Hi stable maintainers,
I have tried backporting some fixes to stable kernel 6.12.y which also have CVE numbers and are fixing commits in 6.12.y.
I am not a subsystem expert and have only done overall testing that we do for stable release candidate testing and not any patch specific testing.
Note: All these patches are present backports from upstream.
Patch 1: Fixes a race, by reading the code, I can confirm 6.12.y needs this backport -- Few conflicts resolved. This is fix for CVE-2025-38306
Patch 2,3,4,5 -- So this set corresponds to fixing CVE-2025-38272, commit: 1237c2d4a8db ("net: dsa: b53: do not enable EEE on bcm63xx"). While we can comeup with downstream fix byt writing a new function, I think backporting some prerequisites would help us backporting future fixes smoothly to 6.12.y. Patch 2,3,4 are pulled in as prerequisites. Patch3 has minor conflict resolution due to other missing patches. And Patch 5 is again a clean cherry-pick.
Patch 6,7,8: Patch 6 corresponds to the CVE-2025-22125 fix, Patch 7 is a fix for Patch6 and and Patch 8 fixes Patch 7. patch 6 had minor conflict resolution due to missing atomic writes feature in 6.12.y and Patches 7 and 8 are clean cherrypicks.
Patch 9, 10: Patch 10 is a fix for CVE-2025-22113 and patch 9 is pulled in as a prerequisite. Both are clean cherry-picks.
Patch 11: Had conflict resolution in the header file, this is fix for CVE-2025-38453
Patch 12, 13 : Patch 12 is a clean cherrypick and a fix for CVE-2025-23133. This wan't backported earlier or probably dropped as it showed up a regression which is fixed by Patch 13. [1], so we should be fine.
Patch 14: CVE-2025-22103 fix, clean cherry-pick
Patch 15: CVE-2025-22124 fix and a clean cherry-pick.
Please let me know if there are any comments.
Thanks, Harshit
[1] https://lore.kernel.org/all/2025041740-tableware-flight-b781@gregkh/
Al Viro (1): fs/fhandle.c: fix a race in call of has_locked_children()
Jens Axboe (1): io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU
Jonas Gorski (1): net: dsa: b53: do not enable EEE on bcm63xx
Ojaswin Mujoo (2): ext4: define ext4_journal_destroy wrapper ext4: avoid journaling sb update on error if journal is destroying
Russell King (Oracle) (3): net: dsa: add hook to determine whether EEE is supported net: dsa: provide implementation of .support_eee() net: dsa: b53/bcm_sf2: implement .support_eee() method
Su Yue (1): md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb
Wang Liang (1): net: fix NULL pointer dereference in l3mdev_l3_rcv
Wen Gong (2): wifi: ath11k: update channel list in reg notifier instead reg worker wifi: ath11k: update channel list in worker when wait flag is set
Yu Kuai (2): md/raid1,raid10: don't ignore IO flags md/raid1,raid10: don't handle IO error for REQ_RAHEAD and REQ_NOWAIT
Zheng Qixing (1): md/raid1,raid10: strip REQ_NOWAIT from member bios
drivers/md/md-bitmap.c | 6 +- drivers/md/raid1-10.c | 10 +++ drivers/md/raid1.c | 26 +++--- drivers/md/raid10.c | 20 ++--- drivers/net/dsa/b53/b53_common.c | 16 ++-- drivers/net/dsa/b53/b53_priv.h | 1 + drivers/net/dsa/bcm_sf2.c | 1 + drivers/net/ipvlan/ipvlan_l3s.c | 1 - drivers/net/wireless/ath/ath11k/core.c | 1 + drivers/net/wireless/ath/ath11k/core.h | 5 +- drivers/net/wireless/ath/ath11k/mac.c | 14 ++++ drivers/net/wireless/ath/ath11k/reg.c | 107 +++++++++++++++++-------- drivers/net/wireless/ath/ath11k/reg.h | 3 +- drivers/net/wireless/ath/ath11k/wmi.h | 1 + fs/ext4/ext4.h | 3 +- fs/ext4/ext4_jbd2.h | 29 +++++++ fs/ext4/super.c | 32 ++++---- fs/namespace.c | 18 ++++- include/linux/io_uring_types.h | 2 + include/net/dsa.h | 2 + io_uring/msg_ring.c | 4 +- net/dsa/port.c | 16 ++++ net/dsa/user.c | 8 ++ 23 files changed, 230 insertions(+), 96 deletions(-)