Index: lib/libc/sys/shm_open.c
===================================================================
--- lib/libc/sys/shm_open.c
+++ lib/libc/sys/shm_open.c
@@ -84,7 +84,7 @@
 	/* We've already validated that we're sufficiently sized. */
 	snprintf(memfd_name, NAME_MAX + 1, "%s%s", MEMFD_NAME_PREFIX, name);
 	oflags = O_RDWR;
-	shmflags = 0;
+	shmflags = SHM_GROW_ON_WRITE;
 	if ((flags & MFD_CLOEXEC) != 0)
 		oflags |= O_CLOEXEC;
 	if ((flags & MFD_ALLOW_SEALING) != 0)
Index: sys/compat/linux/linux_file.c
===================================================================
--- sys/compat/linux/linux_file.c
+++ sys/compat/linux/linux_file.c
@@ -1758,7 +1758,7 @@
 	if ((flags & MFD_HUGETLB) != 0)
 		return (ENOSYS);
 	oflags = O_RDWR;
-	shmflags = 0;
+	shmflags = SHM_GROW_ON_WRITE;
 	if ((flags & MFD_CLOEXEC) != 0)
 		oflags |= O_CLOEXEC;
 	if ((flags & MFD_ALLOW_SEALING) != 0)
Index: sys/kern/uipc_shm.c
===================================================================
--- sys/kern/uipc_shm.c
+++ sys/kern/uipc_shm.c
@@ -315,6 +315,7 @@
 	struct shmfd *shmfd;
 	void *rl_cookie;
 	int error;
+	off_t size;
 
 	shmfd = fp->f_data;
 #ifdef MAC
@@ -323,17 +324,42 @@
 		return (error);
 #endif
 	foffset_lock_uio(fp, uio, flags);
+	if (uio->uio_resid > OFF_MAX - uio->uio_offset) {
+		/*
+		 * Overflow is only an error if we're supposed to expand on
+		 * write.  Otherwise, we'll just truncate the write to the
+		 * size of the file, which can only grow up to OFF_MAX.
+		 */
+		if ((shmfd->shm_flags & SHM_GROW_ON_WRITE) != 0) {
+			foffset_unlock_uio(fp, uio, flags);
+			return (EFBIG);
+		}
+
+		size = shmfd->shm_size;
+	} else {
+		size = uio->uio_offset + uio->uio_resid;
+	}
 	if ((flags & FOF_OFFSET) == 0) {
 		rl_cookie = rangelock_wlock(&shmfd->shm_rl, 0, OFF_MAX,
 		    &shmfd->shm_mtx);
 	} else {
 		rl_cookie = rangelock_wlock(&shmfd->shm_rl, uio->uio_offset,
-		    uio->uio_offset + uio->uio_resid, &shmfd->shm_mtx);
+		    size, &shmfd->shm_mtx);
 	}
-	if ((shmfd->shm_seals & F_SEAL_WRITE) != 0)
+	if ((shmfd->shm_seals & F_SEAL_WRITE) != 0) {
 		error = EPERM;
-	else
-		error = uiomove_object(shmfd->shm_object, shmfd->shm_size, uio);
+	} else {
+		error = 0;
+		if ((shmfd->shm_flags & SHM_GROW_ON_WRITE) != 0 &&
+		    size > shmfd->shm_size) {
+			VM_OBJECT_WLOCK(shmfd->shm_object);
+			error = shm_dotruncate_locked(shmfd, size, rl_cookie);
+			VM_OBJECT_WUNLOCK(shmfd->shm_object);
+		}
+		if (error == 0)
+			error = uiomove_object(shmfd->shm_object,
+			    shmfd->shm_size, uio);
+	}
 	rangelock_unlock(&shmfd->shm_rl, rl_cookie, &shmfd->shm_mtx);
 	foffset_unlock_uio(fp, uio, flags);
 	return (error);
@@ -751,7 +777,7 @@
 	mode_t cmode;
 	int error, fd, initial_seals;
 
-	if ((shmflags & ~SHM_ALLOW_SEALING) != 0)
+	if ((shmflags & ~(SHM_ALLOW_SEALING | SHM_GROW_ON_WRITE)) != 0)
 		return (EINVAL);
 
 	initial_seals = F_SEAL_SEAL;
@@ -924,6 +950,7 @@
 		}
 	}
 
+	shmfd->shm_flags = shmflags;
 	if (name != NULL)
 		shmfd->shm_name = strdup(name, M_SHMFD);
 
Index: sys/sys/mman.h
===================================================================
--- sys/sys/mman.h
+++ sys/sys/mman.h
@@ -190,6 +190,7 @@
  * shmflags for shm_open2()
  */
 #define	SHM_ALLOW_SEALING		0x00000001
+#define	SHM_GROW_ON_WRITE		0x00000002
 
 /*
  * Flags for memfd_create().
@@ -278,6 +279,7 @@
 	struct rangelock shm_rl;
 	struct mtx	shm_mtx;
 
+	int		shm_flags;
 	int		shm_seals;
 	char		*shm_name;		/* Name, exposed via fdescfs. */
 };
Index: tests/sys/kern/memfd_test.c
===================================================================
--- tests/sys/kern/memfd_test.c
+++ tests/sys/kern/memfd_test.c
@@ -30,6 +30,7 @@
 
 #include <sys/fcntl.h>
 #include <sys/mman.h>
+#include <sys/stat.h>
 
 #include <atf-c.h>
 #include <errno.h>
@@ -38,18 +39,26 @@
 ATF_TC_WITHOUT_HEAD(basic);
 ATF_TC_BODY(basic, tc)
 {
+	struct stat sb;
 	int fd;
 	char buf[8];
 
 	ATF_REQUIRE((fd = memfd_create("...", 0)) != -1);
 
-	/* File size should be initially 0 */
-	ATF_REQUIRE(write(fd, buf, sizeof(buf)) == 0);
+	/* write(2) should grow us out automatically. */
+	ATF_REQUIRE(write(fd, buf, sizeof(buf)) == sizeof(buf));
+	ATF_REQUIRE(fstat(fd, &sb) == 0);
+	ATF_REQUIRE(sb.st_size == sizeof(buf));
 
 	/* ftruncate(2) must succeed without seals */
-	ATF_REQUIRE(ftruncate(fd, sizeof(buf) - 1) == 0);
+	ATF_REQUIRE(ftruncate(fd, 2 * (sizeof(buf) - 1)) == 0);
 
-	ATF_REQUIRE(write(fd, buf, sizeof(buf)) == sizeof(buf) - 1);
+	/* write(2) again must not be limited by ftruncate(2) size. */
+	ATF_REQUIRE(write(fd, buf, sizeof(buf)) == sizeof(buf));
+
+	/* Sanity check. */
+	ATF_REQUIRE(fstat(fd, &sb) == 0);
+	ATF_REQUIRE(sb.st_size == 2 * sizeof(buf));
 
 	close(fd);
 }