The acoustic_ctl_write debugfs handler allocates a buffer via 
memdup_user(from, count) but only validates that count is not too 
large. It then accesses src[0] through src[6] without ensuring
count >= 7.

Add a minimum-size check of 7 bytes.

Signed-off-by: Yi Yang <yangyi@msh.team>
Assisted-by: kimi-cli:kimi-k2.6
---
 sound/soc/codecs/tas2781-i2c.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
index a78a8f9b9833..73e2c5b47f96 100644
--- a/sound/soc/codecs/tas2781-i2c.c
+++ b/sound/soc/codecs/tas2781-i2c.c
@@ -1529,8 +1529,8 @@ static ssize_t acoustic_ctl_write(struct file *file,
    unsigned short chn;
    int ret = -1; 
 
-   if (count > sizeof(*p)) {
-       dev_err(priv->dev, "count(%u) is larger than max(%u).\n",
+   if (count > sizeof(*p) || count < 7) {
+       dev_err(priv->dev, "count(%u) out of range [7, %u].\n",
            (unsigned int)count, max_pkg_len);
        return ret;
    }   
-- 
2.34.1

On Sun, May 10, 2026 at 01:51:54AM +0800, 杨弋 wrote:
> The acoustic_ctl_write debugfs handler allocates a buffer via 
> memdup_user(from, count) but only validates that count is not too 
> large. It then accesses src[0] through src[6] without ensuring
> count >= 7.
> 
> Add a minimum-size check of 7 bytes.
> 
> Signed-off-by: Yi Yang <yangyi@msh.team>
> Assisted-by: kimi-cli:kimi-k2.6

You haven't provided a good signoff here, the name and email you're
using here don't obviously correspond to those used in the email body.
Please see Documentation/process/submitting-patches.rst for details
on what this is and why it's important.

Apologizes, pretty new to this particular mail client and produced messy result. Will send a v2 to clean up.