<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/sound/usb, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-26T05:46:59+00:00</updated>
<entry>
<title>ALSA: FCP: Fix NULL pointer dereference in interface lookup</title>
<updated>2026-06-26T05:46:59+00:00</updated>
<author>
<name>Jiaming Zhang</name>
<email>r772577952@gmail.com</email>
</author>
<published>2026-06-25T13:49:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e1e31e0ec8a609e17fd2e86b77bc00d9cbb24d7c'/>
<id>urn:sha1:e1e31e0ec8a609e17fd2e86b77bc00d9cbb24d7c</id>
<content type='text'>
A malformed USB device can provide a vendor-specific interface without
any endpoint descriptors. fcp_find_fc_interface() currently selects the
first vendor-specific interface and reads endpoint 0 from it, without
checking whether the interface actually has any endpoints.

When bNumEndpoints is zero, no endpoint array is allocated for the parsed
alternate setting, so get_endpoint(..., 0) yields an invalid endpoint
descriptor pointer. Dereferencing it through usb_endpoint_num() then
triggers a NULL pointer dereference.

Skip vendor-specific interfaces that do not have any endpoints.

Fixes: 46757a3e7d50 ("ALSA: FCP: Add Focusrite Control Protocol driver")
Reported-by: Jiaming Zhang &lt;r772577952@gmail.com&gt;
Closes: https://lore.kernel.org/lkml/CANypQFb1EHj0xX8bA1WxSOSK-5xca6ZNKzOQcp12=s=puY7VFw@mail.gmail.com/
Signed-off-by: Jiaming Zhang &lt;r772577952@gmail.com&gt;
Link: https://patch.msgid.link/20260625134933.425785-1-r772577952@gmail.com
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: usb-audio: qcom: Free QMI handle</title>
<updated>2026-06-25T11:56:21+00:00</updated>
<author>
<name>Xu Rao</name>
<email>raoxu@uniontech.com</email>
</author>
<published>2026-06-23T07:13:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b8ff1f3578f83dedf5feb796d97a3f67c1bea58f'/>
<id>urn:sha1:b8ff1f3578f83dedf5feb796d97a3f67c1bea58f</id>
<content type='text'>
qc_usb_audio_probe() allocates svc-&gt;uaudio_svc_hdl separately from the
uaudio_qmi_svc object.

qmi_handle_release() releases the resources owned by an initialized QMI
handle, but does not free the memory containing the struct qmi_handle
itself. The probe error path and the remove path currently release the
handle and then free svc, losing the last pointer to the separately
allocated handle.

This leaks one struct qmi_handle on each affected probe unwind and on
each successful probe/remove cycle.

Free the handle after qmi_handle_release() in both paths.

Signed-off-by: Xu Rao &lt;raoxu@uniontech.com&gt;
Link: https://patch.msgid.link/9108EC860F3F87DF+20260623071308.2549182-1-raoxu@uniontech.com
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: usb-audio: avoid kobject path lookup in DualSense match</title>
<updated>2026-06-25T11:52:32+00:00</updated>
<author>
<name>Darvell Long</name>
<email>contact@darvell.me</email>
</author>
<published>2026-06-24T14:37:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7693c0cc415f3a16a7a3355f245474a5e661be4e'/>
<id>urn:sha1:7693c0cc415f3a16a7a3355f245474a5e661be4e</id>
<content type='text'>
The DualSense jack-detection input handler verifies that a matching input
device belongs to the same physical controller by building kobject path
strings for both the input device and the USB audio device, then comparing
the path prefix.

This was observed when a weak physical connection caused the controller
to rapidly disconnect and reconnect. During that repeated hotplug,
snd_dualsense_ih_match() can run while the controller's USB device is
being disconnected. kobject_get_path() walks ancestor kobjects and
dereferences their names; if the USB device kobject name is no longer
valid, this can fault in strlen():

  RIP: 0010:strlen+0x10/0x30
  Call Trace:
   kobject_get_path+0x34/0x150
   snd_dualsense_ih_match+0x49/0xd0 [snd_usb_audio]
   input_register_device+0x566/0x6a0
   ps_probe+0xb89/0x1590 [hid_playstation]

The same ownership check can be done without building kobject path
strings. The input device is parented below the HID device, USB interface
and USB device, so walking the input device parent chain and comparing
against the mixer USB device preserves the check without dereferencing
kobject names during disconnect.

Fixes: 79d561c4ec04 ("ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5")
Cc: &lt;stable@vger.kernel.org&gt;
Assisted-by: Cute:gpt-5.5
Signed-off-by: Darvell Long &lt;contact@darvell.me&gt;
Link: https://patch.msgid.link/20260624143723.2986353-1-contact@darvell.me
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: FCP: Add Focusrite ISA C8X support</title>
<updated>2026-06-23T09:46:02+00:00</updated>
<author>
<name>Geoffrey D. Bennett</name>
<email>g@b4.vu</email>
</author>
<published>2026-06-22T17:29:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e0ecb324246be9cf3a0689346a658e48a38546b2'/>
<id>urn:sha1:e0ecb324246be9cf3a0689346a658e48a38546b2</id>
<content type='text'>
Add USB PID 0x821e to the list of devices handled by the Focusrite
Control Protocol (FCP) driver.

Cc: stable@vger.kernel.org
Signed-off-by: Geoffrey D. Bennett &lt;g@b4.vu&gt;
Link: https://patch.msgid.link/ajlw4HK+2RSW3nUl@m.b4.vu
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: usb-audio: Kill MIDI 2.0 URBs before freeing endpoints</title>
<updated>2026-06-19T08:49:21+00:00</updated>
<author>
<name>Cen Zhang</name>
<email>zzzccc427@gmail.com</email>
</author>
<published>2026-06-18T17:00:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f199c8a8bdd54296d3458777e70fe82a78bd9817'/>
<id>urn:sha1:f199c8a8bdd54296d3458777e70fe82a78bd9817</id>
<content type='text'>
MIDI 2.0 input URBs are started during snd_usb_midi_v2_create(). A
later setup failure can still jump to snd_usb_midi_v2_free(), which
currently frees each endpoint and its coherent URB buffers without first
stopping the submitted URBs. A completion can then dereference the
embedded URB context and endpoint state after they have been freed, or
try to resubmit from the stale endpoint.

This was observed as a KASAN slab-use-after-free in
input_urb_complete().

The buggy scenario involves two paths, with each column showing the order
within that path:

probe error path:                         USB completion path:
1. start_input_streams() submits          1. The HCD still owns a
   input URBs.                               submitted input URB.
2. A later setup helper returns           2. input_urb_complete() runs
   an error.                                 with urb-&gt;context in ep.
3. snd_usb_midi_v2_free() frees           3. The completion reads ep
   endpoint storage and URB buffers.         state and can requeue URBs.

Make the endpoint destructor follow the same teardown ordering used for
disconnect when the endpoint has not already been disconnected: publish
ep-&gt;disconnected, kill the URBs synchronously, and drain the endpoint
before freeing URB buffers and endpoint storage. The guard avoids
repeating the stop sequence after the normal
snd_usb_midi_v2_disconnect_all() path, while still synchronizing the
direct MIDI 2.0 create-error free path.

Validation reproduced this kernel report:
BUG: KASAN: slab-use-after-free in input_urb_complete+0x37/0x1b0
Workqueue: usb_hub_wq hub_event
RIP: 0010:_raw_spin_unlock_irq+0x2e/0x50
Read of size 8
Call trace:
  dump_stack_lvl+0x77/0xb0
  print_report+0xce/0x5f0
  input_urb_complete+0x37/0x1b0 (sound/usb/midi2.c:186)
  srso_alias_return_thunk+0x5/0xfbef5
  __virt_addr_valid+0x19f/0x330
  kasan_report+0xe0/0x110
  __usb_hcd_giveback_urb+0x112/0x1d0
  dummy_timer+0xaaa/0x19a0
  lock_is_held_type+0x9a/0x110
  __lock_acquire+0x467/0x28b0
  mark_held_locks+0x40/0x70
  _raw_spin_unlock_irqrestore+0x44/0x60
  lockdep_hardirqs_on_prepare+0xbb/0x1a0
  __hrtimer_run_queues+0x101/0x520
  hrtimer_run_softirq+0xd0/0x130
  handle_softirqs+0x15b/0x670
  __irq_exit_rcu+0xd0/0x170
  irq_exit_rcu+0xe/0x20
  sysvec_apic_timer_interrupt+0x6c/0x80
  asm_sysvec_apic_timer_interrupt+0x1a/0x20

Fixes: d9c99876868c ("ALSA: usb-audio: Create UMP blocks from USB MIDI GTBs")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Cen Zhang &lt;zzzccc427@gmail.com&gt;
Link: https://patch.msgid.link/20260618170010.191433-1-zzzccc427@gmail.com
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: usb-audio: Add quirk for YAMAHA CDS3000</title>
<updated>2026-06-18T15:48:56+00:00</updated>
<author>
<name>Jean-Louis Colaco</name>
<email>jean-louis.colaco@orange.fr</email>
</author>
<published>2026-06-18T11:32:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=348f69320e4db6ebec6940c81154bec4b9eb275a'/>
<id>urn:sha1:348f69320e4db6ebec6940c81154bec4b9eb275a</id>
<content type='text'>
This quirk is identical to the one for the Yamaha Steinberg UR22, here
applied to a CD player that also uses the Steinberg USB interface.
This quirk is necessary to avoid sporadic "click" noise when using the DAC
of the player.

Signed-off-by: Jean-Louis Colaco &lt;jean-louis.colaco@orange.fr&gt;
Link: https://patch.msgid.link/20260618113202.8363-1-jean-louis.colaco@orange.fr
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: usb-audio: qcom: clear opened when stream enable fails</title>
<updated>2026-06-18T10:44:59+00:00</updated>
<author>
<name>Michael Bommarito</name>
<email>michael.bommarito@gmail.com</email>
</author>
<published>2026-06-18T02:51:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3c7af07943b2718087ae791cad450af5cf646d90'/>
<id>urn:sha1:3c7af07943b2718087ae791cad450af5cf646d90</id>
<content type='text'>
On enable, subs-&gt;opened is set before the service_interval is validated;
an invalid interval jumps to the response label without clearing it, so
the substream is wedged at -EBUSY until a disable or disconnect.

Clear subs-&gt;opened on the enable error path.

Fixes: 326bbc348298a ("ALSA: usb-audio: qcom: Introduce QC USB SND offloading support")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
Link: https://patch.msgid.link/20260618025126.1862954-3-michael.bommarito@gmail.com
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: usb-audio: qcom: reject stream disable with no active interface</title>
<updated>2026-06-18T10:43:02+00:00</updated>
<author>
<name>Michael Bommarito</name>
<email>michael.bommarito@gmail.com</email>
</author>
<published>2026-06-18T02:51:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bdb640be82e645e2828731648f485224d0c2587b'/>
<id>urn:sha1:bdb640be82e645e2828731648f485224d0c2587b</id>
<content type='text'>
handle_uaudio_stream_req() resolves an interface index with
info_idx_from_ifnum(), which returns -EINVAL when no interface matches.
The enable branch and the response: cleanup label both guard against a
negative index, but the disable branch does not: it forms
info = &amp;uadev[pcm_card_num].info[info_idx] and dereferences it.

uadev[].info is a pointer allocated only when a stream is first enabled,
so a negative info_idx on the disable path is unsafe in two ways:

 - If the card was never enabled, .info is NULL and &amp;info[-EINVAL] is a
   wild pointer; reading info-&gt;data_ep_pipe faults (kernel oops).

 - If the card was enabled at least once (.info allocated) and the
   disable names an interface that does not match, &amp;info[-EINVAL] points
   before the allocation; info-&gt;data_ep_pipe / info-&gt;sync_ep_pipe are an
   out-of-bounds slab read and, when non-zero, an out-of-bounds 4-byte
   write (both pipe fields are cleared to 0). That is memory corruption,
   not just a NULL dereference.

The request is reachable from unprivileged local userspace over
AF_QIPCRTR. Reject a disable request with no resolved interface, matching
the guard the enable path already has.

Fixes: 326bbc348298a ("ALSA: usb-audio: qcom: Introduce QC USB SND offloading support")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito &lt;michael.bommarito@gmail.com&gt;
Link: https://patch.msgid.link/20260618025126.1862954-2-michael.bommarito@gmail.com
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: caiaq: bound the length in the EP1 input parsers</title>
<updated>2026-06-18T10:37:50+00:00</updated>
<author>
<name>Maoyi Xie</name>
<email>maoyixie.tju@gmail.com</email>
</author>
<published>2026-06-18T06:03:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=58fc1275b3f288500ee79a02dbe89ed4197fdc3e'/>
<id>urn:sha1:58fc1275b3f288500ee79a02dbe89ed4197fdc3e</id>
<content type='text'>
snd_caiaq_input_read_erp() and snd_caiaq_input_read_io() can be reached
from snd_usb_caiaq_input_dispatch(). They read fixed byte offsets from
the reply buffer without checking the reported length. On a short reply
they decode stale bytes left from a previous, longer report and feed them
to the input layer.

This is not an out-of-bounds access. Every offset is a compile-time
driver constant. The largest is buf[21] in the Maschine ERP case. The
EP1 transfer buffer ep1_in_buf is EP1_BUFSIZE (64) bytes, and the USB
core caps actual_length at 64, so a short reply only reads in-bounds
stale data. Acting on data the device did not send is still wrong, so
bail out per usb_id case when the reply is shorter than the bytes that
case consumes.

  read_erp: AK1 needs 2 bytes, Kore needs 16, Maschine needs 22.
  read_io:  the Kore case needs 5 bytes (buf[4]) and the Traktor Kontrol
            X1 case needs 7 (buf[5]/buf[6]). The preceding key bit loop
            is already bounded by "i &lt; len * 8" and is left untouched.

snd_caiaq_input_read_analog() and snd_usb_caiaq_maschine_dispatch() are
not changed. Their callers already floor the reply length.

Suggested-by: Takashi Iwai &lt;tiwai@suse.com&gt;
Signed-off-by: Maoyi Xie &lt;maoyixie.tju@gmail.com&gt;
Link: https://patch.msgid.link/178176259547.3343534.6659489917322808916@maoyixie.com
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
<entry>
<title>ALSA: caiaq: fix out-of-bounds read in the Traktor Kontrol S4 input parser</title>
<updated>2026-06-18T10:37:40+00:00</updated>
<author>
<name>Maoyi Xie</name>
<email>maoyixie.tju@gmail.com</email>
</author>
<published>2026-06-18T06:03:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f7f3f9fd81e7adbaa12c2e62ee07f0e094a543fd'/>
<id>urn:sha1:f7f3f9fd81e7adbaa12c2e62ee07f0e094a543fd</id>
<content type='text'>
snd_usb_caiaq_tks4_dispatch() decodes the Traktor Kontrol S4 input
stream in fixed 16-byte (TKS4_MSGBLOCK_SIZE) message blocks. On every
iteration it advances buf and subtracts the block size while looping on
"while (len)".

len is urb-&gt;actual_length. That value is supplied by the device and is
not guaranteed to be a multiple of 16. When a final short block leaves
len between 1 and 15, the loop runs once more, reads up to buf[15], and
then does "len -= TKS4_MSGBLOCK_SIZE". As len is unsigned this underflows
to a huge value. The loop then keeps iterating and walking buf far past
the end of the 512-byte ep4_in_buf, reading out of bounds until a bogus
block id happens to be hit.

Iterate only while a full message block is available. This stops the
unsigned underflow and silently drops any trailing partial block, which
carries no complete control value anyway.

The sibling endpoint-4 parsers are not affected. The Traktor Kontrol X1
and Maschine arms in snd_usb_caiaq_ep4_reply_dispatch() floor
urb-&gt;actual_length before dispatching.

Fixes: 15c5ab607045 ("ALSA: snd-usb-caiaq: Add support for Traktor Kontrol S4")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie &lt;maoyixie.tju@gmail.com&gt;
Link: https://patch.msgid.link/178176259547.3343534.2724779296835237429@maoyixie.com
Signed-off-by: Takashi Iwai &lt;tiwai@suse.de&gt;
</content>
</entry>
</feed>
