l2tp: add udp encap socket destroy handler
[linux-3.10.git] / net / l2tp / l2tp_core.c
index c64ce0a..ee726a7 100644 (file)
@@ -18,6 +18,8 @@
  * published by the Free Software Foundation.
  */
 
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
 #include <linux/module.h>
 #include <linux/string.h>
 #include <linux/list.h>
 #include <net/inet_common.h>
 #include <net/xfrm.h>
 #include <net/protocol.h>
+#include <net/inet6_connection_sock.h>
+#include <net/inet_ecn.h>
+#include <net/ip6_route.h>
+#include <net/ip6_checksum.h>
 
 #include <asm/byteorder.h>
-#include <asm/atomic.h>
+#include <linux/atomic.h>
 
 #include "l2tp_core.h"
 
 /* Default trace flags */
 #define L2TP_DEFAULT_DEBUG_FLAGS       0
 
-#define PRINTK(_mask, _type, _lvl, _fmt, args...)                      \
-       do {                                                            \
-               if ((_mask) & (_type))                                  \
-                       printk(_lvl "L2TP: " _fmt, ##args);             \
-       } while (0)
-
 /* Private data stored for received packets in the skb.
  */
 struct l2tp_skb_cb {
@@ -101,6 +101,7 @@ struct l2tp_skb_cb {
 
 static atomic_t l2tp_tunnel_count;
 static atomic_t l2tp_session_count;
+static struct workqueue_struct *l2tp_wq;
 
 /* per-net private data for this module */
 static unsigned int l2tp_net_id;
@@ -122,7 +123,6 @@ static inline struct l2tp_net *l2tp_pernet(struct net *net)
        return net_generic(net, l2tp_net_id);
 }
 
-
 /* Tunnel reference counts. Incremented per session that is added to
  * the tunnel.
  */
@@ -137,14 +137,20 @@ static inline void l2tp_tunnel_dec_refcount_1(struct l2tp_tunnel *tunnel)
                l2tp_tunnel_free(tunnel);
 }
 #ifdef L2TP_REFCNT_DEBUG
-#define l2tp_tunnel_inc_refcount(_t) do { \
-               printk(KERN_DEBUG "l2tp_tunnel_inc_refcount: %s:%d %s: cnt=%d\n", __func__, __LINE__, (_t)->name, atomic_read(&_t->ref_count)); \
-               l2tp_tunnel_inc_refcount_1(_t);                         \
-       } while (0)
-#define l2tp_tunnel_dec_refcount(_t) do { \
-               printk(KERN_DEBUG "l2tp_tunnel_dec_refcount: %s:%d %s: cnt=%d\n", __func__, __LINE__, (_t)->name, atomic_read(&_t->ref_count)); \
-               l2tp_tunnel_dec_refcount_1(_t);                         \
-       } while (0)
+#define l2tp_tunnel_inc_refcount(_t)                                   \
+do {                                                                   \
+       pr_debug("l2tp_tunnel_inc_refcount: %s:%d %s: cnt=%d\n",        \
+                __func__, __LINE__, (_t)->name,                        \
+                atomic_read(&_t->ref_count));                          \
+       l2tp_tunnel_inc_refcount_1(_t);                                 \
+} while (0)
+#define l2tp_tunnel_dec_refcount(_t)
+do {                                                                   \
+       pr_debug("l2tp_tunnel_dec_refcount: %s:%d %s: cnt=%d\n",        \
+                __func__, __LINE__, (_t)->name,                        \
+                atomic_read(&_t->ref_count));                          \
+       l2tp_tunnel_dec_refcount_1(_t);                                 \
+} while (0)
 #else
 #define l2tp_tunnel_inc_refcount(t) l2tp_tunnel_inc_refcount_1(t)
 #define l2tp_tunnel_dec_refcount(t) l2tp_tunnel_dec_refcount_1(t)
@@ -162,6 +168,51 @@ l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
 
 }
 
+/* Lookup the tunnel socket, possibly involving the fs code if the socket is
+ * owned by userspace.  A struct sock returned from this function must be
+ * released using l2tp_tunnel_sock_put once you're done with it.
+ */
+struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
+{
+       int err = 0;
+       struct socket *sock = NULL;
+       struct sock *sk = NULL;
+
+       if (!tunnel)
+               goto out;
+
+       if (tunnel->fd >= 0) {
+               /* Socket is owned by userspace, who might be in the process
+                * of closing it.  Look the socket up using the fd to ensure
+                * consistency.
+                */
+               sock = sockfd_lookup(tunnel->fd, &err);
+               if (sock)
+                       sk = sock->sk;
+       } else {
+               /* Socket is owned by kernelspace */
+               sk = tunnel->sock;
+       }
+
+out:
+       return sk;
+}
+EXPORT_SYMBOL_GPL(l2tp_tunnel_sock_lookup);
+
+/* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
+void l2tp_tunnel_sock_put(struct sock *sk)
+{
+       struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
+       if (tunnel) {
+               if (tunnel->fd >= 0) {
+                       /* Socket is owned by userspace */
+                       sockfd_put(sk->sk_socket);
+               }
+               sock_put(sk);
+       }
+}
+EXPORT_SYMBOL_GPL(l2tp_tunnel_sock_put);
+
 /* Lookup a session by id in the global session list
  */
 static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
@@ -170,10 +221,9 @@ static struct l2tp_session *l2tp_session_find_2(struct net *net, u32 session_id)
        struct hlist_head *session_list =
                l2tp_session_id_hash_2(pn, session_id);
        struct l2tp_session *session;
-       struct hlist_node *walk;
 
        rcu_read_lock_bh();
-       hlist_for_each_entry_rcu(session, walk, session_list, global_hlist) {
+       hlist_for_each_entry_rcu(session, session_list, global_hlist) {
                if (session->session_id == session_id) {
                        rcu_read_unlock_bh();
                        return session;
@@ -202,7 +252,6 @@ struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunn
 {
        struct hlist_head *session_list;
        struct l2tp_session *session;
-       struct hlist_node *walk;
 
        /* In L2TPv3, session_ids are unique over all tunnels and we
         * sometimes need to look them up before we know the
@@ -213,7 +262,7 @@ struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunn
 
        session_list = l2tp_session_id_hash(tunnel, session_id);
        read_lock_bh(&tunnel->hlist_lock);
-       hlist_for_each_entry(session, walk, session_list, hlist) {
+       hlist_for_each_entry(session, session_list, hlist) {
                if (session->session_id == session_id) {
                        read_unlock_bh(&tunnel->hlist_lock);
                        return session;
@@ -228,13 +277,12 @@ EXPORT_SYMBOL_GPL(l2tp_session_find);
 struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
 {
        int hash;
-       struct hlist_node *walk;
        struct l2tp_session *session;
        int count = 0;
 
        read_lock_bh(&tunnel->hlist_lock);
        for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
-               hlist_for_each_entry(session, walk, &tunnel->session_hlist[hash], hlist) {
+               hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
                        if (++count > nth) {
                                read_unlock_bh(&tunnel->hlist_lock);
                                return session;
@@ -255,12 +303,11 @@ struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
 {
        struct l2tp_net *pn = l2tp_pernet(net);
        int hash;
-       struct hlist_node *walk;
        struct l2tp_session *session;
 
        rcu_read_lock_bh();
        for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
-               hlist_for_each_entry_rcu(session, walk, &pn->l2tp_session_hlist[hash], global_hlist) {
+               hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
                        if (!strcmp(session->ifname, ifname)) {
                                rcu_read_unlock_bh();
                                return session;
@@ -326,16 +373,20 @@ static void l2tp_recv_queue_skb(struct l2tp_session *session, struct sk_buff *sk
        struct sk_buff *skbp;
        struct sk_buff *tmp;
        u32 ns = L2TP_SKB_CB(skb)->ns;
+       struct l2tp_stats *sstats;
 
        spin_lock_bh(&session->reorder_q.lock);
+       sstats = &session->stats;
        skb_queue_walk_safe(&session->reorder_q, skbp, tmp) {
                if (L2TP_SKB_CB(skbp)->ns > ns) {
                        __skb_queue_before(&session->reorder_q, skbp, skb);
-                       PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG,
-                              "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
-                              session->name, ns, L2TP_SKB_CB(skbp)->ns,
-                              skb_queue_len(&session->reorder_q));
-                       session->stats.rx_oos_packets++;
+                       l2tp_dbg(session, L2TP_MSG_SEQ,
+                                "%s: pkt %hu, inserted before %hu, reorder_q len=%d\n",
+                                session->name, ns, L2TP_SKB_CB(skbp)->ns,
+                                skb_queue_len(&session->reorder_q));
+                       u64_stats_update_begin(&sstats->syncp);
+                       sstats->rx_oos_packets++;
+                       u64_stats_update_end(&sstats->syncp);
                        goto out;
                }
        }
@@ -352,16 +403,23 @@ static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *
 {
        struct l2tp_tunnel *tunnel = session->tunnel;
        int length = L2TP_SKB_CB(skb)->length;
+       struct l2tp_stats *tstats, *sstats;
 
        /* We're about to requeue the skb, so return resources
         * to its current owner (a socket receive buffer).
         */
        skb_orphan(skb);
 
-       tunnel->stats.rx_packets++;
-       tunnel->stats.rx_bytes += length;
-       session->stats.rx_packets++;
-       session->stats.rx_bytes += length;
+       tstats = &tunnel->stats;
+       u64_stats_update_begin(&tstats->syncp);
+       sstats = &session->stats;
+       u64_stats_update_begin(&sstats->syncp);
+       tstats->rx_packets++;
+       tstats->rx_bytes += length;
+       sstats->rx_packets++;
+       sstats->rx_bytes += length;
+       u64_stats_update_end(&tstats->syncp);
+       u64_stats_update_end(&sstats->syncp);
 
        if (L2TP_SKB_CB(skb)->has_seq) {
                /* Bump our Nr */
@@ -371,8 +429,8 @@ static void l2tp_recv_dequeue_skb(struct l2tp_session *session, struct sk_buff *
                else
                        session->nr &= 0xffffff;
 
-               PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG,
-                      "%s: updated nr to %hu\n", session->name, session->nr);
+               l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated nr to %hu\n",
+                        session->name, session->nr);
        }
 
        /* call private receive handler */
@@ -392,22 +450,27 @@ static void l2tp_recv_dequeue(struct l2tp_session *session)
 {
        struct sk_buff *skb;
        struct sk_buff *tmp;
+       struct l2tp_stats *sstats;
 
        /* If the pkt at the head of the queue has the nr that we
         * expect to send up next, dequeue it and any other
         * in-sequence packets behind it.
         */
+start:
        spin_lock_bh(&session->reorder_q.lock);
+       sstats = &session->stats;
        skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
                if (time_after(jiffies, L2TP_SKB_CB(skb)->expires)) {
-                       session->stats.rx_seq_discards++;
-                       session->stats.rx_errors++;
-                       PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG,
-                              "%s: oos pkt %u len %d discarded (too old), "
-                              "waiting for %u, reorder_q_len=%d\n",
-                              session->name, L2TP_SKB_CB(skb)->ns,
-                              L2TP_SKB_CB(skb)->length, session->nr,
-                              skb_queue_len(&session->reorder_q));
+                       u64_stats_update_begin(&sstats->syncp);
+                       sstats->rx_seq_discards++;
+                       sstats->rx_errors++;
+                       u64_stats_update_end(&sstats->syncp);
+                       l2tp_dbg(session, L2TP_MSG_SEQ,
+                                "%s: oos pkt %u len %d discarded (too old), waiting for %u, reorder_q_len=%d\n",
+                                session->name, L2TP_SKB_CB(skb)->ns,
+                                L2TP_SKB_CB(skb)->length, session->nr,
+                                skb_queue_len(&session->reorder_q));
+                       session->reorder_skip = 1;
                        __skb_unlink(skb, &session->reorder_q);
                        kfree_skb(skb);
                        if (session->deref)
@@ -416,13 +479,20 @@ static void l2tp_recv_dequeue(struct l2tp_session *session)
                }
 
                if (L2TP_SKB_CB(skb)->has_seq) {
+                       if (session->reorder_skip) {
+                               l2tp_dbg(session, L2TP_MSG_SEQ,
+                                        "%s: advancing nr to next pkt: %u -> %u",
+                                        session->name, session->nr,
+                                        L2TP_SKB_CB(skb)->ns);
+                               session->reorder_skip = 0;
+                               session->nr = L2TP_SKB_CB(skb)->ns;
+                       }
                        if (L2TP_SKB_CB(skb)->ns != session->nr) {
-                               PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG,
-                                      "%s: holding oos pkt %u len %d, "
-                                      "waiting for %u, reorder_q_len=%d\n",
-                                      session->name, L2TP_SKB_CB(skb)->ns,
-                                      L2TP_SKB_CB(skb)->length, session->nr,
-                                      skb_queue_len(&session->reorder_q));
+                               l2tp_dbg(session, L2TP_MSG_SEQ,
+                                        "%s: holding oos pkt %u len %d, waiting for %u, reorder_q_len=%d\n",
+                                        session->name, L2TP_SKB_CB(skb)->ns,
+                                        L2TP_SKB_CB(skb)->length, session->nr,
+                                        skb_queue_len(&session->reorder_q));
                                goto out;
                        }
                }
@@ -433,7 +503,7 @@ static void l2tp_recv_dequeue(struct l2tp_session *session)
                 */
                spin_unlock_bh(&session->reorder_q.lock);
                l2tp_recv_dequeue_skb(session, skb);
-               spin_lock_bh(&session->reorder_q.lock);
+               goto start;
        }
 
 out:
@@ -445,21 +515,43 @@ static inline int l2tp_verify_udp_checksum(struct sock *sk,
 {
        struct udphdr *uh = udp_hdr(skb);
        u16 ulen = ntohs(uh->len);
-       struct inet_sock *inet;
        __wsum psum;
 
-       if (sk->sk_no_check || skb_csum_unnecessary(skb) || !uh->check)
+       if (sk->sk_no_check || skb_csum_unnecessary(skb))
                return 0;
 
-       inet = inet_sk(sk);
-       psum = csum_tcpudp_nofold(inet->inet_saddr, inet->inet_daddr, ulen,
-                                 IPPROTO_UDP, 0);
-
-       if ((skb->ip_summed == CHECKSUM_COMPLETE) &&
-           !csum_fold(csum_add(psum, skb->csum)))
-               return 0;
+#if IS_ENABLED(CONFIG_IPV6)
+       if (sk->sk_family == PF_INET6) {
+               if (!uh->check) {
+                       LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n");
+                       return 1;
+               }
+               if ((skb->ip_summed == CHECKSUM_COMPLETE) &&
+                   !csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
+                                    &ipv6_hdr(skb)->daddr, ulen,
+                                    IPPROTO_UDP, skb->csum)) {
+                       skb->ip_summed = CHECKSUM_UNNECESSARY;
+                       return 0;
+               }
+               skb->csum = ~csum_unfold(csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
+                                                        &ipv6_hdr(skb)->daddr,
+                                                        skb->len, IPPROTO_UDP,
+                                                        0));
+       } else
+#endif
+       {
+               struct inet_sock *inet;
+               if (!uh->check)
+                       return 0;
+               inet = inet_sk(sk);
+               psum = csum_tcpudp_nofold(inet->inet_saddr, inet->inet_daddr,
+                                         ulen, IPPROTO_UDP, 0);
 
-       skb->csum = psum;
+               if ((skb->ip_summed == CHECKSUM_COMPLETE) &&
+                   !csum_fold(csum_add(psum, skb->csum)))
+                       return 0;
+               skb->csum = psum;
+       }
 
        return __skb_checksum_complete(skb);
 }
@@ -531,6 +623,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
        struct l2tp_tunnel *tunnel = session->tunnel;
        int offset;
        u32 ns, nr;
+       struct l2tp_stats *sstats = &session->stats;
 
        /* The ref count is increased since we now hold a pointer to
         * the session. Take care to decrement the refcnt when exiting
@@ -543,10 +636,13 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
        /* Parse and check optional cookie */
        if (session->peer_cookie_len > 0) {
                if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
-                       PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_INFO,
-                              "%s: cookie mismatch (%u/%u). Discarding.\n",
-                              tunnel->name, tunnel->tunnel_id, session->session_id);
-                       session->stats.rx_cookie_discards++;
+                       l2tp_info(tunnel, L2TP_MSG_DATA,
+                                 "%s: cookie mismatch (%u/%u). Discarding.\n",
+                                 tunnel->name, tunnel->tunnel_id,
+                                 session->session_id);
+                       u64_stats_update_begin(&sstats->syncp);
+                       sstats->rx_cookie_discards++;
+                       u64_stats_update_end(&sstats->syncp);
                        goto discard;
                }
                ptr += session->peer_cookie_len;
@@ -572,9 +668,9 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                        L2TP_SKB_CB(skb)->ns = ns;
                        L2TP_SKB_CB(skb)->has_seq = 1;
 
-                       PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG,
-                              "%s: recv data ns=%u, nr=%u, session nr=%u\n",
-                              session->name, ns, nr, session->nr);
+                       l2tp_dbg(session, L2TP_MSG_SEQ,
+                                "%s: recv data ns=%u, nr=%u, session nr=%u\n",
+                                session->name, ns, nr, session->nr);
                }
        } else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
                u32 l2h = ntohl(*(__be32 *) ptr);
@@ -586,9 +682,9 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                        L2TP_SKB_CB(skb)->ns = ns;
                        L2TP_SKB_CB(skb)->has_seq = 1;
 
-                       PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG,
-                              "%s: recv data ns=%u, session nr=%u\n",
-                              session->name, ns, session->nr);
+                       l2tp_dbg(session, L2TP_MSG_SEQ,
+                                "%s: recv data ns=%u, session nr=%u\n",
+                                session->name, ns, session->nr);
                }
        }
 
@@ -601,9 +697,9 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                 * configure it so.
                 */
                if ((!session->lns_mode) && (!session->send_seq)) {
-                       PRINTK(session->debug, L2TP_MSG_SEQ, KERN_INFO,
-                              "%s: requested to enable seq numbers by LNS\n",
-                              session->name);
+                       l2tp_info(session, L2TP_MSG_SEQ,
+                                 "%s: requested to enable seq numbers by LNS\n",
+                                 session->name);
                        session->send_seq = -1;
                        l2tp_session_set_header_len(session, tunnel->version);
                }
@@ -612,10 +708,12 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                 * If user has configured mandatory sequence numbers, discard.
                 */
                if (session->recv_seq) {
-                       PRINTK(session->debug, L2TP_MSG_SEQ, KERN_WARNING,
-                              "%s: recv data has no seq numbers when required. "
-                              "Discarding\n", session->name);
-                       session->stats.rx_seq_discards++;
+                       l2tp_warn(session, L2TP_MSG_SEQ,
+                                 "%s: recv data has no seq numbers when required. Discarding.\n",
+                                 session->name);
+                       u64_stats_update_begin(&sstats->syncp);
+                       sstats->rx_seq_discards++;
+                       u64_stats_update_end(&sstats->syncp);
                        goto discard;
                }
 
@@ -625,16 +723,18 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                 * LAC is broken. Discard the frame.
                 */
                if ((!session->lns_mode) && (session->send_seq)) {
-                       PRINTK(session->debug, L2TP_MSG_SEQ, KERN_INFO,
-                              "%s: requested to disable seq numbers by LNS\n",
-                              session->name);
+                       l2tp_info(session, L2TP_MSG_SEQ,
+                                 "%s: requested to disable seq numbers by LNS\n",
+                                 session->name);
                        session->send_seq = 0;
                        l2tp_session_set_header_len(session, tunnel->version);
                } else if (session->send_seq) {
-                       PRINTK(session->debug, L2TP_MSG_SEQ, KERN_WARNING,
-                              "%s: recv data has no seq numbers when required. "
-                              "Discarding\n", session->name);
-                       session->stats.rx_seq_discards++;
+                       l2tp_warn(session, L2TP_MSG_SEQ,
+                                 "%s: recv data has no seq numbers when required. Discarding.\n",
+                                 session->name);
+                       u64_stats_update_begin(&sstats->syncp);
+                       sstats->rx_seq_discards++;
+                       u64_stats_update_end(&sstats->syncp);
                        goto discard;
                }
        }
@@ -688,13 +788,14 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                         * packets
                         */
                        if (L2TP_SKB_CB(skb)->ns != session->nr) {
-                               session->stats.rx_seq_discards++;
-                               PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG,
-                                      "%s: oos pkt %u len %d discarded, "
-                                      "waiting for %u, reorder_q_len=%d\n",
-                                      session->name, L2TP_SKB_CB(skb)->ns,
-                                      L2TP_SKB_CB(skb)->length, session->nr,
-                                      skb_queue_len(&session->reorder_q));
+                               u64_stats_update_begin(&sstats->syncp);
+                               sstats->rx_seq_discards++;
+                               u64_stats_update_end(&sstats->syncp);
+                               l2tp_dbg(session, L2TP_MSG_SEQ,
+                                        "%s: oos pkt %u len %d discarded, waiting for %u, reorder_q_len=%d\n",
+                                        session->name, L2TP_SKB_CB(skb)->ns,
+                                        L2TP_SKB_CB(skb)->length, session->nr,
+                                        skb_queue_len(&session->reorder_q));
                                goto discard;
                        }
                        skb_queue_tail(&session->reorder_q, skb);
@@ -715,7 +816,9 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
        return;
 
 discard:
-       session->stats.rx_errors++;
+       u64_stats_update_begin(&sstats->syncp);
+       sstats->rx_errors++;
+       u64_stats_update_end(&sstats->syncp);
        kfree_skb(skb);
 
        if (session->deref)
@@ -738,9 +841,9 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
        unsigned char *ptr, *optr;
        u16 hdrflags;
        u32 tunnel_id, session_id;
-       int offset;
        u16 version;
        int length;
+       struct l2tp_stats *tstats;
 
        if (tunnel->sock && l2tp_verify_udp_checksum(tunnel->sock, skb))
                goto discard_bad_csum;
@@ -750,39 +853,34 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
 
        /* Short packet? */
        if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
-               PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_INFO,
-                      "%s: recv short packet (len=%d)\n", tunnel->name, skb->len);
+               l2tp_info(tunnel, L2TP_MSG_DATA,
+                         "%s: recv short packet (len=%d)\n",
+                         tunnel->name, skb->len);
                goto error;
        }
 
-       /* Point to L2TP header */
-       optr = ptr = skb->data;
-
        /* Trace packet contents, if enabled */
        if (tunnel->debug & L2TP_MSG_DATA) {
                length = min(32u, skb->len);
                if (!pskb_may_pull(skb, length))
                        goto error;
 
-               printk(KERN_DEBUG "%s: recv: ", tunnel->name);
-
-               offset = 0;
-               do {
-                       printk(" %02X", ptr[offset]);
-               } while (++offset < length);
-
-               printk("\n");
+               pr_debug("%s: recv\n", tunnel->name);
+               print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
        }
 
+       /* Point to L2TP header */
+       optr = ptr = skb->data;
+
        /* Get L2TP header flags */
        hdrflags = ntohs(*(__be16 *) ptr);
 
        /* Check protocol version */
        version = hdrflags & L2TP_HDR_VER_MASK;
        if (version != tunnel->version) {
-               PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_INFO,
-                      "%s: recv protocol version mismatch: got %d expected %d\n",
-                      tunnel->name, version, tunnel->version);
+               l2tp_info(tunnel, L2TP_MSG_DATA,
+                         "%s: recv protocol version mismatch: got %d expected %d\n",
+                         tunnel->name, version, tunnel->version);
                goto error;
        }
 
@@ -791,8 +889,9 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
 
        /* If type is control packet, it is handled by userspace. */
        if (hdrflags & L2TP_HDRFLAG_T) {
-               PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_DEBUG,
-                      "%s: recv control packet, len=%d\n", tunnel->name, length);
+               l2tp_dbg(tunnel, L2TP_MSG_DATA,
+                        "%s: recv control packet, len=%d\n",
+                        tunnel->name, length);
                goto error;
        }
 
@@ -820,9 +919,9 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
        session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id);
        if (!session || !session->recv_skb) {
                /* Not found? Pass to userspace to deal with */
-               PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_INFO,
-                      "%s: no session found (%u/%u). Passing up.\n",
-                      tunnel->name, tunnel_id, session_id);
+               l2tp_info(tunnel, L2TP_MSG_DATA,
+                         "%s: no session found (%u/%u). Passing up.\n",
+                         tunnel->name, tunnel_id, session_id);
                goto error;
        }
 
@@ -833,7 +932,10 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
 discard_bad_csum:
        LIMIT_NETDEBUG("%s: UDP: bad checksum\n", tunnel->name);
        UDP_INC_STATS_USER(tunnel->l2tp_net, UDP_MIB_INERRORS, 0);
-       tunnel->stats.rx_errors++;
+       tstats = &tunnel->stats;
+       u64_stats_update_begin(&tstats->syncp);
+       tstats->rx_errors++;
+       u64_stats_update_end(&tstats->syncp);
        kfree_skb(skb);
 
        return 0;
@@ -859,8 +961,8 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
        if (tunnel == NULL)
                goto pass_up;
 
-       PRINTK(tunnel->debug, L2TP_MSG_DATA, KERN_DEBUG,
-              "%s: received %d bytes\n", tunnel->name, skb->len);
+       l2tp_dbg(tunnel, L2TP_MSG_DATA, "%s: received %d bytes\n",
+                tunnel->name, skb->len);
 
        if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
                goto pass_up_put;
@@ -902,8 +1004,8 @@ static int l2tp_build_l2tpv2_header(struct l2tp_session *session, void *buf)
                *bufp++ = 0;
                session->ns++;
                session->ns &= 0xffff;
-               PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG,
-                      "%s: updated ns to %u\n", session->name, session->ns);
+               l2tp_dbg(session, L2TP_MSG_SEQ, "%s: updated ns to %u\n",
+                        session->name, session->ns);
        }
 
        return bufp - optr;
@@ -939,8 +1041,9 @@ static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
                                l2h = 0x40000000 | session->ns;
                                session->ns++;
                                session->ns &= 0xffffff;
-                               PRINTK(session->debug, L2TP_MSG_SEQ, KERN_DEBUG,
-                                      "%s: updated ns to %u\n", session->name, session->ns);
+                               l2tp_dbg(session, L2TP_MSG_SEQ,
+                                        "%s: updated ns to %u\n",
+                                        session->name, session->ns);
                        }
 
                        *((__be32 *) bufp) = htonl(l2h);
@@ -954,51 +1057,55 @@ static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
 }
 
 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
-                         size_t data_len)
+                         struct flowi *fl, size_t data_len)
 {
        struct l2tp_tunnel *tunnel = session->tunnel;
        unsigned int len = skb->len;
        int error;
+       struct l2tp_stats *tstats, *sstats;
 
        /* Debug */
        if (session->send_seq)
-               PRINTK(session->debug, L2TP_MSG_DATA, KERN_DEBUG,
-                      "%s: send %Zd bytes, ns=%u\n", session->name,
-                      data_len, session->ns - 1);
+               l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes, ns=%u\n",
+                        session->name, data_len, session->ns - 1);
        else
-               PRINTK(session->debug, L2TP_MSG_DATA, KERN_DEBUG,
-                      "%s: send %Zd bytes\n", session->name, data_len);
+               l2tp_dbg(session, L2TP_MSG_DATA, "%s: send %Zd bytes\n",
+                        session->name, data_len);
 
        if (session->debug & L2TP_MSG_DATA) {
-               int i;
                int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
                unsigned char *datap = skb->data + uhlen;
 
-               printk(KERN_DEBUG "%s: xmit:", session->name);
-               for (i = 0; i < (len - uhlen); i++) {
-                       printk(" %02X", *datap++);
-                       if (i == 31) {
-                               printk(" ...");
-                               break;
-                       }
-               }
-               printk("\n");
+               pr_debug("%s: xmit\n", session->name);
+               print_hex_dump_bytes("", DUMP_PREFIX_OFFSET,
+                                    datap, min_t(size_t, 32, len - uhlen));
        }
 
        /* Queue the packet to IP for output */
        skb->local_df = 1;
-       error = ip_queue_xmit(skb);
+#if IS_ENABLED(CONFIG_IPV6)
+       if (skb->sk->sk_family == PF_INET6)
+               error = inet6_csk_xmit(skb, NULL);
+       else
+#endif
+               error = ip_queue_xmit(skb, fl);
 
        /* Update stats */
+       tstats = &tunnel->stats;
+       u64_stats_update_begin(&tstats->syncp);
+       sstats = &session->stats;
+       u64_stats_update_begin(&sstats->syncp);
        if (error >= 0) {
-               tunnel->stats.tx_packets++;
-               tunnel->stats.tx_bytes += len;
-               session->stats.tx_packets++;
-               session->stats.tx_bytes += len;
+               tstats->tx_packets++;
+               tstats->tx_bytes += len;
+               sstats->tx_packets++;
+               sstats->tx_bytes += len;
        } else {
-               tunnel->stats.tx_errors++;
-               session->stats.tx_errors++;
+               tstats->tx_errors++;
+               sstats->tx_errors++;
        }
+       u64_stats_update_end(&tstats->syncp);
+       u64_stats_update_end(&sstats->syncp);
 
        return 0;
 }
@@ -1020,6 +1127,31 @@ static inline void l2tp_skb_set_owner_w(struct sk_buff *skb, struct sock *sk)
        skb->destructor = l2tp_sock_wfree;
 }
 
+#if IS_ENABLED(CONFIG_IPV6)
+static void l2tp_xmit_ipv6_csum(struct sock *sk, struct sk_buff *skb,
+                               int udp_len)
+{
+       struct ipv6_pinfo *np = inet6_sk(sk);
+       struct udphdr *uh = udp_hdr(skb);
+
+       if (!skb_dst(skb) || !skb_dst(skb)->dev ||
+           !(skb_dst(skb)->dev->features & NETIF_F_IPV6_CSUM)) {
+               __wsum csum = skb_checksum(skb, 0, udp_len, 0);
+               skb->ip_summed = CHECKSUM_UNNECESSARY;
+               uh->check = csum_ipv6_magic(&np->saddr, &np->daddr, udp_len,
+                                           IPPROTO_UDP, csum);
+               if (uh->check == 0)
+                       uh->check = CSUM_MANGLED_0;
+       } else {
+               skb->ip_summed = CHECKSUM_PARTIAL;
+               skb->csum_start = skb_transport_header(skb) - skb->head;
+               skb->csum_offset = offsetof(struct udphdr, check);
+               uh->check = ~csum_ipv6_magic(&np->saddr, &np->daddr,
+                                            udp_len, IPPROTO_UDP, 0);
+       }
+}
+#endif
+
 /* If caller requires the skb to have a ppp header, the header must be
  * inserted in the skb data before calling this function.
  */
@@ -1028,14 +1160,14 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
        int data_len = skb->len;
        struct l2tp_tunnel *tunnel = session->tunnel;
        struct sock *sk = tunnel->sock;
+       struct flowi *fl;
        struct udphdr *uh;
        struct inet_sock *inet;
        __wsum csum;
-       int old_headroom;
-       int new_headroom;
        int headroom;
        int uhlen = (tunnel->encap == L2TP_ENCAPTYPE_UDP) ? sizeof(struct udphdr) : 0;
        int udp_len;
+       int ret = NET_XMIT_SUCCESS;
 
        /* Check that there's enough headroom in the skb to insert IP,
         * UDP and L2TP headers. If not enough, expand it to
@@ -1043,14 +1175,12 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
         */
        headroom = NET_SKB_PAD + sizeof(struct iphdr) +
                uhlen + hdr_len;
-       old_headroom = skb_headroom(skb);
-       if (skb_cow_head(skb, headroom))
-               goto abort;
+       if (skb_cow_head(skb, headroom)) {
+               kfree_skb(skb);
+               return NET_XMIT_DROP;
+       }
 
-       new_headroom = skb_headroom(skb);
        skb_orphan(skb);
-       skb->truesize += new_headroom - old_headroom;
-
        /* Setup L2TP header */
        session->build_header(session, __skb_push(skb, hdr_len));
 
@@ -1060,14 +1190,22 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
                              IPSKB_REROUTED);
        nf_reset(skb);
 
+       bh_lock_sock(sk);
+       if (sock_owned_by_user(sk)) {
+               kfree_skb(skb);
+               ret = NET_XMIT_DROP;
+               goto out_unlock;
+       }
+
        /* Get routing info from the tunnel socket */
        skb_dst_drop(skb);
-       skb_dst_set(skb, dst_clone(__sk_dst_get(sk)));
+       skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
 
+       inet = inet_sk(sk);
+       fl = &inet->cork.fl;
        switch (tunnel->encap) {
        case L2TP_ENCAPTYPE_UDP:
                /* Setup UDP header */
-               inet = inet_sk(sk);
                __skb_push(skb, sizeof(*uh));
                skb_reset_transport_header(skb);
                uh = udp_hdr(skb);
@@ -1078,6 +1216,11 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
                uh->check = 0;
 
                /* Calculate UDP checksum if configured to do so */
+#if IS_ENABLED(CONFIG_IPV6)
+               if (sk->sk_family == PF_INET6)
+                       l2tp_xmit_ipv6_csum(sk, skb, udp_len);
+               else
+#endif
                if (sk->sk_no_check == UDP_CSUM_NOXMIT)
                        skb->ip_summed = CHECKSUM_NONE;
                else if ((skb_dst(skb) && skb_dst(skb)->dev) &&
@@ -1105,10 +1248,11 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
 
        l2tp_skb_set_owner_w(skb, sk);
 
-       l2tp_xmit_core(session, skb, data_len);
+       l2tp_xmit_core(session, skb, fl, data_len);
+out_unlock:
+       bh_unlock_sock(sk);
 
-abort:
-       return 0;
+       return ret;
 }
 EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
 
@@ -1123,39 +1267,45 @@ EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
 static void l2tp_tunnel_destruct(struct sock *sk)
 {
        struct l2tp_tunnel *tunnel;
+       struct l2tp_net *pn;
 
        tunnel = sk->sk_user_data;
        if (tunnel == NULL)
                goto end;
 
-       PRINTK(tunnel->debug, L2TP_MSG_CONTROL, KERN_INFO,
-              "%s: closing...\n", tunnel->name);
+       l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
 
-       /* Close all sessions */
-       l2tp_tunnel_closeall(tunnel);
 
+       /* Disable udp encapsulation */
        switch (tunnel->encap) {
        case L2TP_ENCAPTYPE_UDP:
                /* No longer an encapsulation socket. See net/ipv4/udp.c */
                (udp_sk(sk))->encap_type = 0;
                (udp_sk(sk))->encap_rcv = NULL;
+               (udp_sk(sk))->encap_destroy = NULL;
                break;
        case L2TP_ENCAPTYPE_IP:
                break;
        }
 
        /* Remove hooks into tunnel socket */
-       tunnel->sock = NULL;
        sk->sk_destruct = tunnel->old_sk_destruct;
        sk->sk_user_data = NULL;
+       tunnel->sock = NULL;
 
-       /* Call the original destructor */
-       if (sk->sk_destruct)
-               (*sk->sk_destruct)(sk);
+       /* Remove the tunnel struct from the tunnel list */
+       pn = l2tp_pernet(tunnel->l2tp_net);
+       spin_lock_bh(&pn->l2tp_tunnel_list_lock);
+       list_del_rcu(&tunnel->list);
+       spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
+       atomic_dec(&l2tp_tunnel_count);
 
-       /* We're finished with the socket */
+       l2tp_tunnel_closeall(tunnel);
        l2tp_tunnel_dec_refcount(tunnel);
 
+       /* Call the original destructor */
+       if (sk->sk_destruct)
+               (*sk->sk_destruct)(sk);
 end:
        return;
 }
@@ -1171,8 +1321,8 @@ static void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel)
 
        BUG_ON(tunnel == NULL);
 
-       PRINTK(tunnel->debug, L2TP_MSG_CONTROL, KERN_INFO,
-              "%s: closing all sessions...\n", tunnel->name);
+       l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing all sessions...\n",
+                 tunnel->name);
 
        write_lock_bh(&tunnel->hlist_lock);
        for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
@@ -1180,8 +1330,8 @@ again:
                hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
                        session = hlist_entry(walk, struct l2tp_session, hlist);
 
-                       PRINTK(session->debug, L2TP_MSG_CONTROL, KERN_INFO,
-                              "%s: closing session\n", session->name);
+                       l2tp_info(session, L2TP_MSG_CONTROL,
+                                 "%s: closing session\n", session->name);
 
                        hlist_del_init(&session->hlist);
 
@@ -1211,6 +1361,8 @@ again:
                        if (session->deref != NULL)
                                (*session->deref)(session);
 
+                       l2tp_session_dec_refcount(session);
+
                        write_lock_bh(&tunnel->hlist_lock);
 
                        /* Now restart from the beginning of this hash
@@ -1224,62 +1376,136 @@ again:
        write_unlock_bh(&tunnel->hlist_lock);
 }
 
+/* Tunnel socket destroy hook for UDP encapsulation */
+static void l2tp_udp_encap_destroy(struct sock *sk)
+{
+       struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
+       if (tunnel) {
+               l2tp_tunnel_closeall(tunnel);
+               sock_put(sk);
+       }
+}
+
 /* Really kill the tunnel.
  * Come here only when all sessions have been cleared from the tunnel.
  */
 static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
 {
-       struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
-
        BUG_ON(atomic_read(&tunnel->ref_count) != 0);
        BUG_ON(tunnel->sock != NULL);
+       l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: free...\n", tunnel->name);
+       kfree_rcu(tunnel, rcu);
+}
 
-       PRINTK(tunnel->debug, L2TP_MSG_CONTROL, KERN_INFO,
-              "%s: free...\n", tunnel->name);
+/* Workqueue tunnel deletion function */
+static void l2tp_tunnel_del_work(struct work_struct *work)
+{
+       struct l2tp_tunnel *tunnel = NULL;
+       struct socket *sock = NULL;
+       struct sock *sk = NULL;
 
-       /* Remove from tunnel list */
-       spin_lock_bh(&pn->l2tp_tunnel_list_lock);
-       list_del_rcu(&tunnel->list);
-       spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
-       synchronize_rcu();
+       tunnel = container_of(work, struct l2tp_tunnel, del_work);
+       sk = l2tp_tunnel_sock_lookup(tunnel);
+       if (!sk)
+               return;
 
-       atomic_dec(&l2tp_tunnel_count);
-       kfree(tunnel);
+       sock = sk->sk_socket;
+       BUG_ON(!sock);
+
+       /* If the tunnel socket was created directly by the kernel, use the
+        * sk_* API to release the socket now.  Otherwise go through the
+        * inet_* layer to shut the socket down, and let userspace close it.
+        * In either case the tunnel resources are freed in the socket
+        * destructor when the tunnel socket goes away.
+        */
+       if (sock->file == NULL) {
+               kernel_sock_shutdown(sock, SHUT_RDWR);
+               sk_release_kernel(sk);
+       } else {
+               inet_shutdown(sock, 2);
+       }
+
+       l2tp_tunnel_sock_put(sk);
 }
 
 /* Create a socket for the tunnel, if one isn't set up by
  * userspace. This is used for static tunnels where there is no
  * managing L2TP daemon.
+ *
+ * Since we don't want these sockets to keep a namespace alive by
+ * themselves, we drop the socket's namespace refcount after creation.
+ * These sockets are freed when the namespace exits using the pernet
+ * exit hook.
  */
-static int l2tp_tunnel_sock_create(u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct socket **sockp)
+static int l2tp_tunnel_sock_create(struct net *net,
+                               u32 tunnel_id,
+                               u32 peer_tunnel_id,
+                               struct l2tp_tunnel_cfg *cfg,
+                               struct socket **sockp)
 {
        int err = -EINVAL;
-       struct sockaddr_in udp_addr;
-       struct sockaddr_l2tpip ip_addr;
        struct socket *sock = NULL;
+       struct sockaddr_in udp_addr = {0};
+       struct sockaddr_l2tpip ip_addr = {0};
+#if IS_ENABLED(CONFIG_IPV6)
+       struct sockaddr_in6 udp6_addr = {0};
+       struct sockaddr_l2tpip6 ip6_addr = {0};
+#endif
 
        switch (cfg->encap) {
        case L2TP_ENCAPTYPE_UDP:
-               err = sock_create(AF_INET, SOCK_DGRAM, 0, sockp);
-               if (err < 0)
-                       goto out;
+#if IS_ENABLED(CONFIG_IPV6)
+               if (cfg->local_ip6 && cfg->peer_ip6) {
+                       err = sock_create_kern(AF_INET6, SOCK_DGRAM, 0, &sock);
+                       if (err < 0)
+                               goto out;
 
-               sock = *sockp;
+                       sk_change_net(sock->sk, net);
 
-               memset(&udp_addr, 0, sizeof(udp_addr));
-               udp_addr.sin_family = AF_INET;
-               udp_addr.sin_addr = cfg->local_ip;
-               udp_addr.sin_port = htons(cfg->local_udp_port);
-               err = kernel_bind(sock, (struct sockaddr *) &udp_addr, sizeof(udp_addr));
-               if (err < 0)
-                       goto out;
+                       udp6_addr.sin6_family = AF_INET6;
+                       memcpy(&udp6_addr.sin6_addr, cfg->local_ip6,
+                              sizeof(udp6_addr.sin6_addr));
+                       udp6_addr.sin6_port = htons(cfg->local_udp_port);
+                       err = kernel_bind(sock, (struct sockaddr *) &udp6_addr,
+                                         sizeof(udp6_addr));
+                       if (err < 0)
+                               goto out;
 
-               udp_addr.sin_family = AF_INET;
-               udp_addr.sin_addr = cfg->peer_ip;
-               udp_addr.sin_port = htons(cfg->peer_udp_port);
-               err = kernel_connect(sock, (struct sockaddr *) &udp_addr, sizeof(udp_addr), 0);
-               if (err < 0)
-                       goto out;
+                       udp6_addr.sin6_family = AF_INET6;
+                       memcpy(&udp6_addr.sin6_addr, cfg->peer_ip6,
+                              sizeof(udp6_addr.sin6_addr));
+                       udp6_addr.sin6_port = htons(cfg->peer_udp_port);
+                       err = kernel_connect(sock,
+                                            (struct sockaddr *) &udp6_addr,
+                                            sizeof(udp6_addr), 0);
+                       if (err < 0)
+                               goto out;
+               } else
+#endif
+               {
+                       err = sock_create_kern(AF_INET, SOCK_DGRAM, 0, &sock);
+                       if (err < 0)
+                               goto out;
+
+                       sk_change_net(sock->sk, net);
+
+                       udp_addr.sin_family = AF_INET;
+                       udp_addr.sin_addr = cfg->local_ip;
+                       udp_addr.sin_port = htons(cfg->local_udp_port);
+                       err = kernel_bind(sock, (struct sockaddr *) &udp_addr,
+                                         sizeof(udp_addr));
+                       if (err < 0)
+                               goto out;
+
+                       udp_addr.sin_family = AF_INET;
+                       udp_addr.sin_addr = cfg->peer_ip;
+                       udp_addr.sin_port = htons(cfg->peer_udp_port);
+                       err = kernel_connect(sock,
+                                            (struct sockaddr *) &udp_addr,
+                                            sizeof(udp_addr), 0);
+                       if (err < 0)
+                               goto out;
+               }
 
                if (!cfg->use_udp_checksums)
                        sock->sk->sk_no_check = UDP_CSUM_NOXMIT;
@@ -1287,27 +1513,59 @@ static int l2tp_tunnel_sock_create(u32 tunnel_id, u32 peer_tunnel_id, struct l2t
                break;
 
        case L2TP_ENCAPTYPE_IP:
-               err = sock_create(AF_INET, SOCK_DGRAM, IPPROTO_L2TP, sockp);
-               if (err < 0)
-                       goto out;
+#if IS_ENABLED(CONFIG_IPV6)
+               if (cfg->local_ip6 && cfg->peer_ip6) {
+                       err = sock_create_kern(AF_INET6, SOCK_DGRAM,
+                                         IPPROTO_L2TP, &sock);
+                       if (err < 0)
+                               goto out;
 
-               sock = *sockp;
+                       sk_change_net(sock->sk, net);
 
-               memset(&ip_addr, 0, sizeof(ip_addr));
-               ip_addr.l2tp_family = AF_INET;
-               ip_addr.l2tp_addr = cfg->local_ip;
-               ip_addr.l2tp_conn_id = tunnel_id;
-               err = kernel_bind(sock, (struct sockaddr *) &ip_addr, sizeof(ip_addr));
-               if (err < 0)
-                       goto out;
+                       ip6_addr.l2tp_family = AF_INET6;
+                       memcpy(&ip6_addr.l2tp_addr, cfg->local_ip6,
+                              sizeof(ip6_addr.l2tp_addr));
+                       ip6_addr.l2tp_conn_id = tunnel_id;
+                       err = kernel_bind(sock, (struct sockaddr *) &ip6_addr,
+                                         sizeof(ip6_addr));
+                       if (err < 0)
+                               goto out;
 
-               ip_addr.l2tp_family = AF_INET;
-               ip_addr.l2tp_addr = cfg->peer_ip;
-               ip_addr.l2tp_conn_id = peer_tunnel_id;
-               err = kernel_connect(sock, (struct sockaddr *) &ip_addr, sizeof(ip_addr), 0);
-               if (err < 0)
-                       goto out;
+                       ip6_addr.l2tp_family = AF_INET6;
+                       memcpy(&ip6_addr.l2tp_addr, cfg->peer_ip6,
+                              sizeof(ip6_addr.l2tp_addr));
+                       ip6_addr.l2tp_conn_id = peer_tunnel_id;
+                       err = kernel_connect(sock,
+                                            (struct sockaddr *) &ip6_addr,
+                                            sizeof(ip6_addr), 0);
+                       if (err < 0)
+                               goto out;
+               } else
+#endif
+               {
+                       err = sock_create_kern(AF_INET, SOCK_DGRAM,
+                                         IPPROTO_L2TP, &sock);
+                       if (err < 0)
+                               goto out;
+
+                       sk_change_net(sock->sk, net);
 
+                       ip_addr.l2tp_family = AF_INET;
+                       ip_addr.l2tp_addr = cfg->local_ip;
+                       ip_addr.l2tp_conn_id = tunnel_id;
+                       err = kernel_bind(sock, (struct sockaddr *) &ip_addr,
+                                         sizeof(ip_addr));
+                       if (err < 0)
+                               goto out;
+
+                       ip_addr.l2tp_family = AF_INET;
+                       ip_addr.l2tp_addr = cfg->peer_ip;
+                       ip_addr.l2tp_conn_id = peer_tunnel_id;
+                       err = kernel_connect(sock, (struct sockaddr *) &ip_addr,
+                                            sizeof(ip_addr), 0);
+                       if (err < 0)
+                               goto out;
+               }
                break;
 
        default:
@@ -1315,14 +1573,18 @@ static int l2tp_tunnel_sock_create(u32 tunnel_id, u32 peer_tunnel_id, struct l2t
        }
 
 out:
+       *sockp = sock;
        if ((err < 0) && sock) {
-               sock_release(sock);
+               kernel_sock_shutdown(sock, SHUT_RDWR);
+               sk_release_kernel(sock->sk);
                *sockp = NULL;
        }
 
        return err;
 }
 
+static struct lock_class_key l2tp_socket_class;
+
 int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
 {
        struct l2tp_tunnel *tunnel = NULL;
@@ -1337,15 +1599,23 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
         * kernel socket.
         */
        if (fd < 0) {
-               err = l2tp_tunnel_sock_create(tunnel_id, peer_tunnel_id, cfg, &sock);
+               err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id,
+                               cfg, &sock);
                if (err < 0)
                        goto err;
        } else {
-               err = -EBADF;
                sock = sockfd_lookup(fd, &err);
                if (!sock) {
-                       printk(KERN_ERR "tunl %hu: sockfd_lookup(fd=%d) returned %d\n",
+                       pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n",
                               tunnel_id, fd, err);
+                       err = -EBADF;
+                       goto err;
+               }
+
+               /* Reject namespace mismatches */
+               if (!net_eq(sock_net(sock->sk), net)) {
+                       pr_err("tunl %u: netns mismatch\n", tunnel_id);
+                       err = -EINVAL;
                        goto err;
                }
        }
@@ -1360,7 +1630,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
        case L2TP_ENCAPTYPE_UDP:
                err = -EPROTONOSUPPORT;
                if (sk->sk_protocol != IPPROTO_UDP) {
-                       printk(KERN_ERR "tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
+                       pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
                               tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
                        goto err;
                }
@@ -1368,7 +1638,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
        case L2TP_ENCAPTYPE_IP:
                err = -EPROTONOSUPPORT;
                if (sk->sk_protocol != IPPROTO_L2TP) {
-                       printk(KERN_ERR "tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
+                       pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
                               tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
                        goto err;
                }
@@ -1411,6 +1681,13 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
                /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
                udp_sk(sk)->encap_type = UDP_ENCAP_L2TPINUDP;
                udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
+               udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy;
+#if IS_ENABLED(CONFIG_IPV6)
+               if (sk->sk_family == PF_INET6)
+                       udpv6_encap_enable();
+               else
+#endif
+               udp_encap_enable();
        }
 
        sk->sk_user_data = tunnel;
@@ -1421,20 +1698,25 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
        tunnel->old_sk_destruct = sk->sk_destruct;
        sk->sk_destruct = &l2tp_tunnel_destruct;
        tunnel->sock = sk;
+       tunnel->fd = fd;
+       lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
+
        sk->sk_allocation = GFP_ATOMIC;
 
+       /* Init delete workqueue struct */
+       INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work);
+
        /* Add tunnel to our list */
        INIT_LIST_HEAD(&tunnel->list);
-       spin_lock_bh(&pn->l2tp_tunnel_list_lock);
-       list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
-       spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
-       synchronize_rcu();
        atomic_inc(&l2tp_tunnel_count);
 
        /* Bump the reference count. The tunnel context is deleted
-        * only when this drops to zero.
+        * only when this drops to zero. Must be done before list insertion
         */
        l2tp_tunnel_inc_refcount(tunnel);
+       spin_lock_bh(&pn->l2tp_tunnel_list_lock);
+       list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
+       spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
 
        err = 0;
 err:
@@ -1455,25 +1737,7 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
  */
 int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
 {
-       int err = 0;
-       struct socket *sock = tunnel->sock ? tunnel->sock->sk_socket : NULL;
-
-       /* Force the tunnel socket to close. This will eventually
-        * cause the tunnel to be deleted via the normal socket close
-        * mechanisms when userspace closes the tunnel socket.
-        */
-       if (sock != NULL) {
-               err = inet_shutdown(sock, 2);
-
-               /* If the tunnel's socket was created by the kernel,
-                * close the socket here since the socket was not
-                * created by userspace.
-                */
-               if (sock->file == NULL)
-                       err = inet_release(sock);
-       }
-
-       return err;
+       return (false == queue_work(l2tp_wq, &tunnel->del_work));
 }
 EXPORT_SYMBOL_GPL(l2tp_tunnel_delete);
 
@@ -1565,7 +1829,7 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
 
                session->session_id = session_id;
                session->peer_session_id = peer_session_id;
-               session->nr = 1;
+               session->nr = 0;
 
                sprintf(&session->name[0], "sess %u/%u",
                        tunnel->tunnel_id, session->session_id);
@@ -1626,7 +1890,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
                        hlist_add_head_rcu(&session->global_hlist,
                                           l2tp_session_id_hash_2(pn, session_id));
                        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
-                       synchronize_rcu();
                }
 
                /* Ignore management session in session count value */
@@ -1658,8 +1921,21 @@ static __net_init int l2tp_init_net(struct net *net)
        return 0;
 }
 
+static __net_exit void l2tp_exit_net(struct net *net)
+{
+       struct l2tp_net *pn = l2tp_pernet(net);
+       struct l2tp_tunnel *tunnel = NULL;
+
+       rcu_read_lock_bh();
+       list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
+               (void)l2tp_tunnel_delete(tunnel);
+       }
+       rcu_read_unlock_bh();
+}
+
 static struct pernet_operations l2tp_net_ops = {
        .init = l2tp_init_net,
+       .exit = l2tp_exit_net,
        .id   = &l2tp_net_id,
        .size = sizeof(struct l2tp_net),
 };
@@ -1672,7 +1948,14 @@ static int __init l2tp_init(void)
        if (rc)
                goto out;
 
-       printk(KERN_INFO "L2TP core driver, %s\n", L2TP_DRV_VERSION);
+       l2tp_wq = alloc_workqueue("l2tp", WQ_NON_REENTRANT | WQ_UNBOUND, 0);
+       if (!l2tp_wq) {
+               pr_err("alloc_workqueue failed\n");
+               rc = -ENOMEM;
+               goto out;
+       }
+
+       pr_info("L2TP core driver, %s\n", L2TP_DRV_VERSION);
 
 out:
        return rc;
@@ -1681,6 +1964,10 @@ out:
 static void __exit l2tp_exit(void)
 {
        unregister_pernet_device(&l2tp_net_ops);
+       if (l2tp_wq) {
+               destroy_workqueue(l2tp_wq);
+               l2tp_wq = NULL;
+       }
 }
 
 module_init(l2tp_init);