2019-05-27 06:55:01 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2010-04-02 06:18:33 +00:00
|
|
|
/*****************************************************************************
|
|
|
|
* Linux PPP over L2TP (PPPoX/PPPoL2TP) Sockets
|
|
|
|
*
|
|
|
|
* PPPoX --- Generic PPP encapsulation socket family
|
|
|
|
* PPPoL2TP --- PPP over L2TP (RFC 2661)
|
|
|
|
*
|
|
|
|
* Version: 2.0.0
|
|
|
|
*
|
|
|
|
* Authors: James Chapman (jchapman@katalix.com)
|
|
|
|
*
|
|
|
|
* Based on original work by Martijn van Oosterhout <kleptog@svana.org>
|
|
|
|
*
|
|
|
|
* License:
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* This driver handles only L2TP data frames; control frames are handled by a
|
|
|
|
* userspace application.
|
|
|
|
*
|
|
|
|
* To send data in an L2TP session, userspace opens a PPPoL2TP socket and
|
|
|
|
* attaches it to a bound UDP socket with local tunnel_id / session_id and
|
|
|
|
* peer tunnel_id / session_id set. Data can then be sent or received using
|
|
|
|
* regular socket sendmsg() / recvmsg() calls. Kernel parameters of the socket
|
|
|
|
* can be read or modified using ioctl() or [gs]etsockopt() calls.
|
|
|
|
*
|
|
|
|
* When a PPPoL2TP socket is connected with local and peer session_id values
|
|
|
|
* zero, the socket is treated as a special tunnel management socket.
|
|
|
|
*
|
|
|
|
* Here's example userspace code to create a socket for sending/receiving data
|
|
|
|
* over an L2TP session:-
|
|
|
|
*
|
|
|
|
* struct sockaddr_pppol2tp sax;
|
|
|
|
* int fd;
|
|
|
|
* int session_fd;
|
|
|
|
*
|
|
|
|
* fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
|
|
|
|
*
|
|
|
|
* sax.sa_family = AF_PPPOX;
|
|
|
|
* sax.sa_protocol = PX_PROTO_OL2TP;
|
|
|
|
* sax.pppol2tp.fd = tunnel_fd; // bound UDP socket
|
|
|
|
* sax.pppol2tp.addr.sin_addr.s_addr = addr->sin_addr.s_addr;
|
|
|
|
* sax.pppol2tp.addr.sin_port = addr->sin_port;
|
|
|
|
* sax.pppol2tp.addr.sin_family = AF_INET;
|
|
|
|
* sax.pppol2tp.s_tunnel = tunnel_id;
|
|
|
|
* sax.pppol2tp.s_session = session_id;
|
|
|
|
* sax.pppol2tp.d_tunnel = peer_tunnel_id;
|
|
|
|
* sax.pppol2tp.d_session = peer_session_id;
|
|
|
|
*
|
|
|
|
* session_fd = connect(fd, (struct sockaddr *)&sax, sizeof(sax));
|
|
|
|
*
|
|
|
|
* A pppd plugin that allows PPP traffic to be carried over L2TP using
|
|
|
|
* this driver is available from the OpenL2TP project at
|
|
|
|
* http://openl2tp.sourceforge.net.
|
|
|
|
*/
|
|
|
|
|
2012-05-16 09:55:56 +00:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/string.h>
|
|
|
|
#include <linux/list.h>
|
|
|
|
#include <linux/uaccess.h>
|
|
|
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
#include <linux/kthread.h>
|
|
|
|
#include <linux/sched.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/jiffies.h>
|
|
|
|
|
|
|
|
#include <linux/netdevice.h>
|
|
|
|
#include <linux/net.h>
|
|
|
|
#include <linux/inetdevice.h>
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/ip.h>
|
|
|
|
#include <linux/udp.h>
|
|
|
|
#include <linux/if_pppox.h>
|
|
|
|
#include <linux/if_pppol2tp.h>
|
|
|
|
#include <net/sock.h>
|
|
|
|
#include <linux/ppp_channel.h>
|
|
|
|
#include <linux/ppp_defs.h>
|
2012-03-04 12:56:55 +00:00
|
|
|
#include <linux/ppp-ioctl.h>
|
2010-04-02 06:18:33 +00:00
|
|
|
#include <linux/file.h>
|
|
|
|
#include <linux/hash.h>
|
|
|
|
#include <linux/sort.h>
|
|
|
|
#include <linux/proc_fs.h>
|
2010-04-02 06:19:10 +00:00
|
|
|
#include <linux/l2tp.h>
|
2010-04-02 06:18:33 +00:00
|
|
|
#include <linux/nsproxy.h>
|
|
|
|
#include <net/net_namespace.h>
|
|
|
|
#include <net/netns/generic.h>
|
|
|
|
#include <net/ip.h>
|
|
|
|
#include <net/udp.h>
|
2013-03-19 06:11:21 +00:00
|
|
|
#include <net/inet_common.h>
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
#include <asm/byteorder.h>
|
2011-07-26 23:09:06 +00:00
|
|
|
#include <linux/atomic.h>
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
#include "l2tp_core.h"
|
|
|
|
|
|
|
|
#define PPPOL2TP_DRV_VERSION "V2.0"
|
|
|
|
|
|
|
|
/* Space for UDP, L2TP and PPP headers */
|
|
|
|
#define PPPOL2TP_HEADER_OVERHEAD 40
|
|
|
|
|
|
|
|
/* Number of bytes to build transmit L2TP headers.
|
|
|
|
* Unfortunately the size is different depending on whether sequence numbers
|
|
|
|
* are enabled.
|
|
|
|
*/
|
|
|
|
#define PPPOL2TP_L2TP_HDR_SIZE_SEQ 10
|
|
|
|
#define PPPOL2TP_L2TP_HDR_SIZE_NOSEQ 6
|
|
|
|
|
|
|
|
/* Private data of each session. This data lives at the end of struct
|
|
|
|
* l2tp_session, referenced via session->priv[].
|
|
|
|
*/
|
|
|
|
struct pppol2tp_session {
|
|
|
|
int owner; /* pid that opened the socket */
|
|
|
|
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
struct mutex sk_lock; /* Protects .sk */
|
2020-07-22 16:32:06 +00:00
|
|
|
struct sock __rcu *sk; /* Pointer to the session PPPoX socket */
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
struct sock *__sk; /* Copy of .sk, for cleanup */
|
|
|
|
struct rcu_head rcu; /* For asynchronous release */
|
2010-04-02 06:18:33 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb);
|
|
|
|
|
2010-08-04 07:34:36 +00:00
|
|
|
static const struct ppp_channel_ops pppol2tp_chan_ops = {
|
|
|
|
.start_xmit = pppol2tp_xmit,
|
|
|
|
};
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
static const struct proto_ops pppol2tp_ops;
|
|
|
|
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
/* Retrieves the pppol2tp socket associated to a session.
|
|
|
|
* A reference is held on the returned socket, so this function must be paired
|
|
|
|
* with sock_put().
|
|
|
|
*/
|
|
|
|
static struct sock *pppol2tp_session_get_sock(struct l2tp_session *session)
|
|
|
|
{
|
|
|
|
struct pppol2tp_session *ps = l2tp_session_priv(session);
|
|
|
|
struct sock *sk;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
sk = rcu_dereference(ps->sk);
|
|
|
|
if (sk)
|
|
|
|
sock_hold(sk);
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
return sk;
|
|
|
|
}
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
/* Helpers to obtain tunnel/session contexts from sockets.
|
|
|
|
*/
|
|
|
|
static inline struct l2tp_session *pppol2tp_sock_to_session(struct sock *sk)
|
|
|
|
{
|
|
|
|
struct l2tp_session *session;
|
|
|
|
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!sk)
|
2010-04-02 06:18:33 +00:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
sock_hold(sk);
|
|
|
|
session = (struct l2tp_session *)(sk->sk_user_data);
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!session) {
|
2010-04-02 06:18:33 +00:00
|
|
|
sock_put(sk);
|
|
|
|
goto out;
|
|
|
|
}
|
2020-07-24 15:31:53 +00:00
|
|
|
if (WARN_ON(session->magic != L2TP_SESSION_MAGIC)) {
|
|
|
|
session = NULL;
|
|
|
|
sock_put(sk);
|
|
|
|
goto out;
|
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
out:
|
|
|
|
return session;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
|
|
* Receive data handling
|
|
|
|
*****************************************************************************/
|
|
|
|
|
|
|
|
/* Receive message. This is the recvmsg for the PPPoL2TP socket.
|
|
|
|
*/
|
2015-03-02 07:37:48 +00:00
|
|
|
static int pppol2tp_recvmsg(struct socket *sock, struct msghdr *msg,
|
|
|
|
size_t len, int flags)
|
2010-04-02 06:18:33 +00:00
|
|
|
{
|
|
|
|
int err;
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
|
|
|
|
err = -EIO;
|
|
|
|
if (sk->sk_state & PPPOX_BOUND)
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
err = 0;
|
|
|
|
skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
|
|
|
|
flags & MSG_DONTWAIT, &err);
|
|
|
|
if (!skb)
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
if (len > skb->len)
|
|
|
|
len = skb->len;
|
|
|
|
else if (len < skb->len)
|
|
|
|
msg->msg_flags |= MSG_TRUNC;
|
|
|
|
|
2014-11-05 21:46:40 +00:00
|
|
|
err = skb_copy_datagram_msg(skb, 0, msg, len);
|
2010-04-02 06:18:33 +00:00
|
|
|
if (likely(err == 0))
|
|
|
|
err = len;
|
|
|
|
|
|
|
|
kfree_skb(skb);
|
|
|
|
end:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void pppol2tp_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len)
|
|
|
|
{
|
|
|
|
struct pppol2tp_session *ps = l2tp_session_priv(session);
|
|
|
|
struct sock *sk = NULL;
|
|
|
|
|
|
|
|
/* If the socket is bound, send it in to PPP's input queue. Otherwise
|
|
|
|
* queue it on the session socket.
|
|
|
|
*/
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
rcu_read_lock();
|
|
|
|
sk = rcu_dereference(ps->sk);
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!sk)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto no_sock;
|
|
|
|
|
2018-07-25 12:53:33 +00:00
|
|
|
/* If the first two bytes are 0xFF03, consider that it is the PPP's
|
|
|
|
* Address and Control fields and skip them. The L2TP module has always
|
|
|
|
* worked this way, although, in theory, the use of these fields should
|
2021-06-07 15:01:37 +00:00
|
|
|
* be negotiated and handled at the PPP layer. These fields are
|
2018-07-25 12:53:33 +00:00
|
|
|
* constant: 0xFF is the All-Stations Address and 0x03 the Unnumbered
|
|
|
|
* Information command with Poll/Final bit set to zero (RFC 1662).
|
|
|
|
*/
|
|
|
|
if (pskb_may_pull(skb, 2) && skb->data[0] == PPP_ALLSTATIONS &&
|
|
|
|
skb->data[1] == PPP_UI)
|
|
|
|
skb_pull(skb, 2);
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
if (sk->sk_state & PPPOX_BOUND) {
|
|
|
|
struct pppox_sock *po;
|
2015-12-29 12:06:59 +00:00
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
po = pppox_sk(sk);
|
|
|
|
ppp_input(&po->chan, skb);
|
|
|
|
} else {
|
2014-03-06 10:15:10 +00:00
|
|
|
if (sock_queue_rcv_skb(sk, skb) < 0) {
|
|
|
|
atomic_long_inc(&session->stats.rx_errors);
|
|
|
|
kfree_skb(skb);
|
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
rcu_read_unlock();
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
no_sock:
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
rcu_read_unlock();
|
2020-08-22 14:59:03 +00:00
|
|
|
pr_warn_ratelimited("%s: no socket in recv\n", session->name);
|
2010-04-02 06:18:33 +00:00
|
|
|
kfree_skb(skb);
|
|
|
|
}
|
|
|
|
|
|
|
|
/************************************************************************
|
|
|
|
* Transmit handling
|
|
|
|
***********************************************************************/
|
|
|
|
|
|
|
|
/* This is the sendmsg for the PPPoL2TP pppol2tp_session socket. We come here
|
|
|
|
* when a user application does a sendmsg() on the session socket. L2TP and
|
|
|
|
* PPP headers must be inserted into the user's data.
|
|
|
|
*/
|
2015-03-02 07:37:48 +00:00
|
|
|
static int pppol2tp_sendmsg(struct socket *sock, struct msghdr *m,
|
2010-04-02 06:18:33 +00:00
|
|
|
size_t total_len)
|
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct sk_buff *skb;
|
|
|
|
int error;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
struct l2tp_tunnel *tunnel;
|
2010-04-02 06:19:00 +00:00
|
|
|
int uhlen;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
error = -ENOTCONN;
|
|
|
|
if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
/* Get session and tunnel contexts */
|
|
|
|
error = -EBADF;
|
|
|
|
session = pppol2tp_sock_to_session(sk);
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!session)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto error;
|
|
|
|
|
2017-11-10 21:06:31 +00:00
|
|
|
tunnel = session->tunnel;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2010-04-02 06:19:00 +00:00
|
|
|
uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
/* Allocate a socket buffer */
|
|
|
|
error = -ENOMEM;
|
|
|
|
skb = sock_wmalloc(sk, NET_SKB_PAD + sizeof(struct iphdr) +
|
2010-04-02 06:19:00 +00:00
|
|
|
uhlen + session->hdr_len +
|
2016-08-22 14:50:02 +00:00
|
|
|
2 + total_len, /* 2 bytes for PPP_ALLSTATIONS & PPP_UI */
|
2010-04-02 06:18:33 +00:00
|
|
|
0, GFP_KERNEL);
|
|
|
|
if (!skb)
|
2017-11-10 21:06:31 +00:00
|
|
|
goto error_put_sess;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
/* Reserve space for headers. */
|
|
|
|
skb_reserve(skb, NET_SKB_PAD);
|
|
|
|
skb_reset_network_header(skb);
|
|
|
|
skb_reserve(skb, sizeof(struct iphdr));
|
|
|
|
skb_reset_transport_header(skb);
|
2010-04-02 06:19:00 +00:00
|
|
|
skb_reserve(skb, uhlen);
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
/* Add PPP header */
|
2016-08-22 14:50:02 +00:00
|
|
|
skb->data[0] = PPP_ALLSTATIONS;
|
|
|
|
skb->data[1] = PPP_UI;
|
2010-04-02 06:18:33 +00:00
|
|
|
skb_put(skb, 2);
|
|
|
|
|
|
|
|
/* Copy user data into skb */
|
2014-04-07 01:25:44 +00:00
|
|
|
error = memcpy_from_msg(skb_put(skb, total_len), m, total_len);
|
2010-04-02 06:18:33 +00:00
|
|
|
if (error < 0) {
|
|
|
|
kfree_skb(skb);
|
2017-11-10 21:06:31 +00:00
|
|
|
goto error_put_sess;
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
|
|
|
|
2013-10-10 13:30:09 +00:00
|
|
|
local_bh_disable();
|
2020-09-03 08:54:47 +00:00
|
|
|
l2tp_xmit_skb(session, skb);
|
2013-10-10 13:30:09 +00:00
|
|
|
local_bh_enable();
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2013-03-01 05:02:02 +00:00
|
|
|
sock_put(sk);
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2013-06-12 14:07:36 +00:00
|
|
|
return total_len;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
error_put_sess:
|
|
|
|
sock_put(sk);
|
|
|
|
error:
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Transmit function called by generic PPP driver. Sends PPP frame
|
|
|
|
* over PPPoL2TP socket.
|
|
|
|
*
|
|
|
|
* This is almost the same as pppol2tp_sendmsg(), but rather than
|
|
|
|
* being called with a msghdr from userspace, it is called with a skb
|
|
|
|
* from the kernel.
|
|
|
|
*
|
|
|
|
* The supplied skb from ppp doesn't have enough headroom for the
|
|
|
|
* insertion of L2TP, UDP and IP headers so we need to allocate more
|
|
|
|
* headroom in the skb. This will create a cloned skb. But we must be
|
|
|
|
* careful in the error case because the caller will expect to free
|
|
|
|
* the skb it supplied, not our cloned skb. So we take care to always
|
|
|
|
* leave the original skb unfreed if we return an error.
|
|
|
|
*/
|
|
|
|
static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
|
|
|
|
{
|
2020-07-22 16:32:05 +00:00
|
|
|
struct sock *sk = (struct sock *)chan->private;
|
2010-04-02 06:18:33 +00:00
|
|
|
struct l2tp_session *session;
|
|
|
|
struct l2tp_tunnel *tunnel;
|
2011-10-07 05:45:57 +00:00
|
|
|
int uhlen, headroom;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
|
|
|
|
goto abort;
|
|
|
|
|
|
|
|
/* Get session and tunnel contexts from the socket */
|
|
|
|
session = pppol2tp_sock_to_session(sk);
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!session)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto abort;
|
|
|
|
|
2017-11-10 21:06:31 +00:00
|
|
|
tunnel = session->tunnel;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2011-10-07 05:45:57 +00:00
|
|
|
uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
|
|
|
|
headroom = NET_SKB_PAD +
|
|
|
|
sizeof(struct iphdr) + /* IP header */
|
|
|
|
uhlen + /* UDP header (if L2TP_ENCAPTYPE_UDP) */
|
|
|
|
session->hdr_len + /* L2TP header */
|
2016-08-22 14:50:02 +00:00
|
|
|
2; /* 2 bytes for PPP_ALLSTATIONS & PPP_UI */
|
2011-10-07 05:45:57 +00:00
|
|
|
if (skb_cow_head(skb, headroom))
|
2017-11-10 21:06:31 +00:00
|
|
|
goto abort_put_sess;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
/* Setup PPP header */
|
2016-08-22 14:50:02 +00:00
|
|
|
__skb_push(skb, 2);
|
|
|
|
skb->data[0] = PPP_ALLSTATIONS;
|
|
|
|
skb->data[1] = PPP_UI;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2013-10-10 13:30:09 +00:00
|
|
|
local_bh_disable();
|
2020-09-03 08:54:47 +00:00
|
|
|
l2tp_xmit_skb(session, skb);
|
2013-10-10 13:30:09 +00:00
|
|
|
local_bh_enable();
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
sock_put(sk);
|
2017-11-10 21:06:31 +00:00
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
return 1;
|
|
|
|
|
|
|
|
abort_put_sess:
|
|
|
|
sock_put(sk);
|
|
|
|
abort:
|
|
|
|
/* Free the original skb */
|
|
|
|
kfree_skb(skb);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
|
|
* Session (and tunnel control) socket create/destroy.
|
|
|
|
*****************************************************************************/
|
|
|
|
|
2018-02-23 17:45:46 +00:00
|
|
|
static void pppol2tp_put_sk(struct rcu_head *head)
|
|
|
|
{
|
|
|
|
struct pppol2tp_session *ps;
|
|
|
|
|
|
|
|
ps = container_of(head, typeof(*ps), rcu);
|
|
|
|
sock_put(ps->__sk);
|
|
|
|
}
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
/* Really kill the session socket. (Called from sock_put() if
|
|
|
|
* refcnt == 0.)
|
|
|
|
*/
|
|
|
|
static void pppol2tp_session_destruct(struct sock *sk)
|
|
|
|
{
|
2013-03-19 06:11:23 +00:00
|
|
|
struct l2tp_session *session = sk->sk_user_data;
|
2017-03-29 06:45:29 +00:00
|
|
|
|
|
|
|
skb_queue_purge(&sk->sk_receive_queue);
|
|
|
|
skb_queue_purge(&sk->sk_write_queue);
|
|
|
|
|
2013-03-19 06:11:23 +00:00
|
|
|
if (session) {
|
2010-04-02 06:18:33 +00:00
|
|
|
sk->sk_user_data = NULL;
|
2020-07-24 15:31:53 +00:00
|
|
|
if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
|
|
|
|
return;
|
2010-04-02 06:18:33 +00:00
|
|
|
l2tp_session_dec_refcount(session);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Called when the PPPoX socket (session) is closed.
|
|
|
|
*/
|
|
|
|
static int pppol2tp_release(struct socket *sock)
|
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if (!sk)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error = -EBADF;
|
|
|
|
lock_sock(sk);
|
|
|
|
if (sock_flag(sk, SOCK_DEAD) != 0)
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
pppox_unbind_sock(sk);
|
|
|
|
|
|
|
|
/* Signal the death of the socket. */
|
|
|
|
sk->sk_state = PPPOX_DEAD;
|
|
|
|
sock_orphan(sk);
|
|
|
|
sock->sk = NULL;
|
|
|
|
|
|
|
|
session = pppol2tp_sock_to_session(sk);
|
2018-02-23 17:45:46 +00:00
|
|
|
if (session) {
|
l2tp: fix refcount leakage on PPPoL2TP sockets
Commit d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session
object destroy") tried to fix a race condition where a PPPoL2TP socket
would disappear while the L2TP session was still using it. However, it
missed the root issue which is that an L2TP session may accept to be
reconnected if its associated socket has entered the release process.
The tentative fix makes the session hold the socket it is connected to.
That saves the kernel from crashing, but introduces refcount leakage,
preventing the socket from completing the release process. Once stalled,
everything the socket depends on can't be released anymore, including
the L2TP session and the l2tp_ppp module.
The root issue is that, when releasing a connected PPPoL2TP socket, the
session's ->sk pointer (RCU-protected) is reset to NULL and we have to
wait for a grace period before destroying the socket. The socket drops
the session in its ->sk_destruct callback function, so the session
will exist until the last reference on the socket is dropped.
Therefore, there is a time frame where pppol2tp_connect() may accept
reconnecting a session, as it only checks ->sk to figure out if the
session is connected. This time frame is shortened by the fact that
pppol2tp_release() calls l2tp_session_delete(), making the session
unreachable before resetting ->sk. However, pppol2tp_connect() may
grab the session before it gets unhashed by l2tp_session_delete(), but
it may test ->sk after the later got reset. The race is not so hard to
trigger and syzbot found a pretty reliable reproducer:
https://syzkaller.appspot.com/bug?id=418578d2a4389074524e04d641eacb091961b2cf
Before d02ba2a6110c, another race could let pppol2tp_release()
overwrite the ->__sk pointer of an L2TP session, thus tricking
pppol2tp_put_sk() into calling sock_put() on a socket that is different
than the one for which pppol2tp_release() was originally called. To get
there, we had to trigger the race described above, therefore having one
PPPoL2TP socket being released, while the session it is connected to is
reconnecting to a different PPPoL2TP socket. When releasing this new
socket fast enough, pppol2tp_release() overwrites the session's
->__sk pointer with the address of the new socket, before the first
pppol2tp_put_sk() call gets scheduled. Then the pppol2tp_put_sk() call
invoked by the original socket will sock_put() the new socket,
potentially dropping its last reference. When the second
pppol2tp_put_sk() finally runs, its socket has already been freed.
With d02ba2a6110c, the session takes a reference on both sockets.
Furthermore, the session's ->sk pointer is reset in the
pppol2tp_session_close() callback function rather than in
pppol2tp_release(). Therefore, ->__sk can't be overwritten and
pppol2tp_put_sk() is called only once (l2tp_session_delete() will only
run pppol2tp_session_close() once, to protect the session against
concurrent deletion requests). Now pppol2tp_put_sk() will properly
sock_put() the original socket, but the new socket will remain, as
l2tp_session_delete() prevented the release process from completing.
Here, we don't depend on the ->__sk race to trigger the bug. Getting
into the pppol2tp_connect() race is enough to leak the reference, no
matter when new socket is released.
So it all boils down to pppol2tp_connect() failing to realise that the
session has already been connected. This patch drops the unneeded extra
reference counting (mostly reverting d02ba2a6110c) and checks that
neither ->sk nor ->__sk is set before allowing a session to be
connected.
Fixes: d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session object destroy")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-04 16:52:19 +00:00
|
|
|
struct pppol2tp_session *ps;
|
|
|
|
|
l2tp: initialise PPP sessions before registering them
pppol2tp_connect() initialises L2TP sessions after they've been exposed
to the rest of the system by l2tp_session_register(). This puts
sessions into transient states that are the source of several races, in
particular with session's deletion path.
This patch centralises the initialisation code into
pppol2tp_session_init(), which is called before the registration phase.
The only field that can't be set before session registration is the
pppol2tp socket pointer, which has already been converted to RCU. So
pppol2tp_connect() should now be race-free.
The session's .session_close() callback is now set before registration.
Therefore, it's always called when l2tp_core deletes the session, even
if it was created by pppol2tp_session_create() and hasn't been plugged
to a pppol2tp socket yet. That'd prevent session free because the extra
reference taken by pppol2tp_session_close() wouldn't be dropped by the
socket's ->sk_destruct() callback (pppol2tp_session_destruct()).
We could set .session_close() only while connecting a session to its
pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a
reference when the session isn't connected, but that'd require adding
some form of synchronisation to be race free.
Instead of that, we can just let the pppol2tp socket hold a reference
on the session as soon as it starts depending on it (that is, in
pppol2tp_connect()). Then we don't need to utilise
pppol2tp_session_close() to hold a reference at the last moment to
prevent l2tp_core from dropping it.
When releasing the socket, pppol2tp_release() now deletes the session
using the standard l2tp_session_delete() function, instead of merely
removing it from hash tables. l2tp_session_delete() drops the reference
the sessions holds on itself, but also makes sure it doesn't remove a
session twice. So it can safely be called, even if l2tp_core already
tried, or is concurrently trying, to remove the session.
Finally, pppol2tp_session_destruct() drops the reference held by the
socket.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
l2tp_session_delete(session);
|
l2tp: fix refcount leakage on PPPoL2TP sockets
Commit d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session
object destroy") tried to fix a race condition where a PPPoL2TP socket
would disappear while the L2TP session was still using it. However, it
missed the root issue which is that an L2TP session may accept to be
reconnected if its associated socket has entered the release process.
The tentative fix makes the session hold the socket it is connected to.
That saves the kernel from crashing, but introduces refcount leakage,
preventing the socket from completing the release process. Once stalled,
everything the socket depends on can't be released anymore, including
the L2TP session and the l2tp_ppp module.
The root issue is that, when releasing a connected PPPoL2TP socket, the
session's ->sk pointer (RCU-protected) is reset to NULL and we have to
wait for a grace period before destroying the socket. The socket drops
the session in its ->sk_destruct callback function, so the session
will exist until the last reference on the socket is dropped.
Therefore, there is a time frame where pppol2tp_connect() may accept
reconnecting a session, as it only checks ->sk to figure out if the
session is connected. This time frame is shortened by the fact that
pppol2tp_release() calls l2tp_session_delete(), making the session
unreachable before resetting ->sk. However, pppol2tp_connect() may
grab the session before it gets unhashed by l2tp_session_delete(), but
it may test ->sk after the later got reset. The race is not so hard to
trigger and syzbot found a pretty reliable reproducer:
https://syzkaller.appspot.com/bug?id=418578d2a4389074524e04d641eacb091961b2cf
Before d02ba2a6110c, another race could let pppol2tp_release()
overwrite the ->__sk pointer of an L2TP session, thus tricking
pppol2tp_put_sk() into calling sock_put() on a socket that is different
than the one for which pppol2tp_release() was originally called. To get
there, we had to trigger the race described above, therefore having one
PPPoL2TP socket being released, while the session it is connected to is
reconnecting to a different PPPoL2TP socket. When releasing this new
socket fast enough, pppol2tp_release() overwrites the session's
->__sk pointer with the address of the new socket, before the first
pppol2tp_put_sk() call gets scheduled. Then the pppol2tp_put_sk() call
invoked by the original socket will sock_put() the new socket,
potentially dropping its last reference. When the second
pppol2tp_put_sk() finally runs, its socket has already been freed.
With d02ba2a6110c, the session takes a reference on both sockets.
Furthermore, the session's ->sk pointer is reset in the
pppol2tp_session_close() callback function rather than in
pppol2tp_release(). Therefore, ->__sk can't be overwritten and
pppol2tp_put_sk() is called only once (l2tp_session_delete() will only
run pppol2tp_session_close() once, to protect the session against
concurrent deletion requests). Now pppol2tp_put_sk() will properly
sock_put() the original socket, but the new socket will remain, as
l2tp_session_delete() prevented the release process from completing.
Here, we don't depend on the ->__sk race to trigger the bug. Getting
into the pppol2tp_connect() race is enough to leak the reference, no
matter when new socket is released.
So it all boils down to pppol2tp_connect() failing to realise that the
session has already been connected. This patch drops the unneeded extra
reference counting (mostly reverting d02ba2a6110c) and checks that
neither ->sk nor ->__sk is set before allowing a session to be
connected.
Fixes: d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session object destroy")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-04 16:52:19 +00:00
|
|
|
|
|
|
|
ps = l2tp_session_priv(session);
|
|
|
|
mutex_lock(&ps->sk_lock);
|
|
|
|
ps->__sk = rcu_dereference_protected(ps->sk,
|
|
|
|
lockdep_is_held(&ps->sk_lock));
|
|
|
|
RCU_INIT_POINTER(ps->sk, NULL);
|
|
|
|
mutex_unlock(&ps->sk_lock);
|
|
|
|
call_rcu(&ps->rcu, pppol2tp_put_sk);
|
|
|
|
|
|
|
|
/* Rely on the sock_put() call at the end of the function for
|
|
|
|
* dropping the reference held by pppol2tp_sock_to_session().
|
|
|
|
* The last reference will be dropped by pppol2tp_put_sk().
|
|
|
|
*/
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
2018-02-23 17:45:46 +00:00
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
release_sock(sk);
|
|
|
|
|
|
|
|
/* This will delete the session context via
|
|
|
|
* pppol2tp_session_destruct() if the socket's refcnt drops to
|
|
|
|
* zero.
|
|
|
|
*/
|
|
|
|
sock_put(sk);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error:
|
|
|
|
release_sock(sk);
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct proto pppol2tp_sk_proto = {
|
|
|
|
.name = "PPPOL2TP",
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.obj_size = sizeof(struct pppox_sock),
|
|
|
|
};
|
|
|
|
|
|
|
|
static int pppol2tp_backlog_recv(struct sock *sk, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
rc = l2tp_udp_encap_recv(sk, skb);
|
|
|
|
if (rc)
|
|
|
|
kfree_skb(skb);
|
|
|
|
|
|
|
|
return NET_RX_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* socket() handler. Initialize a new struct sock.
|
|
|
|
*/
|
2015-05-09 02:09:13 +00:00
|
|
|
static int pppol2tp_create(struct net *net, struct socket *sock, int kern)
|
2010-04-02 06:18:33 +00:00
|
|
|
{
|
|
|
|
int error = -ENOMEM;
|
|
|
|
struct sock *sk;
|
|
|
|
|
2015-05-09 02:09:13 +00:00
|
|
|
sk = sk_alloc(net, PF_PPPOX, GFP_KERNEL, &pppol2tp_sk_proto, kern);
|
2010-04-02 06:18:33 +00:00
|
|
|
if (!sk)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
sock_init_data(sock, sk);
|
|
|
|
|
|
|
|
sock->state = SS_UNCONNECTED;
|
|
|
|
sock->ops = &pppol2tp_ops;
|
|
|
|
|
|
|
|
sk->sk_backlog_rcv = pppol2tp_backlog_recv;
|
|
|
|
sk->sk_protocol = PX_PROTO_OL2TP;
|
|
|
|
sk->sk_family = PF_PPPOX;
|
|
|
|
sk->sk_state = PPPOX_NONE;
|
|
|
|
sk->sk_type = SOCK_STREAM;
|
|
|
|
sk->sk_destruct = pppol2tp_session_destruct;
|
|
|
|
|
|
|
|
error = 0;
|
|
|
|
|
|
|
|
out:
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2010-04-02 06:19:33 +00:00
|
|
|
static void pppol2tp_show(struct seq_file *m, void *arg)
|
|
|
|
{
|
|
|
|
struct l2tp_session *session = arg;
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
struct sock *sk;
|
|
|
|
|
|
|
|
sk = pppol2tp_session_get_sock(session);
|
|
|
|
if (sk) {
|
|
|
|
struct pppox_sock *po = pppox_sk(sk);
|
2010-04-02 06:19:33 +00:00
|
|
|
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan));
|
|
|
|
sock_put(sk);
|
2010-04-02 06:19:33 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
l2tp: initialise PPP sessions before registering them
pppol2tp_connect() initialises L2TP sessions after they've been exposed
to the rest of the system by l2tp_session_register(). This puts
sessions into transient states that are the source of several races, in
particular with session's deletion path.
This patch centralises the initialisation code into
pppol2tp_session_init(), which is called before the registration phase.
The only field that can't be set before session registration is the
pppol2tp socket pointer, which has already been converted to RCU. So
pppol2tp_connect() should now be race-free.
The session's .session_close() callback is now set before registration.
Therefore, it's always called when l2tp_core deletes the session, even
if it was created by pppol2tp_session_create() and hasn't been plugged
to a pppol2tp socket yet. That'd prevent session free because the extra
reference taken by pppol2tp_session_close() wouldn't be dropped by the
socket's ->sk_destruct() callback (pppol2tp_session_destruct()).
We could set .session_close() only while connecting a session to its
pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a
reference when the session isn't connected, but that'd require adding
some form of synchronisation to be race free.
Instead of that, we can just let the pppol2tp socket hold a reference
on the session as soon as it starts depending on it (that is, in
pppol2tp_connect()). Then we don't need to utilise
pppol2tp_session_close() to hold a reference at the last moment to
prevent l2tp_core from dropping it.
When releasing the socket, pppol2tp_release() now deletes the session
using the standard l2tp_session_delete() function, instead of merely
removing it from hash tables. l2tp_session_delete() drops the reference
the sessions holds on itself, but also makes sure it doesn't remove a
session twice. So it can safely be called, even if l2tp_core already
tried, or is concurrently trying, to remove the session.
Finally, pppol2tp_session_destruct() drops the reference held by the
socket.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
static void pppol2tp_session_init(struct l2tp_session *session)
|
|
|
|
{
|
|
|
|
struct pppol2tp_session *ps;
|
|
|
|
|
|
|
|
session->recv_skb = pppol2tp_recv;
|
2018-08-13 21:43:05 +00:00
|
|
|
if (IS_ENABLED(CONFIG_L2TP_DEBUGFS))
|
|
|
|
session->show = pppol2tp_show;
|
l2tp: initialise PPP sessions before registering them
pppol2tp_connect() initialises L2TP sessions after they've been exposed
to the rest of the system by l2tp_session_register(). This puts
sessions into transient states that are the source of several races, in
particular with session's deletion path.
This patch centralises the initialisation code into
pppol2tp_session_init(), which is called before the registration phase.
The only field that can't be set before session registration is the
pppol2tp socket pointer, which has already been converted to RCU. So
pppol2tp_connect() should now be race-free.
The session's .session_close() callback is now set before registration.
Therefore, it's always called when l2tp_core deletes the session, even
if it was created by pppol2tp_session_create() and hasn't been plugged
to a pppol2tp socket yet. That'd prevent session free because the extra
reference taken by pppol2tp_session_close() wouldn't be dropped by the
socket's ->sk_destruct() callback (pppol2tp_session_destruct()).
We could set .session_close() only while connecting a session to its
pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a
reference when the session isn't connected, but that'd require adding
some form of synchronisation to be race free.
Instead of that, we can just let the pppol2tp socket hold a reference
on the session as soon as it starts depending on it (that is, in
pppol2tp_connect()). Then we don't need to utilise
pppol2tp_session_close() to hold a reference at the last moment to
prevent l2tp_core from dropping it.
When releasing the socket, pppol2tp_release() now deletes the session
using the standard l2tp_session_delete() function, instead of merely
removing it from hash tables. l2tp_session_delete() drops the reference
the sessions holds on itself, but also makes sure it doesn't remove a
session twice. So it can safely be called, even if l2tp_core already
tried, or is concurrently trying, to remove the session.
Finally, pppol2tp_session_destruct() drops the reference held by the
socket.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
|
|
|
|
ps = l2tp_session_priv(session);
|
|
|
|
mutex_init(&ps->sk_lock);
|
|
|
|
ps->owner = current->pid;
|
|
|
|
}
|
|
|
|
|
2018-06-26 16:41:36 +00:00
|
|
|
struct l2tp_connect_info {
|
|
|
|
u8 version;
|
|
|
|
int fd;
|
|
|
|
u32 tunnel_id;
|
|
|
|
u32 peer_tunnel_id;
|
|
|
|
u32 session_id;
|
|
|
|
u32 peer_session_id;
|
|
|
|
};
|
|
|
|
|
|
|
|
static int pppol2tp_sockaddr_get_info(const void *sa, int sa_len,
|
|
|
|
struct l2tp_connect_info *info)
|
|
|
|
{
|
|
|
|
switch (sa_len) {
|
|
|
|
case sizeof(struct sockaddr_pppol2tp):
|
|
|
|
{
|
|
|
|
const struct sockaddr_pppol2tp *sa_v2in4 = sa;
|
|
|
|
|
|
|
|
if (sa_v2in4->sa_protocol != PX_PROTO_OL2TP)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
info->version = 2;
|
|
|
|
info->fd = sa_v2in4->pppol2tp.fd;
|
|
|
|
info->tunnel_id = sa_v2in4->pppol2tp.s_tunnel;
|
|
|
|
info->peer_tunnel_id = sa_v2in4->pppol2tp.d_tunnel;
|
|
|
|
info->session_id = sa_v2in4->pppol2tp.s_session;
|
|
|
|
info->peer_session_id = sa_v2in4->pppol2tp.d_session;
|
|
|
|
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
case sizeof(struct sockaddr_pppol2tpv3):
|
|
|
|
{
|
|
|
|
const struct sockaddr_pppol2tpv3 *sa_v3in4 = sa;
|
|
|
|
|
|
|
|
if (sa_v3in4->sa_protocol != PX_PROTO_OL2TP)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
info->version = 3;
|
|
|
|
info->fd = sa_v3in4->pppol2tp.fd;
|
|
|
|
info->tunnel_id = sa_v3in4->pppol2tp.s_tunnel;
|
|
|
|
info->peer_tunnel_id = sa_v3in4->pppol2tp.d_tunnel;
|
|
|
|
info->session_id = sa_v3in4->pppol2tp.s_session;
|
|
|
|
info->peer_session_id = sa_v3in4->pppol2tp.d_session;
|
|
|
|
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
case sizeof(struct sockaddr_pppol2tpin6):
|
|
|
|
{
|
|
|
|
const struct sockaddr_pppol2tpin6 *sa_v2in6 = sa;
|
|
|
|
|
|
|
|
if (sa_v2in6->sa_protocol != PX_PROTO_OL2TP)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
info->version = 2;
|
|
|
|
info->fd = sa_v2in6->pppol2tp.fd;
|
|
|
|
info->tunnel_id = sa_v2in6->pppol2tp.s_tunnel;
|
|
|
|
info->peer_tunnel_id = sa_v2in6->pppol2tp.d_tunnel;
|
|
|
|
info->session_id = sa_v2in6->pppol2tp.s_session;
|
|
|
|
info->peer_session_id = sa_v2in6->pppol2tp.d_session;
|
|
|
|
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
case sizeof(struct sockaddr_pppol2tpv3in6):
|
|
|
|
{
|
|
|
|
const struct sockaddr_pppol2tpv3in6 *sa_v3in6 = sa;
|
|
|
|
|
|
|
|
if (sa_v3in6->sa_protocol != PX_PROTO_OL2TP)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
info->version = 3;
|
|
|
|
info->fd = sa_v3in6->pppol2tp.fd;
|
|
|
|
info->tunnel_id = sa_v3in6->pppol2tp.s_tunnel;
|
|
|
|
info->peer_tunnel_id = sa_v3in6->pppol2tp.d_tunnel;
|
|
|
|
info->session_id = sa_v3in6->pppol2tp.s_session;
|
|
|
|
info->peer_session_id = sa_v3in6->pppol2tp.d_session;
|
|
|
|
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-08-03 10:38:37 +00:00
|
|
|
/* Rough estimation of the maximum payload size a tunnel can transmit without
|
|
|
|
* fragmenting at the lower IP layer. Assumes L2TPv2 with sequence
|
|
|
|
* numbers and no IP option. Not quite accurate, but the result is mostly
|
|
|
|
* unused anyway.
|
|
|
|
*/
|
|
|
|
static int pppol2tp_tunnel_mtu(const struct l2tp_tunnel *tunnel)
|
|
|
|
{
|
|
|
|
int mtu;
|
|
|
|
|
|
|
|
mtu = l2tp_tunnel_dst_mtu(tunnel);
|
|
|
|
if (mtu <= PPPOL2TP_HEADER_OVERHEAD)
|
|
|
|
return 1500 - PPPOL2TP_HEADER_OVERHEAD;
|
|
|
|
|
|
|
|
return mtu - PPPOL2TP_HEADER_OVERHEAD;
|
|
|
|
}
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
/* connect() handler. Attach a PPPoX socket to a tunnel UDP socket
|
|
|
|
*/
|
|
|
|
static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
|
|
|
|
int sockaddr_len, int flags)
|
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct pppox_sock *po = pppox_sk(sk);
|
|
|
|
struct l2tp_session *session = NULL;
|
2018-06-26 16:41:36 +00:00
|
|
|
struct l2tp_connect_info info;
|
2010-04-02 06:18:33 +00:00
|
|
|
struct l2tp_tunnel *tunnel;
|
|
|
|
struct pppol2tp_session *ps;
|
|
|
|
struct l2tp_session_cfg cfg = { 0, };
|
2017-03-31 11:02:27 +00:00
|
|
|
bool drop_refcnt = false;
|
2017-10-30 16:58:58 +00:00
|
|
|
bool drop_tunnel = false;
|
2018-06-13 13:09:21 +00:00
|
|
|
bool new_session = false;
|
|
|
|
bool new_tunnel = false;
|
2018-06-26 16:41:36 +00:00
|
|
|
int error;
|
2018-04-23 14:15:14 +00:00
|
|
|
|
2018-06-26 16:41:36 +00:00
|
|
|
error = pppol2tp_sockaddr_get_info(uservaddr, sockaddr_len, &info);
|
|
|
|
if (error < 0)
|
|
|
|
return error;
|
2018-04-23 14:15:14 +00:00
|
|
|
|
2018-06-26 16:41:36 +00:00
|
|
|
lock_sock(sk);
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
/* Check for already bound sockets */
|
|
|
|
error = -EBUSY;
|
|
|
|
if (sk->sk_state & PPPOX_CONNECTED)
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
/* We don't supporting rebinding anyway */
|
|
|
|
error = -EALREADY;
|
|
|
|
if (sk->sk_user_data)
|
|
|
|
goto end; /* socket is already attached */
|
|
|
|
|
2010-04-02 06:18:54 +00:00
|
|
|
/* Don't bind if tunnel_id is 0 */
|
2010-04-02 06:18:33 +00:00
|
|
|
error = -EINVAL;
|
2018-06-26 16:41:36 +00:00
|
|
|
if (!info.tunnel_id)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
|
|
|
|
2018-06-26 16:41:36 +00:00
|
|
|
tunnel = l2tp_tunnel_get(sock_net(sk), info.tunnel_id);
|
2017-10-30 16:58:58 +00:00
|
|
|
if (tunnel)
|
|
|
|
drop_tunnel = true;
|
2010-04-02 06:19:10 +00:00
|
|
|
|
2010-04-02 06:18:54 +00:00
|
|
|
/* Special case: create tunnel context if session_id and
|
|
|
|
* peer_session_id is 0. Otherwise look up tunnel using supplied
|
2010-04-02 06:18:33 +00:00
|
|
|
* tunnel id.
|
|
|
|
*/
|
2018-06-26 16:41:36 +00:00
|
|
|
if (!info.session_id && !info.peer_session_id) {
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!tunnel) {
|
2010-04-02 06:19:10 +00:00
|
|
|
struct l2tp_tunnel_cfg tcfg = {
|
|
|
|
.encap = L2TP_ENCAPTYPE_UDP,
|
|
|
|
};
|
2018-06-13 13:09:20 +00:00
|
|
|
|
|
|
|
/* Prevent l2tp_tunnel_register() from trying to set up
|
|
|
|
* a kernel socket.
|
|
|
|
*/
|
2018-06-26 16:41:36 +00:00
|
|
|
if (info.fd < 0) {
|
2018-06-13 13:09:20 +00:00
|
|
|
error = -EBADF;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2020-09-03 08:54:49 +00:00
|
|
|
error = l2tp_tunnel_create(info.fd,
|
2018-06-26 16:41:36 +00:00
|
|
|
info.version,
|
|
|
|
info.tunnel_id,
|
|
|
|
info.peer_tunnel_id, &tcfg,
|
|
|
|
&tunnel);
|
2010-04-02 06:19:10 +00:00
|
|
|
if (error < 0)
|
|
|
|
goto end;
|
l2tp: fix races in tunnel creation
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel
list and sets the socket's ->sk_user_data field, before returning it to
the caller. Therefore, there are two ways the tunnel can be accessed
and freed, before the caller even had the opportunity to take a
reference. In practice, syzbot could crash the module by closing the
socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so
that the caller can safely hold a reference before publishing the
tunnel. This second step is done with the new l2tp_tunnel_register()
function, which is now responsible for associating the tunnel to its
socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications
have been done. First, the socket validation tests are done in a helper
function, for clarity. Also, modifying the socket is now done after
having inserted the tunnel to the namespace's tunnels list. This will
allow insertion to fail, without having to revert theses modifications
in the error path (a followup patch will check for duplicate tunnels
before insertion). Either the socket is a kernel socket which we
control, or it is a user-space socket for which we have a reference on
the file descriptor. In any case, the socket isn't going to be closed
from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-04-10 19:01:12 +00:00
|
|
|
|
|
|
|
l2tp_tunnel_inc_refcount(tunnel);
|
|
|
|
error = l2tp_tunnel_register(tunnel, sock_net(sk),
|
|
|
|
&tcfg);
|
|
|
|
if (error < 0) {
|
|
|
|
kfree(tunnel);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
drop_tunnel = true;
|
2018-06-13 13:09:21 +00:00
|
|
|
new_tunnel = true;
|
2010-04-02 06:19:10 +00:00
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
} else {
|
|
|
|
/* Error if we can't find the tunnel */
|
|
|
|
error = -ENOENT;
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!tunnel)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
|
|
|
|
|
|
|
/* Error if socket is not prepped */
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!tunnel->sock)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2012-04-29 21:48:50 +00:00
|
|
|
if (tunnel->peer_tunnel_id == 0)
|
2018-06-26 16:41:36 +00:00
|
|
|
tunnel->peer_tunnel_id = info.peer_tunnel_id;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2018-08-10 11:21:57 +00:00
|
|
|
session = l2tp_tunnel_get_session(tunnel, info.session_id);
|
2017-03-31 11:02:27 +00:00
|
|
|
if (session) {
|
|
|
|
drop_refcnt = true;
|
2018-06-13 13:09:19 +00:00
|
|
|
|
|
|
|
if (session->pwtype != L2TP_PWTYPE_PPP) {
|
|
|
|
error = -EPROTOTYPE;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2017-03-31 11:02:27 +00:00
|
|
|
ps = l2tp_session_priv(session);
|
|
|
|
|
|
|
|
/* Using a pre-existing session is fine as long as it hasn't
|
|
|
|
* been connected yet.
|
2010-04-02 06:19:10 +00:00
|
|
|
*/
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
mutex_lock(&ps->sk_lock);
|
|
|
|
if (rcu_dereference_protected(ps->sk,
|
l2tp: fix refcount leakage on PPPoL2TP sockets
Commit d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session
object destroy") tried to fix a race condition where a PPPoL2TP socket
would disappear while the L2TP session was still using it. However, it
missed the root issue which is that an L2TP session may accept to be
reconnected if its associated socket has entered the release process.
The tentative fix makes the session hold the socket it is connected to.
That saves the kernel from crashing, but introduces refcount leakage,
preventing the socket from completing the release process. Once stalled,
everything the socket depends on can't be released anymore, including
the L2TP session and the l2tp_ppp module.
The root issue is that, when releasing a connected PPPoL2TP socket, the
session's ->sk pointer (RCU-protected) is reset to NULL and we have to
wait for a grace period before destroying the socket. The socket drops
the session in its ->sk_destruct callback function, so the session
will exist until the last reference on the socket is dropped.
Therefore, there is a time frame where pppol2tp_connect() may accept
reconnecting a session, as it only checks ->sk to figure out if the
session is connected. This time frame is shortened by the fact that
pppol2tp_release() calls l2tp_session_delete(), making the session
unreachable before resetting ->sk. However, pppol2tp_connect() may
grab the session before it gets unhashed by l2tp_session_delete(), but
it may test ->sk after the later got reset. The race is not so hard to
trigger and syzbot found a pretty reliable reproducer:
https://syzkaller.appspot.com/bug?id=418578d2a4389074524e04d641eacb091961b2cf
Before d02ba2a6110c, another race could let pppol2tp_release()
overwrite the ->__sk pointer of an L2TP session, thus tricking
pppol2tp_put_sk() into calling sock_put() on a socket that is different
than the one for which pppol2tp_release() was originally called. To get
there, we had to trigger the race described above, therefore having one
PPPoL2TP socket being released, while the session it is connected to is
reconnecting to a different PPPoL2TP socket. When releasing this new
socket fast enough, pppol2tp_release() overwrites the session's
->__sk pointer with the address of the new socket, before the first
pppol2tp_put_sk() call gets scheduled. Then the pppol2tp_put_sk() call
invoked by the original socket will sock_put() the new socket,
potentially dropping its last reference. When the second
pppol2tp_put_sk() finally runs, its socket has already been freed.
With d02ba2a6110c, the session takes a reference on both sockets.
Furthermore, the session's ->sk pointer is reset in the
pppol2tp_session_close() callback function rather than in
pppol2tp_release(). Therefore, ->__sk can't be overwritten and
pppol2tp_put_sk() is called only once (l2tp_session_delete() will only
run pppol2tp_session_close() once, to protect the session against
concurrent deletion requests). Now pppol2tp_put_sk() will properly
sock_put() the original socket, but the new socket will remain, as
l2tp_session_delete() prevented the release process from completing.
Here, we don't depend on the ->__sk race to trigger the bug. Getting
into the pppol2tp_connect() race is enough to leak the reference, no
matter when new socket is released.
So it all boils down to pppol2tp_connect() failing to realise that the
session has already been connected. This patch drops the unneeded extra
reference counting (mostly reverting d02ba2a6110c) and checks that
neither ->sk nor ->__sk is set before allowing a session to be
connected.
Fixes: d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session object destroy")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-06-04 16:52:19 +00:00
|
|
|
lockdep_is_held(&ps->sk_lock)) ||
|
|
|
|
ps->__sk) {
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
mutex_unlock(&ps->sk_lock);
|
2017-03-31 11:02:27 +00:00
|
|
|
error = -EEXIST;
|
|
|
|
goto end;
|
|
|
|
}
|
2010-04-02 06:19:10 +00:00
|
|
|
} else {
|
2018-06-13 13:09:18 +00:00
|
|
|
cfg.pw_type = L2TP_PWTYPE_PPP;
|
2010-04-02 06:19:10 +00:00
|
|
|
|
2017-03-31 11:02:27 +00:00
|
|
|
session = l2tp_session_create(sizeof(struct pppol2tp_session),
|
2018-06-26 16:41:36 +00:00
|
|
|
tunnel, info.session_id,
|
|
|
|
info.peer_session_id, &cfg);
|
2017-03-31 11:02:27 +00:00
|
|
|
if (IS_ERR(session)) {
|
|
|
|
error = PTR_ERR(session);
|
2010-04-02 06:19:10 +00:00
|
|
|
goto end;
|
2017-03-31 11:02:27 +00:00
|
|
|
}
|
2017-10-27 14:51:50 +00:00
|
|
|
|
l2tp: initialise PPP sessions before registering them
pppol2tp_connect() initialises L2TP sessions after they've been exposed
to the rest of the system by l2tp_session_register(). This puts
sessions into transient states that are the source of several races, in
particular with session's deletion path.
This patch centralises the initialisation code into
pppol2tp_session_init(), which is called before the registration phase.
The only field that can't be set before session registration is the
pppol2tp socket pointer, which has already been converted to RCU. So
pppol2tp_connect() should now be race-free.
The session's .session_close() callback is now set before registration.
Therefore, it's always called when l2tp_core deletes the session, even
if it was created by pppol2tp_session_create() and hasn't been plugged
to a pppol2tp socket yet. That'd prevent session free because the extra
reference taken by pppol2tp_session_close() wouldn't be dropped by the
socket's ->sk_destruct() callback (pppol2tp_session_destruct()).
We could set .session_close() only while connecting a session to its
pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a
reference when the session isn't connected, but that'd require adding
some form of synchronisation to be race free.
Instead of that, we can just let the pppol2tp socket hold a reference
on the session as soon as it starts depending on it (that is, in
pppol2tp_connect()). Then we don't need to utilise
pppol2tp_session_close() to hold a reference at the last moment to
prevent l2tp_core from dropping it.
When releasing the socket, pppol2tp_release() now deletes the session
using the standard l2tp_session_delete() function, instead of merely
removing it from hash tables. l2tp_session_delete() drops the reference
the sessions holds on itself, but also makes sure it doesn't remove a
session twice. So it can safely be called, even if l2tp_core already
tried, or is concurrently trying, to remove the session.
Finally, pppol2tp_session_destruct() drops the reference held by the
socket.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
pppol2tp_session_init(session);
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
ps = l2tp_session_priv(session);
|
2017-10-27 14:51:50 +00:00
|
|
|
l2tp_session_inc_refcount(session);
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
|
|
|
|
mutex_lock(&ps->sk_lock);
|
2017-10-27 14:51:50 +00:00
|
|
|
error = l2tp_session_register(session, tunnel);
|
|
|
|
if (error < 0) {
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
mutex_unlock(&ps->sk_lock);
|
2017-10-27 14:51:50 +00:00
|
|
|
kfree(session);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
drop_refcnt = true;
|
2018-06-13 13:09:21 +00:00
|
|
|
new_session = true;
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Special case: if source & dest session_id == 0x0000, this
|
|
|
|
* socket is being created to manage the tunnel. Just set up
|
|
|
|
* the internal context for use by ioctl() and sockopt()
|
|
|
|
* handlers.
|
|
|
|
*/
|
2020-07-23 11:29:51 +00:00
|
|
|
if (session->session_id == 0 && session->peer_session_id == 0) {
|
2010-04-02 06:18:33 +00:00
|
|
|
error = 0;
|
|
|
|
goto out_no_ppp;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* The only header we need to worry about is the L2TP
|
|
|
|
* header. This size is different depending on whether
|
|
|
|
* sequence numbers are enabled for the data channel.
|
|
|
|
*/
|
|
|
|
po->chan.hdrlen = PPPOL2TP_L2TP_HDR_SIZE_NOSEQ;
|
|
|
|
|
|
|
|
po->chan.private = sk;
|
|
|
|
po->chan.ops = &pppol2tp_chan_ops;
|
2018-08-03 10:38:37 +00:00
|
|
|
po->chan.mtu = pppol2tp_tunnel_mtu(tunnel);
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
error = ppp_register_net_channel(sock_net(sk), &po->chan);
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
if (error) {
|
|
|
|
mutex_unlock(&ps->sk_lock);
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
out_no_ppp:
|
|
|
|
/* This is how we get the session context from the socket. */
|
|
|
|
sk->sk_user_data = session;
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
rcu_assign_pointer(ps->sk, sk);
|
|
|
|
mutex_unlock(&ps->sk_lock);
|
|
|
|
|
l2tp: initialise PPP sessions before registering them
pppol2tp_connect() initialises L2TP sessions after they've been exposed
to the rest of the system by l2tp_session_register(). This puts
sessions into transient states that are the source of several races, in
particular with session's deletion path.
This patch centralises the initialisation code into
pppol2tp_session_init(), which is called before the registration phase.
The only field that can't be set before session registration is the
pppol2tp socket pointer, which has already been converted to RCU. So
pppol2tp_connect() should now be race-free.
The session's .session_close() callback is now set before registration.
Therefore, it's always called when l2tp_core deletes the session, even
if it was created by pppol2tp_session_create() and hasn't been plugged
to a pppol2tp socket yet. That'd prevent session free because the extra
reference taken by pppol2tp_session_close() wouldn't be dropped by the
socket's ->sk_destruct() callback (pppol2tp_session_destruct()).
We could set .session_close() only while connecting a session to its
pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a
reference when the session isn't connected, but that'd require adding
some form of synchronisation to be race free.
Instead of that, we can just let the pppol2tp socket hold a reference
on the session as soon as it starts depending on it (that is, in
pppol2tp_connect()). Then we don't need to utilise
pppol2tp_session_close() to hold a reference at the last moment to
prevent l2tp_core from dropping it.
When releasing the socket, pppol2tp_release() now deletes the session
using the standard l2tp_session_delete() function, instead of merely
removing it from hash tables. l2tp_session_delete() drops the reference
the sessions holds on itself, but also makes sure it doesn't remove a
session twice. So it can safely be called, even if l2tp_core already
tried, or is concurrently trying, to remove the session.
Finally, pppol2tp_session_destruct() drops the reference held by the
socket.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
/* Keep the reference we've grabbed on the session: sk doesn't expect
|
|
|
|
* the session to disappear. pppol2tp_session_destruct() is responsible
|
|
|
|
* for dropping it.
|
|
|
|
*/
|
|
|
|
drop_refcnt = false;
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
sk->sk_state = PPPOX_CONNECTED;
|
|
|
|
|
|
|
|
end:
|
2018-06-13 13:09:21 +00:00
|
|
|
if (error) {
|
|
|
|
if (new_session)
|
|
|
|
l2tp_session_delete(session);
|
|
|
|
if (new_tunnel)
|
|
|
|
l2tp_tunnel_delete(tunnel);
|
|
|
|
}
|
2017-03-31 11:02:27 +00:00
|
|
|
if (drop_refcnt)
|
|
|
|
l2tp_session_dec_refcount(session);
|
2017-10-30 16:58:58 +00:00
|
|
|
if (drop_tunnel)
|
|
|
|
l2tp_tunnel_dec_refcount(tunnel);
|
2010-04-02 06:18:33 +00:00
|
|
|
release_sock(sk);
|
|
|
|
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2010-04-02 06:19:10 +00:00
|
|
|
#ifdef CONFIG_L2TP_V3
|
|
|
|
|
2017-09-01 15:58:51 +00:00
|
|
|
/* Called when creating sessions via the netlink interface. */
|
|
|
|
static int pppol2tp_session_create(struct net *net, struct l2tp_tunnel *tunnel,
|
|
|
|
u32 session_id, u32 peer_session_id,
|
|
|
|
struct l2tp_session_cfg *cfg)
|
2010-04-02 06:19:10 +00:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
|
|
|
|
/* Error if tunnel socket is not prepped */
|
2017-09-01 15:58:51 +00:00
|
|
|
if (!tunnel->sock) {
|
|
|
|
error = -ENOENT;
|
2017-10-27 14:51:50 +00:00
|
|
|
goto err;
|
2017-09-01 15:58:51 +00:00
|
|
|
}
|
2010-04-02 06:19:10 +00:00
|
|
|
|
|
|
|
/* Allocate and initialize a new session context. */
|
|
|
|
session = l2tp_session_create(sizeof(struct pppol2tp_session),
|
|
|
|
tunnel, session_id,
|
|
|
|
peer_session_id, cfg);
|
2017-03-31 11:02:27 +00:00
|
|
|
if (IS_ERR(session)) {
|
|
|
|
error = PTR_ERR(session);
|
2017-10-27 14:51:50 +00:00
|
|
|
goto err;
|
2017-03-31 11:02:27 +00:00
|
|
|
}
|
2010-04-02 06:19:10 +00:00
|
|
|
|
l2tp: initialise PPP sessions before registering them
pppol2tp_connect() initialises L2TP sessions after they've been exposed
to the rest of the system by l2tp_session_register(). This puts
sessions into transient states that are the source of several races, in
particular with session's deletion path.
This patch centralises the initialisation code into
pppol2tp_session_init(), which is called before the registration phase.
The only field that can't be set before session registration is the
pppol2tp socket pointer, which has already been converted to RCU. So
pppol2tp_connect() should now be race-free.
The session's .session_close() callback is now set before registration.
Therefore, it's always called when l2tp_core deletes the session, even
if it was created by pppol2tp_session_create() and hasn't been plugged
to a pppol2tp socket yet. That'd prevent session free because the extra
reference taken by pppol2tp_session_close() wouldn't be dropped by the
socket's ->sk_destruct() callback (pppol2tp_session_destruct()).
We could set .session_close() only while connecting a session to its
pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a
reference when the session isn't connected, but that'd require adding
some form of synchronisation to be race free.
Instead of that, we can just let the pppol2tp socket hold a reference
on the session as soon as it starts depending on it (that is, in
pppol2tp_connect()). Then we don't need to utilise
pppol2tp_session_close() to hold a reference at the last moment to
prevent l2tp_core from dropping it.
When releasing the socket, pppol2tp_release() now deletes the session
using the standard l2tp_session_delete() function, instead of merely
removing it from hash tables. l2tp_session_delete() drops the reference
the sessions holds on itself, but also makes sure it doesn't remove a
session twice. So it can safely be called, even if l2tp_core already
tried, or is concurrently trying, to remove the session.
Finally, pppol2tp_session_destruct() drops the reference held by the
socket.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
pppol2tp_session_init(session);
|
2010-04-02 06:19:10 +00:00
|
|
|
|
2017-10-27 14:51:50 +00:00
|
|
|
error = l2tp_session_register(session, tunnel);
|
|
|
|
if (error < 0)
|
|
|
|
goto err_sess;
|
2010-04-02 06:19:10 +00:00
|
|
|
|
2017-10-27 14:51:50 +00:00
|
|
|
return 0;
|
2010-04-02 06:19:10 +00:00
|
|
|
|
2017-10-27 14:51:50 +00:00
|
|
|
err_sess:
|
|
|
|
kfree(session);
|
|
|
|
err:
|
2010-04-02 06:19:10 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* CONFIG_L2TP_V3 */
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
/* getname() support.
|
|
|
|
*/
|
|
|
|
static int pppol2tp_getname(struct socket *sock, struct sockaddr *uaddr,
|
2018-02-12 19:00:20 +00:00
|
|
|
int peer)
|
2010-04-02 06:18:33 +00:00
|
|
|
{
|
2010-04-02 06:18:54 +00:00
|
|
|
int len = 0;
|
2010-04-02 06:18:33 +00:00
|
|
|
int error = 0;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
struct l2tp_tunnel *tunnel;
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct inet_sock *inet;
|
|
|
|
struct pppol2tp_session *pls;
|
|
|
|
|
|
|
|
error = -ENOTCONN;
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!sk)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
2016-08-19 05:36:23 +00:00
|
|
|
if (!(sk->sk_state & PPPOX_CONNECTED))
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
|
|
|
|
|
|
|
error = -EBADF;
|
|
|
|
session = pppol2tp_sock_to_session(sk);
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!session)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
|
|
|
|
|
|
|
pls = l2tp_session_priv(session);
|
2017-11-10 21:06:31 +00:00
|
|
|
tunnel = session->tunnel;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2012-03-20 03:57:54 +00:00
|
|
|
inet = inet_sk(tunnel->sock);
|
2020-07-23 11:29:51 +00:00
|
|
|
if (tunnel->version == 2 && tunnel->sock->sk_family == AF_INET) {
|
2010-04-02 06:18:54 +00:00
|
|
|
struct sockaddr_pppol2tp sp;
|
2020-07-22 16:32:05 +00:00
|
|
|
|
2010-04-02 06:18:54 +00:00
|
|
|
len = sizeof(sp);
|
|
|
|
memset(&sp, 0, len);
|
|
|
|
sp.sa_family = AF_PPPOX;
|
|
|
|
sp.sa_protocol = PX_PROTO_OL2TP;
|
|
|
|
sp.pppol2tp.fd = tunnel->fd;
|
|
|
|
sp.pppol2tp.pid = pls->owner;
|
|
|
|
sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
|
|
|
|
sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
|
|
|
|
sp.pppol2tp.s_session = session->session_id;
|
|
|
|
sp.pppol2tp.d_session = session->peer_session_id;
|
|
|
|
sp.pppol2tp.addr.sin_family = AF_INET;
|
|
|
|
sp.pppol2tp.addr.sin_port = inet->inet_dport;
|
|
|
|
sp.pppol2tp.addr.sin_addr.s_addr = inet->inet_daddr;
|
|
|
|
memcpy(uaddr, &sp, len);
|
2012-04-27 08:24:18 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2020-07-23 11:29:51 +00:00
|
|
|
} else if (tunnel->version == 2 && tunnel->sock->sk_family == AF_INET6) {
|
2012-04-27 08:24:18 +00:00
|
|
|
struct sockaddr_pppol2tpin6 sp;
|
ipv6: make lookups simpler and faster
TCP listener refactoring, part 4 :
To speed up inet lookups, we moved IPv4 addresses from inet to struct
sock_common
Now is time to do the same for IPv6, because it permits us to have fast
lookups for all kind of sockets, including upcoming SYN_RECV.
Getting IPv6 addresses in TCP lookups currently requires two extra cache
lines, plus a dereference (and memory stall).
inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
This patch is way bigger than its IPv4 counter part, because for IPv4,
we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
it's not doable easily.
inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
at the same offset.
We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
macro.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-03 22:42:29 +00:00
|
|
|
|
2012-04-27 08:24:18 +00:00
|
|
|
len = sizeof(sp);
|
|
|
|
memset(&sp, 0, len);
|
|
|
|
sp.sa_family = AF_PPPOX;
|
|
|
|
sp.sa_protocol = PX_PROTO_OL2TP;
|
|
|
|
sp.pppol2tp.fd = tunnel->fd;
|
|
|
|
sp.pppol2tp.pid = pls->owner;
|
|
|
|
sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
|
|
|
|
sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
|
|
|
|
sp.pppol2tp.s_session = session->session_id;
|
|
|
|
sp.pppol2tp.d_session = session->peer_session_id;
|
|
|
|
sp.pppol2tp.addr.sin6_family = AF_INET6;
|
|
|
|
sp.pppol2tp.addr.sin6_port = inet->inet_dport;
|
ipv6: make lookups simpler and faster
TCP listener refactoring, part 4 :
To speed up inet lookups, we moved IPv4 addresses from inet to struct
sock_common
Now is time to do the same for IPv6, because it permits us to have fast
lookups for all kind of sockets, including upcoming SYN_RECV.
Getting IPv6 addresses in TCP lookups currently requires two extra cache
lines, plus a dereference (and memory stall).
inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
This patch is way bigger than its IPv4 counter part, because for IPv4,
we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
it's not doable easily.
inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
at the same offset.
We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
macro.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-03 22:42:29 +00:00
|
|
|
memcpy(&sp.pppol2tp.addr.sin6_addr, &tunnel->sock->sk_v6_daddr,
|
|
|
|
sizeof(tunnel->sock->sk_v6_daddr));
|
2012-04-27 08:24:18 +00:00
|
|
|
memcpy(uaddr, &sp, len);
|
2020-07-23 11:29:51 +00:00
|
|
|
} else if (tunnel->version == 3 && tunnel->sock->sk_family == AF_INET6) {
|
2012-04-27 08:24:18 +00:00
|
|
|
struct sockaddr_pppol2tpv3in6 sp;
|
ipv6: make lookups simpler and faster
TCP listener refactoring, part 4 :
To speed up inet lookups, we moved IPv4 addresses from inet to struct
sock_common
Now is time to do the same for IPv6, because it permits us to have fast
lookups for all kind of sockets, including upcoming SYN_RECV.
Getting IPv6 addresses in TCP lookups currently requires two extra cache
lines, plus a dereference (and memory stall).
inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
This patch is way bigger than its IPv4 counter part, because for IPv4,
we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
it's not doable easily.
inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
at the same offset.
We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
macro.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-03 22:42:29 +00:00
|
|
|
|
2012-04-27 08:24:18 +00:00
|
|
|
len = sizeof(sp);
|
|
|
|
memset(&sp, 0, len);
|
|
|
|
sp.sa_family = AF_PPPOX;
|
|
|
|
sp.sa_protocol = PX_PROTO_OL2TP;
|
|
|
|
sp.pppol2tp.fd = tunnel->fd;
|
|
|
|
sp.pppol2tp.pid = pls->owner;
|
|
|
|
sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
|
|
|
|
sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
|
|
|
|
sp.pppol2tp.s_session = session->session_id;
|
|
|
|
sp.pppol2tp.d_session = session->peer_session_id;
|
|
|
|
sp.pppol2tp.addr.sin6_family = AF_INET6;
|
|
|
|
sp.pppol2tp.addr.sin6_port = inet->inet_dport;
|
ipv6: make lookups simpler and faster
TCP listener refactoring, part 4 :
To speed up inet lookups, we moved IPv4 addresses from inet to struct
sock_common
Now is time to do the same for IPv6, because it permits us to have fast
lookups for all kind of sockets, including upcoming SYN_RECV.
Getting IPv6 addresses in TCP lookups currently requires two extra cache
lines, plus a dereference (and memory stall).
inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
This patch is way bigger than its IPv4 counter part, because for IPv4,
we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
it's not doable easily.
inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
at the same offset.
We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
macro.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-03 22:42:29 +00:00
|
|
|
memcpy(&sp.pppol2tp.addr.sin6_addr, &tunnel->sock->sk_v6_daddr,
|
|
|
|
sizeof(tunnel->sock->sk_v6_daddr));
|
2012-04-27 08:24:18 +00:00
|
|
|
memcpy(uaddr, &sp, len);
|
|
|
|
#endif
|
2010-04-02 06:18:54 +00:00
|
|
|
} else if (tunnel->version == 3) {
|
|
|
|
struct sockaddr_pppol2tpv3 sp;
|
2020-07-22 16:32:05 +00:00
|
|
|
|
2010-04-02 06:18:54 +00:00
|
|
|
len = sizeof(sp);
|
|
|
|
memset(&sp, 0, len);
|
|
|
|
sp.sa_family = AF_PPPOX;
|
|
|
|
sp.sa_protocol = PX_PROTO_OL2TP;
|
|
|
|
sp.pppol2tp.fd = tunnel->fd;
|
|
|
|
sp.pppol2tp.pid = pls->owner;
|
|
|
|
sp.pppol2tp.s_tunnel = tunnel->tunnel_id;
|
|
|
|
sp.pppol2tp.d_tunnel = tunnel->peer_tunnel_id;
|
|
|
|
sp.pppol2tp.s_session = session->session_id;
|
|
|
|
sp.pppol2tp.d_session = session->peer_session_id;
|
|
|
|
sp.pppol2tp.addr.sin_family = AF_INET;
|
|
|
|
sp.pppol2tp.addr.sin_port = inet->inet_dport;
|
|
|
|
sp.pppol2tp.addr.sin_addr.s_addr = inet->inet_daddr;
|
|
|
|
memcpy(uaddr, &sp, len);
|
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2018-02-12 19:00:20 +00:00
|
|
|
error = len;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
sock_put(sk);
|
|
|
|
end:
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/****************************************************************************
|
|
|
|
* ioctl() handlers.
|
|
|
|
*
|
|
|
|
* The PPPoX socket is created for L2TP sessions: tunnels have their own UDP
|
|
|
|
* sockets. However, in order to control kernel tunnel features, we allow
|
|
|
|
* userspace to create a special "tunnel" PPPoX socket which is used for
|
|
|
|
* control only. Tunnel PPPoX sockets have session_id == 0 and simply allow
|
|
|
|
* the user application to issue L2TP setsockopt(), getsockopt() and ioctl()
|
|
|
|
* calls.
|
|
|
|
****************************************************************************/
|
|
|
|
|
|
|
|
static void pppol2tp_copy_stats(struct pppol2tp_ioc_stats *dest,
|
2018-08-10 11:22:02 +00:00
|
|
|
const struct l2tp_stats *stats)
|
2010-04-02 06:18:33 +00:00
|
|
|
{
|
2018-08-10 11:22:02 +00:00
|
|
|
memset(dest, 0, sizeof(*dest));
|
|
|
|
|
2013-03-19 06:11:22 +00:00
|
|
|
dest->tx_packets = atomic_long_read(&stats->tx_packets);
|
|
|
|
dest->tx_bytes = atomic_long_read(&stats->tx_bytes);
|
|
|
|
dest->tx_errors = atomic_long_read(&stats->tx_errors);
|
|
|
|
dest->rx_packets = atomic_long_read(&stats->rx_packets);
|
|
|
|
dest->rx_bytes = atomic_long_read(&stats->rx_bytes);
|
|
|
|
dest->rx_seq_discards = atomic_long_read(&stats->rx_seq_discards);
|
|
|
|
dest->rx_oos_packets = atomic_long_read(&stats->rx_oos_packets);
|
|
|
|
dest->rx_errors = atomic_long_read(&stats->rx_errors);
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
|
|
|
|
2018-08-10 11:22:00 +00:00
|
|
|
static int pppol2tp_tunnel_copy_stats(struct pppol2tp_ioc_stats *stats,
|
|
|
|
struct l2tp_tunnel *tunnel)
|
|
|
|
{
|
|
|
|
struct l2tp_session *session;
|
|
|
|
|
|
|
|
if (!stats->session_id) {
|
|
|
|
pppol2tp_copy_stats(stats, &tunnel->stats);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* If session_id is set, search the corresponding session in the
|
|
|
|
* context of this tunnel and record the session's statistics.
|
|
|
|
*/
|
|
|
|
session = l2tp_tunnel_get_session(tunnel, stats->session_id);
|
|
|
|
if (!session)
|
|
|
|
return -EBADR;
|
|
|
|
|
|
|
|
if (session->pwtype != L2TP_PWTYPE_PPP) {
|
|
|
|
l2tp_session_dec_refcount(session);
|
|
|
|
return -EBADR;
|
|
|
|
}
|
|
|
|
|
|
|
|
pppol2tp_copy_stats(stats, &session->stats);
|
|
|
|
l2tp_session_dec_refcount(session);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
static int pppol2tp_ioctl(struct socket *sock, unsigned int cmd,
|
|
|
|
unsigned long arg)
|
|
|
|
{
|
2018-08-10 11:22:00 +00:00
|
|
|
struct pppol2tp_ioc_stats stats;
|
2010-04-02 06:18:33 +00:00
|
|
|
struct l2tp_session *session;
|
2018-08-10 11:21:58 +00:00
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
case PPPIOCGMRU:
|
|
|
|
case PPPIOCGFLAGS:
|
|
|
|
session = sock->sk->sk_user_data;
|
|
|
|
if (!session)
|
|
|
|
return -ENOTCONN;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2020-09-03 08:54:51 +00:00
|
|
|
if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
|
|
|
|
return -EBADF;
|
|
|
|
|
2018-08-10 11:21:58 +00:00
|
|
|
/* Not defined for tunnels */
|
|
|
|
if (!session->session_id && !session->peer_session_id)
|
|
|
|
return -ENOSYS;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2018-08-10 11:21:58 +00:00
|
|
|
if (put_user(0, (int __user *)arg))
|
|
|
|
return -EFAULT;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PPPIOCSMRU:
|
|
|
|
case PPPIOCSFLAGS:
|
|
|
|
session = sock->sk->sk_user_data;
|
|
|
|
if (!session)
|
|
|
|
return -ENOTCONN;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2020-09-03 08:54:51 +00:00
|
|
|
if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
|
|
|
|
return -EBADF;
|
|
|
|
|
2018-08-10 11:21:58 +00:00
|
|
|
/* Not defined for tunnels */
|
|
|
|
if (!session->session_id && !session->peer_session_id)
|
|
|
|
return -ENOSYS;
|
|
|
|
|
2019-04-17 20:51:55 +00:00
|
|
|
if (!access_ok((int __user *)arg, sizeof(int)))
|
2018-08-10 11:21:58 +00:00
|
|
|
return -EFAULT;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PPPIOCGL2TPSTATS:
|
|
|
|
session = sock->sk->sk_user_data;
|
|
|
|
if (!session)
|
|
|
|
return -ENOTCONN;
|
|
|
|
|
2020-09-03 08:54:51 +00:00
|
|
|
if (WARN_ON(session->magic != L2TP_SESSION_MAGIC))
|
|
|
|
return -EBADF;
|
|
|
|
|
2018-08-10 11:21:58 +00:00
|
|
|
/* Session 0 represents the parent tunnel */
|
2018-08-10 11:22:00 +00:00
|
|
|
if (!session->session_id && !session->peer_session_id) {
|
|
|
|
u32 session_id;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (copy_from_user(&stats, (void __user *)arg,
|
|
|
|
sizeof(stats)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
session_id = stats.session_id;
|
|
|
|
err = pppol2tp_tunnel_copy_stats(&stats,
|
|
|
|
session->tunnel);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
stats.session_id = session_id;
|
|
|
|
} else {
|
2018-08-10 11:22:01 +00:00
|
|
|
pppol2tp_copy_stats(&stats, &session->stats);
|
|
|
|
stats.session_id = session->session_id;
|
2018-08-10 11:22:00 +00:00
|
|
|
}
|
|
|
|
stats.tunnel_id = session->tunnel->tunnel_id;
|
|
|
|
stats.using_ipsec = l2tp_tunnel_uses_xfrm(session->tunnel);
|
|
|
|
|
|
|
|
if (copy_to_user((void __user *)arg, &stats, sizeof(stats)))
|
|
|
|
return -EFAULT;
|
2018-08-10 11:21:58 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
2018-08-10 11:22:03 +00:00
|
|
|
return -ENOIOCTLCMD;
|
2018-08-10 11:21:58 +00:00
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2018-08-10 11:21:58 +00:00
|
|
|
return 0;
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
|
|
* setsockopt() / getsockopt() support.
|
|
|
|
*
|
|
|
|
* The PPPoX socket is created for L2TP sessions: tunnels have their own UDP
|
|
|
|
* sockets. In order to control kernel tunnel features, we allow userspace to
|
|
|
|
* create a special "tunnel" PPPoX socket which is used for control only.
|
|
|
|
* Tunnel PPPoX sockets have session_id == 0 and simply allow the user
|
|
|
|
* application to issue L2TP setsockopt(), getsockopt() and ioctl() calls.
|
|
|
|
*****************************************************************************/
|
|
|
|
|
|
|
|
/* Tunnel setsockopt() helper.
|
|
|
|
*/
|
|
|
|
static int pppol2tp_tunnel_setsockopt(struct sock *sk,
|
|
|
|
struct l2tp_tunnel *tunnel,
|
|
|
|
int optname, int val)
|
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
switch (optname) {
|
|
|
|
case PPPOL2TP_SO_DEBUG:
|
2020-08-22 14:59:08 +00:00
|
|
|
/* Tunnel debug flags option is deprecated */
|
2010-04-02 06:18:33 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
err = -ENOPROTOOPT;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Session setsockopt helper.
|
|
|
|
*/
|
|
|
|
static int pppol2tp_session_setsockopt(struct sock *sk,
|
|
|
|
struct l2tp_session *session,
|
|
|
|
int optname, int val)
|
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
switch (optname) {
|
|
|
|
case PPPOL2TP_SO_RECVSEQ:
|
2020-07-23 11:29:51 +00:00
|
|
|
if (val != 0 && val != 1) {
|
2010-04-02 06:18:33 +00:00
|
|
|
err = -EINVAL;
|
|
|
|
break;
|
|
|
|
}
|
2016-11-07 20:39:28 +00:00
|
|
|
session->recv_seq = !!val;
|
2010-04-02 06:18:33 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PPPOL2TP_SO_SENDSEQ:
|
2020-07-23 11:29:51 +00:00
|
|
|
if (val != 0 && val != 1) {
|
2010-04-02 06:18:33 +00:00
|
|
|
err = -EINVAL;
|
|
|
|
break;
|
|
|
|
}
|
2016-11-07 20:39:28 +00:00
|
|
|
session->send_seq = !!val;
|
2010-04-02 06:18:33 +00:00
|
|
|
{
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
struct pppox_sock *po = pppox_sk(sk);
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
po->chan.hdrlen = val ? PPPOL2TP_L2TP_HDR_SIZE_SEQ :
|
|
|
|
PPPOL2TP_L2TP_HDR_SIZE_NOSEQ;
|
|
|
|
}
|
2014-03-06 10:14:30 +00:00
|
|
|
l2tp_session_set_header_len(session, session->tunnel->version);
|
2010-04-02 06:18:33 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PPPOL2TP_SO_LNSMODE:
|
2020-07-23 11:29:51 +00:00
|
|
|
if (val != 0 && val != 1) {
|
2010-04-02 06:18:33 +00:00
|
|
|
err = -EINVAL;
|
|
|
|
break;
|
|
|
|
}
|
2016-11-07 20:39:28 +00:00
|
|
|
session->lns_mode = !!val;
|
2010-04-02 06:18:33 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PPPOL2TP_SO_DEBUG:
|
2020-08-22 14:59:08 +00:00
|
|
|
/* Session debug flags option is deprecated */
|
2010-04-02 06:18:33 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PPPOL2TP_SO_REORDERTO:
|
|
|
|
session->reorder_timeout = msecs_to_jiffies(val);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
err = -ENOPROTOOPT;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Main setsockopt() entry point.
|
|
|
|
* Does API checks, then calls either the tunnel or session setsockopt
|
|
|
|
* handler, according to whether the PPPoL2TP socket is a for a regular
|
|
|
|
* session or the special tunnel type.
|
|
|
|
*/
|
|
|
|
static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
|
2020-07-23 06:09:07 +00:00
|
|
|
sockptr_t optval, unsigned int optlen)
|
2010-04-02 06:18:33 +00:00
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
struct l2tp_tunnel *tunnel;
|
|
|
|
int val;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (level != SOL_PPPOL2TP)
|
2014-07-15 00:02:31 +00:00
|
|
|
return -EINVAL;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
if (optlen < sizeof(int))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2020-07-23 06:09:07 +00:00
|
|
|
if (copy_from_sockptr(&val, optval, sizeof(int)))
|
2010-04-02 06:18:33 +00:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
err = -ENOTCONN;
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!sk->sk_user_data)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
|
|
|
|
|
|
|
/* Get session context from the socket */
|
|
|
|
err = -EBADF;
|
|
|
|
session = pppol2tp_sock_to_session(sk);
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!session)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
|
|
|
|
|
|
|
/* Special case: if session_id == 0x0000, treat as operation on tunnel
|
|
|
|
*/
|
2020-07-23 11:29:51 +00:00
|
|
|
if (session->session_id == 0 && session->peer_session_id == 0) {
|
2017-11-10 21:06:31 +00:00
|
|
|
tunnel = session->tunnel;
|
2010-04-02 06:18:33 +00:00
|
|
|
err = pppol2tp_tunnel_setsockopt(sk, tunnel, optname, val);
|
2017-11-10 21:06:31 +00:00
|
|
|
} else {
|
2010-04-02 06:18:33 +00:00
|
|
|
err = pppol2tp_session_setsockopt(sk, session, optname, val);
|
2017-11-10 21:06:31 +00:00
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
sock_put(sk);
|
|
|
|
end:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Tunnel getsockopt helper. Called with sock locked.
|
|
|
|
*/
|
|
|
|
static int pppol2tp_tunnel_getsockopt(struct sock *sk,
|
|
|
|
struct l2tp_tunnel *tunnel,
|
|
|
|
int optname, int *val)
|
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
switch (optname) {
|
|
|
|
case PPPOL2TP_SO_DEBUG:
|
2020-08-22 14:59:08 +00:00
|
|
|
/* Tunnel debug flags option is deprecated */
|
|
|
|
*val = 0;
|
2010-04-02 06:18:33 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
err = -ENOPROTOOPT;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Session getsockopt helper. Called with sock locked.
|
|
|
|
*/
|
|
|
|
static int pppol2tp_session_getsockopt(struct sock *sk,
|
|
|
|
struct l2tp_session *session,
|
|
|
|
int optname, int *val)
|
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
switch (optname) {
|
|
|
|
case PPPOL2TP_SO_RECVSEQ:
|
|
|
|
*val = session->recv_seq;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PPPOL2TP_SO_SENDSEQ:
|
|
|
|
*val = session->send_seq;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PPPOL2TP_SO_LNSMODE:
|
|
|
|
*val = session->lns_mode;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PPPOL2TP_SO_DEBUG:
|
2020-08-22 14:59:08 +00:00
|
|
|
/* Session debug flags option is deprecated */
|
|
|
|
*val = 0;
|
2010-04-02 06:18:33 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case PPPOL2TP_SO_REORDERTO:
|
2020-07-22 16:32:05 +00:00
|
|
|
*val = (int)jiffies_to_msecs(session->reorder_timeout);
|
2010-04-02 06:18:33 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
err = -ENOPROTOOPT;
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Main getsockopt() entry point.
|
|
|
|
* Does API checks, then calls either the tunnel or session getsockopt
|
|
|
|
* handler, according to whether the PPPoX socket is a for a regular session
|
|
|
|
* or the special tunnel type.
|
|
|
|
*/
|
2012-06-03 17:41:40 +00:00
|
|
|
static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
|
|
|
|
char __user *optval, int __user *optlen)
|
2010-04-02 06:18:33 +00:00
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct l2tp_session *session;
|
|
|
|
struct l2tp_tunnel *tunnel;
|
|
|
|
int val, len;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (level != SOL_PPPOL2TP)
|
2014-07-15 00:02:31 +00:00
|
|
|
return -EINVAL;
|
2010-04-02 06:18:33 +00:00
|
|
|
|
2012-06-03 17:41:40 +00:00
|
|
|
if (get_user(len, optlen))
|
2010-04-02 06:18:33 +00:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
len = min_t(unsigned int, len, sizeof(int));
|
|
|
|
|
|
|
|
if (len < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
err = -ENOTCONN;
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!sk->sk_user_data)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
|
|
|
|
|
|
|
/* Get the session context */
|
|
|
|
err = -EBADF;
|
|
|
|
session = pppol2tp_sock_to_session(sk);
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!session)
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end;
|
|
|
|
|
|
|
|
/* Special case: if session_id == 0x0000, treat as operation on tunnel */
|
2020-07-23 11:29:51 +00:00
|
|
|
if (session->session_id == 0 && session->peer_session_id == 0) {
|
2017-11-10 21:06:31 +00:00
|
|
|
tunnel = session->tunnel;
|
2010-04-02 06:18:33 +00:00
|
|
|
err = pppol2tp_tunnel_getsockopt(sk, tunnel, optname, &val);
|
2017-04-06 16:31:21 +00:00
|
|
|
if (err)
|
|
|
|
goto end_put_sess;
|
|
|
|
} else {
|
2010-04-02 06:18:33 +00:00
|
|
|
err = pppol2tp_session_getsockopt(sk, session, optname, &val);
|
2017-04-06 16:31:21 +00:00
|
|
|
if (err)
|
|
|
|
goto end_put_sess;
|
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
err = -EFAULT;
|
2012-06-03 17:41:40 +00:00
|
|
|
if (put_user(len, optlen))
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end_put_sess;
|
|
|
|
|
2020-07-22 16:32:05 +00:00
|
|
|
if (copy_to_user((void __user *)optval, &val, len))
|
2010-04-02 06:18:33 +00:00
|
|
|
goto end_put_sess;
|
|
|
|
|
|
|
|
err = 0;
|
|
|
|
|
|
|
|
end_put_sess:
|
|
|
|
sock_put(sk);
|
|
|
|
end:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
|
|
* /proc filesystem for debug
|
2010-04-02 06:18:49 +00:00
|
|
|
* Since the original pppol2tp driver provided /proc/net/pppol2tp for
|
|
|
|
* L2TPv2, we dump only L2TPv2 tunnels and sessions here.
|
2010-04-02 06:18:33 +00:00
|
|
|
*****************************************************************************/
|
|
|
|
|
|
|
|
static unsigned int pppol2tp_net_id;
|
|
|
|
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
|
|
|
|
|
|
struct pppol2tp_seq_data {
|
|
|
|
struct seq_net_private p;
|
|
|
|
int tunnel_idx; /* current tunnel */
|
|
|
|
int session_idx; /* index of session within current tunnel */
|
|
|
|
struct l2tp_tunnel *tunnel;
|
|
|
|
struct l2tp_session *session; /* NULL means get next tunnel */
|
|
|
|
};
|
|
|
|
|
|
|
|
static void pppol2tp_next_tunnel(struct net *net, struct pppol2tp_seq_data *pd)
|
|
|
|
{
|
2018-04-12 18:50:34 +00:00
|
|
|
/* Drop reference taken during previous invocation */
|
|
|
|
if (pd->tunnel)
|
|
|
|
l2tp_tunnel_dec_refcount(pd->tunnel);
|
|
|
|
|
2010-04-02 06:18:49 +00:00
|
|
|
for (;;) {
|
2018-04-12 18:50:34 +00:00
|
|
|
pd->tunnel = l2tp_tunnel_get_nth(net, pd->tunnel_idx);
|
2010-04-02 06:18:49 +00:00
|
|
|
pd->tunnel_idx++;
|
|
|
|
|
2018-04-12 18:50:34 +00:00
|
|
|
/* Only accept L2TPv2 tunnels */
|
|
|
|
if (!pd->tunnel || pd->tunnel->version == 2)
|
|
|
|
return;
|
2010-04-02 06:18:49 +00:00
|
|
|
|
2018-04-12 18:50:34 +00:00
|
|
|
l2tp_tunnel_dec_refcount(pd->tunnel);
|
2010-04-02 06:18:49 +00:00
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void pppol2tp_next_session(struct net *net, struct pppol2tp_seq_data *pd)
|
|
|
|
{
|
2018-04-25 17:54:14 +00:00
|
|
|
/* Drop reference taken during previous invocation */
|
|
|
|
if (pd->session)
|
|
|
|
l2tp_session_dec_refcount(pd->session);
|
|
|
|
|
2017-10-31 16:36:42 +00:00
|
|
|
pd->session = l2tp_session_get_nth(pd->tunnel, pd->session_idx);
|
2010-04-02 06:18:33 +00:00
|
|
|
pd->session_idx++;
|
2010-04-02 06:18:49 +00:00
|
|
|
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!pd->session) {
|
2010-04-02 06:18:33 +00:00
|
|
|
pd->session_idx = 0;
|
|
|
|
pppol2tp_next_tunnel(net, pd);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void *pppol2tp_seq_start(struct seq_file *m, loff_t *offs)
|
|
|
|
{
|
|
|
|
struct pppol2tp_seq_data *pd = SEQ_START_TOKEN;
|
|
|
|
loff_t pos = *offs;
|
|
|
|
struct net *net;
|
|
|
|
|
|
|
|
if (!pos)
|
|
|
|
goto out;
|
|
|
|
|
2020-07-24 15:31:54 +00:00
|
|
|
if (WARN_ON(!m->private)) {
|
|
|
|
pd = NULL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
pd = m->private;
|
|
|
|
net = seq_file_net(m);
|
|
|
|
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!pd->tunnel)
|
2010-04-02 06:18:33 +00:00
|
|
|
pppol2tp_next_tunnel(net, pd);
|
|
|
|
else
|
|
|
|
pppol2tp_next_session(net, pd);
|
|
|
|
|
|
|
|
/* NULL tunnel and session indicates end of list */
|
2020-07-23 11:29:50 +00:00
|
|
|
if (!pd->tunnel && !pd->session)
|
2010-04-02 06:18:33 +00:00
|
|
|
pd = NULL;
|
|
|
|
|
|
|
|
out:
|
|
|
|
return pd;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void *pppol2tp_seq_next(struct seq_file *m, void *v, loff_t *pos)
|
|
|
|
{
|
|
|
|
(*pos)++;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void pppol2tp_seq_stop(struct seq_file *p, void *v)
|
|
|
|
{
|
2018-04-12 18:50:34 +00:00
|
|
|
struct pppol2tp_seq_data *pd = v;
|
|
|
|
|
|
|
|
if (!pd || pd == SEQ_START_TOKEN)
|
|
|
|
return;
|
|
|
|
|
2018-04-25 17:54:14 +00:00
|
|
|
/* Drop reference taken by last invocation of pppol2tp_next_session()
|
|
|
|
* or pppol2tp_next_tunnel().
|
|
|
|
*/
|
|
|
|
if (pd->session) {
|
|
|
|
l2tp_session_dec_refcount(pd->session);
|
|
|
|
pd->session = NULL;
|
|
|
|
}
|
2018-04-19 14:20:48 +00:00
|
|
|
if (pd->tunnel) {
|
2018-04-12 18:50:34 +00:00
|
|
|
l2tp_tunnel_dec_refcount(pd->tunnel);
|
2018-04-19 14:20:48 +00:00
|
|
|
pd->tunnel = NULL;
|
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void pppol2tp_seq_tunnel_show(struct seq_file *m, void *v)
|
|
|
|
{
|
|
|
|
struct l2tp_tunnel *tunnel = v;
|
|
|
|
|
|
|
|
seq_printf(m, "\nTUNNEL '%s', %c %d\n",
|
|
|
|
tunnel->name,
|
|
|
|
(tunnel == tunnel->sock->sk_user_data) ? 'Y' : 'N',
|
2017-07-04 12:52:57 +00:00
|
|
|
refcount_read(&tunnel->ref_count) - 1);
|
2013-03-19 06:11:22 +00:00
|
|
|
seq_printf(m, " %08x %ld/%ld/%ld %ld/%ld/%ld\n",
|
2020-08-22 14:59:08 +00:00
|
|
|
0,
|
2013-03-19 06:11:22 +00:00
|
|
|
atomic_long_read(&tunnel->stats.tx_packets),
|
|
|
|
atomic_long_read(&tunnel->stats.tx_bytes),
|
|
|
|
atomic_long_read(&tunnel->stats.tx_errors),
|
|
|
|
atomic_long_read(&tunnel->stats.rx_packets),
|
|
|
|
atomic_long_read(&tunnel->stats.rx_bytes),
|
|
|
|
atomic_long_read(&tunnel->stats.rx_errors));
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void pppol2tp_seq_session_show(struct seq_file *m, void *v)
|
|
|
|
{
|
|
|
|
struct l2tp_session *session = v;
|
|
|
|
struct l2tp_tunnel *tunnel = session->tunnel;
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
unsigned char state;
|
|
|
|
char user_data_ok;
|
|
|
|
struct sock *sk;
|
2010-04-02 06:18:33 +00:00
|
|
|
u32 ip = 0;
|
|
|
|
u16 port = 0;
|
|
|
|
|
|
|
|
if (tunnel->sock) {
|
|
|
|
struct inet_sock *inet = inet_sk(tunnel->sock);
|
2020-07-22 16:32:05 +00:00
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
ip = ntohl(inet->inet_saddr);
|
|
|
|
port = ntohs(inet->inet_sport);
|
|
|
|
}
|
|
|
|
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
sk = pppol2tp_session_get_sock(session);
|
|
|
|
if (sk) {
|
|
|
|
state = sk->sk_state;
|
|
|
|
user_data_ok = (session == sk->sk_user_data) ? 'Y' : 'N';
|
|
|
|
} else {
|
|
|
|
state = 0;
|
|
|
|
user_data_ok = 'N';
|
|
|
|
}
|
|
|
|
|
2020-07-22 16:32:07 +00:00
|
|
|
seq_printf(m, " SESSION '%s' %08X/%d %04X/%04X -> %04X/%04X %d %c\n",
|
2010-04-02 06:18:33 +00:00
|
|
|
session->name, ip, port,
|
|
|
|
tunnel->tunnel_id,
|
|
|
|
session->session_id,
|
|
|
|
tunnel->peer_tunnel_id,
|
|
|
|
session->peer_session_id,
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
state, user_data_ok);
|
2018-08-03 10:38:37 +00:00
|
|
|
seq_printf(m, " 0/0/%c/%c/%s %08x %u\n",
|
2010-04-02 06:18:33 +00:00
|
|
|
session->recv_seq ? 'R' : '-',
|
|
|
|
session->send_seq ? 'S' : '-',
|
|
|
|
session->lns_mode ? "LNS" : "LAC",
|
2020-08-22 14:59:08 +00:00
|
|
|
0,
|
2010-04-02 06:18:33 +00:00
|
|
|
jiffies_to_msecs(session->reorder_timeout));
|
2013-03-19 06:11:22 +00:00
|
|
|
seq_printf(m, " %hu/%hu %ld/%ld/%ld %ld/%ld/%ld\n",
|
2010-04-02 06:18:33 +00:00
|
|
|
session->nr, session->ns,
|
2013-03-19 06:11:22 +00:00
|
|
|
atomic_long_read(&session->stats.tx_packets),
|
|
|
|
atomic_long_read(&session->stats.tx_bytes),
|
|
|
|
atomic_long_read(&session->stats.tx_errors),
|
|
|
|
atomic_long_read(&session->stats.rx_packets),
|
|
|
|
atomic_long_read(&session->stats.rx_bytes),
|
|
|
|
atomic_long_read(&session->stats.rx_errors));
|
2010-04-02 06:18:44 +00:00
|
|
|
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
if (sk) {
|
|
|
|
struct pppox_sock *po = pppox_sk(sk);
|
|
|
|
|
2010-04-02 06:18:44 +00:00
|
|
|
seq_printf(m, " interface %s\n", ppp_dev_name(&po->chan));
|
l2tp: protect sock pointer of struct pppol2tp_session with RCU
pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.
To this end, this patch protects the pppol2tp socket pointer using RCU.
The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().
The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.
With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 14:51:52 +00:00
|
|
|
sock_put(sk);
|
|
|
|
}
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int pppol2tp_seq_show(struct seq_file *m, void *v)
|
|
|
|
{
|
|
|
|
struct pppol2tp_seq_data *pd = v;
|
|
|
|
|
|
|
|
/* display header on line 1 */
|
|
|
|
if (v == SEQ_START_TOKEN) {
|
|
|
|
seq_puts(m, "PPPoL2TP driver info, " PPPOL2TP_DRV_VERSION "\n");
|
|
|
|
seq_puts(m, "TUNNEL name, user-data-ok session-count\n");
|
|
|
|
seq_puts(m, " debug tx-pkts/bytes/errs rx-pkts/bytes/errs\n");
|
2020-07-22 16:32:07 +00:00
|
|
|
seq_puts(m, " SESSION name, addr/port src-tid/sid dest-tid/sid state user-data-ok\n");
|
2010-04-02 06:18:33 +00:00
|
|
|
seq_puts(m, " mtu/mru/rcvseq/sendseq/lns debug reorderto\n");
|
|
|
|
seq_puts(m, " nr/ns tx-pkts/bytes/errs rx-pkts/bytes/errs\n");
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2018-04-25 17:54:14 +00:00
|
|
|
if (!pd->session)
|
2010-04-02 06:18:33 +00:00
|
|
|
pppol2tp_seq_tunnel_show(m, pd->tunnel);
|
2018-04-25 17:54:14 +00:00
|
|
|
else
|
2010-04-02 06:18:33 +00:00
|
|
|
pppol2tp_seq_session_show(m, pd->session);
|
|
|
|
|
|
|
|
out:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct seq_operations pppol2tp_seq_ops = {
|
|
|
|
.start = pppol2tp_seq_start,
|
|
|
|
.next = pppol2tp_seq_next,
|
|
|
|
.stop = pppol2tp_seq_stop,
|
|
|
|
.show = pppol2tp_seq_show,
|
|
|
|
};
|
|
|
|
#endif /* CONFIG_PROC_FS */
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
|
|
* Network namespace
|
|
|
|
*****************************************************************************/
|
|
|
|
|
|
|
|
static __net_init int pppol2tp_init_net(struct net *net)
|
|
|
|
{
|
|
|
|
struct proc_dir_entry *pde;
|
|
|
|
int err = 0;
|
|
|
|
|
2018-04-10 17:42:55 +00:00
|
|
|
pde = proc_create_net("pppol2tp", 0444, net->proc_net,
|
2020-07-22 16:32:08 +00:00
|
|
|
&pppol2tp_seq_ops, sizeof(struct pppol2tp_seq_data));
|
2010-04-02 06:18:33 +00:00
|
|
|
if (!pde) {
|
|
|
|
err = -ENOMEM;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static __net_exit void pppol2tp_exit_net(struct net *net)
|
|
|
|
{
|
2013-02-18 01:34:56 +00:00
|
|
|
remove_proc_entry("pppol2tp", net->proc_net);
|
2010-04-02 06:18:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct pernet_operations pppol2tp_net_ops = {
|
|
|
|
.init = pppol2tp_init_net,
|
|
|
|
.exit = pppol2tp_exit_net,
|
|
|
|
.id = &pppol2tp_net_id,
|
|
|
|
};
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
|
|
* Init and cleanup
|
|
|
|
*****************************************************************************/
|
|
|
|
|
|
|
|
static const struct proto_ops pppol2tp_ops = {
|
|
|
|
.family = AF_PPPOX,
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.release = pppol2tp_release,
|
|
|
|
.bind = sock_no_bind,
|
|
|
|
.connect = pppol2tp_connect,
|
|
|
|
.socketpair = sock_no_socketpair,
|
|
|
|
.accept = sock_no_accept,
|
|
|
|
.getname = pppol2tp_getname,
|
2018-06-28 16:43:44 +00:00
|
|
|
.poll = datagram_poll,
|
2010-04-02 06:18:33 +00:00
|
|
|
.listen = sock_no_listen,
|
|
|
|
.shutdown = sock_no_shutdown,
|
|
|
|
.setsockopt = pppol2tp_setsockopt,
|
|
|
|
.getsockopt = pppol2tp_getsockopt,
|
|
|
|
.sendmsg = pppol2tp_sendmsg,
|
|
|
|
.recvmsg = pppol2tp_recvmsg,
|
|
|
|
.mmap = sock_no_mmap,
|
|
|
|
.ioctl = pppox_ioctl,
|
2019-07-30 19:25:20 +00:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
.compat_ioctl = pppox_compat_ioctl,
|
|
|
|
#endif
|
2010-04-02 06:18:33 +00:00
|
|
|
};
|
|
|
|
|
2010-09-21 06:43:54 +00:00
|
|
|
static const struct pppox_proto pppol2tp_proto = {
|
2010-04-02 06:18:33 +00:00
|
|
|
.create = pppol2tp_create,
|
2013-07-02 01:02:07 +00:00
|
|
|
.ioctl = pppol2tp_ioctl,
|
|
|
|
.owner = THIS_MODULE,
|
2010-04-02 06:18:33 +00:00
|
|
|
};
|
|
|
|
|
2010-04-02 06:19:10 +00:00
|
|
|
#ifdef CONFIG_L2TP_V3
|
|
|
|
|
|
|
|
static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = {
|
|
|
|
.session_create = pppol2tp_session_create,
|
2013-03-19 06:11:21 +00:00
|
|
|
.session_delete = l2tp_session_delete,
|
2010-04-02 06:19:10 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
#endif /* CONFIG_L2TP_V3 */
|
|
|
|
|
2010-04-02 06:18:33 +00:00
|
|
|
static int __init pppol2tp_init(void)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = register_pernet_device(&pppol2tp_net_ops);
|
|
|
|
if (err)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
err = proto_register(&pppol2tp_sk_proto, 0);
|
|
|
|
if (err)
|
|
|
|
goto out_unregister_pppol2tp_pernet;
|
|
|
|
|
|
|
|
err = register_pppox_proto(PX_PROTO_OL2TP, &pppol2tp_proto);
|
|
|
|
if (err)
|
|
|
|
goto out_unregister_pppol2tp_proto;
|
|
|
|
|
2010-04-02 06:19:10 +00:00
|
|
|
#ifdef CONFIG_L2TP_V3
|
|
|
|
err = l2tp_nl_register_ops(L2TP_PWTYPE_PPP, &pppol2tp_nl_cmd_ops);
|
|
|
|
if (err)
|
|
|
|
goto out_unregister_pppox;
|
|
|
|
#endif
|
|
|
|
|
2012-05-16 09:55:56 +00:00
|
|
|
pr_info("PPPoL2TP kernel driver, %s\n", PPPOL2TP_DRV_VERSION);
|
2010-04-02 06:18:33 +00:00
|
|
|
|
|
|
|
out:
|
|
|
|
return err;
|
2010-04-02 06:19:10 +00:00
|
|
|
|
|
|
|
#ifdef CONFIG_L2TP_V3
|
|
|
|
out_unregister_pppox:
|
|
|
|
unregister_pppox_proto(PX_PROTO_OL2TP);
|
|
|
|
#endif
|
2010-04-02 06:18:33 +00:00
|
|
|
out_unregister_pppol2tp_proto:
|
|
|
|
proto_unregister(&pppol2tp_sk_proto);
|
|
|
|
out_unregister_pppol2tp_pernet:
|
|
|
|
unregister_pernet_device(&pppol2tp_net_ops);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit pppol2tp_exit(void)
|
|
|
|
{
|
2010-04-02 06:19:10 +00:00
|
|
|
#ifdef CONFIG_L2TP_V3
|
|
|
|
l2tp_nl_unregister_ops(L2TP_PWTYPE_PPP);
|
|
|
|
#endif
|
2010-04-02 06:18:33 +00:00
|
|
|
unregister_pppox_proto(PX_PROTO_OL2TP);
|
|
|
|
proto_unregister(&pppol2tp_sk_proto);
|
|
|
|
unregister_pernet_device(&pppol2tp_net_ops);
|
|
|
|
}
|
|
|
|
|
|
|
|
module_init(pppol2tp_init);
|
|
|
|
module_exit(pppol2tp_exit);
|
|
|
|
|
|
|
|
MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
|
|
|
|
MODULE_DESCRIPTION("PPP over L2TP over UDP");
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_VERSION(PPPOL2TP_DRV_VERSION);
|
2015-12-02 15:27:39 +00:00
|
|
|
MODULE_ALIAS_NET_PF_PROTO(PF_PPPOX, PX_PROTO_OL2TP);
|
2017-04-03 11:23:15 +00:00
|
|
|
MODULE_ALIAS_L2TP_PWTYPE(7);
|