tun: impossible to deassert IFF_ONE_QUEUE or IFF_NO_PI

From: "Nathaniel Filardo" <nwfilardo@gmail.com>

Taken from http://bugzilla.kernel.org/show_bug.cgi?id=9806

The TUN/TAP driver only permits one-way transitions of IFF_NO_PI or
IFF_ONE_QUEUE during the lifetime of a tap/tun interface.  Note that
tun_set_iff contains

 541         if (ifr->ifr_flags & IFF_NO_PI)
 542                 tun->flags |= TUN_NO_PI;
 543 
 544         if (ifr->ifr_flags & IFF_ONE_QUEUE)
 545                 tun->flags |= TUN_ONE_QUEUE;

This is easily fixed by adding else branches which clear these bits.

Steps to reproduce:

This is easily reproduced by setting an interface persistant using tunctl then
attempting to open it as IFF_TAP or IFF_TUN, without asserting the IFF_NO_PI
flag.  The ioctl() will succeed and the ifr.flags word is not modified, but the
interface remains in IFF_NO_PI mode (as it was set by tunctl).

Acked-by: Maxim Krasnyansky <maxk@qualcomm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 4 insertions, 0 deletions

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 46339f6bcd00..038c1ef94d2e 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -529,9 +529,13 @@ static int tun_set_iff(struct file *file, struct ifreq *ifr)
 
 	if (ifr->ifr_flags & IFF_NO_PI)
 		tun->flags |= TUN_NO_PI;
+	else
+		tun->flags &= ~TUN_NO_PI;
 
 	if (ifr->ifr_flags & IFF_ONE_QUEUE)
 		tun->flags |= TUN_ONE_QUEUE;
+	else
+		tun->flags &= ~TUN_ONE_QUEUE;
 
 	file->private_data = tun;
 	tun->attached = 1;