6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 1 May 2026 11:55:10 +0000 (13:55 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 1 May 2026 11:55:10 +0000 (13:55 +0200)
added patches:
alsa-6fire-fix-input-volume-change-detection.patch
alsa-caiaq-fix-control_put-result-and-cache-rollback.patch
alsa-caiaq-handle-probe-errors-properly.patch
alsa-core-fix-potential-data-race-at-fasync-handling.patch
iio-adc-ad7768-1-fix-one-shot-mode-data-acquisition.patch

queue-6.1/alsa-6fire-fix-input-volume-change-detection.patch [new file with mode: 0644]
queue-6.1/alsa-caiaq-fix-control_put-result-and-cache-rollback.patch [new file with mode: 0644]
queue-6.1/alsa-caiaq-handle-probe-errors-properly.patch [new file with mode: 0644]
queue-6.1/alsa-core-fix-potential-data-race-at-fasync-handling.patch [new file with mode: 0644]
queue-6.1/iio-adc-ad7768-1-fix-one-shot-mode-data-acquisition.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/alsa-6fire-fix-input-volume-change-detection.patch b/queue-6.1/alsa-6fire-fix-input-volume-change-detection.patch
new file mode 100644 (file)
index 0000000..5c39ed0
--- /dev/null
@@ -0,0 +1,58 @@
+From dc88eef8f55e85e92d016cdf7e291f5560efd79b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Thu, 16 Apr 2026 10:24:40 -0300
+Subject: ALSA: 6fire: Fix input volume change detection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit dc88eef8f55e85e92d016cdf7e291f5560efd79b upstream.
+
+usb6fire_control_input_vol_put() stores the analog capture volume
+as a signed offset in rt->input_vol[] (-15..+15), but it compares
+the cached value against the user-visible mixer value (0..30)
+before subtracting 15.
+
+This mixes two domains in the change detection path. Since the
+runtime is zero-initialized, the visible default is 15; writing 0
+right after probe is ignored, while writing 15 is reported as a
+change even though the cached value remains 0.
+
+Normalize the user value before comparing it with the cached offset.
+
+Fixes: 06bb4e743501 ("ALSA: snd-usb-6fire: add analog input volume control")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Link: https://patch.msgid.link/20260416-alsa-6fire-input-volume-change-detection-v1-1-ec78299168df@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/6fire/control.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/6fire/control.c
++++ b/sound/usb/6fire/control.c
+@@ -290,15 +290,17 @@ static int usb6fire_control_input_vol_pu
+               struct snd_ctl_elem_value *ucontrol)
+ {
+       struct control_runtime *rt = snd_kcontrol_chip(kcontrol);
++      int vol0 = ucontrol->value.integer.value[0] - 15;
++      int vol1 = ucontrol->value.integer.value[1] - 15;
+       int changed = 0;
+-      if (rt->input_vol[0] != ucontrol->value.integer.value[0]) {
+-              rt->input_vol[0] = ucontrol->value.integer.value[0] - 15;
++      if (rt->input_vol[0] != vol0) {
++              rt->input_vol[0] = vol0;
+               rt->ivol_updated &= ~(1 << 0);
+               changed = 1;
+       }
+-      if (rt->input_vol[1] != ucontrol->value.integer.value[1]) {
+-              rt->input_vol[1] = ucontrol->value.integer.value[1] - 15;
++      if (rt->input_vol[1] != vol1) {
++              rt->input_vol[1] = vol1;
+               rt->ivol_updated &= ~(1 << 1);
+               changed = 1;
+       }
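Review bot: The added `int vol0 = ucontrol->value.integer.value[0] - 15;` (and its `vol1` twin) takes the value straight from the userspace control write, and the function opening shown here has no range check before the result is cached in `rt->input_vol[]`. The commit message gives the valid mixer range as 0..30, so a guard ahead of the subtraction, for example `if (v0 < 0 || v0 > 30 || v1 < 0 || v1 > 30) return -EINVAL;` on the raw `long` values, would keep out-of-range offsets from being stored and later pushed to the device. The source is also a `long` narrowed to `int`, so the check belongs on the value before narrowing. The function body continues past the end of the hunk.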
diff --git a/queue-6.1/alsa-caiaq-fix-control_put-result-and-cache-rollback.patch b/queue-6.1/alsa-caiaq-fix-control_put-result-and-cache-rollback.patch
new file mode 100644 (file)
index 0000000..8d77c9b
--- /dev/null
@@ -0,0 +1,124 @@
+From a3542d1b30f92307f545f2def14e8d988dffdff0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= <cassiogabrielcontato@gmail.com>
+Date: Fri, 17 Apr 2026 10:41:33 -0300
+Subject: ALSA: caiaq: Fix control_put() result and cache rollback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+
+commit a3542d1b30f92307f545f2def14e8d988dffdff0 upstream.
+
+control_put() always returns 1 and updates cdev->control_state[]
+before sending the USB command. It also ignores transport errors
+from usb_bulk_msg(), snd_usb_caiaq_send_command(), and
+snd_usb_caiaq_send_command_bank().
+
+That breaks the ALSA .put() contract and can leave control_get()
+reporting a cached value the device never accepted.
+
+Return 0 for unchanged values, propagate transport failures,
+and restore the cached byte when the write fails.
+
+Fixes: 8e3cd08ed8e59 ("[ALSA] caiaq - add control API and more input features")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
+Link: https://patch.msgid.link/20260417-caiaq-control-put-v1-1-c37826e92447@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/caiaq/control.c |   54 +++++++++++++++++++++++++++++++---------------
+ 1 file changed, 37 insertions(+), 17 deletions(-)
+
+--- a/sound/usb/caiaq/control.c
++++ b/sound/usb/caiaq/control.c
+@@ -87,6 +87,7 @@ static int control_put(struct snd_kcontr
+       struct snd_usb_caiaqdev *cdev = caiaqdev(chip->card);
+       int pos = kcontrol->private_value;
+       int v = ucontrol->value.integer.value[0];
++      int ret;
+       unsigned char cmd;
+       switch (cdev->chip.usb_id) {
+@@ -103,6 +104,10 @@ static int control_put(struct snd_kcontr
+       if (pos & CNT_INTVAL) {
+               int i = pos & ~CNT_INTVAL;
++              unsigned char old = cdev->control_state[i];
++
++              if (old == v)
++                      return 0;
+               cdev->control_state[i] = v;
+@@ -113,10 +118,11 @@ static int control_put(struct snd_kcontr
+                       cdev->ep8_out_buf[0] = i;
+                       cdev->ep8_out_buf[1] = v;
+-                      usb_bulk_msg(cdev->chip.dev,
+-                                   usb_sndbulkpipe(cdev->chip.dev, 8),
+-                                   cdev->ep8_out_buf, sizeof(cdev->ep8_out_buf),
+-                                   &actual_len, 200);
++                      ret = usb_bulk_msg(cdev->chip.dev,
++                                         usb_sndbulkpipe(cdev->chip.dev, 8),
++                                         cdev->ep8_out_buf,
++                                         sizeof(cdev->ep8_out_buf),
++                                         &actual_len, 200);
+               } else if (cdev->chip.usb_id ==
+                       USB_ID(USB_VID_NATIVEINSTRUMENTS, USB_PID_MASCHINECONTROLLER)) {
+@@ -128,21 +134,36 @@ static int control_put(struct snd_kcontr
+                               offset = MASCHINE_BANK_SIZE;
+                       }
+-                      snd_usb_caiaq_send_command_bank(cdev, cmd, bank,
+-                                      cdev->control_state + offset,
+-                                      MASCHINE_BANK_SIZE);
++                      ret = snd_usb_caiaq_send_command_bank(cdev, cmd, bank,
++                                                            cdev->control_state + offset,
++                                                            MASCHINE_BANK_SIZE);
+               } else {
+-                      snd_usb_caiaq_send_command(cdev, cmd,
+-                                      cdev->control_state, sizeof(cdev->control_state));
++                      ret = snd_usb_caiaq_send_command(cdev, cmd,
++                                                       cdev->control_state,
++                                                       sizeof(cdev->control_state));
+               }
+-      } else {
+-              if (v)
+-                      cdev->control_state[pos / 8] |= 1 << (pos % 8);
+-              else
+-                      cdev->control_state[pos / 8] &= ~(1 << (pos % 8));
+-              snd_usb_caiaq_send_command(cdev, cmd,
+-                              cdev->control_state, sizeof(cdev->control_state));
++              if (ret < 0) {
++                      cdev->control_state[i] = old;
++                      return ret;
++              }
++      } else {
++              int idx = pos / 8;
++              unsigned char mask = 1 << (pos % 8);
++              unsigned char old = cdev->control_state[idx];
++              unsigned char val = v ? (old | mask) : (old & ~mask);
++
++              if (old == val)
++                      return 0;
++
++              cdev->control_state[idx] = val;
++              ret = snd_usb_caiaq_send_command(cdev, cmd,
++                                               cdev->control_state,
++                                               sizeof(cdev->control_state));
++              if (ret < 0) {
++                      cdev->control_state[idx] = old;
++                      return ret;
++              }
+       }
+       return 1;
+@@ -640,4 +661,3 @@ int snd_usb_caiaq_control_init(struct sn
+       return ret;
+ }
+-
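Review bot: In the CNT_INTVAL branch the new `if (old == v)` compares an `unsigned char` with the full `int v` read from `ucontrol->value.integer.value[0]`. A write outside 0..255 therefore never matches, is truncated when stored in `control_state[i]`, and is reported as a change every time. Comparing in the cache's own domain, `if (old == (unsigned char)v) return 0;`, or rejecting an out-of-range `v` with `-EINVAL` first, would avoid that. Separately, the rollback `cdev->control_state[i] = old;` runs with no lock visible in these hunks, so it is worth confirming that nothing else can update `control_state` between the store and the restore. control_put starts before and ends after the lines shown.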
diff --git a/queue-6.1/alsa-caiaq-handle-probe-errors-properly.patch b/queue-6.1/alsa-caiaq-handle-probe-errors-properly.patch
new file mode 100644 (file)
index 0000000..e5885b5
--- /dev/null
@@ -0,0 +1,125 @@
+From 28abd224db4a49560b452115bca3672a20e45b2f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 14 Apr 2026 12:59:00 +0200
+Subject: ALSA: caiaq: Handle probe errors properly
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 28abd224db4a49560b452115bca3672a20e45b2f upstream.
+
+The probe procedure of setup_card() in caiaq driver doesn't treat the
+error cases gracefully, e.g. the error from snd_card_register() calls
+snd_card_free() but continues.  This would lead to a UAF for the
+further calls like snd_usb_caiaq_control_init(), as Berk suggested in
+another patch in the link below.
+
+However, the problem is not only that; in general, this function drops
+the all error handlings (as it's a void function) although its caller
+can propagate an error to snd_probe(), which eventually calls
+snd_card_free() as a proper error path.  That said, we should treat
+each error case in setup_card(), and just return the error code
+promptly, which is then handled later as a fatal error in snd_probe().
+
+This patch achieves it by changing the setup_card() to return an error
+code.  Also, the superfluous snd_card_free() call is removed, too.
+
+Note that card->private_free can be set still safely at returning an
+error.  All called functions in card_free() have checks of the
+unassigned resources or NULL checks.
+
+Fixes: 8e3cd08ed8e5 ("[ALSA] caiaq - add control API and more input features")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20260413034941.1131465-2-berkcgoksel@gmail.com
+Link: https://patch.msgid.link/20260414105916.364073-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/caiaq/device.c |   33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -290,7 +290,7 @@ int snd_usb_caiaq_set_auto_msg(struct sn
+                                         tmp, sizeof(tmp));
+ }
+-static void setup_card(struct snd_usb_caiaqdev *cdev)
++static int setup_card(struct snd_usb_caiaqdev *cdev)
+ {
+       int ret;
+       char val[4];
+@@ -325,8 +325,10 @@ static void setup_card(struct snd_usb_ca
+               snd_usb_caiaq_send_command(cdev, EP1_CMD_READ_IO, NULL, 0);
+               if (!wait_event_timeout(cdev->ep1_wait_queue,
+-                                      cdev->control_state[0] != 0xff, HZ))
+-                      return;
++                                      cdev->control_state[0] != 0xff, HZ)) {
++                      dev_err(dev, "Read timeout for control state\n");
++                      return -EINVAL;
++              }
+               /* fix up some defaults */
+               if ((cdev->control_state[1] != 2) ||
+@@ -347,33 +349,43 @@ static void setup_card(struct snd_usb_ca
+           cdev->spec.num_digital_audio_out +
+           cdev->spec.num_digital_audio_in > 0) {
+               ret = snd_usb_caiaq_audio_init(cdev);
+-              if (ret < 0)
++              if (ret < 0) {
+                       dev_err(dev, "Unable to set up audio system (ret=%d)\n", ret);
++                      return ret;
++              }
+       }
+       if (cdev->spec.num_midi_in +
+           cdev->spec.num_midi_out > 0) {
+               ret = snd_usb_caiaq_midi_init(cdev);
+-              if (ret < 0)
++              if (ret < 0) {
+                       dev_err(dev, "Unable to set up MIDI system (ret=%d)\n", ret);
++                      return ret;
++              }
+       }
+ #ifdef CONFIG_SND_USB_CAIAQ_INPUT
+       ret = snd_usb_caiaq_input_init(cdev);
+-      if (ret < 0)
++      if (ret < 0) {
+               dev_err(dev, "Unable to set up input system (ret=%d)\n", ret);
++              return ret;
++      }
+ #endif
+       /* finally, register the card and all its sub-instances */
+       ret = snd_card_register(cdev->chip.card);
+       if (ret < 0) {
+               dev_err(dev, "snd_card_register() returned %d\n", ret);
+-              snd_card_free(cdev->chip.card);
++              return ret;
+       }
+       ret = snd_usb_caiaq_control_init(cdev);
+-      if (ret < 0)
++      if (ret < 0) {
+               dev_err(dev, "Unable to set up control system (ret=%d)\n", ret);
++              return ret;
++      }
++
++      return 0;
+ }
+ static void card_free(struct snd_card *card)
+@@ -499,8 +511,11 @@ static int init_card(struct snd_usb_caia
+       snprintf(card->longname, sizeof(card->longname), "%s %s (%s)",
+                      cdev->vendor_name, cdev->product_name, usbpath);
+-      setup_card(cdev);
+       card->private_free = card_free;
++      err = setup_card(cdev);
++      if (err < 0)
++              return err;
++
+       return 0;
+  err_kill_urb:
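Review bot: The new `return err;` after `setup_card()` in init_card leaves without passing through the `err_kill_urb:` label just below it, so stopping whatever URB that label covers now depends entirely on `card_free()` running through `card->private_free`. The body of card_free is not in this hunk, and the 6.1 version may differ from the upstream one the commit message reasons about. It is worth confirming that the 6.1 card_free really stops that URB before the card is released, since a completion handler running against freed card data would be a use-after-free. If it does not, `if (err < 0) goto err_kill_urb;` is the smaller change, provided that path returns `err`. init_card begins before the hunk and continues after it.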
diff --git a/queue-6.1/alsa-core-fix-potential-data-race-at-fasync-handling.patch b/queue-6.1/alsa-core-fix-potential-data-race-at-fasync-handling.patch
new file mode 100644 (file)
index 0000000..02ee471
--- /dev/null
@@ -0,0 +1,70 @@
+From 8146cd333d235ed32d48bb803fdf743472d7c783 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 20 Apr 2026 08:17:20 +0200
+Subject: ALSA: core: Fix potential data race at fasync handling
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8146cd333d235ed32d48bb803fdf743472d7c783 upstream.
+
+In snd_fasync_work_fn(), which is the offload work for traversing and
+processing the pending fasync list, the call of kill_fasync() is done
+outside the snd_fasync_lock for avoiding deadlocks.  The problem is
+that its the references of fasync->on, fasync->signal and fasync->poll
+are done there also outside the lock.  Since these may be modified by
+snd_kill_fasync() call concurrently from other process, inconsistent
+values might be passed to kill_fasync().  Although there shouldn't be
+critical UAF, it's still better to be addressed.
+
+This patch moves the kill_fasync() argument evaluations inside the
+snd_fasync_lock for avoiding the data races above.  The handling in
+fasync->on flag is optimized in the loop to skip directly.
+
+Also, for more clarity, snd_fasync_free() takes the lock and unlink
+the pending entry more directly instead of clearing fasync->on flag.
+
+Reported-by: Jake Lamberson <lamberson.jake@gmail.com>
+Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers")
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260420061721.3253644-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/misc.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/sound/core/misc.c
++++ b/sound/core/misc.c
+@@ -171,14 +171,18 @@ static LIST_HEAD(snd_fasync_list);
+ static void snd_fasync_work_fn(struct work_struct *work)
+ {
+       struct snd_fasync *fasync;
++      int signal, poll;
+       spin_lock_irq(&snd_fasync_lock);
+       while (!list_empty(&snd_fasync_list)) {
+               fasync = list_first_entry(&snd_fasync_list, struct snd_fasync, list);
+               list_del_init(&fasync->list);
++              if (!fasync->on)
++                      continue;
++              signal = fasync->signal;
++              poll = fasync->poll;
+               spin_unlock_irq(&snd_fasync_lock);
+-              if (fasync->on)
+-                      kill_fasync(&fasync->fasync, fasync->signal, fasync->poll);
++              kill_fasync(&fasync->fasync, signal, poll);
+               spin_lock_irq(&snd_fasync_lock);
+       }
+       spin_unlock_irq(&snd_fasync_lock);
+@@ -234,7 +238,10 @@ void snd_fasync_free(struct snd_fasync *
+ {
+       if (!fasync)
+               return;
+-      fasync->on = 0;
++
++      scoped_guard(spinlock_irq, &snd_fasync_lock)
++              list_del_init(&fasync->list);
++
+       flush_work(&snd_fasync_work);
+       kfree(fasync);
+ }
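Review bot: `scoped_guard(spinlock_irq, &snd_fasync_lock)` in snd_fasync_free relies on the cleanup.h guard infrastructure, which as far as I know landed upstream well after the 6.1 base. Nothing on this page shows queue-6.1 carrying that dependency, so confirm the tree builds with it. If it is absent, the open-coded form already used in snd_fasync_work_fn is equivalent: `spin_lock_irq(&snd_fasync_lock); list_del_init(&fasync->list); spin_unlock_irq(&snd_fasync_lock);`. A one-line comment above the `signal`/`poll` copies, such as `/* snapshot under the lock; snd_kill_fasync() may rewrite these concurrently */`, would also record why they are read before the unlock.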
diff --git a/queue-6.1/iio-adc-ad7768-1-fix-one-shot-mode-data-acquisition.patch b/queue-6.1/iio-adc-ad7768-1-fix-one-shot-mode-data-acquisition.patch
new file mode 100644 (file)
index 0000000..96662ba
--- /dev/null
@@ -0,0 +1,51 @@
+From 8be19e233744961db6069da9c9ab63eb085a0447 Mon Sep 17 00:00:00 2001
+From: Jonathan Santos <Jonathan.Santos@analog.com>
+Date: Mon, 23 Feb 2026 08:59:26 -0300
+Subject: iio: adc: ad7768-1: fix one-shot mode data acquisition
+
+From: Jonathan Santos <Jonathan.Santos@analog.com>
+
+commit 8be19e233744961db6069da9c9ab63eb085a0447 upstream.
+
+According to the datasheet, one-shot mode requires a SYNC_IN pulse to
+trigger a new sample conversion. In the current implementation, No sync
+pulse was sent after switching to one-shot mode and reinit_completion()
+was called before mode switching, creating a race condition where spurious
+interrupts during mode change could trigger completion prematurely.
+
+Fix by sending a sync pulse after configuring one-shot mode and
+reinit_completion() to ensure it only waits for the actual conversion
+completion.
+
+Fixes: a5f8c7da3dbe ("iio: adc: Add AD7768-1 ADC basic support")
+Signed-off-by: Jonathan Santos <Jonathan.Santos@analog.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7768-1.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/ad7768-1.c
++++ b/drivers/iio/adc/ad7768-1.c
+@@ -241,12 +241,17 @@ static int ad7768_scan_direct(struct iio
+       struct ad7768_state *st = iio_priv(indio_dev);
+       int readval, ret;
+-      reinit_completion(&st->completion);
+-
+       ret = ad7768_set_mode(st, AD7768_ONE_SHOT);
+       if (ret < 0)
+               return ret;
++      reinit_completion(&st->completion);
++
++      /* One-shot mode requires a SYNC pulse to generate a new sample */
++      ret = ad7768_send_sync_pulse(st);
++      if (ret)
++              return ret;
++
+       ret = wait_for_completion_timeout(&st->completion,
+                                         msecs_to_jiffies(1000));
+       if (!ret)
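Review bot: The added early return after `ad7768_send_sync_pulse(st)` exits with the device already switched to `AD7768_ONE_SHOT` by the preceding `ad7768_set_mode()` call. The hunk does not show whether the remainder of ad7768_scan_direct restores the previous conversion mode, so this failure path may leave the ADC in one-shot mode for later accesses. Either switch the mode back before returning, or document the state with a comment such as `/* on failure the device stays in one-shot mode */`. The new check also uses `if (ret)` while the neighbouring one uses `if (ret < 0)`; pick whichever matches the helper's return contract. The function starts before the hunk and continues past it.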
index 50536cc6dfd8c2520ba3b08e8286e98ee467aae3..03346b56e951f2d6d1688f8c0e1cc2581fc93df5 100644 (file)
@@ -205,3 +205,8 @@ io_uring-timeout-check-unused-sqe-fields.patch
 iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch
 io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch
 io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch
+alsa-core-fix-potential-data-race-at-fasync-handling.patch
+alsa-caiaq-fix-control_put-result-and-cache-rollback.patch
+alsa-caiaq-handle-probe-errors-properly.patch
+alsa-6fire-fix-input-volume-change-detection.patch
+iio-adc-ad7768-1-fix-one-shot-mode-data-acquisition.patch