Re: [PATCH] hugetlbfs: enforce F_SEAL_EXEC in setattr

From: David Hildenbrand (Arm)

Date: Mon Jun 29 2026 - 14:25:00 EST


On 6/29/26 20:02, Eva Kurchatova wrote:
> Commit 6fd735518263 ('mm/memfd: add F_SEAL_EXEC') added the F_SEAL_EXEC
> seal to memfd, with the corresponding enforcement implemented in

$ git show 6fd735518263
fatal: ambiguous argument '6fd735518263': unknown revision or path not in the
working tree.

Is it

6fd7353829ca ?

commit 6fd7353829cafc4067aad9eea0dc95da67e7df16
Author: Daniel Verkamp <dverkamp@xxxxxxxxxxxx>
Date: Thu Dec 15 00:12:01 2022 +0000

mm/memfd: add F_SEAL_EXEC



> shmem_setattr(): once F_SEAL_EXEC is set, fchmod() of any of the execute
> bits (S_IXUSR|S_IXGRP|S_IXOTH) is rejected with -EPERM.
>
> The hugetlbfs equivalent in hugetlbfs_setattr() was missed, even though
> hugetlbfs memfd files carry the same 'info->seals' bitmap and the same
> F_SEAL_EXEC bit can be added through memfd_create(... MFD_HUGETLB ...)
> plus fcntl(F_ADD_SEALS, F_SEAL_EXEC). As a result, the seal is silently
> ignored on hugetlbfs memfds and fchmod() may turn execute bits back on
> after the seal has been applied.
>
> Mirror the shmem check in hugetlbfs_setattr() so that ATTR_MODE changes
> that flip any execute bit on a sealed inode return -EPERM. This also
> fixes the memfd_test 'hugetlbfs' SEAL-EXEC subtest, which previously
> aborted on:
>
> fchmod(/memfd:kern_memfd_seal_exec (deleted), 00777) didn't fail as expected
>
> Fixes: 6fd735518263 ("mm/memfd: add F_SEAL_EXEC")
> Signed-off-by: Eva Kurchatova <eva.kurchatova@xxxxxxxxxxxxx>
> ---
> fs/hugetlbfs/inode.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
> index 216e1a0dd0b2..812bf8e21b91 100644
> --- a/fs/hugetlbfs/inode.c
> +++ b/fs/hugetlbfs/inode.c
> @@ -841,6 +841,11 @@ static int hugetlbfs_setattr(struct mnt_idmap *idmap,
> if (error)
> return error;
>
> + if ((info->seals & F_SEAL_EXEC) && (ia_valid & ATTR_MODE)) {
> + if ((inode->i_mode ^ attr->ia_mode) & 0111)
> + return -EPERM;
> + }

This matches the mm/shmem.c change but could be written as

if ((info->seals & F_SEAL_EXEC) && (ia_valid & ATTR_MODE) &&
(inode->i_mode ^ attr->ia_mode) & 0111))
return -EPERM;

But even better would be factoring that out into a common helper that checks that?

In any case change itself looks like the right thing to do for me.

--
Cheers,

David