l2tp: prevent possible tunnel refcount underflow

		l2tp_tunnel_inc_refcount(tunnel);

	}

	WRITE_ONCE(session->tunnel, tunnel);

	hlist_add_head_rcu(&session->hlist, head);

	spin_unlock_bh(&tunnel->hlist_lock);

		if (!session->lns_mode && !session->send_seq) {

			trace_session_seqnum_lns_enable(session);

			session->send_seq = 1;

			l2tp_session_set_header_len(session, tunnel->version);

			l2tp_session_set_header_len(session, tunnel->version,

						    tunnel->encap);

		}

	} else {

		/* No sequence numbers.

		if (!session->lns_mode && session->send_seq) {

			trace_session_seqnum_lns_disable(session);

			session->send_seq = 0;

			l2tp_session_set_header_len(session, tunnel->version);

			l2tp_session_set_header_len(session, tunnel->version,

						    tunnel->encap);

		} else if (session->send_seq) {

			pr_debug_ratelimited("%s: recv data has no seq numbers when required. Discarding.\n",

					     session->name);

/* We come here whenever a session's send_seq, cookie_len or

 * l2specific_type parameters are set.

 */

void l2tp_session_set_header_len(struct l2tp_session *session, int version)

void l2tp_session_set_header_len(struct l2tp_session *session, int version,

				 enum l2tp_encap_type encap)

{

	if (version == L2TP_HDR_VER_2) {

		session->hdr_len = 6;

	} else {

		session->hdr_len = 4 + session->cookie_len;

		session->hdr_len += l2tp_get_l2specific_len(session);

		if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP)

		if (encap == L2TP_ENCAPTYPE_UDP)

			session->hdr_len += 4;

	}

}

	session = kzalloc(sizeof(*session) + priv_size, GFP_KERNEL);

	if (session) {

		session->magic = L2TP_SESSION_MAGIC;

		session->tunnel = tunnel;

		session->session_id = session_id;

		session->peer_session_id = peer_session_id;

			memcpy(&session->peer_cookie[0], &cfg->peer_cookie[0], cfg->peer_cookie_len);

		}

		l2tp_session_set_header_len(session, tunnel->version);

		l2tp_session_set_header_len(session, tunnel->version, tunnel->encap);

		refcount_set(&session->ref_count, 1);

int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb);

/* Transmit path helpers for sending packets over the tunnel socket. */

void l2tp_session_set_header_len(struct l2tp_session *session, int version);

void l2tp_session_set_header_len(struct l2tp_session *session, int version,

				 enum l2tp_encap_type encap);

int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb);

/* Pseudowire management.

		session->recv_seq = nla_get_u8(info->attrs[L2TP_ATTR_RECV_SEQ]);

	if (info->attrs[L2TP_ATTR_SEND_SEQ]) {

		struct l2tp_tunnel *tunnel = session->tunnel;

		session->send_seq = nla_get_u8(info->attrs[L2TP_ATTR_SEND_SEQ]);

		l2tp_session_set_header_len(session, session->tunnel->version);

		l2tp_session_set_header_len(session, tunnel->version, tunnel->encap);

	}

	if (info->attrs[L2TP_ATTR_LNS_MODE])

			po->chan.hdrlen = val ? PPPOL2TP_L2TP_HDR_SIZE_SEQ :

				PPPOL2TP_L2TP_HDR_SIZE_NOSEQ;

		}

		l2tp_session_set_header_len(session, session->tunnel->version);

		l2tp_session_set_header_len(session, session->tunnel->version,

					    session->tunnel->encap);

		break;

	case PPPOL2TP_SO_LNSMODE: