Next fun one, in net/ipv6/ip6_flowlabel.c:ipv6_flowlabel_opt() we
have this gem toward the end:

                if (!freq->flr_label) {
                        if (copy_to_user(&((struct in6_flowlabel_req __user 
                                         &fl->label, sizeof(fl->label))) {
                                /* Intentionally ignore fault. */

so it writes back to what was supposed to be the input parameter,
and only does it for a partial region.  Not sure how we could handle
that with any kind of copy to kernel in the caller scheme?
