ACK: [CVE-2017-7487][PATCH T/Z] ipx: call ipxitf_put() in ioctl error path

[Colin Ian King]

On 20/07/17 08:57, Po-Hsu Lin wrote:
> From: Dan Carpenter <dan.carpenter at oracle.com>
> 
> CVE-2017-7487
> 
> We should call ipxitf_put() if the copy_to_user() fails.
> 
> Reported-by: 李强 <liqiang6-s at 360.cn>
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
> ---
>  net/ipx/af_ipx.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
> index 6857ae4..654e39d 100644
> --- a/net/ipx/af_ipx.c
> +++ b/net/ipx/af_ipx.c
> @@ -1183,11 +1183,10 @@ static int ipxitf_ioctl(unsigned int cmd, void __user *arg)
>  		sipx->sipx_network	= ipxif->if_netnum;
>  		memcpy(sipx->sipx_node, ipxif->if_node,
>  			sizeof(sipx->sipx_node));
> -		rc = -EFAULT;
> +		rc = 0;
>  		if (copy_to_user(arg, &ifr, sizeof(ifr)))
> -			break;
> +			rc = -EFAULT;
>  		ipxitf_put(ipxif);
> -		rc = 0;
>  		break;
>  	}
>  	case SIOCAIPXITFCRT:
> 
Clean cherry pick. Looks good.

Acked-by: Colin Ian King <colin.king at canonical.com>