author Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-19 21:59:07 +0100
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-02-19 21:59:07 +0100
commit 26d70f7e02333fd89e700b84da93bfd342990468 (patch)
tree e72ade578731a7e2d929df94f3d892ba7dd4ebdb
parent cb74b041d04d4a9e5d655069e64114d2be215226 (diff)
add initial 6.7 proposed changes to review
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- cve/review/6.7.proposed 205
1 files changed, 205 insertions, 0 deletions
diff --git a/cve/review/6.7.proposed b/cve/review/6.7.proposed
new file mode 100644
index 00000000..016eeefb
--- /dev/null
+++ b/cve/review/6.7.proposed
@@ -0,0 +1,205 @@
+560ea72c76eb drm/i915/dp_mst: Fix race between connector registration and setup
+a11d965a218f wifi: rt2x00: restart beacon queue when hardware reset
+5f99f312bd3b bpf: add register bounds sanity checks and sanitization
+d872ca165cb6 crypto: rsa - add a check for allocation failure
+3171e46d677a PCI: Avoid potential out-of-bounds read in pci_dev_for_each_resource()
+9862ec7ac1cb FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree
+27e56f59bab5 UBSAN: array-index-out-of-bounds in dtSplitRoot
+fa5492ee8946 jfs: fix slab-out-of-bounds Read in dtSearch
+74ecdda68242 jfs: fix array-index-out-of-bounds in dbAdjTree
+e0e1958f4c36 jfs: fix uaf in jfs_evict_inode
+cca974daeb6c jfs: fix shift-out-of-bounds in dbJoin
+aeb686a98a9e usb: gadget: uvc: Allocate uvc_requests one at a time
+da324ffce34c usb: gadget: uvc: Fix use-after-free for inflight usb_requests
+ded85b0c0edd media: pvrusb2: fix use after free on context disconnection
+d8212c5c87c1 media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the crash of multi-core JPEG devices
+206c857dd17d media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run
+475c58e1a471 EDAC/thunderx: Fix possible out-of-bounds string access
+ad90d0358bd3 serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed
+5bfa0e45e9e7 x86/cpu/intel_epb: Don't rely on link order
+2bbe6ab2be53 drm/sched: Fix bounds limiting when given a malformed entity
+49db9b1b86a8 reiserfs: Avoid touching renamed directory if parent does not change
+9d618d19b29c ocfs2: Avoid touching renamed directory if parent does not change
+a8b0026847b8 rename(): avoid a deadlock in the case of parents having no common ancestor
+df99da19c6c2 powerpc/lib: Avoid array bounds warnings in vec ops
+8f9abaa6d7de powerpc/lib: Validate size for vector operations
+53edb549565f f2fs: fix to avoid dirent corruption
+2adc886244df wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
+3cc12bb83e67 firmware: arm_scmi: Fix NULL pointer dereference during fastchannel init
+1692cf434ba1 perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology()
+5082b3e3027e wifi: ath11k: fix race due to setting ATH11K_FLAG_EXT_IRQ_ENABLED too early
+f9893fdac319 net: page_pool: fix general protection fault in page_pool_unlist
+b719a9c15d52 drm/amd/display: Fix NULL pointer dereference at hibernate
+bd68ffce69f6 powerpc/pseries/memhp: Fix access beyond end of drmem array
+e2e2aacf042f xhci: fix possible null pointer deref during xhci urb enqueue
+3de6ee94aae7 media: v4l: async: Fix duplicated list deletion
+3f489c2067c5 binder: fix use-after-free in shinker's callback
+876673364161 bpf: Defer the free of inner map when necessary
+730651268664 fs: use do_splice_direct() for nfsd/ksmbd server-side-copy
+ab125ed3ec1c bpf: fix check for attempt to corrupt spilled pointer
+18a433b62061 bpf: track aligned STACK_ZERO cases as imprecise spilled registers
+d87c49377d5b x86: intel_epb: Don't rely on link order
+72d9b9747e78 ACPI: extlog: fix NULL pointer dereference check
+514a1cc940c2 drm/amd/display: Fix array-index-out-of-bounds in dml2
+7a2464fac80d drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()
+5759aa4f9560 xfs: update dir3 leaf block metadata after swap
+76385d493c21 drm/debugfs: fix potential NULL pointer dereference
+41673c66b3d0 mfd: syscon: Fix null pointer dereference in of_syscon_register()
+c4fb7d2eac9f soc: qcom: pmic_glink_altmode: fix port sanity check
+c692696fc51c media: saa6752hs: Don't set format in sub-device state
+dff1eebf2be3 media: adv7183: Don't set format in sub-device state
+72c8cb48a4cc media: mt9t112: Don't set format in sub-device state
+09aee3995f9e media: rj54n1cb0c: Don't set format in sub-device state
+843750fb85fd media: tw9910: Don't set format in sub-device state
+e55a9482888d media: ov9640: Don't set format in sub-device state
+fca9448ae2f5 drm/imagination: Move dereference after NULL check in pvr_mmu_backing_page_init()
+78d60dae9a0c serial: imx: fix tx statemachine deadlock
+6b4a64bafd10 bpf: Fix accesses to uninit stack slots
+a3c205d0560f ipv6: do not check fib6_has_expires() in fib6_info_release()
+870565f063a5 media: rkisp1: Fix IRQ disable race issue
+12427de9439d Squashfs: fix variable overflow triggered by sysbot
+584db20c181f nilfs2: move page release outside of nilfs_delete_entry and nilfs_set_link
+8cf57c6df818 nilfs2: eliminate staggered calls to kunmap in nilfs_rename
+0e8d2444168d efivarfs: force RO when remounting if SetVariable is not supported
+8b13601d19c5 s390/ptrace: handle setting of fpc register correctly
+b988b1bb0053 KVM: s390: fix setting of fpc register
+4961acdd65c9 f2fs: fix to tag gcing flag on page during block migration
+4f973e211b3b IB/ipoib: Fix mcast list locking
+fe0a7776d4d1 wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()
+39042079a0c2 kmemleak: avoid RCU stalls when freeing metadata for per-CPU pointers
+60694edf668a drm/xe: Ensure VMA not userptr before calling xe_bo_is_stolen
+a2dd235df435 media: dvbdev: drop refcount on error path in dvb_device_open()
+669acc7eec22 powerpc/rtas: Fall back to linear search on failed token->function lookup
+e7582edb7861 powerpc/rtas: Move token validation from block_rtas_call() to sys_rtas()
+f46c8a75263f powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
+6f64f866aa1a block: add check that partition length needs to be aligned with block size
+eff9704f5332 bus: mhi: host: Add alignment check for event ring read pointer
+45284ff733e4 drm/msm/dpu: Add mutex lock in control vblank irq
+a7d84a2e7663 mtd: maps: vmu-flash: Fix the (mtd core) switch to ref counters
+3c12466b6b7b erofs: fix lz4 inplace decompression
+28dd788382c4 drivers/amd/pm: fix a use-after-free in kv_parse_power_table
+59e5791f59dd bpf: Fix a race condition between btf_put() and map_free()
+dbf4ab821804 serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO
+f200fff8d019 spmi: mtk-pmif: Serialize PMIF status check and command submission
+e821d50ab5b9 spmi: mediatek: Fix UAF on device remove
+65a618dd7321 drm/amdkfd: svm range always mapped flag not working on APU
+04e6ccfc93c5 thermal: core: Fix NULL pointer dereference in zone registration error path
+80602b6b5a23 xhci: Fix null pointer dereference during S4 resume when resetting ep0
+86d7d57a3f09 f2fs: fix to check return value of f2fs_recover_xattr_data
+01bd694ac2f6 bus: mhi: host: Drop chan lock before queuing buffers
+8877243beafa gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
+6914968a0b52 drm/bridge: properly refcount DT nodes in aux bridge drivers
+bb57f6705960 iommu: Don't reserve 0-length IOVA region
+8892780834ae drm/amd/display: Wake DMCUB before sending a command
+b4eecedc75c1 drm/xe: Fix potential deadlock handling page faults
+1a545ed74b33 drm/xe: fix pvc unload issue
+2988cf02ee30 drm/xe: Fix memory use after free
+fc3a5534e2a8 libbpf: Fix NULL pointer dereference in bpf_object__collect_prog_relos
+f5c24d94512f dmaengine: fix NULL pointer in channel unregistration function
+5db4afe1db56 drm/xe: Fix unreffed ptr leak on engine lookup
+7f38e1e1063e drm/xe: fix bounds checking for 'len' in xe_engine_create_ioctl
+a00b8f1aae43 drm/xe: fix xe_device_mem_access_get() races
+fd84041d094c drm/xe: Make bind engines safe
+ca8656a2eb09 drm/xe: skip rebind_list if vma destroyed
+07431945d8ae drm/xe: Avoid 64-bit register reads
+3a13c2de442d drm/xe/hwmon: fix uaf on unload
+8c54ee8a8606 drm/xe: Ensure that we don't access the placements array out-of-bounds
+08e4c8c5919f netfilter: nf_tables: mark newset as dead on transaction abort
+a43bdc376dea mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
+da9065caa594 Bluetooth: Fix atomicity violation in {min,max}_key_size_set
+cb4daf271302 drm: Don't unref the same fb many times by mistake due to deadlock handling
+88f04bc3e737 power: supply: Fix null pointer dereference in smb2_probe
+75cbe49f9e2f drm/xe: Fix UBSAN splat in add_preempt_fences()
+ab7a781fd6f8 OPP: Fix _set_required_opps when opp is NULL
+315552310c7d sysctl: Fix out of bounds access for empty sysctl registers
+4f6ac47b55e3 xfs: fix a use after free in xfs_defer_finish_recovery
+d1adb25df711 mm: migrate: fix getting incorrect page mapping during page migration
+5ec8e8ea8b77 mm/sparsemem: fix race in accessing memory_section->usage
+fea153a84557 bcachefs: rcu protect trans->paths
+49f9637aafa6 jfs: fix array-index-out-of-bounds in diNewExt
+3027e7b15b02 ice: Fix some null pointer dereference issues in ice_ptp.c
+efa56305908b nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length
+7839d0078e0d PM: sleep: Fix possible deadlocks in core system-wide PM code
+4b5c5f5ad38b drm/amdgpu/gfx11: need acquire mutex before access CP_VMID_RESET v2
+a0b84213f947 kunit: Fix NULL-dereference in kunit_init_suite() if suite->log is NULL
+b8d55a90fd55 drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()
+9c51f8788b5d perf env: Avoid recursively taking env->bpf_progs.lock
+16b2f264983d bpf: sockmap, fix proto update hook to avoid dup calls
+fb4cece17b45 scsi: smartpqi: Fix logical volume rescan race condition
+55a8210c9e7d apparmor: avoid crash when parsed profile name is empty
+0c9ae0b86050 uio: Fix use-after-free in uio_open
+93ec4a3b7640 class: fix use-after-free in class_register()
+ad362fe07fec KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache
+1e24ce402c97 perf db-export: Fix missing reference count get in call_path_from_sample()
+715d82ba636c bpf: Fix re-attachment branch in bpf_tracing_prog_attach
+2dd23cc4d0e6 usb: mon: Fix atomicity violation in mon_bin_vma_fault
+be12ad45e15b hisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume
+59b946ea3080 ASoC: Intel: bxt_da7219_max98357a: Fix kernel ops due to COMP_DUMMY change
+3ec71290db4d ASoC: Intel: bxt_rt298: Fix kernel ops due to COMP_DUMMY change
+c12ca110c613 PCI: keystone: Fix race condition when initializing PHYs
+47bf0f83fc86 drm/amdkfd: Fix lock dependency warning
+78996eee79eb riscv: Fix module loading free order
+2ad62d16cd24 drm/v3d: Free the job and assign it to NULL if initialization fails
+b33fb5b801c6 net: qualcomm: rmnet: fix global oob in rmnet_policy
+844f104790bd net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events
+a297d07b9a1e pwm: Fix out-of-bounds access in of_pwm_single_xlate()
+4cccb6221cae fs/proc/task_mmu: move mmu notification mechanism inside mm lock
+118a8cf504d7 erofs: fix inconsistent per-file compression format
+38d20c62903d ksmbd: fix UAF issue in ksmbd_tcp_new_connection()
+1f1626ac0428 drm/ttm: fix ttm pool initialization for no-dma-device drivers
+19c022252424 drm/xe: Fix modifying exec_queue priority in xe_migrate_init
+8049e3954aea drm/xe: Fix bounds checking in __xe_bo_placement_for_flags()
+b493ad718b1f ceph: fix deadlock or deadcode of misusing dget()
+08ac6f132dd7 drm/bridge: sii902x: Fix probing race issue
+22c7fa171a02 bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS
+36a87385e31c LoongArch: BPF: Prevent out-of-bounds memory access
+ea937f772083 net: netdevsim: don't try to destroy PHC on VFs
+850fb7fa8c68 s390/vfio-ap: always filter entire AP matrix
+b7c510d04904 arm64/ptrace: Don't flush ZA/ZT storage when writing ZA via ptrace
+dc7eb8755797 arm64/sme: Always exit sme_alloc() early with existing storage
+cf4a0d840ecc wifi: iwlwifi: fix a memory corruption
+bcbc84af1183 wifi: mac80211: fix race condition on enabling fast-xmit
+172202152a12 ext4: do not trim the group with corrupted block bitmap
+c9b528c35795 ext4: regenerate buddy after block freeing failed if under fc replay
+993bf0f4c393 ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt
+4530b3660d39 ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()
+832698373a25 ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()
+c5f3a3821de4 ext4: mark the group block bitmap as corrupted before reporting an error
+efeb7dfea8ee mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path
+483ae90d8f97 mlxsw: spectrum_acl_tcam: Fix stack corruption
+f546c4282673 btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned
+dbc153fd3c14 net/smc: fix illegal rmb_desc access in SMC-D connection dump
+76025cc2285d smb: client: fix parsing of SMB3.1.1 POSIX create context
+198bc90e0e73 tcp: make sure init the accept_queue's spinlocks once
+467739baf636 bnxt_en: Fix possible crash after creating sw mqprio TCs
+437a310b2224 firmware: arm_scmi: Check mailbox/SMT channel for consistency
+13e788deb734 net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
+3be0b3ed1d76 netfs, fscache: Prevent Oops in fscache_put_cache()
+c3d6569a4332 cachefiles, erofs: Fix NULL deref in when cachefiles is not doing ondemand-mode
+7ed2632ec7d7 drm/ttm: fix ttm pool initialization for no-dma-device drivers
+de8b6e1c231a spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected
+4373534a9850 scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler
+d76fdd31f953 net/mlx5e: Fix peer flow lists handling
+edcf9725150e nfsd: fix RELEASE_LOCKOWNER
+e169bd4fb2b3 aoe: avoid potential deadlock at set_capacity
+f342de4e2f33 netfilter: nf_tables: reject QUEUE/DROP verdict parameters
+c5114710c8ce xsk: fix usage of multi-buffer BPF helpers for ZC XDP
+ebeae8adf89d ksmbd: fix global oob in ksmbd_nl_policy
+9319b647902c mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
+00aab7dcb226 HID: i2c-hid-of: fix NULL-deref on failed power up
+e622502c310f ipmr: fix kernel panic when forwarding mcast packets
+a54a594d72f2 xhci: fix possible null pointer dereference at secondary interrupter removal
+12783c0b9e2c usb: core: Prevent null pointer dereference in update_port_device_state
+61a348857e86 usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend
+30926783a468 serial: core: Fix atomicity violation in uart_tiocmget
+881f78f47255 xfs: remove conditional building of rt geometry validator functions
+aa2b2eb39348 llc: call sock_orphan() at release time
+8b1d72395635 parisc: Fix random data corruption from exception handler
+7104ba0f1958 phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP
+1e560864159d PCI/ASPM: Fix deadlock when enabling ASPM
+faf51b201bc4 drm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue
+9c29282ecbee drm/amdkfd: reserve the BO before validating it
+4d322dce82a1 af_unix: fix lockdep positive in sk_diag_dump_icons()
+7e82a8745b95 pds_core: Prevent race issues involving the adminq
+710c69dbaccd nvmet-fc: avoid deadlock on delete association path
+e0526ec5360a hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove \ No newline at end of file
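Review bot: The subject "drm/ttm: fix ttm pool initialization for no-dma-device drivers" is listed twice under different ids (1f1626ac0428 and 7ed2632ec7d7), and the intel_epb "Don't rely on link order" fix appears as both 5bfa0e45e9e7 and d87c49377d5b; each pair should be checked so that one fix does not end up with two CVE ids. The same applies to the two dbAdjTree array-index-out-of-bounds entries (9862ec7ac1cb and 74ecdda68242). Several entries do not read as kernel vulnerability fixes from the subject alone and deserve a second look before assignment: the two perf entries (9c51f8788b5d, 1e24ce402c97) and the libbpf one (fc3a5534e2a8) carry userspace tool prefixes, a0b84213f947 is in kunit, df99da19c6c2 only mentions avoiding warnings, and 881f78f47255 "xfs: remove conditional building of rt geometry validator functions" describes a build change. The file also ends without a trailing newline, which will show up as noise in the next diff that appends to it.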