[PATCH v2] ASoC: tas2781: reject too-short writes to acoustic_ctl debugfs

[PATCH v2] ASoC: tas2781: reject too-short writes to acoustic_ctl debugfs

[Yi Yang]

The acoustic_ctl_write debugfs handler allocates a buffer via
memdup_user(from, count) but only validates that count is not too
large. It then accesses src[0] through src[6] without ensuring
count >= 7.

Add a minimum-size check of 7 bytes.

Signed-off-by: Yi Yang <yangyi@moonshot.ai>
Assisted-by: kimi-cli:kimi-k2.6
---
v2: fix the sign-off mail as well as using Latin version of my name in the mail, so they match.
---
 sound/soc/codecs/tas2781-i2c.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
index a78a8f9b9833..73e2c5b47f96 100644
--- a/sound/soc/codecs/tas2781-i2c.c
+++ b/sound/soc/codecs/tas2781-i2c.c
@@ -1529,8 +1529,8 @@ static ssize_t acoustic_ctl_write(struct file *file,
        unsigned short chn;
        int ret = -1;
 
-       if (count > sizeof(*p)) {
-               dev_err(priv->dev, "count(%u) is larger than max(%u).\n",
+       if (count > sizeof(*p) || count < 7) {
+               dev_err(priv->dev, "count(%u) out of range [7, %u].\n",
                        (unsigned int)count, max_pkg_len);
                return ret;
        }
-- 
2.34.1

Re: [PATCH v2] ASoC: tas2781: reject too-short writes to acoustic_ctl debugfs

[Mark Brown]

[-- Attachment #1: Type: text/plain, Size: 335 bytes --]

On Tue, May 12, 2026 at 11:55:35PM +0800, Yi Yang wrote:
> The acoustic_ctl_write debugfs handler allocates a buffer via
> memdup_user(from, count) but only validates that count is not too
> large. It then accesses src[0] through src[6] without ensuring
> count >= 7.

This doesn't apply against current code, please check and resend.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]