From: Greg Kroah-Hartman Date: Fri, 1 May 2026 10:06:13 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.12.86~77 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df54bb072f7217e98a09dde3afa8c02c5cafb8e1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch net-caif-clear-client-service-pointer-on-teardown.patch net-qrtr-ns-fix-use-after-free-in-driver-remove.patch net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch pci-endpoint-pci-epf-ntb-remove-duplicate-resource-teardown.patch revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch --- diff --git a/queue-5.15/alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch b/queue-5.15/alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch new file mode 100644 index 0000000000..f64eb3a8f8 --- /dev/null +++ b/queue-5.15/alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch 
@@ -0,0 +1,47 @@ +From e0da8a8cac74f4b9f577979d131f0d2b88a84487 Mon Sep 17 00:00:00 2001 +From: Ziqing Chen +Date: Tue, 14 Apr 2026 21:24:37 +0800 +Subject: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() + +From: Ziqing Chen + +commit e0da8a8cac74f4b9f577979d131f0d2b88a84487 upstream. + +snd_ctl_elem_init_enum_names() advances pointer p through the names +buffer while decrementing buf_len. If buf_len reaches zero but items +remain, the next iteration calls strnlen(p, 0). + +While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 +error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks +maxlen against __builtin_dynamic_object_size(). When Clang loses track +of p's object size inside the loop, this triggers a BRK exception panic +before the return value is examined. + +Add a buf_len == 0 guard at the loop entry to prevent calling fortified +strnlen() on an exhausted buffer. + +Found by kernel fuzz testing through Xiaomi Smartphone. + +Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls") +Cc: stable@vger.kernel.org +Signed-off-by: Ziqing Chen +Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/control.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -1441,6 +1441,10 @@ static int snd_ctl_elem_init_enum_names( + /* check that there are enough valid names */ + p = names; + for (i = 0; i < ue->info.value.enumerated.items; ++i) { ++ if (buf_len == 0) { ++ kvfree(names); ++ return -EINVAL; ++ } + name_len = strnlen(p, buf_len); + if (name_len == 0 || name_len >= 64 || name_len == buf_len) { + kvfree(names); 
diff --git a/queue-5.15/ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch b/queue-5.15/ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch new file mode 100644 index 0000000000..b57fc366ef --- /dev/null +++ b/queue-5.15/ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch 
@@ -0,0 +1,99 @@ +From 25947cc5b2374cd5bf627fe3141496444260d04f Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Sat, 4 Apr 2026 18:20:11 +0300 +Subject: ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() + +From: Vasiliy Kovalev + +commit 25947cc5b2374cd5bf627fe3141496444260d04f upstream. + +ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is +zero or i_dtime is set, treating them as deleted. However, the case of +i_nlink == 0 with a non-zero mode and zero dtime slips through. Since +ext2 has no orphan list, such a combination can only result from +filesystem corruption - a legitimate inode deletion always sets either +i_dtime or clears i_mode before freeing the inode. + +A crafted image can exploit this gap to present such an inode to the +VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via +ext2_unlink(), ext2_rename() and ext2_rmdir(): + +WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 +CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1 +Call Trace: + + inode_dec_link_count include/linux/fs.h:2518 [inline] + ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295 + vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477 + do_unlinkat+0x53e/0x730 fs/namei.c:4541 + __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587 + do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 +CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1 +Call Trace: + + inode_dec_link_count include/linux/fs.h:2518 [inline] + ext2_rename+0x35e/0x850 fs/ext2/namei.c:374 + vfs_rename+0xf2f/0x2060 fs/namei.c:5021 + do_renameat2+0xbe2/0xd50 fs/namei.c:5178 + __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223 + do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 +CPU: 0 UID: 0 PID: 634 
Comm: syz-executor Not tainted 6.12.77+ #1 +Call Trace: + + inode_dec_link_count include/linux/fs.h:2518 [inline] + ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311 + vfs_rmdir+0x204/0x690 fs/namei.c:4348 + do_rmdir+0x372/0x3e0 fs/namei.c:4407 + __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577 + do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Extend the existing i_nlink == 0 check to also catch this case, +reporting the corruption via ext2_error() and returning -EFSCORRUPTED. +This rejects the inode at load time and prevents it from reaching any +of the namei.c paths. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Vasiliy Kovalev +Link: https://patch.msgid.link/20260404152011.2590197-1-kovalev@altlinux.org +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext2/inode.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/fs/ext2/inode.c ++++ b/fs/ext2/inode.c +@@ -1457,9 +1457,17 @@ struct inode *ext2_iget (struct super_bl + * the test is that same one that e2fsck uses + * NeilBrown 1999oct15 + */ +- if (inode->i_nlink == 0 && (inode->i_mode == 0 || ei->i_dtime)) { +- /* this inode is deleted */ +- ret = -ESTALE; ++ if (inode->i_nlink == 0) { ++ if (inode->i_mode == 0 || ei->i_dtime) { ++ /* this inode is deleted */ ++ ret = -ESTALE; ++ } else { ++ ext2_error(sb, __func__, ++ "inode %lu has zero i_nlink with mode 0%o and no dtime, " ++ "filesystem may be corrupt", ++ ino, inode->i_mode); ++ ret = -EFSCORRUPTED; ++ } + goto bad_inode; + } + inode->i_blocks = le32_to_cpu(raw_inode->i_blocks); diff --git a/queue-5.15/lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch b/queue-5.15/lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch new file mode 100644 index 0000000000..94d54d23a0 --- /dev/null 
+++ b/queue-5.15/lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch 
@@ -0,0 +1,61 @@ +From 8cdf30813ea8ce881cecc08664144416dbdb3e16 Mon Sep 17 00:00:00 2001 +From: Josh Law +Date: Sun, 8 Mar 2026 20:20:28 +0000 +Subject: lib/ts_kmp: fix integer overflow in pattern length calculation + +From: Josh Law + +commit 8cdf30813ea8ce881cecc08664144416dbdb3e16 upstream. + +The ts_kmp algorithm stores its prefix_tbl[] table and pattern in a single +allocation sized from the pattern length. If the prefix_tbl[] size +calculation wraps, the resulting allocation can be too small and +subsequent pattern copies can overflow it. + +Fix this by rejecting zero-length patterns and by using overflow helpers +before calculating the combined allocation size. + + +This fixes a potential heap overflow. The pattern length calculation can +wrap during a size_t addition, leading to an undersized allocation. +Because the textsearch library is reachable from userspace via Netfilter's +xt_string module, this is a security risk that should be backported to LTS +kernels. + +Link: https://lkml.kernel.org/r/20260308202028.2889285-2-objecting@objecting.org +Signed-off-by: Josh Law +Reviewed-by: Andrew Morton +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/ts_kmp.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/lib/ts_kmp.c ++++ b/lib/ts_kmp.c +@@ -94,8 +94,22 @@ static struct ts_config *kmp_init(const + struct ts_config *conf; + struct ts_kmp *kmp; + int i; +- unsigned int prefix_tbl_len = len * sizeof(unsigned int); +- size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len; ++ unsigned int prefix_tbl_len; ++ size_t priv_size; ++ ++ /* Zero-length patterns would make kmp_find() read beyond kmp->pattern. */ ++ if (unlikely(!len)) ++ return ERR_PTR(-EINVAL); ++ ++ /* ++ * kmp->pattern is stored immediately after the prefix_tbl[] table. ++ * Reject lengths that would wrap while sizing either region. 
++ */ ++ if (unlikely(check_mul_overflow(len, sizeof(*kmp->prefix_tbl), ++ &prefix_tbl_len) || ++ check_add_overflow(sizeof(*kmp), (size_t)len, &priv_size) || ++ check_add_overflow(priv_size, prefix_tbl_len, &priv_size))) ++ return ERR_PTR(-EINVAL); + + conf = alloc_ts_config(priv_size, gfp_mask); + if (IS_ERR(conf)) diff --git a/queue-5.15/media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch b/queue-5.15/media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch new file mode 100644 index 0000000000..24beb96cc2 --- /dev/null +++ b/queue-5.15/media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch 
@@ -0,0 +1,42 @@ +From 943b1f27a3eead21b22e2531a5432ea5910b60eb Mon Sep 17 00:00:00 2001 +From: Chen Ni +Date: Wed, 4 Feb 2026 10:48:59 +0800 +Subject: media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe() + +From: Chen Ni + +commit 943b1f27a3eead21b22e2531a5432ea5910b60eb upstream. + +The devm_gpiod_get_optional() function may return an error pointer +(ERR_PTR) in case of a genuine failure during GPIO acquisition, +not just NULL which indicates the legitimate absence of an optional +GPIO. + +Add an IS_ERR() check after the function call to catch such errors and +propagate them to the probe function, ensuring the driver fails to load +safely rather than proceeding with an invalid pointer. + +Fixes: 1283b3b8f82b ("media: i2c: Add driver for Sony IMX219 sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Chen Ni +Reviewed-by: Dave Stevenson +Reviewed-by: Jai Luthra +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx219.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/i2c/imx219.c ++++ b/drivers/media/i2c/imx219.c +@@ -1435,6 +1435,9 @@ static int imx219_probe(struct i2c_clien + /* Request optional enable pin */ + imx219->reset_gpio = devm_gpiod_get_optional(dev, "reset", + GPIOD_OUT_HIGH); ++ if (IS_ERR(imx219->reset_gpio)) ++ return dev_err_probe(dev, PTR_ERR(imx219->reset_gpio), ++ "failed to get reset gpio\n"); + + /* + * The sensor must be powered for imx219_identify_module() diff --git a/queue-5.15/net-caif-clear-client-service-pointer-on-teardown.patch b/queue-5.15/net-caif-clear-client-service-pointer-on-teardown.patch new file mode 100644 index 0000000000..d51ac4cc15 --- /dev/null +++ b/queue-5.15/net-caif-clear-client-service-pointer-on-teardown.patch 
@@ -0,0 +1,62 @@ +From f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 Mon Sep 17 00:00:00 2001 +From: Zhengchuan Liang +Date: Sat, 11 Apr 2026 23:10:26 +0800 +Subject: net: caif: clear client service pointer on teardown + +From: Zhengchuan Liang + +commit f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 upstream. + +`caif_connect()` can tear down an existing client after remote shutdown by +calling `caif_disconnect_client()` followed by `caif_free_client()`. +`caif_free_client()` releases the service layer referenced by +`adap_layer->dn`, but leaves that pointer stale. + +When the socket is later destroyed, `caif_sock_destructor()` calls +`caif_free_client()` again and dereferences the freed service pointer. + +Clear the client/service links before releasing the service object so +repeated teardown becomes harmless. + +Fixes: 43e369210108 ("caif: Move refcount from service layer to sock and dev.") +Cc: stable@kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Link: https://patch.msgid.link/9f3d37847c0037568aae698ca23cd47c6691acb0.1775897577.git.zcliangcn@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/cfsrvl.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/net/caif/cfsrvl.c ++++ b/net/caif/cfsrvl.c +@@ -197,10 +197,20 @@ bool cfsrvl_phyid_match(struct cflayer * + + void caif_free_client(struct cflayer *adap_layer) + { ++ struct cflayer *serv_layer; + struct cfsrvl *servl; +- if (adap_layer == NULL || adap_layer->dn == NULL) ++ ++ if (!adap_layer) ++ return; ++ ++ serv_layer = adap_layer->dn; ++ if (!serv_layer) + return; +- servl = container_obj(adap_layer->dn); ++ ++ layer_set_dn(adap_layer, NULL); ++ layer_set_up(serv_layer, NULL); ++ ++ servl = container_obj(serv_layer); + servl->release(&servl->layer); + } + EXPORT_SYMBOL(caif_free_client); 
diff --git a/queue-5.15/net-qrtr-ns-fix-use-after-free-in-driver-remove.patch b/queue-5.15/net-qrtr-ns-fix-use-after-free-in-driver-remove.patch new file mode 100644 index 0000000000..0ad65f0166 --- /dev/null +++ b/queue-5.15/net-qrtr-ns-fix-use-after-free-in-driver-remove.patch 
@@ -0,0 +1,74 @@ +From 7809fea20c9404bfcfa6112ec08d1fe1d3520beb Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 9 Apr 2026 23:04:16 +0530 +Subject: net: qrtr: ns: Fix use-after-free in driver remove() + +From: Manivannan Sadhasivam + +commit 7809fea20c9404bfcfa6112ec08d1fe1d3520beb upstream. + +In the remove callback, if a packet arrives after destroy_workqueue() is +called, but before sock_release(), the qrtr_ns_data_ready() callback will +try to queue the work, causing use-after-free issue. + +Fix this issue by saving the default 'sk_data_ready' callback during +qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at +the start of remove(). This ensures that even if a packet arrives after +destroy_workqueue(), the work struct will not be dereferenced. + +Note that it is also required to ensure that the RX threads are completed +before destroying the workqueue, because the threads could be using the +qrtr_ns_data_ready() callback. + +Cc: stable@vger.kernel.org +Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") +Signed-off-by: Manivannan Sadhasivam +Link: https://patch.msgid.link/20260409-qrtr-fix-v3-5-00a8a5ff2b51@oss.qualcomm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/ns.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/net/qrtr/ns.c ++++ b/net/qrtr/ns.c +@@ -23,6 +23,7 @@ static struct { + struct list_head lookups; + struct workqueue_struct *workqueue; + struct work_struct work; ++ void (*saved_data_ready)(struct sock *sk); + int local_node; + } qrtr_ns; + +@@ -788,6 +789,7 @@ int qrtr_ns_init(void) + goto err_sock; + } + ++ qrtr_ns.saved_data_ready = qrtr_ns.sock->sk->sk_data_ready; + qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready; + + sq.sq_port = QRTR_PORT_CTRL; +@@ -828,6 +830,10 @@ int qrtr_ns_init(void) + return 0; + + err_wq: ++ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock); ++ qrtr_ns.sock->sk->sk_data_ready = 
qrtr_ns.saved_data_ready; ++ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock); ++ + destroy_workqueue(qrtr_ns.workqueue); + err_sock: + sock_release(qrtr_ns.sock); +@@ -837,7 +843,12 @@ EXPORT_SYMBOL_GPL(qrtr_ns_init); + + void qrtr_ns_remove(void) + { ++ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock); ++ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready; ++ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock); ++ + cancel_work_sync(&qrtr_ns.work); ++ synchronize_net(); + destroy_workqueue(qrtr_ns.workqueue); + + /* sock_release() expects the two references that were put during diff --git a/queue-5.15/net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch b/queue-5.15/net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch new file mode 100644 index 0000000000..b7ba1fa74e --- /dev/null +++ b/queue-5.15/net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch 
@@ -0,0 +1,54 @@ +From fe72340daaf1af588be88056faf98965f39e6032 Mon Sep 17 00:00:00 2001 +From: Luxiao Xu +Date: Sat, 11 Apr 2026 23:10:10 +0800 +Subject: net: strparser: fix skb_head leak in strp_abort_strp() + +From: Luxiao Xu + +commit fe72340daaf1af588be88056faf98965f39e6032 upstream. + +When the stream parser is aborted, for example after a message assembly timeout, +it can still hold a reference to a partially assembled message in +strp->skb_head. + +That skb is not released in strp_abort_strp(), which leaks the partially +assembled message and can be triggered repeatedly to exhaust memory. + +Fix this by freeing strp->skb_head and resetting the parser state in the +abort path. Leave strp_stop() unchanged so final cleanup still happens in +strp_done() after the work and timer have been synchronized. + +Fixes: 43a0c6751a32 ("strparser: Stream parser for messages") +Cc: stable@kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Yuan Tan +Signed-off-by: Luxiao Xu +Signed-off-by: Ren Wei +Link: https://patch.msgid.link/ade3857a9404999ce9a1c27ec523efc896072678.1775482694.git.rakukuip@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/strparser/strparser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/strparser/strparser.c ++++ b/net/strparser/strparser.c +@@ -45,6 +45,14 @@ static void strp_abort_strp(struct strpa + + strp->stopped = 1; + ++ if (strp->skb_head) { ++ kfree_skb(strp->skb_head); ++ strp->skb_head = NULL; ++ } ++ ++ strp->skb_nextp = NULL; ++ strp->need_bytes = 0; ++ + if (strp->sk) { + struct sock *sk = strp->sk; + diff --git a/queue-5.15/pci-endpoint-pci-epf-ntb-remove-duplicate-resource-teardown.patch b/queue-5.15/pci-endpoint-pci-epf-ntb-remove-duplicate-resource-teardown.patch new file mode 100644 index 0000000000..d3ede49c59 --- /dev/null 
+++ b/queue-5.15/pci-endpoint-pci-epf-ntb-remove-duplicate-resource-teardown.patch 
@@ -0,0 +1,121 @@ +From 3446beddba450c8d6f9aca2f028712ac527fead3 Mon Sep 17 00:00:00 2001 +From: Koichiro Den +Date: Thu, 26 Feb 2026 17:41:39 +0900 +Subject: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown + +From: Koichiro Den + +commit 3446beddba450c8d6f9aca2f028712ac527fead3 upstream. + +epf_ntb_epc_destroy() duplicates the teardown that the caller is +supposed to do later. This leads to an oops when .allow_link fails or +when .drop_link is performed. Remove the helper. + +Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC +group lifetime, and pci_epc_put() in the .drop_link path is sufficient. + +Fixes: 8b821cf76150 ("PCI: endpoint: Add EP function driver to provide NTB functionality") +Signed-off-by: Koichiro Den +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Frank Li +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260226084142.2226875-3-den@valinux.co.jp +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/functions/pci-epf-ntb.c | 56 --------------------------- + 1 file changed, 2 insertions(+), 54 deletions(-) + +--- a/drivers/pci/endpoint/functions/pci-epf-ntb.c ++++ b/drivers/pci/endpoint/functions/pci-epf-ntb.c +@@ -1495,47 +1495,6 @@ err_alloc_peer_mem: + } + + /** +- * epf_ntb_epc_destroy_interface() - Cleanup NTB EPC interface +- * @ntb: NTB device that facilitates communication between HOST1 and HOST2 +- * @type: PRIMARY interface or SECONDARY interface +- * +- * Unbind NTB function device from EPC and relinquish reference to pci_epc +- * for each of the interface. 
+- */ +-static void epf_ntb_epc_destroy_interface(struct epf_ntb *ntb, +- enum pci_epc_interface_type type) +-{ +- struct epf_ntb_epc *ntb_epc; +- struct pci_epc *epc; +- struct pci_epf *epf; +- +- if (type < 0) +- return; +- +- epf = ntb->epf; +- ntb_epc = ntb->epc[type]; +- if (!ntb_epc) +- return; +- epc = ntb_epc->epc; +- pci_epc_remove_epf(epc, epf, type); +- pci_epc_put(epc); +-} +- +-/** +- * epf_ntb_epc_destroy() - Cleanup NTB EPC interface +- * @ntb: NTB device that facilitates communication between HOST1 and HOST2 +- * +- * Wrapper for epf_ntb_epc_destroy_interface() to cleanup all the NTB interfaces +- */ +-static void epf_ntb_epc_destroy(struct epf_ntb *ntb) +-{ +- enum pci_epc_interface_type type; +- +- for (type = PRIMARY_INTERFACE; type <= SECONDARY_INTERFACE; type++) +- epf_ntb_epc_destroy_interface(ntb, type); +-} +- +-/** + * epf_ntb_epc_create_interface() - Create and initialize NTB EPC interface + * @ntb: NTB device that facilitates communication between HOST1 and HOST2 + * @epc: struct pci_epc to which a particular NTB interface should be associated +@@ -1614,15 +1573,8 @@ static int epf_ntb_epc_create(struct epf + + ret = epf_ntb_epc_create_interface(ntb, epf->sec_epc, + SECONDARY_INTERFACE); +- if (ret) { ++ if (ret) + dev_err(dev, "SECONDARY intf: Fail to create NTB EPC\n"); +- goto err_epc_create; +- } +- +- return 0; +- +-err_epc_create: +- epf_ntb_epc_destroy_interface(ntb, PRIMARY_INTERFACE); + + return ret; + } +@@ -1887,7 +1839,7 @@ static int epf_ntb_bind(struct pci_epf * + ret = epf_ntb_init_epc_bar(ntb); + if (ret) { + dev_err(dev, "Failed to create NTB EPC\n"); +- goto err_bar_init; ++ return ret; + } + + ret = epf_ntb_config_spad_bar_alloc_interface(ntb); +@@ -1909,9 +1861,6 @@ static int epf_ntb_bind(struct pci_epf * + err_bar_alloc: + epf_ntb_config_spad_bar_free(ntb); + +-err_bar_init: +- epf_ntb_epc_destroy(ntb); +- + return ret; + } + +@@ -1927,7 +1876,6 @@ static void epf_ntb_unbind(struct pci_ep + + 
epf_ntb_epc_cleanup(ntb); + epf_ntb_config_spad_bar_free(ntb); +- epf_ntb_epc_destroy(ntb); + } + + #define EPF_NTB_R(_name) \ diff --git a/queue-5.15/revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch b/queue-5.15/revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch new file mode 100644 index 0000000000..b0ed62abe2 --- /dev/null +++ b/queue-5.15/revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch 
@@ -0,0 +1,47 @@ +From 41d78cb724f4b40b7548af420ccfe524b14023bb Mon Sep 17 00:00:00 2001 +From: Rong Zhang +Date: Wed, 4 Mar 2026 03:47:56 +0800 +Subject: Revert "ALSA: usb: Increase volume range that triggers a warning" + +From: Rong Zhang + +commit 41d78cb724f4b40b7548af420ccfe524b14023bb upstream. + +UAC uses 2 bytes to store volume values, so the maximum volume range is +0xFFFF (65535, val = -32768/32767/1). + +The reverted commit bumpped the range of triggering the warning to > +65535, effectively making the range check a no-op. It didn't fix +anything but covered any potential problems and deviated from the +original intention of the range check. + +This reverts commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62. + +Fixes: 6b971191fcfc ("ALSA: usb: Increase volume range that triggers a warning") +Cc: stable@vger.kernel.org +Signed-off-by: Rong Zhang +Acked-by: Arun Raghavan +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20260303194805.266158-2-i@rong.moe +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1804,10 +1804,11 @@ static void __build_feature_ctl(struct u + + range = (cval->max - cval->min) / cval->res; + /* +- * There are definitely devices with a range of ~20,000, so let's be +- * conservative and allow for a bit more. ++ * Are there devices with volume range more than 255? I use a bit more ++ * to be sure. 384 is a resolution magic number found on Logitech ++ * devices. It will definitively catch all buggy Logitech devices. + */ +- if (range > 65535) { ++ if (range > 384) { + usb_audio_warn(mixer->chip, + "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.", + range); diff --git a/queue-5.15/series b/queue-5.15/series index b6e040b2de..49a407b908 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -198,3 +198,12 @@ padata-remove-comment-for-reorder_work.patch driver-core-don-t-let-a-device-probe-until-it-s-read.patch um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch crypto-pcrypt-fix-handling-of-may_backlog-requests.patch +alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch +net-caif-clear-client-service-pointer-on-teardown.patch +net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch +pci-endpoint-pci-epf-ntb-remove-duplicate-resource-teardown.patch +revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch +lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch +media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch +net-qrtr-ns-fix-use-after-free-in-driver-remove.patch +ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch
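Review bot: In the sound/core/control.c hunk, the new `buf_len == 0` guard at the top of the loop carries no comment, and from the code alone it looks redundant with the `name_len == 0` test two lines below it. A one-line comment saying that it keeps fortified strnlen() from being called with a zero maxlen would stop a later cleanup from folding it back into the existing check. The guard also repeats the `kvfree(names)` cleanup that the following `if` performs; a shared error label would keep the two exits from drifting apart.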
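Review bot: In the fs/ext2/inode.c hunk, the ext2_error() format string in the new else branch is split across two literals (`"... and no dtime, "` followed by `"filesystem may be corrupt"`), which makes the message hard to find by grepping for a log line. Keeping it as a single literal, even past the line limit, is the usual choice for user-visible strings. The retained comment above the test still says it is the same test e2fsck uses; if the extended branch goes beyond that, the comment should be updated alongside it.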
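Review bot: In the lib/ts_kmp.c hunk, the overflow helpers are called with operands of different types: `check_mul_overflow(len, sizeof(*kmp->prefix_tbl), &prefix_tbl_len)` mixes `len`, a size_t from sizeof and an `unsigned int` destination, and the first `check_add_overflow()` needs a `(size_t)len` cast to line up. Since this is a 5.15 backport, please confirm that the helpers in this tree accept mixed-type arguments and that the file builds without distinct-pointer-type warnings; casting all operands to one type would sidestep the question. The hunk also adds no `#include <linux/overflow.h>`, so it is worth checking that the header is already pulled in for this file.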
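Review bot: In the drivers/media/i2c/imx219.c hunk, the new error message says "failed to get reset gpio" while the context comment directly above the call still reads "Request optional enable pin". The two should use the same name for the line (the GPIO is requested as "reset"), so that the log message and the source comment point at the same thing.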
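Review bot: In the net/caif/cfsrvl.c hunk, caif_free_client() reads `adap_layer->dn` and then clears it with `layer_set_dn(adap_layer, NULL)` with no lock visible around the pair, so the double-teardown protection only holds if the two callers named in the commit message never run concurrently. If they can, both could read a non-NULL `dn` before either clears it and `servl->release()` would still run twice. Please add a comment stating what serializes the callers, or take the relevant lock here.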
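Review bot: In the `err_wq:` hunk of net/qrtr/ns.c, the error path restores `sk_data_ready` and then goes straight to `destroy_workqueue()`, whereas qrtr_ns_remove() in the same patch also calls `cancel_work_sync()` and `synchronize_net()` before destroying the workqueue. The commit message says the RX threads must have completed before the workqueue is destroyed, and that applies equally here once the callback has been installed. Either add the same synchronization to this path or add a comment explaining why no callback can be in flight at this point.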
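Review bot: In the qrtr_ns_remove() hunk of net/qrtr/ns.c, `synchronize_net()` is placed after `cancel_work_sync()` with no comment, and the reason for it is only given in the commit message. A short comment that it waits for RX paths that may still be executing qrtr_ns_data_ready() would make the ordering requirement visible in the code. It is also worth stating why the wait comes after `cancel_work_sync()` rather than before it, since a callback still running at that point could queue the work again.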
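Review bot: In the net/strparser/strparser.c hunk, strp_abort_strp() now frees `strp->skb_head` and resets `skb_nextp` and `need_bytes`, but nothing in the hunk shows what keeps the receive path from touching those fields at the same time. The commit message notes that strp_done() does its cleanup only after the work and timer have been synchronized, which suggests the abort path has no such guarantee by itself. Please document in a comment which lock or context callers must hold so that the free cannot race with message assembly.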
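Review bot: In the epf_ntb_epc_create() hunk of drivers/pci/endpoint/functions/pci-epf-ntb.c, a failure creating the SECONDARY interface now returns with the PRIMARY interface still set up, and with the `err_epc_create` label gone nothing in the function says who unwinds it. The commit message explains that the caller performs the teardown later; that belongs in a comment at the `return ret;` or in the function's kernel-doc, so the missing cleanup does not read as a leak and get re-added. The diffstat line in the header also shows 56 removed lines while the summary says 2 insertions and 54 deletions, which is consistent but easy to misread.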
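Review bot: In the sound/usb/mixer.c hunk, the restored comment asks "Are there devices with volume range more than 255?" while the comment being removed states that there are definitely devices with a range of about 20,000. With the threshold back at 384, those devices will hit the `usb_audio_warn()` again, so the comment should say that the warning is expected for them and is a hint about `cval->res` rather than an error. Rewording the restored comment would be a deviation from a pure revert, so a follow-up patch may be the better place for it.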