kernel/linux.git/sound, branch linux-7.1.y

Merge tag 'asoc-fix-v7.1-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

2026-06-11T19:29:47+00:00

ASoC: Fixes for v7.1 A few more fixes for this release, some smaller driver specific ones plus a final quirk.

ASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions

2026-06-11T14:55:23+00:00

sdca_dev_unregister_functions() iterates over all SDCA function descriptors and calls sdca_dev_unregister() on each func_dev without checking for NULL. When a function registration has failed partway through, or the device cleanup races with probe deferral, func_dev entries may be NULL, leading to a kernel oops: BUG: kernel NULL pointer dereference, address: 0000000000000040 RIP: 0010:device_del+0x1e/0x3e0 Call Trace: sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca] release_nodes+0x35/0xb0 devres_release_all+0x90/0x100 device_unbind_cleanup+0xe/0x80 device_release_driver_internal+0x1c1/0x200 bus_remove_device+0xc6/0x130 device_del+0x161/0x3e0 device_unregister+0x17/0x60 sdw_delete_slave+0xb6/0xd0 [soundwire_bus] sdw_bus_master_delete+0x1e/0x50 [soundwire_bus] ... sof_probe_work+0x19/0x30 [snd_sof] This was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake) with the SOF audio driver probe failing due to missing Panther Lake firmware, causing the subsequent cleanup of SoundWire devices to trigger the crash. Fix this with three changes: 1) Add a NULL guard in sdca_dev_unregister() so that callers do not need to pre-validate the pointer (defense in depth). 2) In sdca_dev_unregister_functions(), skip NULL func_dev entries and clear func_dev to NULL after unregistration, making the function idempotent and safe against double-invocation. 3) In sdca_dev_register_functions(), roll back all previously registered functions when a later one fails, so the function array is never left in a partially-populated state. Fixes: 4496d1c65bad ("ASoC: SDCA: add function devices") Signed-off-by: Kean Ren Reviewed-by: Charles Keepax Link: https://patch.msgid.link/20260611023757.1553960-1-rh_king@163.com Signed-off-by: Mark Brown

ASoC: loongson: Fix invalid position error in ls_pcm_pointer

2026-06-11T10:21:24+00:00

The "invalid position" error occurred when the DMA position descriptor returned an invalid address value (e.g., pos = -1048838144). This happened because the `bytes_to_frames()` function returns a signed value, but when `addr < runtime->dma_addr`, the subtraction produces a negative result that gets interpreted as a large unsigned integer in comparisons. when the addr is abnormal, for example,the DMA controller is abnormal in hardware,x=0 should not be a point(x == runtime->buffer_size),but a range, which includes the addr address being less than runtime ->dma1-adr, and the addr exceeding the DMA address range.the value of pos should not better a negative，return 0, maybe better. [ 32.834431][ 2] soc-audio soc-audio: invalid position: , pos = -1048838144 [ 32.845019][ 2] soc-audio soc-audio: invalid position: , pos = -1048838144 [ 32.855588][ 2] soc-audio soc-audio: invalid position: , pos = -1048838144 [ 32.866145][ 2] soc-audio soc-audio: invalid position: , pos = -1048838144 [ 32.995394][ 2] soc-audio soc-audio: invalid position: , pos = -1048838144 [ 33.006025][ 2] soc-audio soc-audio: invalid position: , pos = -1048838144 [ 33.016748][ 2] soc-audio soc-audio: invalid position: , pos = -1048838144 Signed-off-by: Li Jun [Remove XRUN reporting I'd mistakenly avised adding on prior review -- broonie] Link: https://patch.msgid.link/20260611010045.3668574-1-lijun01@kylinos.cn Signed-off-by: Mark Brown

ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1403CDA

2026-06-09T23:07:06+00:00

Add a DMI quirk for the ASUS EXPERTBOOK PM1403CDA fixing the issue where the internal microphone was not detected. Link: https://bugzilla.kernel.org/show_bug.cgi?id=221608 Signed-off-by: Zhang Heng Link: https://patch.msgid.link/20260604125815.42297-1-zhangheng@kylinos.cn Signed-off-by: Mark Brown

ASoC: SOF: amd: set ipc flags to zero

2026-06-09T17:30:40+00:00

As per design, set IPC conf structure flags to zero during acp init sequence. Link: https://github.com/thesofproject/linux/pull/5642 Signed-off-by: Vijendar Mukunda Tested-by: Umang Jain Link: https://patch.msgid.link/20260609160938.3717513-2-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown

ASoC: SOF: amd: fix for ipc flags check

2026-06-09T17:30:39+00:00

Firmware will set dsp_ack to 1 when firmware sends response for the IPC command issued by host. Similarly dsp_msg flag will be updated to 1. During ACP D0 entry, the value read from the sof_dsp_ack_write scratch flag can be uninitialized. A non-zero garbage value is treated as a pending DSP IPC ack before SOF_FW_BOOT_COMPLETE, causing a spurious "IPC reply before FW_BOOT_COMPLETE" log. Fix the condition checks for ipc flags. Fixes: 738a2b5e2cc9 ("ASoC: SOF: amd: Add IPC support for ACP IP block") Link: https://github.com/thesofproject/linux/pull/5642 Signed-off-by: Vijendar Mukunda Tested-by: Umang Jain Link: https://patch.msgid.link/20260609160938.3717513-1-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown

ASoC: wm_adsp: Fix NULL dereference when removing firmware controls

2026-06-08T17:50:30+00:00

In wm_adsp_control_remove() check that the priv pointer is not NULL before attempting to cleanup what it points to. When cs_dsp creates a control it calls wm_adsp_control_add_cb() so that wm_adsp can create its own private control data. There are two cases where private data is not created: 1. The control is a SYSTEM control, so an ALSA control is not created. 2. The codec driver has registered a control_add() callback that hides the control, so wm_adsp_control_add() is not called. When cs_dsp_remove destroys its control list it calls wm_adsp_control_remove() for each control. But wm_adsp_control_remove() was attempting to cleanup the private data pointed to by cs_ctl->priv without checking the pointer for NULL. Signed-off-by: Richard Fitzgerald Fixes: 0700bc2fb94c ("ASoC: wm_adsp: Separate generic cs_dsp_coeff_ctl handling") Link: https://patch.msgid.link/20260604101244.1402862-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown

ALSA: timer: Fix UAF at snd_timer_user_params()

2026-06-07T07:23:44+00:00

At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However, it's still possible that other in-flight tasks are holding the timer instance where the to-be-deleted timer object is associated, and this may lead to racy accesses. Fortunately, most of ioctls dealing with the timer instance list already have the protection with register_mutex, and this also avoids such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the concurrent ioctl may lead to use-after-free. This patch just adds the guard with register_mutex to protect snd_timer_user_params() for covering the code path as a quick workaround. It's no hot-path but rather a rarely issued ioctl, so the performance penalty doesn't matter. Reported-by: Kyle Zeng Tested-by: Kyle Zeng Cc: Link: https://patch.msgid.link/20260606161145.1933447-2-tiwai@suse.de Signed-off-by: Takashi Iwai

ALSA: timer: Forcibly close timer instances at closing

2026-06-07T07:23:33+00:00

When snd_timer object is freed via snd_timer_free() and still pending snd_timer_instance objects are assigned to the timer object, it tries to unlink all instances and just set NULL to each ti->timer, then releases the resources immediately. The problem is, however, when there are slave timer instances that are associated with a master instance linked to this timer: namely, those slave instances still point to the freed timer object although the master instance is unlinked, which may lead to user-after-free. The bug can be easily triggered particularly when a new userspace-driven timers (CONFIG_SND_UTIMER) is involved, since it can create and delete the timer object via a simple file open/close, while the other applications may keep accessing to that timer. This patch is an attempt to paper over the problem above: now instead of just unlinking, call snd_timer_close[_locked]() forcibly for each pending timer instance, so that all assigned slave timer instances are properly detached, too. Since snd_timer_close() might be called later by the driver that created that instance, the check of SNDRV_TIMER_IFLG_DEAD is added at the beginning, too. Reported-by: Kyle Zeng Tested-by: Kyle Zeng Fixes: 37745918e0e7 ("ALSA: timer: Introduce virtual userspace-driven timers") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260606161145.1933447-1-tiwai@suse.de Signed-off-by: Takashi Iwai

ALSA: seq: dummy: fix UMP event stack overread

2026-06-05T08:08:57+00:00

The dummy sequencer port forwards events by copying an incoming struct snd_seq_event into a stack temporary, rewriting source and destination, and dispatching the temporary to subscribers. That legacy event storage is smaller than struct snd_seq_ump_event. When a UMP event reaches the dummy client, the copy leaves the UMP flag set but only provides legacy-sized stack storage. The subscriber delivery path then uses snd_seq_event_packet_size() and copies a UMP-sized packet from that stack object, reading past the end of the temporary. Use the existing union __snd_seq_event storage and copy the packet size reported for the incoming event before rewriting the common routing fields. This preserves the full UMP packet for UMP events while keeping legacy event handling unchanged. Fixes: 32cb23a0f911 ("ALSA: seq: dummy: Allow UMP conversion") Signed-off-by: Kyle Zeng Link: https://patch.msgid.link/20260605080204.32045-1-kylebot@openai.com Signed-off-by: Takashi Iwai