From: Harvey Harrison <harvey.harrison@gmail.com>

The copy_to_user was casting away the address space to get the offset of
the length member.  Use offsetof() instead and add it to the void __user
*argp.

drivers/mtd/mtdchar.c:527:23: warning: cast removes address space of expression
drivers/mtd/mtdchar.c:527:23: warning: incorrect type in argument 1 (different address spaces)
drivers/mtd/mtdchar.c:527:23:    expected void [noderef] <asn:1>*to
drivers/mtd/mtdchar.c:527:23:    got unsigned int *<noident>

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 drivers/mtd/mtdchar.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff -puN drivers/mtd/mtdchar.c~mtd-mtdcharc-silence-sparse-warning drivers/mtd/mtdchar.c
--- a/drivers/mtd/mtdchar.c~mtd-mtdcharc-silence-sparse-warning
+++ a/drivers/mtd/mtdchar.c
@@ -492,6 +492,7 @@ static int mtd_ioctl(struct inode *inode
 	{
 		struct mtd_oob_buf buf;
 		struct mtd_oob_ops ops;
+		struct mtd_oob_buf __user *user_buf = argp;
 	        uint32_t retlen;
 
 		if(!(file->f_mode & 2))
@@ -535,8 +536,7 @@ static int mtd_ioctl(struct inode *inode
 		if (ops.oobretlen > 0xFFFFFFFFU)
 			ret = -EOVERFLOW;
 		retlen = ops.oobretlen;
-		if (copy_to_user(&((struct mtd_oob_buf *)argp)->length,
-				 &retlen, sizeof(buf.length)))
+		if (copy_to_user(&user_buf->length, &retlen, sizeof(buf.length)))
 			ret = -EFAULT;
 
 		kfree(ops.oobbuf);
_