linux.git/sound/firewire, branch master Linux kernel source tree Merge tag 'sound-fix-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound 2026-06-27T19:15:23+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-27T19:15:23+00:00 14923571e78ae448ff4cc250d46d6f5fa442761c Pull sound fixes from Takashi Iwai: "A collection of small bug fixes accumulated over the last week. Most are device-specific fixes while there are a few core fixes as well. Here are the highlights: ALSA Core: - A fix for an uninitialised heap leak in ALSA sequencer core - A fix for error handling/resource leak in compress-offload API USB-audio: - A teardown-ordering fix in USB MIDI 2.0 to prevent use-after-free - Bounds and length checks for packet data in Native Instruments caiaq / Traktor Kontrol input parsers - Avoidance of expensive kobject path lookups in DualSense controller matches - Robustness/memory leak fixes for Qualcomm USB offload driver - Focusrite Control Protocol (FCP) NULL-pointer dereference fix and a new device quirk (ISA C8X) - Device-specific quirks for Yamaha CDS3000 and SC13A HD-Audio: - A bunch of quirks and mute/mic-mute LED fixups for various laptops (Acer, Clevo, Lenovo, HP) ASoC & SoundWire: - Avoid failing card registration if the device_link creation fails - A workaround for SoundWire randconfig build failures by making helper functions static inline - Corrected MCLK reference validation for CS530x codecs - Clean up of untested, problematic guard() macro replacements in Rockchip SAI driver - Fix for eDMA maxburst misalignment with channel count in Freescale ASRC - Miscellaneous hardware-specific fixes (qcom, rt5650, tlv320aic3x, tas2781/3) Others: - Bounds and length checks for packet data in Apple iSight" * tag 'sound-fix-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (46 commits) ALSA: FCP: Fix NULL pointer dereference in interface lookup ALSA: hda/realtek: Update Acer Nitro ANV15-41 quirk to enable mute LED ASoC: fsl_asrc_dma: fix eDMA maxburst misalignment with channel count ASoC: codecs: pcm512x: only print info once on no sclk ASoC: tas2781: Update default register address to TAS2563 ALSA: firewire: isight: bound the sample count to the packet payload ALSA: usb-audio: qcom: Free QMI handle ALSA: hda: Add Lenovo Legion 7i 16IAX7 17AA3874 quirk ALSA: usb-audio: avoid kobject path lookup in DualSense match ALSA: hda/realtek: Add quirk for Acer Nitro ANV15-41 ASoC: soc-core: Don't fail if device_link could not be created ASoC: rockchip: rockchip_sai: #include <linux/platform_device.h> explicitly ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup() ASoC: rt5575: Use __le32 for SPI burst write address ASoC: tas2783: Update loaded firmware names to linux-firmware 20260519 ASoC: SDCA: Validate written enum value in ge_put_enum_double() ASoC: realtek: Add back local call to sdw_show_ping_status() ASoC: ti: Add back local call to sdw_show_ping_status() ASoC: max98373: Add back local call to sdw_show_ping_status() ASoC: es9356: Add back local call to sdw_show_ping_status() ... 
Pull sound fixes from Takashi Iwai:
 "A collection of small bug fixes accumulated over the last week.
  Most are device-specific fixes while there are a few core fixes as
  well.

  Here are the highlights:

  ALSA Core:
   - A fix for an uninitialised heap leak in ALSA sequencer core
   - A fix for error handling/resource leak in compress-offload API

  USB-audio:
   - A teardown-ordering fix in USB MIDI 2.0 to prevent use-after-free
   - Bounds and length checks for packet data in Native Instruments
     caiaq / Traktor Kontrol input parsers
   - Avoidance of expensive kobject path lookups in DualSense controller
     matches
   - Robustness/memory leak fixes for Qualcomm USB offload driver
   - Focusrite Control Protocol (FCP) NULL-pointer dereference fix and a
     new device quirk (ISA C8X)
   - Device-specific quirks for Yamaha CDS3000 and SC13A

  HD-Audio:
   - A bunch of quirks and mute/mic-mute LED fixups for various laptops
     (Acer, Clevo, Lenovo, HP)

  ASoC & SoundWire:
   - Avoid failing card registration if the device_link creation fails
   - A workaround for SoundWire randconfig build failures by making
     helper functions static inline
   - Corrected MCLK reference validation for CS530x codecs
   - Clean up of untested, problematic guard() macro replacements in
     Rockchip SAI driver
   - Fix for eDMA maxburst misalignment with channel count in Freescale
     ASRC
   - Miscellaneous hardware-specific fixes (qcom, rt5650, tlv320aic3x,
     tas2781/3)

  Others:
   - Bounds and length checks for packet data in Apple iSight"

* tag 'sound-fix-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (46 commits)
  ALSA: FCP: Fix NULL pointer dereference in interface lookup
  ALSA: hda/realtek: Update Acer Nitro ANV15-41 quirk to enable mute LED
  ASoC: fsl_asrc_dma: fix eDMA maxburst misalignment with channel count
  ASoC: codecs: pcm512x: only print info once on no sclk
  ASoC: tas2781: Update default register address to TAS2563
  ALSA: firewire: isight: bound the sample count to the packet payload
  ALSA: usb-audio: qcom: Free QMI handle
  ALSA: hda: Add Lenovo Legion 7i 16IAX7 17AA3874 quirk
  ALSA: usb-audio: avoid kobject path lookup in DualSense match
  ALSA: hda/realtek: Add quirk for Acer Nitro ANV15-41
  ASoC: soc-core: Don't fail if device_link could not be created
  ASoC: rockchip: rockchip_sai: #include <linux/platform_device.h> explicitly
  ALSA: seq: Fix uninitialised heap leak in snd_seq_event_dup()
  ASoC: rt5575: Use __le32 for SPI burst write address
  ASoC: tas2783: Update loaded firmware names to linux-firmware 20260519
  ASoC: SDCA: Validate written enum value in ge_put_enum_double()
  ASoC: realtek: Add back local call to sdw_show_ping_status()
  ASoC: ti: Add back local call to sdw_show_ping_status()
  ASoC: max98373: Add back local call to sdw_show_ping_status()
  ASoC: es9356: Add back local call to sdw_show_ping_status()
  ...
ALSA: firewire: isight: bound the sample count to the packet payload 2026-06-25T12:02:13+00:00 Maoyi Xie maoyixie.tju@gmail.com 2026-06-21T15:09:07+00:00 29b9667982e4df2ed7744f86b1144f8bb58eb698 isight_packet() takes the frame count from the device iso packet and checks it only against the device claimed iso length. count = be32_to_cpu(payload->sample_count); if (likely(count <= (length - 16) / 4)) isight_samples(isight, payload->samples, count); length is the iso header data_length. It can be up to 0xffff. So the gate allows a count up to about 16379. isight_samples() then copies count frames out of payload->samples into the PCM DMA buffer. payload->samples holds only 2 * MAX_FRAMES_PER_PACKET values. The device multiplexes two samples per frame. A count past MAX_FRAMES_PER_PACKET reads past the payload. A count past the buffer size writes past runtime->dma_area. The smallest PCM buffer is larger than MAX_FRAMES_PER_PACKET. Bounding the count to MAX_FRAMES_PER_PACKET keeps both the read and the write in range. A malicious or faulty Apple iSight on the FireWire bus reaches this during a normal capture. Add the MAX_FRAMES_PER_PACKET bound to the gate. Fixes: 3a691b28a0ca ("ALSA: add Apple iSight microphone driver") Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Cc: stable@vger.kernel.org Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com> Link: https://patch.msgid.link/178205454729.1900991.7807310178296762772@maoyixie.com Signed-off-by: Takashi Iwai <tiwai@suse.de> 
isight_packet() takes the frame count from the device iso packet and
checks it only against the device claimed iso length.

	count = be32_to_cpu(payload->sample_count);
	if (likely(count <= (length - 16) / 4))
		isight_samples(isight, payload->samples, count);

length is the iso header data_length. It can be up to 0xffff. So the
gate allows a count up to about 16379. isight_samples() then copies
count frames out of payload->samples into the PCM DMA buffer.

payload->samples holds only 2 * MAX_FRAMES_PER_PACKET values. The
device multiplexes two samples per frame. A count past
MAX_FRAMES_PER_PACKET reads past the payload. A count past the buffer
size writes past runtime->dma_area. The smallest PCM buffer is larger
than MAX_FRAMES_PER_PACKET. Bounding the count to MAX_FRAMES_PER_PACKET
keeps both the read and the write in range.

A malicious or faulty Apple iSight on the FireWire bus reaches this
during a normal capture.

Add the MAX_FRAMES_PER_PACKET bound to the gate.

Fixes: 3a691b28a0ca ("ALSA: add Apple iSight microphone driver")
Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/178205454729.1900991.7807310178296762772@maoyixie.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Merge tag 'firewire-updates-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394 2026-06-21T17:05:11+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-06-21T17:05:11+00:00 aff3ca32f39d5e64619eef10e1daef3a0ba76b25 Pull firewire updates from Takashi Sakamoto: - firewire drivers have been able to assign an arbitrary value in the mod_device entry, which is typed as kernel_ulong_t. While storing the pointer value is legitimate, conversion back to a pointer has been performed without preserving the const qualifier. Uwe Kleine-König introduced an union to provide safer and more robust conversions, as part of the ongoing CHERI enhancement work for ARM and RISC-V architectures. This includes changes to the sound subsystem, since the conversion pattern is widely used in ALSA firewire stack. - Userspace applications can request the core function to perform isochronous resource management procedures. Dingsoul reported a reference-count leak when these procedures are processed in workqueue contexts. This refactors the relevant code paths following a divide and conquer approach. Consequently, it became clear that the issue still remain in the path when userspace applications delegate automatic resource reallocation after bus resets to the core. In practice, the leak is rarely triggered, and a complete fix is still in progress. * tag 'firewire-updates-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394: firewire: core: Open-code topology list walk firewire: core: cancel using delayed work for iso_resource_once management firewire: core: rename member name for channel mask of isoc resource firewire: core: minor code refactoring for case-dependent parameters of iso resources management ALSA: firewire: Make use of ieee1394's .driver_data_ptr firewire: Simplify storing pointers in device id struct firewire: core: move allocation/reallocation paths into specific branch after isoc resource management in cdev firewire: core: refactor notification type determination after isoc resource management in cdev firewire: core: use switch statement for post-processing of isoc resource management in cdev firewire: core: reduce critical section duration in pre-processing of isoc resource management in cdev firewire: core: code cleanup for iso resource auto creation firewire: core: append _auto suffix for non-once iso resource operations firewire: core: code cleanup to remove old implementations for once operation firewire: core: split functions for iso_resource once operation firewire: core: code refactoring for helper function to fill iso_resource parameters firewire: core: code refactoring to queue work item for iso_resource firewire: core: code refactoring for early return at client resource allocation 
Pull firewire updates from Takashi Sakamoto:

 - firewire drivers have been able to assign an arbitrary value in the
   mod_device entry, which is typed as kernel_ulong_t.

   While storing the pointer value is legitimate, conversion back to a
   pointer has been performed without preserving the const qualifier.

   Uwe Kleine-König introduced an union to provide safer and more robust
   conversions, as part of the ongoing CHERI enhancement work for ARM
   and RISC-V architectures. This includes changes to the sound
   subsystem, since the conversion pattern is widely used in ALSA
   firewire stack.

 - Userspace applications can request the core function to perform
   isochronous resource management procedures. Dingsoul reported a
   reference-count leak when these procedures are processed in workqueue
   contexts.

   This refactors the relevant code paths following a divide and conquer
   approach. Consequently, it became clear that the issue still remain
   in the path when userspace applications delegate automatic resource
   reallocation after bus resets to the core.

   In practice, the leak is rarely triggered, and a complete fix is
   still in progress.

* tag 'firewire-updates-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
  firewire: core: Open-code topology list walk
  firewire: core: cancel using delayed work for iso_resource_once management
  firewire: core: rename member name for channel mask of isoc resource
  firewire: core: minor code refactoring for case-dependent parameters of iso resources management
  ALSA: firewire: Make use of ieee1394's .driver_data_ptr
  firewire: Simplify storing pointers in device id struct
  firewire: core: move allocation/reallocation paths into specific branch after isoc resource management in cdev
  firewire: core: refactor notification type determination after isoc resource management in cdev
  firewire: core: use switch statement for post-processing of isoc resource management in cdev
  firewire: core: reduce critical section duration in pre-processing of isoc resource management in cdev
  firewire: core: code cleanup for iso resource auto creation
  firewire: core: append _auto suffix for non-once iso resource operations
  firewire: core: code cleanup to remove old implementations for once operation
  firewire: core: split functions for iso_resource once operation
  firewire: core: code refactoring for helper function to fill iso_resource parameters
  firewire: core: code refactoring to queue work item for iso_resource
  firewire: core: code refactoring for early return at client resource allocation
ALSA: firewire-motu: Protect register DSP event queue positions 2026-05-25T07:19:44+00:00 Cássio Gabriel cassiogabrielcontato@gmail.com 2026-05-21T11:01:23+00:00 98fb1c1bb11e29eb609b7200a25e136e05aa4498 The register DSP event queue is updated under parser->lock, but snd_motu_register_dsp_message_parser_count_event() reads pull_pos and push_pos without the lock. snd_motu_register_dsp_message_parser_copy_event() also reads both queue positions before taking the lock. Protect these accesses with parser->lock as well. This keeps the hwdep poll/read path consistent with the producer side and with the cached meter/parameter accessors. Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model") Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/20260521-alsa-firewire-motu-event-locking-v1-1-708e1c2b5e56@gmail.com 
The register DSP event queue is updated under parser->lock, but
snd_motu_register_dsp_message_parser_count_event() reads pull_pos and
push_pos without the lock.
snd_motu_register_dsp_message_parser_copy_event() also reads both queue
positions before taking the lock.

Protect these accesses with parser->lock as well. This keeps the hwdep
poll/read path consistent with the producer side and with the cached
meter/parameter accessors.

Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260521-alsa-firewire-motu-event-locking-v1-1-708e1c2b5e56@gmail.com
ALSA: firewire: Make use of ieee1394's .driver_data_ptr 2026-05-11T10:45:03+00:00 Uwe Kleine-König (The Capable Hub) u.kleine-koenig@baylibre.com 2026-05-11T10:45:03+00:00 8208d94f149a53311ac7687c051cb3a6d58063f7 Recently struct ieee1394_device_id gained a new member to store a pointer to driver data. Make use of that to get rid of a bunch of casts. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Link: https://lore.kernel.org/r/6b7b7b3b8b54465ad5e7463412a202350fccbb62.1778494204.git.u.kleine-koenig@baylibre.com Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> 
Recently struct ieee1394_device_id gained a new member to store a pointer
to driver data. Make use of that to get rid of a bunch of casts.

Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/6b7b7b3b8b54465ad5e7463412a202350fccbb62.1778494204.git.u.kleine-koenig@baylibre.com
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
ALSA: firewire-tascam: Do not drop unread control events 2026-05-04T15:47:06+00:00 Cássio Gabriel cassiogabrielcontato@gmail.com 2026-05-04T00:55:52+00:00 0749daa8eb5ab90334aaad3b0671efd7150d43b1 tscm_hwdep_read_queue() copies as many queued control events as fit in the userspace buffer. When the buffer is smaller than the current contiguous queue segment, length is rounded down to the number of bytes that can be copied. However, after copying that shortened length, the code advances pull_pos to the original tail_pos, marking the whole contiguous segment as consumed. Any events between the copied portion and tail_pos are lost. Limit tail_pos to the position after the entries actually copied before updating pull_pos. When the whole segment fits, this is equivalent to the old tail_pos update; when the buffer is smaller, the remaining events stay queued for the next read. Fixes: a8c0d13267a4 ("ALSA: firewire-tascam: notify events of change of state for userspace applications") Cc: stable@vger.kernel.org Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Co-developed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/20260503-alsa-firewire-tascam-read-queue-v2-1-126c6efd7642@gmail.com 
tscm_hwdep_read_queue() copies as many queued control events as fit in
the userspace buffer. When the buffer is smaller than the current
contiguous queue segment, length is rounded down to the number of bytes
that can be copied.

However, after copying that shortened length, the code advances pull_pos
to the original tail_pos, marking the whole contiguous segment as
consumed. Any events between the copied portion and tail_pos are lost.

Limit tail_pos to the position after the entries actually copied before
updating pull_pos. When the whole segment fits, this is equivalent to the
old tail_pos update; when the buffer is smaller, the remaining events
stay queued for the next read.

Fixes: a8c0d13267a4 ("ALSA: firewire-tascam: notify events of change of state for userspace applications")
Cc: stable@vger.kernel.org
Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Co-developed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260503-alsa-firewire-tascam-read-queue-v2-1-126c6efd7642@gmail.com
ALSA: fireworks: bound device-supplied status before string array lookup 2026-04-10T12:59:47+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2026-04-09T14:05:54+00:00 07704bbf36f57e4379e4cadf96410dab14621e3b The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status value outside that range goes off into the weeds when looking at the %s value. Even worse, the status could return EFR_STATUS_INCOMPLETE which is 0x80000000, and is obviously not in that array of potential strings. Fix this up by properly bounding the index against the array size and printing "unknown" if it's not recognized. Cc: Clemens Ladisch <clemens@ladisch.de> Cc: Takashi Sakamoto <o-takashi@sakamocchi.jp> Cc: Jaroslav Kysela <perex@perex.cz> Cc: Takashi Iwai <tiwai@suse.com> Fixes: bde8a8f23bbe ("ALSA: fireworks: Add transaction and some commands") Cc: stable <stable@kernel.org> Assisted-by: gregkh_clanker_t1000 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Link: https://patch.msgid.link/2026040953-astute-camera-1aa1@gregkh Signed-off-by: Takashi Iwai <tiwai@suse.de> 
The status field in an EFW response is a 32-bit value supplied by the
firewire device.  efr_status_names[] has 17 entries so a status value
outside that range goes off into the weeds when looking at the %s value.

Even worse, the status could return EFR_STATUS_INCOMPLETE which is
0x80000000, and is obviously not in that array of potential strings.

Fix this up by properly bounding the index against the array size and
printing "unknown" if it's not recognized.

Cc: Clemens Ladisch <clemens@ladisch.de>
Cc: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Fixes: bde8a8f23bbe ("ALSA: fireworks: Add transaction and some commands")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://patch.msgid.link/2026040953-astute-camera-1aa1@gregkh
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: firewire-lib: fix uninitialized local variable 2026-03-17T08:54:48+00:00 Alexey Nepomnyashih sdl@nppct.ru 2026-03-16T19:18:22+00:00 bb120ad57def62e3f23e3d999c5fbed11f610993 Similar to commit d8dc8720468a ("ALSA: firewire-lib: fix uninitialized local variable"), the local variable `curr_cycle_time` in process_rx_packets() is declared without initialization. When the tracepoint event is not probed, the variable may appear to be used without being initialized. In practice the value is only relevant when the tracepoint is enabled, however initializing it avoids potential use of an uninitialized value and improves code safety. Initialize `curr_cycle_time` to zero. Fixes: fef4e61b0b76 ("ALSA: firewire-lib: extend tracepoints event including CYCLE_TIME of 1394 OHCI") Cc: stable@vger.kernel.org Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru> Link: https://patch.msgid.link/20260316191824.83249-1-sdl@nppct.ru Signed-off-by: Takashi Iwai <tiwai@suse.de> 
Similar to commit d8dc8720468a ("ALSA: firewire-lib: fix uninitialized
local variable"), the local variable `curr_cycle_time` in
process_rx_packets() is declared without initialization.

When the tracepoint event is not probed, the variable may appear to be
used without being initialized. In practice the value is only relevant
when the tracepoint is enabled, however initializing it avoids potential
use of an uninitialized value and improves code safety.

Initialize `curr_cycle_time` to zero.

Fixes: fef4e61b0b76 ("ALSA: firewire-lib: extend tracepoints event including CYCLE_TIME of 1394 OHCI")
Cc: stable@vger.kernel.org
Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
Link: https://patch.msgid.link/20260316191824.83249-1-sdl@nppct.ru
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: firewire: dice: Fix printf warning with W=1 2026-02-28T08:31:13+00:00 Takashi Iwai tiwai@suse.de 2026-02-27T15:57:00+00:00 d4d5633d8b19b0e745a7910aea49956b3b47900d The use of snprintf() may cause a warning with W=1 due to the possibly truncated string. As the truncation doesn't really matter (and won't happen practically) in the case of dice driver, just shut it up by replacing with scnprintf(). Link: https://patch.msgid.link/20260227155705.1557224-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 
The use of snprintf() may cause a warning with W=1 due to the possibly
truncated string.  As the truncation doesn't really matter (and won't
happen practically) in the case of dice driver, just shut it up by
replacing with scnprintf().

Link: https://patch.msgid.link/20260227155705.1557224-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22T16:26:33+00:00 Kees Cook kees@kernel.org 2026-02-22T07:46:04+00:00 189f164e573e18d9f8876dbd3ad8fcbe11f93037 Conversion performed via this Coccinelle script: // SPDX-License-Identifier: GPL-2.0-only // Options: --include-headers-for-types --all-includes --include-headers --keep-comments virtual patch @gfp depends on patch && !(file in "tools") && !(file in "samples")@ identifier ALLOC = {kmalloc_obj,kmalloc_objs,kmalloc_flex, kzalloc_obj,kzalloc_objs,kzalloc_flex, kvmalloc_obj,kvmalloc_objs,kvmalloc_flex, kvzalloc_obj,kvzalloc_objs,kvzalloc_flex}; @@ ALLOC(... - , GFP_KERNEL ) $ make coccicheck MODE=patch COCCI=gfp.cocci Build and boot tested x86_64 with Fedora 42's GCC and Clang: Linux version 6.19.0+ (user@host) (gcc (GCC) 15.2.1 20260123 (Red Hat 15.2.1-7), GNU ld version 2.44-12.fc42) #1 SMP PREEMPT_DYNAMIC 1970-01-01 Linux version 6.19.0+ (user@host) (clang version 20.1.8 (Fedora 20.1.8-4.fc42), LLD 20.1.8) #1 SMP PREEMPT_DYNAMIC 1970-01-01 Signed-off-by: Kees Cook <kees@kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Conversion performed via this Coccinelle script:

  // SPDX-License-Identifier: GPL-2.0-only
  // Options: --include-headers-for-types --all-includes --include-headers --keep-comments
  virtual patch

  @gfp depends on patch && !(file in "tools") && !(file in "samples")@
  identifier ALLOC = {kmalloc_obj,kmalloc_objs,kmalloc_flex,
 		    kzalloc_obj,kzalloc_objs,kzalloc_flex,
		    kvmalloc_obj,kvmalloc_objs,kvmalloc_flex,
		    kvzalloc_obj,kvzalloc_objs,kvzalloc_flex};
  @@

  	ALLOC(...
  -		, GFP_KERNEL
  	)

  $ make coccicheck MODE=patch COCCI=gfp.cocci

Build and boot tested x86_64 with Fedora 42's GCC and Clang:

Linux version 6.19.0+ (user@host) (gcc (GCC) 15.2.1 20260123 (Red Hat 15.2.1-7), GNU ld version 2.44-12.fc42) #1 SMP PREEMPT_DYNAMIC 1970-01-01
Linux version 6.19.0+ (user@host) (clang version 20.1.8 (Fedora 20.1.8-4.fc42), LLD 20.1.8) #1 SMP PREEMPT_DYNAMIC 1970-01-01

Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>