From d2f1a1cba98a1aacfff62b5e7034d1ce769ef839 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 1 May 2026 12:05:58 +0200 Subject: [PATCH] 5.10-stable patches added patches: alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch net-caif-clear-client-service-pointer-on-teardown.patch net-qrtr-ns-fix-use-after-free-in-driver-remove.patch net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch --- ...nlen-in-snd_ctl_elem_init_enum_names.patch | 47 +++++++++ ...-i_nlink-and-valid-mode-in-ext2_iget.patch | 99 +++++++++++++++++++ ...erflow-in-pattern-length-calculation.patch | 61 ++++++++++++ ...m_gpiod_get_optional-in-imx219_probe.patch | 42 ++++++++ ...r-client-service-pointer-on-teardown.patch | 62 ++++++++++++ ...-fix-use-after-free-in-driver-remove.patch | 74 ++++++++++++++ ...fix-skb_head-leak-in-strp_abort_strp.patch | 54 ++++++++++ ...volume-range-that-triggers-a-warning.patch | 47 +++++++++ queue-5.10/series | 8 ++ 9 files changed, 494 insertions(+) create mode 100644 queue-5.10/alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch create mode 100644 queue-5.10/ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch create mode 100644 queue-5.10/lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch create mode 100644 queue-5.10/media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch create mode 100644 queue-5.10/net-caif-clear-client-service-pointer-on-teardown.patch create mode 100644 queue-5.10/net-qrtr-ns-fix-use-after-free-in-driver-remove.patch create mode 100644 queue-5.10/net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch create mode 100644 queue-5.10/revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch diff --git a/queue-5.10/alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch b/queue-5.10/alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch new file mode 100644 index 0000000000..04bbb18565 --- /dev/null +++ b/queue-5.10/alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch @@ -0,0 +1,47 @@ +From e0da8a8cac74f4b9f577979d131f0d2b88a84487 Mon Sep 17 00:00:00 2001 +From: Ziqing Chen +Date: Tue, 14 Apr 2026 21:24:37 +0800 +Subject: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() + +From: Ziqing Chen + +commit e0da8a8cac74f4b9f577979d131f0d2b88a84487 upstream. + +snd_ctl_elem_init_enum_names() advances pointer p through the names +buffer while decrementing buf_len. If buf_len reaches zero but items +remain, the next iteration calls strnlen(p, 0). + +While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 +error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks +maxlen against __builtin_dynamic_object_size(). When Clang loses track +of p's object size inside the loop, this triggers a BRK exception panic +before the return value is examined. + +Add a buf_len == 0 guard at the loop entry to prevent calling fortified +strnlen() on an exhausted buffer. + +Found by kernel fuzz testing through Xiaomi Smartphone. + +Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls") +Cc: stable@vger.kernel.org +Signed-off-by: Ziqing Chen +Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/control.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -1387,6 +1387,10 @@ static int snd_ctl_elem_init_enum_names( + buf_len = ue->info.value.enumerated.names_length; + p = names; + for (i = 0; i < ue->info.value.enumerated.items; ++i) { ++ if (buf_len == 0) { ++ kvfree(names); ++ return -EINVAL; ++ } + name_len = strnlen(p, buf_len); + if (name_len == 0 || name_len >= 64 || name_len == buf_len) { + kvfree(names); diff --git a/queue-5.10/ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch b/queue-5.10/ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch new file mode 100644 index 0000000000..0543681dd9 --- /dev/null +++ b/queue-5.10/ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch @@ -0,0 +1,99 @@ +From 25947cc5b2374cd5bf627fe3141496444260d04f Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Sat, 4 Apr 2026 18:20:11 +0300 +Subject: ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() + +From: Vasiliy Kovalev + +commit 25947cc5b2374cd5bf627fe3141496444260d04f upstream. + +ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is +zero or i_dtime is set, treating them as deleted. However, the case of +i_nlink == 0 with a non-zero mode and zero dtime slips through. Since +ext2 has no orphan list, such a combination can only result from +filesystem corruption - a legitimate inode deletion always sets either +i_dtime or clears i_mode before freeing the inode. + +A crafted image can exploit this gap to present such an inode to the +VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via +ext2_unlink(), ext2_rename() and ext2_rmdir(): + +WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 +CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1 +Call Trace: + + inode_dec_link_count include/linux/fs.h:2518 [inline] + ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295 + vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477 + do_unlinkat+0x53e/0x730 fs/namei.c:4541 + __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587 + do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 +CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1 +Call Trace: + + inode_dec_link_count include/linux/fs.h:2518 [inline] + ext2_rename+0x35e/0x850 fs/ext2/namei.c:374 + vfs_rename+0xf2f/0x2060 fs/namei.c:5021 + do_renameat2+0xbe2/0xd50 fs/namei.c:5178 + __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223 + do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 +CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1 +Call Trace: + + inode_dec_link_count include/linux/fs.h:2518 [inline] + ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311 + vfs_rmdir+0x204/0x690 fs/namei.c:4348 + do_rmdir+0x372/0x3e0 fs/namei.c:4407 + __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577 + do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Extend the existing i_nlink == 0 check to also catch this case, +reporting the corruption via ext2_error() and returning -EFSCORRUPTED. +This rejects the inode at load time and prevents it from reaching any +of the namei.c paths. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Vasiliy Kovalev +Link: https://patch.msgid.link/20260404152011.2590197-1-kovalev@altlinux.org +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext2/inode.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/fs/ext2/inode.c ++++ b/fs/ext2/inode.c +@@ -1443,9 +1443,17 @@ struct inode *ext2_iget (struct super_bl + * the test is that same one that e2fsck uses + * NeilBrown 1999oct15 + */ +- if (inode->i_nlink == 0 && (inode->i_mode == 0 || ei->i_dtime)) { +- /* this inode is deleted */ +- ret = -ESTALE; ++ if (inode->i_nlink == 0) { ++ if (inode->i_mode == 0 || ei->i_dtime) { ++ /* this inode is deleted */ ++ ret = -ESTALE; ++ } else { ++ ext2_error(sb, __func__, ++ "inode %lu has zero i_nlink with mode 0%o and no dtime, " ++ "filesystem may be corrupt", ++ ino, inode->i_mode); ++ ret = -EFSCORRUPTED; ++ } + goto bad_inode; + } + inode->i_blocks = le32_to_cpu(raw_inode->i_blocks); diff --git a/queue-5.10/lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch b/queue-5.10/lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch new file mode 100644 index 0000000000..94d54d23a0 --- /dev/null +++ b/queue-5.10/lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch @@ -0,0 +1,61 @@ +From 8cdf30813ea8ce881cecc08664144416dbdb3e16 Mon Sep 17 00:00:00 2001 +From: Josh Law +Date: Sun, 8 Mar 2026 20:20:28 +0000 +Subject: lib/ts_kmp: fix integer overflow in pattern length calculation + +From: Josh Law + +commit 8cdf30813ea8ce881cecc08664144416dbdb3e16 upstream. + +The ts_kmp algorithm stores its prefix_tbl[] table and pattern in a single +allocation sized from the pattern length. If the prefix_tbl[] size +calculation wraps, the resulting allocation can be too small and +subsequent pattern copies can overflow it. + +Fix this by rejecting zero-length patterns and by using overflow helpers +before calculating the combined allocation size. + + +This fixes a potential heap overflow. The pattern length calculation can +wrap during a size_t addition, leading to an undersized allocation. +Because the textsearch library is reachable from userspace via Netfilter's +xt_string module, this is a security risk that should be backported to LTS +kernels. + +Link: https://lkml.kernel.org/r/20260308202028.2889285-2-objecting@objecting.org +Signed-off-by: Josh Law +Reviewed-by: Andrew Morton +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/ts_kmp.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/lib/ts_kmp.c ++++ b/lib/ts_kmp.c +@@ -94,8 +94,22 @@ static struct ts_config *kmp_init(const + struct ts_config *conf; + struct ts_kmp *kmp; + int i; +- unsigned int prefix_tbl_len = len * sizeof(unsigned int); +- size_t priv_size = sizeof(*kmp) + len + prefix_tbl_len; ++ unsigned int prefix_tbl_len; ++ size_t priv_size; ++ ++ /* Zero-length patterns would make kmp_find() read beyond kmp->pattern. */ ++ if (unlikely(!len)) ++ return ERR_PTR(-EINVAL); ++ ++ /* ++ * kmp->pattern is stored immediately after the prefix_tbl[] table. ++ * Reject lengths that would wrap while sizing either region. ++ */ ++ if (unlikely(check_mul_overflow(len, sizeof(*kmp->prefix_tbl), ++ &prefix_tbl_len) || ++ check_add_overflow(sizeof(*kmp), (size_t)len, &priv_size) || ++ check_add_overflow(priv_size, prefix_tbl_len, &priv_size))) ++ return ERR_PTR(-EINVAL); + + conf = alloc_ts_config(priv_size, gfp_mask); + if (IS_ERR(conf)) diff --git a/queue-5.10/media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch b/queue-5.10/media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch new file mode 100644 index 0000000000..cc89103978 --- /dev/null +++ b/queue-5.10/media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch @@ -0,0 +1,42 @@ +From 943b1f27a3eead21b22e2531a5432ea5910b60eb Mon Sep 17 00:00:00 2001 +From: Chen Ni +Date: Wed, 4 Feb 2026 10:48:59 +0800 +Subject: media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe() + +From: Chen Ni + +commit 943b1f27a3eead21b22e2531a5432ea5910b60eb upstream. + +The devm_gpiod_get_optional() function may return an error pointer +(ERR_PTR) in case of a genuine failure during GPIO acquisition, +not just NULL which indicates the legitimate absence of an optional +GPIO. + +Add an IS_ERR() check after the function call to catch such errors and +propagate them to the probe function, ensuring the driver fails to load +safely rather than proceeding with an invalid pointer. + +Fixes: 1283b3b8f82b ("media: i2c: Add driver for Sony IMX219 sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Chen Ni +Reviewed-by: Dave Stevenson +Reviewed-by: Jai Luthra +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx219.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/i2c/imx219.c ++++ b/drivers/media/i2c/imx219.c +@@ -1420,6 +1420,9 @@ static int imx219_probe(struct i2c_clien + /* Request optional enable pin */ + imx219->reset_gpio = devm_gpiod_get_optional(dev, "reset", + GPIOD_OUT_HIGH); ++ if (IS_ERR(imx219->reset_gpio)) ++ return dev_err_probe(dev, PTR_ERR(imx219->reset_gpio), ++ "failed to get reset gpio\n"); + + /* + * The sensor must be powered for imx219_identify_module() diff --git a/queue-5.10/net-caif-clear-client-service-pointer-on-teardown.patch b/queue-5.10/net-caif-clear-client-service-pointer-on-teardown.patch new file mode 100644 index 0000000000..d51ac4cc15 --- /dev/null +++ b/queue-5.10/net-caif-clear-client-service-pointer-on-teardown.patch @@ -0,0 +1,62 @@ +From f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 Mon Sep 17 00:00:00 2001 +From: Zhengchuan Liang +Date: Sat, 11 Apr 2026 23:10:26 +0800 +Subject: net: caif: clear client service pointer on teardown + +From: Zhengchuan Liang + +commit f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 upstream. + +`caif_connect()` can tear down an existing client after remote shutdown by +calling `caif_disconnect_client()` followed by `caif_free_client()`. +`caif_free_client()` releases the service layer referenced by +`adap_layer->dn`, but leaves that pointer stale. + +When the socket is later destroyed, `caif_sock_destructor()` calls +`caif_free_client()` again and dereferences the freed service pointer. + +Clear the client/service links before releasing the service object so +repeated teardown becomes harmless. + +Fixes: 43e369210108 ("caif: Move refcount from service layer to sock and dev.") +Cc: stable@kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Zhengchuan Liang +Signed-off-by: Ren Wei +Link: https://patch.msgid.link/9f3d37847c0037568aae698ca23cd47c6691acb0.1775897577.git.zcliangcn@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/cfsrvl.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/net/caif/cfsrvl.c ++++ b/net/caif/cfsrvl.c +@@ -197,10 +197,20 @@ bool cfsrvl_phyid_match(struct cflayer * + + void caif_free_client(struct cflayer *adap_layer) + { ++ struct cflayer *serv_layer; + struct cfsrvl *servl; +- if (adap_layer == NULL || adap_layer->dn == NULL) ++ ++ if (!adap_layer) ++ return; ++ ++ serv_layer = adap_layer->dn; ++ if (!serv_layer) + return; +- servl = container_obj(adap_layer->dn); ++ ++ layer_set_dn(adap_layer, NULL); ++ layer_set_up(serv_layer, NULL); ++ ++ servl = container_obj(serv_layer); + servl->release(&servl->layer); + } + EXPORT_SYMBOL(caif_free_client); diff --git a/queue-5.10/net-qrtr-ns-fix-use-after-free-in-driver-remove.patch b/queue-5.10/net-qrtr-ns-fix-use-after-free-in-driver-remove.patch new file mode 100644 index 0000000000..dd06d77175 --- /dev/null +++ b/queue-5.10/net-qrtr-ns-fix-use-after-free-in-driver-remove.patch @@ -0,0 +1,74 @@ +From 7809fea20c9404bfcfa6112ec08d1fe1d3520beb Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 9 Apr 2026 23:04:16 +0530 +Subject: net: qrtr: ns: Fix use-after-free in driver remove() + +From: Manivannan Sadhasivam + +commit 7809fea20c9404bfcfa6112ec08d1fe1d3520beb upstream. + +In the remove callback, if a packet arrives after destroy_workqueue() is +called, but before sock_release(), the qrtr_ns_data_ready() callback will +try to queue the work, causing use-after-free issue. + +Fix this issue by saving the default 'sk_data_ready' callback during +qrtr_ns_init() and use it to replace the qrtr_ns_data_ready() callback at +the start of remove(). This ensures that even if a packet arrives after +destroy_workqueue(), the work struct will not be dereferenced. + +Note that it is also required to ensure that the RX threads are completed +before destroying the workqueue, because the threads could be using the +qrtr_ns_data_ready() callback. + +Cc: stable@vger.kernel.org +Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") +Signed-off-by: Manivannan Sadhasivam +Link: https://patch.msgid.link/20260409-qrtr-fix-v3-5-00a8a5ff2b51@oss.qualcomm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/ns.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/net/qrtr/ns.c ++++ b/net/qrtr/ns.c +@@ -23,6 +23,7 @@ static struct { + struct list_head lookups; + struct workqueue_struct *workqueue; + struct work_struct work; ++ void (*saved_data_ready)(struct sock *sk); + int local_node; + } qrtr_ns; + +@@ -796,6 +797,7 @@ int qrtr_ns_init(void) + goto err_sock; + } + ++ qrtr_ns.saved_data_ready = qrtr_ns.sock->sk->sk_data_ready; + qrtr_ns.sock->sk->sk_data_ready = qrtr_ns_data_ready; + + sq.sq_port = QRTR_PORT_CTRL; +@@ -836,6 +838,10 @@ int qrtr_ns_init(void) + return 0; + + err_wq: ++ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock); ++ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready; ++ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock); ++ + destroy_workqueue(qrtr_ns.workqueue); + err_sock: + sock_release(qrtr_ns.sock); +@@ -845,7 +851,12 @@ EXPORT_SYMBOL_GPL(qrtr_ns_init); + + void qrtr_ns_remove(void) + { ++ write_lock_bh(&qrtr_ns.sock->sk->sk_callback_lock); ++ qrtr_ns.sock->sk->sk_data_ready = qrtr_ns.saved_data_ready; ++ write_unlock_bh(&qrtr_ns.sock->sk->sk_callback_lock); ++ + cancel_work_sync(&qrtr_ns.work); ++ synchronize_net(); + destroy_workqueue(qrtr_ns.workqueue); + + /* sock_release() expects the two references that were put during diff --git a/queue-5.10/net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch b/queue-5.10/net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch new file mode 100644 index 0000000000..b7ba1fa74e --- /dev/null +++ b/queue-5.10/net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch @@ -0,0 +1,54 @@ +From fe72340daaf1af588be88056faf98965f39e6032 Mon Sep 17 00:00:00 2001 +From: Luxiao Xu +Date: Sat, 11 Apr 2026 23:10:10 +0800 +Subject: net: strparser: fix skb_head leak in strp_abort_strp() + +From: Luxiao Xu + +commit fe72340daaf1af588be88056faf98965f39e6032 upstream. + +When the stream parser is aborted, for example after a message assembly timeout, +it can still hold a reference to a partially assembled message in +strp->skb_head. + +That skb is not released in strp_abort_strp(), which leaks the partially +assembled message and can be triggered repeatedly to exhaust memory. + +Fix this by freeing strp->skb_head and resetting the parser state in the +abort path. Leave strp_stop() unchanged so final cleanup still happens in +strp_done() after the work and timer have been synchronized. + +Fixes: 43a0c6751a32 ("strparser: Stream parser for messages") +Cc: stable@kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Yuan Tan +Signed-off-by: Luxiao Xu +Signed-off-by: Ren Wei +Link: https://patch.msgid.link/ade3857a9404999ce9a1c27ec523efc896072678.1775482694.git.rakukuip@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/strparser/strparser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/strparser/strparser.c ++++ b/net/strparser/strparser.c +@@ -45,6 +45,14 @@ static void strp_abort_strp(struct strpa + + strp->stopped = 1; + ++ if (strp->skb_head) { ++ kfree_skb(strp->skb_head); ++ strp->skb_head = NULL; ++ } ++ ++ strp->skb_nextp = NULL; ++ strp->need_bytes = 0; ++ + if (strp->sk) { + struct sock *sk = strp->sk; + diff --git a/queue-5.10/revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch b/queue-5.10/revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch new file mode 100644 index 0000000000..65b17aaac1 --- /dev/null +++ b/queue-5.10/revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch @@ -0,0 +1,47 @@ +From 41d78cb724f4b40b7548af420ccfe524b14023bb Mon Sep 17 00:00:00 2001 +From: Rong Zhang +Date: Wed, 4 Mar 2026 03:47:56 +0800 +Subject: Revert "ALSA: usb: Increase volume range that triggers a warning" + +From: Rong Zhang + +commit 41d78cb724f4b40b7548af420ccfe524b14023bb upstream. + +UAC uses 2 bytes to store volume values, so the maximum volume range is +0xFFFF (65535, val = -32768/32767/1). + +The reverted commit bumpped the range of triggering the warning to > +65535, effectively making the range check a no-op. It didn't fix +anything but covered any potential problems and deviated from the +original intention of the range check. + +This reverts commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62. + +Fixes: 6b971191fcfc ("ALSA: usb: Increase volume range that triggers a warning") +Cc: stable@vger.kernel.org +Signed-off-by: Rong Zhang +Acked-by: Arun Raghavan +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20260303194805.266158-2-i@rong.moe +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1748,10 +1748,11 @@ static void __build_feature_ctl(struct u + + range = (cval->max - cval->min) / cval->res; + /* +- * There are definitely devices with a range of ~20,000, so let's be +- * conservative and allow for a bit more. ++ * Are there devices with volume range more than 255? I use a bit more ++ * to be sure. 384 is a resolution magic number found on Logitech ++ * devices. It will definitively catch all buggy Logitech devices. + */ +- if (range > 65535) { ++ if (range > 384) { + usb_audio_warn(mixer->chip, + "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.", + range); diff --git a/queue-5.10/series b/queue-5.10/series index b46a680d3a..4cd35ccbd9 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -151,3 +151,11 @@ padata-remove-comment-for-reorder_work.patch driver-core-don-t-let-a-device-probe-until-it-s-read.patch um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch crypto-pcrypt-fix-handling-of-may_backlog-requests.patch +alsa-control-validate-buf_len-before-strnlen-in-snd_ctl_elem_init_enum_names.patch +net-caif-clear-client-service-pointer-on-teardown.patch +net-strparser-fix-skb_head-leak-in-strp_abort_strp.patch +revert-alsa-usb-increase-volume-range-that-triggers-a-warning.patch +lib-ts_kmp-fix-integer-overflow-in-pattern-length-calculation.patch +media-i2c-imx219-check-return-value-of-devm_gpiod_get_optional-in-imx219_probe.patch +net-qrtr-ns-fix-use-after-free-in-driver-remove.patch +ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch -- 2.47.3