Hi Greg,
could you please add the following upstream patches to the stable 5.10 kernel (I'll send separate mails for the older stable kernels as some of the patches don't apply for those)? They are hardening Xen PV frontends against attacks from related backends.
Qubes-OS has asked for those patches to be added to stable, too.
629a5d87e26fe96b ("xen: sync include/xen/interface/io/ring.h with Xen's newest version")
71b66243f9898d0e ("xen/blkfront: read response from backend only once")
8f5a695d99000fc3 ("xen/blkfront: don't take local copy of a request from the ring page")
b94e4b147fd1992a ("xen/blkfront: don't trust the backend response data blindly")
8446066bf8c1f9f7 ("xen/netfront: read response from backend only once")
162081ec33c2686a ("xen/netfront: don't read data from request on the ring page")
21631d2d741a64a0 ("xen/netfront: disentangle tx_skb_freelist")
a884daa61a7d9165 ("xen/netfront: don't trust the backend response data blindly")
e679004dec37566f ("tty: hvc: replace BUG_ON() with negative return value")
Thanks,
Juergen