[PATCH] proc: fix comm_write return value when truncated or error
From: Shengzhuo Wei
Date: Thu Apr 23 2026 - 16:08:20 EST
When count exceeds TASK_COMM_LEN-1, comm_write() copies at most
TASK_COMM_LEN-1 bytes but returns the original count. This violates
write(2) semantics, which require returning the number of bytes
actually written.
The count parameter is size_t and should not be repurposed to carry a
negative error code on the same_thread_group() failure path.
Introduce a local len for the truncated length and a separate ssize_t
ret for the return value.
Fixes: 4614a696bd1c ("procfs: allow threads to rename siblings via /proc/pid/tasks/tid/comm")
Signed-off-by: Shengzhuo Wei <me@xxxxxxxx>
---
fs/proc/base.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index d9acfa89c894bd1608580331e1d5b3018c59123b..5d34590dbe9d9f05147c3e6b34c615cbf0984b1c 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1727,8 +1727,10 @@ static ssize_t comm_write(struct file *file, const char __user *buf,
struct task_struct *p;
char buffer[TASK_COMM_LEN] = {};
const size_t maxlen = sizeof(buffer) - 1;
+ size_t len = count > maxlen ? maxlen : count;
+ ssize_t ret;
- if (copy_from_user(buffer, buf, count > maxlen ? maxlen : count))
+ if (copy_from_user(buffer, buf, len))
return -EFAULT;
p = get_proc_task(inode);
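Review bot: The open-coded clamp `size_t len = count > maxlen ? maxlen : count;` would read more naturally as `size_t len = min(count, maxlen);`, the kernel's usual helper for this kind of bound. Since `len` is now the single value that limits the user copy, a short comment would help, e.g. `/* copy at most maxlen bytes so the zero-initialised buffer keeps its trailing NUL */`. The signature and the rest of comm_write's body lie outside this hunk.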
@@ -1738,13 +1740,14 @@ static ssize_t comm_write(struct file *file, const char __user *buf,
if (same_thread_group(current, p)) {
set_task_comm(p, buffer);
proc_comm_connector(p);
+ ret = len;
+ } else {
+ ret = -EINVAL;
}
- else
- count = -EINVAL;
put_task_struct(p);
- return count;
+ return ret;
}
static int comm_show(struct seq_file *m, void *v)
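Review bot: Returning the truncated length via `ret = len;` in the `same_thread_group()` branch changes what writers of over-long names observe, and that deserves a check before merging. A caller that loops on short writes (many stdio-based tools do, though that is outside this diff) would issue a second write with the leftover bytes, and because the visible lines never consult a file offset, that call would presumably replace comm with the tail of the name rather than keep the truncated prefix. comm appears in process listings and audit records, so a silently different name is worth ruling out. If the old "whole write consumed" result is relied on, `ret = count;` preserves it while still keeping the error code in the separate `ssize_t ret`. Either way, a comment such as `/* names longer than TASK_COMM_LEN - 1 are truncated */` next to the assignment would record the choice.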
---
base-commit: 2e68039281932e6dc37718a1ea7cbb8e2cda42e6
change-id: 20260424-fix_proc_write_return-cd48edb86600
Best regards,
--
Shengzhuo Wei <me@xxxxxxxx>