Btrfs: fix use-after-free when cloning a trailing file hole

[pandora-kernel.git] / fs / coredump.c

diff --git a/fs/coredump.c b/fs/coredump.c
index e3ad709..0b2528f 100644 (file)
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -73,10 +73,15 @@ static int expand_corename(struct core_name *cn, int size)
 static int cn_vprintf(struct core_name *cn, const char *fmt, va_list arg)
 {
        int free, need;
+       va_list arg_copy;
 
 again:
        free = cn->size - cn->used;
-       need = vsnprintf(cn->corename + cn->used, free, fmt, arg);
+
+       va_copy(arg_copy, arg);
+       need = vsnprintf(cn->corename + cn->used, free, fmt, arg_copy);
+       va_end(arg_copy);
+
        if (need < free) {
                cn->used += need;
                return 0;