2019-06-04 08:11:33 +00:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0-only */
|
2020-07-22 16:32:06 +00:00
|
|
|
/* L2TP internal definitions.
|
2010-04-02 06:18:33 +00:00
|
|
|
*
|
|
|
|
* Copyright (c) 2008,2009 Katalix Systems Ltd
|
|
|
|
*/
|
2017-07-04 12:52:57 +00:00
|
|
|
#include <linux/refcount.h>
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
#ifndef _L2TP_CORE_H_
|
|
|
|
#define _L2TP_CORE_H_
|
|
|
|
|
2018-08-03 10:38:34 +00:00
|
|
|
#include <net/dst.h>
|
|
|
|
#include <net/sock.h>
|
|
|
|
|
2018-08-10 11:21:55 +00:00
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
#include <net/xfrm.h>
|
|
|
|
#endif
|
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* Random numbers used for internal consistency checks of tunnel and session structures */
|
2010-04-02 06:18:33 +00:00
|
|
|
#define L2TP_TUNNEL_MAGIC 0x42114DDA
|
|
|
|
#define L2TP_SESSION_MAGIC 0x0C04EB7D
|
|
|
|
|
|
|
|
struct sk_buff;
|
|
|
|
|
|
|
|
struct l2tp_stats {
|
2013-03-19 06:11:22 +00:00
|
|
|
atomic_long_t tx_packets;
|
|
|
|
atomic_long_t tx_bytes;
|
|
|
|
atomic_long_t tx_errors;
|
|
|
|
atomic_long_t rx_packets;
|
|
|
|
atomic_long_t rx_bytes;
|
|
|
|
atomic_long_t rx_seq_discards;
|
|
|
|
atomic_long_t rx_oos_packets;
|
|
|
|
atomic_long_t rx_errors;
|
|
|
|
atomic_long_t rx_cookie_discards;
|
2021-03-03 15:50:49 +00:00
|
|
|
atomic_long_t rx_invalid;
|
2010-04-02 06:18:33 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
struct l2tp_tunnel;
|
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* L2TP session configuration */
|
2010-04-02 06:18:33 +00:00
|
|
|
struct l2tp_session_cfg {
|
2010-04-02 06:18:49 +00:00
|
|
|
enum l2tp_pwtype pw_type;
|
2020-07-22 16:32:06 +00:00
|
|
|
unsigned int recv_seq:1; /* expect receive packets with sequence numbers? */
|
|
|
|
unsigned int send_seq:1; /* send packets with sequence numbers? */
|
|
|
|
unsigned int lns_mode:1; /* behave as LNS?
|
|
|
|
* LAC enables sequence numbers under LNS control.
|
|
|
|
*/
|
2010-04-02 06:18:49 +00:00
|
|
|
u16 l2specific_type; /* Layer 2 specific type */
|
|
|
|
u8 cookie[8]; /* optional cookie */
|
|
|
|
int cookie_len; /* 0, 4 or 8 bytes */
|
|
|
|
u8 peer_cookie[8]; /* peer's cookie */
|
|
|
|
int peer_cookie_len; /* 0, 4 or 8 bytes */
|
2020-07-22 16:32:06 +00:00
|
|
|
int reorder_timeout; /* configured reorder timeout (in jiffies) */
|
2010-04-02 06:19:10 +00:00
|
|
|
char *ifname;
|
2010-04-02 06:18:33 +00:00
|
|
|
};
|
|
|
|
|
l2tp: store l2tpv3 sessions in per-net IDR
L2TPv3 sessions are currently held in one of two fixed-size hash
lists: either a per-net hashlist (IP-encap), or a per-tunnel hashlist
(UDP-encap), keyed by the L2TPv3 32-bit session_id.
In order to lookup L2TPv3 sessions in UDP-encap tunnels efficiently
without finding the tunnel first via sk_user_data, UDP sessions are
now kept in a per-net session list, keyed by session ID. Convert the
existing per-net hashlist to use an IDR for better performance when
there are many sessions and have L2TPv3 UDP sessions use the same IDR.
Although the L2TPv3 RFC states that the session ID alone identifies
the session, our implementation has allowed the same session ID to be
used in different L2TP UDP tunnels. To retain support for this, a new
per-net session hashtable is used, keyed by the sock and session
ID. If on creating a new session, a session already exists with that
ID in the IDR, the colliding sessions are added to the new hashtable
and the existing IDR entry is flagged. When looking up sessions, the
approach is to first check the IDR and if no unflagged match is found,
check the new hashtable. The sock is made available to session getters
where session ID collisions are to be considered. In this way, the new
hashtable is used only for session ID collisions so can be kept small.
For managing session removal, we need a list of colliding sessions
matching a given ID in order to update or remove the IDR entry of the
ID. This is necessary to detect session ID collisions when future
sessions are created. The list head is allocated on first collision
of a given ID and refcounted.
Signed-off-by: James Chapman <jchapman@katalix.com>
Reviewed-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2024-06-20 11:22:38 +00:00
|
|
|
struct l2tp_session_coll_list {
|
|
|
|
spinlock_t lock; /* for access to list */
|
|
|
|
struct list_head list;
|
|
|
|
refcount_t ref_count;
|
|
|
|
};
|
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* Represents a session (pseudowire) instance.
|
|
|
|
* Tracks runtime state including cookies, dataplane packet sequencing, and IO statistics.
|
2024-06-20 11:22:44 +00:00
|
|
|
* Is linked into a per-tunnel session list and a per-net ("global") IDR tree.
|
2020-07-28 17:20:33 +00:00
|
|
|
*/
|
2020-08-22 14:59:05 +00:00
|
|
|
#define L2TP_SESSION_NAME_MAX 32
|
2010-04-02 06:18:33 +00:00
|
|
|
struct l2tp_session {
|
2020-07-22 16:32:06 +00:00
|
|
|
int magic; /* should be L2TP_SESSION_MAGIC */
|
l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall()
There are several ways to remove L2TP sessions:
* deleting a session explicitly using the netlink interface (with
L2TP_CMD_SESSION_DELETE),
* deleting the session's parent tunnel (either by closing the
tunnel's file descriptor or using the netlink interface),
* closing the PPPOL2TP file descriptor of a PPP pseudo-wire.
In some cases, when these methods are used concurrently on the same
session, the session can be removed twice, leading to use-after-free
bugs.
This patch adds a 'dead' flag, used by l2tp_session_delete() and
l2tp_tunnel_closeall() to prevent them from stepping on each other's
toes.
The session deletion path used when closing a PPPOL2TP file descriptor
doesn't need to be adapted. It already has to ensure that a session
remains valid for the lifetime of its PPPOL2TP file descriptor.
So it takes an extra reference on the session in the ->session_close()
callback (pppol2tp_session_close()), which is eventually dropped
in the ->sk_destruct() callback of the PPPOL2TP socket
(pppol2tp_session_destruct()).
Still, __l2tp_session_unhash() and l2tp_session_queue_purge() can be
called twice and even concurrently for a given session, but thanks to
proper locking and re-initialisation of list fields, this is not an
issue.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-09-22 13:39:24 +00:00
|
|
|
long dead;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2020-07-22 16:32:06 +00:00
|
|
|
struct l2tp_tunnel *tunnel; /* back pointer to tunnel context */
|
2010-04-02 06:18:33 +00:00
|
|
|
u32 session_id;
|
|
|
|
u32 peer_session_id;
|
2010-04-02 06:18:49 +00:00
|
|
|
u8 cookie[8];
|
|
|
|
int cookie_len;
|
|
|
|
u8 peer_cookie[8];
|
|
|
|
int peer_cookie_len;
|
|
|
|
u16 l2specific_type;
|
|
|
|
u16 hdr_len;
|
|
|
|
u32 nr; /* session NR state (receive) */
|
|
|
|
u32 ns; /* session NR state (send) */
|
2010-04-02 06:18:33 +00:00
|
|
|
struct sk_buff_head reorder_q; /* receive reorder queue */
|
2013-07-02 19:28:59 +00:00
|
|
|
u32 nr_max; /* max NR. Depends on tunnel */
|
|
|
|
u32 nr_window_size; /* NR window size */
|
2013-07-02 19:29:00 +00:00
|
|
|
u32 nr_oos; /* NR of last OOS packet */
|
2020-07-22 16:32:06 +00:00
|
|
|
int nr_oos_count; /* for OOS recovery */
|
2013-07-02 19:29:00 +00:00
|
|
|
int nr_oos_count_max;
|
2024-06-20 11:22:44 +00:00
|
|
|
struct list_head list; /* per-tunnel list node */
|
2017-07-04 12:52:58 +00:00
|
|
|
refcount_t ref_count;
|
l2tp: store l2tpv3 sessions in per-net IDR
L2TPv3 sessions are currently held in one of two fixed-size hash
lists: either a per-net hashlist (IP-encap), or a per-tunnel hashlist
(UDP-encap), keyed by the L2TPv3 32-bit session_id.
In order to lookup L2TPv3 sessions in UDP-encap tunnels efficiently
without finding the tunnel first via sk_user_data, UDP sessions are
now kept in a per-net session list, keyed by session ID. Convert the
existing per-net hashlist to use an IDR for better performance when
there are many sessions and have L2TPv3 UDP sessions use the same IDR.
Although the L2TPv3 RFC states that the session ID alone identifies
the session, our implementation has allowed the same session ID to be
used in different L2TP UDP tunnels. To retain support for this, a new
per-net session hashtable is used, keyed by the sock and session
ID. If on creating a new session, a session already exists with that
ID in the IDR, the colliding sessions are added to the new hashtable
and the existing IDR entry is flagged. When looking up sessions, the
approach is to first check the IDR and if no unflagged match is found,
check the new hashtable. The sock is made available to session getters
where session ID collisions are to be considered. In this way, the new
hashtable is used only for session ID collisions so can be kept small.
For managing session removal, we need a list of colliding sessions
matching a given ID in order to update or remove the IDR entry of the
ID. This is necessary to detect session ID collisions when future
sessions are created. The list head is allocated on first collision
of a given ID and refcounted.
Signed-off-by: James Chapman <jchapman@katalix.com>
Reviewed-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2024-06-20 11:22:38 +00:00
|
|
|
struct hlist_node hlist; /* per-net session hlist */
|
|
|
|
unsigned long hlist_key; /* key for session hlist */
|
|
|
|
struct l2tp_session_coll_list *coll_list; /* session collision list */
|
|
|
|
struct list_head clist; /* for coll_list */
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2020-08-22 14:59:05 +00:00
|
|
|
char name[L2TP_SESSION_NAME_MAX]; /* for logging */
|
2010-04-02 06:19:10 +00:00
|
|
|
char ifname[IFNAMSIZ];
|
2020-07-22 16:32:06 +00:00
|
|
|
unsigned int recv_seq:1; /* expect receive packets with sequence numbers? */
|
|
|
|
unsigned int send_seq:1; /* send packets with sequence numbers? */
|
|
|
|
unsigned int lns_mode:1; /* behave as LNS?
|
|
|
|
* LAC enables sequence numbers under LNS control.
|
|
|
|
*/
|
|
|
|
int reorder_timeout; /* configured reorder timeout (in jiffies) */
|
2012-05-09 23:43:08 +00:00
|
|
|
int reorder_skip; /* set if skip to next nr */
|
2010-04-02 06:18:49 +00:00
|
|
|
enum l2tp_pwtype pwtype;
|
2010-04-02 06:18:33 +00:00
|
|
|
struct l2tp_stats stats;
|
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* Session receive handler for data packets.
|
|
|
|
* Each pseudowire implementation should implement this callback in order to
|
|
|
|
* handle incoming packets. Packets are passed to the pseudowire handler after
|
|
|
|
* reordering, if data sequence numbers are enabled for the session.
|
|
|
|
*/
|
2010-04-02 06:18:33 +00:00
|
|
|
void (*recv_skb)(struct l2tp_session *session, struct sk_buff *skb, int data_len);
|
2020-07-28 17:20:33 +00:00
|
|
|
|
|
|
|
/* Session close handler.
|
|
|
|
* Each pseudowire implementation may implement this callback in order to carry
|
|
|
|
* out pseudowire-specific shutdown actions.
|
2024-06-20 11:22:44 +00:00
|
|
|
* The callback is called by core after unlisting the session and purging its
|
2020-07-28 17:20:33 +00:00
|
|
|
* reorder queue.
|
|
|
|
*/
|
2010-04-02 06:18:33 +00:00
|
|
|
void (*session_close)(struct l2tp_session *session);
|
2020-07-28 17:20:33 +00:00
|
|
|
|
|
|
|
/* Session show handler.
|
|
|
|
* Pseudowire-specific implementation of debugfs session rendering.
|
|
|
|
* The callback is called by l2tp_debugfs.c after rendering core session
|
|
|
|
* information.
|
|
|
|
*/
|
2010-04-02 06:19:33 +00:00
|
|
|
void (*show)(struct seq_file *m, void *priv);
|
2020-07-28 17:20:33 +00:00
|
|
|
|
2020-07-22 16:32:06 +00:00
|
|
|
u8 priv[]; /* private data */
|
2010-04-02 06:18:33 +00:00
|
|
|
};
|
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* L2TP tunnel configuration */
|
2010-04-02 06:18:33 +00:00
|
|
|
struct l2tp_tunnel_cfg {
|
2010-04-02 06:19:00 +00:00
|
|
|
enum l2tp_encap_type encap;
|
2010-04-02 06:19:40 +00:00
|
|
|
|
|
|
|
/* Used only for kernel-created sockets */
|
|
|
|
struct in_addr local_ip;
|
|
|
|
struct in_addr peer_ip;
|
2012-04-29 21:48:52 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
struct in6_addr *local_ip6;
|
|
|
|
struct in6_addr *peer_ip6;
|
|
|
|
#endif
|
2010-04-02 06:19:40 +00:00
|
|
|
u16 local_udp_port;
|
|
|
|
u16 peer_udp_port;
|
2014-05-23 15:47:40 +00:00
|
|
|
unsigned int use_udp_checksums:1,
|
|
|
|
udp6_zero_tx_checksums:1,
|
|
|
|
udp6_zero_rx_checksums:1;
|
2010-04-02 06:18:33 +00:00
|
|
|
};
|
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* Represents a tunnel instance.
|
|
|
|
* Tracks runtime state including IO statistics.
|
|
|
|
* Holds the tunnel socket (either passed from userspace or directly created by the kernel).
|
2024-06-20 11:22:44 +00:00
|
|
|
* Maintains a list of sessions belonging to the tunnel instance.
|
2020-07-28 17:20:33 +00:00
|
|
|
* Is linked into a per-net list of tunnels.
|
|
|
|
*/
|
2020-08-22 14:59:05 +00:00
|
|
|
#define L2TP_TUNNEL_NAME_MAX 20
|
2010-04-02 06:18:33 +00:00
|
|
|
struct l2tp_tunnel {
|
|
|
|
int magic; /* Should be L2TP_TUNNEL_MAGIC */
|
2017-09-26 14:16:43 +00:00
|
|
|
|
|
|
|
unsigned long dead;
|
|
|
|
|
2012-08-24 01:07:38 +00:00
|
|
|
struct rcu_head rcu;
|
2024-06-20 11:22:44 +00:00
|
|
|
spinlock_t list_lock; /* write-protection for session_list */
|
2020-07-22 16:32:06 +00:00
|
|
|
bool acpt_newsess; /* indicates whether this tunnel accepts
|
2024-06-20 11:22:44 +00:00
|
|
|
* new sessions. Protected by list_lock.
|
2017-09-01 15:58:48 +00:00
|
|
|
*/
|
2024-06-20 11:22:44 +00:00
|
|
|
struct list_head session_list; /* list of sessions */
|
2010-04-02 06:18:33 +00:00
|
|
|
u32 tunnel_id;
|
|
|
|
u32 peer_tunnel_id;
|
|
|
|
int version; /* 2=>L2TPv2, 3=>L2TPv3 */
|
|
|
|
|
2020-08-22 14:59:05 +00:00
|
|
|
char name[L2TP_TUNNEL_NAME_MAX]; /* for logging */
|
2010-04-02 06:19:00 +00:00
|
|
|
enum l2tp_encap_type encap;
|
2010-04-02 06:18:33 +00:00
|
|
|
struct l2tp_stats stats;
|
|
|
|
|
|
|
|
struct net *l2tp_net; /* the net we belong to */
|
|
|
|
|
2017-07-04 12:52:57 +00:00
|
|
|
refcount_t ref_count;
|
2020-07-22 16:32:10 +00:00
|
|
|
void (*old_sk_destruct)(struct sock *sk);
|
2020-07-22 16:32:06 +00:00
|
|
|
struct sock *sock; /* parent socket */
|
|
|
|
int fd; /* parent fd, if tunnel socket was created
|
|
|
|
* by userspace
|
|
|
|
*/
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2013-01-31 23:43:00 +00:00
|
|
|
struct work_struct del_work;
|
2010-04-02 06:18:33 +00:00
|
|
|
};
|
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* Pseudowire ops callbacks for use with the l2tp genetlink interface */
|
2010-04-02 06:19:10 +00:00
|
|
|
struct l2tp_nl_cmd_ops {
|
2020-07-28 17:20:33 +00:00
|
|
|
/* The pseudowire session create callback is responsible for creating a session
|
|
|
|
* instance for a specific pseudowire type.
|
|
|
|
* It must call l2tp_session_create and l2tp_session_register to register the
|
|
|
|
* session instance, as well as carry out any pseudowire-specific initialisation.
|
|
|
|
* It must return >= 0 on success, or an appropriate negative errno value on failure.
|
|
|
|
*/
|
2017-09-01 15:58:51 +00:00
|
|
|
int (*session_create)(struct net *net, struct l2tp_tunnel *tunnel,
|
|
|
|
u32 session_id, u32 peer_session_id,
|
|
|
|
struct l2tp_session_cfg *cfg);
|
2020-07-28 17:20:33 +00:00
|
|
|
|
|
|
|
/* The pseudowire session delete callback is responsible for initiating the deletion
|
|
|
|
* of a session instance.
|
|
|
|
* It must call l2tp_session_delete, as well as carry out any pseudowire-specific
|
|
|
|
* teardown actions.
|
|
|
|
*/
|
2020-07-28 17:20:30 +00:00
|
|
|
void (*session_delete)(struct l2tp_session *session);
|
2010-04-02 06:19:10 +00:00
|
|
|
};
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
static inline void *l2tp_session_priv(struct l2tp_session *session)
|
|
|
|
{
|
|
|
|
return &session->priv[0];
|
|
|
|
}
|
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* Tunnel and session refcounts */
|
2020-07-28 17:20:29 +00:00
|
|
|
void l2tp_tunnel_inc_refcount(struct l2tp_tunnel *tunnel);
|
|
|
|
void l2tp_tunnel_dec_refcount(struct l2tp_tunnel *tunnel);
|
|
|
|
void l2tp_session_inc_refcount(struct l2tp_session *session);
|
|
|
|
void l2tp_session_dec_refcount(struct l2tp_session *session);
|
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* Tunnel and session lookup.
|
|
|
|
* These functions take a reference on the instances they return, so
|
|
|
|
* the caller must ensure that the reference is dropped appropriately.
|
|
|
|
*/
|
2017-08-25 14:51:40 +00:00
|
|
|
struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id);
|
2018-04-12 18:50:33 +00:00
|
|
|
struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth);
|
|
|
|
|
l2tp: store l2tpv3 sessions in per-net IDR
L2TPv3 sessions are currently held in one of two fixed-size hash
lists: either a per-net hashlist (IP-encap), or a per-tunnel hashlist
(UDP-encap), keyed by the L2TPv3 32-bit session_id.
In order to lookup L2TPv3 sessions in UDP-encap tunnels efficiently
without finding the tunnel first via sk_user_data, UDP sessions are
now kept in a per-net session list, keyed by session ID. Convert the
existing per-net hashlist to use an IDR for better performance when
there are many sessions and have L2TPv3 UDP sessions use the same IDR.
Although the L2TPv3 RFC states that the session ID alone identifies
the session, our implementation has allowed the same session ID to be
used in different L2TP UDP tunnels. To retain support for this, a new
per-net session hashtable is used, keyed by the sock and session
ID. If on creating a new session, a session already exists with that
ID in the IDR, the colliding sessions are added to the new hashtable
and the existing IDR entry is flagged. When looking up sessions, the
approach is to first check the IDR and if no unflagged match is found,
check the new hashtable. The sock is made available to session getters
where session ID collisions are to be considered. In this way, the new
hashtable is used only for session ID collisions so can be kept small.
For managing session removal, we need a list of colliding sessions
matching a given ID in order to update or remove the IDR entry of the
ID. This is necessary to detect session ID collisions when future
sessions are created. The list head is allocated on first collision
of a given ID and refcounted.
Signed-off-by: James Chapman <jchapman@katalix.com>
Reviewed-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2024-06-20 11:22:38 +00:00
|
|
|
struct l2tp_session *l2tp_v3_session_get(const struct net *net, struct sock *sk, u32 session_id);
|
2024-06-20 11:22:39 +00:00
|
|
|
struct l2tp_session *l2tp_v2_session_get(const struct net *net, u16 tunnel_id, u16 session_id);
|
2024-06-20 11:22:42 +00:00
|
|
|
struct l2tp_session *l2tp_session_get(const struct net *net, struct sock *sk, int pver,
|
|
|
|
u32 tunnel_id, u32 session_id);
|
2017-10-31 16:36:42 +00:00
|
|
|
struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth);
|
2017-04-12 08:05:29 +00:00
|
|
|
struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
|
2017-10-31 16:36:42 +00:00
|
|
|
const char *ifname);
|
2013-10-18 20:48:25 +00:00
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* Tunnel and session lifetime management.
|
|
|
|
* Creation of a new instance is a two-step process: create, then register.
|
|
|
|
* Destruction is triggered using the *_delete functions, and completes asynchronously.
|
|
|
|
*/
|
2020-09-03 08:54:49 +00:00
|
|
|
int l2tp_tunnel_create(int fd, int version, u32 tunnel_id,
|
2013-10-18 20:48:25 +00:00
|
|
|
u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg,
|
|
|
|
struct l2tp_tunnel **tunnelp);
|
l2tp: fix races in tunnel creation
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel
list and sets the socket's ->sk_user_data field, before returning it to
the caller. Therefore, there are two ways the tunnel can be accessed
and freed, before the caller even had the opportunity to take a
reference. In practice, syzbot could crash the module by closing the
socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so
that the caller can safely hold a reference before publishing the
tunnel. This second step is done with the new l2tp_tunnel_register()
function, which is now responsible for associating the tunnel to its
socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications
have been done. First, the socket validation tests are done in a helper
function, for clarity. Also, modifying the socket is now done after
having inserted the tunnel to the namespace's tunnels list. This will
allow insertion to fail, without having to revert theses modifications
in the error path (a followup patch will check for duplicate tunnels
before insertion). Either the socket is a kernel socket which we
control, or it is a user-space socket for which we have a reference on
the file descriptor. In any case, the socket isn't going to be closed
from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-10 19:01:12 +00:00
|
|
|
int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
|
|
|
|
struct l2tp_tunnel_cfg *cfg);
|
2017-09-26 14:16:43 +00:00
|
|
|
void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel);
|
2020-07-28 17:20:33 +00:00
|
|
|
|
2013-10-18 20:48:25 +00:00
|
|
|
struct l2tp_session *l2tp_session_create(int priv_size,
|
|
|
|
struct l2tp_tunnel *tunnel,
|
|
|
|
u32 session_id, u32 peer_session_id,
|
|
|
|
struct l2tp_session_cfg *cfg);
|
2017-10-27 14:51:50 +00:00
|
|
|
int l2tp_session_register(struct l2tp_session *session,
|
|
|
|
struct l2tp_tunnel *tunnel);
|
2020-07-28 17:20:30 +00:00
|
|
|
void l2tp_session_delete(struct l2tp_session *session);
|
2020-07-28 17:20:33 +00:00
|
|
|
|
|
|
|
/* Receive path helpers. If data sequencing is enabled for the session these
|
|
|
|
* functions handle queuing and reordering prior to passing packets to the
|
|
|
|
* pseudowire code to be passed to userspace.
|
|
|
|
*/
|
2013-10-18 20:48:25 +00:00
|
|
|
void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
|
|
|
|
unsigned char *ptr, unsigned char *optr, u16 hdrflags,
|
2018-07-25 12:53:33 +00:00
|
|
|
int length);
|
2013-10-18 20:48:25 +00:00
|
|
|
int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb);
|
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* Transmit path helpers for sending packets over the tunnel socket. */
|
|
|
|
void l2tp_session_set_header_len(struct l2tp_session *session, int version);
|
2020-09-03 08:54:47 +00:00
|
|
|
int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb);
|
2013-10-18 20:48:25 +00:00
|
|
|
|
2020-07-28 17:20:33 +00:00
|
|
|
/* Pseudowire management.
|
|
|
|
* Pseudowires should register with l2tp core on module init, and unregister
|
|
|
|
* on module exit.
|
|
|
|
*/
|
|
|
|
int l2tp_nl_register_ops(enum l2tp_pwtype pw_type, const struct l2tp_nl_cmd_ops *ops);
|
2013-10-18 20:48:25 +00:00
|
|
|
void l2tp_nl_unregister_ops(enum l2tp_pwtype pw_type);
|
2020-07-28 17:20:33 +00:00
|
|
|
|
|
|
|
/* IOCTL helper for IP encap modules. */
|
net: ioctl: Use kernel memory on protocol ioctl callbacks
Most of the ioctls to net protocols operates directly on userspace
argument (arg). Usually doing get_user()/put_user() directly in the
ioctl callback. This is not flexible, because it is hard to reuse these
functions without passing userspace buffers.
Change the "struct proto" ioctls to avoid touching userspace memory and
operate on kernel buffers, i.e., all protocol's ioctl callbacks is
adapted to operate on a kernel memory other than on userspace (so, no
more {put,get}_user() and friends being called in the ioctl callback).
This changes the "struct proto" ioctl format in the following way:
int (*ioctl)(struct sock *sk, int cmd,
- unsigned long arg);
+ int *karg);
(Important to say that this patch does not touch the "struct proto_ops"
protocols)
So, the "karg" argument, which is passed to the ioctl callback, is a
pointer allocated to kernel space memory (inside a function wrapper).
This buffer (karg) may contain input argument (copied from userspace in
a prep function) and it might return a value/buffer, which is copied
back to userspace if necessary. There is not one-size-fits-all format
(that is I am using 'may' above), but basically, there are three type of
ioctls:
1) Do not read from userspace, returns a result to userspace
2) Read an input parameter from userspace, and does not return anything
to userspace
3) Read an input from userspace, and return a buffer to userspace.
The default case (1) (where no input parameter is given, and an "int" is
returned to userspace) encompasses more than 90% of the cases, but there
are two other exceptions. Here is a list of exceptions:
* Protocol RAW:
* cmd = SIOCGETVIFCNT:
* input and output = struct sioc_vif_req
* cmd = SIOCGETSGCNT
* input and output = struct sioc_sg_req
* Explanation: for the SIOCGETVIFCNT case, userspace passes the input
argument, which is struct sioc_vif_req. Then the callback populates
the struct, which is copied back to userspace.
* Protocol RAW6:
* cmd = SIOCGETMIFCNT_IN6
* input and output = struct sioc_mif_req6
* cmd = SIOCGETSGCNT_IN6
* input and output = struct sioc_sg_req6
* Protocol PHONET:
* cmd == SIOCPNADDRESOURCE | SIOCPNDELRESOURCE
* input int (4 bytes)
* Nothing is copied back to userspace.
For the exception cases, functions sock_sk_ioctl_inout() will
copy the userspace input, and copy it back to kernel space.
The wrapper that prepare the buffer and put the buffer back to user is
sk_ioctl(), so, instead of calling sk->sk_prot->ioctl(), the callee now
calls sk_ioctl(), which will handle all cases.
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230609152800.830401-1-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-06-09 15:27:42 +00:00
|
|
|
int l2tp_ioctl(struct sock *sk, int cmd, int *karg);
|
2010-04-02 06:19:10 +00:00
|
|
|
|
2020-09-03 08:54:51 +00:00
|
|
|
/* Extract the tunnel structure from a socket's sk_user_data pointer,
|
|
|
|
* validating the tunnel magic feather.
|
|
|
|
*/
|
|
|
|
struct l2tp_tunnel *l2tp_sk_to_tunnel(struct sock *sk);
|
|
|
|
|
2018-01-16 22:01:55 +00:00
|
|
|
static inline int l2tp_get_l2specific_len(struct l2tp_session *session)
|
|
|
|
{
|
|
|
|
switch (session->l2specific_type) {
|
|
|
|
case L2TP_L2SPECTYPE_DEFAULT:
|
|
|
|
return 4;
|
|
|
|
case L2TP_L2SPECTYPE_NONE:
|
|
|
|
default:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-08-03 10:38:34 +00:00
|
|
|
static inline u32 l2tp_tunnel_dst_mtu(const struct l2tp_tunnel *tunnel)
|
|
|
|
{
|
|
|
|
struct dst_entry *dst;
|
|
|
|
u32 mtu;
|
|
|
|
|
|
|
|
dst = sk_dst_get(tunnel->sock);
|
|
|
|
if (!dst)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
mtu = dst_mtu(dst);
|
|
|
|
dst_release(dst);
|
|
|
|
|
|
|
|
return mtu;
|
|
|
|
}
|
|
|
|
|
2018-08-10 11:21:55 +00:00
|
|
|
#ifdef CONFIG_XFRM
|
|
|
|
static inline bool l2tp_tunnel_uses_xfrm(const struct l2tp_tunnel *tunnel)
|
|
|
|
{
|
|
|
|
struct sock *sk = tunnel->sock;
|
|
|
|
|
|
|
|
return sk && (rcu_access_pointer(sk->sk_policy[0]) ||
|
|
|
|
rcu_access_pointer(sk->sk_policy[1]));
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static inline bool l2tp_tunnel_uses_xfrm(const struct l2tp_tunnel *tunnel)
|
|
|
|
{
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2019-01-30 06:55:14 +00:00
|
|
|
static inline int l2tp_v3_ensure_opt_in_linear(struct l2tp_session *session, struct sk_buff *skb,
|
|
|
|
unsigned char **ptr, unsigned char **optr)
|
|
|
|
{
|
|
|
|
int opt_len = session->peer_cookie_len + l2tp_get_l2specific_len(session);
|
|
|
|
|
|
|
|
if (opt_len > 0) {
|
|
|
|
int off = *ptr - *optr;
|
|
|
|
|
|
|
|
if (!pskb_may_pull(skb, off + opt_len))
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (skb->data != *optr) {
|
|
|
|
*optr = skb->data;
|
|
|
|
*ptr = skb->data + off;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-09-24 04:33:34 +00:00
|
|
|
#define MODULE_ALIAS_L2TP_PWTYPE(type) \
|
|
|
|
MODULE_ALIAS("net-l2tp-type-" __stringify(type))
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
#endif /* _L2TP_CORE_H_ */
|