From nobody Thu Feb 12 23:03:57 2026
Date: Thu, 2 Jan 2025 15:06:54 -0800
In-Reply-To:
<20250102230658.1112261-1-isaacmanjarres@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250102230658.1112261-1-isaacmanjarres@google.com>
Message-ID: <20250102230658.1112261-2-isaacmanjarres@google.com>
Subject: [PATCH v1 1/2] mm/memfd: Refactor and cleanup the logic in memfd_create()
From: "Isaac J. Manjarres"
To: lorenzo.stoakes@oracle.com, Andrew Morton
Cc: kaleshsingh@google.com, jstultz@google.com, aliceryhl@google.com, surenb@google.com, "Isaac J. Manjarres", kernel-team@android.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable

memfd_create() is a pretty busy function that could be easier to read if some of the logic was split out into helper functions.

Therefore, split the flags check, name creation, and file creation into their own helper functions, and create the file structure before creating the memfd. This allows for simplifying the error handling path in memfd_create().

No functional change.

Signed-off-by: Isaac J. Manjarres
--- mm/memfd.c | 87 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 56 insertions(+), 31 deletions(-) diff --git a/mm/memfd.c b/mm/memfd.c index c17c3ea701a1..2372b9b1dc18 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -327,16 +327,8 @@ static int check_sysctl_memfd_noexec(unsigned int *fla= gs) return 0; } =20 -SYSCALL_DEFINE2(memfd_create, - const char __user *, uname, - unsigned int, flags) +static int memfd_validate_flags(unsigned int flags) { - unsigned int *file_seals; - struct file *file; - int fd, error; - char *name; - long len; - if (!(flags & MFD_HUGETLB)) { if (flags & ~(unsigned int)MFD_ALL_FLAGS) return -EINVAL; 
@@ -351,20 +343,25 @@ SYSCALL_DEFINE2(memfd_create, if ((flags & MFD_EXEC) && (flags & MFD_NOEXEC_SEAL)) return -EINVAL; =20 - error =3D check_sysctl_memfd_noexec(&flags); - if (error < 0) - return error; + return check_sysctl_memfd_noexec(&flags); +} + +static char *memfd_create_name(const char __user *uname) +{ + int error; + char *name; + long len; =20 /* length includes terminating zero */ len =3D strnlen_user(uname, MFD_NAME_MAX_LEN + 1); if (len <=3D 0) - return -EFAULT; + return ERR_PTR(-EFAULT); if (len > MFD_NAME_MAX_LEN + 1) - return -EINVAL; + return ERR_PTR(-EINVAL); =20 name =3D kmalloc(len + MFD_NAME_PREFIX_LEN, GFP_KERNEL); if (!name) - return -ENOMEM; + return ERR_PTR(-ENOMEM); =20 strcpy(name, MFD_NAME_PREFIX); if (copy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, len)) { @@ -378,11 +375,22 @@ SYSCALL_DEFINE2(memfd_create, goto err_name; } =20 - fd =3D get_unused_fd_flags((flags & MFD_CLOEXEC) ? O_CLOEXEC : 0); - if (fd < 0) { - error =3D fd; - goto err_name; - } + return name; + +err_name: + kfree(name); + return ERR_PTR(error); +} + +static struct file *memfd_file_create(const char *name, unsigned int flags) +{ + unsigned int *file_seals; + struct file *file; + int error; + + error =3D memfd_validate_flags(flags); + if (error < 0) + return ERR_PTR(error); =20 if (flags & MFD_HUGETLB) { file =3D hugetlb_file_setup(name, 0, VM_NORESERVE, @@ -391,10 +399,8 @@ SYSCALL_DEFINE2(memfd_create, MFD_HUGE_MASK); } else file =3D shmem_file_setup(name, 0, VM_NORESERVE); - if (IS_ERR(file)) { - error =3D PTR_ERR(file); - goto err_fd; - } + if (IS_ERR(file)) + return file; file->f_mode |=3D FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE; file->f_flags |=3D O_LARGEFILE; =20 
@@ -414,13 +420,32 @@ SYSCALL_DEFINE2(memfd_create, *file_seals &=3D ~F_SEAL_SEAL; } =20 - fd_install(fd, file); - kfree(name); - return fd; + return file; +} =20 -err_fd: - put_unused_fd(fd); -err_name: +SYSCALL_DEFINE2(memfd_create, + const char __user *, uname, + unsigned int, flags) +{ + struct file *file; + int fd; + char *name; + + name =3D memfd_create_name(uname); + if (IS_ERR(name)) + return PTR_ERR(name); + + file =3D memfd_file_create(name, flags); + /* name is not needed beyond this point. */ kfree(name); - return error; + if (IS_ERR(file)) + return PTR_ERR(file); + + fd =3D get_unused_fd_flags((flags & MFD_CLOEXEC) ? O_CLOEXEC : 0); + if (fd >=3D 0) + fd_install(fd, file); + else + fput(file); + + return fd; } --=20 2.47.1.613.gc27f4b7a9f-goog
From nobody Thu Feb 12 23:03:57 2026
Date: Thu, 2 Jan 2025 15:06:55 -0800
In-Reply-To: <20250102230658.1112261-1-isaacmanjarres@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250102230658.1112261-1-isaacmanjarres@google.com>
Message-ID: <20250102230658.1112261-3-isaacmanjarres@google.com>
Subject: [PATCH v1 2/2] mm/memfd: Use strncpy_from_user() to read memfd name
From: "Isaac J. Manjarres"
To: lorenzo.stoakes@oracle.com, Andrew Morton
Cc: kaleshsingh@google.com, jstultz@google.com, aliceryhl@google.com, surenb@google.com, "Isaac J. Manjarres", kernel-team@android.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable

The existing logic uses strnlen_user() to calculate the length of the memfd name from userspace and then copies the string into a buffer using copy_from_user(). This is error-prone, as the string length could have changed between the time when it was calculated and when the string was copied. The existing logic handles this by ensuring that the last byte in the buffer is the terminating zero.

This handling is contrived and can better be handled by using strncpy_from_user(), which gets the length of the string and copies it in one shot. Therefore, simplify the logic for copying the memfd name by using strncpy_from_user().

No functional change.

Signed-off-by: Isaac J. Manjarres
--- mm/memfd.c | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/mm/memfd.c b/mm/memfd.c index 2372b9b1dc18..e14ac2c41fbb 100644 --- a/mm/memfd.c +++ b/mm/memfd.c 
@@ -352,26 +352,18 @@ static char *memfd_create_name(const char __user *una= me) char *name; long len; =20 - /* length includes terminating zero */ - len =3D strnlen_user(uname, MFD_NAME_MAX_LEN + 1); - if (len <=3D 0) - return ERR_PTR(-EFAULT); - if (len > MFD_NAME_MAX_LEN + 1) - return ERR_PTR(-EINVAL); - - name =3D kmalloc(len + MFD_NAME_PREFIX_LEN, GFP_KERNEL); + name =3D kmalloc(MFD_NAME_PREFIX_LEN + MFD_NAME_MAX_LEN + 1, GFP_KERNEL); if (!name) return ERR_PTR(-ENOMEM); =20 strcpy(name, MFD_NAME_PREFIX); - if (copy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, len)) { + /* length does not include terminating zero */ + len =3D strncpy_from_user(name + MFD_NAME_PREFIX_LEN, uname, MFD_NAME_MAX= _LEN + 1); + if (len < 0) { error =3D -EFAULT; goto err_name; - } - - /* terminating-zero may have changed after strnlen_user() returned */ - if (name[len + MFD_NAME_PREFIX_LEN - 1]) { - error =3D -EFAULT; + } else if (len > MFD_NAME_MAX_LEN) { + error =3D -EINVAL; goto err_name; } =20 --=20 2.47.1.613.gc27f4b7a9f-goog
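
Review bot: In patch 1/2 (hunk at -351,20), memfd_validate_flags() takes flags by value but ends with return check_sysctl_memfd_noexec(&flags), and that helper is declared with unsigned int *flags (visible in the first hunk header), so anything it writes through the pointer lands in the local copy and is lost on return. Before this change the address passed was that of the syscall's own flags, which the file-setup code that follows went on to test; memfd_file_create() now keeps testing its unmodified argument, which does not match "No functional change". Suggest making the helper take unsigned int *flags and passing &flags from memfd_file_create().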
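
Review bot: In patch 1/2 (hunk at -378,11), the call to memfd_validate_flags() sits at the top of memfd_file_create(), which places flag validation after memfd_create_name() in the new memfd_create() body, whereas the flag checks used to run first. A call with invalid flags now goes through strnlen_user(), kmalloc() and copy_from_user() before it is rejected, and a call with both invalid flags and a bad name pointer returns the name's error code instead of the flags one. Suggest calling memfd_validate_flags() at the top of the syscall, or stating the changed order of checks in the commit message.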
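
Review bot: In patch 1/2 (hunk at -414,13), the new memfd_create() body calls get_unused_fd_flags() only after memfd_file_create(), so a caller with no free descriptor has a shmem or hugetlb file set up and then dropped with fput() before seeing the error, where the old code failed before creating the file. The simpler unwind is a fair trade, but the commit message should mention the reordering, and a short comment on the else fput(file) branch saying it drops the reference taken at creation would help the next reader.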
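
Review bot: In patch 2/2, the len > MFD_NAME_MAX_LEN check in memfd_create_name() is what rejects an over-long name, and it works only because strncpy_from_user() returns the count it was given (MFD_NAME_MAX_LEN + 1 here) when it finds no terminator within that many bytes, leaving the buffer unterminated. The new comment says only that the length excludes the terminating zero; a comment on the -EINVAL branch stating that this return value means no terminator was found would make the bound obvious. Style: the else after goto err_name is not needed, a plain second if reads better.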
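
The race described in the 2/2 commit message, modelled in userspace as an added example (not code from the patch or the kernel). `NAME_MAX_LEN`, `race_hook`, `grow`, `copy_two_pass`, `copy_one_pass` and `read_name` are hypothetical names, and the hook stands in for a second thread rewriting the user buffer between the length measurement and the copy.

```c
#include <errno.h>
#include <string.h>

#define NAME_MAX_LEN 8   /* constructed stand-in for MFD_NAME_MAX_LEN */
typedef void (*race_hook)(char *ubuf);  /* plays a second thread writing ubuf */

/* Racing writer: overwrite the terminator of "abc" so the string grows. */
static void grow(char *ubuf) { ubuf[3] = 'X'; }

/* Two-pass: measure, then copy. `guard` enables the last-byte re-check. */
static long copy_two_pass(char *dst, char *ubuf, race_hook hook, int guard)
{
    const char *nul = memchr(ubuf, 0, NAME_MAX_LEN + 1);
    size_t len = nul ? (size_t)(nul - ubuf) + 1 : NAME_MAX_LEN + 2; /* counts NUL */
    if (len > NAME_MAX_LEN + 1)
        return -EINVAL;
    if (hook)
        hook(ubuf);              /* window between the two fetches */
    memcpy(dst, ubuf, len);      /* second fetch, sized by the stale length */
    if (guard && dst[len - 1])
        return -EFAULT;          /* terminator moved after it was measured */
    return (long)len - 1;
}

/* One-pass: each byte is fetched once and tested as it is stored. */
static long copy_one_pass(char *dst, const char *ubuf, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        dst[i] = ubuf[i];
        if (!dst[i])
            return (long)i;      /* length without the NUL */
    }
    return (long)count;          /* no NUL within count bytes */
}

/* Caller-side bound check matching the one-pass return convention. */
static long read_name(char *dst, const char *ubuf)
{
    long len = copy_one_pass(dst, ubuf, NAME_MAX_LEN + 1);
    return len > NAME_MAX_LEN ? -EINVAL : len;
}

int main(void)
{
    char u[NAME_MAX_LEN + 2] = "abc\0efg", dst[NAME_MAX_LEN + 2];  /* constructed */
    long n = copy_two_pass(dst, u, grow, 0);  /* reports 3, dst lacks a NUL */
    return (n == 3 && !memchr(dst, 0, 4) && read_name(dst, u) == 7) ? 0 : 1;
}
```

With `guard` set to 0 the two-pass copy reports a length of 3 for a buffer that holds no terminator, which is the state the old last-byte check existed to catch; the one-pass copy cannot report a length that disagrees with the bytes it stored.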