From: Quentin Schulz <quentin.schulz@cherry.de>
To: Jonathan Corbet <corbet@lwn.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
CVE Assignment Team <cve@kernel.org>
Cc: workflows@vger.kernel.org, stable@vger.kernel.org,
Heiko Stuebner <heiko@sntech.de>
Subject: How to backport (with conflict resolution) CVE-fixing commits to stable releases?
Date: Tue, 14 Apr 2026 13:40:33 +0200
Message-ID: <ca758574-b32f-4614-88c7-266acf9044c3@cherry.de>
Hi all,

I would like to backport
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a7ac22d53d0990152b108c3f4fe30df45fcb0181
to linux-6.12.y. It is not a conflict-less cherry-pick as many commits
have been made to that file between 6.12 and 6.19 when it was fixed,
which makes git-cherry-pick conflict. I believe I have a patch that
implements the same logic (moving code around, just that that code is
different since it was modified after 6.12) in linux-6.12.y as does
the original commit in 6.19.

My understanding is that this means this patch fits Option 3:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#option-3.

1) It is not specified there what to do with git trailer tags, e.g.
Reviewed-by, Acked-by, Tested-by. I'm assuming
https://www.kernel.org/doc/html/latest/process/submitting-patches.html#using-reported-by-tested-by-reviewed-by-suggested-by-and-fixes

"""
However if the patch has changed substantially in following version,
these tags might not be applicable anymore and thus should be removed.
Usually removal of someone’s Acked-by, Tested-by or Reviewed-by tags
should be mentioned in the patch changelog with an explanation (after
the ‘---’ separator).
"""

applies here but I think it should be made explicit in
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#option-3.

Did I understand this correctly? Could we specify in
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#option-3
what to do with those tags? Also should the people whose tags are
removed be added in Cc of the backport patch (they won't be
automatically with git-send-email anymore since their tags are removed)?

2) I'm also wondering if we should strip the Signed-off-by tags used in
the original patch's delivery path to Linus. After all, it'll go through
a different path: to stable "directly". For this specific commit, it
doesn't matter as the Signed-off-by are for all authors including the
maintainer as last, but the question remains, I don't believe it's
always the case the last author Signed-off-by is the same as the
maintainers' first and last Signed-off-by in the delivery path. What
should we do?

3) Finally, the last question I have is whether it's
required/recommended, and if so, how, to tell maintainers of
https://git.kernel.org/pub/scm/linux/security/vulns.git that this patch
is for CVE X, in my case
https://git.kernel.org/pub/scm/linux/security/vulns.git/tree/cve/published/2026/CVE-2026-22986.dyad.
Maybe their tooling will automatically pick it up once merged, but I
couldn't find documentation either in
https://www.kernel.org/doc/html/latest/process or in the vulns git
repo what to do. Did I miss or misread something? Is there anything we
could add to
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html,
https://www.kernel.org/doc/html/latest/process/cve.html and/or
https://git.kernel.org/pub/scm/linux/security/vulns.git to make this
clearer? Greg seems to be saying "patches to vulns.git welcome" in
http://www.kroah.com/log/blog/2026/02/16/linux-cve-assignment-process/
(Chapter "Changing a CVE"). But also "this is automated" in
http://www.kroah.com/log/blog/2025/12/15/tracking-kernel-commits-across-branches/.
However, those aren't on kernel.org :)

I hope I got all the right mailing lists and maintainers in the mail
recipients, feel free to add more appropriate ones.

Cheers,
Quentin