Hollis Blanchard <hollisb@us.ibm.com>

As pointed out by the Stanford checker, 'v' is not tainted.  The driver
should not be calling copy_to_user() in cadet_do_ioctl() at all:
cadet_do_ioctl() is called from
drivers/media/video/videodev.c:video_usercopy(), which has already copied the
buffer 'arg' (aka 'v') into kernel space, and which will copy it back after
cadet_do_ioctl() returns.  All the direct accesses through 'v' are therefore
correct.


 25-akpm/drivers/media/radio/radio-cadet.c |    6 ------
 1 files changed, 6 deletions(-)

diff -puN drivers/media/radio/radio-cadet.c~cadetradio-badcopy drivers/media/radio/radio-cadet.c
--- 25/drivers/media/radio/radio-cadet.c~cadetradio-badcopy	Mon Jun  2 13:25:36 2003
+++ 25-akpm/drivers/media/radio/radio-cadet.c	Mon Jun  2 13:25:36 2003
@@ -389,9 +389,6 @@ static int cadet_do_ioctl(struct inode *
 				        v->flags|=VIDEO_TUNER_STEREO_ON;
 			        }
 				v->flags|=cadet_getrds();
-			        if(copy_to_user(arg,&v, sizeof(v))) {
-				        return -EFAULT;
-			        }
 			        break;
 			        case 1:
 			        strcpy(v->name,"AM");
@@ -402,9 +399,6 @@ static int cadet_do_ioctl(struct inode *
 			        v->mode=0;
 			        v->mode|=VIDEO_MODE_AUTO;
 			        v->signal=sigstrength;
-			        if(copy_to_user(arg,&v, sizeof(v))) {
-				        return -EFAULT;
-			        }
 			        break;
 			}
 			return 0;

_