diff -Nru libvirt-8.0.0/debian/changelog libvirt-8.0.0/debian/changelog
--- libvirt-8.0.0/debian/changelog 2022-10-04 06:33:14.000000000 +0000
+++ libvirt-8.0.0/debian/changelog 2022-11-22 14:59:28.000000000 +0000
@@ -1,3 +1,13 @@
+libvirt (8.0.0-1ubuntu7.4) jammy; urgency=medium
+
+ * d/p/u/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch: prevent
+ apparmor denials on USB forwarding (LP: #1993304)
+ * d/p/u/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch:
+ tolerate the impact of too large udev data avoiding a busy loop
+ (LP: #1996176)
+
+ -- Christian Ehrhardt Tue, 22 Nov 2022 15:59:28 +0100
+
 libvirt (8.0.0-1ubuntu7.3) jammy; urgency=medium
 
 * d/p/u/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch:
diff -Nru libvirt-8.0.0/debian/patches/series libvirt-8.0.0/debian/patches/series
--- libvirt-8.0.0/debian/patches/series 2022-10-04 06:33:14.000000000 +0000
+++ libvirt-8.0.0/debian/patches/series 2022-11-22 14:59:28.000000000 +0000
@@ -35,3 +35,5 @@
 ubuntu/lp-1972075-Allow-VM-to-read-sysfs-PCI-config-revision-files.patch
 ubuntu/lp-1989078-apparmor-Allow-locking-AAVMF-firmware.patch
 ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
+ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
+ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
diff -Nru libvirt-8.0.0/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch libvirt-8.0.0/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
--- libvirt-8.0.0/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-8.0.0/debian/patches/ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch 2022-11-22 14:58:52.000000000 +0000
@@ -0,0 +1,49 @@
+From d6ecd766aa95028b35b6da0d709721720c75c7c1 Mon Sep 17 00:00:00 2001
+From: Christian Ehrhardt
+Date: Thu, 17 Nov 2022 09:35:05 +0100
+Subject: [PATCH] apparmor: allow getattr on usb devices
+
+For the handling of usb we already allow plenty of read access,
+but so far /sys/bus/usb/devices only needed read access to the directory
+to enumerate the symlinks in there that point to the actual entries via
+relative links to ../../../devices/.
+
+But in more recent systemd with updated libraries a program might do
+getattr calls on those symlinks. And while symlinks in apparmor usually
+do not matter, as it is the effective target of an access that has to be
+allowed, here the getattr calls are on the links themselves.
+
+On USB hostdev usage that causes a set of denials like:
+ apparmor="DENIED" operation="getattr" class="file"
+ name="/sys/bus/usb/devices/usb1" comm="qemu-system-x86"
+ requested_mask="r" denied_mask="r" ...
+
+It is safe to read the links, therefore add a rule to allow it to
+the block of rules that covers the usb related access.
+
+Signed-off-by: Christian Ehrhardt
+Reviewed-by: Michal Privoznik
+
+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/d6ecd766aa950
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1993304
+Last-Update: 2022-11-22
+
+---
+ src/security/apparmor/libvirt-qemu | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
+index 02ee273e7e..d0289b8943 100644
+--- a/src/security/apparmor/libvirt-qemu
++++ b/src/security/apparmor/libvirt-qemu
+@@ -42,6 +42,7 @@
+ 
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
++ /sys/bus/usb/devices/* r,
+ /sys/devices/**/usb[0-9]*/** r,
+ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
+ /run/udev/data/+usb* r,
+--
+2.38.1
+
diff -Nru libvirt-8.0.0/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch libvirt-8.0.0/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
--- libvirt-8.0.0/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-8.0.0/debian/patches/ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch 2022-11-22 14:58:07.000000000 +0000
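Review bot: The new `/sys/bus/usb/devices/* r,` rule will read as redundant next to the directory rule above it and the `/sys/devices/**/usb[0-9]*/** r,` rule below it, because, as the commit message itself notes, AppArmor normally mediates an access on the resolved target and this rule only matters for getattr/readlink on the link names themselves. That reasoning lives only in the commit message, so a later profile tidy-up could drop the line and reintroduce the denial. I would record it in the profile, directly above the new rule: `# getattr/readlink on the device symlinks themselves (their targets are covered below)`. The `*` glob does not cross `/`, so the grant stays limited to the direct entries of that one directory, which matches the scope the denial asks for.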
@@ -0,0 +1,58 @@
+From 33a38492b75acb7dbec9b64c41a5dba4acde4240 Mon Sep 17 00:00:00 2001
+From: Christian Ehrhardt
+Date: Thu, 10 Nov 2022 10:36:28 +0100
+Subject: [PATCH] nodedev: ignore EINVAL from libudev in udevEventHandleThread
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Certain udev entries might be of a size that makes libudev emit EINVAL
+which right now leads to udevEventHandleThread exiting. Due to no more
+handling events other elements of libvirt will start pushing for events
+to be consumed which never happens causing a busy loop burning a cpu
+without any gain.
+
+After evaluation of the example case discussed in in #245 and a test
+run ignoring EINVAL it was considered safe to add EINVAL to the ignored
+errnos to not exit udevEventHandleThread giving it more resilience.
+
+The root cause is in systemd and by now was discussed and fixed via
+https://github.com/systemd/systemd/issues/24987, but hardening libvirt
+to be able to better deal with EINVAL returned still is the right thing
+to avoid the reported busy loops on systemd with older systemd versions.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/245
+
+Signed-off-by: Christian Ehrhardt
+Reviewed-by: Daniel P. Berrangé
+
+Origin: upstream, https://gitlab.com/libvirt/libvirt/-/commit/33a38492b75acb7
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1996176
+Last-Update: 2022-11-22
+
+---
+ src/node_device/node_device_udev.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
+index 24ef1c25a9..2454cab8f8 100644
+--- a/src/node_device/node_device_udev.c
++++ b/src/node_device/node_device_udev.c
+@@ -1865,10 +1865,12 @@ udevEventHandleThread(void *opaque G_GNUC_UNUSED)
+ }
+ 
+ /* POSIX allows both EAGAIN and EWOULDBLOCK to be used
+- * interchangeably when the read would block or timeout was fired
++ * interchangeably when the read would block or timeout was fired.
++ * EINVAL might happen on too large udev entries, ignore those for
++ * the robustness of udevEventHandleThread.
+ */
+ VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
+- if (errno != EAGAIN && errno != EWOULDBLOCK) {
++ if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINVAL) {
+ VIR_WARNINGS_RESET
+ virReportSystemError(errno, "%s",
+ _("failed to receive device from udev "
+--
+2.38.1
+
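Review bot: EINVAL is now swallowed with no trace at all: the only reporting on this path is the virReportSystemError in the fatal branch, so a device whose udev record was too large silently never reaches the nodedev view, and any other cause of EINVAL from libudev would be hidden the same way. I would keep EINVAL out of the fatal branch but log it once the `if` block has been passed, where errno is still untouched, e.g. `if (errno == EINVAL) VIR_WARN("udev returned EINVAL (oversized udev entry?), skipping event");` right after that block's closing brace. The updated comment could also name the upstream root cause so a reader knows the condition is expected to disappear with newer systemd: `* EINVAL might happen on too large udev entries (systemd issue 24987), ignore those for`. The `if` block and udevEventHandleThread both continue past the end of the hunk, so I cannot see whether the loop re-waits on the monitor afterwards or retries immediately; if it is the latter, a persistently failing read would still spin.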