality added in this patch series, we add new files in debugfs, leaving the old /proc file for backwards compatibility (L2TPv2 only). Currently only one file is provided: l2tp/tunnels, which lists internal debug info for all l2tp tunnels and sessions. More files may be added later. The info is for debug and problem analysis only - userspace apps should use netlink to obtain status about l2tp tunnels and sessions. Although debugfs does not support net namespaces, the tunnels and sessions dumped in l2tp/tunnels are only those in the net namespace of the process reading the file. Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:19:33 +09:00
void (*show)(struct seq_file *m, void *priv);
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
uint8_t priv[0]; /* private data */
};
/* Describes the tunnel. It contains info to track all the associated
* sessions so incoming packets can be sorted out
*/
struct l2tp_tunnel_cfg {
int debug; /* bitmask of debug message
* categories */
l2tp: Add L2TPv3 IP encapsulation (no UDP) support This patch adds a new L2TPIP socket family and modifies the core to handle the case where there is no UDP header in the L2TP packet. L2TP/IP uses IP protocol 115. Since L2TP/UDP and L2TP/IP packets differ in layout, the datapath packet handling code needs changes too. Userspace uses an L2TPIP socket instead of a UDP socket when IP encapsulation is required. We can't use raw sockets for this because the semantics of raw sockets don't lend themselves to the socket-per-tunnel model - we need to Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:19:00 +09:00
enum l2tp_encap_type encap;
l2tp: Add support for static unmanaged L2TPv3 tunnels This patch adds support for static (unmanaged) L2TPv3 tunnels, where the tunnel socket is created by the kernel rather than being created by userspace. This means L2TP tunnels and sessions can be created manually, without needing an L2TP control protocol implemented in userspace. This might be useful where the user wants a simple ethernet over IP tunnel. A patch to iproute2 adds a new command set under "ip l2tp" to make use of this feature. This will be submitted separately. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:19:40 +09:00
/* Used only for kernel-created sockets */
struct in_addr local_ip;
struct in_addr peer_ip;
l2tp: netlink api for l2tpv3 ipv6 unmanaged tunnels This patch adds support for unmanaged L2TPv3 tunnels over IPv6 using the netlink API. We already support unmanaged L2TPv3 tunnels over IPv4. A patch to iproute2 to make use of this feature will be submitted separately. Signed-off-by: Chris Elston <celston@katalix.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-04-30 06:48:52 +09:00
#if IS_ENABLED(CONFIG_IPV6)
struct in6_addr *local_ip6;
struct in6_addr *peer_ip6;
#endif
l2tp: Add support for static unmanaged L2TPv3 tunnels This patch adds support for static (unmanaged) L2TPv3 tunnels, where the tunnel socket is created by the kernel rather than being created by userspace. This means L2TP tunnels and sessions can be created manually, without needing an L2TP control protocol implemented in userspace. This might be useful where the user wants a simple ethernet over IP tunnel. A patch to iproute2 adds a new command set under "ip l2tp" to make use of this feature. This will be submitted separately. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:19:40 +09:00
u16 local_udp_port;
u16 peer_udp_port;
l2tp: Add support for zero IPv6 checksums Added new L2TP configuration options to allow TX and RX of zero checksums in IPv6. Default is not to use them. Signed-off-by: Tom Herbert <therbert@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-24 00:47:40 +09:00
unsigned int use_udp_checksums:1,
udp6_zero_tx_checksums:1,
udp6_zero_rx_checksums:1;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
};
struct l2tp_tunnel {
int magic; /* Should be L2TP_TUNNEL_MAGIC */
l2tp: fix race condition in l2tp_tunnel_delete If we try to delete the same tunnel twice, the first delete operation does a lookup (l2tp_tunnel_get), finds the tunnel, calls l2tp_tunnel_delete, which queues it for deletion by l2tp_tunnel_del_work. The second delete operation also finds the tunnel and calls l2tp_tunnel_delete. If the workqueue has already fired and started running l2tp_tunnel_del_work, then l2tp_tunnel_delete will queue the same tunnel a second time, and try to free the socket again. Add a dead flag to prevent firing the workqueue twice. Then we can remove the check of queue_work's result that was meant to prevent that race but doesn't. Reproducer: ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 local 192.168.0.2 remote 192.168.0.1 encap udp udp_sport 5000 udp_dport 6000 ip l2tp add session name l2tp1 tunnel_id 3000 session_id 1000 peer_session_id 2000 ip link set l2tp1 up ip l2tp del tunnel tunnel_id 3000 ip l2tp del tunnel tunnel_id 3000 Fixes: f8ccac0e4493 ("l2tp: put tunnel socket release on a workqueue") Reported-by: Jianlin Shi <jishi@redhat.com> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Acked-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-26 23:16:43 +09:00
unsigned long dead;
l2tp: avoid to use synchronize_rcu in tunnel free function Avoid to use synchronize_rcu in l2tp_tunnel_free because context may be atomic. Signed-off-by: Dmitry Kozlov <xeb@mail.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-08-24 10:07:38 +09:00
struct rcu_head rcu;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
rwlock_t hlist_lock; /* protect session_hlist */
l2tp: prevent creation of sessions on terminated tunnels l2tp_tunnel_destruct() sets tunnel->sock to NULL, then removes the tunnel from the pernet list and finally closes all its sessions. Therefore, it's possible to add a session to a tunnel that is still reachable, but for which tunnel->sock has already been reset. This can make l2tp_session_create() dereference a NULL pointer when calling sock_hold(tunnel->sock). This patch adds the .acpt_newsess field to struct l2tp_tunnel, which is used by l2tp_tunnel_closeall() to prevent addition of new sessions to tunnels. Resetting tunnel->sock is done after l2tp_tunnel_closeall() returned, so that l2tp_session_add_to_tunnel() can safely take a reference on it when .acpt_newsess is true. The .acpt_newsess field is modified in l2tp_tunnel_closeall(), rather than in l2tp_tunnel_destruct(), so that it benefits all tunnel removal mechanisms. E.g. on UDP tunnels, a session could be added to a tunnel after l2tp_udp_encap_destroy() proceeded. This would prevent the tunnel from being removed because of the references held by this new session on the tunnel and its socket. Even though the session could be removed manually later on, this defeats the purpose of commit 9980d001cec8 ("l2tp: add udp encap socket destroy handler"). Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-02 00:58:48 +09:00
bool acpt_newsess; /* Indicates whether this
* tunnel accepts new sessions.
* Protected by hlist_lock.
*/
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
struct hlist_head session_hlist[L2TP_HASH_SIZE];
/* hashed list of sessions,
* hashed by id */
u32 tunnel_id;
u32 peer_tunnel_id;
int version; /* 2=>L2TPv2, 3=>L2TPv3 */
char name[20]; /* for logging */
int debug; /* bitmask of debug message
* categories */
l2tp: Add L2TPv3 IP encapsulation (no UDP) support This patch adds a new L2TPIP socket family and modifies the core to handle the case where there is no UDP header in the L2TP packet. L2TP/IP uses IP protocol 115. Since L2TP/UDP and L2TP/IP packets differ in layout, the datapath packet handling code needs changes too. Userspace uses an L2TPIP socket instead of a UDP socket when IP encapsulation is required. We can't use raw sockets for this because the semantics of raw sockets don't lend themselves to the socket-per-tunnel model - we need to Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:19:00 +09:00
enum l2tp_encap_type encap;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
struct l2tp_stats stats;
struct list_head list; /* Keep a list of all tunnels */
struct net *l2tp_net; /* the net we belong to */
net, l2tp: convert l2tp_tunnel.ref_count from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-04 21:52:57 +09:00
refcount_t ref_count;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
void (*old_sk_destruct)(struct sock *);
struct sock *sock; /* Parent socket */
l2tp: prevent l2tp_tunnel_delete racing with userspace close If a tunnel socket is created by userspace, l2tp hooks the socket destructor in order to clean up resources if userspace closes the socket or crashes. It also caches a pointer to the struct sock for use in the data path and in the netlink interface. While it is safe to use the cached sock pointer in the data path, where the skb references keep the socket alive, it is not safe to use it elsewhere as such access introduces a race with userspace closing the socket. In particular, l2tp_tunnel_delete is prone to oopsing if a multithreaded userspace application closes a socket at the same time as sending a netlink delete command for the tunnel. This patch fixes this oops by forcing l2tp_tunnel_delete to explicitly look up a tunnel socket held by userspace using sockfd_lookup(). Signed-off-by: Tom Parkin <tparkin@katalix.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-22 14:13:48 +09:00
int fd; /* Parent fd, if tunnel socket
* was created by userspace */
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
l2tp: put tunnel socket release on a workqueue To allow l2tp_tunnel_delete to be called from an atomic context, place the tunnel socket release calls on a workqueue for asynchronous execution. Tunnel memory is eventually freed in the tunnel socket destructor. Signed-off-by: Tom Parkin <tparkin@katalix.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-01 08:43:00 +09:00
struct work_struct del_work;
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
};
l2tp: Add netlink control API for L2TP In L2TPv3, we need to create/delete/modify/query L2TP tunnel and session contexts. The number of parameters is significant. So let's use netlink. Userspace uses this API to control L2TP tunnel/session contexts in the kernel. The previous pppol2tp driver was managed using [gs]etsockopt(). This API is retained for backwards compatibility. Unlike L2TPv2 which carries only PPP frames, L2TPv3 can carry raw ethernet frames or other frame types and these do not always have an associated socket family. Therefore, we need a way to use L2TP sessions that doesn't require a socket type for each supported frame type. Hence netlink is used. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:19:10 +09:00
struct l2tp_nl_cmd_ops {
l2tp: pass tunnel pointer to ->session_create() Using l2tp_tunnel_find() in pppol2tp_session_create() and l2tp_eth_create() is racy, because no reference is held on the returned session. These functions are only used to implement the ->session_create callback which is run by l2tp_nl_cmd_session_create(). Therefore searching for the parent tunnel isn't necessary because l2tp_nl_cmd_session_create() already has a pointer to it and holds a reference. This patch modifies ->session_create()'s prototype to directly pass the the parent tunnel as parameter, thus avoiding searching for it in pppol2tp_session_create() and l2tp_eth_create(). Since we have to touch the ->session_create() call in l2tp_nl_cmd_session_create(), let's also remove the useless conditional: we know that ->session_create isn't NULL at this point because it's already been checked earlier in this same function. Finally, one might be tempted to think that the removed l2tp_tunnel_find() calls were harmless because they would return the same tunnel as the one held by l2tp_nl_cmd_session_create() anyway. But that tunnel might be removed and a new one created with same tunnel Id before the l2tp_tunnel_find() call. In this case l2tp_tunnel_find() would return the new tunnel which wouldn't be protected by the reference held by l2tp_nl_cmd_session_create(). Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-02 00:58:51 +09:00
int (*session_create)(struct net *net, struct l2tp_tunnel *tunnel,
u32 session_id, u32 peer_session_id,
struct l2tp_session_cfg *cfg);
l2tp: Add netlink control API for L2TP In L2TPv3, we need to create/delete/modify/query L2TP tunnel and session contexts. The number of parameters is significant. So let's use netlink. Userspace uses this API to control L2TP tunnel/session contexts in the kernel. The previous pppol2tp driver was managed using [gs]etsockopt(). This API is retained for backwards compatibility. Unlike L2TPv2 which carries only PPP frames, L2TPv3 can carry raw ethernet frames or other frame types and these do not always have an associated socket family. Therefore, we need a way to use L2TP sessions that doesn't require a socket type for each supported frame type. Hence netlink is used. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:19:10 +09:00
int (*session_delete)(struct l2tp_session *session);
};
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
static inline void *l2tp_session_priv(struct l2tp_session *session)
{
return &session->priv[0];
}
l2tp: hold tunnel while looking up sessions in l2tp_netlink l2tp_tunnel_find() doesn't take a reference on the returned tunnel. Therefore, it's unsafe to use it because the returned tunnel can go away on us anytime. Fix this by defining l2tp_tunnel_get(), which works like l2tp_tunnel_find(), but takes a reference on the returned tunnel. Caller then has to drop this reference using l2tp_tunnel_dec_refcount(). As l2tp_tunnel_dec_refcount() needs to be moved to l2tp_core.h, let's simplify the patch and not move the L2TP_REFCNT_DEBUG part. This code has been broken (not even compiling) in May 2012 by commit a4ca44fa578c ("net: l2tp: Standardize logging styles") and fixed more than two years later by commit 29abe2fda54f ("l2tp: fix missing line continuation"). So it doesn't appear to be used by anyone. Same thing for l2tp_tunnel_free(); instead of moving it to l2tp_core.h, let's just simplify things and call kfree_rcu() directly in l2tp_tunnel_dec_refcount(). Extra assertions and debugging code provided by l2tp_tunnel_free() didn't help catching any of the reference counting and socket handling issues found while working on this series. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-25 23:51:40 +09:00
struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id);
l2tp: hold reference on tunnels in netlink dumps l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned tunnel, therefore it can be freed whenever the caller uses it. This patch defines l2tp_tunnel_get_nth() which works similarly, but also takes a reference on the returned tunnel. The caller then has to drop it after it stops using the tunnel. Convert netlink dumps to make them safe against concurrent tunnel deletion. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-13 03:50:33 +09:00
struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth);
l2tp: split l2tp_session_get() l2tp_session_get() is used for two different purposes. If 'tunnel' is NULL, the session is searched globally in the supplied network namespace. Otherwise it is searched exclusively in the tunnel context. Callers always know the context in which they need to search the session. But some of them do provide both a namespace and a tunnel, making the semantic of the call unclear. This patch defines l2tp_tunnel_get_session() for lookups done in a tunnel and restricts l2tp_session_get() to namespace searches. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-08-10 20:21:57 +09:00
struct l2tp_session *l2tp_tunnel_get_session(struct l2tp_tunnel *tunnel,
u32 session_id);
l2tp: hold reference on tunnels in netlink dumps l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned tunnel, therefore it can be freed whenever the caller uses it. This patch defines l2tp_tunnel_get_nth() which works similarly, but also takes a reference on the returned tunnel. The caller then has to drop it after it stops using the tunnel. Convert netlink dumps to make them safe against concurrent tunnel deletion. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-13 03:50:33 +09:00
l2tp: fix races with tunnel socket close The tunnel socket tunnel->sock (struct sock) is accessed when preparing a new ppp session on a tunnel at pppol2tp_session_init. If the socket is closed by a thread while another is creating a new session, the threads race. In pppol2tp_connect, the tunnel object may be created if the pppol2tp socket is associated with the special session_id 0 and the tunnel socket is looked up using the provided fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel socket to prevent it being destroyed during pppol2tp_connect since this may itself may race with the socket being destroyed. Doing sockfd_lookup in pppol2tp_connect isn't sufficient to prevent tunnel->sock going away either because a given tunnel socket fd may be reused between calls to pppol2tp_connect. Instead, have l2tp_tunnel_create sock_hold the tunnel socket before it does sockfd_put. This ensures that the tunnel's socket is always extant while the tunnel object exists. Hold a ref on the socket until the tunnel is destroyed and ensure that all tunnel destroy paths go through a common function (l2tp_tunnel_delete) since this will do the final sock_put to release the tunnel socket. Since the tunnel's socket is now guaranteed to exist if the tunnel exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel to derive the tunnel from the socket since this is always sk_user_data. Also, sessions no longer sock_hold the tunnel socket since sessions already hold a tunnel ref and the tunnel sock will not be freed until the tunnel is freed. Removing these sock_holds in l2tp_session_register avoids a possible sock leak in the pppol2tp_connect error path if l2tp_session_register succeeds but attaching a ppp channel fails. The pppol2tp_connect error path could have been fixed instead and have the sock ref dropped when the session is freed, but doing a sock_put of the tunnel socket when the session is freed would require a new session_free callback. It is simpler to just remove the sock_hold of the tunnel socket in l2tp_session_register, now that the tunnel socket lifetime is guaranteed. Finally, some init code in l2tp_tunnel_create is reordered to ensure that the new tunnel object's refcount is set and the tunnel socket ref is taken before the tunnel socket destructor callbacks are set. kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN Modules linked in: CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34 Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 RIP: 0010:pppol2tp_session_init+0x1d6/0x500 RSP: 0018:ffff88001377fb40 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228 RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002 R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000 R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76 FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0 Call Trace: pppol2tp_connect+0xd18/0x13c0 ? pppol2tp_session_create+0x170/0x170 ? __might_fault+0x115/0x1d0 ? lock_downgrade+0x860/0x860 ? __might_fault+0xe5/0x1d0 ? security_socket_connect+0x8e/0xc0 SYSC_connect+0x1b6/0x310 ? SYSC_bind+0x280/0x280 ? __do_page_fault+0x5d1/0xca0 ? up_read+0x1f/0x40 ? __do_page_fault+0x3c8/0xca0 SyS_connect+0x29/0x30 ? SyS_accept+0x40/0x40 do_syscall_64+0x1e0/0x730 ? trace_hardirqs_off_thunk+0x1a/0x1c entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x7ffb3e376259 RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259 RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004 RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60 R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000 Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16 Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close") Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 02:45:45 +09:00
void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
l2tp: hold tunnel while looking up sessions in l2tp_netlink l2tp_tunnel_find() doesn't take a reference on the returned tunnel. Therefore, it's unsafe to use it because the returned tunnel can go away on us anytime. Fix this by defining l2tp_tunnel_get(), which works like l2tp_tunnel_find(), but takes a reference on the returned tunnel. Caller then has to drop this reference using l2tp_tunnel_dec_refcount(). As l2tp_tunnel_dec_refcount() needs to be moved to l2tp_core.h, let's simplify the patch and not move the L2TP_REFCNT_DEBUG part. This code has been broken (not even compiling) in May 2012 by commit a4ca44fa578c ("net: l2tp: Standardize logging styles") and fixed more than two years later by commit 29abe2fda54f ("l2tp: fix missing line continuation"). So it doesn't appear to be used by anyone. Same thing for l2tp_tunnel_free(); instead of moving it to l2tp_core.h, let's just simplify things and call kfree_rcu() directly in l2tp_tunnel_dec_refcount(). Extra assertions and debugging code provided by l2tp_tunnel_free() didn't help catching any of the reference counting and socket handling issues found while working on this series. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-25 23:51:40 +09:00
l2tp: split l2tp_session_get() l2tp_session_get() is used for two different purposes. If 'tunnel' is NULL, the session is searched globally in the supplied network namespace. Otherwise it is searched exclusively in the tunnel context. Callers always know the context in which they need to search the session. But some of them do provide both a namespace and a tunnel, making the semantic of the call unclear. This patch defines l2tp_tunnel_get_session() for lookups done in a tunnel and restricts l2tp_session_get() to namespace searches. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-08-10 20:21:57 +09:00
struct l2tp_session *l2tp_session_get(const struct net *net, u32 session_id);
l2tp: remove ->ref() and ->deref() The ->ref() and ->deref() callbacks are unused since PPP stopped using them in ee40fb2e1eb5 ("l2tp: protect sock pointer of struct pppol2tp_session with RCU"). We can thus remove them from struct l2tp_session and drop the do_ref parameter of l2tp_session_get*(). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-11-01 01:36:42 +09:00
struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth);
l2tp: define parameters of l2tp_session_get*() as "const" Make l2tp_pernet()'s parameter constant, so that l2tp_session_get*() can declare their "net" variable as "const". Also constify "ifname" in l2tp_session_get_by_ifname(). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-12 17:05:29 +09:00
struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
l2tp: remove ->ref() and ->deref() The ->ref() and ->deref() callbacks are unused since PPP stopped using them in ee40fb2e1eb5 ("l2tp: protect sock pointer of struct pppol2tp_session with RCU"). We can thus remove them from struct l2tp_session and drop the do_ref parameter of l2tp_session_get*(). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-11-01 01:36:42 +09:00
const char *ifname);
net: misc: Remove extern from function prototypes There are a mix of function prototypes with and without extern in the kernel sources. Standardize on not using extern for function prototypes. Function prototypes don't need to be written with extern. extern is assumed by the compiler. Its use is as unnecessary as using auto to declare automatic/local variables in a block. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-19 05:48:25 +09:00
int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id,
u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg,
struct l2tp_tunnel **tunnelp);
l2tp: fix races in tunnel creation l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel list and sets the socket's ->sk_user_data field, before returning it to the caller. Therefore, there are two ways the tunnel can be accessed and freed, before the caller even had the opportunity to take a reference. In practice, syzbot could crash the module by closing the socket right after a new tunnel was returned to pppol2tp_create(). This patch moves tunnel registration out of l2tp_tunnel_create(), so that the caller can safely hold a reference before publishing the tunnel. This second step is done with the new l2tp_tunnel_register() function, which is now responsible for associating the tunnel to its socket and for inserting it into the namespace's list. While moving the code to l2tp_tunnel_register(), a few modifications have been done. First, the socket validation tests are done in a helper function, for clarity. Also, modifying the socket is now done after having inserted the tunnel to the namespace's tunnels list. This will allow insertion to fail, without having to revert theses modifications in the error path (a followup patch will check for duplicate tunnels before insertion). Either the socket is a kernel socket which we control, or it is a user-space socket for which we have a reference on the file descriptor. In any case, the socket isn't going to be closed from under us. Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-11 04:01:12 +09:00
int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
struct l2tp_tunnel_cfg *cfg);
l2tp: fix race condition in l2tp_tunnel_delete If we try to delete the same tunnel twice, the first delete operation does a lookup (l2tp_tunnel_get), finds the tunnel, calls l2tp_tunnel_delete, which queues it for deletion by l2tp_tunnel_del_work. The second delete operation also finds the tunnel and calls l2tp_tunnel_delete. If the workqueue has already fired and started running l2tp_tunnel_del_work, then l2tp_tunnel_delete will queue the same tunnel a second time, and try to free the socket again. Add a dead flag to prevent firing the workqueue twice. Then we can remove the check of queue_work's result that was meant to prevent that race but doesn't. Reproducer: ip l2tp add tunnel tunnel_id 3000 peer_tunnel_id 4000 local 192.168.0.2 remote 192.168.0.1 encap udp udp_sport 5000 udp_dport 6000 ip l2tp add session name l2tp1 tunnel_id 3000 session_id 1000 peer_session_id 2000 ip link set l2tp1 up ip l2tp del tunnel tunnel_id 3000 ip l2tp del tunnel tunnel_id 3000 Fixes: f8ccac0e4493 ("l2tp: put tunnel socket release on a workqueue") Reported-by: Jianlin Shi <jishi@redhat.com> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Acked-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-26 23:16:43 +09:00
void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel);
net: misc: Remove extern from function prototypes There are a mix of function prototypes with and without extern in the kernel sources. Standardize on not using extern for function prototypes. Function prototypes don't need to be written with extern. extern is assumed by the compiler. Its use is as unnecessary as using auto to declare automatic/local variables in a block. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-19 05:48:25 +09:00
struct l2tp_session *l2tp_session_create(int priv_size,
struct l2tp_tunnel *tunnel,
u32 session_id, u32 peer_session_id,
struct l2tp_session_cfg *cfg);
l2tp: don't register sessions in l2tp_session_create() Sessions created by l2tp_session_create() aren't fully initialised: some pseudo-wire specific operations need to be done before making the session usable. Therefore the PPP and Ethernet pseudo-wires continue working on the returned l2tp session while it's already been exposed to the rest of the system. This can lead to various issues. In particular, the session may enter the deletion process before having been fully initialised, which will confuse the session removal code. This patch moves session registration out of l2tp_session_create(), so that callers can control when the session is exposed to the rest of the system. This is done by the new l2tp_session_register() function. Only pppol2tp_session_create() can be easily converted to avoid modifying its session after registration (the debug message is dropped in order to avoid the need for holding a reference on the session). For pppol2tp_connect() and l2tp_eth_create()), more work is needed. That'll be done in followup patches. For now, let's just register the session right after its creation, like it was done before. The only difference is that we can easily take a reference on the session before registering it, so, at least, we're sure it's not going to be freed while we're working on it. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 23:51:50 +09:00
int l2tp_session_register(struct l2tp_session *session,
struct l2tp_tunnel *tunnel);
net: misc: Remove extern from function prototypes There are a mix of function prototypes with and without extern in the kernel sources. Standardize on not using extern for function prototypes. Function prototypes don't need to be written with extern. extern is assumed by the compiler. Its use is as unnecessary as using auto to declare automatic/local variables in a block. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-19 05:48:25 +09:00
void __l2tp_session_unhash(struct l2tp_session *session);
int l2tp_session_delete(struct l2tp_session *session);
void l2tp_session_free(struct l2tp_session *session);
void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
unsigned char *ptr, unsigned char *optr, u16 hdrflags,
l2tp: remove ->recv_payload_hook The tunnel reception hook is only used by l2tp_ppp for skipping PPP framing bytes. This is a session specific operation, but once a PPP session sets ->recv_payload_hook on its tunnel, all frames received by the tunnel will enter pppol2tp_recv_payload_hook(), including those targeted at Ethernet sessions (an L2TPv3 tunnel can multiplex PPP and Ethernet sessions). So this mechanism is wrong, and uselessly complex. Let's just move this functionality to the pppol2tp rx handler and drop ->recv_payload_hook. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-07-25 21:53:33 +09:00
int length);
net: misc: Remove extern from function prototypes There are a mix of function prototypes with and without extern in the kernel sources. Standardize on not using extern for function prototypes. Function prototypes don't need to be written with extern. extern is assumed by the compiler. Its use is as unnecessary as using auto to declare automatic/local variables in a block. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-19 05:48:25 +09:00
int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb);
l2tp: fix manual sequencing (de)activation in L2TPv2 Commit e0d4435f "l2tp: Update PPP-over-L2TP driver to work over L2TPv3" broke the PPPOL2TP_SO_SENDSEQ setsockopt. The L2TP header length was previously computed by pppol2tp_l2t_header_len() before each call to l2tp_xmit_skb(). Now that header length is retrieved from the hdr_len session field, this field must be updated every time the L2TP header format is modified, or l2tp_xmit_skb() won't push the right amount of data for the L2TP header. This patch uses l2tp_session_set_header_len() to adjust hdr_len every time sequencing is (de)activated from userspace (either by the PPPOL2TP_SO_SENDSEQ setsockopt or the L2TP_ATTR_SEND_SEQ netlink attribute). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2014-03-06 19:14:30 +09:00
void l2tp_session_set_header_len(struct l2tp_session *session, int version);
net: misc: Remove extern from function prototypes There are a mix of function prototypes with and without extern in the kernel sources. Standardize on not using extern for function prototypes. Function prototypes don't need to be written with extern. extern is assumed by the compiler. Its use is as unnecessary as using auto to declare automatic/local variables in a block. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-19 05:48:25 +09:00
int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb,
int hdr_len);
int l2tp_nl_register_ops(enum l2tp_pwtype pw_type,
const struct l2tp_nl_cmd_ops *ops);
void l2tp_nl_unregister_ops(enum l2tp_pwtype pw_type);
l2tp: do not use udp_ioctl() udp_ioctl(), as its name suggests, is used by UDP protocols, but is also used by L2TP :( L2TP should use its own handler, because it really does not look the same. SIOCINQ for instance should not assume UDP checksum or headers. Thanks to Andrey and syzkaller team for providing the report and a nice reproducer. While crashes only happen on recent kernels (after commit 7c13f97ffde6 ("udp: do fwd memory scheduling on dequeue")), this probably needs to be backported to older kernels. Fixes: 7c13f97ffde6 ("udp: do fwd memory scheduling on dequeue") Fixes: 85584672012e ("udp: Fix udp_poll() and ioctl()") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Andrey Konovalov <andreyknvl@google.com> Acked-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-10 09:15:52 +09:00
int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg);
l2tp: Add netlink control API for L2TP In L2TPv3, we need to create/delete/modify/query L2TP tunnel and session contexts. The number of parameters is significant. So let's use netlink. Userspace uses this API to control L2TP tunnel/session contexts in the kernel. The previous pppol2tp driver was managed using [gs]etsockopt(). This API is retained for backwards compatibility. Unlike L2TPv2 which carries only PPP frames, L2TPv3 can carry raw ethernet frames or other frame types and these do not always have an associated socket family. Therefore, we need a way to use L2TP sessions that doesn't require a socket type for each supported frame type. Hence netlink is used. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:19:10 +09:00
l2tp: hold tunnel while looking up sessions in l2tp_netlink l2tp_tunnel_find() doesn't take a reference on the returned tunnel. Therefore, it's unsafe to use it because the returned tunnel can go away on us anytime. Fix this by defining l2tp_tunnel_get(), which works like l2tp_tunnel_find(), but takes a reference on the returned tunnel. Caller then has to drop this reference using l2tp_tunnel_dec_refcount(). As l2tp_tunnel_dec_refcount() needs to be moved to l2tp_core.h, let's simplify the patch and not move the L2TP_REFCNT_DEBUG part. This code has been broken (not even compiling) in May 2012 by commit a4ca44fa578c ("net: l2tp: Standardize logging styles") and fixed more than two years later by commit 29abe2fda54f ("l2tp: fix missing line continuation"). So it doesn't appear to be used by anyone. Same thing for l2tp_tunnel_free(); instead of moving it to l2tp_core.h, let's just simplify things and call kfree_rcu() directly in l2tp_tunnel_dec_refcount(). Extra assertions and debugging code provided by l2tp_tunnel_free() didn't help catching any of the reference counting and socket handling issues found while working on this series. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-25 23:51:40 +09:00
static inline void l2tp_tunnel_inc_refcount(struct l2tp_tunnel *tunnel)
{
refcount_inc(&tunnel->ref_count);
}
static inline void l2tp_tunnel_dec_refcount(struct l2tp_tunnel *tunnel)
{
if (refcount_dec_and_test(&tunnel->ref_count))
l2tp: fix races with tunnel socket close The tunnel socket tunnel->sock (struct sock) is accessed when preparing a new ppp session on a tunnel at pppol2tp_session_init. If the socket is closed by a thread while another is creating a new session, the threads race. In pppol2tp_connect, the tunnel object may be created if the pppol2tp socket is associated with the special session_id 0 and the tunnel socket is looked up using the provided fd. When handling this, pppol2tp_connect cannot sock_hold the tunnel socket to prevent it being destroyed during pppol2tp_connect since this may itself may race with the socket being destroyed. Doing sockfd_lookup in pppol2tp_connect isn't sufficient to prevent tunnel->sock going away either because a given tunnel socket fd may be reused between calls to pppol2tp_connect. Instead, have l2tp_tunnel_create sock_hold the tunnel socket before it does sockfd_put. This ensures that the tunnel's socket is always extant while the tunnel object exists. Hold a ref on the socket until the tunnel is destroyed and ensure that all tunnel destroy paths go through a common function (l2tp_tunnel_delete) since this will do the final sock_put to release the tunnel socket. Since the tunnel's socket is now guaranteed to exist if the tunnel exists, we no longer need to use sockfd_lookup via l2tp_sock_to_tunnel to derive the tunnel from the socket since this is always sk_user_data. Also, sessions no longer sock_hold the tunnel socket since sessions already hold a tunnel ref and the tunnel sock will not be freed until the tunnel is freed. Removing these sock_holds in l2tp_session_register avoids a possible sock leak in the pppol2tp_connect error path if l2tp_session_register succeeds but attaching a ppp channel fails. The pppol2tp_connect error path could have been fixed instead and have the sock ref dropped when the session is freed, but doing a sock_put of the tunnel socket when the session is freed would require a new session_free callback. It is simpler to just remove the sock_hold of the tunnel socket in l2tp_session_register, now that the tunnel socket lifetime is guaranteed. Finally, some init code in l2tp_tunnel_create is reordered to ensure that the new tunnel object's refcount is set and the tunnel socket ref is taken before the tunnel socket destructor callbacks are set. kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN Modules linked in: CPU: 0 PID: 4360 Comm: syzbot_19c09769 Not tainted 4.16.0-rc2+ #34 Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 RIP: 0010:pppol2tp_session_init+0x1d6/0x500 RSP: 0018:ffff88001377fb40 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: ffff88001636a940 RCX: ffffffff84836c1d RDX: 0000000000000045 RSI: 0000000055976744 RDI: 0000000000000228 RBP: ffff88001377fb60 R08: ffffffff84836bc8 R09: 0000000000000002 R10: ffff88001377fab8 R11: 0000000000000001 R12: 0000000000000000 R13: ffff88001636aac8 R14: ffff8800160f81c0 R15: 1ffff100026eff76 FS: 00007ffb3ea66700(0000) GS:ffff88001a400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020e77000 CR3: 0000000016261000 CR4: 00000000000006f0 Call Trace: pppol2tp_connect+0xd18/0x13c0 ? pppol2tp_session_create+0x170/0x170 ? __might_fault+0x115/0x1d0 ? lock_downgrade+0x860/0x860 ? __might_fault+0xe5/0x1d0 ? security_socket_connect+0x8e/0xc0 SYSC_connect+0x1b6/0x310 ? SYSC_bind+0x280/0x280 ? __do_page_fault+0x5d1/0xca0 ? up_read+0x1f/0x40 ? __do_page_fault+0x3c8/0xca0 SyS_connect+0x29/0x30 ? SyS_accept+0x40/0x40 do_syscall_64+0x1e0/0x730 ? trace_hardirqs_off_thunk+0x1a/0x1c entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x7ffb3e376259 RSP: 002b:00007ffeda4f6508 EFLAGS: 00000202 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020e77012 RCX: 00007ffb3e376259 RDX: 000000000000002e RSI: 0000000020e77000 RDI: 0000000000000004 RBP: 00007ffeda4f6540 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400b60 R13: 00007ffeda4f6660 R14: 0000000000000000 R15: 0000000000000000 Code: 80 3d b0 ff 06 02 00 0f 84 07 02 00 00 e8 13 d6 db fc 49 8d bc 24 28 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 f a 48 c1 ea 03 <80> 3c 02 00 0f 85 ed 02 00 00 4d 8b a4 24 28 02 00 00 e8 13 16 Fixes: 80d84ef3ff1dd ("l2tp: prevent l2tp_tunnel_delete racing with userspace close") Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-02-24 02:45:45 +09:00
l2tp_tunnel_free(tunnel);
l2tp: hold tunnel while looking up sessions in l2tp_netlink l2tp_tunnel_find() doesn't take a reference on the returned tunnel. Therefore, it's unsafe to use it because the returned tunnel can go away on us anytime. Fix this by defining l2tp_tunnel_get(), which works like l2tp_tunnel_find(), but takes a reference on the returned tunnel. Caller then has to drop this reference using l2tp_tunnel_dec_refcount(). As l2tp_tunnel_dec_refcount() needs to be moved to l2tp_core.h, let's simplify the patch and not move the L2TP_REFCNT_DEBUG part. This code has been broken (not even compiling) in May 2012 by commit a4ca44fa578c ("net: l2tp: Standardize logging styles") and fixed more than two years later by commit 29abe2fda54f ("l2tp: fix missing line continuation"). So it doesn't appear to be used by anyone. Same thing for l2tp_tunnel_free(); instead of moving it to l2tp_core.h, let's just simplify things and call kfree_rcu() directly in l2tp_tunnel_dec_refcount(). Extra assertions and debugging code provided by l2tp_tunnel_free() didn't help catching any of the reference counting and socket handling issues found while working on this series. Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-25 23:51:40 +09:00
}
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
/* Session reference counts. Incremented when code obtains a reference
* to a session.
*/
l2tp: remove l2tp specific refcount debugging With conversion to refcount_t, such manual debugging code doesn't make sense anymore. The tunnel part was already dropped by 54652eb12c1b ("l2tp: hold tunnel while looking up sessions in l2tp_netlink"). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-11-01 01:36:44 +09:00
static inline void l2tp_session_inc_refcount(struct l2tp_session *session)
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
{
net, l2tp: convert l2tp_session.ref_count from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-04 21:52:58 +09:00
refcount_inc(&session->ref_count);
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
}
l2tp: remove l2tp specific refcount debugging With conversion to refcount_t, such manual debugging code doesn't make sense anymore. The tunnel part was already dropped by 54652eb12c1b ("l2tp: hold tunnel while looking up sessions in l2tp_netlink"). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-11-01 01:36:44 +09:00
static inline void l2tp_session_dec_refcount(struct l2tp_session *session)
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
{
net, l2tp: convert l2tp_session.ref_count from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-04 21:52:58 +09:00
if (refcount_dec_and_test(&session->ref_count))
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
l2tp_session_free(session);
}
l2tp: remove l2specific_len dependency in l2tp_core Remove l2specific_len dependency while building l2tpv3 header or parsing the received frame since default L2-Specific Sublayer is always four bytes long and we don't need to rely on a user supplied value. Moreover in l2tp netlink code there are no sanity checks to enforce the relation between l2specific_len and l2specific_type, so sending a malformed netlink message is possible to set l2specific_type to L2TP_L2SPECTYPE_DEFAULT (or even L2TP_L2SPECTYPE_NONE) and set l2specific_len to a value greater than 4 leaking memory on the wire and sending corrupted frames. Reviewed-by: Guillaume Nault <g.nault@alphalink.fr> Tested-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-17 07:01:55 +09:00
static inline int l2tp_get_l2specific_len(struct l2tp_session *session)
{
switch (session->l2specific_type) {
case L2TP_L2SPECTYPE_DEFAULT:
return 4;
case L2TP_L2SPECTYPE_NONE:
default:
return 0;
}
}
l2tp: define l2tp_tunnel_dst_mtu() Consolidate retrieval of tunnel's socket mtu in order to simplify l2tp_eth and l2tp_ppp a bit. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-08-03 19:38:34 +09:00
static inline u32 l2tp_tunnel_dst_mtu(const struct l2tp_tunnel *tunnel)
{
struct dst_entry *dst;
u32 mtu;
dst = sk_dst_get(tunnel->sock);
if (!dst)
return 0;
mtu = dst_mtu(dst);
dst_release(dst);
return mtu;
}
l2tp: define l2tp_tunnel_uses_xfrm() Use helper function to figure out if a tunnel is using ipsec. Also, avoid accessing ->sk_policy directly since it's RCU protected. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
2018-08-10 20:21:55 +09:00
#ifdef CONFIG_XFRM
static inline bool l2tp_tunnel_uses_xfrm(const struct l2tp_tunnel *tunnel)
{
struct sock *sk = tunnel->sock;
return sk && (rcu_access_pointer(sk->sk_policy[0]) ||
rcu_access_pointer(sk->sk_policy[1]));
}
#else
static inline bool l2tp_tunnel_uses_xfrm(const struct l2tp_tunnel *tunnel)
{
return false;
}
#endif
l2tp: fix reading optional fields of L2TPv3 Use pskb_may_pull() to make sure the optional fields are in skb linear parts, so we can safely read them later. It's easy to reproduce the issue with a net driver that supports paged skb data. Just create a L2TPv3 over IP tunnel and then generates some network traffic. Once reproduced, rx err in /sys/kernel/debug/l2tp/tunnels will increase. Changes in v4: 1. s/l2tp_v3_pull_opt/l2tp_v3_ensure_opt_in_linear/ 2. s/tunnel->version != L2TP_HDR_VER_2/tunnel->version == L2TP_HDR_VER_3/ 3. Add 'Fixes' in commit messages. Changes in v3: 1. To keep consistency, move the code out of l2tp_recv_common. 2. Use "net" instead of "net-next", since this is a bug fix. Changes in v2: 1. Only fix L2TPv3 to make code simple. To fix both L2TPv3 and L2TPv2, we'd better refactor l2tp_recv_common. It's complicated to do so. 2. Reloading pointers after pskb_may_pull Fixes: f7faffa3ff8e ("l2tp: Add L2TPv3 protocol support") Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support") Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6") Signed-off-by: Jacob Wen <jian.w.wen@oracle.com> Acked-by: Guillaume Nault <gnault@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-30 15:55:14 +09:00
static inline int l2tp_v3_ensure_opt_in_linear(struct l2tp_session *session, struct sk_buff *skb,
unsigned char **ptr, unsigned char **optr)
{
int opt_len = session->peer_cookie_len + l2tp_get_l2specific_len(session);
if (opt_len > 0) {
int off = *ptr - *optr;
if (!pskb_may_pull(skb, off + opt_len))
return -1;
if (skb->data != *optr) {
*optr = skb->data;
*ptr = skb->data + off;
}
}
return 0;
}
net: l2tp: Standardize logging styles Use more current logging styles. Add pr_fmt to prefix output appropriately. Convert printks to pr_<level>. Convert PRINTK macros to new l2tp_<level> macros. Neaten some <foo>_refcount debugging macros. Use print_hex_dump_bytes instead of hand-coded loops. Coalesce formats and align arguments. Some KERN_DEBUG output is not now emitted unless dynamic_debugging is enabled. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-05-16 18:55:56 +09:00
#define l2tp_printk(ptr, type, func, fmt, ...) \
do { \
if (((ptr)->debug) & (type)) \
func(fmt, ##__VA_ARGS__); \
} while (0)
#define l2tp_warn(ptr, type, fmt, ...) \
l2tp_printk(ptr, type, pr_warn, fmt, ##__VA_ARGS__)
#define l2tp_info(ptr, type, fmt, ...) \
l2tp_printk(ptr, type, pr_info, fmt, ##__VA_ARGS__)
#define l2tp_dbg(ptr, type, fmt, ...) \
l2tp_printk(ptr, type, pr_debug, fmt, ##__VA_ARGS__)
l2tp: auto load type modules It should not be necessary to do explicit module loading when configuring L2TP. Modules should be loaded as needed instead (as is done already with netlink and other tunnel types). This patch adds a new module alias type and code to load the sub module on demand. Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-24 13:33:34 +09:00
#define MODULE_ALIAS_L2TP_PWTYPE(type) \
MODULE_ALIAS("net-l2tp-type-" __stringify(type))
l2tp: Split pppol2tp patch into separate l2tp and ppp parts This patch splits the pppol2tp driver into separate L2TP and PPP parts to prepare for L2TPv3 support. In L2TPv3, protocols other than PPP can be carried, so this split creates a common L2TP core that will handle the common L2TP bits which protocol support modules such as PPP will use. Note that the existing pppol2tp module is split into l2tp_core and l2tp_ppp by this change. There are no feature changes here. Internally, however, there are significant changes, mostly to handle the separation of PPP-specific data from the L2TP session and to provide hooks in the core for modules like PPP to access. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-04-02 15:18:33 +09:00
#endif /* _L2TP_CORE_H_ */