Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0.13 2026-06-19T11:47:50+00:00 2026-06-19T11:47:50+00:00 Richard Fitzgerald rf@opensource.cirrus.com 2026-06-04T10:12:44+00:00 urn:sha1:6effd6f7b0ba1f5d1df702b2ef7460bcc215e9b7 [ Upstream commit 7d3fb78b550301e43fdc60312aed733069694426 ] In wm_adsp_control_remove() check that the priv pointer is not NULL before attempting to cleanup what it points to. When cs_dsp creates a control it calls wm_adsp_control_add_cb() so that wm_adsp can create its own private control data. There are two cases where private data is not created: 1. The control is a SYSTEM control, so an ALSA control is not created. 2. The codec driver has registered a control_add() callback that hides the control, so wm_adsp_control_add() is not called. When cs_dsp_remove destroys its control list it calls wm_adsp_control_remove() for each control. But wm_adsp_control_remove() was attempting to cleanup the private data pointed to by cs_ctl->priv without checking the pointer for NULL. Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Fixes: 0700bc2fb94c ("ASoC: wm_adsp: Separate generic cs_dsp_coeff_ctl handling") Link: https://patch.msgid.link/20260604101244.1402862-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-09T10:32:25+00:00 Cássio Gabriel cassiogabrielcontato@gmail.com 2026-05-27T12:24:00+00:00 urn:sha1:05ef77f02607a3dc5d7f9762cb990f76843315d4 [ Upstream commit f63ad68e18d774a5d15cd7e405ead63f6b322679 ] simple_mux_control_put() rejects values greater than e->items, but enum control values are zero based. For the two-entry mux used by this driver, valid values are 0 and 1, so value 2 must be rejected as well. Accepting e->items can store an invalid mux state, pass it to the GPIO setter, and pass it on to the DAPM mux update path where it is used as an index into the enum text array. Use the same >= e->items check used by the ASoC enum helpers. Fixes: 342fbb7578d1 ("ASoC: add simple-mux") Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Link: https://patch.msgid.link/20260527-asoc-simple-mux-enum-bounds-v1-1-3f805b9fc671@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:54:53+00:00 Richard Fitzgerald rf@opensource.cirrus.com 2026-05-21T12:25:10+00:00 urn:sha1:39869f487a0b38c1f81c0d2b347911f690581de0 [ Upstream commit ba28a07a9a0b53a538c809e04e517e1ce1f1bee3 ] Rewrite cs_amp_create_debugfs() so that dput() will be called on a valid dentry returned from debugfs_lookup(). The pointer returned from debugfs_lookup() must be released by dput(). The pointer returned from debugfs_create_dir() does not need to be passed to dput(). Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Fixes: cdd27fa3298a ("ASoC: cs-amp-lib: Add helpers for factory calibration") Link: https://patch.msgid.link/20260521122511.987322-3-rf@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:54:53+00:00 Richard Fitzgerald rf@opensource.cirrus.com 2026-05-21T12:25:09+00:00 urn:sha1:c83f9320c04de21f5cfcfb8cb7e7b561f9f31925 [ Upstream commit 67a52d3ebb5a0ae0c0e23ffa99470d9463179c9f ] When calculating data->count replace the incorrect sizeof(data) with use of struct_offset(). The faulty sizeof(data) was incorrectly calculating the size of the pointer instead of the size of the struct pointed to. As it happens, both values are 8 on a 64-bit CPU. In the unlikely event of using this code on a 32-bit CPU the number of available bytes would be calculated 4 larger than is actually available. Instead of changing to sizeof(*data) it has been replaced by struct_offset() because it has better chance of detecting these sorts of typos. Also the offset of the data[] array is actually what we want to know here anyway. Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Fixes: 2b62e66626f0 ("ASoC: cs-amp-lib: Add function to write calibration to UEFI") Link: https://patch.msgid.link/20260521122511.987322-2-rf@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:54:53+00:00 Richard Fitzgerald rf@opensource.cirrus.com 2026-05-21T12:30:57+00:00 urn:sha1:feec26aecf41b2a9e33b8bb2004cfd700a9b7cf1 [ Upstream commit 18e7bd9f2446664053f8c34b72abd4606d22d858 ] Use flush_work() instead of cancel_work_sync() to terminate pending IRQ work in cs35l56_sdw_remove(). And flush_work() again after masking the interrupts to flush any queueing that was racing with the masking. This is the same sequence as cs35l56_sdw_system_suspend(). cs35l56_sdw_interrupt() takes the pm_runtime to prevent the bus powering- down before the interrupt status can be read and handled. The work releases this pm_runtime. So cancelling it, instead of flushing, could leave an unbalanced pm_runtime. Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Fixes: e49611252900 ("ASoC: cs35l56: Add driver for Cirrus Logic CS35L56") Link: https://patch.msgid.link/20260521123057.988732-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:54:44+00:00 Alexander A. Klimov grandmaster@al2klimov.de 2026-05-13T19:08:52+00:00 urn:sha1:6daefdf1cd3c56483f61970a76c0ad6028e4118f [ Upstream commit 0d435a7ebcd4e97e47673c1ab6fb27f973a053ec ] In fs210x_effect_scene_info(), a string was copied like this: strscpy(DST, SRC, strlen(SRC) + 1); A buffer overflow would happen if strlen(SRC) >= sizeof(DST). Actually, strscpy() must be used this way: strscpy(DST, SRC, sizeof(DST)); strscpy(DST, SRC); // defaults to sizeof(DST) Fixes: 756117701779 ("ASoC: codecs: Add FourSemi FS2104/5S audio amplifier driver") Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://patch.msgid.link/20260513190852.196723-2-grandmaster@al2klimov.de Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:54:27+00:00 Jeongjun Park aha310510@gmail.com 2026-05-21T11:37:12+00:00 urn:sha1:285159ca199cbbe424223d4b14db227b279b5767 commit 09e8f9a9aa19aa8c1b0cc7a0ebc68f6ecf86a660 upstream. In the pcm512x chipset driver, pcm512x_overclock_xxx_put() is defined as a general mixer kcontrol instead of a DAPM kcontrol, so struct snd_soc_dapm_context must not be accessed via snd_soc_dapm_kcontrol_to_dapm(). This causes a NULL pointer dereference, so it must be modified to use snd_soc_component_to_dapm(). Cc: stable@kernel.org Closes: https://github.com/raspberrypi/linux/issues/7242 Fixes: 02dbbb7e982a ("ASoC: codecs: pcm512x: convert to snd_soc_dapm_xxx()") Signed-off-by: Jeongjun Park <aha310510@gmail.com> Link: https://patch.msgid.link/20260521113712.227438-1-aha310510@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-23T11:09:32+00:00 Christian A. Ehrhardt christian.ehrhardt@codasip.com 2026-04-28T19:22:49+00:00 urn:sha1:4dbb4a4ffcd1dad606c3823cbb2262534133d226 [ Upstream commit a201aef1a88b675e9eb8487e27d14e2eef3cef80 ] ab8500_filter_controls[i].private_value is initialized using .private_value = (unsigned long)&(struct filter_control) {.count = xcount, .min = xmin, .max = xmax} thus it's a pointer to a struct filter_control casted to unsigned long. So to get back that pointer .private_data must be cast back, not its address. Fixes: 679d7abdc754 ("ASoC: codecs: Add AB8500 codec-driver") Signed-off-by: Christian A. Ehrhardt <christian.ehrhardt@codasip.com> Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Link: https://patch.msgid.link/20260428192255.2294705-2-u.kleine-koenig@baylibre.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-05-23T11:09:32+00:00 Richard Fitzgerald rf@opensource.cirrus.com 2026-04-28T11:52:28+00:00 urn:sha1:fd012e165ae2db85494eccc8192af34398a5c1d5 [ Upstream commit be102efb832ef7e30e4cd4c2edf22bbf64ddf35a ] Mark the OTP_MEM registers as volatile so that regcache_sync() will not attempt to write to them. These registers hold a constant, and originally they were marked as readable non-volatile so that this value would be read into the regmap cache. The problem with this is regcache_sync() issues a write for any cached register that does not have a reg_default. Though these registers are constants and writing them in normal use cannot change OTP, it is illegal for the host to write to them. Fixes: e1830f66f6c6 ("ASoC: cs35l56: Add helper functions for amp calibration") Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Link: https://patch.msgid.link/20260428115228.158252-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-05-23T11:09:27+00:00 James Calligeros jcalligeros99@gmail.com 2026-04-25T00:44:05+00:00 urn:sha1:d5ca2ba62f2c65f0c3e2f496198c1e922a6aa97f [ Upstream commit c7ecb6a61908c2604dda6e42da66724d256de7b9 ] The order of operations to derive the temperature from the temp register values was wrong, since 1000 / 16 is not an integer. This resulted in the calculated temperature value deviating from the value represented by the registers slightly, which was most obvious when the registers were zeroed (-92.265 *C vs the expected -93.000 *C). Scale the reading before dividing the whole thing by 16 to correct this. Fixes: ff73e2780169 ("ASoC: tas2770: expose die temp to hwmon") Signed-off-by: James Calligeros <jcalligeros99@gmail.com> Link: https://patch.msgid.link/20260425-tas27xx-hwmon-fixes-v1-3-83c13b8e8f54@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>