ifr->ifr_data is supposed to point to a struct spppreq, and the first
member of struct spppreq is cmd, which is of int type. A user space
struct spppreq spr may not be explicitly zeroed; on 64-bit architectures
fuword() or fueword() reads a 64-bit word, so garbage (the extra 4 bytes)
may be read into kernel space.

Prior to f9d8181868ee, the subcmd was declared as int; on little endian
64-bit architectures an implicit conversion from long (fuword) to int
may overflow (UB), which can happen to trash the garbage (the extra 4 bytes,
high 32 bits). Since f9d8181868ee there is no implicit conversion, so
we end up with a mismatched subcmd between user space and kernel.

It is a bit hackish to get the value of the cmd word via fueword; instead
we refer to it directly from spr->cmd.

This is a direct commit to stable/13 since sppp(4) is not present in
the main and stable/14 branches.

PR: 173002
Fixes: f9d8181868ee Fixed yet more ioctl breakage due to the type of ...
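
The mismatch described in the commit message, modelled in user space as an added example (not code from the commit or from FreeBSD). `struct spppreq_model`, `fetch_word64`, `SAMPLE_CMD` and the 0xA5 fill are assumptions for illustration; only "cmd is the first member and is an int" comes from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct spppreq: only "cmd is the first member
 * and is an int" comes from the commit message; the rest is assumed. */
struct spppreq_model {
    int      cmd;
    uint32_t next_bytes;   /* whatever follows cmd in the caller's buffer */
};

#define SAMPLE_CMD 0x1234  /* constructed value, not a real sppp subcommand */

/* Models fuword()/fueword() on a 64-bit machine: fetch one 64-bit word
 * starting at the address of the request. */
static int64_t fetch_word64(const void *uaddr)
{
    int64_t w;
    memcpy(&w, uaddr, sizeof(w));
    return w;
}

/* Models reading spr->cmd: work on a copy of the request and use the int
 * member (memcpy stands in for the user-to-kernel copy, an assumption). */
static int subcmd_from_member(const struct spppreq_model *u)
{
    struct spppreq_model spr;
    memcpy(&spr, u, sizeof(spr));
    return spr.cmd;
}

/* A caller that sets cmd but never zeroes the rest of the struct. */
static struct spppreq_model make_request(void)
{
    struct spppreq_model u;
    memset(&u, 0xA5, sizeof(u));   /* constructed "stack garbage" */
    u.cmd = SAMPLE_CMD;
    return u;
}

int main(void)
{
    struct spppreq_model u = make_request();
    printf("64-bit word: %#llx\n", (unsigned long long)fetch_word64(&u));
    printf("spr.cmd:     %#x\n", (unsigned)subcmd_from_member(&u));
    return 0;
}
```

Comparing the fetched word against a subcommand constant fails whenever the four bytes after `cmd` are non-zero, while the member read is independent of them.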