From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 4 Dec 2025 16:20:30 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v5.10.247~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=200a42b4bdb54c0c36f3919aca2e2250bdec5cbc;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	alsa-usb-audio-fix-missing-unlock-at-error-path-of-maxpacksize-check.patch
---

diff --git a/queue-5.15/alsa-usb-audio-fix-missing-unlock-at-error-path-of-maxpacksize-check.patch b/queue-5.15/alsa-usb-audio-fix-missing-unlock-at-error-path-of-maxpacksize-check.patch
new file mode 100644
index 0000000000..a8537738c4
--- /dev/null
+++ b/queue-5.15/alsa-usb-audio-fix-missing-unlock-at-error-path-of-maxpacksize-check.patch
@@ -0,0 +1,41 @@
+From fdf0dc82eb60091772ecea73cbc5a8fb7562fc45 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 26 Nov 2025 11:08:31 +0100
+Subject: ALSA: usb-audio: Fix missing unlock at error path of maxpacksize check
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit fdf0dc82eb60091772ecea73cbc5a8fb7562fc45 upstream.
+
+The recent backport of the upstream commit 05a1fc5efdd8 ("ALSA:
+usb-audio: Fix potential overflow of PCM transfer buffer") on the
+older stable kernels like 6.12.y was broken since it doesn't consider
+the mutex unlock, where the upstream code manages with guard().
+In the older code, we still need an explicit unlock.
+
+This is a fix that corrects the error path, applied only on old stable
+trees.
+
+Reported-by: Pavel Machek <pavel@denx.de>
+Closes: https://lore.kernel.org/aSWtH0AZH5+aeb+a@duo.ucw.cz
+Fixes: 98e9d5e33bda ("ALSA: usb-audio: Fix potential overflow of PCM transfer buffer")
+Reviewed-by: Pavel Machek <pavel@denx.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/endpoint.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -1377,7 +1377,8 @@ int snd_usb_endpoint_set_params(struct s
+ 	if (ep->packsize[1] > ep->maxpacksize) {
+ 		usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n",
+ 			      ep->maxpacksize, ep->cur_rate, ep->pps);
+-		return -EINVAL;
++		err = -EINVAL;
++		goto unlock;
+ 	}
+ 
+ 	/* calculate the frequency in 16.16 format */
diff --git a/queue-5.15/series b/queue-5.15/series
index a2648176d5..035666598f 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -274,6 +274,7 @@ strparser-fix-signed-unsigned-mismatch-bug.patch
 ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch
 fs-proc-fix-uaf-in-proc_readdir_de.patch
 alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch
+alsa-usb-audio-fix-missing-unlock-at-error-path-of-maxpacksize-check.patch
 spi-try-to-get-acpi-gpio-irq-earlier.patch
 edac-altera-handle-ocram-ecc-enable-after-warm-reset.patch
 edac-altera-use-inttest-register-for-ethernet-and-usb-sbe-injection.patch