Index: lib/libc/sys/shm_open.c =================================================================== --- lib/libc/sys/shm_open.c +++ lib/libc/sys/shm_open.c @@ -84,7 +84,7 @@ /* We've already validated that we're sufficiently sized. */ snprintf(memfd_name, NAME_MAX + 1, "%s%s", MEMFD_NAME_PREFIX, name); oflags = O_RDWR; - shmflags = 0; + shmflags = SHM_GROW_ON_WRITE; if ((flags & MFD_CLOEXEC) != 0) oflags |= O_CLOEXEC; if ((flags & MFD_ALLOW_SEALING) != 0) Index: sys/compat/linux/linux_file.c =================================================================== --- sys/compat/linux/linux_file.c +++ sys/compat/linux/linux_file.c @@ -1758,7 +1758,7 @@ if ((flags & MFD_HUGETLB) != 0) return (ENOSYS); oflags = O_RDWR; - shmflags = 0; + shmflags = SHM_GROW_ON_WRITE; if ((flags & MFD_CLOEXEC) != 0) oflags |= O_CLOEXEC; if ((flags & MFD_ALLOW_SEALING) != 0) Index: sys/kern/uipc_shm.c =================================================================== --- sys/kern/uipc_shm.c +++ sys/kern/uipc_shm.c @@ -315,6 +315,7 @@ struct shmfd *shmfd; void *rl_cookie; int error; + off_t size; shmfd = fp->f_data; #ifdef MAC @@ -323,17 +324,42 @@ return (error); #endif foffset_lock_uio(fp, uio, flags); + if (uio->uio_resid > OFF_MAX - uio->uio_offset) { + /* + * Overflow is only an error if we're supposed to expand on + * write. Otherwise, we'll just truncate the write to the + * size of the file, which can only grow up to OFF_MAX. + */ + if ((shmfd->shm_flags & SHM_GROW_ON_WRITE) != 0) { + foffset_unlock_uio(fp, uio, flags); + return (EFBIG); + } + + size = shmfd->shm_size; + } else { + size = uio->uio_offset + uio->uio_resid; + } if ((flags & FOF_OFFSET) == 0) { rl_cookie = rangelock_wlock(&shmfd->shm_rl, 0, OFF_MAX, &shmfd->shm_mtx); } else { rl_cookie = rangelock_wlock(&shmfd->shm_rl, uio->uio_offset, - uio->uio_offset + uio->uio_resid, &shmfd->shm_mtx); + size, &shmfd->shm_mtx); } - if ((shmfd->shm_seals & F_SEAL_WRITE) != 0) + if ((shmfd->shm_seals & F_SEAL_WRITE) != 0) { error = EPERM; - else - error = uiomove_object(shmfd->shm_object, shmfd->shm_size, uio); + } else { + error = 0; + if ((shmfd->shm_flags & SHM_GROW_ON_WRITE) != 0 && + size > shmfd->shm_size) { + VM_OBJECT_WLOCK(shmfd->shm_object); + error = shm_dotruncate_locked(shmfd, size, rl_cookie); + VM_OBJECT_WUNLOCK(shmfd->shm_object); + } + if (error == 0) + error = uiomove_object(shmfd->shm_object, + shmfd->shm_size, uio); + } rangelock_unlock(&shmfd->shm_rl, rl_cookie, &shmfd->shm_mtx); foffset_unlock_uio(fp, uio, flags); return (error); @@ -751,7 +777,7 @@ mode_t cmode; int error, fd, initial_seals; - if ((shmflags & ~SHM_ALLOW_SEALING) != 0) + if ((shmflags & ~(SHM_ALLOW_SEALING | SHM_GROW_ON_WRITE)) != 0) return (EINVAL); initial_seals = F_SEAL_SEAL; @@ -924,6 +950,7 @@ } } + shmfd->shm_flags = shmflags; if (name != NULL) shmfd->shm_name = strdup(name, M_SHMFD); Index: sys/sys/mman.h =================================================================== --- sys/sys/mman.h +++ sys/sys/mman.h @@ -190,6 +190,7 @@ * shmflags for shm_open2() */ #define SHM_ALLOW_SEALING 0x00000001 +#define SHM_GROW_ON_WRITE 0x00000002 /* * Flags for memfd_create(). @@ -278,6 +279,7 @@ struct rangelock shm_rl; struct mtx shm_mtx; + int shm_flags; int shm_seals; char *shm_name; /* Name, exposed via fdescfs. */ }; Index: tests/sys/kern/memfd_test.c =================================================================== --- tests/sys/kern/memfd_test.c +++ tests/sys/kern/memfd_test.c @@ -30,6 +30,7 @@ #include #include +#include #include #include @@ -38,18 +39,26 @@ ATF_TC_WITHOUT_HEAD(basic); ATF_TC_BODY(basic, tc) { + struct stat sb; int fd; char buf[8]; ATF_REQUIRE((fd = memfd_create("...", 0)) != -1); - /* File size should be initially 0 */ - ATF_REQUIRE(write(fd, buf, sizeof(buf)) == 0); + /* write(2) should grow us out automatically. */ + ATF_REQUIRE(write(fd, buf, sizeof(buf)) == sizeof(buf)); + ATF_REQUIRE(fstat(fd, &sb) == 0); + ATF_REQUIRE(sb.st_size == sizeof(buf)); /* ftruncate(2) must succeed without seals */ - ATF_REQUIRE(ftruncate(fd, sizeof(buf) - 1) == 0); + ATF_REQUIRE(ftruncate(fd, 2 * (sizeof(buf) - 1)) == 0); - ATF_REQUIRE(write(fd, buf, sizeof(buf)) == sizeof(buf) - 1); + /* write(2) again must not be limited by ftruncate(2) size. */ + ATF_REQUIRE(write(fd, buf, sizeof(buf)) == sizeof(buf)); + + /* Sanity check. */ + ATF_REQUIRE(fstat(fd, &sb) == 0); + ATF_REQUIRE(sb.st_size == 2 * sizeof(buf)); close(fd); }