Date: Fri, 10 Jan 2025 08:58:59 -0800
In-Reply-To: <20250110165904.3437374-1-isaacmanjarres@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250110165904.3437374-1-isaacmanjarres@google.com>
Message-ID: <20250110165904.3437374-2-isaacmanjarres@google.com>
Subject: [PATCH v4 1/2] mm/memfd: Refactor and cleanup the logic in memfd_create()
From: "Isaac J. Manjarres"
To: lorenzo.stoakes@oracle.com, Andrew Morton
Cc: kaleshsingh@google.com, jstultz@google.com, aliceryhl@google.com, surenb@google.com, "Isaac J. Manjarres", kernel-team@android.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

memfd_create() is a pretty busy function that could be easier to read if some of the logic was split out into helper functions. Therefore, split the flags sanitization, name allocation, and file structure allocation into their own helper functions.

No functional change.

Reviewed-by: Alice Ryhl
Reviewed-by: Lorenzo Stoakes
Signed-off-by: Isaac J. Manjarres

--- mm/memfd.c | 81 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 58 insertions(+), 23 deletions(-) diff --git a/mm/memfd.c b/mm/memfd.c index 5f5a23c9051d..04d9e2a23df8 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -369,15 +369,9 @@ int memfd_check_seals_mmap(struct file *file, unsigned= long *vm_flags_ptr) return err; } =20 -SYSCALL_DEFINE2(memfd_create, - const char __user *, uname, - unsigned int, flags) +static int sanitize_flags(unsigned int *flags_ptr) { - unsigned int *file_seals; - struct file *file; - int fd, error; - char *name; - long len; + unsigned int flags =3D *flags_ptr; =20 if (!(flags & MFD_HUGETLB)) { if (flags & ~(unsigned int)MFD_ALL_FLAGS) 
@@ -393,20 +387,25 @@ SYSCALL_DEFINE2(memfd_create, if ((flags & MFD_EXEC) && (flags & MFD_NOEXEC_SEAL)) return -EINVAL; =20 - error =3D check_sysctl_memfd_noexec(&flags); - if (error < 0) - return error; + return check_sysctl_memfd_noexec(flags_ptr); +} + +static char *alloc_name(const char __user *uname) +{ + int error; + char *name; + long len; =20 /* length includes terminating zero */ len =3D strnlen_user(uname, MFD_NAME_MAX_LEN + 1); if (len <=3D 0) - return -EFAULT; + return ERR_PTR(-EFAULT); if (len > MFD_NAME_MAX_LEN + 1) - return -EINVAL; + return ERR_PTR(-EINVAL); =20 name =3D kmalloc(len + MFD_NAME_PREFIX_LEN, GFP_KERNEL); if (!name) - return -ENOMEM; + return ERR_PTR(-ENOMEM); =20 strcpy(name, MFD_NAME_PREFIX); if (copy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, len)) { @@ -420,23 +419,28 @@ SYSCALL_DEFINE2(memfd_create, goto err_name; } =20 - fd =3D get_unused_fd_flags((flags & MFD_CLOEXEC) ? O_CLOEXEC : 0); - if (fd < 0) { - error =3D fd; - goto err_name; - } + return name; + +err_name: + kfree(name); + return ERR_PTR(error); +} + +static struct file *alloc_file(const char *name, unsigned int flags) +{ + unsigned int *file_seals; + struct file *file; =20 if (flags & MFD_HUGETLB) { file =3D hugetlb_file_setup(name, 0, VM_NORESERVE, HUGETLB_ANONHUGE_INODE, (flags >> MFD_HUGE_SHIFT) & MFD_HUGE_MASK); - } else + } else { file =3D shmem_file_setup(name, 0, VM_NORESERVE); - if (IS_ERR(file)) { - error =3D PTR_ERR(file); - goto err_fd; } + if (IS_ERR(file)) + return file; file->f_mode |=3D FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE; file->f_flags |=3D O_LARGEFILE; =20 
@@ -456,6 +460,37 @@ SYSCALL_DEFINE2(memfd_create, *file_seals &=3D ~F_SEAL_SEAL; } =20 + return file; +} + +SYSCALL_DEFINE2(memfd_create, + const char __user *, uname, + unsigned int, flags) +{ + struct file *file; + int fd, error; + char *name; + + error =3D sanitize_flags(&flags); + if (error < 0) + return error; + + name =3D alloc_name(uname); + if (IS_ERR(name)) + return PTR_ERR(name); + + fd =3D get_unused_fd_flags((flags & MFD_CLOEXEC) ? O_CLOEXEC : 0); + if (fd < 0) { + error =3D fd; + goto err_name; + } + + file =3D alloc_file(name, flags); + if (IS_ERR(file)) { + error =3D PTR_ERR(file); + goto err_fd; + } + fd_install(fd, file); kfree(name); return fd; --=20 2.47.1.613.gc27f4b7a9f-goog
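Review bot: In sanitize_flags() (patch 1/2, hunks at -369 and -393), nothing at the definition says that the argument is in/out. The local "flags" is a snapshot of *flags_ptr used only for the validity checks, while the final "return check_sysctl_memfd_noexec(flags_ptr);" is handed the pointer and so can change the caller's value. A one-line comment above the helper stating that it validates the flags and may update them through the pointer would make that explicit, since the name "sanitize" alone does not say whether the helper only checks or also rewrites.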
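Review bot: alloc_name() (patch 1/2, hunk at -393) has no comment describing who owns the buffer it returns. It hands back either a kmalloc()'d string or an ERR_PTR(), and the syscall body in the last hunk frees it with kfree(name) after fd_install(). A short comment on the helper, for example "returns a kmalloc()'d name the caller must kfree(), or ERR_PTR() on failure", would document that contract. The helper also defines its own err_name label while the syscall body still uses "goto err_name;", so a distinct label name in alloc_name() would keep the two cleanup paths easy to tell apart.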
Date: Fri, 10 Jan 2025 08:59:00 -0800
In-Reply-To: <20250110165904.3437374-1-isaacmanjarres@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20250110165904.3437374-1-isaacmanjarres@google.com>
Message-ID: <20250110165904.3437374-3-isaacmanjarres@google.com>
Subject: [PATCH v4 2/2] mm/memfd: Use strncpy_from_user() to read memfd name
From: "Isaac J. Manjarres"
To: lorenzo.stoakes@oracle.com, Andrew Morton
Cc: kaleshsingh@google.com, jstultz@google.com, aliceryhl@google.com, surenb@google.com, "Isaac J. Manjarres", kernel-team@android.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The existing logic uses strnlen_user() to calculate the length of the memfd name from userspace and then copies the string into a buffer using copy_from_user(). This is error-prone, as the string length could have changed between the time when it was calculated and when the string was copied.

The existing logic handles this by ensuring that the last byte in the buffer is the terminating zero. This handling is contrived and can better be handled by using strncpy_from_user(), which gets the length of the string and copies it in one shot.

Therefore, simplify the logic for copying the memfd name by using strncpy_from_user().

No functional change.

Reviewed-by: Alice Ryhl
Reviewed-by: Lorenzo Stoakes
Signed-off-by: Isaac J. Manjarres

--- mm/memfd.c | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/mm/memfd.c b/mm/memfd.c index 04d9e2a23df8..37f7be57c2f5 100644 --- a/mm/memfd.c +++ b/mm/memfd.c 
@@ -396,26 +396,18 @@ static char *alloc_name(const char __user *uname) char *name; long len; =20 - /* length includes terminating zero */ - len =3D strnlen_user(uname, MFD_NAME_MAX_LEN + 1); - if (len <=3D 0) - return ERR_PTR(-EFAULT); - if (len > MFD_NAME_MAX_LEN + 1) - return ERR_PTR(-EINVAL); - - name =3D kmalloc(len + MFD_NAME_PREFIX_LEN, GFP_KERNEL); + name =3D kmalloc(NAME_MAX + 1, GFP_KERNEL); if (!name) return ERR_PTR(-ENOMEM); =20 strcpy(name, MFD_NAME_PREFIX); - if (copy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, len)) { + /* returned length does not include terminating zero */ + len =3D strncpy_from_user(&name[MFD_NAME_PREFIX_LEN], uname, MFD_NAME_MAX= _LEN + 1); + if (len < 0) { error =3D -EFAULT; goto err_name; - } - - /* terminating-zero may have changed after strnlen_user() returned */ - if (name[len + MFD_NAME_PREFIX_LEN - 1]) { - error =3D -EFAULT; + } else if (len > MFD_NAME_MAX_LEN) { + error =3D -EINVAL; goto err_name; } =20 --=20 2.47.1.613.gc27f4b7a9f-goog
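Review bot: The allocation in alloc_name() is now a fixed "kmalloc(NAME_MAX + 1, GFP_KERNEL)", but the copy that follows writes up to MFD_NAME_MAX_LEN + 1 bytes starting at offset MFD_NAME_PREFIX_LEN, so the buffer is large enough only if MFD_NAME_PREFIX_LEN + MFD_NAME_MAX_LEN <= NAME_MAX, and that relationship is defined outside this hunk. Sizing the allocation from the same constants used for the copy, or placing a BUILD_BUG_ON() for that inequality next to the kmalloc(), would keep the bound checked if either macro changes. Separately, the changelog says "No functional change", yet a name that grew between strnlen_user() and copy_from_user() used to fail with -EFAULT, while an over-long name is now reported as -EINVAL through the "len > MFD_NAME_MAX_LEN" branch; a sentence noting that would help.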
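The double fetch that the 2/2 commit message describes, modelled in user space as an added example (not code from the patch or from the kernel). NAME_MAX_LEN, race_hook, grow_name and both copy functions are hypothetical stand-ins: the hook plays the part of another thread rewriting the user buffer between the length measurement and the copy.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16	/* stand-in for MFD_NAME_MAX_LEN (assumed value) */

typedef void (*race_hook)(char *ubuf);	/* models a concurrent writer */

/* Constructed racer: grows the string after its length was measured. */
void grow_name(char *ubuf) { memset(ubuf, 'A', 10); ubuf[10] = '\0'; }

/* Two fetches: measure, then copy. Returns length incl. NUL or -errno. */
long copy_two_fetch(char *dst, char *ubuf, race_hook racer)
{
	const char *nul = memchr(ubuf, '\0', NAME_MAX_LEN + 1);	/* fetch 1 */
	size_t len;

	if (!nul)
		return -EINVAL;
	len = (size_t)(nul - ubuf) + 1;
	if (racer)
		racer(ubuf);		/* source changes between the fetches */
	memcpy(dst, ubuf, len);		/* fetch 2 */
	if (dst[len - 1] != '\0')	/* guard: measured length went stale */
		return -EFAULT;
	return (long)len;
}

/* One fetch: every byte is read once; the length falls out of the copy. */
long copy_single_fetch(char *dst, const char *ubuf)
{
	for (size_t i = 0; i < NAME_MAX_LEN + 1; i++) {
		dst[i] = ubuf[i];
		if (dst[i] == '\0')
			return (long)i;	/* length excludes the NUL */
	}
	return -EINVAL;			/* no terminator within the bound */
}

int main(void)
{
	char ubuf[32] = "short", dst[NAME_MAX_LEN + 1];

	printf("two-fetch, raced: %ld\n", copy_two_fetch(dst, ubuf, grow_name));
	printf("single-fetch:     %ld\n", copy_single_fetch(dst, ubuf));
	return 0;
}
```

Without the final-byte guard, the raced two-fetch copy would hand back an unterminated buffer; the single-fetch version has no window in which the measured length and the copied bytes can disagree.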