Hello Peter Ujfalusi, The patch 066c67624d8c: "ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages" from May 6, 2022, leads to the following Smatch static checker warning: sound/soc/sof/sof-client-ipc-msg-injector.c:95 sof_msg_inject_ipc4_dfs_read() warn: userbuf overflow? is '8' <= 'count' sound/soc/sof/sof-client-ipc-msg-injector.c 72 static ssize_t sof_msg_inject_ipc4_dfs_read(struct file *file, 73 char __user *buffer, 74 size_t count, loff_t *ppos) 75 { 76 struct sof_client_dev *cdev = file->private_data; 77 struct sof_msg_inject_priv *priv = cdev->data; 78 struct sof_ipc4_msg *ipc4_msg = priv->rx_buffer; 79 size_t remaining; 80 81 if (!ipc4_msg->header_u64 || !count || *ppos) 82 return 0; 83 84 remaining = sizeof(ipc4_msg->header_u64); 85 86 /* Only get large config have payload */ 87 if (SOF_IPC4_MSG_IS_MODULE_MSG(ipc4_msg->primary) && 88 (SOF_IPC4_MSG_TYPE_GET(ipc4_msg->primary) == SOF_IPC4_MOD_LARGE_CONFIG_GET)) 89 remaining += ipc4_msg->data_size; 90 91 if (count > remaining) 92 count = remaining; 93 94 /* copy the header first */ --> 95 if (copy_to_user(buffer, &ipc4_msg->header_u64, sizeof(ipc4_msg->header_u64))) 96 return -EFAULT; 97 98 *ppos += sizeof(ipc4_msg->header_u64); 99 remaining -= sizeof(ipc4_msg->header_u64); 100 101 if (!remaining) 102 return count; 103 104 if (remaining > ipc4_msg->data_size) 105 remaining = ipc4_msg->data_size; 106 107 /* Copy the payload */ 108 if (copy_to_user(buffer + *ppos, ipc4_msg->data_ptr, remaining)) ^^^^^^^^^^^^^^^ Potentially writing more than count bytes resulting in corrupting the user space memory. 109 return -EFAULT; 110 111 *ppos += remaining; 112 return count; 113 } regards, dan carpenter