ASoC: Fixes for v7.1
A fairly small collection of fixes, device IDs and quirks that came in
during the merge window, the most remarkable of which is one for SDCA
boolean firmware flags which is remarkable mainly because it is
partially in regmap.
snd_microii_spdif_switch_put() returns 0 when the requested
vendor register value differs from the cached one.
This comparison was inverted by the resume-support conversion,
so real SPDIF switch toggles are ignored while no-op writes still
issue SET_CUR and report success.
Return early only when the requested value matches the cached one.
Fixes: 288673beae ("ALSA: usb-audio: Add resume support for MicroII SPDIF ctls")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260421-microii-spdif-switch-fix-v1-1-5c50dc28b88f@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_emuusb_set_samplerate() unconditionally notifies the E-MU
SampleRate Extension Unit control after issuing SET_CUR.
If snd_usb_mixer_set_ctl_value() fails, the control value has not
changed, yet snd_usb_mixer_notify_id() still invalidates the cache and
emits a value-change event to userspace.
Notify the control only after a successful write.
Fixes: 7d2b451e65 ("ALSA: usb-audio - Added functionality for E-mu 0404USB/0202USB/TrackerPre")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260421-alsa-emuusb-samplerate-notify-v1-1-8b63bbc1d7f1@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Limit the digital gain and PA volumes to a combined -3 dB in the machine
driver to reduce the risk of speaker damage until we have active speaker
protection in place (or higher safe levels have been established).
Based on commit c481016bb4 ("ASoC: qcom: sc8280xp: limit speaker
volumes") which addressed the same issue on the sc8280x SoC with some
minor changes as explained below.
The Digital Volume behaves almost identical to sc8280x since both use
the same lpass-wsa-macro, but x1e80100 has two sets of controls prefixed
with WSA and WSA2.
For PA x1e80100 machines use wsa884x amplifiers which expose a linear
scale from -9 dB to 9 dB with a 1.5 dB step size giving us
0 dB = -9 dB + 6 * 1.5 dB.
On x1e80100 there are two different speaker topologies we need to handle:
  2-Speakers: SpkrLeft, Spkr Right
  4-Speakers: WooferLeft, WooferRight, TweeterLeft, TweeterRight
Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
Tested-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260422-x1e80100-audio-limit-v2-1-333258b97697@canonical.com
Signed-off-by: Mark Brown <broonie@kernel.org>
pcmtest allocates its pattern buffers and creates its debugfs tree
before registering the platform device and driver, but mod_init()
does not release those resources when a later init step fails.
As a result, a debugfs directory creation failure leaks the pattern
buffers, while platform_device_register() and
platform_driver_register() failures leave both the pattern buffers
and the debugfs tree behind. The recent fix for failed device
registration only dropped the embedded device reference.
Add the missing cleanup for the debugfs tree and pattern buffers in
the remaining module init error paths.
Fixes: 315a3d57c6 ("ALSA: Implement the new Virtual PCM Test Driver")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260421-alsa-pcmtest-init-unwind-v1-1-03fe0c423dbb@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The POD HD PRO is the rackmount version of the POD 500, with most of the
same behaviors. As with some of the other rackmount POD devices it will
not send captured audio to the host unless the host is sending playback
audio, so it has LINE6_CAP_IN_NEEDS_OUT in addition to the POD 500
flags.
Tested-By: Phil Willoughby <willerz@gmail.com>
Signed-off-by: Phil Willoughby <willerz@gmail.com>
Link: https://patch.msgid.link/20260420152405.7230-1-willerz@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Charles Keepax <ckeepax@opensource.cirrus.com> says:
MIPI DisCo uses the unfortunate convention of allowing boolean
properties to be present but having a zero value. Opposed to the
normal convention of simply not specifying the property. Fix an
issue in the SDCA code where mipi-sdca-control-deferrable is not
parsed correctly.
However, we also have some shipping ACPIs where these properties
are not specified correctly. Update the MBQ regmap to attempt defers
albeit with a warning in the case where a control attempts to defer
but is not marked as such. There is little downside to this as if
defer is genuinely not supported then the control will just return
the same error again.
snd_als4000_capture_trigger() updates chip->mode under mixer_lock,
while snd_als4000_set_rate() and snd_als4000_playback_trigger()
serialize the same rate-lock state with reg_lock.
The PCM core serializes callbacks only per acted-on substream, or for an
explicitly linked group, so unlinked playback and capture streams can
run concurrently.
That leaves two races on ALS4000 rate-lock state:
- playback and capture trigger callbacks can concurrently update
  chip->mode and lose one of the SB_RATE_LOCK bits
- snd_als4000_set_rate() can observe chip->mode without the capture
  lock bit set and reprogram the shared sample rate while capture is
  being started
Fix this by taking reg_lock as the outer lock in
snd_als4000_capture_trigger() and nesting mixer_lock only for the CR1E
write. This keeps chip->mode serialized with the rest of the ALS4000
rate-lock users while preserving the existing CR1E programming
sequence.
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260417-als4000-capture-trigger-race-v1-1-daeffc2feb67@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In snd_fasync_work_fn(), which is the offload work for traversing and
processing the pending fasync list, the call of kill_fasync() is done
outside the snd_fasync_lock for avoiding deadlocks. The problem is
that the references of fasync->on, fasync->signal and fasync->poll
are done there also outside the lock. Since these may be modified by
snd_kill_fasync() call concurrently from other process, inconsistent
values might be passed to kill_fasync(). Although there shouldn't be
critical UAF, it's still better to be addressed.
This patch moves the kill_fasync() argument evaluations inside the
snd_fasync_lock for avoiding the data races above. The handling in
fasync->on flag is optimized in the loop to skip directly.
Also, for more clarity, snd_fasync_free() takes the lock and unlinks
the pending entry more directly instead of clearing fasync->on flag.
Reported-by: Jake Lamberson <lamberson.jake@gmail.com>
Fixes: ef34a0ae7a ("ALSA: core: Add async signal helpers")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260420061721.3253644-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In the SPI driver probe, the chip ID must be set to TAS2781. Without this
initialization, calibration data fails to load correctly, causing audio
abnormalities on some devices.
And update the register bulk read API to handle the distinct requirements
of SPI and I2C devices.
Fixes: 05ac3846ff ("ALSA: hda/tas2781: A workaround solution to lower-vol issue among lower calibrated-impedance micro-speaker on TAS2781")
Signed-off-by: Baojun Xu <baojun.xu@ti.com>
Link: https://patch.msgid.link/20260418055030.765-1-baojun.xu@ti.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
control_put() always returns 1 and updates cdev->control_state[]
before sending the USB command. It also ignores transport errors
from usb_bulk_msg(), snd_usb_caiaq_send_command(), and
snd_usb_caiaq_send_command_bank().
That breaks the ALSA .put() contract and can leave control_get()
reporting a cached value the device never accepted.
Return 0 for unchanged values, propagate transport failures,
and restore the cached byte when the write fails.
Fixes: 8e3cd08ed8 ("[ALSA] caiaq - add control API and more input features")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260417-caiaq-control-put-v1-1-c37826e92447@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
When platform_device_register() fails in mod_init(), the embedded struct
device in pcmtst_pdev has already been initialized by
device_initialize(), but the failure path returns the error without
dropping the device reference for the current platform device:
mod_init()
  -> platform_device_register(&pcmtst_pdev)
     -> device_initialize(&pcmtst_pdev.dev)
     -> setup_pdev_dma_masks(&pcmtst_pdev)
     -> platform_device_add(&pcmtst_pdev)
This leads to a reference leak when platform_device_register() fails.
Fix this by calling platform_device_put() before returning the error.
The issue was identified by a static analysis tool I developed and
confirmed by manual review.
Fixes: 315a3d57c6 ("ALSA: Implement the new Virtual PCM Test Driver")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://patch.msgid.link/20260415193138.3861297-1-lgs201920130244@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
usb6fire_control_input_vol_put() stores the analog capture volume
as a signed offset in rt->input_vol[] (-15..+15), but it compares
the cached value against the user-visible mixer value (0..30)
before subtracting 15.
This mixes two domains in the change detection path. Since the
runtime is zero-initialized, the visible default is 15; writing 0
right after probe is ignored, while writing 15 is reported as a
change even though the cached value remains 0.
Normalize the user value before comparing it with the cached offset.
Fixes: 06bb4e7435 ("ALSA: snd-usb-6fire: add analog input volume control")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260416-alsa-6fire-input-volume-change-detection-v1-1-ec78299168df@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
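The control .put() fixes above (MicroII SPDIF switch, caiaq control_put() and the 6fire input volume) all enforce the same change-detection rules: compare in one domain, return 0 without device traffic when nothing changes, and never leave the cache ahead of the device. The following is an added userspace model, not code from any of the patches; struct ctl_model, device_write(), ctl_put() and ctl_get() are hypothetical names, and the 0..30 / -15..+15 ranges are taken from the 6fire message.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical control: user-visible range 0..30, cached as offset -15..+15. */
struct ctl_model {
	int cached_offset;    /* driver-side cache, signed offset domain */
	int device_offset;    /* what the (simulated) device last accepted */
	int writes;           /* commands that actually reached the device */
	bool transport_fails; /* constructed fault injection for the example */
};

static int device_write(struct ctl_model *m, int offset)
{
	if (m->transport_fails)
		return -EIO;
	m->device_offset = offset;
	m->writes++;
	return 0;
}

/* Returns 1 if the value changed, 0 if unchanged, negative errno on error. */
int ctl_put(struct ctl_model *m, int user_val)
{
	int offset, old, err;

	if (user_val < 0 || user_val > 30)
		return -EINVAL;

	offset = user_val - 15;          /* normalize BEFORE comparing */
	if (offset == m->cached_offset)
		return 0;                /* no-op: no write, no change event */

	old = m->cached_offset;
	m->cached_offset = offset;
	err = device_write(m, offset);
	if (err < 0) {
		m->cached_offset = old;  /* the device never accepted it */
		return err;
	}
	return 1;
}

int ctl_get(const struct ctl_model *m)
{
	return m->cached_offset + 15;
}

int main(void)
{
	struct ctl_model m = {0};        /* zero-initialized: visible default 15 */

	printf("put 15 -> %d\n", ctl_put(&m, 15));
	printf("put 0  -> %d, get %d\n", ctl_put(&m, 0), ctl_get(&m));
	m.transport_fails = true;
	printf("put 30 -> %d, get %d\n", ctl_put(&m, 30), ctl_get(&m));
	return 0;
}
```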
The NexiGo N930W 60fps webcam (USB ID 3443:930d) hits the same
'cannot get freq at ep 0x84' error in snd-usb-audio as its sibling
N930AF (1bcf:2283). Without QUIRK_FLAG_GET_SAMPLE_RATE the ADC clock
is never configured and the microphone streams only zero samples.
Testing on Linux 6.17 with QUIRK_FLAG_GET_SAMPLE_RATE |
QUIRK_FLAG_MIC_RES_16 (via quirk_alias=3443930d:1bcf2283) confirmed
the microphone captures real audio after a cold USB re-enumeration.
Adding a native quirk_flags_table entry avoids the alias workaround.
Signed-off-by: Johnathan Penberthy <johnathan.penberthy@gmail.com>
Link: https://patch.msgid.link/20260417010123.3080904-1-johnathan.penberthy@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Drop a kernel-doc struct comment since the struct member was removed.
This eliminates a kernel-doc warning when make W=1 is used.
  virtio_pcm.h:65: warning: Excess struct member 'msg_last_enqueued'
  description in 'virtio_pcm_substream'
Fixes: fe981e6756 ("ALSA: virtio: use ack callback")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260216055956.2784399-1-rdunlap@infradead.org
In es8311_set_bias_level(), the return value of
snd_soc_component_update_bits() was ignored. If this fails, not only
is the VMID selection not applied, but the previously enabled mclk
is left running, leading to an unbalanced clock reference count
(clock leak).
Check the return value and ensure clk_disable_unprepare() is called on
failure to maintain proper resource management.
Signed-off-by: Hsieh Hung-En <hungen3108@gmail.com>
Link: https://patch.msgid.link/20260415030252.5547-3-hungen3108@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
The es8311_resume() function currently ignores the return value of
regcache_sync(). If syncing the cache fails, the function still returns
0, leaving the codec in a potentially incorrect state.
Check the return value and propagate it to the ASoC core to ensure
resume failures are properly handled.
Signed-off-by: Hsieh Hung-En <hungen3108@gmail.com>
Link: https://patch.msgid.link/20260415030252.5547-2-hungen3108@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
The hda-intel driver uses request_firmware_nowait() for loading its
patch, and tries to continue the probe directly from the fw loader
callback. This works in principle, but it has a few drawbacks:
- The driver may be released before the firmware callback completes
- Having two ways of async probe makes the code flow unnecessarily
  complex
The former issue is more severe, as it may potentially lead to a UAF,
and there is no explicit way to cancel the pending firmware worker
for now.
This patch changes the firmware loading to be performed rather in the
common probe work without *_nowait(). Then the pending work can be
easily canceled, and the code becomes more straightforward.
A nice bonus is that, by moving into the probe work, the firmware
doesn't need any longer to be cached, hence we can get rid of struct
azx.fw field, and release the firmware immediately after parsing it,
too.
Fixes: 5cb543dba9 ("ALSA: hda - Deferred probing with request_firmware_nowait()")
Link: https://patch.msgid.link/20260415135526.1813126-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
There are two duplicated code paths calling get_min_max() with the same
arguments in build_audio_procunit(). This once led to a failure to
notice a code path that caused the `err' variable uninitialized when
adding error checks for callers of get_min_max*() [1].
Move cases in the switch-case statement to tidy up the error check by
merging the duplicated code paths together with a fallthrough attribute.
This also eliminates the `err = 0' lines and aggregates the error check
along with the corresponding call together, so that the intent of these
code paths is clearer.
The refactor also has an interesting effect that shrinks the .text size
by 16 bytes (GCC 15 amd64). It seems that the compiler was unable to
perform dead code elimination for the `err = 0' paths before.
Link: https://lore.kernel.org/r/ad36dGpCBTGsyFr_@stanley.mountain/ [1]
Signed-off-by: Rong Zhang <i@rong.moe>
Link: https://patch.msgid.link/20260414-uac-build_auto_procunit-refactor-v1-1-afeb7efa6518@rong.moe
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The current code has deep indentation levels because of multiple if's.
Make it returning and reduce the multi-level conditionals for
increasing the code readability.
No functional change, just a code refactoring.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260414132218.411013-4-tiwai@suse.de
snd-usb-6fire driver holds devices[] and chips[] pointer arrays to
keep the usb_device and sfire_chip objects assigned to multiple
interfaces. Those are, however, not properly cleared at the error
path of usb6fire_chip_probe(), which may confuse the later probes.
Also, the use of two pointer arrays makes things complicated; chips[]
may be NULL while devices[] may be left over.
For addressing this inconsistency, unify the pointer arrays, and use
only chips[] for managing the multiple devices, while the device is
checked with chip->dev pointer, instead. Also, the assignment of
chips[] is moved at a later point where the probe successfully
returns, so that we don't leave the pointer there after the error.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260414132218.411013-3-tiwai@suse.de
In 6fire driver, we protect the concurrent calls against probe and
disconnect with the register_mutex, but it's applied only partially.
Since we handle two global pointers in devices[] and chips[] pairs,
the assignment of the latter can be inconsistent upon concurrent
interface probes, and the refcount handling isn't properly protected
at disconnect, either.
This patch extends the mutex application range to the whole probe and
disconnect functions. It makes the code safer against potential
concurrent probes and disconnects, while it makes the code easier to
read, too.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260414132218.411013-2-tiwai@suse.de
The probe procedure of setup_card() in caiaq driver doesn't treat the
error cases gracefully, e.g. the error from snd_card_register() calls
snd_card_free() but continues. This would lead to a UAF for the
further calls like snd_usb_caiaq_control_init(), as Berk suggested in
another patch in the link below.
However, the problem is not only that; in general, this function drops
all the error handling (as it's a void function) although its caller
can propagate an error to snd_probe(), which eventually calls
snd_card_free() as a proper error path. That said, we should treat
each error case in setup_card(), and just return the error code
promptly, which is then handled later as a fatal error in snd_probe().
This patch achieves it by changing the setup_card() to return an error
code. Also, the superfluous snd_card_free() call is removed, too.
Note that card->private_free can be set still safely at returning an
error. All called functions in card_free() have checks of the
unassigned resources or NULL checks.
Fixes: 8e3cd08ed8 ("[ALSA] caiaq - add control API and more input features")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20260413034941.1131465-2-berkcgoksel@gmail.com
Link: https://patch.msgid.link/20260414105916.364073-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
snd_ctl_elem_init_enum_names() advances pointer p through the names
buffer while decrementing buf_len. If buf_len reaches zero but items
remain, the next iteration calls strnlen(p, 0).
While strnlen(p, 0) returns 0 and would hit the existing name_len == 0
error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks
maxlen against __builtin_dynamic_object_size(). When Clang loses track
of p's object size inside the loop, this triggers a BRK exception panic
before the return value is examined.
Add a buf_len == 0 guard at the loop entry to prevent calling fortified
strnlen() on an exhausted buffer.
Found by kernel fuzz testing through Xiaomi Smartphone.
Fixes: 8d448162bd ("ALSA: control: add support for ENUMERATED user space controls")
Cc: stable@vger.kernel.org
Signed-off-by: Ziqing Chen <chenziqing@xiaomi.com>
Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
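The loop guard described in the commit above, shown as an added userspace example (not the kernel patch itself). validate_enum_names(), bounded_len() and the MAX_NAME_LEN limit are assumptions made for the example; bounded_len() stands in for strnlen() so the walk over the packed names buffer can be exercised on its own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 64 /* assumed per-name limit for this example */

/* Bounded length with strnlen() semantics: reads at most max bytes. */
static size_t bounded_len(const char *p, size_t max)
{
	const char *nul = memchr(p, '\0', max);

	return nul ? (size_t)(nul - p) : max;
}

/*
 * Check that buf holds `items` non-empty NUL-terminated names packed
 * back to back. Returns 0 on success, -EINVAL on any malformed input.
 */
int validate_enum_names(const char *buf, size_t buf_len, unsigned int items)
{
	const char *p = buf;
	unsigned int i;

	for (i = 0; i < items; i++) {
		size_t name_len;

		/* Items remain but the buffer is used up: stop before measuring. */
		if (buf_len == 0)
			return -EINVAL;

		name_len = bounded_len(p, buf_len);
		/* Empty name, over-long name, or no terminator inside the buffer. */
		if (name_len == 0 || name_len >= MAX_NAME_LEN || name_len == buf_len)
			return -EINVAL;

		p += name_len + 1;
		buf_len -= name_len + 1;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample: two names, 7 bytes including both terminators. */
	static const char names[] = "Off\0On";

	printf("2 items: %d\n", validate_enum_names(names, sizeof(names), 2));
	printf("3 items: %d\n", validate_enum_names(names, sizeof(names), 3));
	return 0;
}
```

Declaring three items over a buffer that holds only two is the case the commit describes: the third iteration starts with buf_len at zero and is rejected by the guard rather than by the length call.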
The recent fix to add the error return value check from get_min_max*()
missed one case in build_audio_procunit() where no error value is set.
This may lead to an uninitialized variable and confuse the caller
(although this wouldn't happen practically because err is set for the
loop of num_ins at the beginning of the function).
Fix it by setting "err = 0" properly at the missing case, too.
Fixes: 4f55a85cd4 ("ALSA: usb-audio: Add error checks against get_min_max*()")
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/ad36dGpCBTGsyFr_@stanley.mountain
Link: https://patch.msgid.link/20260414093336.305464-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
The reset GPIO obtained via devm_gpiod_get() may return an ERR_PTR()
when the GPIO is missing or an error occurs. The current code
unconditionally assigns PTR_ERR() to ret and later dereferences
rst_gpio via desc_to_gpio(), which is incorrect when rst_gpio is an
error pointer.
Rework the logic to first check IS_ERR(rst_gpio) before converting the
descriptor. Handle -ENOENT by disabling reset GPIO support, and return
other errors to the caller as expected.
Fixes: c76d50b71e ("ASoC: ac97: Convert to GPIO descriptors")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604041426.i2C1xqHk-lkp@intel.com/
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://patch.msgid.link/20260413-ac97-v1-1-b44b9e084307@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
When both CONFIG_OF and CONFIG_ACPI are disabled, the ID table is not
referenced any more:
sound/soc/codecs/tas2781-i2c.c:102:35: error: 'tasdevice_id' defined but not used [-Werror=unused-const-variable=]
  102 | static const struct i2c_device_id tasdevice_id[] = {
      |                                   ^~~~~~~~~~~~
Remove the #ifdef checks and just include the ID tables unconditionally
to get a clean build in all configurations. The code already uses
IS_ENABLED() checks for both to benefit from dead code elimination
and the ID tables are small enough that they can just be included
all the time.
Fixes: 9a52d1b7cb ("ASoC: tas2781: Explicit association of Device, Device Name, and Device ID")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20260413070059.3828364-1-arnd@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
ASoC: Updates for v7.1
There's one new core feature here but mostly this has been a fairly
quiet release, we've got a few new drivers and one core feature that's
likely to be relatively rarely used but the bulk of the work this time
around has been on quality.
- Support for bus keepers, this will be used by the Apple device
  support.
- Enhancements to the SDCA support, including retaskable jacks.
- Unwinding of the pcm_new()/pcm_free() cleanups from Morimoto-san.
- Test improvements for the Cirrus Logic drivers.
- Large sets of fixes for the NXP, nVidia and Qualcomm drivers.
- Support for AMD RPL DMICs, Cirrus Logic CS42L43 and CS47L47, nVidia
  machines with CPCAP and WM8962.