Changelog in Linux kernel 6.12.1

 
hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
Author: Hyunwoo Kim <v4bel@theori.io>
Date:   Wed Nov 6 04:36:04 2024 -0500

    hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
    
    commit e629295bd60abf4da1db85b82819ca6a4f6c1e79 upstream.
    
    When hvs is released, there is a possibility that vsk->trans may not
    be initialized to NULL, which could lead to a dangling pointer.
    This issue is resolved by initializing vsk->trans to NULL.
    
    Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Link: https://patch.msgid.link/Zys4hCj61V+mQfX2@v4bel-B760M-AORUS-ELITE-AX
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
Linux: Linux 6.12.1
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Nov 22 15:30:26 2024 +0100

    Linux 6.12.1
    
    Link: https://lore.kernel.org/r/20241120124100.444648273@linuxfoundation.org
    Tested-by: Mark Brown <broonie@kernel.org>
    Tested-by: SeongJae Park <sj@kernel.org>
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Ron Economos <re@w6rz.net>
    Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Christian Heusel <christian@heusel.eu>
    Tested-by: Salvatore Bonaccorso <carnil@debian.org>
    Tested-by: kernelci.org bot <bot@kernelci.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
Author: Benoit Sevens <bsevens@google.com>
Date:   Thu Nov 7 14:22:02 2024 +0000

    media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
    
    commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.
    
    This can lead to out of bounds writes since frames of this type were not
    taken into account when calculating the size of the frames buffer in
    uvc_parse_streaming.
    
    Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
    Signed-off-by: Benoit Sevens <bsevens@google.com>
    Cc: stable@vger.kernel.org
    Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mm/mmap: fix __mmap_region() error handling in rare merge failure case
Author: Liam R. Howlett <Liam.Howlett@Oracle.com>
Date:   Tue Nov 19 12:59:45 2024 -0500

    mm/mmap: fix __mmap_region() error handling in rare merge failure case
    
    The mmap_region() function tries to install a new vma, which requires a
    pre-allocation for the maple tree write due to the complex locking
    scenarios involved.
    
    Recent efforts to simplify the error recovery required the relocation of
    the preallocation of the maple tree nodes (via vma_iter_prealloc()
    calling mas_preallocate()) higher in the function.
    
    The relocation of the preallocation meant that, if there was a file
    associated with the vma and the driver call (mmap_file()) modified the
    vma flags, then a new merge of the new vma with existing vmas is
    attempted.
    
    During the attempt to merge the existing vma with the new vma, the vma
    iterator is used - the same iterator that would be used for the next
    write attempt to the tree.  In the event of needing a further allocation,
    if the new allocation fails, the vma iterator (and contained maple
    state) will be cleaned up, including freeing all previous allocations,
    and will be reset internally.
    
    Upon returning to the __mmap_region() function, the error is available
    in the vma_merge_struct and can be used to detect the -ENOMEM status.
    
    Hitting an -ENOMEM scenario after the driver callback leaves the system
    in a state where undoing the mapping is worse than continuing by dipping
    into the reserve.
    
    A preallocation should be performed in the case of an -ENOMEM and the
    allocations were lost during the failure scenario.  The __GFP_NOFAIL
    flag is used in the allocation to ensure the allocation succeeds after
    implicitly telling the driver that the mapping was happening.
    
    The range is already set in the vma_iter_store() call below, so it is
    not necessary and is dropped.
    
    Reported-by: syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/x/log.txt?x=17b0ace8580000
    Fixes: 5de195060b2e2 ("mm: resolve faulty mmap_region() error path behaviour")
    Signed-off-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
    Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
    Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
    Cc: Jann Horn <jannh@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>