On Mon, Nov 29, 2021 at 08:19:18AM +0100, Juergen Gross wrote:

Hi Greg,

could you please add the following upstream patches to the stable 5.10 kernel (I'll send separate mails for the older stable kernels as some of the patches don't apply for those)? They are hardening Xen PV frontends against attacks from related backends.

Qubes-OS has asked for those patches to be added to stable, too.

629a5d87e26fe96b ("xen: sync include/xen/interface/io/ring.h with Xen's newest version") 71b66243f9898d0e ("xen/blkfront: read response from backend only once") 8f5a695d99000fc3 ("xen/blkfront: don't take local copy of a request from the ring page") b94e4b147fd1992a ("xen/blkfront: don't trust the backend response data blindly") 8446066bf8c1f9f7 ("xen/netfront: read response from backend only once") 162081ec33c2686a ("xen/netfront: don't read data from request on the ring page") 21631d2d741a64a0 ("xen/netfront: disentangle tx_skb_freelist") a884daa61a7d9165 ("xen/netfront: don't trust the backend response data blindly") e679004dec37566f ("tty: hvc: replace BUG_ON() with negative return value")

All now queued up, thanks.

But people should be moving to the 5.15 kernel by now and not sticking with 5.10 anymore for stuff like this.

greg k-h