analogdevicesinc / linux

Linux kernel variant from Analog Devices; see README.md for details

Home Page:https://github.com/analogdevicesinc/linux

Need confirmation for some unpatched CVE in linux

the-Chain-Warden-thresh opened this issue

I'm building up my own OS by cloning this repo. However, I've noticed that some CVEs which were confirmed and fixed in linux have not been patched in this repo. To enhance the availability of my project as far as possible, I would appreciate it if you could confirm whether any of the CVEs below also exist in this repo, so that I can fix these security issues myself by applying the corresponding patches.
Here are the CVEs I found unpatched in this repo but fixed in linux:

CVE-2022-23038 in drivers/scsi/xen-scsifront.c's function void scsifront_gnttab_done (struct vscsifrnt_info *info,struct vscsifrnt_shadow *shadow), with patch here for your reference.

CVE-2022-3202 in fs/jfs/inode.c's function void jfs_evict_inode (struct inode *inode), with patch here for your reference.

CVE-2023-23006 in drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c's function int dr_domain_init_resources (struct mlx5dr_domain *dmn), with patch here for your reference.

CVE-2022-33740 in drivers/net/xen-netfront.c's function struct sk_buff xennet_alloc_one_rx_buffer (struct netfront_queue *queue), with patch here for your reference.

CVE-2022-23037 in drivers/net/xen-netfront.c's function void xennet_tx_buf_gc (struct netfront_queue *queue), with patch here for your reference.

CVE-2023-23004 in drivers/gpu/drm/arm/malidp_planes.c's function bool malidp_check_pages_threshold (struct malidp_plane_state *ms,u32 pgsize), with patch here for your reference.

Hi,

As of today we are not merging linux-stable into our release branches, as you can see from the minor version number. So you have to do it yourself and resolve the possible merge conflicts (or just cherry-pick the patches you're interested in, though that is prone to errors).

We do understand the above is far from ideal and we've already been discussing it internally. We still need to decide some things related to the process/workflow (like the cadence of the merges and things like that).

Unfortunately, it's unlikely that we will start doing it now on the current release branch (2021_R2), as we should have a new release soon (worst case, by the end of the year). But, OTOH, it's very likely that we'll start doing this starting from the next release... So, if you can wait until the next release, you should be covered. If not, I'm afraid you'll have to handle the merge yourself.

Very good and pertinent question!
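One way to follow the cherry-pick route the maintainer describes while keeping track of which upstream fixes a vendor branch already carries, as an added example that is not part of this thread or of the ADI repo: the branch names, file names and commit messages are constructed, and in real use the commit ids would be the upstream fix commits for the CVEs listed above.

```shell
#!/bin/sh
# Added example (not code from the ADI repo or this thread): check whether a set of
# upstream fix commits is already reachable from a vendor branch, counting both
# merged commits and "-x" cherry-picks, and backport only the missing ones.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com

# fix_present <commit> <branch>: succeeds if the fix is an ancestor of the branch
# or was cherry-picked into it with -x (the hash changes, but the trailer survives).
fix_present() {
    git merge-base --is-ancestor "$1" "$2" 2>/dev/null && return 0
    git log "$2" --format=%B -- | grep -q "cherry picked from commit $1"
}

# backport_missing "<commit> <commit> ..." <branch>: report each fix as
# "present", or cherry-pick it (with -x) and report it as "picked".
backport_missing() {
    git checkout -q "$2"
    for c in $1; do
        if fix_present "$c" "$2"; then
            echo "present $c"
        else
            git cherry-pick -x "$c" >/dev/null
            echo "picked  $c"
        fi
    done
}

# Constructed scenario: an "upstream" branch with two fixes and a "vendor" branch
# forked before them, where fix one was already hand-backported with -x.
make_demo_repo() {
    cd "$(mktemp -d)"
    git init -q
    git symbolic-ref HEAD refs/heads/upstream
    echo base >driver.c && git add driver.c && git commit -q -m "base"
    git checkout -q -b vendor
    git checkout -q upstream
    echo one >fix1.c && git add fix1.c && git commit -q -m "fix one"
    FIX1=$(git rev-parse HEAD)
    echo two >fix2.c && git add fix2.c && git commit -q -m "fix two"
    FIX2=$(git rev-parse HEAD)
    git checkout -q vendor
    echo local >vendor.c && git add vendor.c && git commit -q -m "vendor change"
    git cherry-pick -x "$FIX1" >/dev/null
}

make_demo_repo
backport_missing "$FIX1 $FIX2" vendor   # fix one: present (via -x trailer); fix two: picked
```

Note that `git merge-base --is-ancestor` alone reports every cherry-picked fix as missing, because the backported commit has a new hash; the `-x` trailer is what makes the second check possible.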

That is to say, all of the 6 CVEs I listed previously do impact this repo? Thanks a lot for your reply; then I'll apply the corresponding patches in order to start my own work as soon as possible. After you have your new release, I'll keep up with your newer version to continue my customization.