* [PATCH] ASoC: tas2781: reject too-short writes to acoustic_ctl debugfs
@ 2026-05-09 17:51 杨弋
2026-05-10 1:27 ` Mark Brown
0 siblings, 1 reply; 2+ messages in thread
From: 杨弋 @ 2026-05-09 17:51 UTC (permalink / raw)
To: Shenghao Ding, Kevin Lu, Baojun Xu
Cc: Liam Girdwood, Mark Brown, Jaroslav Kysela, Takashi Iwai,
linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org
The acoustic_ctl_write debugfs handler allocates a buffer via
memdup_user(from, count) but only validates that count is not too
large. It then accesses src[0] through src[6] without ensuring
count >= 7.
Add a minimum-size check of 7 bytes.
Signed-off-by: Yi Yang <yangyi@msh.team>
Assisted-by: kimi-cli:kimi-k2.6
---
sound/soc/codecs/tas2781-i2c.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
index a78a8f9b9833..73e2c5b47f96 100644
--- a/sound/soc/codecs/tas2781-i2c.c
+++ b/sound/soc/codecs/tas2781-i2c.c
@@ -1529,8 +1529,8 @@ static ssize_t acoustic_ctl_write(struct file *file,
unsigned short chn;
int ret = -1;
- if (count > sizeof(*p)) {
- dev_err(priv->dev, "count(%u) is larger than max(%u).\n",
+ if (count > sizeof(*p) || count < 7) {
+ dev_err(priv->dev, "count(%u) out of range [7, %u].\n",
(unsigned int)count, max_pkg_len);
return ret;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ASoC: tas2781: reject too-short writes to acoustic_ctl debugfs
2026-05-09 17:51 [PATCH] ASoC: tas2781: reject too-short writes to acoustic_ctl debugfs 杨弋
@ 2026-05-10 1:27 ` Mark Brown
0 siblings, 0 replies; 2+ messages in thread
From: Mark Brown @ 2026-05-10 1:27 UTC (permalink / raw)
To: 杨弋
Cc: Shenghao Ding, Kevin Lu, Baojun Xu, Liam Girdwood,
Jaroslav Kysela, Takashi Iwai, linux-sound@vger.kernel.org,
linux-kernel@vger.kernel.org
[-- Attachment #1: Type: text/plain, Size: 656 bytes --]
On Sun, May 10, 2026 at 01:51:54AM +0800, 杨弋 wrote:
> The acoustic_ctl_write debugfs handler allocates a buffer via
> memdup_user(from, count) but only validates that count is not too
> large. It then accesses src[0] through src[6] without ensuring
> count >= 7.
>
> Add a minimum-size check of 7 bytes.
>
> Signed-off-by: Yi Yang <yangyi@msh.team>
> Assisted-by: kimi-cli:kimi-k2.6
You haven't provided a good signoff here, the name and email you're
using here don't obviously correspond to those used in the email body.
Please see Documentation/process/submitting-patches.rst for details
on what this is and why it's important.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-10 1:27 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-09 17:51 [PATCH] ASoC: tas2781: reject too-short writes to acoustic_ctl debugfs 杨弋
2026-05-10 1:27 ` Mark Brown
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox