On 10/18/23 20:04, Gurchetan Singh wrote: > + > + ret = strncpy_from_user(vfpriv->debug_name, > + u64_to_user_ptr(value), > + DEBUG_NAME_MAX_LEN); > + > + if (ret < 0) { > + ret = -EFAULT; > + goto out_unlock; > + } > + > + /* > + * strncpy_from_user doesn't copy the NULL terminator when > + * DEBUG_NAME_MAX_LEN bytes is copied. Fix that here. > + */ > + if (ret == DEBUG_NAME_MAX_LEN) > + vfpriv->debug_name[DEBUG_NAME_MAX_LEN - 1] = '\0'; If you'll copy DEBUG_NAME_MAX_LEN-1 bytes, then string will be always NULL-terminated. It is a standard practice for strncpy usage to do it like this: ret = strncpy_from_user(vfpriv->debug_name, u64_to_user_ptr(value), DEBUG_NAME_MAX_LEN - 1); -- Best regards, Dmitry