linux/sound/core, branch master

ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()

2026-04-14T13:31:10Z

snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0). While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p's object size inside the loop, this triggers a BRK exception panic before the return value is examined. Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer. Found by kernel fuzz testing through Xiaomi Smartphone. Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls") Cc: stable@vger.kernel.org Signed-off-by: Ziqing Chen Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com Signed-off-by: Takashi Iwai

ALSA: compress: Pay attention if drivers error out retrieving pointers

2026-04-02T09:10:28Z

Currently we have a return code on the driver pointer operation but the core ignores that. Let's start paying attention. Reported-by: Péter Ujfalusi Signed-off-by: Mark Brown Acked-by: Vinod Koul Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20260401-alsa-unconfigured-tstamp-v1-2-694c2cb5f71d@kernel.org

ALSA: compress: Refuse to update timestamps for unconfigured streams

2026-04-02T09:10:28Z

There are a number of mechanisms, including the userspace accessible timestamp and buffer availability ioctl()s, which allow us to trigger a timestamp update on a stream before it has been configured. Since drivers might rely on stream configuration for reporting of pcm_io_frames, including potentially doing a division by the number of channels, and these operations are not meaningful for an unconfigured stream reject attempts to read timestamps before any configuration is done. Signed-off-by: Mark Brown Acked-by: Vinod Koul Signed-off-by: Takashi Iwai Link: https://patch.msgid.link/20260401-alsa-unconfigured-tstamp-v1-1-694c2cb5f71d@kernel.org

Merge branch 'for-linus' into for-next

2026-04-01T12:43:00Z

Pull 7.0 devel branch for further cleanups of ctxfi driver & co. Signed-off-by: Takashi Iwai

ALSA: core: Validate compress device numbers without dynamic minors

2026-03-28T09:55:35Z

Without CONFIG_SND_DYNAMIC_MINORS, ALSA reserves only two fixed minors for compress devices on each card: comprD0 and comprD1. snd_find_free_minor() currently computes the compress minor as type + dev without validating dev first, so device numbers greater than 1 spill into the HWDEP minor range instead of failing registration. ASoC passes rtd->id to snd_compress_new(), so this can happen on real non-dynamic-minor builds. Add a dedicated fixed-minor check for SNDRV_DEVICE_TYPE_COMPRESS in snd_find_free_minor() and reject out-of-range device numbers with -EINVAL before constructing the minor. Also remove the stale TODO in compress_offload.c that still claims multiple compress nodes are missing. Fixes: 3eafc959b32f ("ALSA: core: add support for compressed devices") Signed-off-by: Cássio Gabriel Link: https://patch.msgid.link/20260325-alsa-compress-static-minors-v1-1-0628573bee1c@gmail.com Signed-off-by: Takashi Iwai

ALSA: pcm: Serialize snd_pcm_suspend_all() with open_mutex

2026-03-27T14:12:28Z

snd_pcm_suspend_all() walks all PCM substreams and uses a lockless runtime check to skip closed streams. It then calls snd_pcm_suspend() for each remaining substream and finally runs snd_pcm_sync_stop() in a second pass. The runtime lifetime is still controlled by pcm->open_mutex in the open/release path. That means a concurrent close can clear or free substream->runtime after the initial check in snd_pcm_suspend_all(), leaving the later suspend or sync-stop path to dereference a stale or NULL runtime pointer. Serialize snd_pcm_suspend_all() with pcm->open_mutex so the runtime pointer stays stable across both loops. This matches the existing PCM runtime lifetime rule already used by other core paths that access substream->runtime outside the stream lock. Suggested-by: Takashi Iwai Signed-off-by: Cássio Gabriel Link: https://patch.msgid.link/20260327-alsa-pcm-suspend-open-close-lock-v2-1-cc4baca4dcd6@gmail.com Signed-off-by: Takashi Iwai

ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes

2026-03-27T13:40:24Z

snd_seq_oss_write() currently returns the raw load_patch() callback result for SEQ_FULLSIZE events. That callback is documented as returning 0 on success and -errno on failure, but snd_seq_oss_write() is the file write path and should report the number of user bytes consumed on success. Some in-tree backends also return backend-specific positive values, which can still be shorter than the original write size. Return the full byte count for successful SEQ_FULLSIZE writes. Preserve negative errors and convert any nonnegative completion to the original count. Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel Link: https://patch.msgid.link/20260324-alsa-seq-oss-fullsize-write-return-v1-1-66d448510538@gmail.com Signed-off-by: Takashi Iwai

ALSA: core/seq: Optimize the return logic in cc_ev_to_ump_midi2

2026-03-27T13:40:24Z

There are multiple early return branches within the func, and compiler optimizations(such as -O2/-O3)lead to abnormal stack frame analysis - objtool cannot comfirm that the stack frames of all branches can be correctly restored, thus generating false warnings. Below: >> sound/core/seq/seq_ump_convert.o: warning: objtool: cc_ev_to_ump_midi2+0x589: return with modified stack frame So we modify it by uniformly returning at the and of the function. Signed-off-by: songxiebing Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202503200535.J3hAvcjw-lkp@intel.com/ Link: https://patch.msgid.link/20260325015119.175835-1-songxiebing@kylinos.cn Signed-off-by: Takashi Iwai

ALSA: pcm: Use pcm_lib_apply_appl_ptr() in x32 sync_ptr

2026-03-27T13:40:24Z

snd_pcm_ioctl_sync_ptr_x32() still handles incoming appl_ptr updates differently from the other SYNC_PTR paths. The native handler and the 32-bit compat handler both pass appl_ptr through pcm_lib_apply_appl_ptr(), but the x32 handler still writes control->appl_ptr directly. That direct assignment skips the common appl_ptr validation against runtime->boundary and also bypasses the substream ack() callback. This makes the x32 ioctl path behave differently from the native and compat32 cases, and it can miss the driver notification that explicit appl_ptr synchronization relies on. Use pcm_lib_apply_appl_ptr() for x32 too, so appl_ptr updates are validated consistently and drivers relying on ack() notifications see the same behavior. Signed-off-by: Cássio Gabriel Link: https://patch.msgid.link/20260321-alsa-pcm-x32-sync-ptr-v1-1-02ce655657c6@gmail.com Signed-off-by: Takashi Iwai

ALSA: timer: keep a list of open masters for slave lookup

2026-03-17T08:16:24Z

snd_timer_check_slave() still walks all registered timers and all open timer instances to find a matching master for a newly opened slave. Maintain a global list of open master instances that can accept slave links and use it for the slave lookup path instead. This keeps the existing matching semantics while avoiding the nested walk over snd_timer_list and each timer open_list_head. The reverse path in snd_timer_check_master() already scans only the pending slave list, so this makes both lookup paths closer in shape without changing the master/slave linking logic. Signed-off-by: Cássio Gabriel Link: https://patch.msgid.link/20260316-alsa-timer-master-list-v1-1-fb95e547110a@gmail.com Signed-off-by: Takashi Iwai