kernel/linux.git/sound/core, branch v6.18.21

ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()

2026-03-19T15:08:22+00:00

commit 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 upstream. In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lifetime. A concurrent close() on the linked stream's fd triggers snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). No synchronization prevents kfree(runtime) from completing while the drain path dereferences the stale pointer. Fix by caching the needed runtime fields (no_period_wakeup, rate, buffer_size) into local variables while still holding the stream lock, and using the cached values after the lock is released. Fixes: f2b3614cefb6 ("ALSA: PCM - Don't check DMA time-out too shortly") Cc: stable@vger.kernel.org Signed-off-by: Mehul Rao Link: https://patch.msgid.link/20260305193508.311096-1-mehulrao@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman

ALSA: pcm: Revert bufs move in snd_pcm_xfern_frames_ioctl()

2026-03-04T12:21:35+00:00

[ Upstream commit 0585c53b21541cd6b17ad5ab41b371a0d52e358c ] When building with clang older than 17 targeting architectures that use asm goto for their get_user() and put_user(), such as arm64, after commit f3d233daf011 ("ALSA: pcm: Relax __free() variable declarations"), there are bogus errors around skipping over a variable declared with the cleanup attribute: sound/core/pcm_native.c:3308:6: error: cannot jump from this asm goto statement to one of its possible targets if (put_user(result, &_xfern->result)) ^ ... arch/arm64/include/asm/uaccess.h:298:2: note: expanded from macro '__put_mem_asm' asm goto( ^ sound/core/pcm_native.c:3295:6: note: possible target of asm goto statement if (put_user(0, &_xfern->result)) ^ ... sound/core/pcm_native.c:3300:8: note: jump exits scope of variable with __attribute__((cleanup)) void *bufs __free(kfree) = ^ clang-17 fixed a bug in clang's jump scope checker [1] where all labels in a function were checked as valid targets for all asm goto instances in a function, regardless of whether they were actual targets in a paricular asm goto's provided list of labels. To workaround this, revert the change done to snd_pcm_xfern_frames_ioctl() by commit f3d233daf011 ("ALSA: pcm: Relax __free() variable declarations") to avoid a variable declared with cleanup from existing between multiple uses of asm goto. There are no other uses of cleanup in this function so there should be low risk from moving this variable back to the top of the function. Link: https://github.com/ClangBuiltLinux/linux/issues/1886 [1] Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202512190802.i4Jzbcsl-lkp@intel.com/ Signed-off-by: Nathan Chancellor Link: https://patch.msgid.link/20260106-pcm_native-revert-var-move-free-for-old-clang-v1-1-06a03693423d@kernel.org Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin

ALSA: mixer: oss: Add card disconnect checkpoints

2026-03-04T12:20:08+00:00

[ Upstream commit 084d5d44418148662365eced3e126ad1a81ee3e2 ] ALSA OSS mixer layer calls the kcontrol ops rather individually, and pending calls might be not always caught at disconnecting the device. For avoiding the potential UAF scenarios, add sanity checks of the card disconnection at each entry point of OSS mixer accesses. The rwsem is taken just before that check, hence the rest context should be covered by that properly. Link: https://patch.msgid.link/20260209121212.171430-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin

ALSA: vmaster: Relax __free() variable declarations

2026-02-26T22:59:11+00:00

[ Upstream commit 3b7c7bda39e1e48f926fb3d280a5f5d20a939857 ] We used to have a variable declaration with __free() initialized with NULL. This was to keep the old coding style rule, but recently it's relaxed and rather recommends to follow the new rule to declare in place of use for __free() -- which avoids potential deadlocks or UAFs with nested cleanups. Although the current code has no bug, per se, let's follow the new standard and move the declaration to the place of assignment (or directly assign the allocated result) instead of NULL initializations. Fixes: fb9e197f3f27 ("ALSA: vmaster: Use automatic cleanup of kfree()") Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20251216140634.171890-9-tiwai@suse.de Signed-off-by: Sasha Levin

ALSA: pcm: Relax __free() variable declarations

2026-02-26T22:59:11+00:00

[ Upstream commit f3d233daf011abbad2f6ebd0e545b42d2f378a4f ] We used to have a variable declaration with __free() initialized with NULL. This was to keep the old coding style rule, but recently it's relaxed and rather recommends to follow the new rule to declare in place of use for __free() -- which avoids potential deadlocks or UAFs with nested cleanups. Although the current code has no bug, per se, let's follow the new standard and move the declaration to the place of assignment (or directly assign the allocated result) instead of NULL initializations. Fixes: ae9213984864 ("ALSA: pcm: Use automatic cleanup of kfree()") Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20251216140634.171890-4-tiwai@suse.de Signed-off-by: Sasha Levin

ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer

2026-01-23T10:21:23+00:00

commit 47c27c9c9c720bc93fdc69605d0ecd9382e99047 upstream. Handle the error code from snd_pcm_buffer_access_lock() in snd_pcm_runtime_buffer_set_silence() function. Found by Alexandros Panagiotou Fixes: 93a81ca06577 ("ALSA: pcm: Fix race of buffer access at PCM OSS layer") Cc: stable@vger.kernel.org # 6.15 Signed-off-by: Jaroslav Kysela Link: https://patch.msgid.link/20260107213642.332954-1-perex@perex.cz Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman

Merge tag 'sound-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

2025-10-02T18:37:19+00:00

Pull sound updates from Takashi Iwai: "It's been relatively calm in this cycle from the feature POV, but there were lots of cleanup works in the wide-range of code for converting with the auto-cleanup macros like guard(). The mostly user-visible changes are the support of a couple of new compress-offload API extensions, and the support of new ASoC codec / platform drivers as well as USB-audio quirks. Here we go with some highlights: Core: - Compress-offload API extension for 64bit timestamp support - Compress-offload API extension for OPUS codec support - Workaround for PCM locking issue with PREEMPT_RT and softirq - KCSAN warning fix for ALSA sequencer core ASoC: - Continued cleanup works for ASoC core APIs - Lots of cleanups and conversions of DT bindings - Substantial maintainance work on the Intel AVS drivers - Support for Qualcomm Glymur and PM4125, Realtek RT1321, Shanghai FourSemi FS2104/5S, Texas Instruments PCM1754 and TAS2783A - Remove support for TI WL1273 for old Nokia systems USB-audio: - Support for Tascam US-144mkII, Presonus S1824c support - More flexible quirk option handling - Fix for USB MIDI timer bug triggered by fuzzer Others: - A large series of cleanups with guard() & co macros over (non-ASoC) sound drivers (PCI, ISA, HD-audio, USB-audio, drivers, etc) - TAS5825 HD-audio side-codec support" * tag 'sound-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (454 commits) ALSA: usb-audio: don't hardcode gain for output channel of Presonus Studio ALSA: usb-audio: add the initial mix for Presonus Studio 1824c ALSA: doc: improved docs about quirk_flags in snd-usb-audio ALSA: usb-audio: make param quirk_flags change-able in runtime ALSA: usb-audio: improve module param quirk_flags ALSA: usb-audio: add two-way convert between name and bit for QUIRK_FLAG_* ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free ALSA: usb-audio: add mono main switch to Presonus S1824c ALSA: compress: document 'chan_map' member in snd_dec_opus ASoC: cs35l56: Add support for CS35L56 B2 silicon ASoC: cs35l56: Set fw_regs table after getting REVID ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100 ASoc: tas2783A: Fix an error code in probe() ASoC: tlv320aic3x: Fix class-D initialization for tlv320aic3007 ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075 ASoC: stm32: sai: manage context in set_sysclk callback ASoC: renesas: msiof: ignore 1st FSERR ASoC: renesas: msiof: Add note for The possibility of R/L opposite Capture ASoC: renesas: msiof: setup both (Playback/Capture) in the same time ASoC: renesas: msiof: tidyup DMAC stop timing ...

Merge tag 'asoc-v6.18' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-next

2025-09-20T06:38:17+00:00

ASoC: Updates for v6.18 A relatively quiet release for ASoC, we've had a lot of maintainance work going on and several new drivers but really the most remarkable thing is that we removed a driver, the WL1273 driver used in some old Nokia systems that have had the underlying system support removed from the kernel. - Morimoto-san continues his work on cleanups of the core APIs and enforcement of abstraction layers. - Lots of cleanups and conversions of DT bindings. - Substantial maintainance work on the Intel AVS drivers. - Support for Qualcomm Glymur and PM4125, Realtek RT1321, Shanghai FourSemi FS2104/5S, Texas Instruments PCM1754. - Remove support for TI WL1273.

ALSA: seq: Fix KCSAN data-race warning at snd_seq_fifo_poll_wait()

2025-09-17T12:14:12+00:00

snd_seq_fifo_poll_wait() evaluates f->cells without locking after poll_wait(), and KCSAN doesn't like it as it appears to be a data-race. Although this doesn't matter much in practice as the value is volatile, it's still better to address it for the mind piece. Wrap it with f->lock spinlock for avoiding the potential data race. Reported-by: syzbot+c3dbc239259940ededba@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=c3dbc239259940ededba Signed-off-by: Takashi Iwai

ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT

2025-09-16T09:35:21+00:00

snd_pcm_group_lock_irq() acquires a spinlock_t and disables interrupts via spin_lock_irq(). This also implicitly disables the handling of softirqs such as TIMER_SOFTIRQ. On PREEMPT_RT softirqs are preemptible and spin_lock_irq() does not disable them. That means a timer can be invoked during spin_lock_irq() on the same CPU. Due to synchronisations reasons local_bh_disable() has a per-CPU lock named softirq_ctrl.lock which synchronizes individual softirq against each other. syz-bot managed to trigger a lockdep report where softirq_ctrl.lock is acquired in hrtimer_cancel() in addition to hrtimer_run_softirq(). This is a possible deadlock. The softirq_ctrl.lock can not be made part of spin_lock_irq() as this would lead to too much synchronisation against individual threads on the system. To avoid the possible deadlock, softirqs must be manually disabled before the lock is acquired. Disable softirqs before the lock is acquired on PREEMPT_RT. Reported-by: syzbot+10b4363fb0f46527f3f3@syzkaller.appspotmail.com Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Takashi Iwai