Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cacbe3d7 authored by Jeff Mahoney's avatar Jeff Mahoney Committed by Linus Torvalds
Browse files

reiserfs: prepare_error_buf wrongly consumes va_arg 



vsprintf will consume varargs on its own. Skipping them manually
results in garbage in the error buffer, or Oopses in the case of
pointers.

This patch removes the advancement and fixes a number of bugs where
crashes were observed as side effects of a regular error report.

Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 45b03d5e

fs/reiserfs/prints.c

+3 −9
Original line number Diff line number Diff line
@@ -157,19 +157,16 @@ static void sprintf_disk_child(char *buf, struct disk_child *dc) 
		dc_size(dc));

}



static char *is_there_reiserfs_struct(char *fmt, int *what, int *skip)

static char *is_there_reiserfs_struct(char *fmt, int *what)

{

	char *k = fmt;



	*skip = 0;



	while ((k = strchr(k, '%')) != NULL) {

		if (k[1] == 'k' || k[1] == 'K' || k[1] == 'h' || k[1] == 't' ||

		    k[1] == 'z' || k[1] == 'b' || k[1] == 'y' || k[1] == 'a') {

			*what = k[1];

			break;

		}

		(*skip)++;

		k++;

	}

	return k;
@@ -193,18 +190,15 @@ static void prepare_error_buf(const char *fmt, va_list args) 
	char *fmt1 = fmt_buf;

	char *k;

	char *p = error_buf;

	int i, j, what, skip;

	int what;



	strcpy(fmt1, fmt);



	while ((k = is_there_reiserfs_struct(fmt1, &what, &skip)) != NULL) {

	while ((k = is_there_reiserfs_struct(fmt1, &what)) != NULL) {

		*k = 0;



		p += vsprintf(p, fmt1, args);



		for (i = 0; i < skip; i++)

			j = va_arg(args, int);



		switch (what) {

		case 'k':

			sprintf_le_key(p, va_arg(args, struct reiserfs_key *));