From 48abfe05cd01279afe27159e98d7c7f932598f42 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Wed, 23 Apr 2008 19:37:58 -0700 Subject: [PATCH] tun: Fix minor race in TUNSETLINK ioctl handling. Noticed by Alan Cox. The IFF_UP test is a bit racey, because other entities outside of this driver's ioctl handler can modify that state, even though this ioctl handler runs under lock_kernel(). Signed-off-by: David S. Miller --- drivers/net/tun.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index d91856b19f6f..d8b1ba15aa6f 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -668,16 +668,23 @@ static int tun_chr_ioctl(struct inode *inode, struct file *file, break; case TUNSETLINK: + { + int ret; + /* Only allow setting the type when the interface is down */ + rtnl_lock(); if (tun->dev->flags & IFF_UP) { DBG(KERN_INFO "%s: Linktype set failed because interface is up\n", tun->dev->name); - return -EBUSY; + ret = -EBUSY; } else { tun->dev->type = (int) arg; DBG(KERN_INFO "%s: linktype set to %d\n", tun->dev->name, tun->dev->type); + ret = 0; } - break; + rtnl_unlock(); + return ret; + } #ifdef TUN_DEBUG case TUNSETDEBUG: