xfs: revert commit 8954c44ff477

The name passed into __xfs_xattr_put_listent is exactly namelen bytes
long and not null-terminated.  Passing namelen+1 to the strscpy function

    strscpy(offset, (char *)name, namelen + 1);

is therefore wrong.  Go back to the old code, which works fine because
strncpy won't find a null in @name and stops after namelen bytes.  It
really could be a memcpy call, but it worked for years.

Reported-by: syzbot+898115bc6d7140437215@syzkaller.appspotmail.com
Fixes: 8954c44ff477 ("xfs: use strscpy() to instead of strncpy()")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>

diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c
index 913c179..10aa1fd 100644 (file)
--- a/fs/xfs/xfs_xattr.c
+++ b/fs/xfs/xfs_xattr.c
@@ -212,7 +212,9 @@ __xfs_xattr_put_listent(
        offset = context->buffer + context->count;
        memcpy(offset, prefix, prefix_len);
        offset += prefix_len;
-       strscpy(offset, (char *)name, namelen + 1);                     /* real name */
+       strncpy(offset, (char *)name, namelen);                 /* real name */
+       offset += namelen;
+       *offset = '\0';
 
 compute_size:
        context->count += prefix_len + namelen + 1;