reiserfs: prepare_error_buf wrongly consumes va_arg

vsprintf will consume varargs on its own. Skipping them manually
results in garbage in the error buffer, or Oopses in the case of
pointers.

This patch removes the advancement and fixes a number of bugs where
crashes were observed as side effects of a regular error report.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/reiserfs/prints.c b/fs/reiserfs/prints.c
index 50ed4bd3ef63b0f52a771efbc328e52a3ec3acc1..b87b23717c23115fb90be71a79501832ad7c4c32 100644 (file)
--- a/fs/reiserfs/prints.c
+++ b/fs/reiserfs/prints.c
@@ -157,19 +157,16 @@ static void sprintf_disk_child(char *buf, struct disk_child *dc)
                dc_size(dc));
 }
 
-static char *is_there_reiserfs_struct(char *fmt, int *what, int *skip)
+static char *is_there_reiserfs_struct(char *fmt, int *what)
 {
        char *k = fmt;
 
-       *skip = 0;
-
        while ((k = strchr(k, '%')) != NULL) {
                if (k[1] == 'k' || k[1] == 'K' || k[1] == 'h' || k[1] == 't' ||
                    k[1] == 'z' || k[1] == 'b' || k[1] == 'y' || k[1] == 'a') {
                        *what = k[1];
                        break;
                }
-               (*skip)++;
                k++;
        }
        return k;
@@ -193,18 +190,15 @@ static void prepare_error_buf(const char *fmt, va_list args)
        char *fmt1 = fmt_buf;
        char *k;
        char *p = error_buf;
-       int i, j, what, skip;
+       int what;
 
        strcpy(fmt1, fmt);
 
-       while ((k = is_there_reiserfs_struct(fmt1, &what, &skip)) != NULL) {
+       while ((k = is_there_reiserfs_struct(fmt1, &what)) != NULL) {
                *k = 0;
 
                p += vsprintf(p, fmt1, args);
 
-               for (i = 0; i < skip; i++)
-                       j = va_arg(args, int);
-
                switch (what) {
                case 'k':
                        sprintf_le_key(p, va_arg(args, struct reiserfs_key *));