Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.15.209 2026-06-01T15:35:46+00:00 2026-06-01T15:35:46+00:00 Takashi Iwai tiwai@suse.de 2026-05-15T08:55:58+00:00 urn:sha1:34d0d492a2812b9289af14bca3573a89275965b2 commit 7b7d6572145c1dab2dd9bfb550b188e5f0ff3c3f upstream. find_control() to retrieve a cached info accesses the array with the given index blindly, which may lead to an OOB array access. Add a sanity check for avoiding it. Link: https://sashiko.dev/#/patchset/20260511230121.28606-1-rosenp%40gmail.com Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20260515085606.242284-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-06-01T15:35:46+00:00 Cássio Gabriel cassiogabrielcontato@gmail.com 2026-05-19T03:32:15+00:00 urn:sha1:5c09382f1da218fbc02b45b7c17bd42a442eb10b commit b59d5c51bb328a60749b4dd5fe7e649bfb4089b4 upstream. find_format_descriptor() walks the class-specific interface extras by advancing with bLength. It rejects descriptors that extend past the remaining buffer, but it does not reject descriptor lengths smaller than a USB descriptor header. Reject too-short descriptors before using bLength to advance the local scan. This keeps the UA-101 parser robust against malformed descriptor data and matches the usual USB descriptor walking rules. Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support") Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Link: https://patch.msgid.link/20260519-alsa-ua101-desc-len-v1-1-4307d1a5e054@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-06-01T15:35:44+00:00 Cássio Gabriel cassiogabrielcontato@gmail.com 2026-05-07T03:40:51+00:00 urn:sha1:c65b137d351e21cbc5630e73ef0eb1e1d75f5b20 commit d6854daa67be623860f4e1873fd3d3c275aba4ed upstream. snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint descriptor size before using baAssocJackID[], but the descriptor walker can still return a class-specific endpoint descriptor whose bLength exceeds the remaining bytes in the endpoint-extra scan. That leaves later flexible-array reads bounded by bLength, but not by the remaining bytes in the endpoint-extra scan. Stop walking when bLength is zero or extends past the remaining endpoint-extra scan. Fixes: 5c6cd7021a05 ("ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor") Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Link: https://patch.msgid.link/20260507-usb-midi-endpoint-scan-bounds-v1-1-329d7348160e@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-06-01T15:35:43+00:00 wangdicheng wangdicheng@kylinos.cn 2026-04-28T08:04:50+00:00 urn:sha1:49c2c5924552e1d2f8b635dee663abebbb7cf63b [ Upstream commit b0e2333a231107adedd38c6fcfe1adc6162716fc ] In cx_probe(), the return value of snd_hda_jack_detect_enable_callback() is ignored. This function returns a pointer, and if it fails (e.g., due to memory allocation failure), it returns an error pointer which must be checked using IS_ERR(). If the registration fails, the driver continues to probe, but the jack detection callback will not be registered. This can lead to a kernel crash later when the driver attempts to handle jack events or accesses the uninitialized structure. Check the return value using IS_ERR() and propagate the error via PTR_ERR() to the probe caller. Fixes: 7aeb25908648 ("ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140") Signed-off-by: wangdicheng <wangdicheng@kylinos.cn> Link: https://patch.msgid.link/20260428080450.108801-1-wangdich9700@163.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:35:43+00:00 wangdicheng wangdicheng@kylinos.cn 2025-06-16T07:43:31+00:00 urn:sha1:7074bc53323fce5604f18da5f86b755982eac29d [ Upstream commit 7f4c540e0859e2025675d2c5c5c6ab88eaf817e2 ] Due to changes in the manufacturer's plan, all 0x14f11f86 will be named CX11880, and 0x14f11f87 will be named SN6140 Signed-off-by: wangdicheng <wangdicheng@kylinos.cn> Link: https://patch.msgid.link/20250616074331.581309-1-wangdich9700@163.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Stable-dep-of: b0e2333a2311 ("ALSA: hda/conexant: Fix missing error check for jack detection") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:35:43+00:00 Oldherl Oh me@oldherl.one 2024-09-30T08:41:32+00:00 urn:sha1:d35f9b77465f153c336a845b9274361b12c0edb9 [ Upstream commit 73253f2fd1d0a44708735c842e37163712e3f03b ] Fix some typos in patch_conexant.c Signed-off-by: Oldherl Oh <me@oldherl.one> Link: https://patch.msgid.link/20240930084132.3373750-1-me@oldherl.one Signed-off-by: Takashi Iwai <tiwai@suse.de> Stable-dep-of: b0e2333a2311 ("ALSA: hda/conexant: Fix missing error check for jack detection") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:35:43+00:00 bo liu bo.liu@senarytech.com 2022-05-06T02:57:35+00:00 urn:sha1:6f5c6189c6467dec9c7475540fe643d140b13874 [ Upstream commit ca348e7fe1ab9192ad7d9ff029a82a1594e0e289 ] The current kernel does not support the SN6140 codec chip. Add the SN6140 codec configuration item to kernel. Signed-off-by: bo liu <bo.liu@senarytech.com> Link: https://lore.kernel.org/r/20220506025735.17731-1-bo.liu@senarytech.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Stable-dep-of: b0e2333a2311 ("ALSA: hda/conexant: Fix missing error check for jack detection") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:35:42+00:00 Christian A. Ehrhardt christian.ehrhardt@codasip.com 2026-04-28T19:22:49+00:00 urn:sha1:2ab2797eab75a58e2c776119d6f0fa334012ec7f [ Upstream commit a201aef1a88b675e9eb8487e27d14e2eef3cef80 ] ab8500_filter_controls[i].private_value is initialized using .private_value = (unsigned long)&(struct filter_control) {.count = xcount, .min = xmin, .max = xmax} thus it's a pointer to a struct filter_control casted to unsigned long. So to get back that pointer .private_data must be cast back, not its address. Fixes: 679d7abdc754 ("ASoC: codecs: Add AB8500 codec-driver") Signed-off-by: Christian A. Ehrhardt <christian.ehrhardt@codasip.com> Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Link: https://patch.msgid.link/20260428192255.2294705-2-u.kleine-koenig@baylibre.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:35:32+00:00 Cássio Gabriel cassiogabrielcontato@gmail.com 2026-04-10T03:54:32+00:00 urn:sha1:175729f03dcb4bb3274550b322c7c5ae07ba09da [ Upstream commit fb79bf127ac2577b4876132da6dba768018aad4c ] The driver may auto-select IRQ and DMA resources at probe time, but sc6000_init_board() still derives the SC-6000 soft configuration from the module parameter arrays. When irq=auto or dma=auto is used, the codec is created with the selected resources while the board is programmed with the unresolved values. Store the mapped ports and generated SC-6000 board configuration in card-private data, build that configuration from the live probe results instead of the raw module parameters, and keep the probe-time board programming in a shared helper. This fixes the resource-programming mismatch and leaves the driver with a stable board-state block that can be reused by suspend/resume. Fixes: c282866101bf ("ALSA: sc6000: add support for SC-6600 and SC-7000") Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/20260410-alsa-sc6000-pm-v1-1-4d9e95493d26@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:35:32+00:00 Takashi Iwai tiwai@suse.de 2024-08-07T13:34:23+00:00 urn:sha1:563da7952d634b558bf5955ef16f40ebceda196a [ Upstream commit e7c475b92043c02c3e6cd0c20e308fbb6f03ebde ] Use the standard print API with dev_*() instead of the old house-baked one. It gives better information and allows dynamically control of debug prints. Some functions are changed to receive a device pointer to be passed to dev_*() calls. Reviewed-by: Jaroslav Kysela <perex@perex.cz> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/20240807133452.9424-34-tiwai@suse.de Stable-dep-of: fb79bf127ac2 ("ALSA: sc6000: Keep the programmed board state in card-private data") Signed-off-by: Sasha Levin <sashal@kernel.org>