--- /dev/null
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: [PATCH] reiserfs: prepare_error_buf wrongly consumes va_arg
+
+ vsprintf will consume varargs on its own. Skipping them manually
+ results in garbage in the error buffer, or Oopses in the case of
+ pointers.
+
+ This patch removes the advancement and fixes a number of bugs where
+ crashes were observed as side effects of a regular error report.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+---
+
+ fs/reiserfs/prints.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/reiserfs/prints.c
++++ b/fs/reiserfs/prints.c
+@@ -157,19 +157,16 @@ static void sprintf_disk_child(char *buf
+ dc_size(dc));
+ }
+
+-static char *is_there_reiserfs_struct(char *fmt, int *what, int *skip)
++static char *is_there_reiserfs_struct(char *fmt, int *what)
+ {
+ char *k = fmt;
+
+- *skip = 0;
+-
+ while ((k = strchr(k, '%')) != NULL) {
+ if (k[1] == 'k' || k[1] == 'K' || k[1] == 'h' || k[1] == 't' ||
+ k[1] == 'z' || k[1] == 'b' || k[1] == 'y' || k[1] == 'a') {
+ *what = k[1];
+ break;
+ }
+- (*skip)++;
+ k++;
+ }
+ return k;
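Review bot: The specifier test on `k[1]` claims `h`, `t` and `z` as reiserfs structure codes, but these are also standard printf length modifiers, so a message format containing `%zu` or `%hu` would be split at that point. Its integer argument would then presumably be fetched with va_arg as a structure pointer, the way `case 'k'` does in prepare_error_buf. No such caller is visible here, so this is a latent hazard rather than a confirmed bug. A comment above the function would make the constraint explicit, e.g. `/* %h, %t and %z are taken by reiserfs structures; message formats must not use them as length modifiers */`. The closing brace of is_there_reiserfs_struct lies outside the hunk.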
+@@ -193,18 +190,15 @@ static void prepare_error_buf(const char
+ char *fmt1 = fmt_buf;
+ char *k;
+ char *p = error_buf;
+- int i, j, what, skip;
++ int what;
+
+ strcpy(fmt1, fmt);
+
+- while ((k = is_there_reiserfs_struct(fmt1, &what, &skip)) != NULL) {
++ while ((k = is_there_reiserfs_struct(fmt1, &what)) != NULL) {
+ *k = 0;
+
+ p += vsprintf(p, fmt1, args);
+
+- for (i = 0; i < skip; i++)
+- j = va_arg(args, int);
+-
+ switch (what) {
+ case 'k':
+ sprintf_le_key(p, va_arg(args, struct reiserfs_key *));
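Review bot: With the skip loop gone, the loop depends on `vsprintf(p, fmt1, args)` advancing the caller's `args`, which C does not guarantee: after a va_list is handed to a function that calls va_arg on it, its value in the caller is indeterminate. Where va_list is not an array type it is passed by value and does not advance, so `va_arg(args, struct reiserfs_key *)` in `case 'k'` would fetch an argument that was already formatted and treat it as a pointer. At minimum record the assumption above the loop, e.g. `/* relies on vsprintf() advancing args in the caller; true only where va_list is an array type */`. Separately, `strcpy(fmt1, fmt)` and the `vsprintf` into `error_buf` are unbounded and the buffer sizes are declared outside this hunk; a length-limited call such as `p += vscnprintf(p, end - p, fmt1, args);`, with `end` one past `error_buf`, would stop a long message running past the buffer. prepare_error_buf starts and ends outside the hunk.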