From a26af1e08a3a1e0f88e6f2685ac2313d713a59c9 Mon Sep 17 00:00:00 2001 From: Nathaniel Filardo Date: Tue, 5 Feb 2008 03:05:07 -0800 Subject: tun: impossible to deassert IFF_ONE_QUEUE or IFF_NO_PI From: "Nathaniel Filardo" Taken from http://bugzilla.kernel.org/show_bug.cgi?id=9806 The TUN/TAP driver only permits one-way transitions of IFF_NO_PI or IFF_ONE_QUEUE during the lifetime of a tap/tun interface. Note that tun_set_iff contains 541 if (ifr->ifr_flags & IFF_NO_PI) 542 tun->flags |= TUN_NO_PI; 543 544 if (ifr->ifr_flags & IFF_ONE_QUEUE) 545 tun->flags |= TUN_ONE_QUEUE; This is easily fixed by adding else branches which clear these bits. Steps to reproduce: This is easily reproduced by setting an interface persistant using tunctl then attempting to open it as IFF_TAP or IFF_TUN, without asserting the IFF_NO_PI flag. The ioctl() will succeed and the ifr.flags word is not modified, but the interface remains in IFF_NO_PI mode (as it was set by tunctl). Acked-by: Maxim Krasnyansky Signed-off-by: Andrew Morton Signed-off-by: David S. Miller --- drivers/net/tun.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'drivers/net') diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 46339f6bcd0..038c1ef94d2 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -529,9 +529,13 @@ static int tun_set_iff(struct file *file, struct ifreq *ifr) if (ifr->ifr_flags & IFF_NO_PI) tun->flags |= TUN_NO_PI; + else + tun->flags &= ~TUN_NO_PI; if (ifr->ifr_flags & IFF_ONE_QUEUE) tun->flags |= TUN_ONE_QUEUE; + else + tun->flags &= ~TUN_ONE_QUEUE; file->private_data = tun; tun->attached = 1; -- cgit v1.2.3