The function simple_write_to_buffer() doesn't add string termination at the end of buf, we need to add it on our own if calling that function to write the size of count chars to buf. This change refers to the function tokenize_input() in debug.c and the function sof_dfsentry_trace_filter_write() in trace.c. We didn't find this potential issue in the past because sometimes we are very lucky, we kzalloc the size of count buf, the kernel not only returns a buf with buf[0 ... (count - 1)] = 0 but buf[count] = 0, with this luck, this issue will not be exposed. Fixes: 091c12e1f50c ("ASoC: SOF: debug: add new debugfs entries for IPC flood test") Signed-off-by: Hui Wang <hui.wang@xxxxxxxxxxxxx> --- sound/soc/sof/debug.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/soc/sof/debug.c b/sound/soc/sof/debug.c index 30213a1beaaa..edd4893119dd 100644 --- a/sound/soc/sof/debug.c +++ b/sound/soc/sof/debug.c @@ -352,9 +352,10 @@ static ssize_t sof_dfsentry_write(struct file *file, const char __user *buffer, char *string; int ret; - string = kzalloc(count, GFP_KERNEL); + string = kzalloc(count+1, GFP_KERNEL); if (!string) return -ENOMEM; + string[count] = '\0'; size = simple_write_to_buffer(string, count, ppos, buffer, count); ret = size; -- 2.25.1