diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 0b16729cb7..f0cfcd27e5 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "linux-6.12.55.tar.gz": "c8076132f818c0a22b7fe9a1184769406f0a62d0b93e4516d7f1a6d24f3791c3" + "linux-6.12.59.tar.gz": "93dfe627d321f016291054449a8e4bf9051de19687fbf1a6f584a2b79f8f5d2c" } } diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index ecda5ff11f..5f2eded90c 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -13,14 +13,14 @@ Summary: Linux API header files Name: kernel-headers -Version: 6.12.55 -Release: 2%{?dist} +Version: 6.12.59 +Release: 1%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit Group: System Environment/Kernel URL: https://www.kernel.org/pub/linux/kernel -Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz +Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.59.tar.gz # Historical name shipped by other distros Provides: glibc-kernheaders = %{version}-%{release} BuildArch: noarch @@ -41,7 +41,7 @@ cross-glibc package. %endif %prep -%setup -q -n linux-6.12.55 +%setup -q -n linux-6.12.59 %build make mrproper @@ -76,6 +76,9 @@ done %endif %changelog +* Thu Dec 11 2025 Lishan Liu - 6.12.59-1 +- Update kernel to 6.12.59 + * Thu Nov 27 2025 Lishan Liu - 6.12.55-2 - Update audio and virtio gpu kernel config diff --git a/SPECS/kernel-rt/0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac b/SPECS/kernel-rt/0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac new file mode 100644 index 0000000000..bb155c4a22 --- /dev/null +++ b/SPECS/kernel-rt/0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac 
@@ -0,0 +1,59 @@ +From 4384532f29b08a758e951581980b6a1428c950f0 Mon Sep 17 00:00:00 2001 +From: Qiuxu Zhuo +Date: Wed, 6 Nov 2024 11:35:45 +0000 +Subject: [PATCH 1/6] EDAC/igen6: Initialize edac_op_state according to the + configuration data + +Currently, igen6_edac sets edac_op_state to EDAC_OPSTATE_NMI, while the +driver also supports memory errors reported from Machine Check. Initialize +edac_op_state to the correct value according to the configuration data +that the driver probed. + +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/all/20241106114024.941659-2-orange@aiven.io +--- + drivers/edac/igen6_edac.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index 28a168cc569385..0524b83c8ab335 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -1389,6 +1389,15 @@ static void unregister_err_handler(void) + unregister_nmi_handler(NMI_SERR, IGEN6_NMI_NAME); + } + ++static void opstate_set(struct res_config *cfg) ++{ ++ /* Set the mode according to the configuration data. */ ++ if (cfg->machine_check) ++ edac_op_state = EDAC_OPSTATE_INT; ++ else ++ edac_op_state = EDAC_OPSTATE_NMI; ++} ++ + static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { + u64 mchbar; +@@ -1406,6 +1415,8 @@ static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (rc) + goto fail; + ++ opstate_set(res_cfg); ++ + for (i = 0; i < res_cfg->num_imc; i++) { + rc = igen6_register_mci(i, mchbar, pdev); + if (rc) +@@ -1489,8 +1500,6 @@ static int __init igen6_init(void) + if (owner && strncmp(owner, EDAC_MOD_STR, sizeof(EDAC_MOD_STR))) + return -EBUSY; + +- edac_op_state = EDAC_OPSTATE_NMI; +- + rc = pci_register_driver(&igen6_driver); + if (rc) + return rc; +-- +2.43.0 + 
diff --git a/SPECS/kernel-rt/0001-drm-i915-Do-not-advertise-about-CCS.sriov b/SPECS/kernel-rt/0001-drm-i915-Do-not-advertise-about-CCS.sriov new file mode 100644 index 0000000000..0bb5c07446 --- /dev/null +++ b/SPECS/kernel-rt/0001-drm-i915-Do-not-advertise-about-CCS.sriov @@ -0,0 +1,39 @@ +From 1e5d5fbf3f18d0c4b534c431fa71c065ee048a63 Mon Sep 17 00:00:00 2001 +From: "Zawawi, Muhammad Zul Husni" +Date: Thu, 20 Nov 2025 15:27:35 +0800 +Subject: [PATCH] drm/i915: Do not advertise about CCS + +Do not advertise CCS is available for +selected platforms (DG1,TGL,ADL-S/P) +as CCS is not actually functional on those. + +Signed-off-by: Dongwon Kim +Signed-off-by: Zawawi, Muhammad Zul Husni +--- + drivers/gpu/drm/i915/i915_query.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/gpu/drm/i915/i915_query.c b/drivers/gpu/drm/i915/i915_query.c +index 7c6669cc4c96..72201c8d9ecd 100644 +--- a/drivers/gpu/drm/i915/i915_query.c ++++ b/drivers/gpu/drm/i915/i915_query.c +@@ -159,6 +159,16 @@ query_engine_info(struct drm_i915_private *i915, + info_ptr = &query_ptr->engines[0]; + + for_each_uabi_engine(engine, i915) { ++ /* Do not advertise CCS is available for selected platforms ++ * as CCS is not actually functional on those. ++ */ ++ if ((INTEL_INFO(i915)->platform == INTEL_DG1 || ++ INTEL_INFO(i915)->platform == INTEL_TIGERLAKE || ++ INTEL_INFO(i915)->platform == INTEL_ALDERLAKE_S || ++ INTEL_INFO(i915)->platform == INTEL_ALDERLAKE_P) && ++ engine->uabi_class == I915_ENGINE_CLASS_COMPUTE) ++ continue; ++ + info.engine.engine_class = engine->uabi_class; + info.engine.engine_instance = engine->uabi_instance; + info.flags = I915_ENGINE_INFO_HAS_LOGICAL_INSTANCE; +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm b/SPECS/kernel-rt/0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm new file mode 100644 index 0000000000..03ecdf9d52 --- /dev/null +++ b/SPECS/kernel-rt/0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm 
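Review bot: The new `continue` in `query_engine_info()` only hides `I915_ENGINE_CLASS_COMPUTE` from the engine-info query, and nothing in this hunk stops userspace from naming that class directly. If CCS is not functional on DG1/TGL/ADL-S/P, confirm that the context-creation and submission paths (outside this hunk) reject it too, or that the engine is never registered as a uabi engine on those platforms. The function starts and ends outside the hunk, and the reply length is presumably computed before the loop, so also confirm that the length returned to userspace still matches the number of entries written once engines are skipped. The platform test is loop-invariant and could be computed once before `for_each_uabi_engine()` with the existing helpers, e.g. `bool hide_ccs = IS_DG1(i915) || IS_TIGERLAKE(i915) || IS_ALDERLAKE_S(i915) || IS_ALDERLAKE_P(i915);`.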
@@ -0,0 +1,37 @@ +From 22bfa1d0a8bacb0b9a80e92f5e6920ff4204c7bc Mon Sep 17 00:00:00 2001 +From: "Mazlan, Hazwan Arif" +Date: Tue, 4 Nov 2025 13:22:44 +0800 +Subject: [PATCH] i915/gt: Upgrade GuC 70.44.1 => 70.49.4 + +FW Upstream: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git +FW Upstream commit: 20251021&id=20cf22e50252d63cfd0d06b5026c21b7a77ad821 + +Signed-off-by: Mazlan, Hazwan Arif +--- + drivers/gpu/drm/i915/gt/uc/intel_uc_fw.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_uc_fw.c b/drivers/gpu/drm/i915/gt/uc/intel_uc_fw.c +index 86afc6d175c48..5005b45f0dace 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_uc_fw.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_uc_fw.c +@@ -88,12 +88,12 @@ void intel_uc_fw_change_status(struct intel_uc_fw *uc_fw, + * security fixes, etc. to be enabled. + */ + #define INTEL_GUC_FIRMWARE_DEFS(fw_def, guc_maj, guc_mmp) \ +- fw_def(METEORLAKE, 0, guc_maj(mtl, 70, 44, 1)) \ +- fw_def(DG2, 0, guc_maj(dg2, 70, 44, 1)) \ +- fw_def(ALDERLAKE_P, 0, guc_maj(adlp, 70, 44, 1)) \ ++ fw_def(METEORLAKE, 0, guc_maj(mtl, 70, 49, 4)) \ ++ fw_def(DG2, 0, guc_maj(dg2, 70, 49, 4)) \ ++ fw_def(ALDERLAKE_P, 0, guc_maj(adlp, 70, 49, 4)) \ + fw_def(ALDERLAKE_P, 0, guc_mmp(adlp, 70, 1, 1)) \ + fw_def(ALDERLAKE_P, 0, guc_mmp(adlp, 69, 0, 3)) \ +- fw_def(ALDERLAKE_S, 0, guc_maj(tgl, 70, 44, 1)) \ ++ fw_def(ALDERLAKE_S, 0, guc_maj(tgl, 70, 49, 4)) \ + fw_def(ALDERLAKE_S, 0, guc_mmp(tgl, 70, 1, 1)) \ + fw_def(ALDERLAKE_S, 0, guc_mmp(tgl, 69, 0, 3)) \ + fw_def(DG1, 0, guc_maj(dg1, 70, 5, 1)) \ +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0002-EDAC-igen6-Add-polling-support.edac b/SPECS/kernel-rt/0002-EDAC-igen6-Add-polling-support.edac new file mode 100644 index 0000000000..0dfea740e0 --- /dev/null +++ b/SPECS/kernel-rt/0002-EDAC-igen6-Add-polling-support.edac 
@@ -0,0 +1,93 @@ +From c008b6393fbc6d5b748162907dc84e260c7b1922 Mon Sep 17 00:00:00 2001 +From: Orange Kao +Date: Wed, 6 Nov 2024 11:35:46 +0000 +Subject: [PATCH 2/6] EDAC/igen6: Add polling support + +Some PCs with Intel N100 (with PCI device 8086:461c, DID_ADL_N_SKU4) +experienced issues with error interrupts not working, even with the +following configuration in the BIOS. + + In-Band ECC Support: Enabled + In-Band ECC Operation Mode: 2 (make all requests protected and + ignore range checks) + IBECC Error Injection Control: Inject Correctable Error on insertion + counter + Error Injection Insertion Count: 251658240 (0xf000000) + +Add polling mode support for these machines to ensure that memory error +events are handled. + +Signed-off-by: Orange Kao +Signed-off-by: Tony Luck +Reviewed-by: Qiuxu Zhuo +Link: https://lore.kernel.org/all/20241106114024.941659-3-orange@aiven.io +--- + drivers/edac/igen6_edac.c | 30 ++++++++++++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index 0524b83c8ab335..da89cb0d4df42c 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -1209,6 +1209,20 @@ static int igen6_pci_setup(struct pci_dev *pdev, u64 *mchbar) + return -ENODEV; + } + ++static void igen6_check(struct mem_ctl_info *mci) ++{ ++ struct igen6_imc *imc = mci->pvt_info; ++ u64 ecclog; ++ ++ /* errsts_clear() isn't NMI-safe. 
Delay it in the IRQ context */ ++ ecclog = ecclog_read_and_clear(imc); ++ if (!ecclog) ++ return; ++ ++ if (!ecclog_gen_pool_add(imc->mc, ecclog)) ++ irq_work_queue(&ecclog_irq_work); ++} ++ + static int igen6_register_mci(int mc, u64 mchbar, struct pci_dev *pdev) + { + struct edac_mc_layer layers[2]; +@@ -1250,6 +1264,8 @@ static int igen6_register_mci(int mc, u64 mchbar, struct pci_dev *pdev) + mci->edac_cap = EDAC_FLAG_SECDED; + mci->mod_name = EDAC_MOD_STR; + mci->dev_name = pci_name(pdev); ++ if (edac_op_state == EDAC_OPSTATE_POLL) ++ mci->edac_check = igen6_check; + mci->pvt_info = &igen6_pvt->imc[mc]; + + imc = mci->pvt_info; +@@ -1389,8 +1405,18 @@ static void unregister_err_handler(void) + unregister_nmi_handler(NMI_SERR, IGEN6_NMI_NAME); + } + +-static void opstate_set(struct res_config *cfg) ++static void opstate_set(struct res_config *cfg, const struct pci_device_id *ent) + { ++ /* ++ * Quirk: Certain SoCs' error reporting interrupts don't work. ++ * Force polling mode for them to ensure that memory error ++ * events can be handled. ++ */ ++ if (ent->device == DID_ADL_N_SKU4) { ++ edac_op_state = EDAC_OPSTATE_POLL; ++ return; ++ } ++ + /* Set the mode according to the configuration data. */ + if (cfg->machine_check) + edac_op_state = EDAC_OPSTATE_INT; +@@ -1415,7 +1441,7 @@ static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (rc) + goto fail; + +- opstate_set(res_cfg); ++ opstate_set(res_cfg, ent); + + for (i = 0; i < res_cfg->num_imc; i++) { + rc = igen6_register_mci(i, mchbar, pdev); +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac b/SPECS/kernel-rt/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac new file mode 100644 index 0000000000..a29eec1fe3 --- /dev/null +++ b/SPECS/kernel-rt/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac 
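Review bot: The comment in the new `igen6_check()`, `/* errsts_clear() isn't NMI-safe. Delay it in the IRQ context */`, states an NMI constraint, but this function is only installed as `mci->edac_check` when `edac_op_state == EDAC_OPSTATE_POLL`. It should instead say why the poll callback reuses the deferred path, something like `/* Poll callback: queue the log and let ecclog_irq_work do the reporting */`. When `ecclog_gen_pool_add()` returns non-zero the record has already been cleared by `ecclog_read_and_clear()`, so unless that helper logs on its own (not visible here) the error is dropped silently; a ratelimited message or counter would help. Whether the NMI/MCE handlers are still registered when `opstate_set()` forces polling for `DID_ADL_N_SKU4` is decided outside these hunks and is worth confirming.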
@@ -0,0 +1,61 @@ +From 22e60a53039e0f951345db05219e78e18f3f0870 Mon Sep 17 00:00:00 2001 +From: Qiuxu Zhuo +Date: Wed, 12 Feb 2025 16:33:54 +0800 +Subject: [PATCH 3/6] EDAC/igen6: Fix the flood of invalid error reports + +The ECC_ERROR_LOG register of certain SoCs may contain the invalid value +~0, which results in a flood of invalid error reports in polling mode. + +Fix the flood of invalid error reports by skipping the invalid ECC error +log value ~0. + +Fixes: e14232afa944 ("EDAC/igen6: Add polling support") +Reported-by: Ramses +Closes: https://lore.kernel.org/all/OISL8Rv--F-9@well-founded.dev/ +Tested-by: Ramses +Reported-by: John +Closes: https://lore.kernel.org/all/p5YcxOE6M3Ncxpn2-Ia_wCt61EM4LwIiN3LroQvT_-G2jMrFDSOW5k2A9D8UUzD2toGpQBN1eI0sL5dSKnkO8iteZegLoQEj-DwQaMhGx4A=@proton.me/ +Tested-by: John +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/20250212083354.31919-1-qiuxu.zhuo@intel.com +--- + drivers/edac/igen6_edac.c | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index da89cb0d4df42c..4c54de702156a4 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -816,13 +816,22 @@ static u64 ecclog_read_and_clear(struct igen6_imc *imc) + { + u64 ecclog = readq(imc->window + ECC_ERROR_LOG_OFFSET); + +- if (ecclog & (ECC_ERROR_LOG_CE | ECC_ERROR_LOG_UE)) { +- /* Clear CE/UE bits by writing 1s */ +- writeq(ecclog, imc->window + ECC_ERROR_LOG_OFFSET); +- return ecclog; +- } ++ /* ++ * Quirk: The ECC_ERROR_LOG register of certain SoCs may contain ++ * the invalid value ~0. This will result in a flood of invalid ++ * error reports in polling mode. Skip it. ++ */ ++ if (ecclog == ~0) ++ return 0; + +- return 0; ++ /* Neither a CE nor a UE. 
Skip it.*/ ++ if (!(ecclog & (ECC_ERROR_LOG_CE | ECC_ERROR_LOG_UE))) ++ return 0; ++ ++ /* Clear CE/UE bits by writing 1s */ ++ writeq(ecclog, imc->window + ECC_ERROR_LOG_OFFSET); ++ ++ return ecclog; + } + + static void errsts_clear(struct igen6_imc *imc) +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan b/SPECS/kernel-rt/0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan index a3ea64e517..c6cf6f0f5f 100644 --- a/SPECS/kernel-rt/0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan +++ b/SPECS/kernel-rt/0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan @@ -23,11 +23,11 @@ Signed-off-by: Daniele Palmas drivers/bus/mhi/host/pm.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) -diff --git a/drivers/bus/mhi/host/internal.h b/drivers/bus/mhi/host/internal.h -index d057e877932e3..304870cb7611e 100644 +Index: b/drivers/bus/mhi/host/internal.h +=================================================================== --- a/drivers/bus/mhi/host/internal.h +++ b/drivers/bus/mhi/host/internal.h -@@ -67,7 +67,7 @@ extern const char * const mhi_ee_str[MHI_EE_MAX]; +@@ -67,7 +67,7 @@ extern const char * const mhi_ee_str[MHI #define MHI_IN_PBL(ee) (ee == MHI_EE_PBL || ee == MHI_EE_PTHRU || \ ee == MHI_EE_EDL) @@ -36,16 +36,16 @@ index d057e877932e3..304870cb7611e 100644 #define MHI_FW_LOAD_CAPABLE(ee) (ee == MHI_EE_PBL || ee == MHI_EE_EDL) #define MHI_IN_MISSION_MODE(ee) (ee == MHI_EE_AMSS || ee == MHI_EE_WFW || \ ee == MHI_EE_FP) -diff --git a/drivers/bus/mhi/host/pm.c b/drivers/bus/mhi/host/pm.c -index 11c0e751f2239..a69d21075e98a 100644 +Index: b/drivers/bus/mhi/host/pm.c +=================================================================== --- a/drivers/bus/mhi/host/pm.c 
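Review bot: In `ecclog_read_and_clear()` the test `if (ecclog == ~0)` compares a `u64` against an `int` constant and gives the intended result only because -1 is converted to all-ones. Writing it as `if (ecclog == ~0ULL)` makes the width explicit and guards against a later edit to `~0U` silently breaking the quirk. The same pattern appears in `igen6_imc_absent()` in patch 5/6 (`readl(...) == ~0`), where `~0U` would match the `u32` return value. The comment `/* Neither a CE nor a UE. Skip it.*/` is also missing the space before `*/`.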
+++ b/drivers/bus/mhi/host/pm.c -@@ -1263,10 +1263,11 @@ int mhi_sync_power_up(struct mhi_controller *mhi_cntrl) +@@ -1279,10 +1279,11 @@ int mhi_sync_power_up(struct mhi_control mhi_cntrl->ready_timeout_ms : mhi_cntrl->timeout_ms; wait_event_timeout(mhi_cntrl->state_event, MHI_IN_MISSION_MODE(mhi_cntrl->ee) || + mhi_cntrl->ee == MHI_EE_SBL || - MHI_PM_IN_ERROR_STATE(mhi_cntrl->pm_state), + MHI_PM_FATAL_ERROR(mhi_cntrl->pm_state), msecs_to_jiffies(timeout_ms)); - ret = (MHI_IN_MISSION_MODE(mhi_cntrl->ee)) ? 0 : -ETIMEDOUT; @@ -53,6 +53,3 @@ index 11c0e751f2239..a69d21075e98a 100644 if (ret) mhi_power_down(mhi_cntrl, false); --- -2.25.1 - diff --git a/SPECS/kernel-rt/0004-EDAC-igen6-Constify-struct-res_config.edac b/SPECS/kernel-rt/0004-EDAC-igen6-Constify-struct-res_config.edac new file mode 100644 index 0000000000..1eb9359c2b --- /dev/null +++ b/SPECS/kernel-rt/0004-EDAC-igen6-Constify-struct-res_config.edac 
@@ -0,0 +1,128 @@ +From c9cf3881dd7a5eaa109433910b2c6af77a80ce7e Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Fri, 31 Jan 2025 21:27:02 +0100 +Subject: [PATCH 4/6] EDAC/igen6: Constify struct res_config + +The res_config structs are not modified in this driver. + +Constifying these structures moves some data to a read-only section, so +increase overall security, especially when the structure holds some function +pointers. + +On a x86_64, with allmodconfig, as an example: + + Before: + ====== + text data bss dec hex filename + 36777 2479 4304 43560 aa28 drivers/edac/igen6_edac.o + + After: + ===== + text data bss dec hex filename + 37297 1959 4304 43560 aa28 drivers/edac/igen6_edac.o + +Signed-off-by: Christophe JAILLET +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Qiuxu Zhuo +Link: https://lore.kernel.org/r/a06153870951a64b438e76adf97d440e02c1a1fc.1738355198.git.christophe.jaillet@wanadoo.fr +--- + drivers/edac/igen6_edac.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index 4c54de702156a4..f1f996894a8fc3 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -126,7 +126,7 @@ + #define MEM_SLICE_HASH_MASK(v) (GET_BITFIELD(v, 6, 19) << 6) + #define MEM_SLICE_HASH_LSB_MASK_BIT(v) GET_BITFIELD(v, 24, 26) + +-static struct res_config { ++static const struct res_config { + bool machine_check; + int num_imc; + u32 imc_base; +@@ -478,7 +478,7 @@ static u64 rpl_p_err_addr(u64 ecclog) + return ECC_ERROR_LOG_ADDR45(ecclog); + } + +-static struct res_config ehl_cfg = { ++static const struct res_config ehl_cfg = { + .num_imc = 1, + .imc_base = 0x5000, + .ibecc_base = 0xdc00, +@@ -488,7 +488,7 @@ static struct res_config ehl_cfg = { + .err_addr_to_imc_addr = ehl_err_addr_to_imc_addr, + }; + +-static struct res_config icl_cfg = { ++static const struct res_config icl_cfg = { + .num_imc = 1, + .imc_base = 0x5000, + .ibecc_base = 0xd800, 
+@@ -498,7 +498,7 @@ static struct res_config icl_cfg = { + .err_addr_to_imc_addr = ehl_err_addr_to_imc_addr, + }; + +-static struct res_config tgl_cfg = { ++static const struct res_config tgl_cfg = { + .machine_check = true, + .num_imc = 2, + .imc_base = 0x5000, +@@ -512,7 +512,7 @@ static struct res_config tgl_cfg = { + .err_addr_to_imc_addr = tgl_err_addr_to_imc_addr, + }; + +-static struct res_config adl_cfg = { ++static const struct res_config adl_cfg = { + .machine_check = true, + .num_imc = 2, + .imc_base = 0xd800, +@@ -523,7 +523,7 @@ static struct res_config adl_cfg = { + .err_addr_to_imc_addr = adl_err_addr_to_imc_addr, + }; + +-static struct res_config adl_n_cfg = { ++static const struct res_config adl_n_cfg = { + .machine_check = true, + .num_imc = 1, + .imc_base = 0xd800, +@@ -534,7 +534,7 @@ static struct res_config adl_n_cfg = { + .err_addr_to_imc_addr = adl_err_addr_to_imc_addr, + }; + +-static struct res_config rpl_p_cfg = { ++static const struct res_config rpl_p_cfg = { + .machine_check = true, + .num_imc = 2, + .imc_base = 0xd800, +@@ -546,7 +546,7 @@ static struct res_config rpl_p_cfg = { + .err_addr_to_imc_addr = adl_err_addr_to_imc_addr, + }; + +-static struct res_config mtl_ps_cfg = { ++static const struct res_config mtl_ps_cfg = { + .machine_check = true, + .num_imc = 2, + .imc_base = 0xd800, +@@ -557,7 +557,7 @@ static struct res_config mtl_ps_cfg = { + .err_addr_to_imc_addr = adl_err_addr_to_imc_addr, + }; + +-static struct res_config mtl_p_cfg = { ++static const struct res_config mtl_p_cfg = { + .machine_check = true, + .num_imc = 2, + .imc_base = 0xd800, +@@ -1414,7 +1414,7 @@ static void unregister_err_handler(void) + unregister_nmi_handler(NMI_SERR, IGEN6_NMI_NAME); + } + +-static void opstate_set(struct res_config *cfg, const struct pci_device_id *ent) ++static void opstate_set(const struct res_config *cfg, const struct pci_device_id *ent) + { + /* + * Quirk: Certain SoCs' error reporting interrupts don't work. +-- +2.43.0 + 
diff --git a/SPECS/kernel-rt/0005-EDAC-igen6-Skip-absent-memory-controllers.edac b/SPECS/kernel-rt/0005-EDAC-igen6-Skip-absent-memory-controllers.edac new file mode 100644 index 0000000000..ede566998f --- /dev/null +++ b/SPECS/kernel-rt/0005-EDAC-igen6-Skip-absent-memory-controllers.edac 
@@ -0,0 +1,154 @@ +From e0bff20645871be982bce78d3ae11dbad92af0e7 Mon Sep 17 00:00:00 2001 +From: Qiuxu Zhuo +Date: Tue, 8 Apr 2025 21:24:53 +0800 +Subject: [PATCH 5/6] EDAC/igen6: Skip absent memory controllers + +Some BIOS versions may fuse off certain memory controllers and set the +registers of these absent memory controllers to ~0. The current igen6_edac +mistakenly enumerates these absent memory controllers and registers them +with the EDAC core. + +Skip the absent memory controllers to avoid mistakenly enumerating them. + +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/20250408132455.489046-2-qiuxu.zhuo@intel.com +--- + drivers/edac/igen6_edac.c | 78 +++++++++++++++++++++++++++++++-------- + 1 file changed, 62 insertions(+), 16 deletions(-) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index f1f996894a8fc3..19e6a55a2fbb61 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -128,6 +128,7 @@ + + static const struct res_config { + bool machine_check; ++ /* The number of present memory controllers. */ + int num_imc; + u32 imc_base; + u32 cmf_base; +@@ -1232,23 +1233,21 @@ static void igen6_check(struct mem_ctl_info *mci) + irq_work_queue(&ecclog_irq_work); + } + +-static int igen6_register_mci(int mc, u64 mchbar, struct pci_dev *pdev) ++/* Check whether the memory controller is absent. 
*/ ++static bool igen6_imc_absent(void __iomem *window) ++{ ++ return readl(window + MAD_INTER_CHANNEL_OFFSET) == ~0; ++} ++ ++static int igen6_register_mci(int mc, void __iomem *window, struct pci_dev *pdev) + { + struct edac_mc_layer layers[2]; + struct mem_ctl_info *mci; + struct igen6_imc *imc; +- void __iomem *window; + int rc; + + edac_dbg(2, "\n"); + +- mchbar += mc * MCHBAR_SIZE; +- window = ioremap(mchbar, MCHBAR_SIZE); +- if (!window) { +- igen6_printk(KERN_ERR, "Failed to ioremap 0x%llx\n", mchbar); +- return -ENODEV; +- } +- + layers[0].type = EDAC_MC_LAYER_CHANNEL; + layers[0].size = NUM_CHANNELS; + layers[0].is_virt_csrow = false; +@@ -1314,7 +1313,6 @@ static int igen6_register_mci(int mc, u64 mchbar, struct pci_dev *pdev) + fail2: + edac_mc_free(mci); + fail: +- iounmap(window); + return rc; + } + +@@ -1340,6 +1338,56 @@ static void igen6_unregister_mcis(void) + } + } + ++static int igen6_register_mcis(struct pci_dev *pdev, u64 mchbar) ++{ ++ void __iomem *window; ++ int lmc, pmc, rc; ++ u64 base; ++ ++ for (lmc = 0, pmc = 0; pmc < NUM_IMC; pmc++) { ++ base = mchbar + pmc * MCHBAR_SIZE; ++ window = ioremap(base, MCHBAR_SIZE); ++ if (!window) { ++ igen6_printk(KERN_ERR, "Failed to ioremap 0x%llx for mc%d\n", base, pmc); ++ rc = -ENOMEM; ++ goto out_unregister_mcis; ++ } ++ ++ if (igen6_imc_absent(window)) { ++ iounmap(window); ++ edac_dbg(2, "Skip absent mc%d\n", pmc); ++ continue; ++ } ++ ++ rc = igen6_register_mci(lmc, window, pdev); ++ if (rc) ++ goto out_iounmap; ++ ++ /* Done, if all present MCs are detected and registered. 
*/ ++ if (++lmc >= res_cfg->num_imc) ++ break; ++ } ++ ++ if (!lmc) { ++ igen6_printk(KERN_ERR, "No mc found.\n"); ++ return -ENODEV; ++ } ++ ++ if (lmc < res_cfg->num_imc) ++ igen6_printk(KERN_WARNING, "Expected %d mcs, but only %d detected.", ++ res_cfg->num_imc, lmc); ++ ++ return 0; ++ ++out_iounmap: ++ iounmap(window); ++ ++out_unregister_mcis: ++ igen6_unregister_mcis(); ++ ++ return rc; ++} ++ + static int igen6_mem_slice_setup(u64 mchbar) + { + struct igen6_imc *imc = &igen6_pvt->imc[0]; +@@ -1436,7 +1484,7 @@ static void opstate_set(const struct res_config *cfg, const struct pci_device_id + static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { + u64 mchbar; +- int i, rc; ++ int rc; + + edac_dbg(2, "\n"); + +@@ -1452,11 +1500,9 @@ static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + opstate_set(res_cfg, ent); + +- for (i = 0; i < res_cfg->num_imc; i++) { +- rc = igen6_register_mci(i, mchbar, pdev); +- if (rc) +- goto fail2; +- } ++ rc = igen6_register_mcis(pdev, mchbar); ++ if (rc) ++ goto fail; + + if (res_cfg->num_imc > 1) { + rc = igen6_mem_slice_setup(mchbar); +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac b/SPECS/kernel-rt/0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac new file mode 100644 index 0000000000..f6a14ffacc --- /dev/null +++ b/SPECS/kernel-rt/0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac 
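Review bot: `igen6_register_mci()` no longer maps or unmaps `window`, but the new ownership rule is not documented anywhere. A short comment above it would help, e.g. `/* @window is mapped by the caller, which also unmaps it if registration fails. */`, together with a note on `igen6_register_mcis()` that `lmc` is the logical index and `pmc` the physical slot. On the `out_iounmap` path the window is unmapped and then `igen6_unregister_mcis()` runs; that function is outside the hunk, so confirm it cannot unmap the same window a second time after a partly completed registration. The warning `"Expected %d mcs, but only %d detected."` has no trailing `\n` and should read `"Expected %d mcs, but only %d detected.\n"`; patch 6/6 re-touches this statement and carries the same string.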
@@ -0,0 +1,154 @@ +From 292e6af510a558ecd012343f11ef200ecc800bf3 Mon Sep 17 00:00:00 2001 +From: Qiuxu Zhuo +Date: Thu, 19 Jun 2025 00:23:06 +0800 +Subject: [PATCH 6/6] EDAC/igen6: Fix NULL pointer dereference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A kernel panic was reported with the following kernel log: + + EDAC igen6: Expected 2 mcs, but only 1 detected. + BUG: unable to handle page fault for address: 000000000000d570 + ... + Hardware name: Notebook V54x_6x_TU/V54x_6x_TU, BIOS Dasharo (coreboot+UEFI) v0.9.0 07/17/2024 + RIP: e030:ecclog_handler+0x7e/0xf0 [igen6_edac] + ... + igen6_probe+0x2a0/0x343 [igen6_edac] + ... + igen6_init+0xc5/0xff0 [igen6_edac] + ... + +This issue occurred because one memory controller was disabled by +the BIOS but the igen6_edac driver still checked all the memory +controllers, including this absent one, to identify the source of +the error. Accessing the null MMIO for the absent memory controller +resulted in the oops above. + +Fix this issue by reverting the configuration structure to non-const +and updating the field 'res_cfg->num_imc' to reflect the number of +detected memory controllers. 
+ +Fixes: 20e190b1c1fd ("EDAC/igen6: Skip absent memory controllers") +Reported-by: Marek Marczykowski-Górecki +Closes: https://lore.kernel.org/all/aFFN7RlXkaK_loQb@mail-itl/ +Suggested-by: Borislav Petkov +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Signed-off-by: Borislav Petkov (AMD) +Tested-by: Marek Marczykowski-Górecki +Link: https://lore.kernel.org/r/20250618162307.1523736-1-qiuxu.zhuo@intel.com +--- + drivers/edac/igen6_edac.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index 19e6a55a2fbb61..4b343fea285122 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -126,7 +126,7 @@ + #define MEM_SLICE_HASH_MASK(v) (GET_BITFIELD(v, 6, 19) << 6) + #define MEM_SLICE_HASH_LSB_MASK_BIT(v) GET_BITFIELD(v, 24, 26) + +-static const struct res_config { ++static struct res_config { + bool machine_check; + /* The number of present memory controllers. */ + int num_imc; +@@ -479,7 +479,7 @@ static u64 rpl_p_err_addr(u64 ecclog) + return ECC_ERROR_LOG_ADDR45(ecclog); + } + +-static const struct res_config ehl_cfg = { ++static struct res_config ehl_cfg = { + .num_imc = 1, + .imc_base = 0x5000, + .ibecc_base = 0xdc00, +@@ -489,7 +489,7 @@ static const struct res_config ehl_cfg = { + .err_addr_to_imc_addr = ehl_err_addr_to_imc_addr, + }; + +-static const struct res_config icl_cfg = { ++static struct res_config icl_cfg = { + .num_imc = 1, + .imc_base = 0x5000, + .ibecc_base = 0xd800, +@@ -499,7 +499,7 @@ static const struct res_config icl_cfg = { + .err_addr_to_imc_addr = ehl_err_addr_to_imc_addr, + }; + +-static const struct res_config tgl_cfg = { ++static struct res_config tgl_cfg = { + .machine_check = true, + .num_imc = 2, + .imc_base = 0x5000, +@@ -513,7 +513,7 @@ static const struct res_config tgl_cfg = { + .err_addr_to_imc_addr = tgl_err_addr_to_imc_addr, + }; + +-static const struct res_config adl_cfg = { ++static struct res_config 
adl_cfg = { + .machine_check = true, + .num_imc = 2, + .imc_base = 0xd800, +@@ -524,7 +524,7 @@ static const struct res_config adl_cfg = { + .err_addr_to_imc_addr = adl_err_addr_to_imc_addr, + }; + +-static const struct res_config adl_n_cfg = { ++static struct res_config adl_n_cfg = { + .machine_check = true, + .num_imc = 1, + .imc_base = 0xd800, +@@ -535,7 +535,7 @@ static const struct res_config adl_n_cfg = { + .err_addr_to_imc_addr = adl_err_addr_to_imc_addr, + }; + +-static const struct res_config rpl_p_cfg = { ++static struct res_config rpl_p_cfg = { + .machine_check = true, + .num_imc = 2, + .imc_base = 0xd800, +@@ -547,7 +547,7 @@ static const struct res_config rpl_p_cfg = { + .err_addr_to_imc_addr = adl_err_addr_to_imc_addr, + }; + +-static const struct res_config mtl_ps_cfg = { ++static struct res_config mtl_ps_cfg = { + .machine_check = true, + .num_imc = 2, + .imc_base = 0xd800, +@@ -558,7 +558,7 @@ static const struct res_config mtl_ps_cfg = { + .err_addr_to_imc_addr = adl_err_addr_to_imc_addr, + }; + +-static const struct res_config mtl_p_cfg = { ++static struct res_config mtl_p_cfg = { + .machine_check = true, + .num_imc = 2, + .imc_base = 0xd800, +@@ -569,7 +569,7 @@ static const struct res_config mtl_p_cfg = { + .err_addr_to_imc_addr = adl_err_addr_to_imc_addr, + }; + +-static const struct pci_device_id igen6_pci_tbl[] = { ++static struct pci_device_id igen6_pci_tbl[] = { + { PCI_VDEVICE(INTEL, DID_EHL_SKU5), (kernel_ulong_t)&ehl_cfg }, + { PCI_VDEVICE(INTEL, DID_EHL_SKU6), (kernel_ulong_t)&ehl_cfg }, + { PCI_VDEVICE(INTEL, DID_EHL_SKU7), (kernel_ulong_t)&ehl_cfg }, +@@ -1373,9 +1373,11 @@ static int igen6_register_mcis(struct pci_dev *pdev, u64 mchbar) + return -ENODEV; + } + +- if (lmc < res_cfg->num_imc) ++ if (lmc < res_cfg->num_imc) { + igen6_printk(KERN_WARNING, "Expected %d mcs, but only %d detected.", + res_cfg->num_imc, lmc); ++ res_cfg->num_imc = lmc; ++ } + + return 0; + +-- +2.43.0 + 
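Review bot: Removing `const` from every `res_config` instance undoes the hardening that patch 4/6 of this same series adds, so the tables holding the `err_addr_to_imc_addr` function pointers are writable again. That is done for a single write, `res_cfg->num_imc = lmc;`. Nothing in the visible hunks writes to `igen6_pci_tbl[]`, so its `const` removal looks unnecessary and the declaration could stay `static const struct pci_device_id igen6_pci_tbl[]`. If diverging from the upstream fix is acceptable, a narrower option is to keep the per-platform tables const and store the detected controller count in driver-private state. Otherwise, document the mutation at the field, e.g. `/* Overwritten at probe time with the number of detected controllers. */`, since the reduced value persists in the static struct across a later re-probe.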
diff --git a/SPECS/kernel-rt/0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan b/SPECS/kernel-rt/0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan index dc98c07bbe..66ca2d21b5 100644 --- a/SPECS/kernel-rt/0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan +++ b/SPECS/kernel-rt/0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan @@ -9,11 +9,11 @@ This reverts commit 32f346ee23bcf98937fab2356321563d1640c839. drivers/bus/mhi/host/pm.c | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) -diff --git a/drivers/bus/mhi/host/internal.h b/drivers/bus/mhi/host/internal.h -index 304870cb7611e..d057e877932e3 100644 +Index: b/drivers/bus/mhi/host/internal.h +=================================================================== --- a/drivers/bus/mhi/host/internal.h +++ b/drivers/bus/mhi/host/internal.h -@@ -67,7 +67,7 @@ extern const char * const mhi_ee_str[MHI_EE_MAX]; +@@ -67,7 +67,7 @@ extern const char * const mhi_ee_str[MHI #define MHI_IN_PBL(ee) (ee == MHI_EE_PBL || ee == MHI_EE_PTHRU || \ ee == MHI_EE_EDL) @@ -22,16 +22,16 @@ index 304870cb7611e..d057e877932e3 100644 #define MHI_FW_LOAD_CAPABLE(ee) (ee == MHI_EE_PBL || ee == MHI_EE_EDL) #define MHI_IN_MISSION_MODE(ee) (ee == MHI_EE_AMSS || ee == MHI_EE_WFW || \ ee == MHI_EE_FP) -diff --git a/drivers/bus/mhi/host/pm.c b/drivers/bus/mhi/host/pm.c -index a69d21075e98a..11c0e751f2239 100644 +Index: b/drivers/bus/mhi/host/pm.c +=================================================================== --- a/drivers/bus/mhi/host/pm.c 
+++ b/drivers/bus/mhi/host/pm.c -@@ -1263,11 +1263,10 @@ int mhi_sync_power_up(struct mhi_controller *mhi_cntrl) +@@ -1279,11 +1279,10 @@ int mhi_sync_power_up(struct mhi_control mhi_cntrl->ready_timeout_ms : mhi_cntrl->timeout_ms; wait_event_timeout(mhi_cntrl->state_event, MHI_IN_MISSION_MODE(mhi_cntrl->ee) || - mhi_cntrl->ee == MHI_EE_SBL || - MHI_PM_IN_ERROR_STATE(mhi_cntrl->pm_state), + MHI_PM_FATAL_ERROR(mhi_cntrl->pm_state), msecs_to_jiffies(timeout_ms)); - ret = (MHI_IN_MISSION_MODE(mhi_cntrl->ee) || mhi_cntrl->ee == MHI_EE_SBL) ? 0 : -ETIMEDOUT; @@ -39,6 +39,3 @@ index a69d21075e98a..11c0e751f2239 100644 if (ret) mhi_power_down(mhi_cntrl, false); --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2024-57995.patch b/SPECS/kernel-rt/CVE-2024-57995.patch deleted file mode 100644 index adfc02f8ea..0000000000 --- a/SPECS/kernel-rt/CVE-2024-57995.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From dc03b5a4900e8f87da9c82098fbc47adbad1dd65 Mon Sep 17 00:00:00 2001 -From: Aditya Kumar Singh -Date: Tue, 10 Dec 2024 10:56:33 +0530 -Subject: [PATCH 25/27] wifi: ath12k: fix read pointer after free in - ath12k_mac_assign_vif_to_vdev() - -In ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different -radio, it gets deleted from that radio through a call to -ath12k_mac_unassign_link_vif(). This action frees the arvif pointer. -Subsequently, there is a check involving arvif, which will result in a -read-after-free scenario. - -Fix this by moving this check after arvif is again assigned via call to -ath12k_mac_assign_link_vif(). - -Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 - -Closes: https://scan5.scan.coverity.com/#/project-view/63541/10063?selectedIssue=1636423 -Fixes: b5068bc9180d ("wifi: ath12k: Cache vdev configs before vdev create") -Signed-off-by: Aditya Kumar Singh -Acked-by: Jeff Johnson -Acked-by: Kalle Valo -Link: https://patch.msgid.link/20241210-read_after_free-v1-1-969f69c7d66c@quicinc.com -Signed-off-by: Jeff Johnson ---- - drivers/net/wireless/ath/ath12k/mac.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c -index 7e902f63ce9a..f61e130ce5ab 100644 ---- a/drivers/net/wireless/ath/ath12k/mac.c -+++ b/drivers/net/wireless/ath/ath12k/mac.c -@@ -6735,15 +6735,15 @@ static struct ath12k *ath12k_mac_assign_vif_to_vdev(struct ieee80211_hw *hw, - - mutex_lock(&ar->conf_mutex); - -- if (arvif->is_created) -- goto flush; -- - if (vif->type == NL80211_IFTYPE_AP && - ar->num_peers > (ar->max_num_peers - 1)) { - ath12k_warn(ab, "failed to create vdev due to insufficient peer entry resource in firmware\n"); - goto unlock; - } - -+ if (arvif->is_created) -+ goto flush; -+ - if (ar->num_created_vdevs > (TARGET_NUM_VDEVS - 1)) { - ath12k_warn(ab, "failed to create vdev, reached max vdev limit %d\n", - 
TARGET_NUM_VDEVS); --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-22105-1.patch b/SPECS/kernel-rt/CVE-2025-22105-1.patch deleted file mode 100644 index 0529cb2919..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22105-1.patch +++ /dev/null 
@@ -1,141 +0,0 @@ -From 2ad91123cc24d7ff8afa247fbddc5ff6c09300f3 Mon Sep 17 00:00:00 2001 -From: Wang Liang -Date: Fri, 21 Mar 2025 12:48:52 +0800 -Subject: [PATCH 2/2] bonding: check xdp prog when set bond mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Following operations can trigger a warning[1]: - - ip netns add ns1 - ip netns exec ns1 ip link add bond0 type bond mode balance-rr - ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp - ip netns exec ns1 ip link set bond0 type bond mode broadcast - ip netns del ns1 - -When delete the namespace, dev_xdp_uninstall() is called to remove xdp -program on bond dev, and bond_xdp_set() will check the bond mode. If bond -mode is changed after attaching xdp program, the warning may occur. - -Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode -with xdp program attached is not good. Add check for xdp program when set -bond mode. - - [1] - ------------[ cut here ]------------ - WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930 - Modules linked in: - CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 - Workqueue: netns cleanup_net - RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930 - Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ... 
- RSP: 0018:ffffc90000063d80 EFLAGS: 00000282 - RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff - RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48 - RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb - R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8 - R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000 - FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0 - Call Trace: - - ? __warn+0x83/0x130 - ? unregister_netdevice_many_notify+0x8d9/0x930 - ? report_bug+0x18e/0x1a0 - ? handle_bug+0x54/0x90 - ? exc_invalid_op+0x18/0x70 - ? asm_exc_invalid_op+0x1a/0x20 - ? unregister_netdevice_many_notify+0x8d9/0x930 - ? bond_net_exit_batch_rtnl+0x5c/0x90 - cleanup_net+0x237/0x3d0 - process_one_work+0x163/0x390 - worker_thread+0x293/0x3b0 - ? __pfx_worker_thread+0x10/0x10 - kthread+0xec/0x1e0 - ? __pfx_kthread+0x10/0x10 - ? __pfx_kthread+0x10/0x10 - ret_from_fork+0x2f/0x50 - ? 
__pfx_kthread+0x10/0x10 - ret_from_fork_asm+0x1a/0x30 - - ---[ end trace 0000000000000000 ]--- - -Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver") -Signed-off-by: Wang Liang -Acked-by: Jussi Maki -Reviewed-by: Nikolay Aleksandrov -Reviewed-by: Toke Høiland-Jørgensen -Link: https://patch.msgid.link/20250321044852.1086551-1-wangliang74@huawei.com -Signed-off-by: Jakub Kicinski ---- - drivers/net/bonding/bond_main.c | 8 ++++---- - drivers/net/bonding/bond_options.c | 3 +++ - include/net/bonding.h | 1 + - 3 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 56a55151b545..6c1909153806 100644 ---- a/drivers/net/bonding/bond_main.c -+++ b/drivers/net/bonding/bond_main.c -@@ -322,9 +322,9 @@ static bool bond_sk_check(struct bonding *bond) - } - } - --static bool bond_xdp_check(struct bonding *bond) -+bool bond_xdp_check(struct bonding *bond, int mode) - { -- switch (BOND_MODE(bond)) { -+ switch (mode) { - case BOND_MODE_ROUNDROBIN: - case BOND_MODE_ACTIVEBACKUP: - return true; -@@ -1928,7 +1928,7 @@ void bond_xdp_set_features(struct net_device *bond_dev) - - ASSERT_RTNL(); - -- if (!bond_xdp_check(bond) || !bond_has_slaves(bond)) { -+ if (!bond_xdp_check(bond, BOND_MODE(bond)) || !bond_has_slaves(bond)) { - xdp_clear_features_flag(bond_dev); - return; - } -@@ -5690,7 +5690,7 @@ static int bond_xdp_set(struct net_device *dev, struct bpf_prog *prog, - - ASSERT_RTNL(); - -- if (!bond_xdp_check(bond)) { -+ if (!bond_xdp_check(bond, BOND_MODE(bond))) { - BOND_NL_ERR(dev, extack, - "No native XDP support for the current bonding mode"); - return -EOPNOTSUPP; -diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c -index d1b095af253b..91893c29b899 100644 ---- a/drivers/net/bonding/bond_options.c -+++ b/drivers/net/bonding/bond_options.c -@@ -868,6 +868,9 @@ static bool bond_set_xfrm_features(struct bonding *bond) - static int 
bond_option_mode_set(struct bonding *bond, - const struct bond_opt_value *newval) - { -+ if (bond->xdp_prog && !bond_xdp_check(bond, newval->value)) -+ return -EOPNOTSUPP; -+ - if (!bond_mode_uses_arp(newval->value)) { - if (bond->params.arp_interval) { - netdev_dbg(bond->dev, "%s mode is incompatible with arp monitoring, start mii monitoring\n", -diff --git a/include/net/bonding.h b/include/net/bonding.h -index 8bb5f016969f..95f67b308c19 100644 ---- a/include/net/bonding.h -+++ b/include/net/bonding.h -@@ -695,6 +695,7 @@ void bond_debug_register(struct bonding *bond); - void bond_debug_unregister(struct bonding *bond); - void bond_debug_reregister(struct bonding *bond); - const char *bond_mode_name(int mode); -+bool bond_xdp_check(struct bonding *bond, int mode); - void bond_setup(struct net_device *bond_dev); - unsigned int bond_get_num_tx_queues(void); - int bond_netlink_init(void); --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-22105.patch b/SPECS/kernel-rt/CVE-2025-22105.patch deleted file mode 100644 index 034bcc04fe..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22105.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 3a156e6b6ce88b058cafaba691db7b4d2cdbe75a Mon Sep 17 00:00:00 2001 -From: Hangbin Liu -Date: Mon, 21 Oct 2024 03:12:10 +0000 -Subject: [PATCH 1/2] bonding: return detailed error when loading native XDP - fails -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bonding only supports native XDP for specific modes, which can lead to -confusion for users regarding why XDP loads successfully at times and -fails at others. This patch enhances error handling by returning detailed -error messages, providing users with clearer insights into the specific -reasons for the failure when loading native XDP. - -Reviewed-by: Nikolay Aleksandrov -Reviewed-by: Toke Høiland-Jørgensen -Signed-off-by: Hangbin Liu -Link: https://patch.msgid.link/20241021031211.814-2-liuhangbin@gmail.com -Signed-off-by: Jakub Kicinski ---- - drivers/net/bonding/bond_main.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 4d73abae503d..56a55151b545 100644 ---- a/drivers/net/bonding/bond_main.c -+++ b/drivers/net/bonding/bond_main.c -@@ -5690,8 +5690,11 @@ static int bond_xdp_set(struct net_device *dev, struct bpf_prog *prog, - - ASSERT_RTNL(); - -- if (!bond_xdp_check(bond)) -+ if (!bond_xdp_check(bond)) { -+ BOND_NL_ERR(dev, extack, -+ "No native XDP support for the current bonding mode"); - return -EOPNOTSUPP; -+ } - - old_prog = bond->xdp_prog; - bond->xdp_prog = prog; --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-22121-1.patch b/SPECS/kernel-rt/CVE-2025-22121-1.patch deleted file mode 100644 index 8b3a84f382..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22121-1.patch +++ /dev/null 
@@ -1,195 +0,0 @@ -From 22f2cf997cf0ca600a12b5d4999620c5e8c4bc83 Mon Sep 17 00:00:00 2001 -From: Ye Bin -Date: Sat, 8 Feb 2025 14:31:41 +0800 -Subject: [PATCH 2/2] ext4: fix out-of-bound read in - ext4_xattr_inode_dec_ref_all() - -There's issue as follows: -BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790 -Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 - -CPU: 3 PID: 15172 Comm: syz-executor.0 -Call Trace: - __dump_stack lib/dump_stack.c:82 [inline] - dump_stack+0xbe/0xfd lib/dump_stack.c:123 - print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 - __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 - kasan_report+0x3a/0x50 mm/kasan/report.c:585 - ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 - ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 - ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 - evict+0x39f/0x880 fs/inode.c:622 - iput_final fs/inode.c:1746 [inline] - iput fs/inode.c:1772 [inline] - iput+0x525/0x6c0 fs/inode.c:1758 - ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] - ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 - mount_bdev+0x355/0x410 fs/super.c:1446 - legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 - vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 - do_new_mount fs/namespace.c:2983 [inline] - path_mount+0x119a/0x1ad0 fs/namespace.c:3316 - do_mount+0xfc/0x110 fs/namespace.c:3329 - __do_sys_mount fs/namespace.c:3540 [inline] - __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 - do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 - entry_SYSCALL_64_after_hwframe+0x67/0xd1 - -Memory state around the buggy address: - ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ->ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff - ^ - ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff - ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff - -Above issue 
happens as ext4_xattr_delete_inode() isn't check xattr -is valid if xattr is in inode. -To solve above issue call xattr_check_inode() check if xattr if valid -in inode. In fact, we can directly verify in ext4_iget_extra_inode(), -so that there is no divergent verification. - -Fixes: e50e5129f384 ("ext4: xattr-in-inode support") -Signed-off-by: Ye Bin -Reviewed-by: Jan Kara -Link: https://patch.msgid.link/20250208063141.1539283-3-yebin@huaweicloud.com -Signed-off-by: Theodore Ts'o ---- - fs/ext4/inode.c | 5 +++++ - fs/ext4/xattr.c | 26 +------------------------- - fs/ext4/xattr.h | 7 +++++++ - 3 files changed, 13 insertions(+), 25 deletions(-) - -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index ffa6aa55a1a7..1ee5216c2e95 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -4650,6 +4650,11 @@ static inline int ext4_iget_extra_inode(struct inode *inode, - *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { - int err; - -+ err = xattr_check_inode(inode, IHDR(inode, raw_inode), -+ ITAIL(inode, raw_inode)); -+ if (err) -+ return err; -+ - ext4_set_inode_state(inode, EXT4_STATE_XATTR); - err = ext4_find_inline_data_nolock(inode); - if (!err && ext4_has_inline_data(inode)) -diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index 7cdece4ea6fa..8ced9beba2f7 100644 ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -308,7 +308,7 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh, - __ext4_xattr_check_block((inode), (bh), __func__, __LINE__) - - --static inline int -+int - __xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header, - void *end, const char *function, unsigned int line) - { -@@ -316,9 +316,6 @@ __xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header, - function, line); - } - --#define xattr_check_inode(inode, header, end) \ -- __xattr_check_inode((inode), (header), (end), __func__, __LINE__) -- - static int - xattr_find_entry(struct inode *inode, struct ext4_xattr_entry **pentry, - void *end, int 
name_index, const char *name, int sorted) -@@ -650,9 +647,6 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); - end = ITAIL(inode, raw_inode); -- error = xattr_check_inode(inode, header, end); -- if (error) -- goto cleanup; - entry = IFIRST(header); - error = xattr_find_entry(inode, &entry, end, name_index, name, 0); - if (error) -@@ -783,7 +777,6 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size) - struct ext4_xattr_ibody_header *header; - struct ext4_inode *raw_inode; - struct ext4_iloc iloc; -- void *end; - int error; - - if (!ext4_test_inode_state(inode, EXT4_STATE_XATTR)) -@@ -793,14 +786,9 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size) - return error; - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); -- end = ITAIL(inode, raw_inode); -- error = xattr_check_inode(inode, header, end); -- if (error) -- goto cleanup; - error = ext4_xattr_list_entries(dentry, IFIRST(header), - buffer, buffer_size); - --cleanup: - brelse(iloc.bh); - return error; - } -@@ -868,7 +856,6 @@ int ext4_get_inode_usage(struct inode *inode, qsize_t *usage) - struct ext4_xattr_ibody_header *header; - struct ext4_xattr_entry *entry; - qsize_t ea_inode_refs = 0; -- void *end; - int ret; - - lockdep_assert_held_read(&EXT4_I(inode)->xattr_sem); -@@ -879,10 +866,6 @@ int ext4_get_inode_usage(struct inode *inode, qsize_t *usage) - goto out; - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); -- end = ITAIL(inode, raw_inode); -- ret = xattr_check_inode(inode, header, end); -- if (ret) -- goto out; - - for (entry = IFIRST(header); !IS_LAST_ENTRY(entry); - entry = EXT4_XATTR_NEXT(entry)) -@@ -2246,9 +2229,6 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i, - is->s.here = is->s.first; - is->s.end = ITAIL(inode, raw_inode); - if (ext4_test_inode_state(inode, 
EXT4_STATE_XATTR)) { -- error = xattr_check_inode(inode, header, is->s.end); -- if (error) -- return error; - /* Find the named attribute. */ - error = xattr_find_entry(inode, &is->s.here, is->s.end, - i->name_index, i->name, 0); -@@ -2799,10 +2779,6 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize, - min_offs = end - base; - total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32); - -- error = xattr_check_inode(inode, header, end); -- if (error) -- goto cleanup; -- - ifree = ext4_xattr_free_space(base, &min_offs, base, &total_ino); - if (ifree >= isize_diff) - goto shift; -diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h -index 5197f17ffd9a..1fedf44d4fb6 100644 ---- a/fs/ext4/xattr.h -+++ b/fs/ext4/xattr.h -@@ -209,6 +209,13 @@ extern int ext4_xattr_ibody_set(handle_t *handle, struct inode *inode, - extern struct mb_cache *ext4_xattr_create_cache(void); - extern void ext4_xattr_destroy_cache(struct mb_cache *); - -+extern int -+__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header, -+ void *end, const char *function, unsigned int line); -+ -+#define xattr_check_inode(inode, header, end) \ -+ __xattr_check_inode((inode), (header), (end), __func__, __LINE__) -+ - #ifdef CONFIG_EXT4_FS_SECURITY - extern int ext4_init_security(handle_t *handle, struct inode *inode, - struct inode *dir, const struct qstr *qstr); --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-22121.patch b/SPECS/kernel-rt/CVE-2025-22121.patch deleted file mode 100644 index b8878b0d71..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22121.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 77065730b4067c145d50e315e64b6f1992bd0546 Mon Sep 17 00:00:00 2001 -From: Ye Bin -Date: Sat, 8 Feb 2025 14:31:40 +0800 -Subject: [PATCH 1/2] ext4: introduce ITAIL helper - -Introduce ITAIL helper to get the bound of xattr in inode. - -Signed-off-by: Ye Bin -Reviewed-by: Jan Kara -Link: https://patch.msgid.link/20250208063141.1539283-2-yebin@huaweicloud.com -Signed-off-by: Theodore Ts'o ---- - fs/ext4/xattr.c | 10 +++++----- - fs/ext4/xattr.h | 3 +++ - 2 files changed, 8 insertions(+), 5 deletions(-) - -diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index 6ff94cdf1515..7cdece4ea6fa 100644 ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -649,7 +649,7 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, - return error; - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); -- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; -+ end = ITAIL(inode, raw_inode); - error = xattr_check_inode(inode, header, end); - if (error) - goto cleanup; -@@ -793,7 +793,7 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size) - return error; - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); -- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; -+ end = ITAIL(inode, raw_inode); - error = xattr_check_inode(inode, header, end); - if (error) - goto cleanup; -@@ -879,7 +879,7 @@ int ext4_get_inode_usage(struct inode *inode, qsize_t *usage) - goto out; - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); -- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; -+ end = ITAIL(inode, raw_inode); - ret = xattr_check_inode(inode, header, end); - if (ret) - goto out; -@@ -2244,7 +2244,7 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i, - header = IHDR(inode, raw_inode); - is->s.base = is->s.first = IFIRST(header); - is->s.here = is->s.first; -- is->s.end = (void *)raw_inode + 
EXT4_SB(inode->i_sb)->s_inode_size; -+ is->s.end = ITAIL(inode, raw_inode); - if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) { - error = xattr_check_inode(inode, header, is->s.end); - if (error) -@@ -2795,7 +2795,7 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize, - */ - - base = IFIRST(header); -- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; -+ end = ITAIL(inode, raw_inode); - min_offs = end - base; - total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32); - -diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h -index b25c2d7b5f99..5197f17ffd9a 100644 ---- a/fs/ext4/xattr.h -+++ b/fs/ext4/xattr.h -@@ -67,6 +67,9 @@ struct ext4_xattr_entry { - ((void *)raw_inode + \ - EXT4_GOOD_OLD_INODE_SIZE + \ - EXT4_I(inode)->i_extra_isize)) -+#define ITAIL(inode, raw_inode) \ -+ ((void *)(raw_inode) + \ -+ EXT4_SB((inode)->i_sb)->s_inode_size) - #define IFIRST(hdr) ((struct ext4_xattr_entry *)((hdr)+1)) - - /* --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-23129.patch b/SPECS/kernel-rt/CVE-2025-23129.patch deleted file mode 100644 index fb60b46e19..0000000000 --- a/SPECS/kernel-rt/CVE-2025-23129.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 3c9c3377f96f5c7cb389f28c25d21e242b95846e Mon Sep 17 00:00:00 2001 -From: Manivannan Sadhasivam -Date: Tue, 25 Feb 2025 11:04:45 +0530 -Subject: [PATCH 16/27] wifi: ath11k: Clear affinity hint before calling - ath11k_pcic_free_irq() in error path - -If a shared IRQ is used by the driver due to platform limitation, then the -IRQ affinity hint is set right after the allocation of IRQ vectors in -ath11k_pci_alloc_msi(). This does no harm unless one of the functions -requesting the IRQ fails and attempt to free the IRQ. This results in the -below warning: - -WARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c -Call trace: - free_irq+0x278/0x29c - ath11k_pcic_free_irq+0x70/0x10c [ath11k] - ath11k_pci_probe+0x800/0x820 [ath11k_pci] - local_pci_probe+0x40/0xbc - -The warning is due to not clearing the affinity hint before freeing the -IRQs. - -So to fix this issue, clear the IRQ affinity hint before calling -ath11k_pcic_free_irq() in the error path. The affinity will be cleared once -again further down the error path due to code organization, but that does -no harm. 
- -Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1 - -Cc: Baochen Qiang -Fixes: 39564b475ac5 ("wifi: ath11k: fix boot failure with one MSI vector") -Signed-off-by: Manivannan Sadhasivam -Reviewed-by: Baochen Qiang -Link: https://patch.msgid.link/20250225053447.16824-2-manivannan.sadhasivam@linaro.org -Signed-off-by: Jeff Johnson ---- - drivers/net/wireless/ath/ath11k/pci.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c -index 6ebfa5d02e2e..c1d576ff77fa 100644 ---- a/drivers/net/wireless/ath/ath11k/pci.c -+++ b/drivers/net/wireless/ath/ath11k/pci.c -@@ -936,6 +936,8 @@ static int ath11k_pci_probe(struct pci_dev *pdev, - return 0; - - err_free_irq: -+ /* __free_irq() expects the caller to have cleared the affinity hint */ -+ ath11k_pci_set_irq_affinity_hint(ab_pci, NULL); - ath11k_pcic_free_irq(ab); - - err_ce_free: --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-23130.patch b/SPECS/kernel-rt/CVE-2025-23130.patch deleted file mode 100644 index 2eb241e816..0000000000 --- a/SPECS/kernel-rt/CVE-2025-23130.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From 1c0ac623e1fbb056350f04efb184950a725aba18 Mon Sep 17 00:00:00 2001 -From: Chao Yu -Date: Tue, 11 Feb 2025 14:36:57 +0800 -Subject: [PATCH 15/27] f2fs: fix to avoid panic once fallocation fails for - pinfile - -syzbot reports a f2fs bug as below: - -------------[ cut here ]------------ -kernel BUG at fs/f2fs/segment.c:2746! -CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0 -RIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline] -RIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876 -Call Trace: - - __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210 - f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline] - f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238 - f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830 - f2fs_fallocate+0x537/0xa10 fs/f2fs/file.c:1940 - vfs_fallocate+0x569/0x6e0 fs/open.c:327 - do_vfs_ioctl+0x258c/0x2e40 fs/ioctl.c:885 - __do_sys_ioctl fs/ioctl.c:904 [inline] - __se_sys_ioctl+0x80/0x170 fs/ioctl.c:892 - do_syscall_x64 arch/x86/entry/common.c:52 [inline] - do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 - entry_SYSCALL_64_after_hwframe+0x77/0x7f - -Concurrent pinfile allocation may run out of free section, result in -panic in get_new_segment(), let's expand pin_sem lock coverage to -include f2fs_gc(), so that we can make sure to reclaim enough free -space for following allocation. - -In addition, do below changes to enhance error path handling: -- call f2fs_bug_on() only in non-pinfile allocation path in -get_new_segment(). 
-- call reset_curseg_fields() to reset all fields of curseg in -new_curseg() - -Fixes: f5a53edcf01e ("f2fs: support aligned pinned file") -Reported-by: syzbot+15669ec8c35ddf6c3d43@syzkaller.appspotmail.com -Closes: https://lore.kernel.org/linux-f2fs-devel/675cd64e.050a0220.37aaf.00bb.GAE@google.com -Signed-off-by: Chao Yu -Signed-off-by: Jaegeuk Kim ---- - fs/f2fs/file.c | 8 +++++--- - fs/f2fs/segment.c | 20 ++++++++++---------- - 2 files changed, 15 insertions(+), 13 deletions(-) - -diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c -index d9037e74631c..38dbc105fbe5 100644 ---- a/fs/f2fs/file.c -+++ b/fs/f2fs/file.c -@@ -1828,18 +1828,20 @@ static int f2fs_expand_inode_data(struct inode *inode, loff_t offset, - - map.m_len = sec_blks; - next_alloc: -+ f2fs_down_write(&sbi->pin_sem); -+ - if (has_not_enough_free_secs(sbi, 0, f2fs_sb_has_blkzoned(sbi) ? - ZONED_PIN_SEC_REQUIRED_COUNT : - GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi)))) { - f2fs_down_write(&sbi->gc_lock); - stat_inc_gc_call_count(sbi, FOREGROUND); - err = f2fs_gc(sbi, &gc_control); -- if (err && err != -ENODATA) -+ if (err && err != -ENODATA) { -+ f2fs_up_write(&sbi->pin_sem); - goto out_err; -+ } - } - -- f2fs_down_write(&sbi->pin_sem); -- - err = f2fs_allocate_pinning_section(sbi); - if (err) { - f2fs_up_write(&sbi->pin_sem); -diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c -index e48b5e2efea2..8ac6206110a1 100644 ---- a/fs/f2fs/segment.c -+++ b/fs/f2fs/segment.c -@@ -2749,7 +2749,7 @@ static int get_new_segment(struct f2fs_sb_info *sbi, - MAIN_SECS(sbi)); - if (secno >= MAIN_SECS(sbi)) { - ret = -ENOSPC; -- f2fs_bug_on(sbi, 1); -+ f2fs_bug_on(sbi, !pinning); - goto out_unlock; - } - } -@@ -2795,7 +2795,7 @@ static int get_new_segment(struct f2fs_sb_info *sbi, - out_unlock: - spin_unlock(&free_i->segmap_lock); - -- if (ret == -ENOSPC) -+ if (ret == -ENOSPC && !pinning) - f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_NO_SEGMENT); - return ret; - } -@@ -2868,6 +2868,13 @@ static unsigned int 
__get_next_segno(struct f2fs_sb_info *sbi, int type) - return curseg->segno; - } - -+static void reset_curseg_fields(struct curseg_info *curseg) -+{ -+ curseg->inited = false; -+ curseg->segno = NULL_SEGNO; -+ curseg->next_segno = 0; -+} -+ - /* - * Allocate a current working segment. - * This function always allocates a free segment in LFS manner. -@@ -2886,7 +2893,7 @@ static int new_curseg(struct f2fs_sb_info *sbi, int type, bool new_sec) - ret = get_new_segment(sbi, &segno, new_sec, pinning); - if (ret) { - if (ret == -ENOSPC) -- curseg->segno = NULL_SEGNO; -+ reset_curseg_fields(curseg); - return ret; - } - -@@ -3640,13 +3647,6 @@ static void f2fs_randomize_chunk(struct f2fs_sb_info *sbi, - get_random_u32_inclusive(1, sbi->max_fragment_hole); - } - --static void reset_curseg_fields(struct curseg_info *curseg) --{ -- curseg->inited = false; -- curseg->segno = NULL_SEGNO; -- curseg->next_segno = 0; --} -- - int f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page, - block_t old_blkaddr, block_t *new_blkaddr, - struct f2fs_summary *sum, int type, --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-37860.patch b/SPECS/kernel-rt/CVE-2025-37860.patch deleted file mode 100644 index 8a8d928d2c..0000000000 --- a/SPECS/kernel-rt/CVE-2025-37860.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -From 3470106f86c1d32a9bca29ebd195ae374f4f9ff7 Mon Sep 17 00:00:00 2001 -From: Edward Cree -Date: Tue, 1 Apr 2025 23:54:39 +0100 -Subject: [PATCH 22/27] sfc: fix NULL dereferences in - ef100_process_design_param() - -Since cited commit, ef100_probe_main() and hence also - ef100_check_design_params() run before efx->net_dev is created; - consequently, we cannot netif_set_tso_max_size() or _segs() at this - point. -Move those netif calls to ef100_probe_netdev(), and also replace - netif_err within the design params code with pci_err. - -Reported-by: Kyungwook Boo -Fixes: 98ff4c7c8ac7 ("sfc: Separate netdev probe/remove from PCI probe/remove") -Signed-off-by: Edward Cree -Reviewed-by: Michal Swiatkowski -Link: https://patch.msgid.link/20250401225439.2401047-1-edward.cree@amd.com -Signed-off-by: Jakub Kicinski ---- - drivers/net/ethernet/sfc/ef100_netdev.c | 7 ++-- - drivers/net/ethernet/sfc/ef100_nic.c | 47 +++++++++++-------------- - 2 files changed, 24 insertions(+), 30 deletions(-) - -diff --git a/drivers/net/ethernet/sfc/ef100_netdev.c b/drivers/net/ethernet/sfc/ef100_netdev.c -index 7f7d560cb2b4..3a06e3b1bd6b 100644 ---- a/drivers/net/ethernet/sfc/ef100_netdev.c -+++ b/drivers/net/ethernet/sfc/ef100_netdev.c -@@ -450,9 +450,9 @@ int ef100_probe_netdev(struct efx_probe_data *probe_data) - net_dev->hw_enc_features |= efx->type->offload_features; - net_dev->vlan_features |= NETIF_F_HW_CSUM | NETIF_F_SG | - NETIF_F_HIGHDMA | NETIF_F_ALL_TSO; -- netif_set_tso_max_segs(net_dev, -- ESE_EF100_DP_GZ_TSO_MAX_HDR_NUM_SEGS_DEFAULT); -- efx->mdio.dev = net_dev; -+ nic_data = efx->nic_data; -+ netif_set_tso_max_size(efx->net_dev, nic_data->tso_max_payload_len); -+ netif_set_tso_max_segs(efx->net_dev, nic_data->tso_max_payload_num_segs); - - rc = efx_ef100_init_datapath_caps(efx); - if (rc < 0) -@@ -478,7 +478,6 @@ int ef100_probe_netdev(struct efx_probe_data *probe_data) - /* Don't fail init if RSS setup doesn't work. 
*/ - efx_mcdi_push_default_indir_table(efx, efx->n_rx_channels); - -- nic_data = efx->nic_data; - rc = ef100_get_mac_address(efx, net_dev->perm_addr, CLIENT_HANDLE_SELF, - efx->type->is_vf); - if (rc) -diff --git a/drivers/net/ethernet/sfc/ef100_nic.c b/drivers/net/ethernet/sfc/ef100_nic.c -index 6da06931187d..5b1bdcac81d9 100644 ---- a/drivers/net/ethernet/sfc/ef100_nic.c -+++ b/drivers/net/ethernet/sfc/ef100_nic.c -@@ -887,8 +887,7 @@ static int ef100_process_design_param(struct efx_nic *efx, - case ESE_EF100_DP_GZ_TSO_MAX_HDR_NUM_SEGS: - /* We always put HDR_NUM_SEGS=1 in our TSO descriptors */ - if (!reader->value) { -- netif_err(efx, probe, efx->net_dev, -- "TSO_MAX_HDR_NUM_SEGS < 1\n"); -+ pci_err(efx->pci_dev, "TSO_MAX_HDR_NUM_SEGS < 1\n"); - return -EOPNOTSUPP; - } - return 0; -@@ -901,32 +900,28 @@ static int ef100_process_design_param(struct efx_nic *efx, - */ - if (!reader->value || reader->value > EFX_MIN_DMAQ_SIZE || - EFX_MIN_DMAQ_SIZE % (u32)reader->value) { -- netif_err(efx, probe, efx->net_dev, -- "%s size granularity is %llu, can't guarantee safety\n", -- reader->type == ESE_EF100_DP_GZ_RXQ_SIZE_GRANULARITY ? "RXQ" : "TXQ", -- reader->value); -+ pci_err(efx->pci_dev, -+ "%s size granularity is %llu, can't guarantee safety\n", -+ reader->type == ESE_EF100_DP_GZ_RXQ_SIZE_GRANULARITY ? 
"RXQ" : "TXQ", -+ reader->value); - return -EOPNOTSUPP; - } - return 0; - case ESE_EF100_DP_GZ_TSO_MAX_PAYLOAD_LEN: - nic_data->tso_max_payload_len = min_t(u64, reader->value, - GSO_LEGACY_MAX_SIZE); -- netif_set_tso_max_size(efx->net_dev, -- nic_data->tso_max_payload_len); - return 0; - case ESE_EF100_DP_GZ_TSO_MAX_PAYLOAD_NUM_SEGS: - nic_data->tso_max_payload_num_segs = min_t(u64, reader->value, 0xffff); -- netif_set_tso_max_segs(efx->net_dev, -- nic_data->tso_max_payload_num_segs); - return 0; - case ESE_EF100_DP_GZ_TSO_MAX_NUM_FRAMES: - nic_data->tso_max_frames = min_t(u64, reader->value, 0xffff); - return 0; - case ESE_EF100_DP_GZ_COMPAT: - if (reader->value) { -- netif_err(efx, probe, efx->net_dev, -- "DP_COMPAT has unknown bits %#llx, driver not compatible with this hw\n", -- reader->value); -+ pci_err(efx->pci_dev, -+ "DP_COMPAT has unknown bits %#llx, driver not compatible with this hw\n", -+ reader->value); - return -EOPNOTSUPP; - } - return 0; -@@ -946,10 +941,10 @@ static int ef100_process_design_param(struct efx_nic *efx, - * So the value of this shouldn't matter. - */ - if (reader->value != ESE_EF100_DP_GZ_VI_STRIDES_DEFAULT) -- netif_dbg(efx, probe, efx->net_dev, -- "NIC has other than default VI_STRIDES (mask " -- "%#llx), early probing might use wrong one\n", -- reader->value); -+ pci_dbg(efx->pci_dev, -+ "NIC has other than default VI_STRIDES (mask " -+ "%#llx), early probing might use wrong one\n", -+ reader->value); - return 0; - case ESE_EF100_DP_GZ_RX_MAX_RUNT: - /* Driver doesn't look at L2_STATUS:LEN_ERR bit, so we don't -@@ -961,9 +956,9 @@ static int ef100_process_design_param(struct efx_nic *efx, - /* Host interface says "Drivers should ignore design parameters - * that they do not recognise." 
- */ -- netif_dbg(efx, probe, efx->net_dev, -- "Ignoring unrecognised design parameter %u\n", -- reader->type); -+ pci_dbg(efx->pci_dev, -+ "Ignoring unrecognised design parameter %u\n", -+ reader->type); - return 0; - } - } -@@ -999,13 +994,13 @@ static int ef100_check_design_params(struct efx_nic *efx) - */ - if (reader.state != EF100_TLV_TYPE) { - if (reader.state == EF100_TLV_TYPE_CONT) -- netif_err(efx, probe, efx->net_dev, -- "truncated design parameter (incomplete type %u)\n", -- reader.type); -+ pci_err(efx->pci_dev, -+ "truncated design parameter (incomplete type %u)\n", -+ reader.type); - else -- netif_err(efx, probe, efx->net_dev, -- "truncated design parameter %u\n", -- reader.type); -+ pci_err(efx->pci_dev, -+ "truncated design parameter %u\n", -+ reader.type); - rc = -EIO; - } - out: --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-38584.patch b/SPECS/kernel-rt/CVE-2025-38584.patch new file mode 100644 index 0000000000..f51235e56c --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-38584.patch 
@@ -0,0 +1,272 @@
+From 65219e96bfcea2cbe917a295ec0884d7d5791966 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Sat, 24 May 2025 20:32:20 +0800
+Subject: [PATCH 15/15] padata: Fix pd UAF once and for all
+
+There is a race condition/UAF in padata_reorder that goes back
+to the initial commit. A reference count is taken at the start
+of the process in padata_do_parallel, and released at the end in
+padata_serial_worker.
+
+This reference count is (and only is) required for padata_replace
+to function correctly. If padata_replace is never called then
+there is no issue.
+
+In the function padata_reorder which serves as the core of padata,
+as soon as padata is added to queue->serial.list, and the associated
+spin lock released, that padata may be processed and the reference
+count on pd would go away.
+
+Fix this by getting the next padata before the squeue->serial lock
+is released.
+
+In order to make this possible, simplify padata_reorder by only
+calling it once the next padata arrives.
+
+Fixes: 16295bec6398 ("padata: Generic parallelization/serialization interface")
+Signed-off-by: Herbert Xu
+---
+ include/linux/padata.h | 6 +-
+ kernel/padata.c | 136 +++++++++++------------------------------
+ 2 files changed, 38 insertions(+), 104 deletions(-)
+
+diff --git a/include/linux/padata.h b/include/linux/padata.h
+index 0146daf34430..9213f42178a6 100644
+--- a/include/linux/padata.h
++++ b/include/linux/padata.h
+@@ -90,8 +90,6 @@ struct padata_cpumask {
+ * @processed: Number of already processed objects.
+ * @cpu: Next CPU to be processed.
+ * @cpumask: The cpumasks in use for parallel and serial workers.
+- * @reorder_work: work struct for reordering.
+- * @lock: Reorder lock.
+ */
+ struct parallel_data {
+ struct padata_shell *ps;
+@@ -100,10 +98,8 @@ struct parallel_data {
+ refcount_t refcnt;
+ unsigned int seq_nr;
+ unsigned int processed;
+- int cpu;
++ int cpu;
+ struct padata_cpumask cpumask;
+- struct work_struct reorder_work;
+- spinlock_t ____cacheline_aligned lock;
+ };
+
+ /**
+diff --git a/kernel/padata.c b/kernel/padata.c
+index c3810f5bd715..e61bdc248551 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -261,20 +261,17 @@ EXPORT_SYMBOL(padata_do_parallel);
+ * be parallel processed by another cpu and is not yet present in
+ * the cpu's reorder queue.
+ */
+-static struct padata_priv *padata_find_next(struct parallel_data *pd,
+- bool remove_object)
++static struct padata_priv *padata_find_next(struct parallel_data *pd, int cpu,
++ unsigned int processed)
+ {
+ struct padata_priv *padata;
+ struct padata_list *reorder;
+- int cpu = pd->cpu;
+
+ reorder = per_cpu_ptr(pd->reorder_list, cpu);
+
+ spin_lock(&reorder->lock);
+- if (list_empty(&reorder->list)) {
+- spin_unlock(&reorder->lock);
+- return NULL;
+- }
++ if (list_empty(&reorder->list))
++ goto notfound;
+
+ padata = list_entry(reorder->list.next, struct padata_priv, list);
+
+@@ -282,101 +279,52 @@ static struct padata_priv *padata_find_next(struct parallel_data *pd,
+ * Checks the rare case where two or more parallel jobs have hashed to
+ * the same CPU and one of the later ones finishes first.
+ */
+- if (padata->seq_nr != pd->processed) {
+- spin_unlock(&reorder->lock);
+- return NULL;
+- }
+-
+- if (remove_object) {
+- list_del_init(&padata->list);
+- ++pd->processed;
+- /* When sequence wraps around, reset to the first CPU. */
+- if (unlikely(pd->processed == 0))
+- pd->cpu = cpumask_first(pd->cpumask.pcpu);
+- else
+- pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
+- }
++ if (padata->seq_nr != processed)
++ goto notfound;
+
++ list_del_init(&padata->list);
+ spin_unlock(&reorder->lock);
+ return padata;
++
++notfound:
++ pd->processed = processed;
++ pd->cpu = cpu;
++ spin_unlock(&reorder->lock);
++ return NULL;
+ }
+
+-static void padata_reorder(struct parallel_data *pd)
++static void padata_reorder(struct padata_priv *padata)
+ {
++ struct parallel_data *pd = padata->pd;
+ struct padata_instance *pinst = pd->ps->pinst;
+- int cb_cpu;
+- struct padata_priv *padata;
+- struct padata_serial_queue *squeue;
+- struct padata_list *reorder;
++ unsigned int processed;
++ int cpu;
+
+- /*
+- * We need to ensure that only one cpu can work on dequeueing of
+- * the reorder queue the time. Calculating in which percpu reorder
+- * queue the next object will arrive takes some time. A spinlock
+- * would be highly contended. Also it is not clear in which order
+- * the objects arrive to the reorder queues. So a cpu could wait to
+- * get the lock just to notice that there is nothing to do at the
+- * moment. Therefore we use a trylock and let the holder of the lock
+- * care for all the objects enqueued during the holdtime of the lock.
+- */
+- if (!spin_trylock_bh(&pd->lock))
+- return;
++ processed = pd->processed;
++ cpu = pd->cpu;
+
+- while (1) {
+- padata = padata_find_next(pd, true);
++ do {
++ struct padata_serial_queue *squeue;
++ int cb_cpu;
+
+- /*
+- * If the next object that needs serialization is parallel
+- * processed by another cpu and is still on it's way to the
+- * cpu's reorder queue, nothing to do for now.
+- */
+- if (!padata)
+- break;
++ cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false);
++ processed++;
+
+ cb_cpu = padata->cb_cpu;
+ squeue = per_cpu_ptr(pd->squeue, cb_cpu);
+
+ spin_lock(&squeue->serial.lock);
+ list_add_tail(&padata->list, &squeue->serial.list);
+- spin_unlock(&squeue->serial.lock);
+-
+ queue_work_on(cb_cpu, pinst->serial_wq, &squeue->work);
+- }
+
+- spin_unlock_bh(&pd->lock);
+-
+- /*
+- * The next object that needs serialization might have arrived to
+- * the reorder queues in the meantime.
+- *
+- * Ensure reorder queue is read after pd->lock is dropped so we see
+- * new objects from another task in padata_do_serial. Pairs with
+- * smp_mb in padata_do_serial.
+- */
+- smp_mb();
+-
+- reorder = per_cpu_ptr(pd->reorder_list, pd->cpu);
+- if (!list_empty(&reorder->list) && padata_find_next(pd, false)) {
+ /*
+- * Other context(eg. the padata_serial_worker) can finish the request.
+- * To avoid UAF issue, add pd ref here, and put pd ref after reorder_work finish.
++ * If the next object that needs serialization is parallel
++ * processed by another cpu and is still on it's way to the
++ * cpu's reorder queue, end the loop.
+ */
+- padata_get_pd(pd);
+- if (!queue_work(pinst->serial_wq, &pd->reorder_work))
+- padata_put_pd(pd);
+- }
+-}
+-
+-static void invoke_padata_reorder(struct work_struct *work)
+-{
+- struct parallel_data *pd;
+-
+- local_bh_disable();
+- pd = container_of(work, struct parallel_data, reorder_work);
+- padata_reorder(pd);
+- local_bh_enable();
+- /* Pairs with putting the reorder_work in the serial_wq */
+- padata_put_pd(pd);
++ padata = padata_find_next(pd, cpu, processed);
++ spin_unlock(&squeue->serial.lock);
++ } while (padata);
+ }
+
+ static void padata_serial_worker(struct work_struct *serial_work)
+@@ -427,6 +375,7 @@ void padata_do_serial(struct padata_priv *padata)
+ struct padata_list *reorder = per_cpu_ptr(pd->reorder_list, hashed_cpu);
+ struct padata_priv *cur;
+ struct list_head *pos;
++ bool gotit = true;
+
+ spin_lock(&reorder->lock);
+ /* Sort in ascending order of sequence number. */
+@@ -436,17 +385,14 @@ void padata_do_serial(struct padata_priv *padata)
+ if ((signed int)(cur->seq_nr - padata->seq_nr) < 0)
+ break;
+ }
+- list_add(&padata->list, pos);
++ if (padata->seq_nr != pd->processed) {
++ gotit = false;
++ list_add(&padata->list, pos);
++ }
+ spin_unlock(&reorder->lock);
+
+- /*
+- * Ensure the addition to the reorder list is ordered correctly
+- * with the trylock of pd->lock in padata_reorder. Pairs with smp_mb
+- * in padata_reorder.
+- */
+- smp_mb();
+-
+- padata_reorder(pd);
++ if (gotit)
++ padata_reorder(padata);
+ }
+ EXPORT_SYMBOL(padata_do_serial);
+
+@@ -643,9 +589,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
+ padata_init_squeues(pd);
+ pd->seq_nr = -1;
+ refcount_set(&pd->refcnt, 1);
+- spin_lock_init(&pd->lock);
+ pd->cpu = cpumask_first(pd->cpumask.pcpu);
+- INIT_WORK(&pd->reorder_work, invoke_padata_reorder);
+
+ return pd;
+
+@@ -1155,12 +1099,6 @@ void padata_free_shell(struct padata_shell *ps)
+ if (!ps)
+ return;
+
+- /*
+- * Wait for all _do_serial calls to finish to avoid touching
+- * freed pd's and ps's.
+- */
+- synchronize_rcu();
+-
+ mutex_lock(&ps->pinst->lock);
+ list_del(&ps->list);
+ pd = rcu_dereference_protected(ps->pd, 1);
+--
+2.43.0
+
diff --git a/SPECS/kernel-rt/CVE-2025-38591.patch b/SPECS/kernel-rt/CVE-2025-38591.patch
new file mode 100644
index 0000000000..41b4d40967
--- /dev/null
+++ b/SPECS/kernel-rt/CVE-2025-38591.patch
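Review bot: The rewritten `padata_reorder()` loop always advances with `cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false)`, while the branch this patch deletes from `padata_find_next()` reset `pd->cpu` to `cpumask_first(pd->cpumask.pcpu)` when `pd->processed` wrapped to 0. If the submit side still derives the reorder list from the sequence number (that code is outside these hunks, so this is an inference), the two can disagree after a wrap whenever the CPU count is not a power of two. `padata_find_next()` would then inspect the wrong per-CPU list and leave an already queued object unserialized. Either keep the reset inside the loop, `processed++;` followed by `cpu = processed ? cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false) : cpumask_first(pd->cpumask.pcpu);`, or state in a comment above the loop why the reset is no longer needed. The patch header also carries no upstream commit reference, which makes it hard to check this backport against the merged version.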
@@ -0,0 +1,165 @@
+From a40bd4e44ba2ef84d7f780383dd811dc8bf2c025 Mon Sep 17 00:00:00 2001
+From: Paul Chaignon
+Date: Tue, 22 Jul 2025 16:32:32 +0200
+Subject: [PATCH 14/15] bpf: Reject narrower access to pointer ctx fields
+
+The following BPF program, simplified from a syzkaller repro, causes a
+kernel warning:
+
+ r0 = *(u8 *)(r1 + 169);
+ exit;
+
+With pointer field sk being at offset 168 in __sk_buff. This access is
+detected as a narrower read in bpf_skb_is_valid_access because it
+doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
+and later proceeds to bpf_convert_ctx_access. Note that for the
+"is_narrower_load" case in the convert_ctx_accesses(), the insn->off
+is aligned, so the cnt may not be 0 because it matches the
+offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,
+the target_size stays 0 and the verifier errors with a kernel warning:
+
+ verifier bug: error during ctx access conversion(1)
+
+This patch fixes that to return a proper "invalid bpf_context access
+off=X size=Y" error on the load instruction.
+
+The same issue affects multiple other fields in context structures that
+allow narrow access. Some other non-affected fields (for sk_msg,
+sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
+consistency.
+
+Note this syzkaller crash was reported in the "Closes" link below, which
+used to be about a different bug, fixed in
+commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions
+in insn_def_regno()"). Because syzbot somehow confused the two bugs,
+the new crash and repro didn't get reported to the mailing list.
+
+Fixes: f96da09473b52 ("bpf: simplify narrower ctx access")
+Fixes: 0df1a55afa832 ("bpf: Warn on internal verifier errors")
+Reported-by: syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec
+Signed-off-by: Paul Chaignon
+Signed-off-by: Martin KaFai Lau
+Acked-by: Eduard Zingerman
+Link: https://patch.msgid.link/3b8dcee67ff4296903351a974ddd9c4dca768b64.1753194596.git.paul.chaignon@gmail.com
+---
+ kernel/bpf/cgroup.c | 8 ++++----
+ net/core/filter.c | 20 ++++++++++----------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
+index c0d606c40195..1ebf40badbf6 100644
+--- a/kernel/bpf/cgroup.c
++++ b/kernel/bpf/cgroup.c
+@@ -2418,22 +2418,22 @@ static bool cg_sockopt_is_valid_access(int off, int size,
+ }
+
+ switch (off) {
+- case offsetof(struct bpf_sockopt, sk):
++ case bpf_ctx_range_ptr(struct bpf_sockopt, sk):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCKET;
+ break;
+- case offsetof(struct bpf_sockopt, optval):
++ case bpf_ctx_range_ptr(struct bpf_sockopt, optval):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET;
+ break;
+- case offsetof(struct bpf_sockopt, optval_end):
++ case bpf_ctx_range_ptr(struct bpf_sockopt, optval_end):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET_END;
+ break;
+- case offsetof(struct bpf_sockopt, retval):
++ case bpf_ctx_range(struct bpf_sockopt, retval):
+ if (size != size_default)
+ return false;
+ return prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 89ed625e1474..4bf298695bd1 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -8652,7 +8652,7 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct __sk_buff, sk):
++ case bpf_ctx_range_ptr(struct __sk_buff, sk):
+ if (type == BPF_WRITE || size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCK_COMMON_OR_NULL;
+@@ -9229,7 +9229,7 @@ static bool sock_addr_is_valid_access(int off, int size,
+ return false;
+ }
+ break;
+- case offsetof(struct bpf_sock_addr, sk):
++ case bpf_ctx_range_ptr(struct bpf_sock_addr, sk):
+ if (type != BPF_READ)
+ return false;
+ if (size != sizeof(__u64))
+@@ -9283,17 +9283,17 @@ static bool sock_ops_is_valid_access(int off, int size,
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct bpf_sock_ops, sk):
++ case bpf_ctx_range_ptr(struct bpf_sock_ops, sk):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCKET_OR_NULL;
+ break;
+- case offsetof(struct bpf_sock_ops, skb_data):
++ case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET;
+ break;
+- case offsetof(struct bpf_sock_ops, skb_data_end):
++ case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data_end):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET_END;
+@@ -9302,7 +9302,7 @@ static bool sock_ops_is_valid_access(int off, int size,
+ bpf_ctx_record_field_size(info, size_default);
+ return bpf_ctx_narrow_access_ok(off, size,
+ size_default);
+- case offsetof(struct bpf_sock_ops, skb_hwtstamp):
++ case bpf_ctx_range(struct bpf_sock_ops, skb_hwtstamp):
+ if (size != sizeof(__u64))
+ return false;
+ break;
+@@ -9372,17 +9372,17 @@ static bool sk_msg_is_valid_access(int off, int size,
+ return false;
+
+ switch (off) {
+- case offsetof(struct sk_msg_md, data):
++ case bpf_ctx_range_ptr(struct sk_msg_md, data):
+ info->reg_type = PTR_TO_PACKET;
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct sk_msg_md, data_end):
++ case bpf_ctx_range_ptr(struct sk_msg_md, data_end):
+ info->reg_type = PTR_TO_PACKET_END;
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct sk_msg_md, sk):
++ case bpf_ctx_range_ptr(struct sk_msg_md, sk):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCKET;
+@@ -11595,7 +11595,7 @@ static bool sk_lookup_is_valid_access(int off, int size,
+ return false;
+
+ switch (off) {
+- case offsetof(struct bpf_sk_lookup, sk):
++ case bpf_ctx_range_ptr(struct bpf_sk_lookup, sk):
+ info->reg_type = PTR_TO_SOCKET_OR_NULL;
+ return size == sizeof(__u64);
+
+--
+2.43.0
+
diff --git a/SPECS/kernel-rt/CVE-2025-38643.patch b/SPECS/kernel-rt/CVE-2025-38643.patch
deleted file mode 100644
index eb4995f0eb..0000000000
--- a/SPECS/kernel-rt/CVE-2025-38643.patch
+++ /dev/null
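Review bot: In `sk_msg_is_valid_access()` the `data` and `data_end` cases, and the `sk` case of `sk_lookup_is_valid_access()`, assign `info->reg_type` before the size is checked, whereas every other pointer case touched here checks `size != sizeof(__u64)` first. With the labels widened to `bpf_ctx_range_ptr(...)`, offsets inside the pointer field now pass through that assignment before being rejected. This is probably harmless if the caller discards `info` on a false return (not visible in these hunks), but placing `if (size != sizeof(__u64)) return false;` ahead of `info->reg_type = PTR_TO_PACKET;` would make all the pointer cases read the same. Both functions start and end outside the hunks.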
@@ -1,89 +0,0 @@
-From 017e825ea4a7bc35b1e481b6ddb03aa67f30bebc Mon Sep 17 00:00:00 2001
-From: Alexander Wetzel
-Date: Thu, 17 Jul 2025 18:25:45 +0200
-Subject: [PATCH 4/4] wifi: cfg80211: Add missing lock in
- cfg80211_check_and_end_cac()
-
-Callers of wdev_chandef() must hold the wiphy mutex.
-
-But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
-Which triggers the warning below with the mesh_peer_connected_dfs
-test from hostapd and not (yet) released mac80211 code changes:
-
-WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
-Modules linked in:
-CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
-Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
-Stack:
- 00000000 00000001 ffffff00 6093267c
- 00000000 6002ec30 6d577c50 60037608
- 00000000 67e8d108 6063717b 00000000
-Call Trace:
- [<6002ec30>] ? _printk+0x0/0x98
- [<6003c2b3>] show_stack+0x10e/0x11a
- [<6002ec30>] ? _printk+0x0/0x98
- [<60037608>] dump_stack_lvl+0x71/0xb8
- [<6063717b>] ? wdev_chandef+0x60/0x165
- [<6003766d>] dump_stack+0x1e/0x20
- [<6005d1b7>] __warn+0x101/0x20f
- [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
- [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
- [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
- [<600b11a2>] ? mark_held_locks+0x5a/0x6e
- [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
- [<60052e53>] ? unblock_signals+0x3a/0xe7
- [<60052f2d>] ? um_set_signals+0x2d/0x43
- [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
- [<607508b2>] ? lock_is_held_type+0x207/0x21f
- [<6063717b>] wdev_chandef+0x60/0x165
- [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
- [<60052f00>] ? um_set_signals+0x0/0x43
- [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
- [<6007e460>] process_scheduled_works+0x3bc/0x60e
- [<6007d0ec>] ? move_linked_works+0x4d/0x81
- [<6007d120>] ? assign_work+0x0/0xaa
- [<6007f81f>] worker_thread+0x220/0x2dc
- [<600786ef>] ? set_pf_worker+0x0/0x57
- [<60087c96>] ? to_kthread+0x0/0x43
- [<6008ab3c>] kthread+0x2d3/0x2e2
- [<6007f5ff>] ? worker_thread+0x0/0x2dc
- [<6006c05b>] ? calculate_sigpending+0x0/0x56
- [<6003b37d>] new_thread_handler+0x4a/0x64
-irq event stamp: 614611
-hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
-hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
-softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
-softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
-
-Fixes: 26ec17a1dc5e ("cfg80211: Fix radar event during another phy CAC")
-Signed-off-by: Alexander Wetzel
-Link: https://patch.msgid.link/20250717162547.94582-1-Alexander@wetzel-home.de
-Signed-off-by: Johannes Berg
----
- net/wireless/reg.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/wireless/reg.c b/net/wireless/reg.c
-index f6846eb0f4b8..69a7f55e9de4 100644
---- a/net/wireless/reg.c
-+++ b/net/wireless/reg.c
-@@ -4234,6 +4234,8 @@ static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev)
- struct wireless_dev *wdev;
- unsigned int link_id;
-
-+ wiphy_lock(&rdev->wiphy);
-+
- /* If we finished CAC or received radar, we should end any
- * CAC running on the same channels.
- * the check !cfg80211_chandef_dfs_usable contain 2 options:
-@@ -4258,6 +4260,7 @@ static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev)
- rdev_end_cac(rdev, wdev->netdev, link_id);
- }
- }
-+ wiphy_unlock(&rdev->wiphy);
- }
-
- void regulatory_propagate_dfs_state(struct wiphy *wiphy,
---
-2.43.0
-
diff --git a/SPECS/kernel-rt/CVE-2025-38656-2.patch b/SPECS/kernel-rt/CVE-2025-38656-2.patch
new file mode 100644
index 0000000000..5e9f8634fe
--- /dev/null
+++ b/SPECS/kernel-rt/CVE-2025-38656-2.patch
@@ -0,0 +1,36 @@
+From 9ba72bcf0b818bf3577663ad7466d14616e08193 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 1 Jul 2025 13:08:42 -0500
+Subject: [PATCH 13/15] wifi: iwlwifi: Fix error code in
+ iwl_op_mode_dvm_start()
+
+Preserve the error code if iwl_setup_deferred_work() fails. The current
+code returns ERR_PTR(0) (which is NULL) on this path. I believe the
+missing error code potentially leads to a use after free involving
+debugfs.
+
+Fixes: 90a0d9f33996 ("iwlwifi: Add missing check for alloc_ordered_workqueue")
+Signed-off-by: Dan Carpenter
+Link: https://patch.msgid.link/a7a1cd2c-ce01-461a-9afd-dbe535f8df01@sabinyo.mountain
+Signed-off-by: Miri Korenblit
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+index bc065c7089f7..a4f6e5a8f3a9 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+@@ -1468,7 +1468,8 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ /********************
+ * 6. Setup services
+ ********************/
+- if (iwl_setup_deferred_work(priv))
++ err = iwl_setup_deferred_work(priv);
++ if (err)
+ goto out_uninit_drv;
+
+ iwl_setup_rx_handlers(priv);
+--
+2.43.0
+
diff --git a/SPECS/kernel-rt/CVE-2025-38656.patch b/SPECS/kernel-rt/CVE-2025-38656.patch
new file mode 100644
index 0000000000..f110e3b158
--- /dev/null
+++ b/SPECS/kernel-rt/CVE-2025-38656.patch
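Review bot: This follow-up only applies and builds on top of CVE-2025-38656.patch, and nothing in either file records that dependency. The new `err = iwl_setup_deferred_work(priv);` uses the `err` local that the other patch introduces (`int i, err;`), and the index line `bc065c7089f7..a4f6e5a8f3a9` starts from the blob the other patch produces. The file name sorts before `CVE-2025-38656.patch` in a lexical listing, so the spec has to list the pair explicitly in dependency order; the spec hunk is not in view here, so that needs confirming. With CVE-2025-38656.patch alone, the `goto out_uninit_drv` path ends in `return ERR_PTR(err)` with `err == 0`, and `_iwl_op_mode_start()` then accepts the resulting NULL because its test became `!IS_ERR(op_mode)`. A comment next to the Patch entries such as `# CVE-2025-38656-2 depends on CVE-2025-38656 (introduces err); keep both, in this order` would stop the two from being reordered or dropped separately.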
@@ -0,0 +1,231 @@
+From 35c49ea77297c97772ea9f1cb47be0508b0176c2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 27 Dec 2024 10:01:04 +0200
+Subject: [PATCH 12/15] wifi: iwlwifi: return ERR_PTR from opmode start()
+
+In order to restrict the retry loops for timeouts, first
+pass the error code up using ERR_PTR(). This of course
+requires all existing functions to be updated accordingly.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Miri Korenblit
+Link: https://patch.msgid.link/20241227095718.3fe5031d5784.I7307996c91dac69619ff9c616b8a077423fac19f@changeid
+Signed-off-by: Johannes Berg
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/main.c | 34 ++++++++++++-------
+ drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +-
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 24 +++++++++----
+ 3 files changed, 40 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+index b8713ebd7190..bc065c7089f7 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+@@ -1245,7 +1245,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ STATISTICS_NOTIFICATION,
+ REPLY_TX,
+ };
+- int i;
++ int i, err;
+
+ /************************
+ * 1. Allocating HW data
+@@ -1253,6 +1253,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ hw = iwl_alloc_all();
+ if (!hw) {
+ pr_err("%s: Cannot allocate network device\n", trans->name);
++ err = -ENOMEM;
+ goto out;
+ }
+
+@@ -1303,8 +1304,10 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ break;
+ }
+
+- if (WARN_ON(!priv->lib))
++ if (WARN_ON(!priv->lib)) {
++ err = -ENODEV;
+ goto out_free_hw;
++ }
+
+ /*
+ * Populate the state variables that the transport layer needs
+@@ -1381,12 +1384,14 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ IWL_INFO(priv, "Detected %s, REV=0x%X\n",
+ priv->trans->name, priv->trans->hw_rev);
+
+- if (iwl_trans_start_hw(priv->trans))
++ err = iwl_trans_start_hw(priv->trans);
++ if (err)
+ goto out_free_hw;
+
+ /* Read the EEPROM */
+- if (iwl_read_eeprom(priv->trans, &priv->eeprom_blob,
+- &priv->eeprom_blob_size)) {
++ err = iwl_read_eeprom(priv->trans, &priv->eeprom_blob,
++ &priv->eeprom_blob_size);
++ if (err) {
+ IWL_ERR(priv, "Unable to init EEPROM\n");
+ goto out_free_hw;
+ }
+@@ -1397,13 +1402,17 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ priv->nvm_data = iwl_parse_eeprom_data(priv->trans, priv->cfg,
+ priv->eeprom_blob,
+ priv->eeprom_blob_size);
+- if (!priv->nvm_data)
++ if (!priv->nvm_data) {
++ err = -ENOMEM;
+ goto out_free_eeprom_blob;
++ }
+
+- if (iwl_nvm_check_version(priv->nvm_data, priv->trans))
++ err = iwl_nvm_check_version(priv->nvm_data, priv->trans);
++ if (err)
+ goto out_free_eeprom;
+
+- if (iwl_eeprom_init_hw_params(priv))
++ err = iwl_eeprom_init_hw_params(priv);
++ if (err)
+ goto out_free_eeprom;
+
+ /* extract MAC Address */
+@@ -1450,7 +1459,8 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ atomic_set(&priv->queue_stop_count[i], 0);
+ }
+
+- if (iwl_init_drv(priv))
++ err = iwl_init_drv(priv);
++ if (err)
+ goto out_free_eeprom;
+
+ /* At this point both hw and priv are initialized. */
+@@ -1486,7 +1496,8 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ *
+ * 7. Setup and register with mac80211 and debugfs
+ **************************************************/
+- if (iwlagn_mac_setup_register(priv, &fw->ucode_capa))
++ err = iwlagn_mac_setup_register(priv, &fw->ucode_capa);
++ if (err)
+ goto out_destroy_workqueue;
+
+ iwl_dbgfs_register(priv, dbgfs_dir);
+@@ -1507,8 +1518,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ out_free_hw:
+ ieee80211_free_hw(priv->hw);
+ out:
+- op_mode = NULL;
+- return op_mode;
++ return ERR_PTR(err);
+ }
+
+ static void iwl_op_mode_dvm_stop(struct iwl_op_mode *op_mode)
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+index 754e01688900..982b7ca61f7b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -1429,7 +1429,7 @@ _iwl_op_mode_start(struct iwl_drv *drv, struct iwlwifi_opmode_table *op)
+ op_mode = ops->start(drv->trans, drv->trans->cfg,
+ &drv->fw, dbgfs_dir);
+
+- if (op_mode)
++ if (!IS_ERR(op_mode))
+ return op_mode;
+
+ if (test_bit(STATUS_TRANS_DEAD, &drv->trans->status))
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index a7dbc0a5ea84..fcfa3060246e 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1287,6 +1287,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ size_t scan_size;
+ u32 min_backoff;
+ struct iwl_mvm_csme_conn_info *csme_conn_info __maybe_unused;
++ int err;
+
+ /*
+ * We use IWL_STATION_COUNT_MAX to check the validity of the station
+@@ -1304,7 +1305,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ iwl_mvm_has_mld_api(fw) ? &iwl_mvm_mld_hw_ops :
+ &iwl_mvm_hw_ops);
+ if (!hw)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ if (trans->trans_cfg->device_family >= IWL_DEVICE_FAMILY_BZ)
+ max_agg = 512;
+@@ -1348,8 +1349,10 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ trans->rx_mpdu_cmd_hdr_size =
+ sizeof(struct iwl_rx_mpdu_res_start);
+
+- if (WARN_ON(trans->num_rx_queues > 1))
++ if (WARN_ON(trans->num_rx_queues > 1)) {
++ err = -EINVAL;
+ goto out_free;
++ }
+ }
+
+ mvm->fw_restart = iwlwifi_mod_params.fw_restart ? -1 : 0;
+@@ -1426,8 +1429,10 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ iwl_fw_lookup_notif_ver(mvm->fw, LOCATION_GROUP,
+ TOF_RANGE_RESPONSE_NOTIF, 5);
+ /* we only support up to version 9 */
+- if (WARN_ON_ONCE(mvm->cmd_ver.range_resp > 9))
++ if (WARN_ON_ONCE(mvm->cmd_ver.range_resp > 9)) {
++ err = -EINVAL;
+ goto out_free;
++ }
+
+ /*
+ * Populate the state variables that the transport layer needs
+@@ -1490,6 +1495,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ mvm->phy_db = iwl_phy_db_init(trans);
+ if (!mvm->phy_db) {
+ IWL_ERR(mvm, "Cannot init phy_db\n");
++ err = -ENOMEM;
+ goto out_free;
+ }
+
+@@ -1502,8 +1508,10 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ scan_size = iwl_mvm_scan_size(mvm);
+
+ mvm->scan_cmd = kmalloc(scan_size, GFP_KERNEL);
+- if (!mvm->scan_cmd)
++ if (!mvm->scan_cmd) {
++ err = -ENOMEM;
+ goto out_free;
++ }
+ mvm->scan_cmd_size = scan_size;
+
+ /* invalidate ids to prevent accidental removal of sta_id 0 */
+@@ -1532,7 +1540,8 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+
+ iwl_mvm_mei_scan_filter_init(&mvm->mei_scan_filter);
+
+- if (iwl_mvm_start_get_nvm(mvm)) {
++ err = iwl_mvm_start_get_nvm(mvm);
++ if (err) {
+ /*
+ * Getting NVM failed while CSME is the owner, but we are
+ * registered to MEI, we'll get the NVM later when it'll be
+@@ -1545,7 +1554,8 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ }
+
+
+- if (iwl_mvm_start_post_nvm(mvm))
++ err = iwl_mvm_start_post_nvm(mvm);
++ if (err)
+ goto out_thermal_exit;
+
+ return op_mode;
+@@ -1565,7 +1575,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ iwl_trans_op_mode_leave(trans);
+
+ ieee80211_free_hw(mvm->hw);
+- return NULL;
++ return ERR_PTR(err);
+ }
+
+ void iwl_mvm_stop_device(struct iwl_mvm *mvm)
+--
+2.43.0
+
diff --git a/SPECS/kernel-rt/CVE-2025-39981.patch b/SPECS/kernel-rt/CVE-2025-39981.patch
deleted file mode 100644
index 604d2ef847..0000000000
--- a/SPECS/kernel-rt/CVE-2025-39981.patch
+++ /dev/null
@@ -1,770 +0,0 @@ -From df40aa342d6e076b8800cce0a596d98ea61cc02a Mon Sep 17 00:00:00 2001 -From: Luiz Augusto von Dentz -Date: Mon, 25 Aug 2025 10:03:07 -0400 -Subject: [PATCH] Bluetooth: MGMT: Fix possible UAFs - -This attemps to fix possible UAFs caused by struct mgmt_pending being -freed while still being processed like in the following trace, in order -to fix mgmt_pending_valid is introduce and use to check if the -mgmt_pending hasn't been removed from the pending list, on the complete -callbacks it is used to check and in addtion remove the cmd from the list -while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd -is left on the list it can still be accessed and freed. - -BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 -Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55 - -CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full) -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 -Workqueue: hci0 hci_cmd_sync_work -Call Trace: - - dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 - print_address_description mm/kasan/report.c:378 [inline] - print_report+0xca/0x240 mm/kasan/report.c:482 - kasan_report+0x118/0x150 mm/kasan/report.c:595 - mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 - hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332 - process_one_work kernel/workqueue.c:3238 [inline] - process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 - worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 - kthread+0x711/0x8a0 kernel/kthread.c:464 - ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 - ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245 - - -Allocated by task 12210: - kasan_save_stack mm/kasan/common.c:47 [inline] - kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 - poison_kmalloc_redzone mm/kasan/common.c:377 
[inline] - __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 - kasan_kmalloc include/linux/kasan.h:260 [inline] - __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364 - kmalloc_noprof include/linux/slab.h:905 [inline] - kzalloc_noprof include/linux/slab.h:1039 [inline] - mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269 - mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 - __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247 - add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364 - hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 - hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 - sock_sendmsg_nosec net/socket.c:714 [inline] - __sock_sendmsg+0x219/0x270 net/socket.c:729 - sock_write_iter+0x258/0x330 net/socket.c:1133 - new_sync_write fs/read_write.c:593 [inline] - vfs_write+0x5c9/0xb30 fs/read_write.c:686 - ksys_write+0x145/0x250 fs/read_write.c:738 - do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] - do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 - entry_SYSCALL_64_after_hwframe+0x77/0x7f - -Freed by task 12221: - kasan_save_stack mm/kasan/common.c:47 [inline] - kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 - kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 - poison_slab_object mm/kasan/common.c:247 [inline] - __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 - kasan_slab_free include/linux/kasan.h:233 [inline] - slab_free_hook mm/slub.c:2381 [inline] - slab_free mm/slub.c:4648 [inline] - kfree+0x18e/0x440 mm/slub.c:4847 - mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] - mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 - __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444 - hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290 - hci_dev_do_close net/bluetooth/hci_core.c:501 [inline] - hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526 - sock_do_ioctl+0xd9/0x300 net/socket.c:1192 - sock_ioctl+0x576/0x790 net/socket.c:1313 - vfs_ioctl fs/ioctl.c:51 [inline] 
- __do_sys_ioctl fs/ioctl.c:907 [inline] - __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 - do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] - do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 - entry_SYSCALL_64_after_hwframe+0x77/0x7f - -Fixes: cf75ad8b41d2 ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED") -Fixes: 2bd1b237616b ("Bluetooth: hci_sync: Convert MGMT_OP_SET_DISCOVERABLE to use cmd_sync") -Fixes: f056a65783cc ("Bluetooth: hci_sync: Convert MGMT_OP_SET_CONNECTABLE to use cmd_sync") -Fixes: 3244845c6307 ("Bluetooth: hci_sync: Convert MGMT_OP_SSP") -Fixes: d81a494c43df ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LE") -Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") -Fixes: 6f6ff38a1e14 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LOCAL_NAME") -Fixes: 71efbb08b538 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_PHY_CONFIGURATION") -Fixes: b747a83690c8 ("Bluetooth: hci_sync: Refactor add Adv Monitor") -Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY") -Fixes: 26ac4c56f03f ("Bluetooth: hci_sync: Convert MGMT_OP_SET_ADVERTISING") -Reported-by: cen zhang -Signed-off-by: Luiz Augusto von Dentz ---- - net/bluetooth/mgmt.c | 259 ++++++++++++++++++++++++++------------ - net/bluetooth/mgmt_util.c | 46 +++++++ - net/bluetooth/mgmt_util.h | 3 + - 3 files changed, 231 insertions(+), 77 deletions(-) - -diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c -index 563cae4f76b0..bc14b9410bcf 100644 ---- a/net/bluetooth/mgmt.c -+++ b/net/bluetooth/mgmt.c -@@ -1318,8 +1318,7 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) - struct mgmt_mode *cp; - - /* Make sure cmd still outstanding. 
*/ -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - - cp = cmd->param; -@@ -1346,23 +1345,29 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) - mgmt_status(err)); - } - -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - } - - static int set_powered_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_mode *cp; -+ struct mgmt_mode cp; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); - - /* Make sure cmd still outstanding. */ -- if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); - return -ECANCELED; -+ } - -- cp = cmd->param; -+ memcpy(&cp, cmd->param, sizeof(cp)); -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); - - BT_DBG("%s", hdev->name); - -- return hci_set_powered_sync(hdev, cp->val); -+ return hci_set_powered_sync(hdev, cp.val); - } - - static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data, -@@ -1511,8 +1516,7 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data, - bt_dev_dbg(hdev, "err %d", err); - - /* Make sure cmd still outstanding. 
*/ -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - - hci_dev_lock(hdev); -@@ -1534,12 +1538,15 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data, - new_settings(hdev, cmd->sk); - - done: -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - hci_dev_unlock(hdev); - } - - static int set_discoverable_sync(struct hci_dev *hdev, void *data) - { -+ if (!mgmt_pending_listed(hdev, data)) -+ return -ECANCELED; -+ - BT_DBG("%s", hdev->name); - - return hci_update_discoverable_sync(hdev); -@@ -1686,8 +1693,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data, - bt_dev_dbg(hdev, "err %d", err); - - /* Make sure cmd still outstanding. */ -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - - hci_dev_lock(hdev); -@@ -1702,7 +1708,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data, - new_settings(hdev, cmd->sk); - - done: -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - - hci_dev_unlock(hdev); - } -@@ -1738,6 +1744,9 @@ static int set_connectable_update_settings(struct hci_dev *hdev, - - static int set_connectable_sync(struct hci_dev *hdev, void *data) - { -+ if (!mgmt_pending_listed(hdev, data)) -+ return -ECANCELED; -+ - BT_DBG("%s", hdev->name); - - return hci_update_connectable_sync(hdev); -@@ -1914,14 +1923,17 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) - { - struct cmd_lookup match = { NULL, hdev }; - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_mode *cp = cmd->param; -- u8 enable = cp->val; -+ struct mgmt_mode *cp; -+ u8 enable; - bool changed; - - /* Make sure cmd still outstanding. 
*/ -- if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - -+ cp = cmd->param; -+ enable = cp->val; -+ - if (err) { - u8 mgmt_err = mgmt_status(err); - -@@ -1930,8 +1942,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) - new_settings(hdev, NULL); - } - -- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, -- cmd_status_rsp, &mgmt_err); -+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err); - return; - } - -@@ -1941,7 +1952,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) - changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED); - } - -- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match); -+ settings_rsp(cmd, &match); - - if (changed) - new_settings(hdev, match.sk); -@@ -1955,14 +1966,25 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) - static int set_ssp_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_mode *cp = cmd->param; -+ struct mgmt_mode cp; - bool changed = false; - int err; - -- if (cp->val) -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ memcpy(&cp, cmd->param, sizeof(cp)); -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ -+ if (cp.val) - changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED); - -- err = hci_write_ssp_mode_sync(hdev, cp->val); -+ err = hci_write_ssp_mode_sync(hdev, cp.val); - - if (!err && changed) - hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); -@@ -2055,32 +2077,50 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len) - - static void set_le_complete(struct hci_dev *hdev, void *data, int err) - { -+ struct mgmt_pending_cmd *cmd = data; - struct cmd_lookup match = { NULL, hdev }; - u8 status = mgmt_status(err); - - bt_dev_dbg(hdev, "err %d", 
err); - -- if (status) { -- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp, -- &status); -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) - return; -+ -+ if (status) { -+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); -+ goto done; - } - -- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match); -+ settings_rsp(cmd, &match); - - new_settings(hdev, match.sk); - - if (match.sk) - sock_put(match.sk); -+ -+done: -+ mgmt_pending_free(cmd); - } - - static int set_le_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_mode *cp = cmd->param; -- u8 val = !!cp->val; -+ struct mgmt_mode cp; -+ u8 val; - int err; - -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ memcpy(&cp, cmd->param, sizeof(cp)); -+ val = !!cp.val; -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ - if (!val) { - hci_clear_adv_instance_sync(hdev, NULL, 0x00, true); - -@@ -2122,7 +2162,12 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) - { - struct mgmt_pending_cmd *cmd = data; - u8 status = mgmt_status(err); -- struct sock *sk = cmd->sk; -+ struct sock *sk; -+ -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) -+ return; -+ -+ sk = cmd->sk; - - if (status) { - mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true, -@@ -2137,24 +2182,37 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) - static int set_mesh_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_cp_set_mesh *cp = cmd->param; -- size_t len = cmd->param_len; -+ struct mgmt_cp_set_mesh cp; -+ size_t len; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ memcpy(&cp, cmd->param, sizeof(cp)); -+ -+ 
mutex_unlock(&hdev->mgmt_pending_lock); -+ -+ len = cmd->param_len; - - memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types)); - -- if (cp->enable) -+ if (cp.enable) - hci_dev_set_flag(hdev, HCI_MESH); - else - hci_dev_clear_flag(hdev, HCI_MESH); - -- hdev->le_scan_interval = __le16_to_cpu(cp->period); -- hdev->le_scan_window = __le16_to_cpu(cp->window); -+ hdev->le_scan_interval = __le16_to_cpu(cp.period); -+ hdev->le_scan_window = __le16_to_cpu(cp.window); - -- len -= sizeof(*cp); -+ len -= sizeof(cp); - - /* If filters don't fit, forward all adv pkts */ - if (len <= sizeof(hdev->mesh_ad_types)) -- memcpy(hdev->mesh_ad_types, cp->ad_types, len); -+ memcpy(hdev->mesh_ad_types, cp.ad_types, len); - - hci_update_passive_scan_sync(hdev); - return 0; -@@ -3801,15 +3859,16 @@ static int name_changed_sync(struct hci_dev *hdev, void *data) - static void set_name_complete(struct hci_dev *hdev, void *data, int err) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_cp_set_local_name *cp = cmd->param; -+ struct mgmt_cp_set_local_name *cp; - u8 status = mgmt_status(err); - - bt_dev_dbg(hdev, "err %d", err); - -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - -+ cp = cmd->param; -+ - if (status) { - mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, - status); -@@ -3821,16 +3880,27 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err) - hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL); - } - -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - } - - static int set_name_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_cp_set_local_name *cp = cmd->param; -+ struct mgmt_cp_set_local_name cp; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ memcpy(&cp, 
cmd->param, sizeof(cp)); -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); - - if (lmp_bredr_capable(hdev)) { -- hci_update_name_sync(hdev, cp->name); -+ hci_update_name_sync(hdev, cp.name); - hci_update_eir_sync(hdev); - } - -@@ -3982,12 +4052,10 @@ int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip) - static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) - { - struct mgmt_pending_cmd *cmd = data; -- struct sk_buff *skb = cmd->skb; -+ struct sk_buff *skb; - u8 status = mgmt_status(err); - -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) -- return; -+ skb = cmd->skb; - - if (!status) { - if (!skb) -@@ -4014,7 +4082,7 @@ static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) - if (skb && !IS_ERR(skb)) - kfree_skb(skb); - -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - } - - static int set_default_phy_sync(struct hci_dev *hdev, void *data) -@@ -4022,7 +4090,9 @@ static int set_default_phy_sync(struct hci_dev *hdev, void *data) - struct mgmt_pending_cmd *cmd = data; - struct mgmt_cp_set_phy_configuration *cp = cmd->param; - struct hci_cp_le_set_default_phy cp_phy; -- u32 selected_phys = __le32_to_cpu(cp->selected_phys); -+ u32 selected_phys; -+ -+ selected_phys = __le32_to_cpu(cp->selected_phys); - - memset(&cp_phy, 0, sizeof(cp_phy)); - -@@ -4162,7 +4232,7 @@ static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev, - goto unlock; - } - -- cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, -+ cmd = mgmt_pending_new(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, - len); - if (!cmd) - err = -ENOMEM; -@@ -5252,7 +5322,17 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, - { - struct mgmt_rp_add_adv_patterns_monitor rp; - struct mgmt_pending_cmd *cmd = data; -- struct adv_monitor *monitor = cmd->user_data; -+ struct adv_monitor *monitor; -+ -+ /* This is likely the result of hdev being closed 
and mgmt_index_removed -+ * is attempting to clean up any pending command so -+ * hci_adv_monitors_clear is about to be called which will take care of -+ * freeing the adv_monitor instances. -+ */ -+ if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd)) -+ return; -+ -+ monitor = cmd->user_data; - - hci_dev_lock(hdev); - -@@ -5278,9 +5358,20 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, - static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct adv_monitor *monitor = cmd->user_data; -+ struct adv_monitor *mon; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ mon = cmd->user_data; -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); - -- return hci_add_adv_monitor(hdev, monitor); -+ return hci_add_adv_monitor(hdev, mon); - } - - static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, -@@ -5547,7 +5638,8 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev, - status); - } - --static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err) -+static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, -+ int err) - { - struct mgmt_rp_read_local_oob_data mgmt_rp; - size_t rp_size = sizeof(mgmt_rp); -@@ -5567,7 +5659,8 @@ static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int e - bt_dev_dbg(hdev, "status %d", status); - - if (status) { -- mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status); -+ mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, -+ status); - goto remove; - } - -@@ -5872,17 +5965,12 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err) - - bt_dev_dbg(hdev, "err %d", err); - -- if (err == -ECANCELED) -- return; -- -- if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) && -- cmd 
!= pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) && -- cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - - mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), - cmd->param, 1); -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - - hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED: - DISCOVERY_FINDING); -@@ -5890,6 +5978,9 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err) - - static int start_discovery_sync(struct hci_dev *hdev, void *data) - { -+ if (!mgmt_pending_listed(hdev, data)) -+ return -ECANCELED; -+ - return hci_start_discovery_sync(hdev); - } - -@@ -6112,15 +6203,14 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err) - { - struct mgmt_pending_cmd *cmd = data; - -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - - bt_dev_dbg(hdev, "err %d", err); - - mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), - cmd->param, 1); -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - - if (!err) - hci_discovery_set_state(hdev, DISCOVERY_STOPPED); -@@ -6128,6 +6218,9 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err) - - static int stop_discovery_sync(struct hci_dev *hdev, void *data) - { -+ if (!mgmt_pending_listed(hdev, data)) -+ return -ECANCELED; -+ - return hci_stop_discovery_sync(hdev); - } - -@@ -6337,14 +6430,18 @@ static void enable_advertising_instance(struct hci_dev *hdev, int err) - - static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) - { -+ struct mgmt_pending_cmd *cmd = data; - struct cmd_lookup match = { NULL, hdev }; - u8 instance; - struct adv_info *adv_instance; - u8 status = mgmt_status(err); - -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) -+ return; -+ - if (status) { -- 
mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, -- cmd_status_rsp, &status); -+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); -+ mgmt_pending_free(cmd); - return; - } - -@@ -6353,8 +6450,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) - else - hci_dev_clear_flag(hdev, HCI_ADVERTISING); - -- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp, -- &match); -+ settings_rsp(cmd, &match); - - new_settings(hdev, match.sk); - -@@ -6386,10 +6482,23 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) - static int set_adv_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_mode *cp = cmd->param; -- u8 val = !!cp->val; -+ struct mgmt_mode cp; -+ u8 val; - -- if (cp->val == 0x02) -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ memcpy(&cp, cmd->param, sizeof(cp)); -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ -+ val = !!cp.val; -+ -+ if (cp.val == 0x02) - hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE); - else - hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE); -@@ -8142,10 +8251,6 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data, - u8 status = mgmt_status(err); - u16 eir_len; - -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev)) -- return; -- - if (!status) { - if (!skb) - status = MGMT_STATUS_FAILED; -@@ -8252,7 +8357,7 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data, - kfree_skb(skb); - - kfree(mgmt_rp); -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - } - - static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, -@@ -8261,7 +8366,7 @@ static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, - struct mgmt_pending_cmd *cmd; - int err; - -- cmd = 
mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, -+ cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, - cp, sizeof(*cp)); - if (!cmd) - return -ENOMEM; -diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c -index a88a07da3947..aa7b5585cb26 100644 ---- a/net/bluetooth/mgmt_util.c -+++ b/net/bluetooth/mgmt_util.c -@@ -320,6 +320,52 @@ void mgmt_pending_remove(struct mgmt_pending_cmd *cmd) - mgmt_pending_free(cmd); - } - -+bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) -+{ -+ struct mgmt_pending_cmd *tmp; -+ -+ lockdep_assert_held(&hdev->mgmt_pending_lock); -+ -+ if (!cmd) -+ return false; -+ -+ list_for_each_entry(tmp, &hdev->mgmt_pending, list) { -+ if (cmd == tmp) -+ return true; -+ } -+ -+ return false; -+} -+ -+bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) -+{ -+ bool listed; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); -+ listed = __mgmt_pending_listed(hdev, cmd); -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ -+ return listed; -+} -+ -+bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) -+{ -+ bool listed; -+ -+ if (!cmd) -+ return false; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ listed = __mgmt_pending_listed(hdev, cmd); -+ if (listed) -+ list_del(&cmd->list); -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ -+ return listed; -+} -+ - void mgmt_mesh_foreach(struct hci_dev *hdev, - void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), - void *data, struct sock *sk) -diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h -index 024e51dd6937..bcba8c9d8952 100644 ---- a/net/bluetooth/mgmt_util.h -+++ b/net/bluetooth/mgmt_util.h -@@ -65,6 +65,9 @@ struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode, - void *data, u16 len); - void mgmt_pending_free(struct mgmt_pending_cmd *cmd); - void mgmt_pending_remove(struct mgmt_pending_cmd *cmd); -+bool __mgmt_pending_listed(struct hci_dev *hdev, struct 
mgmt_pending_cmd *cmd); -+bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); -+bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); - void mgmt_mesh_foreach(struct hci_dev *hdev, - void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), - void *data, struct sock *sk); --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-40064.patch b/SPECS/kernel-rt/CVE-2025-40064.patch new file mode 100644 index 0000000000..0abf0faa40 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40064.patch 
@@ -0,0 +1,207 @@ +From e984bf63dd43d70b190ed665cee74b4d1d9bc44f Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Tue, 16 Sep 2025 21:47:19 +0000 +Subject: [PATCH 6/8] smc: Fix use-after-free in __pnet_find_base_ndev(). + +syzbot reported use-after-free of net_device in __pnet_find_base_ndev(), +which was called during connect(). [0] + +smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes +down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened +at __pnet_find_base_ndev() when the dev is first used. + +This means dev had already been freed before acquiring RTNL in +pnet_find_base_ndev(). + +While dev is going away, dst->dev could be swapped with blackhole_netdev, +and the dev's refcnt by dst will be released. + +We must hold dev's refcnt before calling smc_pnet_find_ism_resource(). + +Also, smc_pnet_find_roce_resource() has the same problem. + +Let's use __sk_dst_get() and dst_dev_rcu() in the two functions. + +[0]: +BUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926 +Read of size 1 at addr ffff888036bac33a by task syz.0.3632/18609 + +CPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 +Call Trace: + + dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926 + pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline] + smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline] + smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154 + smc_find_ism_device net/smc/af_smc.c:1030 [inline] + smc_find_proposal_devices net/smc/af_smc.c:1115 [inline] + __smc_connect+0x372/0x1890 net/smc/af_smc.c:1545 + smc_connect+0x877/0xd90 net/smc/af_smc.c:1715 + __sys_connect_file 
net/socket.c:2086 [inline] + __sys_connect+0x313/0x440 net/socket.c:2105 + __do_sys_connect net/socket.c:2111 [inline] + __se_sys_connect net/socket.c:2108 [inline] + __x64_sys_connect+0x7a/0x90 net/socket.c:2108 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f47cbf8eba9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9 +RDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b +RBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8 + + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac +flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000 +raw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as freed +page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466 + set_page_owner include/linux/page_owner.h:32 [inline] + post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 + prep_new_page mm/page_alloc.c:1859 [inline] + get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 + __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 + alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 + 
___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317 + __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348 + __do_kmalloc_node mm/slub.c:4364 [inline] + __kvmalloc_node_noprof+0x6d/0x5f0 mm/slub.c:5067 + alloc_netdev_mqs+0xa3/0x11b0 net/core/dev.c:11812 + tun_set_iff+0x532/0xef0 drivers/net/tun.c:2775 + __tun_chr_ioctl+0x788/0x1df0 drivers/net/tun.c:3085 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:598 [inline] + __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +page last free pid 18610 tgid 18608 stack trace: + reset_page_owner include/linux/page_owner.h:25 [inline] + free_pages_prepare mm/page_alloc.c:1395 [inline] + __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895 + free_large_kmalloc+0x13a/0x1f0 mm/slub.c:4820 + device_release+0x99/0x1c0 drivers/base/core.c:-1 + kobject_cleanup lib/kobject.c:689 [inline] + kobject_release lib/kobject.c:720 [inline] + kref_put include/linux/kref.h:65 [inline] + kobject_put+0x22b/0x480 lib/kobject.c:737 + netdev_run_todo+0xd2e/0xea0 net/core/dev.c:11513 + rtnl_unlock net/core/rtnetlink.c:157 [inline] + rtnl_net_unlock include/linux/rtnetlink.h:135 [inline] + rtnl_dellink+0x537/0x710 net/core/rtnetlink.c:3563 + rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6946 + netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:714 [inline] + __sock_sendmsg+0x219/0x270 net/socket.c:729 + ____sys_sendmsg+0x505/0x830 net/socket.c:2614 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 + __sys_sendmsg net/socket.c:2700 [inline] + __do_sys_sendmsg net/socket.c:2705 [inline] + __se_sys_sendmsg net/socket.c:2703 [inline] + __x64_sys_sendmsg+0x19b/0x260 
net/socket.c:2703 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Memory state around the buggy address: + ffff888036bac200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff888036bac280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +>ffff888036bac300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ^ + ffff888036bac380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + ffff888036bac400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +Fixes: 0afff91c6f5e ("net/smc: add pnetid support") +Fixes: 1619f770589a ("net/smc: add pnetid support for SMC-D and ISM") +Reported-by: syzbot+ea28e9d85be2f327b6c6@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/68c237c7.050a0220.3c6139.0036.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250916214758.650211-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +--- + net/smc/smc_pnet.c | 43 ++++++++++++++++++++++--------------------- + 1 file changed, 22 insertions(+), 21 deletions(-) + +diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c +index b391c2ef463f..f2849e030004 100644 +--- a/net/smc/smc_pnet.c ++++ b/net/smc/smc_pnet.c +@@ -1126,37 +1126,38 @@ static void smc_pnet_find_ism_by_pnetid(struct net_device *ndev, + */ + void smc_pnet_find_roce_resource(struct sock *sk, struct smc_init_info *ini) + { +- struct dst_entry *dst = sk_dst_get(sk); +- +- if (!dst) +- goto out; +- if (!dst->dev) +- goto out_rel; ++ struct net_device *dev; ++ struct dst_entry *dst; + +- smc_pnet_find_roce_by_pnetid(dst->dev, ini); ++ rcu_read_lock(); ++ dst = __sk_dst_get(sk); ++ dev = dst ? 
dst_dev_rcu(dst) : NULL; ++ dev_hold(dev); ++ rcu_read_unlock(); + +-out_rel: +- dst_release(dst); +-out: +- return; ++ if (dev) { ++ smc_pnet_find_roce_by_pnetid(dev, ini); ++ dev_put(dev); ++ } + } + + void smc_pnet_find_ism_resource(struct sock *sk, struct smc_init_info *ini) + { +- struct dst_entry *dst = sk_dst_get(sk); ++ struct net_device *dev; ++ struct dst_entry *dst; + + ini->ism_dev[0] = NULL; +- if (!dst) +- goto out; +- if (!dst->dev) +- goto out_rel; + +- smc_pnet_find_ism_by_pnetid(dst->dev, ini); ++ rcu_read_lock(); ++ dst = __sk_dst_get(sk); ++ dev = dst ? dst_dev_rcu(dst) : NULL; ++ dev_hold(dev); ++ rcu_read_unlock(); + +-out_rel: +- dst_release(dst); +-out: +- return; ++ if (dev) { ++ smc_pnet_find_ism_by_pnetid(dev, ini); ++ dev_put(dev); ++ } + } + + /* Lookup and apply a pnet table entry to the given ib device. +-- +2.34.1 + diff --git a/SPECS/kernel-rt/CVE-2025-40074.patch b/SPECS/kernel-rt/CVE-2025-40074.patch new file mode 100644 index 0000000000..f0c2dbd16c --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40074.patch 
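Review bot: The rewritten `smc_pnet_find_roce_resource()` and `smc_pnet_find_ism_resource()` call `dst_dev_rcu()`, which this patch does not define; its diffstat touches only net/smc/smc_pnet.c. The backport therefore builds only if the helper is already in the 6.12.59 tree or is added by a patch applied earlier. CVE-2025-40074.patch, added next, has the same dependency for `dst_dev_rcu()` and `skb_dst_dev_rcu()`. The "PATCH 6/8" subject suggests an ordered series, and the spec's patch list is not visible here, so the apply order should be confirmed. Both functions also call `dev_hold(dev)` before the NULL test, which relies on `dev_hold()` tolerating NULL; a one-line comment such as `/* dev_hold(NULL) is a no-op; the ref keeps dev valid after rcu_read_unlock() */` would make that explicit.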
@@ -0,0 +1,103 @@ +From c78bade8fe345c24a18be6315560e83caa4cd232 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 28 Aug 2025 19:58:23 +0000 +Subject: [PATCH 5/8] ipv4: start using dst_dev_rcu() + +Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF. + +Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(), +ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu(). + +Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20250828195823.3958522-9-edumazet@google.com +Signed-off-by: Jakub Kicinski +--- + net/ipv4/icmp.c | 6 +++--- + net/ipv4/ip_fragment.c | 6 ++++-- + net/ipv4/ipmr.c | 2 +- + net/ipv4/route.c | 4 ++-- + 4 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 508b23204edc..c3c2532d6721 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -318,17 +318,17 @@ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt, + return true; + + /* No rate limit on loopback */ +- dev = dst_dev(dst); ++ rcu_read_lock(); ++ dev = dst_dev_rcu(dst); + if (dev && (dev->flags & IFF_LOOPBACK)) + goto out; + +- rcu_read_lock(); + peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr, + l3mdev_master_ifindex_rcu(dev)); + rc = inet_peer_xrlim_allow(peer, + READ_ONCE(net->ipv4.sysctl_icmp_ratelimit)); +- rcu_read_unlock(); + out: ++ rcu_read_unlock(); + if (!rc) + __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST); + else +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c +index 183856b0b740..87ca69974598 100644 +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -488,13 +488,15 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb, + /* Process an incoming IP datagram fragment. */ + int ip_defrag(struct net *net, struct sk_buff *skb, u32 user) + { +- struct net_device *dev = skb->dev ? 
: skb_dst_dev(skb); +- int vif = l3mdev_master_ifindex_rcu(dev); ++ struct net_device *dev; + struct ipq *qp; ++ int vif; + + __IP_INC_STATS(net, IPSTATS_MIB_REASMREQDS); + + /* Lookup (or create) queue header */ ++ dev = skb->dev ? : skb_dst_dev_rcu(skb); ++ vif = l3mdev_master_ifindex_rcu(dev); + qp = ip_find(net, ip_hdr(skb), user, vif); + if (qp) { + int ret; +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index de0d9cc7806a..f0294b114824 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -1894,7 +1894,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt, + goto out_free; + } + +- dev = rt->dst.dev; ++ dev = dst_dev_rcu(&rt->dst); + + if (skb->len+encap > dst_mtu(&rt->dst) && (ntohs(iph->frag_off) & IP_DF)) { + /* Do not fragment multicasts. Alas, IPv4 does not +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 8c54a3ecbddf..615e80f76158 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -413,11 +413,11 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst, + const void *daddr) + { + const struct rtable *rt = container_of(dst, struct rtable, dst); +- struct net_device *dev = dst_dev(dst); ++ struct net_device *dev; + struct neighbour *n; + + rcu_read_lock(); +- ++ dev = dst_dev_rcu(dst); + if (likely(rt->rt_gw_family == AF_INET)) { + n = ip_neigh_gw4(dev, rt->rt_gw4); + } else if (rt->rt_gw_family == AF_INET6) { +-- +2.34.1 + diff --git a/SPECS/kernel-rt/CVE-2025-40075-1.patch b/SPECS/kernel-rt/CVE-2025-40075-1.patch new file mode 100644 index 0000000000..ebd905650d --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40075-1.patch 
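Review bot: In the ip_defrag() part of this patch, `skb_dst_dev_rcu(skb)` is called with no `rcu_read_lock()` visible between `__IP_INC_STATS()` and the queue lookup, whereas the icmp.c and route.c changes move the dereference inside an explicit read-side section. If ip_defrag() in this 6.12 tree is not already under RCU on every call path, the device pointer is unprotected, and once CVE-2025-40075.patch turns dst_dev_rcu() into `rcu_dereference()` the omission is reported only on lockdep builds. Either confirm that the callers hold RCU, or bracket the lookup with `rcu_read_lock();` before `dev = skb->dev ? : skb_dst_dev_rcu(skb);` and a matching unlock on each exit. ip_defrag()'s body continues outside the hunk, so the exit paths have to be checked against the full function.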
@@ -0,0 +1,50 @@
+From 5713e8f87ebb86cf78123c967d2fdf6a1c1a04d3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 28 Aug 2025 19:58:21 +0000
+Subject: [PATCH 4/8] tcp_metrics: use dst_dev_net_rcu()
+
+Replace three dst_dev() with a lockdep enabled helper.
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20250828195823.3958522-7-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+---
+ net/ipv4/tcp_metrics.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
+index 03c068ea27b6..10e86f1008e9 100644
+--- a/net/ipv4/tcp_metrics.c
++++ b/net/ipv4/tcp_metrics.c
+@@ -170,7 +170,7 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst,
+ struct net *net;
+
+ spin_lock_bh(&tcp_metrics_lock);
+- net = dev_net_rcu(dst_dev(dst));
++ net = dst_dev_net_rcu(dst);
+
+ /* While waiting for the spin-lock the cache might have been populated
+ * with this entry and so we have to check again.
+@@ -273,7 +273,7 @@ static struct tcp_metrics_block *__tcp_get_metrics_req(struct request_sock *req,
+ return NULL;
+ }
+
+- net = dev_net_rcu(dst_dev(dst));
++ net = dst_dev_net_rcu(dst);
+ hash ^= net_hash_mix(net);
+ hash = hash_32(hash, tcp_metrics_hash_log);
+
+@@ -318,7 +318,7 @@ static struct tcp_metrics_block *tcp_get_metrics(struct sock *sk,
+ else
+ return NULL;
+
+- net = dev_net_rcu(dst_dev(dst));
++ net = dst_dev_net_rcu(dst);
+ hash ^= net_hash_mix(net);
+ hash = hash_32(hash, tcp_metrics_hash_log);
+
+--
+2.34.1
+
diff --git a/SPECS/kernel-rt/CVE-2025-40075.patch b/SPECS/kernel-rt/CVE-2025-40075.patch
new file mode 100644
index 0000000000..84376b1590
--- /dev/null
+++ b/SPECS/kernel-rt/CVE-2025-40075.patch
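Review bot: All three replacements in this patch call `dst_dev_net_rcu()`, which is only introduced by the include/net/dst.h hunk of CVE-2025-40075.patch (PATCH 3/8), so that patch has to be applied before CVE-2025-40075-1.patch (PATCH 4/8). In sorted file-name order the `-1` file comes first, and applying it first would leave tcp_metrics.c referencing an undeclared helper. The same dependency exists between CVE-2025-40086.patch (7/8) and CVE-2025-40086-1.patch (8/8), where the second patch's context already contains `!xe_vm_in_preempt_fence_mode(vm)`. The spec's patch list is not part of this chunk, so check there that the apply order follows the upstream series numbers.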
@@ -0,0 +1,105 @@ +From 7649135be0cd3d9c9083b623f086573ae448589c Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 28 Aug 2025 19:58:16 +0000 +Subject: [PATCH 3/8] net: dst: introduce dst->dev_rcu + +Followup of commit 88fe14253e18 ("net: dst: add four helpers +to annotate data-races around dst->dev"). + +We want to gradually add explicit RCU protection to dst->dev, +including lockdep support. + +Add an union to alias dst->dev_rcu and dst->dev. + +Add dst_dev_net_rcu() helper. + +Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20250828195823.3958522-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +--- + include/net/dst.h | 16 +++++++++++----- + net/core/dst.c | 2 +- + net/ipv4/route.c | 4 ++-- + 3 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/include/net/dst.h b/include/net/dst.h +index e5c9ea188383..e7c1eb69570e 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -24,7 +24,10 @@ + struct sk_buff; + + struct dst_entry { +- struct net_device *dev; ++ union { ++ struct net_device *dev; ++ struct net_device __rcu *dev_rcu; ++ }; + struct dst_ops *ops; + unsigned long _metrics; + unsigned long expires; +@@ -568,9 +571,12 @@ static inline struct net_device *dst_dev(const struct dst_entry *dst) + + static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst) + { +- /* In the future, use rcu_dereference(dst->dev) */ +- WARN_ON_ONCE(!rcu_read_lock_held()); +- return READ_ONCE(dst->dev); ++ return rcu_dereference(dst->dev_rcu); ++} ++ ++static inline struct net *dst_dev_net_rcu(const struct dst_entry *dst) ++{ ++ return dev_net_rcu(dst_dev_rcu(dst)); + } + + static inline struct net_device *skb_dst_dev(const struct sk_buff *skb) +@@ -590,7 +596,7 @@ static inline struct net *skb_dst_dev_net(const struct sk_buff *skb) + + static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb) + { +- return 
dev_net_rcu(skb_dst_dev(skb)); ++ return dev_net_rcu(skb_dst_dev_rcu(skb)); + } + + struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie); +diff --git a/net/core/dst.c b/net/core/dst.c +index 9a0ddef8bee4..8dbb54148c03 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -150,7 +150,7 @@ void dst_dev_put(struct dst_entry *dst) + dst->ops->ifdown(dst, dev); + WRITE_ONCE(dst->input, dst_discard); + WRITE_ONCE(dst->output, dst_discard_out); +- WRITE_ONCE(dst->dev, blackhole_netdev); ++ rcu_assign_pointer(dst->dev_rcu, blackhole_netdev); + netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker, + GFP_ATOMIC); + } +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 96a01eb33653..8c54a3ecbddf 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1025,7 +1025,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu) + return; + + rcu_read_lock(); +- net = dev_net_rcu(dst_dev(dst)); ++ net = dst_dev_net_rcu(dst); + if (mtu < net->ipv4.ip_rt_min_pmtu) { + lock = true; + mtu = min(old_mtu, net->ipv4.ip_rt_min_pmtu); +@@ -1323,7 +1323,7 @@ static unsigned int ipv4_default_advmss(const struct dst_entry *dst) + struct net *net; + + rcu_read_lock(); +- net = dev_net_rcu(dst_dev(dst)); ++ net = dst_dev_net_rcu(dst); + advmss = max_t(unsigned int, ipv4_mtu(dst) - header_size, + net->ipv4.ip_rt_min_advmss); + rcu_read_unlock(); +-- +2.34.1 + diff --git a/SPECS/kernel-rt/CVE-2025-40086-1.patch b/SPECS/kernel-rt/CVE-2025-40086-1.patch new file mode 100644 index 0000000000..68c0375c1d --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40086-1.patch 
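Review bot: dst_dev_rcu() loses its unconditional `WARN_ON_ONCE(!rcu_read_lock_held())` in the include/net/dst.h hunk, so a caller that forgets the read-side lock is now reported only on kernels built with RCU lockdep checking (CONFIG_PROVE_RCU). The new dst_dev_net_rcu() carries no comment, so I would state the contract on it, for example `/* Caller must hold rcu_read_lock(); the returned net must not be used after the section ends. */`. Other backports in this series (CVE-2025-40074.patch, CVE-2025-40135.patch) add further dst_dev_rcu() callers, so one run of the networking tests on a lockdep-enabled build of this kernel would show whether any of them lacks the lock.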
@@ -0,0 +1,158 @@ +From 424f106e84506904143f4e175468af2cea445554 Mon Sep 17 00:00:00 2001 +From: Matthew Brost +Date: Thu, 9 Oct 2025 04:06:18 -0700 +Subject: [PATCH 8/8] drm/xe: Don't allow evicting of BOs in same VM in array + of VM binds +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +An array of VM binds can potentially evict other buffer objects (BOs) +within the same VM under certain conditions, which may lead to NULL +pointer dereferences later in the bind pipeline. To prevent this, clear +the allow_res_evict flag in the xe_bo_validate call. + +v2: + - Invert polarity of no_res_evict (Thomas) + - Add comment in code explaining issue (Thomas) + +Cc: stable@vger.kernel.org +Reported-by: Paulo Zanoni +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6268 +Fixes: 774b5fa509a9 ("drm/xe: Avoid evicting object of the same vm in none fault mode") +Fixes: 77f2ef3f16f5 ("drm/xe: Lock all gpuva ops during VM bind IOCTL") +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Signed-off-by: Matthew Brost +Tested-by: Paulo Zanoni +Reviewed-by: Thomas Hellström +Link: https://lore.kernel.org/r/20251009110618.3481870-1-matthew.brost@intel.com +(cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08) +Signed-off-by: Lucas De Marchi +--- + drivers/gpu/drm/xe/xe_vm.c | 36 ++++++++++++++++++++++---------- + drivers/gpu/drm/xe/xe_vm_types.h | 5 +++++ + 2 files changed, 30 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c +index 435a407a59a8..0eb3081ad41f 100644 +--- a/drivers/gpu/drm/xe/xe_vm.c ++++ b/drivers/gpu/drm/xe/xe_vm.c +@@ -2456,7 +2456,7 @@ static void vm_bind_ioctl_ops_unwind(struct xe_vm *vm, + } + + static int vma_lock_and_validate(struct drm_exec *exec, struct xe_vma *vma, +- bool validate) ++ bool res_evict, bool validate) + { + struct xe_bo *bo = xe_vma_bo(vma); + struct xe_vm *vm = xe_vma_vm(vma); +@@ -2467,7 +2467,8 
@@ static int vma_lock_and_validate(struct drm_exec *exec, struct xe_vma *vma, + err = drm_exec_lock_obj(exec, &bo->ttm.base); + if (!err && validate) + err = xe_bo_validate(bo, vm, +- !xe_vm_in_preempt_fence_mode(vm)); ++ !xe_vm_in_preempt_fence_mode(vm) && ++ res_evict); + } + + return err; +@@ -2489,15 +2490,24 @@ static int check_ufence(struct xe_vma *vma) + } + + static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm, +- struct xe_vma_op *op) ++ struct xe_vma_ops *vops, struct xe_vma_op *op) + { + int err = 0; ++ bool res_evict; ++ ++ /* ++ * We only allow evicting a BO within the VM if it is not part of an ++ * array of binds, as an array of binds can evict another BO within the ++ * bind. ++ */ ++ res_evict = !(vops->flags & XE_VMA_OPS_ARRAY_OF_BINDS); + + switch (op->base.op) { + case DRM_GPUVA_OP_MAP: + err = vma_lock_and_validate(exec, op->map.vma, +- !xe_vm_in_fault_mode(vm) || +- op->map.immediate); ++ res_evict, ++ !xe_vm_in_fault_mode(vm) || ++ op->map.immediate); + break; + case DRM_GPUVA_OP_REMAP: + err = check_ufence(gpuva_to_vma(op->base.remap.unmap->va)); +@@ -2506,11 +2516,13 @@ static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm, + + err = vma_lock_and_validate(exec, + gpuva_to_vma(op->base.remap.unmap->va), +- false); ++ res_evict, false); + if (!err && op->remap.prev) +- err = vma_lock_and_validate(exec, op->remap.prev, true); ++ err = vma_lock_and_validate(exec, op->remap.prev, ++ res_evict, true); + if (!err && op->remap.next) +- err = vma_lock_and_validate(exec, op->remap.next, true); ++ err = vma_lock_and_validate(exec, op->remap.next, ++ res_evict, true); + break; + case DRM_GPUVA_OP_UNMAP: + err = check_ufence(gpuva_to_vma(op->base.unmap.va)); +@@ -2519,7 +2531,7 @@ static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm, + + err = vma_lock_and_validate(exec, + gpuva_to_vma(op->base.unmap.va), +- false); ++ res_evict, false); + break; + case DRM_GPUVA_OP_PREFETCH: + { +@@ -2530,7 +2542,7 @@ 
static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm, + + err = vma_lock_and_validate(exec, + gpuva_to_vma(op->base.prefetch.va), +- false); ++ res_evict, false); + if (!err && !xe_vma_has_no_bo(vma)) + err = xe_bo_migrate(xe_vma_bo(vma), + region_to_mem_type[region]); +@@ -2555,7 +2567,7 @@ static int vm_bind_ioctl_ops_lock_and_prep(struct drm_exec *exec, + return err; + + list_for_each_entry(op, &vops->list, link) { +- err = op_lock_and_prep(exec, vm, op); ++ err = op_lock_and_prep(exec, vm, vops, op); + if (err) + return err; + } +@@ -3149,6 +3161,8 @@ int xe_vm_bind_ioctl(struct drm_device *dev, void *data, struct drm_file *file) + } + + xe_vma_ops_init(&vops, vm, q, syncs, num_syncs); ++ if (args->num_binds > 1) ++ vops.flags |= XE_VMA_OPS_ARRAY_OF_BINDS; + for (i = 0; i < args->num_binds; ++i) { + u64 range = bind_ops[i].range; + u64 addr = bind_ops[i].addr; +diff --git a/drivers/gpu/drm/xe/xe_vm_types.h b/drivers/gpu/drm/xe/xe_vm_types.h +index a4b4091cfd0d..e4ebbe30c79b 100644 +--- a/drivers/gpu/drm/xe/xe_vm_types.h ++++ b/drivers/gpu/drm/xe/xe_vm_types.h +@@ -373,6 +373,11 @@ struct xe_vma_ops { + u32 num_syncs; + /** @pt_update_ops: page table update operations */ + struct xe_vm_pgtable_update_ops pt_update_ops[XE_MAX_TILES_PER_DEVICE]; ++ /** @flag: signify the properties within xe_vma_ops*/ ++#define XE_VMA_OPS_FLAG_HAS_SVM_PREFETCH BIT(0) ++#define XE_VMA_OPS_FLAG_MADVISE BIT(1) ++#define XE_VMA_OPS_ARRAY_OF_BINDS BIT(2) ++ u32 flags; + #ifdef TEST_VM_OPS_ERROR + /** @inject_error: inject error to test error handling */ + bool inject_error; +-- +2.34.1 + diff --git a/SPECS/kernel-rt/CVE-2025-40086.patch b/SPECS/kernel-rt/CVE-2025-40086.patch new file mode 100644 index 0000000000..f2118b522f --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40086.patch 
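Review bot: op_lock_and_prep() now derives `res_evict` from `vops->flags`, but the only write to the new field in this patch is `vops.flags |= XE_VMA_OPS_ARRAY_OF_BINDS` in xe_vm_bind_ioctl(), so its starting value depends on xe_vma_ops_init() clearing the whole structure. That function is outside the hunks; if it sets fields one by one, every xe_vma_ops user would read an uninitialised `flags` when deciding whether same-VM eviction is allowed, and an explicit `vops->flags = 0;` there removes the doubt. In xe_vm_types.h the kernel-doc tag reads `@flag` while the member is `flags`, so `/** @flags: signify the properties within xe_vma_ops */` would match it. XE_VMA_OPS_FLAG_HAS_SVM_PREFETCH and XE_VMA_OPS_FLAG_MADVISE are defined without a user in this backport.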
@@ -0,0 +1,62 @@ +From 2fbba3ce1c3edd00a587594234da05d682e459a7 Mon Sep 17 00:00:00 2001 +From: Oak Zeng +Date: Mon, 2 Dec 2024 21:19:29 -0500 +Subject: [PATCH 7/8] drm/xe: Avoid evicting object of the same vm in none + fault mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BO validation during vm_bind could trigger memory eviction when +system runs under memory pressure. Right now we blindly evict +BOs of all VMs. This scheme has a problem when system runs in +none recoverable page fault mode: even though the vm_bind could +be successful by evicting BOs, the later the rebinding of the +evicted BOs would fail. So it is better to report an out-of- +memory failure at vm_bind time than at time of rebinding where +xekmd currently doesn't have a good mechanism to report error +to user space. + +This patch implemented a scheme to only evict objects of other +VMs during vm_bind time. Object of the same VM will skip eviction. +If we failed to find enough memory for vm_bind, we report error +to user space at vm_bind time. + +This scheme is not needed for recoverable page fault mode under +what we can dynamically fault-in pages on demand. 
+ +v1: Use xe_vm_in_preempt_fence_mode instead of stack variable (Thomas) + +Signed-off-by: Oak Zeng +Suggested-by: Thomas Hellström +Reviewed-by: Thomas Hellström +Link: https://patchwork.freedesktop.org/patch/msgid/20241203021929.1919730-1-oak.zeng@intel.com +Signed-off-by: Rodrigo Vivi +--- + drivers/gpu/drm/xe/xe_vm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c +index fc5f0e135193..435a407a59a8 100644 +--- a/drivers/gpu/drm/xe/xe_vm.c ++++ b/drivers/gpu/drm/xe/xe_vm.c +@@ -2459,13 +2459,15 @@ static int vma_lock_and_validate(struct drm_exec *exec, struct xe_vma *vma, + bool validate) + { + struct xe_bo *bo = xe_vma_bo(vma); ++ struct xe_vm *vm = xe_vma_vm(vma); + int err = 0; + + if (bo) { + if (!bo->vm) + err = drm_exec_lock_obj(exec, &bo->ttm.base); + if (!err && validate) +- err = xe_bo_validate(bo, xe_vma_vm(vma), true); ++ err = xe_bo_validate(bo, vm, ++ !xe_vm_in_preempt_fence_mode(vm)); + } + + return err; +-- +2.34.1 + diff --git a/SPECS/kernel-rt/CVE-2025-40098.patch b/SPECS/kernel-rt/CVE-2025-40098.patch new file mode 100644 index 0000000000..bc46d97f98 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40098.patch 
@@ -0,0 +1,38 @@
+From 31ca54b3c5b5b8116cdb506799df842603be097b Mon Sep 17 00:00:00 2001
+From: Denis Arefev
+Date: Tue, 7 Oct 2025 10:38:31 +0300
+Subject: [PATCH 1/8] ALSA: hda: cs35l41: Fix NULL pointer dereference in
+ cs35l41_get_acpi_mute_state()
+
+Return value of a function acpi_evaluate_dsm() is dereferenced without
+checking for NULL, but it is usually checked for this function.
+
+acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns
+acpi_status other than ACPI_SUCCESS, so add a check to prevent the crach.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 447106e92a0c ("ALSA: hda: cs35l41: Support mute notifications for CS35L41 HDA")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Arefev
+Signed-off-by: Takashi Iwai
+---
+ sound/pci/hda/cs35l41_hda.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/cs35l41_hda.c b/sound/pci/hda/cs35l41_hda.c
+index d68bf7591d90..53d213de0ff3 100644
+--- a/sound/pci/hda/cs35l41_hda.c
++++ b/sound/pci/hda/cs35l41_hda.c
+@@ -1375,6 +1375,8 @@ static int cs35l41_get_acpi_mute_state(struct cs35l41_hda *cs35l41, acpi_handle
+
+ if (cs35l41_dsm_supported(handle, CS35L41_DSM_GET_MUTE)) {
+ ret = acpi_evaluate_dsm(handle, &guid, 0, CS35L41_DSM_GET_MUTE, NULL);
++ if (!ret)
++ return -EINVAL;
+ mute = *ret->buffer.pointer;
+ dev_dbg(cs35l41->dev, "CS35L41_DSM_GET_MUTE: %d\n", mute);
+ }
+--
+2.34.1
+
diff --git a/SPECS/kernel-rt/CVE-2025-40130.patch b/SPECS/kernel-rt/CVE-2025-40130.patch
new file mode 100644
index 0000000000..f5fd63383f
--- /dev/null
+++ b/SPECS/kernel-rt/CVE-2025-40130.patch
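Review bot: The added `if (!ret)` check covers a failed evaluation, but the next line still reads `*ret->buffer.pointer` without confirming that firmware returned a buffer object holding at least one byte. `acpi_evaluate_dsm_typed()` rejects a wrong object type: `ret = acpi_evaluate_dsm_typed(handle, &guid, 0, CS35L41_DSM_GET_MUTE, NULL, ACPI_TYPE_BUFFER);`, and a `ret->buffer.length` check before the read would cover the empty case. The rest of cs35l41_get_acpi_mute_state() is outside the hunk, so whether `ret` is released with ACPI_FREE() after use cannot be confirmed from here.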
@@ -0,0 +1,126 @@ +From 1fa3666422d32324d23972c47b02405b3cca220c Mon Sep 17 00:00:00 2001 +From: Zhongqiu Han +Date: Wed, 17 Sep 2025 17:41:43 +0800 +Subject: [PATCH 11/15] scsi: ufs: core: Fix data race in CPU latency PM QoS + request handling + +The cpu_latency_qos_add/remove/update_request interfaces lack internal +synchronization by design, requiring the caller to ensure thread safety. +The current implementation relies on the 'pm_qos_enabled' flag, which is +insufficient to prevent concurrent access and cannot serve as a proper +synchronization mechanism. This has led to data races and list +corruption issues. + +A typical race condition call trace is: + +[Thread A] +ufshcd_pm_qos_exit() + --> cpu_latency_qos_remove_request() + --> cpu_latency_qos_apply(); + --> pm_qos_update_target() + --> plist_del <--(1) delete plist node + --> memset(req, 0, sizeof(*req)); + --> hba->pm_qos_enabled = false; + +[Thread B] +ufshcd_devfreq_target + --> ufshcd_devfreq_scale + --> ufshcd_scale_clks + --> ufshcd_pm_qos_update <--(2) pm_qos_enabled is true + --> cpu_latency_qos_update_request + --> pm_qos_update_target + --> plist_del <--(3) plist node use-after-free + +Introduces a dedicated mutex to serialize PM QoS operations, preventing +data races and ensuring safe access to PM QoS resources, including sysfs +interface reads. + +Fixes: 2777e73fc154 ("scsi: ufs: core: Add CPU latency QoS support for UFS driver") +Signed-off-by: Zhongqiu Han +Reviewed-by: Bart Van Assche +Tested-by: Huan Tang +Signed-off-by: Martin K. 
Petersen +--- + drivers/ufs/core/ufs-sysfs.c | 2 ++ + drivers/ufs/core/ufshcd.c | 9 +++++++++ + include/ufs/ufshcd.h | 3 +++ + 3 files changed, 14 insertions(+) + +diff --git a/drivers/ufs/core/ufs-sysfs.c b/drivers/ufs/core/ufs-sysfs.c +index f8397ef3cf8d..5d4f23bb6ab1 100644 +--- a/drivers/ufs/core/ufs-sysfs.c ++++ b/drivers/ufs/core/ufs-sysfs.c +@@ -426,6 +426,8 @@ static ssize_t pm_qos_enable_show(struct device *dev, + { + struct ufs_hba *hba = dev_get_drvdata(dev); + ++ guard(mutex)(&hba->pm_qos_mutex); ++ + return sysfs_emit(buf, "%d\n", hba->pm_qos_enabled); + } + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index c8c22b95c3ee..1d956ab2f508 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -1023,6 +1023,7 @@ EXPORT_SYMBOL_GPL(ufshcd_is_hba_active); + */ + void ufshcd_pm_qos_init(struct ufs_hba *hba) + { ++ guard(mutex)(&hba->pm_qos_mutex); + + if (hba->pm_qos_enabled) + return; +@@ -1039,6 +1040,8 @@ void ufshcd_pm_qos_init(struct ufs_hba *hba) + */ + void ufshcd_pm_qos_exit(struct ufs_hba *hba) + { ++ guard(mutex)(&hba->pm_qos_mutex); ++ + if (!hba->pm_qos_enabled) + return; + +@@ -1053,6 +1056,8 @@ void ufshcd_pm_qos_exit(struct ufs_hba *hba) + */ + static void ufshcd_pm_qos_update(struct ufs_hba *hba, bool on) + { ++ guard(mutex)(&hba->pm_qos_mutex); ++ + if (!hba->pm_qos_enabled) + return; + +@@ -10599,6 +10604,10 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) + mutex_init(&hba->ee_ctrl_mutex); + + mutex_init(&hba->wb_mutex); ++ ++ /* Initialize mutex for PM QoS request synchronization */ ++ mutex_init(&hba->pm_qos_mutex); ++ + init_rwsem(&hba->clk_scaling_lock); + + ufshcd_init_clk_gating(hba); +diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h +index bdc5564b16fb..143b83a8968c 100644 +--- a/include/ufs/ufshcd.h ++++ b/include/ufs/ufshcd.h +@@ -968,6 +968,7 @@ enum ufshcd_mcq_opr { + * @ufs_rtc_update_work: A work for UFS RTC periodic update + * @pm_qos_req: PM 
QoS request handle + * @pm_qos_enabled: flag to check if pm qos is enabled ++ * @pm_qos_mutex: synchronizes PM QoS request and status updates + */ + struct ufs_hba { + void __iomem *mmio_base; +@@ -1138,6 +1139,8 @@ struct ufs_hba { + struct delayed_work ufs_rtc_update_work; + struct pm_qos_request pm_qos_req; + bool pm_qos_enabled; ++ /* synchronizes PM QoS request and status updates */ ++ struct mutex pm_qos_mutex; + }; + + /** +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-40135.patch b/SPECS/kernel-rt/CVE-2025-40135.patch new file mode 100644 index 0000000000..b5abe69e31 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40135.patch 
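Review bot: ufshcd_pm_qos_update() now takes a sleeping lock through `guard(mutex)(&hba->pm_qos_mutex)`, and its callers are outside the hunks; the commit message shows it being reached from ufshcd_scale_clks(), so every path into it has to be process context. I would record that in the function's kernel-doc with a line such as `* Context: may sleep; takes hba->pm_qos_mutex.`, and the same line fits ufshcd_pm_qos_init() and ufshcd_pm_qos_exit(). The mutex is initialised in ufshcd_init(); that ufshcd_pm_qos_init() can only run after that point is presumably true but is not visible here.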
@@ -0,0 +1,107 @@ +From 18ea99d5d1722719ce866d5b0cf5dc64a73f5f33 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 28 Aug 2025 19:58:18 +0000 +Subject: [PATCH 10/15] ipv6: use RCU in ip6_xmit() + +Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent +possible UAF. + +Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20250828195823.3958522-4-edumazet@google.com +Signed-off-by: Jakub Kicinski +--- + net/ipv6/ip6_output.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index dca8b17bc713..19af5dbbddd1 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -269,35 +269,36 @@ bool ip6_autoflowlabel(struct net *net, const struct sock *sk) + int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, + __u32 mark, struct ipv6_txoptions *opt, int tclass, u32 priority) + { +- struct net *net = sock_net(sk); + const struct ipv6_pinfo *np = inet6_sk(sk); + struct in6_addr *first_hop = &fl6->daddr; + struct dst_entry *dst = skb_dst(skb); +- struct net_device *dev = dst->dev; + struct inet6_dev *idev = ip6_dst_idev(dst); + struct hop_jumbo_hdr *hop_jumbo; + int hoplen = sizeof(*hop_jumbo); ++ struct net *net = sock_net(sk); + unsigned int head_room; ++ struct net_device *dev; + struct ipv6hdr *hdr; + u8 proto = fl6->flowi6_proto; + int seg_len = skb->len; +- int hlimit = -1; ++ int ret, hlimit = -1; + u32 mtu; + ++ rcu_read_lock(); ++ ++ dev = dst_dev_rcu(dst); + head_room = sizeof(struct ipv6hdr) + hoplen + LL_RESERVED_SPACE(dev); + if (opt) + head_room += opt->opt_nflen + opt->opt_flen; + + if (unlikely(head_room > skb_headroom(skb))) { +- /* Make sure idev stays alive */ +- rcu_read_lock(); ++ /* idev stays alive while we hold rcu_read_lock(). 
*/ + skb = skb_expand_head(skb, head_room); + if (!skb) { + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); +- rcu_read_unlock(); +- return -ENOBUFS; ++ ret = -ENOBUFS; ++ goto unlock; + } +- rcu_read_unlock(); + } + + if (opt) { +@@ -359,17 +360,21 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, + * skb to its handler for processing + */ + skb = l3mdev_ip6_out((struct sock *)sk, skb); +- if (unlikely(!skb)) +- return 0; ++ if (unlikely(!skb)) { ++ ret = 0; ++ goto unlock; ++ } + + /* hooks should never assume socket lock is held. + * we promote our socket to non const + */ +- return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, +- net, (struct sock *)sk, skb, NULL, dev, +- dst_output); ++ ret = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, ++ net, (struct sock *)sk, skb, NULL, dev, ++ dst_output); ++ goto unlock; + } + ++ ret = -EMSGSIZE; + skb->dev = dev; + /* ipv6_local_error() does not require socket lock, + * we promote our socket to non const +@@ -378,7 +383,9 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, + + IP6_INC_STATS(net, idev, IPSTATS_MIB_FRAGFAILS); + kfree_skb(skb); +- return -EMSGSIZE; ++unlock: ++ rcu_read_unlock(); ++ return ret; + } + EXPORT_SYMBOL(ip6_xmit); + +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-40136.patch b/SPECS/kernel-rt/CVE-2025-40136.patch new file mode 100644 index 0000000000..defee0aa91 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40136.patch 
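Review bot: The rewritten comment in ip6_xmit() says idev stays alive because rcu_read_lock() is held, yet `idev` is still loaded by `ip6_dst_idev(dst)` in the declarations, before the new `rcu_read_lock()`. Moving the load next to the device lookup, `idev = ip6_dst_idev(dst);` directly after `dev = dst_dev_rcu(dst);`, would make the code match the comment. Whether the early load is actually harmful depends on what else pins idev for the lifetime of the dst, which the hunk does not show.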
@@ -0,0 +1,108 @@ +From a7f5eb8a773ffbc3009402171374f1e4c4f3265a Mon Sep 17 00:00:00 2001 +From: Weili Qian +Date: Thu, 21 Aug 2025 09:38:08 +0800 +Subject: [PATCH 09/15] crypto: hisilicon/qm - request reserved interrupt for + virtual function + +The device interrupt vector 3 is an error interrupt for +physical function and a reserved interrupt for virtual function. +However, the driver has not registered the reserved interrupt for +virtual function. When allocating interrupts, the number of interrupts +is allocated based on powers of two, which includes this interrupt. +When the system enables GICv4 and the virtual function passthrough +to the virtual machine, releasing the interrupt in the driver +triggers a warning. + +The WARNING report is: +WARNING: CPU: 62 PID: 14889 at arch/arm64/kvm/vgic/vgic-its.c:852 its_free_ite+0x94/0xb4 + +Therefore, register a reserved interrupt for VF and set the +IRQF_NO_AUTOEN flag to avoid that warning. + +Fixes: 3536cc55cada ("crypto: hisilicon/qm - support get device irq information from hardware registers") +Signed-off-by: Weili Qian +Signed-off-by: Chenghai Huang +Signed-off-by: Herbert Xu +--- + drivers/crypto/hisilicon/qm.c | 38 +++++++++++++++++++++++++++++------ + 1 file changed, 32 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c +index 711c29971368..678c81dc1070 100644 +--- a/drivers/crypto/hisilicon/qm.c ++++ b/drivers/crypto/hisilicon/qm.c +@@ -4587,6 +4587,15 @@ void hisi_qm_reset_done(struct pci_dev *pdev) + } + EXPORT_SYMBOL_GPL(hisi_qm_reset_done); + ++static irqreturn_t qm_rsvd_irq(int irq, void *data) ++{ ++ struct hisi_qm *qm = data; ++ ++ dev_info(&qm->pdev->dev, "Reserved interrupt, ignore!\n"); ++ ++ return IRQ_HANDLED; ++} ++ + static irqreturn_t qm_abnormal_irq(int irq, void *data) + { + struct hisi_qm *qm = data; +@@ -4871,7 +4880,7 @@ static void qm_unregister_abnormal_irq(struct hisi_qm *qm) + struct pci_dev *pdev = qm->pdev; + u32 irq_vector, 
val; + +- if (qm->fun_type == QM_HW_VF) ++ if (qm->fun_type == QM_HW_VF && qm->ver < QM_HW_V3) + return; + + val = qm->cap_tables.qm_cap_table[QM_ABN_IRQ_TYPE_CAP_IDX].cap_val; +@@ -4888,17 +4897,28 @@ static int qm_register_abnormal_irq(struct hisi_qm *qm) + u32 irq_vector, val; + int ret; + +- if (qm->fun_type == QM_HW_VF) +- return 0; +- + val = qm->cap_tables.qm_cap_table[QM_ABN_IRQ_TYPE_CAP_IDX].cap_val; + if (!((val >> QM_IRQ_TYPE_SHIFT) & QM_ABN_IRQ_TYPE_MASK)) + return 0; +- + irq_vector = val & QM_IRQ_VECTOR_MASK; ++ ++ /* For VF, this is a reserved interrupt in V3 version. */ ++ if (qm->fun_type == QM_HW_VF) { ++ if (qm->ver < QM_HW_V3) ++ return 0; ++ ++ ret = request_irq(pci_irq_vector(pdev, irq_vector), qm_rsvd_irq, ++ IRQF_NO_AUTOEN, qm->dev_name, qm); ++ if (ret) { ++ dev_err(&pdev->dev, "failed to request reserved irq, ret = %d!\n", ret); ++ return ret; ++ } ++ return 0; ++ } ++ + ret = request_irq(pci_irq_vector(pdev, irq_vector), qm_abnormal_irq, 0, qm->dev_name, qm); + if (ret) +- dev_err(&qm->pdev->dev, "failed to request abnormal irq, ret = %d", ret); ++ dev_err(&qm->pdev->dev, "failed to request abnormal irq, ret = %d!\n", ret); + + return ret; + } +@@ -5237,6 +5257,12 @@ static int hisi_qm_pci_init(struct hisi_qm *qm) + pci_set_master(pdev); + + num_vec = qm_get_irq_num(qm); ++ if (!num_vec) { ++ dev_err(dev, "Device irq num is zero!\n"); ++ ret = -EINVAL; ++ goto err_get_pci_res; ++ } ++ num_vec = roundup_pow_of_two(num_vec); + ret = pci_alloc_irq_vectors(pdev, num_vec, num_vec, PCI_IRQ_MSI); + if (ret < 0) { + dev_err(dev, "Failed to enable MSI vectors!\n"); +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-40139.patch b/SPECS/kernel-rt/CVE-2025-40139.patch new file mode 100644 index 0000000000..1f326702ba --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40139.patch 
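Review bot: qm_rsvd_irq() logs with `dev_info()` on every invocation, so if the reserved vector ever fires repeatedly the handler writes an unbounded stream of messages from interrupt context. The line is requested with IRQF_NO_AUTOEN, so this presumably needs something to enable it first, but the handler should not rely on that. `dev_info_ratelimited(&qm->pdev->dev, "Reserved interrupt, ignore!\n");` keeps the diagnostic while bounding the output.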
@@ -0,0 +1,72 @@ +From a10f5084ae6b59513e20205b9c83bceae3141ba7 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Tue, 16 Sep 2025 21:47:21 +0000 +Subject: [PATCH 08/15] smc: Use __sk_dst_get() and dst_dev_rcu() in + smc_clc_prfx_match(). + +smc_clc_prfx_match() is called from smc_listen_work() and +not under RCU nor RTNL. + +Using sk_dst_get(sk)->dev could trigger UAF. + +Let's use __sk_dst_get() and dst_dev_rcu(). + +Note that the returned value of smc_clc_prfx_match() is not +used in the caller. + +Fixes: a046d57da19f ("smc: CLC handshake (incl. preparation steps)") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250916214758.650211-4-kuniyu@google.com +Signed-off-by: Jakub Kicinski +--- + net/smc/smc_clc.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index c5d11ec59c36..72ed84ab31fc 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -657,26 +657,26 @@ static int smc_clc_prfx_match6_rcu(struct net_device *dev, + int smc_clc_prfx_match(struct socket *clcsock, + struct smc_clc_msg_proposal_prefix *prop) + { +- struct dst_entry *dst = sk_dst_get(clcsock->sk); ++ struct net_device *dev; ++ struct dst_entry *dst; + int rc; + +- if (!dst) { +- rc = -ENOTCONN; +- goto out; +- } +- if (!dst->dev) { ++ rcu_read_lock(); ++ ++ dst = __sk_dst_get(clcsock->sk); ++ dev = dst ? dst_dev_rcu(dst) : NULL; ++ if (!dev) { + rc = -ENODEV; +- goto out_rel; ++ goto out; + } +- rcu_read_lock(); ++ + if (!prop->ipv6_prefixes_cnt) +- rc = smc_clc_prfx_match4_rcu(dst->dev, prop); ++ rc = smc_clc_prfx_match4_rcu(dev, prop); + else +- rc = smc_clc_prfx_match6_rcu(dst->dev, prop); +- rcu_read_unlock(); +-out_rel: +- dst_release(dst); ++ rc = smc_clc_prfx_match6_rcu(dev, prop); + out: ++ rcu_read_unlock(); ++ + return rc; + } + +-- +2.43.0 + 
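Review bot: `dst_dev_rcu()` is called in the new body of `smc_clc_prfx_match()`, but no patch visible in this change defines it, so the build depends on the 6.12.59 base tree already carrying that helper. The same applies to the `dst_dev_rcu()` calls in CVE-2025-40149.patch, CVE-2025-40158.patch, CVE-2025-40168.patch and CVE-2025-40170.patch, and to `dst_dev_net_rcu()` in the `include/net/route.h` hunk of CVE-2025-40170.patch. It is worth confirming against the unpacked tarball that both helpers exist, and if they do not, adding the prerequisite patch ahead of these in the spec.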
diff --git a/SPECS/kernel-rt/CVE-2025-40147.patch b/SPECS/kernel-rt/CVE-2025-40147.patch new file mode 100644 index 0000000000..e9ae5a45bf --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40147.patch 
@@ -0,0 +1,167 @@ +From 6e5d21332473d9bee31d402b0f2435514fe66a4f Mon Sep 17 00:00:00 2001 +From: Han Guangjiang +Date: Fri, 5 Sep 2025 18:24:11 +0800 +Subject: [PATCH 07/15] blk-throttle: fix access race during throttle policy + activation + +On repeated cold boots we occasionally hit a NULL pointer crash in +blk_should_throtl() when throttling is consulted before the throttle +policy is fully enabled for the queue. Checking only q->td != NULL is +insufficient during early initialization, so blkg_to_pd() for the +throttle policy can still return NULL and blkg_to_tg() becomes NULL, +which later gets dereferenced. + + Unable to handle kernel NULL pointer dereference + at virtual address 0000000000000156 + ... + pc : submit_bio_noacct+0x14c/0x4c8 + lr : submit_bio_noacct+0x48/0x4c8 + sp : ffff800087f0b690 + x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0 + x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70 + x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000 + x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff + x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff + x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c + x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60 + x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002 + x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500 + x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a + Call trace: + submit_bio_noacct+0x14c/0x4c8 + verity_map+0x178/0x2c8 + __map_bio+0x228/0x250 + dm_submit_bio+0x1c4/0x678 + __submit_bio+0x170/0x230 + submit_bio_noacct_nocheck+0x16c/0x388 + submit_bio_noacct+0x16c/0x4c8 + submit_bio+0xb4/0x210 + f2fs_submit_read_bio+0x4c/0xf0 + f2fs_mpage_readpages+0x3b0/0x5f0 + f2fs_readahead+0x90/0xe8 + +Tighten blk_throtl_activated() to also require that the throttle policy +bit is set on the queue: + + return q->td != NULL && + 
test_bit(blkcg_policy_throtl.plid, q->blkcg_pols); + +This prevents blk_should_throtl() from accessing throttle group state +until policy data has been attached to blkgs. + +Fixes: a3166c51702b ("blk-throttle: delay initialization until configuration") +Co-developed-by: Liang Jie +Signed-off-by: Liang Jie +Signed-off-by: Han Guangjiang +Reviewed-by: Yu Kuai +Signed-off-by: Jens Axboe +--- + block/blk-cgroup.c | 6 ------ + block/blk-cgroup.h | 6 ++++++ + block/blk-throttle.c | 6 +----- + block/blk-throttle.h | 18 +++++++++++------- + 4 files changed, 18 insertions(+), 18 deletions(-) + +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index 5a5525d10a5e..3f7cb9d891aa 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -110,12 +110,6 @@ static struct cgroup_subsys_state *blkcg_css(void) + return task_css(current, io_cgrp_id); + } + +-static bool blkcg_policy_enabled(struct request_queue *q, +- const struct blkcg_policy *pol) +-{ +- return pol && test_bit(pol->plid, q->blkcg_pols); +-} +- + static void blkg_free_workfn(struct work_struct *work) + { + struct blkcg_gq *blkg = container_of(work, struct blkcg_gq, +diff --git a/block/blk-cgroup.h b/block/blk-cgroup.h +index b9e3265c1eb3..112bf11d0fad 100644 +--- a/block/blk-cgroup.h ++++ b/block/blk-cgroup.h +@@ -455,6 +455,12 @@ static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio) + bio_issue_as_root_blkg(rq->bio) == bio_issue_as_root_blkg(bio); + } + ++static inline bool blkcg_policy_enabled(struct request_queue *q, ++ const struct blkcg_policy *pol) ++{ ++ return pol && test_bit(pol->plid, q->blkcg_pols); ++} ++ + void blk_cgroup_bio_start(struct bio *bio); + void blkcg_add_delay(struct blkcg_gq *blkg, u64 now, u64 delta); + #else /* CONFIG_BLK_CGROUP */ +diff --git a/block/blk-throttle.c b/block/blk-throttle.c +index 6b82fcbd7e77..38aec65be43b 100644 +--- a/block/blk-throttle.c ++++ b/block/blk-throttle.c +@@ -1211,17 +1211,13 @@ static int blk_throtl_init(struct gendisk *disk) + 
INIT_WORK(&td->dispatch_work, blk_throtl_dispatch_work_fn); + throtl_service_queue_init(&td->service_queue); + +- /* +- * Freeze queue before activating policy, to synchronize with IO path, +- * which is protected by 'q_usage_counter'. +- */ + blk_mq_freeze_queue(disk->queue); + blk_mq_quiesce_queue(disk->queue); + + q->td = td; + td->queue = q; + +- /* activate policy */ ++ /* activate policy, blk_throtl_activated() will return true */ + ret = blkcg_activate_policy(disk, &blkcg_policy_throtl); + if (ret) { + q->td = NULL; +diff --git a/block/blk-throttle.h b/block/blk-throttle.h +index 1a36d1278eea..e1b5343cd43f 100644 +--- a/block/blk-throttle.h ++++ b/block/blk-throttle.h +@@ -154,7 +154,13 @@ void blk_throtl_cancel_bios(struct gendisk *disk); + + static inline bool blk_throtl_activated(struct request_queue *q) + { +- return q->td != NULL; ++ /* ++ * q->td guarantees that the blk-throttle module is already loaded, ++ * and the plid of blk-throttle is assigned. ++ * blkcg_policy_enabled() guarantees that the policy is activated ++ * in the request_queue. ++ */ ++ return q->td != NULL && blkcg_policy_enabled(q, &blkcg_policy_throtl); + } + + static inline bool blk_should_throtl(struct bio *bio) +@@ -162,11 +168,6 @@ static inline bool blk_should_throtl(struct bio *bio) + struct throtl_grp *tg; + int rw = bio_data_dir(bio); + +- /* +- * This is called under bio_queue_enter(), and it's synchronized with +- * the activation of blk-throtl, which is protected by +- * blk_mq_freeze_queue(). +- */ + if (!blk_throtl_activated(bio->bi_bdev->bd_queue)) + return false; + +@@ -192,7 +193,10 @@ static inline bool blk_should_throtl(struct bio *bio) + + static inline bool blk_throtl_bio(struct bio *bio) + { +- ++ /* ++ * block throttling takes effect if the policy is activated ++ * in the bio's request_queue. ++ */ + if (!blk_should_throtl(bio)) + return false; + +-- +2.43.0 + 
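Review bot: The `blk_throtl_init()` hunk deletes the comment explaining why the queue is frozen before policy activation, while the `blk_mq_freeze_queue()` and `blk_mq_quiesce_queue()` calls stay, so the reason for the freeze is no longer recorded next to it. I would keep a short comment there, for example `/* Freeze queue before activating policy, to synchronize with the IO path. */`. Likewise, the new comment in `blk_throtl_activated()` says what `q->td` and the policy bit each guarantee but not what orders those two reads against `blk_throtl_init()`; presumably that is still the freeze, and saying so would help the next reader. The body of `blk_throtl_init()` continues outside the hunk.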
diff --git a/SPECS/kernel-rt/CVE-2025-40149.patch b/SPECS/kernel-rt/CVE-2025-40149.patch new file mode 100644 index 0000000000..ad146854d5 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40149.patch 
@@ -0,0 +1,61 @@ +From 1a26f422f57cca0823041c8e535aed7551b5a1b1 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Tue, 16 Sep 2025 21:47:23 +0000 +Subject: [PATCH 06/15] tls: Use __sk_dst_get() and dst_dev_rcu() in + get_netdev_for_sock(). + +get_netdev_for_sock() is called during setsockopt(), +so not under RCU. + +Using sk_dst_get(sk)->dev could trigger UAF. + +Let's use __sk_dst_get() and dst_dev_rcu(). + +Note that the only ->ndo_sk_get_lower_dev() user is +bond_sk_get_lower_dev(), which uses RCU. + +Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Reviewed-by: Sabrina Dubroca +Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com +Signed-off-by: Jakub Kicinski +--- + net/tls/tls_device.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index dc063c2c7950..62e6b62559e2 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -123,17 +123,19 @@ static void tls_device_queue_ctx_destruction(struct tls_context *ctx) + /* We assume that the socket is already connected */ + static struct net_device *get_netdev_for_sock(struct sock *sk) + { +- struct dst_entry *dst = sk_dst_get(sk); +- struct net_device *netdev = NULL; ++ struct net_device *dev, *lowest_dev = NULL; ++ struct dst_entry *dst; + +- if (likely(dst)) { +- netdev = netdev_sk_get_lowest_dev(dst->dev, sk); +- dev_hold(netdev); ++ rcu_read_lock(); ++ dst = __sk_dst_get(sk); ++ dev = dst ? dst_dev_rcu(dst) : NULL; ++ if (likely(dev)) { ++ lowest_dev = netdev_sk_get_lowest_dev(dev, sk); ++ dev_hold(lowest_dev); + } ++ rcu_read_unlock(); + +- dst_release(dst); +- +- return netdev; ++ return lowest_dev; + } + + static void destroy_record(struct tls_record_info *record) +-- +2.43.0 + 
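Review bot: `get_netdev_for_sock()` has no comment stating its return contract, and the rewrite makes that contract less obvious. It returns `lowest_dev` with a reference taken by `dev_hold()` inside the RCU section, or NULL when the socket has no dst or the dst has no device. I would extend the existing one-line comment to say so, for example `/* Returns the lowest device with a reference held (caller must dev_put()), or NULL. */`. The callers are outside this hunk, so it is worth checking that each one handles NULL and drops the reference.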
diff --git a/SPECS/kernel-rt/CVE-2025-40158.patch b/SPECS/kernel-rt/CVE-2025-40158.patch new file mode 100644 index 0000000000..f6b64288db --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40158.patch 
@@ -0,0 +1,114 @@ +From 675f47b6f5b933d55746c0c5cbf5db0316946ece Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 28 Aug 2025 19:58:19 +0000 +Subject: [PATCH 05/15] ipv6: use RCU in ip6_output() + +Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent +possible UAF. + +We can remove rcu_read_lock()/rcu_read_unlock() pairs +from ip6_finish_output2(). + +Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20250828195823.3958522-5-edumazet@google.com +Signed-off-by: Jakub Kicinski +--- + net/ipv6/ip6_output.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index f0e5431c2d46..dca8b17bc713 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -60,7 +60,7 @@ + static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb) + { + struct dst_entry *dst = skb_dst(skb); +- struct net_device *dev = dst->dev; ++ struct net_device *dev = dst_dev_rcu(dst); + struct inet6_dev *idev = ip6_dst_idev(dst); + unsigned int hh_len = LL_RESERVED_SPACE(dev); + const struct in6_addr *daddr, *nexthop; +@@ -70,15 +70,12 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * + + /* Be paranoid, rather than too clever. */ + if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) { +- /* Make sure idev stays alive */ +- rcu_read_lock(); ++ /* idev stays alive because we hold rcu_read_lock(). 
*/ + skb = skb_expand_head(skb, hh_len); + if (!skb) { + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); +- rcu_read_unlock(); + return -ENOMEM; + } +- rcu_read_unlock(); + } + + hdr = ipv6_hdr(skb); +@@ -123,7 +120,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * + + IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len); + +- rcu_read_lock(); + nexthop = rt6_nexthop(dst_rt6_info(dst), daddr); + neigh = __ipv6_neigh_lookup_noref(dev, nexthop); + +@@ -131,7 +127,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * + if (unlikely(!neigh)) + neigh = __neigh_create(&nd_tbl, nexthop, dev, false); + if (IS_ERR(neigh)) { +- rcu_read_unlock(); + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTNOROUTES); + kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_CREATEFAIL); + return -EINVAL; +@@ -139,7 +134,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * + } + sock_confirm_neigh(skb, neigh); + ret = neigh_output(neigh, skb, false); +- rcu_read_unlock(); + return ret; + } + +@@ -232,22 +226,30 @@ static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *s + + int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) + { +- struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev; +- struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); ++ struct dst_entry *dst = skb_dst(skb); ++ struct net_device *dev, *indev = skb->dev; ++ struct inet6_dev *idev; ++ int ret; + + skb->protocol = htons(ETH_P_IPV6); ++ rcu_read_lock(); ++ dev = dst_dev_rcu(dst); ++ idev = ip6_dst_idev(dst); + skb->dev = dev; + + if (unlikely(!idev || READ_ONCE(idev->cnf.disable_ipv6))) { + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); ++ rcu_read_unlock(); + kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED); + return 0; + } + +- return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, +- net, sk, skb, indev, dev, +- ip6_finish_output, +- !(IP6CB(skb)->flags & IP6SKB_REROUTED)); 
++ ret = NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, ++ net, sk, skb, indev, dev, ++ ip6_finish_output, ++ !(IP6CB(skb)->flags & IP6SKB_REROUTED)); ++ rcu_read_unlock(); ++ return ret; + } + EXPORT_SYMBOL(ip6_output); + +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-40164.patch b/SPECS/kernel-rt/CVE-2025-40164.patch new file mode 100644 index 0000000000..ebde4eed72 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40164.patch 
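Review bot: `ip6_finish_output2()` now depends on its caller holding `rcu_read_lock()`, yet the only place this patch takes the lock is `ip6_output()`. The function calls `dst_dev_rcu(dst)` and does the neighbour lookup with all of its own lock/unlock pairs removed, and the requirement is recorded only in the inline comment about `idev`. I would state it at the top of the function, `/* Caller must hold rcu_read_lock(). */`, or assert it with `RCU_LOCKDEP_WARN(!rcu_read_lock_held(), "ip6_finish_output2() without RCU");`. Parts of `ip6_finish_output2()` and every other path that reaches it through `ip6_finish_output()` are outside the hunk, so those paths should be confirmed to run inside an RCU read-side section.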
@@ -0,0 +1,72 @@ +From 741d90c0ea551686d62fbe567448d37d8d100535 Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Sat, 11 Oct 2025 15:05:18 +0800 +Subject: [PATCH 04/15] usbnet: Fix using smp_processor_id() in preemptible + code warnings + +Syzbot reported the following warning: + +BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 +caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 +CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 + check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49 + usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 + usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708 + usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417 + __dev_set_mtu net/core/dev.c:9443 [inline] + netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496 + netif_set_mtu+0xb0/0x160 net/core/dev.c:9520 + dev_set_mtu+0xae/0x170 net/core/dev_api.c:247 + dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572 + dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821 + sock_do_ioctl+0x19d/0x280 net/socket.c:1204 + sock_ioctl+0x42f/0x6a0 net/socket.c:1311 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:906 [inline] + __se_sys_ioctl fs/ioctl.c:892 [inline] + __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +For historical and portability reasons, the netif_rx() is usually +run in the softirq or interrupt context, this commit therefore add +local_bh_disable/enable() protection in the usbnet_resume_rx(). 
+ +Fixes: 43daa96b166c ("usbnet: Stop RX Q on MTU change") +Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1 +Suggested-by: Jakub Kicinski +Signed-off-by: Zqiang +Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev +Signed-off-by: Paolo Abeni +--- + drivers/net/usb/usbnet.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 0ff7357c3c91..f1f61d85d949 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -702,6 +702,7 @@ void usbnet_resume_rx(struct usbnet *dev) + struct sk_buff *skb; + int num = 0; + ++ local_bh_disable(); + clear_bit(EVENT_RX_PAUSED, &dev->flags); + + while ((skb = skb_dequeue(&dev->rxq_pause)) != NULL) { +@@ -710,6 +711,7 @@ void usbnet_resume_rx(struct usbnet *dev) + } + + tasklet_schedule(&dev->bh); ++ local_bh_enable(); + + netif_dbg(dev, rx_status, dev->net, + "paused rx queue disabled, %d skbs requeued\n", num); +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-40168.patch b/SPECS/kernel-rt/CVE-2025-40168.patch new file mode 100644 index 0000000000..6365f85725 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40168.patch 
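Review bot: The `local_bh_disable()`/`local_bh_enable()` pair added to `usbnet_resume_rx()` has no comment, so nothing at the call site says what it protects. The reason is only in the commit message: the requeue loop reaches `usbnet_skb_return()`, which per the reported trace uses `smp_processor_id()` and must not run preemptible. A one-line comment above `local_bh_disable()` would keep the pair from being dropped in a later cleanup: `/* usbnet_skb_return() -> netif_rx() expects BH to be disabled */`. The loop body is not shown in the hunk's context lines.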
@@ -0,0 +1,124 @@ +From 0187287149b8c75e4806b96eac773265b314791e Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Tue, 16 Sep 2025 21:47:20 +0000 +Subject: [PATCH 01/15] smc: Use __sk_dst_get() and dst_dev_rcu() in in + smc_clc_prfx_set(). + +smc_clc_prfx_set() is called during connect() and not under RCU +nor RTNL. + +Using sk_dst_get(sk)->dev could trigger UAF. + +Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock() +after kernel_getsockname(). + +Note that the returned value of smc_clc_prfx_set() is not used +in the caller. + +While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() +not to touch dst there. + +Fixes: a046d57da19f ("smc: CLC handshake (incl. preparation steps)") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250916214758.650211-3-kuniyu@google.com +Signed-off-by: Jakub Kicinski +--- + net/smc/smc_clc.c | 41 ++++++++++++++++++++++------------------- + 1 file changed, 22 insertions(+), 19 deletions(-) + +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index b3a8053d4ab4..c5d11ec59c36 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -509,10 +509,10 @@ static bool smc_clc_msg_hdr_valid(struct smc_clc_msg_hdr *clcm, bool check_trl) + } + + /* find ipv4 addr on device and get the prefix len, fill CLC proposal msg */ +-static int smc_clc_prfx_set4_rcu(struct dst_entry *dst, __be32 ipv4, ++static int smc_clc_prfx_set4_rcu(struct net_device *dev, __be32 ipv4, + struct smc_clc_msg_proposal_prefix *prop) + { +- struct in_device *in_dev = __in_dev_get_rcu(dst->dev); ++ struct in_device *in_dev = __in_dev_get_rcu(dev); + const struct in_ifaddr *ifa; + + if (!in_dev) +@@ -530,12 +530,12 @@ static int smc_clc_prfx_set4_rcu(struct dst_entry *dst, __be32 ipv4, + } + + /* fill CLC proposal msg with ipv6 prefixes from device */ +-static int smc_clc_prfx_set6_rcu(struct dst_entry *dst, ++static int smc_clc_prfx_set6_rcu(struct net_device *dev, + struct 
smc_clc_msg_proposal_prefix *prop, + struct smc_clc_ipv6_prefix *ipv6_prfx) + { + #if IS_ENABLED(CONFIG_IPV6) +- struct inet6_dev *in6_dev = __in6_dev_get(dst->dev); ++ struct inet6_dev *in6_dev = __in6_dev_get(dev); + struct inet6_ifaddr *ifa; + int cnt = 0; + +@@ -564,41 +564,44 @@ static int smc_clc_prfx_set(struct socket *clcsock, + struct smc_clc_msg_proposal_prefix *prop, + struct smc_clc_ipv6_prefix *ipv6_prfx) + { +- struct dst_entry *dst = sk_dst_get(clcsock->sk); + struct sockaddr_storage addrs; + struct sockaddr_in6 *addr6; + struct sockaddr_in *addr; ++ struct net_device *dev; ++ struct dst_entry *dst; + int rc = -ENOENT; + +- if (!dst) { +- rc = -ENOTCONN; +- goto out; +- } +- if (!dst->dev) { +- rc = -ENODEV; +- goto out_rel; +- } + /* get address to which the internal TCP socket is bound */ + if (kernel_getsockname(clcsock, (struct sockaddr *)&addrs) < 0) +- goto out_rel; ++ goto out; ++ + /* analyze IP specific data of net_device belonging to TCP socket */ + addr6 = (struct sockaddr_in6 *)&addrs; ++ + rcu_read_lock(); ++ ++ dst = __sk_dst_get(clcsock->sk); ++ dev = dst ? dst_dev_rcu(dst) : NULL; ++ if (!dev) { ++ rc = -ENODEV; ++ goto out_unlock; ++ } ++ + if (addrs.ss_family == PF_INET) { + /* IPv4 */ + addr = (struct sockaddr_in *)&addrs; +- rc = smc_clc_prfx_set4_rcu(dst, addr->sin_addr.s_addr, prop); ++ rc = smc_clc_prfx_set4_rcu(dev, addr->sin_addr.s_addr, prop); + } else if (ipv6_addr_v4mapped(&addr6->sin6_addr)) { + /* mapped IPv4 address - peer is IPv4 only */ +- rc = smc_clc_prfx_set4_rcu(dst, addr6->sin6_addr.s6_addr32[3], ++ rc = smc_clc_prfx_set4_rcu(dev, addr6->sin6_addr.s6_addr32[3], + prop); + } else { + /* IPv6 */ +- rc = smc_clc_prfx_set6_rcu(dst, prop, ipv6_prfx); ++ rc = smc_clc_prfx_set6_rcu(dev, prop, ipv6_prfx); + } ++ ++out_unlock: + rcu_read_unlock(); +-out_rel: +- dst_release(dst); + out: + return rc; + } +-- +2.43.0 + 
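Review bot: This patch has to be applied before CVE-2025-40139.patch, which is the opposite of the order the two file names sort in. Both change `net/smc/smc_clc.c`, and the blob ids show the dependency: this one takes the file from `b3a8053d4ab4` to `c5d11ec59c36`, and CVE-2025-40139.patch starts from `c5d11ec59c36`. The `Patch` entries in kernel-rt.spec are not fully visible in this view, so it is worth checking that they list 40168 ahead of 40139; the `[PATCH 01/15]` and `[PATCH 08/15]` subjects give the intended order.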
diff --git a/SPECS/kernel-rt/CVE-2025-40170.patch b/SPECS/kernel-rt/CVE-2025-40170.patch new file mode 100644 index 0000000000..84d3449594 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-40170.patch 
@@ -0,0 +1,138 @@ +From 9fd9125f380d8004b8418915725a459518c8501b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 28 Aug 2025 19:58:20 +0000 +Subject: [PATCH 02/15] net: use dst_dev_rcu() in sk_setup_caps() + +Use RCU to protect accesses to dst->dev from sk_setup_caps() +and sk_dst_gso_max_size(). + +Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), +and ip_dst_mtu_maybe_forward(). + +ip4_dst_hoplimit() can use dst_dev_net_rcu(). + +Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20250828195823.3958522-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +--- + include/net/ip.h | 6 ++++-- + include/net/ip6_route.h | 2 +- + include/net/route.h | 2 +- + net/core/sock.c | 16 ++++++++++------ + 4 files changed, 16 insertions(+), 10 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index 5f0f1215d2f9..c65ca2765e29 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -470,12 +470,14 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst, + bool forwarding) + { + const struct rtable *rt = dst_rtable(dst); ++ const struct net_device *dev; + unsigned int mtu, res; + struct net *net; + + rcu_read_lock(); + +- net = dev_net_rcu(dst_dev(dst)); ++ dev = dst_dev_rcu(dst); ++ net = dev_net_rcu(dev); + if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) || + ip_mtu_locked(dst) || + !forwarding) { +@@ -489,7 +491,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst, + if (mtu) + goto out; + +- mtu = READ_ONCE(dst_dev(dst)->mtu); ++ mtu = READ_ONCE(dev->mtu); + + if (unlikely(ip_mtu_locked(dst))) { + if (rt->rt_uses_gateway && mtu > 576) +diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h +index 6dbdf60b342f..ede44cde7fe5 100644 +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -337,7 +337,7 @@ static inline unsigned int ip6_dst_mtu_maybe_forward(const struct 
dst_entry *dst + + mtu = IPV6_MIN_MTU; + rcu_read_lock(); +- idev = __in6_dev_get(dst->dev); ++ idev = __in6_dev_get(dst_dev_rcu(dst)); + if (idev) + mtu = READ_ONCE(idev->cnf.mtu6); + rcu_read_unlock(); +diff --git a/include/net/route.h b/include/net/route.h +index 232b7bf55ba2..cbb4d5523062 100644 +--- a/include/net/route.h ++++ b/include/net/route.h +@@ -369,7 +369,7 @@ static inline int ip4_dst_hoplimit(const struct dst_entry *dst) + const struct net *net; + + rcu_read_lock(); +- net = dev_net_rcu(dst_dev(dst)); ++ net = dst_dev_net_rcu(dst); + hoplimit = READ_ONCE(net->ipv4.sysctl_ip_default_ttl); + rcu_read_unlock(); + } +diff --git a/net/core/sock.c b/net/core/sock.c +index 1781f3a642b4..97cc796a1d33 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2524,7 +2524,7 @@ void sk_free_unlock_clone(struct sock *sk) + } + EXPORT_SYMBOL_GPL(sk_free_unlock_clone); + +-static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst) ++static u32 sk_dst_gso_max_size(struct sock *sk, const struct net_device *dev) + { + bool is_ipv6 = false; + u32 max_size; +@@ -2534,8 +2534,8 @@ static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst) + !ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr)); + #endif + /* pairs with the WRITE_ONCE() in netif_set_gso(_ipv4)_max_size() */ +- max_size = is_ipv6 ? READ_ONCE(dst_dev(dst)->gso_max_size) : +- READ_ONCE(dst_dev(dst)->gso_ipv4_max_size); ++ max_size = is_ipv6 ? 
READ_ONCE(dev->gso_max_size) : ++ READ_ONCE(dev->gso_ipv4_max_size); + if (max_size > GSO_LEGACY_MAX_SIZE && !sk_is_tcp(sk)) + max_size = GSO_LEGACY_MAX_SIZE; + +@@ -2544,9 +2544,12 @@ static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst) + + void sk_setup_caps(struct sock *sk, struct dst_entry *dst) + { ++ const struct net_device *dev; + u32 max_segs = 1; + +- sk->sk_route_caps = dst_dev(dst)->features; ++ rcu_read_lock(); ++ dev = dst_dev_rcu(dst); ++ sk->sk_route_caps = dev->features; + if (sk_is_tcp(sk)) { + struct inet_connection_sock *icsk = inet_csk(sk); + +@@ -2562,13 +2565,14 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst) + sk->sk_route_caps &= ~NETIF_F_GSO_MASK; + } else { + sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM; +- sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst); ++ sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dev); + /* pairs with the WRITE_ONCE() in netif_set_gso_max_segs() */ +- max_segs = max_t(u32, READ_ONCE(dst_dev(dst)->gso_max_segs), 1); ++ max_segs = max_t(u32, READ_ONCE(dev->gso_max_segs), 1); + } + } + sk->sk_gso_max_segs = max_segs; + sk_dst_set(sk, dst); ++ rcu_read_unlock(); + } + EXPORT_SYMBOL_GPL(sk_setup_caps); + +-- +2.43.0 + diff --git a/SPECS/kernel-rt/config b/SPECS/kernel-rt/config index f9eec2dec5..d710991fc8 100644 --- a/SPECS/kernel-rt/config +++ b/SPECS/kernel-rt/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 6.12.12 Kernel Configuration +# Linux/x86_64 6.12.59 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y @@ -4225,6 +4225,8 @@ CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y # CONFIG_DVB_AS102 is not set # CONFIG_DVB_B2C2_FLEXCOP_USB is not set # CONFIG_DVB_USB_V2 is not set +CONFIG_DVB_USB=m +CONFIG_DVB_USB_DW2102=m # CONFIG_SMS_USB_DRV is not set # CONFIG_DVB_TTUSB_BUDGET is not set # CONFIG_DVB_TTUSB_DEC is not set 
@@ -5709,7 +5711,8 @@ CONFIG_I2C_HID=m # # Intel ISH HID support # -# CONFIG_INTEL_ISH_HID is not set +CONFIG_INTEL_ISH_HID=m +CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER=m # end of Intel ISH HID support # @@ -5721,7 +5724,7 @@ CONFIG_I2C_HID=m CONFIG_USB_OHCI_LITTLE_ENDIAN=y CONFIG_USB_SUPPORT=y CONFIG_USB_COMMON=y -# CONFIG_USB_LED_TRIG is not set +CONFIG_USB_LED_TRIG=m # CONFIG_USB_ULPI_BUS is not set # CONFIG_USB_CONN_GPIO is not set CONFIG_USB_ARCH_HAS_HCD=y @@ -5817,12 +5820,18 @@ CONFIG_USBIP_HOST=m # # USB dual-mode controller drivers # -# CONFIG_USB_CDNS_SUPPORT is not set -# CONFIG_USB_MUSB_HDRC is not set -# CONFIG_USB_DWC3 is not set -# CONFIG_USB_DWC2 is not set -# CONFIG_USB_CHIPIDEA is not set -# CONFIG_USB_ISP1760 is not set +CONFIG_USB_CDNS_SUPPORT=m +CONFIG_USB_MUSB_HDRC=m +CONFIG_USB_DWC3=m +CONFIG_USB_DWC3_ULPI=y +CONFIG_USB_DWC2=y +CONFIG_USB_CHIPIDEA=m +CONFIG_USB_DWC3_DUAL_ROLE=y +CONFIG_USB_DWC3_PCI=m +CONFIG_USB_DWC3_HAPS=m +CONFIG_USB_DWC2_HOST=y +CONFIG_USB_DWC2_PCI=m +CONFIG_USB_ISP1760=m # # USB port drivers 
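Review bot: These config hunks enable a good deal of new kernel code that is reachable from external hardware, and nothing next to them says why. They add `CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER=m` and the dual-role controllers (`CONFIG_USB_DWC3_DUAL_ROLE=y`, `CONFIG_USB_DWC2=y`, MUSB, ChipIdea, CDNS, ISP1760), and the next hunks add Type-C/UCSI and every USB gadget function. Each is extra driver and parser surface facing a USB host or port partner, so I would enable only the controllers and functions the target boards need, leave the rest as `is not set`, and record the reason in the kernel-rt changelog entry. `CONFIG_USB_DWC2=y` is also built in while its sibling controllers are modules; if that is intentional, a note would help.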
@@ -5920,13 +5929,63 @@ CONFIG_USB_SERIAL_OPTION=m # end of USB Physical Layer drivers CONFIG_USB_GADGET=m -# CONFIG_TYPEC is not set +CONFIG_TYPEC=m +CONFIG_TYPEC_UCSI=m +CONFIG_UCSI_ACPI=m # CONFIG_USB_ROLE_SWITCH is not set +CONFIG_USB_MASS_STORAGE=m +CONFIG_USB_LIBCOMPOSITE=m CONFIG_MMC=m CONFIG_MMC_BLOCK=m CONFIG_MMC_BLOCK_MINORS=16 # CONFIG_SDIO_UART is not set # CONFIG_MMC_TEST is not set +CONFIG_USB_F_ACM=m +CONFIG_USB_F_SS_LB=m +CONFIG_USB_U_SERIAL=m +CONFIG_USB_U_ETHER=m +CONFIG_USB_U_AUDIO=m +CONFIG_USB_F_SERIAL=m +CONFIG_USB_F_OBEX=m +CONFIG_USB_F_NCM=m +CONFIG_USB_F_ECM=m +CONFIG_USB_F_PHONET=m +CONFIG_USB_F_EEM=m +CONFIG_USB_F_SUBSET=m +CONFIG_USB_F_RNDIS=m +CONFIG_USB_F_MASS_STORAGE=m +CONFIG_USB_F_FS=m +CONFIG_USB_F_UAC1=m +CONFIG_USB_F_UAC1_LEGACY=m +CONFIG_USB_F_UAC2=m +CONFIG_USB_F_UVC=m +CONFIG_USB_F_MIDI=m +CONFIG_USB_F_MIDI2=m +CONFIG_USB_F_HID=m +CONFIG_USB_F_PRINTER=m +CONFIG_USB_F_TCM=m +CONFIG_USB_CONFIGFS=m +CONFIG_USB_CONFIGFS_SERIAL=y +CONFIG_USB_CONFIGFS_ACM=y +CONFIG_USB_CONFIGFS_OBEX=y +CONFIG_USB_CONFIGFS_NCM=y +CONFIG_USB_CONFIGFS_ECM=y +CONFIG_USB_CONFIGFS_ECM_SUBSET=y +CONFIG_USB_CONFIGFS_RNDIS=y +CONFIG_USB_CONFIGFS_EEM=y +CONFIG_USB_CONFIGFS_PHONET=y +CONFIG_USB_CONFIGFS_MASS_STORAGE=y +CONFIG_USB_CONFIGFS_F_LB_SS=y +CONFIG_USB_CONFIGFS_F_FS=y +CONFIG_USB_CONFIGFS_F_UAC1=y +CONFIG_USB_CONFIGFS_F_UAC1_LEGACY=y +CONFIG_USB_CONFIGFS_F_UAC2=y +CONFIG_USB_CONFIGFS_F_MIDI=y +CONFIG_USB_CONFIGFS_F_MIDI2=y +CONFIG_USB_CONFIGFS_F_HID=y +CONFIG_USB_CONFIGFS_F_UVC=y +CONFIG_USB_CONFIGFS_F_PRINTER=y +CONFIG_USB_CONFIGFS_F_TCM=y # # MMC/SD/SDIO Host Controller Drivers @@ -6606,7 +6665,7 @@ CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=m # DEVFREQ Drivers # # CONFIG_PM_DEVFREQ_EVENT is not set -# CONFIG_EXTCON is not set +CONFIG_EXTCON=y # CONFIG_MEMORY is not set CONFIG_IIO=m CONFIG_IIO_BUFFER=y diff --git a/SPECS/kernel-rt/kernel-rt.signatures.json b/SPECS/kernel-rt/kernel-rt.signatures.json index ba65ea2ed4..325a8574d2 100644 
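Review bot: The `CONFIG_USB_F_*`, `CONFIG_USB_U_*` and `CONFIG_USB_CONFIGFS*` lines are inserted in the middle of the MMC entries (after `# CONFIG_MMC_TEST is not set`), in a file whose header says it is generated and must not be edited, so this looks hand-edited rather than regenerated. Symbols such as `CONFIG_USB_LIBCOMPOSITE` and the `CONFIG_USB_F_*` entries have no prompt in Kconfig and are only set through `select`, so what the build ends up with may differ from what this file lists. I would regenerate the file with `make olddefconfig` against the 6.12.59 tree and commit that output, so the reviewed config (and the `config` hash recorded in kernel-rt.signatures.json) matches what is actually built.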
--- a/SPECS/kernel-rt/kernel-rt.signatures.json +++ b/SPECS/kernel-rt/kernel-rt.signatures.json @@ -1,10 +1,10 @@ { "Signatures": { "emt-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "1c9dda2299325ec7b195f9801bf57c13a298d0b4d0fe2cda0319218e1599b710", + "config": "f0bfbb38f4ae160bcd641643fd4ff4e47032554b38e483ee6c9236d85c0ea0fc", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "linux-6.12.55.tar.gz": "c8076132f818c0a22b7fe9a1184769406f0a62d0b93e4516d7f1a6d24f3791c3" + "linux-6.12.59.tar.gz": "93dfe627d321f016291054449a8e4bf9051de19687fbf1a6f584a2b79f8f5d2c" } } diff --git a/SPECS/kernel-rt/kernel-rt.spec b/SPECS/kernel-rt/kernel-rt.spec index ee3e65b7f7..1dab43eee3 100644 --- a/SPECS/kernel-rt/kernel-rt.spec +++ b/SPECS/kernel-rt/kernel-rt.spec @@ -1,13 +1,13 @@ Summary: Preempt RT Linux Kernel Name: kernel-rt -Version: 6.12.55 -Release: 2%{?dist} +Version: 6.12.59 +Release: 1%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit Group: System Environment/Kernel URL: https://www.kernel.org/pub/linux/kernel -Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz +Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.59.tar.gz Source1: config Source3: sha512hmac-openssl.sh Source4: emt-ca-20211013.pem 
@@ -16,512 +16,542 @@ Source6: cpupower.service # Intel not-upstreamed kernel features +# d5dc97879a97 Linux 6.12.59 #sriov -Patch0: 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov -Patch1: 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov -Patch2: 0003-drm-i915-guc-Define-MAX_DWORDS-for-CTB-HXG-Message.sriov -Patch3: 0004-drm-i915-call-taint_for_CI-on-FLR-failure.sriov -Patch4: 0005-drm-i915-huc-load-HuC-via-non-POR-GSC-engine-flow.sriov -Patch5: 0006-drm-i915-SR-IOV-Enabling-and-Support.sriov -Patch6: 0007-Revert-drm-i915-move-platform_engine_mask-and-memory.sriov -Patch7: 0008-drm-i915-gt-Enable-the-early-register-to-working-win.sriov -Patch8: 0009-drm-i915-gt-Modify-the-adls-mocs-table-same-as-tgl-m.sriov -Patch9: 0010-drm-i915-Bypass-gem_set_tiling-and-gem_get_tiling.sriov -Patch10: 0011-drm-i915-enable-CCS-on-DG1-and-TGL-for-testing.sriov -Patch11: 0012-drm-i915-force-VF-using-v70-GuC-API.sriov -Patch12: 0013-drm-i915-fix-regression-on-sriov-vf-failures-due-to-.sriov -Patch13: 0014-drm-i915-add-null-pointer-protection-inside-intel_fb.sriov -Patch14: 0015-drm-i915-use-the-original-Wa_14010685332-for-PCH_ADP.sriov -Patch15: 0016-drm-i915-fix-bitmap-clear-API-region-start-issue.sriov -Patch16: 0017-drm-i915-iov-Expose-early-runtime-registers-for-MTL.sriov -Patch17: 0018-drm-i915-gt-fix-empty-workaround-list-access-issue.sriov -Patch18: 0019-drm-i915-mtl-Add-module-parameter-override-for-Wa_16.sriov -Patch19: 0020-drm-i915-mtl-Provide-user-the-option-to-disable-ccs.sriov -Patch20: 0021-drm-i915-mtl-Turn-on-Wa_16019325821-Wa_14019159160-b.sriov -Patch21: 0022-drm-i915-pf-Use-GPU-to-set-PTE-owner.sriov -Patch22: 0023-drm-i915-pf-Use-GPU-to-set-PTE-owner-on-platforms-wi.sriov -Patch23: 0024-drm-i915-access-ddc-pointer-only-if-it-is-available.sriov -Patch24: 0025-drm-i915-guc-Upgrade-GuC-fw-version-to-70.20.0.sriov -Patch25: 0026-drm-i915-iov-Adding-runtime-reg-for-MTL-HuC-status.sriov -Patch26: 
0027-drm-i915-guc-Upgrade-GuC-fw-version-to-70.29.2.sriov -Patch27: 0028-drm-i915-Re-add-enable_rc6-modparam.sriov -Patch28: 0032-drm-virtio-freeze-and-restore-hooks-to-support-suspe.sriov -Patch29: 0033-drm-virtio-save-and-restore-virtio_gpu_objects.sriov -Patch30: 0001-drm-virtio-Use-drm_gem_plane_helper_prepare_fb.patch -Patch31: 0034-drm-i915-pf-Introduce-i915_ggtt_save_ptes-and-i915_g.sriov -Patch32: 0035-drm-i915-iov-Introduce-VFs-shadow-copy-of-GGTT-on-PF.sriov -Patch33: 0036-drm-i915-iov-Shadow-GGTT-mock-selftestes.sriov -Patch34: 0037-drm-i915-gt-Don-t-support-GGTT-save-restore-via-BAR-.sriov -Patch35: 0038-drm-i915-pf-Add-helpers-for-saving-loading-GGTT-stat.sriov -Patch36: 0039-drm-i915-pf-Handle-VF-pause-complete-notification.sriov -Patch37: 0040-drm-i915-pf-Allow-to-save-restore-GuC-VF-state.sriov -Patch38: 0041-drm-i915-pf-Save-and-restore-VFs-state-during-S2idle.sriov -Patch39: 0042-drm-i915-pf-Skip-VF-save-restore-on-S2idle-S3-S4-if-.sriov -Patch40: 0043-drm-i915-pf-Start-use-shadow-GGTT-to-save-restore-du.sriov -Patch41: 0044-drm-i915-pf-Export-API-to-be-used-by-i915-vfio-pci.sriov -Patch42: 0045-drm-i915-iov-Flag-which-tells-whether-PAUSE-is-in-pr.sriov -Patch43: 0046-drm-i915-iov-Remember-run-state-on-suspend-and-resto.sriov -Patch44: 0047-drm-i915-pf-Pause-VF-before-restore-GuC-state-after-.sriov -Patch45: 0048-drm-i915-iov-fix-i915-sriov-build-issue.sriov -Patch46: 0001-drm-i915-CTB-TLB-invalidation-fix-on-VM.sriov -Patch47: 0002-vfio-i915-Add-vfio_pci-driver-for-Intel-graphics.sriov -Patch48: 0003-drm-i915-guc-Upgrade-GuC-fw-version-to-70.36.0.sriov -Patch49: 0001-drm-i915-Fix-logic-for-GUC-Process.sriov -Patch50: 0001-vfio-i915-Add-support-for-MMIO-save-restore.sriov -Patch51: 0002-drm-i915-SR-IOV-Save-Restore-Feature-support.sriov -Patch52: 0001-i915-Enable-w-a-16026508708.sriov -Patch53: 0001-virtio-hookup-irq_get_affinity-callback.sriov -Patch54: 0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov -Patch55: 
0003-virtgpu-don-t-reset-on-shutdown.sriov -Patch56: 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov -Patch57: 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov -Patch58: 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov +Patch0: 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov +Patch1: 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov +Patch2: 0003-drm-i915-guc-Define-MAX_DWORDS-for-CTB-HXG-Message.sriov +Patch3: 0004-drm-i915-call-taint_for_CI-on-FLR-failure.sriov +Patch4: 0005-drm-i915-huc-load-HuC-via-non-POR-GSC-engine-flow.sriov +Patch5: 0006-drm-i915-SR-IOV-Enabling-and-Support.sriov +Patch6: 0007-Revert-drm-i915-move-platform_engine_mask-and-memory.sriov +Patch7: 0008-drm-i915-gt-Enable-the-early-register-to-working-win.sriov +Patch8: 0009-drm-i915-gt-Modify-the-adls-mocs-table-same-as-tgl-m.sriov +Patch9: 0010-drm-i915-Bypass-gem_set_tiling-and-gem_get_tiling.sriov +Patch10: 0011-drm-i915-enable-CCS-on-DG1-and-TGL-for-testing.sriov +Patch11: 0012-drm-i915-force-VF-using-v70-GuC-API.sriov +Patch12: 0013-drm-i915-fix-regression-on-sriov-vf-failures-due-to-.sriov +Patch13: 0014-drm-i915-add-null-pointer-protection-inside-intel_fb.sriov +Patch14: 0015-drm-i915-use-the-original-Wa_14010685332-for-PCH_ADP.sriov +Patch15: 0016-drm-i915-fix-bitmap-clear-API-region-start-issue.sriov +Patch16: 0017-drm-i915-iov-Expose-early-runtime-registers-for-MTL.sriov +Patch17: 0018-drm-i915-gt-fix-empty-workaround-list-access-issue.sriov +Patch18: 0019-drm-i915-mtl-Add-module-parameter-override-for-Wa_16.sriov +Patch19: 0020-drm-i915-mtl-Provide-user-the-option-to-disable-ccs.sriov +Patch20: 0021-drm-i915-mtl-Turn-on-Wa_16019325821-Wa_14019159160-b.sriov +Patch21: 0022-drm-i915-pf-Use-GPU-to-set-PTE-owner.sriov +Patch22: 0023-drm-i915-pf-Use-GPU-to-set-PTE-owner-on-platforms-wi.sriov +Patch23: 0024-drm-i915-access-ddc-pointer-only-if-it-is-available.sriov +Patch24: 0025-drm-i915-guc-Upgrade-GuC-fw-version-to-70.20.0.sriov 
+Patch25: 0026-drm-i915-iov-Adding-runtime-reg-for-MTL-HuC-status.sriov +Patch26: 0027-drm-i915-guc-Upgrade-GuC-fw-version-to-70.29.2.sriov +Patch27: 0028-drm-i915-Re-add-enable_rc6-modparam.sriov +Patch28: 0032-drm-virtio-freeze-and-restore-hooks-to-support-suspe.sriov +Patch29: 0033-drm-virtio-save-and-restore-virtio_gpu_objects.sriov +Patch30: 0001-drm-virtio-Use-drm_gem_plane_helper_prepare_fb.patch +Patch31: 0034-drm-i915-pf-Introduce-i915_ggtt_save_ptes-and-i915_g.sriov +Patch32: 0035-drm-i915-iov-Introduce-VFs-shadow-copy-of-GGTT-on-PF.sriov +Patch33: 0036-drm-i915-iov-Shadow-GGTT-mock-selftestes.sriov +Patch34: 0037-drm-i915-gt-Don-t-support-GGTT-save-restore-via-BAR-.sriov +Patch35: 0038-drm-i915-pf-Add-helpers-for-saving-loading-GGTT-stat.sriov +Patch36: 0039-drm-i915-pf-Handle-VF-pause-complete-notification.sriov +Patch37: 0040-drm-i915-pf-Allow-to-save-restore-GuC-VF-state.sriov +Patch38: 0041-drm-i915-pf-Save-and-restore-VFs-state-during-S2idle.sriov +Patch39: 0042-drm-i915-pf-Skip-VF-save-restore-on-S2idle-S3-S4-if-.sriov +Patch40: 0043-drm-i915-pf-Start-use-shadow-GGTT-to-save-restore-du.sriov +Patch41: 0044-drm-i915-pf-Export-API-to-be-used-by-i915-vfio-pci.sriov +Patch42: 0045-drm-i915-iov-Flag-which-tells-whether-PAUSE-is-in-pr.sriov +Patch43: 0046-drm-i915-iov-Remember-run-state-on-suspend-and-resto.sriov +Patch44: 0047-drm-i915-pf-Pause-VF-before-restore-GuC-state-after-.sriov +Patch45: 0048-drm-i915-iov-fix-i915-sriov-build-issue.sriov +Patch46: 0001-drm-i915-CTB-TLB-invalidation-fix-on-VM.sriov +Patch47: 0002-vfio-i915-Add-vfio_pci-driver-for-Intel-graphics.sriov +Patch48: 0003-drm-i915-guc-Upgrade-GuC-fw-version-to-70.36.0.sriov +Patch49: 0001-drm-i915-Fix-logic-for-GUC-Process.sriov +Patch50: 0001-vfio-i915-Add-support-for-MMIO-save-restore.sriov +Patch51: 0002-drm-i915-SR-IOV-Save-Restore-Feature-support.sriov +Patch52: 0001-i915-Enable-w-a-16026508708.sriov +Patch53: 0001-virtio-hookup-irq_get_affinity-callback.sriov +Patch54: 
0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov +Patch55: 0003-virtgpu-don-t-reset-on-shutdown.sriov +Patch56: 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov +Patch57: 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov +Patch58: 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov +Patch59: 0001-drm-i915-Do-not-advertise-about-CCS.sriov #security -Patch59: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security -Patch60: 0002-mei-virtio-virtualization-frontend-driver.security -Patch61: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security -Patch62: 0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security -Patch63: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security -Patch64: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security -Patch65: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security -Patch66: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security -Patch67: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security -Patch68: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security -Patch69: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security -Patch70: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security -Patch71: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security -Patch72: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security -Patch73: 0015-INTEL_DII-mei-put-force-wake-in-error-flows.security -Patch74: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security -Patch75: 0017-INTEL_DII-mei-optimize-force-wake-wait.security -Patch76: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security -Patch77: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security +Patch60: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security +Patch61: 0002-mei-virtio-virtualization-frontend-driver.security +Patch62: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security +Patch63: 
0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security +Patch64: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security +Patch65: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security +Patch66: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security +Patch67: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security +Patch68: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security +Patch69: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security +Patch70: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security +Patch71: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security +Patch72: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security +Patch73: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security +Patch74: 0015-INTEL_DII-mei-put-force-wake-in-error-flows.security +Patch75: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security +Patch76: 0017-INTEL_DII-mei-optimize-force-wake-wait.security +Patch77: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security +Patch78: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security #tgpio -Patch78: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio -Patch79: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio -Patch80: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio -Patch81: 0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio -Patch82: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio -Patch83: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio -Patch84: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio -Patch85: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio -Patch86: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio -Patch87: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio -Patch88: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio -Patch89: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio -Patch90: 
0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio -Patch91: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio -Patch92: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio -Patch93: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio -Patch94: 0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio -Patch95: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio -Patch96: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio -Patch97: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio -Patch98: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio -Patch99: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio -Patch100: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio -Patch101: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio -Patch102: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio -Patch103: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio -Patch104: 0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio -Patch105: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio -Patch106: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio -Patch107: 0030-Added-an-example-to-poll-for-edges.tgpio -Patch108: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio -Patch109: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio -Patch110: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio -Patch111: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio -Patch112: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio -Patch113: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio -Patch114: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio -Patch115: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio -Patch116: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio -Patch117: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio -Patch118: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio -Patch119: 
0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio -Patch120: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio +Patch79: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio +Patch80: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio +Patch81: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio +Patch82: 0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio +Patch83: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio +Patch84: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio +Patch85: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio +Patch86: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio +Patch87: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio +Patch88: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio +Patch89: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio +Patch90: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio +Patch91: 0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio +Patch92: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio +Patch93: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio +Patch94: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio +Patch95: 0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio +Patch96: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio +Patch97: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio +Patch98: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio +Patch99: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio +Patch100: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio +Patch101: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio +Patch102: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio +Patch103: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio +Patch104: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio +Patch105: 
0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio +Patch106: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio +Patch107: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio +Patch108: 0030-Added-an-example-to-poll-for-edges.tgpio +Patch109: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio +Patch110: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio +Patch111: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio +Patch112: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio +Patch113: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio +Patch114: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio +Patch115: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio +Patch116: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio +Patch117: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio +Patch118: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio +Patch119: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio +Patch120: 0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio +Patch121: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio #edac -Patch121: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac -Patch122: 0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac -Patch123: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac -Patch124: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac -Patch125: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac -Patch126: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac -Patch127: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac -Patch128: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac -Patch129: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac -Patch130: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac -Patch131: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac -Patch132: 
0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac -Patch133: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac -Patch134: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac -Patch135: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac -Patch136: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac -Patch137: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac -Patch138: 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac -Patch139: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac -Patch140: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac -Patch141: 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac -Patch142: 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac +Patch122: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac +Patch123: 0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac +Patch124: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac +Patch125: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac +Patch126: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac +Patch127: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac +Patch128: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac +Patch129: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac +Patch130: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac +Patch131: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac +Patch132: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac +Patch133: 0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac +Patch134: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac +Patch135: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac +Patch136: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac +Patch137: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac +Patch138: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac +Patch139: 
0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac +Patch140: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac +Patch141: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac +Patch142: 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac +Patch143: 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac +Patch144: 0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac +Patch145: 0002-EDAC-igen6-Add-polling-support.edac +Patch146: 0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac +Patch147: 0004-EDAC-igen6-Constify-struct-res_config.edac +Patch148: 0005-EDAC-igen6-Skip-absent-memory-controllers.edac +Patch149: 0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac #tsn -Patch143: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn -Patch144: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn -Patch145: 0003-net-phy-increase-gpy-loopback-test-delay.tsn -Patch146: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn -Patch147: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn -Patch148: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn -Patch149: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn -Patch150: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn -Patch151: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn -Patch152: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn -Patch153: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn -Patch154: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn -Patch155: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn -Patch156: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn -Patch157: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn -Patch158: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn -Patch159: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn -Patch160: 
0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn -Patch161: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn -Patch162: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn -Patch163: 0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn -Patch164: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn -Patch165: 0023-net-phylink-Add-module_exit.tsn -Patch166: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn -Patch167: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn -Patch168: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn -Patch169: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn -Patch170: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn -Patch171: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn -Patch172: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn -Patch173: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn -Patch174: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn -Patch175: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn -Patch176: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn -Patch177: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn -Patch178: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn -Patch179: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn -Patch180: 0038-taprio-Add-support-for-frame-preemption-offload.tsn -Patch181: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn -Patch182: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn -Patch183: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn -Patch184: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn -Patch185: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn -Patch186: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn -Patch187: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn -Patch188: 
0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn -Patch189: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn -Patch190: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn -Patch191: 0007-igc-Add-support-for-setting-frame-preemption-configura.tsn -Patch192: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn -Patch193: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn -Patch194: 0010-igc-Optimize-the-packet-buffer-utilization.tsn -Patch195: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn -Patch196: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn -Patch197: 0013-bpf-add-btf-register-unregister-API.tsn -Patch198: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn -Patch199: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn -Patch200: 0016-rtnetlink-Add-return-value-check.tsn -Patch201: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn -Patch202: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn -Patch203: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn -Patch204: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn -Patch205: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn -Patch206: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn -Patch207: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn -Patch208: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn -Patch209: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn -Patch210: 0026-taprio-Replace-tc_map_to_queue_mask.tsn -Patch211: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn -Patch212: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn -Patch213: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn -Patch214: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn -Patch215: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn -Patch216: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn -Patch217: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn -Patch218: 
0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn -Patch219: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn -Patch220: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn -Patch221: 0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn -Patch222: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn -Patch223: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn -Patch224: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn -Patch225: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn +Patch150: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn +Patch151: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn +Patch152: 0003-net-phy-increase-gpy-loopback-test-delay.tsn +Patch153: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn +Patch154: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn +Patch155: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn +Patch156: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn +Patch157: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn +Patch158: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn +Patch159: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn +Patch160: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn +Patch161: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn +Patch162: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn +Patch163: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn +Patch164: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn +Patch165: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn +Patch166: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn +Patch167: 0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn +Patch168: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn +Patch169: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn +Patch170: 
0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn +Patch171: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn +Patch172: 0023-net-phylink-Add-module_exit.tsn +Patch173: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn +Patch174: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn +Patch175: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn +Patch176: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn +Patch177: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn +Patch178: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn +Patch179: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn +Patch180: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn +Patch181: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn +Patch182: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn +Patch183: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn +Patch184: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn +Patch185: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn +Patch186: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn +Patch187: 0038-taprio-Add-support-for-frame-preemption-offload.tsn +Patch188: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn +Patch189: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn +Patch190: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn +Patch191: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn +Patch192: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn +Patch193: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn +Patch194: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn +Patch195: 0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn +Patch196: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn +Patch197: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn +Patch198: 
0007-igc-Add-support-for-setting-frame-preemption-configura.tsn +Patch199: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn +Patch200: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn +Patch201: 0010-igc-Optimize-the-packet-buffer-utilization.tsn +Patch202: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn +Patch203: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn +Patch204: 0013-bpf-add-btf-register-unregister-API.tsn +Patch205: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn +Patch206: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn +Patch207: 0016-rtnetlink-Add-return-value-check.tsn +Patch208: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn +Patch209: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn +Patch210: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn +Patch211: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn +Patch212: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn +Patch213: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn +Patch214: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn +Patch215: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn +Patch216: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn +Patch217: 0026-taprio-Replace-tc_map_to_queue_mask.tsn +Patch218: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn +Patch219: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn +Patch220: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn +Patch221: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn +Patch222: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn +Patch223: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn +Patch224: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn +Patch225: 0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn +Patch226: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn +Patch227: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn +Patch228: 
0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn +Patch229: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn +Patch230: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn +Patch231: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn +Patch232: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn #camera -Patch226: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera -Patch227: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera -Patch228: 0002-media-i2c-add-support-for-lt6911uxe.camera -Patch229: 0003-INT3472-Support-LT6911UXE.camera -Patch230: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera -Patch231: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera -Patch232: 0006-media-pci-Enable-ISYS-reset.camera -Patch233: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera -Patch234: 0008-driver-media-i2c-remove-useless-header-file.camera -Patch235: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera -Patch236: 0010-media-i2c-add-support-for-lt6911uxc.camera -Patch237: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera -Patch238: 0012-media-pci-intel-psys-driver.camera -Patch239: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera -Patch240: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera -Patch241: 0002-media-pci-intel-include-psys-driver.camera -Patch242: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera -Patch243: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera -Patch244: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera -Patch245: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera -Patch246: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera -Patch247: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera -Patch248: 0001-media-pci-update-IPU6-PSYS-driver.camera -Patch249: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera -Patch250: 
0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera -Patch251: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera -Patch252: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch253: 0006-media-i2c-some-changes-in-lt6911uxe.camera -Patch254: 0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch255: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera -Patch256: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera -Patch257: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch258: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera -Patch259: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera -Patch260: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera -Patch261: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera -Patch262: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera -Patch263: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera -Patch264: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera -Patch265: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera -Patch266: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera -Patch267: 0004-i2c-media-fix-cov-issue.camera -Patch268: 0005-mv-ipu-acpi-module-to-linux-drivers.camera -Patch269: 0006-kernel-enable-VC-support-in-v4l2.camera -Patch270: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera -Patch271: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera -Patch272: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera -Patch273: 0010-media-pci-add-missing-if-for-PDATA.camera -Patch274: 0011-media-platform-fix-allyesconfig-build-error.camera -Patch275: 0012-media-pci-refine-PDATA-related-config.camera -Patch276: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera -Patch277: 0014-media-i2c-add-gmsl-isx031-support.camera -Patch278: 0015-media-i2c-add-support-for-isx031-max9296.camera -Patch279: 0016-fix-S4-issue-on-TWL.camera 
-Patch280: 0017-code-changes-for-link-frequency-and-sensor-physical.camera +Patch233: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera +Patch234: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera +Patch235: 0002-media-i2c-add-support-for-lt6911uxe.camera +Patch236: 0003-INT3472-Support-LT6911UXE.camera +Patch237: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera +Patch238: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera +Patch239: 0006-media-pci-Enable-ISYS-reset.camera +Patch240: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera +Patch241: 0008-driver-media-i2c-remove-useless-header-file.camera +Patch242: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera +Patch243: 0010-media-i2c-add-support-for-lt6911uxc.camera +Patch244: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera +Patch245: 0012-media-pci-intel-psys-driver.camera +Patch246: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera +Patch247: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera +Patch248: 0002-media-pci-intel-include-psys-driver.camera +Patch249: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera +Patch250: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera +Patch251: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera +Patch252: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera +Patch253: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera +Patch254: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera +Patch255: 0001-media-pci-update-IPU6-PSYS-driver.camera +Patch256: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera +Patch257: 0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera +Patch258: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera +Patch259: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch260: 0006-media-i2c-some-changes-in-lt6911uxe.camera +Patch261: 
0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch262: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera +Patch263: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera +Patch264: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch265: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera +Patch266: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera +Patch267: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera +Patch268: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera +Patch269: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera +Patch270: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera +Patch271: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera +Patch272: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera +Patch273: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera +Patch274: 0004-i2c-media-fix-cov-issue.camera +Patch275: 0005-mv-ipu-acpi-module-to-linux-drivers.camera +Patch276: 0006-kernel-enable-VC-support-in-v4l2.camera +Patch277: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera +Patch278: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera +Patch279: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera +Patch280: 0010-media-pci-add-missing-if-for-PDATA.camera +Patch281: 0011-media-platform-fix-allyesconfig-build-error.camera +Patch282: 0012-media-pci-refine-PDATA-related-config.camera +Patch283: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera +Patch284: 0014-media-i2c-add-gmsl-isx031-support.camera +Patch285: 0015-media-i2c-add-support-for-isx031-max9296.camera +Patch286: 0016-fix-S4-issue-on-TWL.camera +Patch287: 0017-code-changes-for-link-frequency-and-sensor-physical.camera #wwan -Patch281: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan -Patch282: 0002-wwan-add-SAHARA-device.wwan -Patch283: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan -Patch284: 
0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan -Patch285: 0005-wwan-add-NMEA-type.wwan -Patch286: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan -Patch287: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan -Patch288: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan -Patch289: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan -Patch290: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan -Patch291: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan -Patch292: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan -Patch293: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan -Patch294: 0005-Revert-wwan-add-NMEA-type.wwan -Patch295: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan -Patch296: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan -Patch297: 0008-Revert-wwan-add-SAHARA-device.wwan -Patch298: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan +Patch288: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan +Patch289: 0002-wwan-add-SAHARA-device.wwan +Patch290: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan +Patch291: 0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan +Patch292: 0005-wwan-add-NMEA-type.wwan +Patch293: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan +Patch294: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan +Patch295: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan +Patch296: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan +Patch297: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan +Patch298: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan +Patch299: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan +Patch300: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan +Patch301: 0005-Revert-wwan-add-NMEA-type.wwan +Patch302: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan +Patch303: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan 
+Patch304: 0008-Revert-wwan-add-SAHARA-device.wwan +Patch305: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan #pmc_core -Patch299: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core -Patch300: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core -Patch301: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core +Patch306: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core +Patch307: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core +Patch308: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core #lpss -Patch302: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss -Patch303: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss -Patch304: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss -Patch305: 0004-spi-intel-Add-protected-and-locked-attributes.lpss +Patch309: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss +Patch310: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss +Patch311: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss +Patch312: 0004-spi-intel-Add-protected-and-locked-attributes.lpss #preempt_rt patches backported -Patch306: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt -Patch307: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt -Patch308: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt -Patch309: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt -Patch310: 0004-serial-8250-Switch-to-nbcon-console.rt -Patch311: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt -Patch312: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt -Patch313: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt -Patch314: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt -Patch315: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt -Patch316: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt 
-Patch317: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt -Patch318: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt -Patch319: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt -Patch320: 0014-drm-i915-Drop-the-irqs_disabled-check.rt -Patch321: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt -Patch322: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt -Patch323: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt -Patch324: 0018-sched-Add-Lazy-preemption-model.rt -Patch325: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt -Patch326: 0020-sched-x86-Enable-Lazy-preemption.rt -Patch327: 0021-sched-Add-laziest-preempt-model.rt -Patch328: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt -Patch329: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt -Patch330: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt -Patch331: 0025-sysfs-Add-sys-kernel-realtime-entry.rt -Patch332: 0001-serial-8250-enable-original-console-by-default.rt -Patch333: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt -Patch334: 0002-Revert-scripts-remove-bin2c.rt -Patch335: 0003-extend-uio-driver-to-supports-msix.rt -Patch336: 0004-virtio-add-VIRTIO_PMD-support.rt -Patch337: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt -Patch338: 0006-Add-hypercall-to-access-MSR.rt -Patch339: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt -Patch340: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt -Patch341: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt -Patch342: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt -Patch343: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt -Patch344: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt -Patch345: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt -Patch346: 0014-igb-Add-BTF-based-metadata-for-XDP.rt -Patch347: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt -Patch348: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt -Patch349: 
0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt -Patch350: 0018-virtio-fix-VIRTIO_PMD-support.rt -Patch351: 0019-drm-i915-add-i915-perf-event-capacity.rt -Patch352: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt +Patch313: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt +Patch314: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt +Patch315: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt +Patch316: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt +Patch317: 0004-serial-8250-Switch-to-nbcon-console.rt +Patch318: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt +Patch319: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt +Patch320: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt +Patch321: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt +Patch322: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt +Patch323: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt +Patch324: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt +Patch325: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt +Patch326: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt +Patch327: 0014-drm-i915-Drop-the-irqs_disabled-check.rt +Patch328: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt +Patch329: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt +Patch330: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt +Patch331: 0018-sched-Add-Lazy-preemption-model.rt +Patch332: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt +Patch333: 0020-sched-x86-Enable-Lazy-preemption.rt +Patch334: 0021-sched-Add-laziest-preempt-model.rt +Patch335: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt +Patch336: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt +Patch337: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt +Patch338: 0025-sysfs-Add-sys-kernel-realtime-entry.rt +Patch339: 0001-serial-8250-enable-original-console-by-default.rt 
+Patch340: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt +Patch341: 0002-Revert-scripts-remove-bin2c.rt +Patch342: 0003-extend-uio-driver-to-supports-msix.rt +Patch343: 0004-virtio-add-VIRTIO_PMD-support.rt +Patch344: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt +Patch345: 0006-Add-hypercall-to-access-MSR.rt +Patch346: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt +Patch347: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt +Patch348: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt +Patch349: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt +Patch350: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt +Patch351: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt +Patch352: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt +Patch353: 0014-igb-Add-BTF-based-metadata-for-XDP.rt +Patch354: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt +Patch355: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt +Patch356: 0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt +Patch357: 0018-virtio-fix-VIRTIO_PMD-support.rt +Patch358: 0019-drm-i915-add-i915-perf-event-capacity.rt +Patch359: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt #drm -Patch353: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm -Patch354: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm -Patch355: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm -Patch356: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm -Patch357: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm -Patch358: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm -Patch359: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm -Patch360: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm -Patch361: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm -Patch362: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm -Patch363: 
0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm -Patch364: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm -Patch365: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm -Patch366: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm -Patch367: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm -Patch368: 0011-drm-i915-gt-Store-active-CCS-mask.drm -Patch369: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm -Patch370: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm -Patch371: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm -Patch372: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm -Patch373: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm -Patch374: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm -Patch375: 0001-Remove-unneeded-files.patch +Patch360: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm +Patch361: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm +Patch362: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm +Patch363: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm +Patch364: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm +Patch365: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm +Patch366: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm +Patch367: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm +Patch368: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm +Patch369: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm +Patch370: 0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm +Patch371: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm +Patch372: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm +Patch373: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm +Patch374: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm +Patch375: 
0011-drm-i915-gt-Store-active-CCS-mask.drm +Patch376: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm +Patch377: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm +Patch378: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm +Patch379: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm +Patch380: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm +Patch381: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm +Patch382: 0001-Remove-unneeded-files.patch +Patch383: 0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm #rapl -Patch376: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl +Patch384: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl #misc -Patch377: 0001-Add-security.md-file.misc +Patch385: 0001-Add-security.md-file.misc #iommu -Patch378: 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu -Patch379: 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu +Patch386: 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu +Patch387: 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu #emt-drm -Patch380: 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch +Patch388: 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch #CVE-2025-21709 -Patch381: CVE-2025-21709.patch +Patch389: CVE-2025-21709.patch #CVE-2025-21817 -Patch382: CVE-2025-21817.patch +Patch390: CVE-2025-21817.patch #CVE-2025-22104 -Patch383: CVE-2025-22104.patch -#CVE-2025-22105 -Patch384: CVE-2025-22105.patch -Patch385: CVE-2025-22105-1.patch +Patch391: CVE-2025-22104.patch #CVE-2025-22108 -Patch386: CVE-2025-22108.patch +Patch392: CVE-2025-22108.patch #CVE-2025-22111 -Patch387: CVE-2025-22111.patch +Patch393: CVE-2025-22111.patch #CVE-2025-22116 -Patch388: CVE-2025-22116.patch +Patch394: CVE-2025-22116.patch #CVE-2025-22117 -Patch389: CVE-2025-22117.patch -#CVE-2025-22121 -Patch390: CVE-2025-22121.patch -Patch391: CVE-2025-22121-1.patch +Patch395: 
CVE-2025-22117.patch #CVE-2025-23131 -Patch392: CVE-2025-23131.patch +Patch396: CVE-2025-23131.patch #CVE-2025-37746 -Patch393: CVE-2025-37746.patch -Patch394: CVE-2025-37746-1.patch +Patch397: CVE-2025-37746.patch +Patch398: CVE-2025-37746-1.patch #CVE-2025-37906 -Patch395: CVE-2025-37906.patch +Patch399: CVE-2025-37906.patch #CVE-2025-38041 -Patch396: CVE-2025-38041.patch -Patch397: CVE-2025-38041-1.patch -Patch398: CVE-2025-38041-2.patch +Patch400: CVE-2025-38041.patch +Patch401: CVE-2025-38041-1.patch +Patch402: CVE-2025-38041-2.patch #CVE-2025-38029 -Patch399: CVE-2025-38029.patch +Patch403: CVE-2025-38029.patch #CVE-2025-38311 -Patch400: CVE-2025-38311.patch +Patch404: CVE-2025-38311.patch #CVE-2025-38248 -Patch401: CVE-2025-38248.patch +Patch405: CVE-2025-38248.patch #CVE-2025-38234 -Patch402: CVE-2025-38234.patch +Patch406: CVE-2025-38234.patch #CVE-2025-38207 -Patch403: CVE-2025-38207.patch +Patch407: CVE-2025-38207.patch #CVE-2025-38137 -Patch404: CVE-2025-38137.patch +Patch408: CVE-2025-38137.patch #CVE-2025-40325 -Patch405: CVE-2025-40325.patch +Patch409: CVE-2025-40325.patch #CVE-2025-38284 -Patch406: CVE-2025-38284.patch -Patch407: CVE-2025-38284-1.patch -Patch408: CVE-2025-38284-2.patch +Patch410: CVE-2025-38284.patch +Patch411: CVE-2025-38284-1.patch +Patch412: CVE-2025-38284-2.patch #CVE-2025-38199 -Patch409: CVE-2025-38199.patch +Patch413: CVE-2025-38199.patch #CVE-2025-38140 -Patch410: CVE-2025-38140.patch +Patch414: CVE-2025-38140.patch #CVE-2025-38132 -Patch411: CVE-2025-38132.patch -Patch412: CVE-2025-38132-1.patch +Patch415: CVE-2025-38132.patch +Patch416: CVE-2025-38132-1.patch #CVE-2025-37743 -Patch413: CVE-2025-37743.patch +Patch417: CVE-2025-37743.patch #CVE-2025-23132 -Patch414: CVE-2025-23132.patch -#CVE-2025-23130 -Patch415: CVE-2025-23130.patch -#CVE-2025-23129 -Patch416: CVE-2025-23129.patch +Patch418: CVE-2025-23132.patch #CVE-2025-22127 -Patch417: CVE-2025-22127.patch +Patch419: CVE-2025-22127.patch #CVE-2025-22109 -Patch418: 
CVE-2025-22109.patch +Patch420: CVE-2025-22109.patch #CVE-2025-21752 -Patch419: CVE-2025-21752.patch -Patch420: CVE-2025-21752-1.patch -#CVE-2025-37860 -Patch421: CVE-2025-37860.patch +Patch421: CVE-2025-21752.patch +Patch422: CVE-2025-21752-1.patch #CVE-2024-58095 -Patch422: CVE-2024-58095.patch +Patch423: CVE-2024-58095.patch #CVE-2024-58094 -Patch423: CVE-2024-58094.patch -#CVE-2024-57995 -Patch424: CVE-2024-57995.patch +Patch424: CVE-2024-58094.patch #CVE-2024-52560 -Patch425: CVE-2024-52560.patch -Patch426: CVE-2024-52560-1.patch +Patch425: CVE-2024-52560.patch +Patch426: CVE-2024-52560-1.patch #CVE-2025-38621 -Patch427: CVE-2025-38621.patch +Patch427: CVE-2025-38621.patch #CVE-2025-38627 -Patch428: CVE-2025-38627.patch -#CVE-2025-38643 -Patch429: CVE-2025-38643.patch +Patch428: CVE-2025-38627.patch #CVE-2025-39789 -Patch430: CVE-2025-39789.patch +Patch429: CVE-2025-39789.patch #CVE-2025-39764 -Patch431: CVE-2025-39764.patch +Patch430: CVE-2025-39764.patch #CVE-2025-39745 -Patch432: CVE-2025-39745.patch +Patch431: CVE-2025-39745.patch #CVE-2025-39677 -Patch433: CVE-2025-39677.patch +Patch432: CVE-2025-39677.patch #CVE-2025-39933 -Patch434: CVE-2025-39933.patch +Patch433: CVE-2025-39933.patch #CVE-2025-39833 -Patch435: CVE-2025-39833.patch +Patch434: CVE-2025-39833.patch #CVE-2025-39925 -Patch436: CVE-2025-39925.patch +Patch435: CVE-2025-39925.patch #CVE-2025-39905 -Patch437: CVE-2025-39905.patch +Patch436: CVE-2025-39905.patch #CVE-2025-39859 -Patch438: CVE-2025-39859.patch +Patch437: CVE-2025-39859.patch #CVE-2025-39910 -Patch439: CVE-2025-39910.patch -#CVE-2025-39981 -Patch440: CVE-2025-39981.patch +Patch438: CVE-2025-39910.patch +#CVE-2025-40098 +Patch439: CVE-2025-40098.patch +#CVE-2025-40075 +Patch440: CVE-2025-40075.patch +Patch441: CVE-2025-40075-1.patch +#CVE-2025-40074 +Patch442: CVE-2025-40074.patch +#CVE-2025-40064 +Patch443: CVE-2025-40064.patch +#CVE-2025-40086 +Patch444: CVE-2025-40086.patch +Patch445: CVE-2025-40086-1.patch +#CVE-2025-40168 
+Patch446: CVE-2025-40168.patch +#CVE-2025-40170 +Patch447: CVE-2025-40170.patch +#CVE-2025-40164 +Patch448: CVE-2025-40164.patch +#CVE-2025-40158 +Patch449: CVE-2025-40158.patch +#CVE-2025-40149 +Patch450: CVE-2025-40149.patch +#CVE-2025-40147 +Patch451: CVE-2025-40147.patch +#CVE-2025-40139 +Patch452: CVE-2025-40139.patch +#CVE-2025-40136 +Patch453: CVE-2025-40136.patch +#CVE-2025-40135 +Patch454: CVE-2025-40135.patch +#CVE-2025-40130 +Patch455: CVE-2025-40130.patch +#CVE-2025-38656 +Patch456: CVE-2025-38656.patch +Patch457: CVE-2025-38656-2.patch +#CVE-2025-38591 +Patch458: CVE-2025-38591.patch +#CVE-2025-38584 +Patch459: CVE-2025-38584.patch # CVE Patches %global security_hardening none @@ -670,8 +700,8 @@ manipulation of eBPF programs and maps. %prep %define _default_patch_flags -p1 --fuzz=3 --force -%setup -q -n linux-6.12.55 -%autosetup -p1 -n linux-6.12.55 +%setup -q -n linux-6.12.59 +%autosetup -p1 -n linux-6.12.59 # %patch 0 -p1 make mrproper @@ -943,6 +973,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Thu Dec 11 2025 Lishan Liu - 6.12.59-1 +- Update kernel to 6.12.59 + * Thu Nov 27 2025 Lishan Liu - 6.12.55-2 - Update audio and virtio gpu kernel config diff --git a/SPECS/kernel-rt/series b/SPECS/kernel-rt/series index 38b1f51a3e..c7ca87714b 100644 --- a/SPECS/kernel-rt/series +++ b/SPECS/kernel-rt/series @@ -1,5 +1,5 @@ -# Series file for v6.12.55 linux kernel -# 4fc43debf5047 Linux 6.12.55 +# Series file for v6.12.59 linux kernel +# d5dc97879a97 Linux 6.12.59 #sriov 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov 
@@ -60,6 +60,7 @@ 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov +0001-drm-i915-Do-not-advertise-about-CCS.sriov #security 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security 0002-mei-virtio-virtualization-frontend-driver.security @@ -147,6 +148,12 @@ 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac +0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac +0002-EDAC-igen6-Add-polling-support.edac +0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac +0004-EDAC-igen6-Constify-struct-res_config.edac +0005-EDAC-igen6-Skip-absent-memory-controllers.edac +0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac #tsn 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn @@ -387,6 +394,7 @@ 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm 0001-Remove-unneeded-files.patch +0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm #rapl 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl #misc @@ -405,10 +413,6 @@ CVE-2025-21817.patch #CVE-2025-22104 CVE-2025-22104.patch -#CVE-2025-22105 -CVE-2025-22105.patch -CVE-2025-22105-1.patch - #CVE-2025-22108 CVE-2025-22108.patch @@ -421,10 +425,6 @@ CVE-2025-22116.patch #CVE-2025-22117 CVE-2025-22117.patch -#CVE-2025-22121 -CVE-2025-22121.patch -CVE-2025-22121-1.patch - #CVE-2025-23131 CVE-2025-23131.patch @@ -482,12 +482,6 @@ CVE-2025-37743.patch #CVE-2025-23132 CVE-2025-23132.patch -#CVE-2025-23130 -CVE-2025-23130.patch - -#CVE-2025-23129 -CVE-2025-23129.patch - #CVE-2025-22127 CVE-2025-22127.patch 
@@ -498,18 +492,12 @@ CVE-2025-22109.patch CVE-2025-21752.patch CVE-2025-21752-1.patch -#CVE-2025-37860 -CVE-2025-37860.patch - #CVE-2024-58095 CVE-2024-58095.patch #CVE-2024-58094 CVE-2024-58094.patch -#CVE-2024-57995 -CVE-2024-57995.patch - #CVE-2024-52560 CVE-2024-52560.patch CVE-2024-52560-1.patch @@ -520,9 +508,6 @@ CVE-2025-38621.patch #CVE-2025-38627 CVE-2025-38627.patch -#CVE-2025-38643 -CVE-2025-38643.patch - #CVE-2025-39789 CVE-2025-39789.patch @@ -553,5 +538,59 @@ CVE-2025-39859.patch #CVE-2025-39910 CVE-2025-39910.patch -#CVE-2025-39981 -CVE-2025-39981.patch +#CVE-2025-40098 +CVE-2025-40098.patch + +#CVE-2025-40075 +CVE-2025-40075.patch +CVE-2025-40075-1.patch + +#CVE-2025-40074 +CVE-2025-40074.patch + +#CVE-2025-40064 +CVE-2025-40064.patch + +#CVE-2025-40086 +CVE-2025-40086.patch +CVE-2025-40086-1.patch + +#CVE-2025-40168 +CVE-2025-40168.patch + +#CVE-2025-40170 +CVE-2025-40170.patch + +#CVE-2025-40164 +CVE-2025-40164.patch + +#CVE-2025-40158 +CVE-2025-40158.patch + +#CVE-2025-40149 +CVE-2025-40149.patch + +#CVE-2025-40147 +CVE-2025-40147.patch + +#CVE-2025-40139 +CVE-2025-40139.patch + +#CVE-2025-40136 +CVE-2025-40136.patch + +#CVE-2025-40135 +CVE-2025-40135.patch + +#CVE-2025-40130 +CVE-2025-40130.patch + +#CVE-2025-38656 +CVE-2025-38656.patch +CVE-2025-38656-2.patch + +#CVE-2025-38591 +CVE-2025-38591.patch + +#CVE-2025-38584 +CVE-2025-38584.patch diff --git a/SPECS/kernel/0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac b/SPECS/kernel/0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac new file mode 100644 index 0000000000..bb155c4a22 --- /dev/null +++ b/SPECS/kernel/0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac 
@@ -0,0 +1,59 @@
+From 4384532f29b08a758e951581980b6a1428c950f0 Mon Sep 17 00:00:00 2001
+From: Qiuxu Zhuo
+Date: Wed, 6 Nov 2024 11:35:45 +0000
+Subject: [PATCH 1/6] EDAC/igen6: Initialize edac_op_state according to the
+ configuration data
+
+Currently, igen6_edac sets edac_op_state to EDAC_OPSTATE_NMI, while the
+driver also supports memory errors reported from Machine Check. Initialize
+edac_op_state to the correct value according to the configuration data
+that the driver probed.
+
+Signed-off-by: Qiuxu Zhuo
+Signed-off-by: Tony Luck
+Link: https://lore.kernel.org/all/20241106114024.941659-2-orange@aiven.io
+---
+ drivers/edac/igen6_edac.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c
+index 28a168cc569385..0524b83c8ab335 100644
+--- a/drivers/edac/igen6_edac.c
++++ b/drivers/edac/igen6_edac.c
+@@ -1389,6 +1389,15 @@ static void unregister_err_handler(void)
+ unregister_nmi_handler(NMI_SERR, IGEN6_NMI_NAME);
+ }
+
++static void opstate_set(struct res_config *cfg)
++{
++ /* Set the mode according to the configuration data. */
++ if (cfg->machine_check)
++ edac_op_state = EDAC_OPSTATE_INT;
++ else
++ edac_op_state = EDAC_OPSTATE_NMI;
++}
++
+ static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+ u64 mchbar;
+@@ -1406,6 +1415,8 @@ static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (rc)
+ goto fail;
+
++ opstate_set(res_cfg);
++
+ for (i = 0; i < res_cfg->num_imc; i++) {
+ rc = igen6_register_mci(i, mchbar, pdev);
+ if (rc)
+@@ -1489,8 +1500,6 @@ static int __init igen6_init(void)
+ if (owner && strncmp(owner, EDAC_MOD_STR, sizeof(EDAC_MOD_STR)))
+ return -EBUSY;
+
+- edac_op_state = EDAC_OPSTATE_NMI;
+-
+ rc = pci_register_driver(&igen6_driver);
+ if (rc)
+ return rc;
+--
+2.43.0
+
diff --git a/SPECS/kernel/0001-drm-i915-Do-not-advertise-about-CCS.sriov b/SPECS/kernel/0001-drm-i915-Do-not-advertise-about-CCS.sriov
new file mode 100644
index 0000000000..0bb5c07446
--- /dev/null
+++ b/SPECS/kernel/0001-drm-i915-Do-not-advertise-about-CCS.sriov
@@ -0,0 +1,39 @@
+From 1e5d5fbf3f18d0c4b534c431fa71c065ee048a63 Mon Sep 17 00:00:00 2001
+From: "Zawawi, Muhammad Zul Husni"
+Date: Thu, 20 Nov 2025 15:27:35 +0800
+Subject: [PATCH] drm/i915: Do not advertise about CCS
+
+Do not advertise CCS is available for
+selected platforms (DG1,TGL,ADL-S/P)
+as CCS is not actually functional on those.
+
+Signed-off-by: Dongwon Kim
+Signed-off-by: Zawawi, Muhammad Zul Husni
+---
+ drivers/gpu/drm/i915/i915_query.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/i915_query.c b/drivers/gpu/drm/i915/i915_query.c
+index 7c6669cc4c96..72201c8d9ecd 100644
+--- a/drivers/gpu/drm/i915/i915_query.c
++++ b/drivers/gpu/drm/i915/i915_query.c
+@@ -159,6 +159,16 @@ query_engine_info(struct drm_i915_private *i915,
+ info_ptr = &query_ptr->engines[0];
+
+ for_each_uabi_engine(engine, i915) {
++ /* Do not advertise CCS is available for selected platforms
++ * as CCS is not actually functional on those.
++ */
++ if ((INTEL_INFO(i915)->platform == INTEL_DG1 ||
++ INTEL_INFO(i915)->platform == INTEL_TIGERLAKE ||
++ INTEL_INFO(i915)->platform == INTEL_ALDERLAKE_S ||
++ INTEL_INFO(i915)->platform == INTEL_ALDERLAKE_P) &&
++ engine->uabi_class == I915_ENGINE_CLASS_COMPUTE)
++ continue;
++
+ info.engine.engine_class = engine->uabi_class;
+ info.engine.engine_instance = engine->uabi_instance;
+ info.flags = I915_ENGINE_INFO_HAS_LOGICAL_INSTANCE;
+--
+2.43.0
+
diff --git a/SPECS/kernel/0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm b/SPECS/kernel/0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm
new file mode 100644
index 0000000000..03ecdf9d52
--- /dev/null
+++ b/SPECS/kernel/0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm
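Review bot: The engine count and length that `query_engine_info` reports may no longer match the entries it writes, because the `continue` added at the top of the `for_each_uabi_engine` loop skips compute-class engines only at copy-out time. The function starts and ends outside this hunk, so this is inferred: if the buffer size is computed earlier from every uabi engine, callers on DG1/TGL/ADL-S/P would be told a size larger than the data actually filled in. The same predicate should be applied wherever the engines are counted, and since the platform test does not depend on `engine` it can be hoisted once before the loop, e.g. `const bool hide_ccs = IS_DG1(i915) || IS_TIGERLAKE(i915) || IS_ALDERLAKE_S(i915) || IS_ALDERLAKE_P(i915);` followed by `if (hide_ccs && engine->uabi_class == I915_ENGINE_CLASS_COMPUTE) continue;`. The block comment would also do well to say that this only filters what the query reports and is not what prevents use of the compute class, which this hunk does not touch.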
@@ -0,0 +1,37 @@
+From 22bfa1d0a8bacb0b9a80e92f5e6920ff4204c7bc Mon Sep 17 00:00:00 2001
+From: "Mazlan, Hazwan Arif"
+Date: Tue, 4 Nov 2025 13:22:44 +0800
+Subject: [PATCH] i915/gt: Upgrade GuC 70.44.1 => 70.49.4
+
+FW Upstream: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
+FW Upstream commit: 20251021&id=20cf22e50252d63cfd0d06b5026c21b7a77ad821
+
+Signed-off-by: Mazlan, Hazwan Arif
+---
+ drivers/gpu/drm/i915/gt/uc/intel_uc_fw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_uc_fw.c b/drivers/gpu/drm/i915/gt/uc/intel_uc_fw.c
+index 86afc6d175c48..5005b45f0dace 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_uc_fw.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_uc_fw.c
+@@ -88,12 +88,12 @@ void intel_uc_fw_change_status(struct intel_uc_fw *uc_fw,
+ * security fixes, etc. to be enabled.
+ */
+ #define INTEL_GUC_FIRMWARE_DEFS(fw_def, guc_maj, guc_mmp) \
+- fw_def(METEORLAKE, 0, guc_maj(mtl, 70, 44, 1)) \
+- fw_def(DG2, 0, guc_maj(dg2, 70, 44, 1)) \
+- fw_def(ALDERLAKE_P, 0, guc_maj(adlp, 70, 44, 1)) \
++ fw_def(METEORLAKE, 0, guc_maj(mtl, 70, 49, 4)) \
++ fw_def(DG2, 0, guc_maj(dg2, 70, 49, 4)) \
++ fw_def(ALDERLAKE_P, 0, guc_maj(adlp, 70, 49, 4)) \
+ fw_def(ALDERLAKE_P, 0, guc_mmp(adlp, 70, 1, 1)) \
+ fw_def(ALDERLAKE_P, 0, guc_mmp(adlp, 69, 0, 3)) \
+- fw_def(ALDERLAKE_S, 0, guc_maj(tgl, 70, 44, 1)) \
++ fw_def(ALDERLAKE_S, 0, guc_maj(tgl, 70, 49, 4)) \
+ fw_def(ALDERLAKE_S, 0, guc_mmp(tgl, 70, 1, 1)) \
+ fw_def(ALDERLAKE_S, 0, guc_mmp(tgl, 69, 0, 3)) \
+ fw_def(DG1, 0, guc_maj(dg1, 70, 5, 1)) \
+--
+2.43.0
+
diff --git a/SPECS/kernel/0002-EDAC-igen6-Add-polling-support.edac b/SPECS/kernel/0002-EDAC-igen6-Add-polling-support.edac
new file mode 100644
index 0000000000..0dfea740e0
--- /dev/null
+++ b/SPECS/kernel/0002-EDAC-igen6-Add-polling-support.edac
@@ -0,0 +1,93 @@
+From c008b6393fbc6d5b748162907dc84e260c7b1922 Mon Sep 17 00:00:00 2001
+From: Orange Kao
+Date: Wed, 6 Nov 2024 11:35:46 +0000
+Subject: [PATCH 2/6] EDAC/igen6: Add polling support
+
+Some PCs with Intel N100 (with PCI device 8086:461c, DID_ADL_N_SKU4)
+experienced issues with error interrupts not working, even with the
+following configuration in the BIOS.
+
+ In-Band ECC Support: Enabled
+ In-Band ECC Operation Mode: 2 (make all requests protected and
+ ignore range checks)
+ IBECC Error Injection Control: Inject Correctable Error on insertion
+ counter
+ Error Injection Insertion Count: 251658240 (0xf000000)
+
+Add polling mode support for these machines to ensure that memory error
+events are handled.
+
+Signed-off-by: Orange Kao
+Signed-off-by: Tony Luck
+Reviewed-by: Qiuxu Zhuo
+Link: https://lore.kernel.org/all/20241106114024.941659-3-orange@aiven.io
+---
+ drivers/edac/igen6_edac.c | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c
+index 0524b83c8ab335..da89cb0d4df42c 100644
+--- a/drivers/edac/igen6_edac.c
++++ b/drivers/edac/igen6_edac.c
+@@ -1209,6 +1209,20 @@ static int igen6_pci_setup(struct pci_dev *pdev, u64 *mchbar)
+ return -ENODEV;
+ }
+
++static void igen6_check(struct mem_ctl_info *mci)
++{
++ struct igen6_imc *imc = mci->pvt_info;
++ u64 ecclog;
++
++ /* errsts_clear() isn't NMI-safe. Delay it in the IRQ context */
++ ecclog = ecclog_read_and_clear(imc);
++ if (!ecclog)
++ return;
++
++ if (!ecclog_gen_pool_add(imc->mc, ecclog))
++ irq_work_queue(&ecclog_irq_work);
++}
++
+ static int igen6_register_mci(int mc, u64 mchbar, struct pci_dev *pdev)
+ {
+ struct edac_mc_layer layers[2];
+@@ -1250,6 +1264,8 @@ static int igen6_register_mci(int mc, u64 mchbar, struct pci_dev *pdev)
+ mci->edac_cap = EDAC_FLAG_SECDED;
+ mci->mod_name = EDAC_MOD_STR;
+ mci->dev_name = pci_name(pdev);
++ if (edac_op_state == EDAC_OPSTATE_POLL)
++ mci->edac_check = igen6_check;
+ mci->pvt_info = &igen6_pvt->imc[mc];
+
+ imc = mci->pvt_info;
+@@ -1389,8 +1405,18 @@ static void unregister_err_handler(void)
+ unregister_nmi_handler(NMI_SERR, IGEN6_NMI_NAME);
+ }
+
+-static void opstate_set(struct res_config *cfg)
++static void opstate_set(struct res_config *cfg, const struct pci_device_id *ent)
+ {
++ /*
++ * Quirk: Certain SoCs' error reporting interrupts don't work.
++ * Force polling mode for them to ensure that memory error
++ * events can be handled.
++ */
++ if (ent->device == DID_ADL_N_SKU4) {
++ edac_op_state = EDAC_OPSTATE_POLL;
++ return;
++ }
++
+ /* Set the mode according to the configuration data. */
+ if (cfg->machine_check)
+ edac_op_state = EDAC_OPSTATE_INT;
+@@ -1415,7 +1441,7 @@ static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (rc)
+ goto fail;
+
+- opstate_set(res_cfg);
++ opstate_set(res_cfg, ent);
+
+ for (i = 0; i < res_cfg->num_imc; i++) {
+ rc = igen6_register_mci(i, mchbar, pdev);
+--
+2.43.0
+
diff --git a/SPECS/kernel/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac b/SPECS/kernel/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac
new file mode 100644
index 0000000000..a29eec1fe3
--- /dev/null
+++ b/SPECS/kernel/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac
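Review bot: The comment in the new `igen6_check()`, `errsts_clear() isn't NMI-safe. Delay it in the IRQ context`, does not describe this caller: the function is installed as `mci->edac_check` only when `edac_op_state == EDAC_OPSTATE_POLL`, so as far as the hunk shows it is a polling callback rather than an NMI handler. I would reword it to something like `/* Polling path: queue the log and let ecclog_irq_work handle it. */`. In `opstate_set()` the `DID_ADL_N_SKU4` quirk returns before `cfg->machine_check` is read, so it is worth a short comment on whether the NMI/machine-check handlers are still registered in polling mode; that registration is outside the hunk.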
@@ -0,0 +1,61 @@
+From 22e60a53039e0f951345db05219e78e18f3f0870 Mon Sep 17 00:00:00 2001
+From: Qiuxu Zhuo
+Date: Wed, 12 Feb 2025 16:33:54 +0800
+Subject: [PATCH 3/6] EDAC/igen6: Fix the flood of invalid error reports
+
+The ECC_ERROR_LOG register of certain SoCs may contain the invalid value
+~0, which results in a flood of invalid error reports in polling mode.
+
+Fix the flood of invalid error reports by skipping the invalid ECC error
+log value ~0.
+
+Fixes: e14232afa944 ("EDAC/igen6: Add polling support")
+Reported-by: Ramses
+Closes: https://lore.kernel.org/all/OISL8Rv--F-9@well-founded.dev/
+Tested-by: Ramses
+Reported-by: John
+Closes: https://lore.kernel.org/all/p5YcxOE6M3Ncxpn2-Ia_wCt61EM4LwIiN3LroQvT_-G2jMrFDSOW5k2A9D8UUzD2toGpQBN1eI0sL5dSKnkO8iteZegLoQEj-DwQaMhGx4A=@proton.me/
+Tested-by: John
+Signed-off-by: Qiuxu Zhuo
+Signed-off-by: Tony Luck
+Link: https://lore.kernel.org/r/20250212083354.31919-1-qiuxu.zhuo@intel.com
+---
+ drivers/edac/igen6_edac.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c
+index da89cb0d4df42c..4c54de702156a4 100644
+--- a/drivers/edac/igen6_edac.c
++++ b/drivers/edac/igen6_edac.c
+@@ -816,13 +816,22 @@ static u64 ecclog_read_and_clear(struct igen6_imc *imc)
+ {
+ u64 ecclog = readq(imc->window + ECC_ERROR_LOG_OFFSET);
+
+- if (ecclog & (ECC_ERROR_LOG_CE | ECC_ERROR_LOG_UE)) {
+- /* Clear CE/UE bits by writing 1s */
+- writeq(ecclog, imc->window + ECC_ERROR_LOG_OFFSET);
+- return ecclog;
+- }
++ /*
++ * Quirk: The ECC_ERROR_LOG register of certain SoCs may contain
++ * the invalid value ~0. This will result in a flood of invalid
++ * error reports in polling mode. Skip it.
++ */
++ if (ecclog == ~0)
++ return 0;
+
+- return 0;
++ /* Neither a CE nor a UE.
Skip it.*/ ++ if (!(ecclog & (ECC_ERROR_LOG_CE | ECC_ERROR_LOG_UE))) ++ return 0; ++ ++ /* Clear CE/UE bits by writing 1s */ ++ writeq(ecclog, imc->window + ECC_ERROR_LOG_OFFSET); ++ ++ return ecclog; + } + + static void errsts_clear(struct igen6_imc *imc) +-- +2.43.0 + diff --git a/SPECS/kernel/0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan b/SPECS/kernel/0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan index a3ea64e517..c6cf6f0f5f 100644 --- a/SPECS/kernel/0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan +++ b/SPECS/kernel/0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan @@ -23,11 +23,11 @@ Signed-off-by: Daniele Palmas drivers/bus/mhi/host/pm.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) -diff --git a/drivers/bus/mhi/host/internal.h b/drivers/bus/mhi/host/internal.h -index d057e877932e3..304870cb7611e 100644 +Index: b/drivers/bus/mhi/host/internal.h +=================================================================== --- a/drivers/bus/mhi/host/internal.h +++ b/drivers/bus/mhi/host/internal.h -@@ -67,7 +67,7 @@ extern const char * const mhi_ee_str[MHI_EE_MAX]; +@@ -67,7 +67,7 @@ extern const char * const mhi_ee_str[MHI #define MHI_IN_PBL(ee) (ee == MHI_EE_PBL || ee == MHI_EE_PTHRU || \ ee == MHI_EE_EDL) @@ -36,16 +36,16 @@ index d057e877932e3..304870cb7611e 100644 #define MHI_FW_LOAD_CAPABLE(ee) (ee == MHI_EE_PBL || ee == MHI_EE_EDL) #define MHI_IN_MISSION_MODE(ee) (ee == MHI_EE_AMSS || ee == MHI_EE_WFW || \ ee == MHI_EE_FP) -diff --git a/drivers/bus/mhi/host/pm.c b/drivers/bus/mhi/host/pm.c -index 11c0e751f2239..a69d21075e98a 100644 +Index: b/drivers/bus/mhi/host/pm.c +=================================================================== --- a/drivers/bus/mhi/host/pm.c 
+++ b/drivers/bus/mhi/host/pm.c -@@ -1263,10 +1263,11 @@ int mhi_sync_power_up(struct mhi_controller *mhi_cntrl) +@@ -1279,10 +1279,11 @@ int mhi_sync_power_up(struct mhi_control mhi_cntrl->ready_timeout_ms : mhi_cntrl->timeout_ms; wait_event_timeout(mhi_cntrl->state_event, MHI_IN_MISSION_MODE(mhi_cntrl->ee) || + mhi_cntrl->ee == MHI_EE_SBL || - MHI_PM_IN_ERROR_STATE(mhi_cntrl->pm_state), + MHI_PM_FATAL_ERROR(mhi_cntrl->pm_state), msecs_to_jiffies(timeout_ms)); - ret = (MHI_IN_MISSION_MODE(mhi_cntrl->ee)) ? 0 : -ETIMEDOUT; @@ -53,6 +53,3 @@ index 11c0e751f2239..a69d21075e98a 100644 if (ret) mhi_power_down(mhi_cntrl, false); --- -2.25.1 - diff --git a/SPECS/kernel/0004-EDAC-igen6-Constify-struct-res_config.edac b/SPECS/kernel/0004-EDAC-igen6-Constify-struct-res_config.edac new file mode 100644 index 0000000000..1eb9359c2b --- /dev/null +++ b/SPECS/kernel/0004-EDAC-igen6-Constify-struct-res_config.edac 
@@ -0,0 +1,128 @@
+From c9cf3881dd7a5eaa109433910b2c6af77a80ce7e Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Fri, 31 Jan 2025 21:27:02 +0100
+Subject: [PATCH 4/6] EDAC/igen6: Constify struct res_config
+
+The res_config structs are not modified in this driver.
+
+Constifying these structures moves some data to a read-only section, so
+increase overall security, especially when the structure holds some function
+pointers.
+
+On a x86_64, with allmodconfig, as an example:
+
+ Before:
+ ======
+ text data bss dec hex filename
+ 36777 2479 4304 43560 aa28 drivers/edac/igen6_edac.o
+
+ After:
+ =====
+ text data bss dec hex filename
+ 37297 1959 4304 43560 aa28 drivers/edac/igen6_edac.o
+
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Borislav Petkov (AMD)
+Reviewed-by: Qiuxu Zhuo
+Link: https://lore.kernel.org/r/a06153870951a64b438e76adf97d440e02c1a1fc.1738355198.git.christophe.jaillet@wanadoo.fr
+---
+ drivers/edac/igen6_edac.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c
+index 4c54de702156a4..f1f996894a8fc3 100644
+--- a/drivers/edac/igen6_edac.c
++++ b/drivers/edac/igen6_edac.c
+@@ -126,7 +126,7 @@
+ #define MEM_SLICE_HASH_MASK(v) (GET_BITFIELD(v, 6, 19) << 6)
+ #define MEM_SLICE_HASH_LSB_MASK_BIT(v) GET_BITFIELD(v, 24, 26)
+
+-static struct res_config {
++static const struct res_config {
+ bool machine_check;
+ int num_imc;
+ u32 imc_base;
+@@ -478,7 +478,7 @@ static u64 rpl_p_err_addr(u64 ecclog)
+ return ECC_ERROR_LOG_ADDR45(ecclog);
+ }
+
+-static struct res_config ehl_cfg = {
++static const struct res_config ehl_cfg = {
+ .num_imc = 1,
+ .imc_base = 0x5000,
+ .ibecc_base = 0xdc00,
+@@ -488,7 +488,7 @@ static struct res_config ehl_cfg = {
+ .err_addr_to_imc_addr = ehl_err_addr_to_imc_addr,
+ };
+
+-static struct res_config icl_cfg = {
++static const struct res_config icl_cfg = {
+ .num_imc = 1,
+ .imc_base = 0x5000,
+ .ibecc_base = 0xd800,
+@@ -498,7 +498,7 @@ static struct res_config icl_cfg = {
+ .err_addr_to_imc_addr = ehl_err_addr_to_imc_addr,
+ };
+
+-static struct res_config tgl_cfg = {
++static const struct res_config tgl_cfg = {
+ .machine_check = true,
+ .num_imc = 2,
+ .imc_base = 0x5000,
+@@ -512,7 +512,7 @@ static struct res_config tgl_cfg = {
+ .err_addr_to_imc_addr = tgl_err_addr_to_imc_addr,
+ };
+
+-static struct res_config adl_cfg = {
++static const struct res_config adl_cfg = {
+ .machine_check = true,
+ .num_imc = 2,
+ .imc_base = 0xd800,
+@@ -523,7 +523,7 @@ static struct res_config adl_cfg = {
+ .err_addr_to_imc_addr = adl_err_addr_to_imc_addr,
+ };
+
+-static struct res_config adl_n_cfg = {
++static const struct res_config adl_n_cfg = {
+ .machine_check = true,
+ .num_imc = 1,
+ .imc_base = 0xd800,
+@@ -534,7 +534,7 @@ static struct res_config adl_n_cfg = {
+ .err_addr_to_imc_addr = adl_err_addr_to_imc_addr,
+ };
+
+-static struct res_config rpl_p_cfg = {
++static const struct res_config rpl_p_cfg = {
+ .machine_check = true,
+ .num_imc = 2,
+ .imc_base = 0xd800,
+@@ -546,7 +546,7 @@ static struct res_config rpl_p_cfg = {
+ .err_addr_to_imc_addr = adl_err_addr_to_imc_addr,
+ };
+
+-static struct res_config mtl_ps_cfg = {
++static const struct res_config mtl_ps_cfg = {
+ .machine_check = true,
+ .num_imc = 2,
+ .imc_base = 0xd800,
+@@ -557,7 +557,7 @@ static struct res_config mtl_ps_cfg = {
+ .err_addr_to_imc_addr = adl_err_addr_to_imc_addr,
+ };
+
+-static struct res_config mtl_p_cfg = {
++static const struct res_config mtl_p_cfg = {
+ .machine_check = true,
+ .num_imc = 2,
+ .imc_base = 0xd800,
+@@ -1414,7 +1414,7 @@ static void unregister_err_handler(void)
+ unregister_nmi_handler(NMI_SERR, IGEN6_NMI_NAME);
+ }
+
+-static void opstate_set(struct res_config *cfg, const struct pci_device_id *ent)
++static void opstate_set(const struct res_config *cfg, const struct pci_device_id *ent)
+ {
+ /*
+ * Quirk: Certain SoCs' error reporting interrupts don't work.
+--
+2.43.0
+
diff --git a/SPECS/kernel/0005-EDAC-igen6-Skip-absent-memory-controllers.edac b/SPECS/kernel/0005-EDAC-igen6-Skip-absent-memory-controllers.edac
new file mode 100644
index 0000000000..ede566998f
--- /dev/null
+++ b/SPECS/kernel/0005-EDAC-igen6-Skip-absent-memory-controllers.edac
@@ -0,0 +1,154 @@
+From e0bff20645871be982bce78d3ae11dbad92af0e7 Mon Sep 17 00:00:00 2001
+From: Qiuxu Zhuo
+Date: Tue, 8 Apr 2025 21:24:53 +0800
+Subject: [PATCH 5/6] EDAC/igen6: Skip absent memory controllers
+
+Some BIOS versions may fuse off certain memory controllers and set the
+registers of these absent memory controllers to ~0. The current igen6_edac
+mistakenly enumerates these absent memory controllers and registers them
+with the EDAC core.
+
+Skip the absent memory controllers to avoid mistakenly enumerating them.
+
+Signed-off-by: Qiuxu Zhuo
+Signed-off-by: Tony Luck
+Link: https://lore.kernel.org/r/20250408132455.489046-2-qiuxu.zhuo@intel.com
+---
+ drivers/edac/igen6_edac.c | 78 +++++++++++++++++++++++++++++++--------
+ 1 file changed, 62 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c
+index f1f996894a8fc3..19e6a55a2fbb61 100644
+--- a/drivers/edac/igen6_edac.c
++++ b/drivers/edac/igen6_edac.c
+@@ -128,6 +128,7 @@
+
+ static const struct res_config {
+ bool machine_check;
++ /* The number of present memory controllers. */
+ int num_imc;
+ u32 imc_base;
+ u32 cmf_base;
+@@ -1232,23 +1233,21 @@ static void igen6_check(struct mem_ctl_info *mci)
+ irq_work_queue(&ecclog_irq_work);
+ }
+
+-static int igen6_register_mci(int mc, u64 mchbar, struct pci_dev *pdev)
++/* Check whether the memory controller is absent. */
++static bool igen6_imc_absent(void __iomem *window)
++{
++ return readl(window + MAD_INTER_CHANNEL_OFFSET) == ~0;
++}
++
++static int igen6_register_mci(int mc, void __iomem *window, struct pci_dev *pdev)
+ {
+ struct edac_mc_layer layers[2];
+ struct mem_ctl_info *mci;
+ struct igen6_imc *imc;
+- void __iomem *window;
+ int rc;
+
+ edac_dbg(2, "\n");
+
+- mchbar += mc * MCHBAR_SIZE;
+- window = ioremap(mchbar, MCHBAR_SIZE);
+- if (!window) {
+- igen6_printk(KERN_ERR, "Failed to ioremap 0x%llx\n", mchbar);
+- return -ENODEV;
+- }
+-
+ layers[0].type = EDAC_MC_LAYER_CHANNEL;
+ layers[0].size = NUM_CHANNELS;
+ layers[0].is_virt_csrow = false;
+@@ -1314,7 +1313,6 @@ static int igen6_register_mci(int mc, u64 mchbar, struct pci_dev *pdev)
+ fail2:
+ edac_mc_free(mci);
+ fail:
+- iounmap(window);
+ return rc;
+ }
+
+@@ -1340,6 +1338,56 @@ static void igen6_unregister_mcis(void)
+ }
+ }
+
++static int igen6_register_mcis(struct pci_dev *pdev, u64 mchbar)
++{
++ void __iomem *window;
++ int lmc, pmc, rc;
++ u64 base;
++
++ for (lmc = 0, pmc = 0; pmc < NUM_IMC; pmc++) {
++ base = mchbar + pmc * MCHBAR_SIZE;
++ window = ioremap(base, MCHBAR_SIZE);
++ if (!window) {
++ igen6_printk(KERN_ERR, "Failed to ioremap 0x%llx for mc%d\n", base, pmc);
++ rc = -ENOMEM;
++ goto out_unregister_mcis;
++ }
++
++ if (igen6_imc_absent(window)) {
++ iounmap(window);
++ edac_dbg(2, "Skip absent mc%d\n", pmc);
++ continue;
++ }
++
++ rc = igen6_register_mci(lmc, window, pdev);
++ if (rc)
++ goto out_iounmap;
++
++ /* Done, if all present MCs are detected and registered. */
++ if (++lmc >= res_cfg->num_imc)
++ break;
++ }
++
++ if (!lmc) {
++ igen6_printk(KERN_ERR, "No mc found.\n");
++ return -ENODEV;
++ }
++
++ if (lmc < res_cfg->num_imc)
++ igen6_printk(KERN_WARNING, "Expected %d mcs, but only %d detected.",
++ res_cfg->num_imc, lmc);
++
++ return 0;
++
++out_iounmap:
++ iounmap(window);
++
++out_unregister_mcis:
++ igen6_unregister_mcis();
++
++ return rc;
++}
++
+ static int igen6_mem_slice_setup(u64 mchbar)
+ {
+ struct igen6_imc *imc = &igen6_pvt->imc[0];
+@@ -1436,7 +1484,7 @@ static void opstate_set(const struct res_config *cfg, const struct pci_device_id
+ static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+ u64 mchbar;
+- int i, rc;
++ int rc;
+
+ edac_dbg(2, "\n");
+
+@@ -1452,11 +1500,9 @@ static int igen6_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ opstate_set(res_cfg, ent);
+
+- for (i = 0; i < res_cfg->num_imc; i++) {
+- rc = igen6_register_mci(i, mchbar, pdev);
+- if (rc)
+- goto fail2;
+- }
++ rc = igen6_register_mcis(pdev, mchbar);
++ if (rc)
++ goto fail;
+
+ if (res_cfg->num_imc > 1) {
+ rc = igen6_mem_slice_setup(mchbar);
+--
+2.43.0
+
diff --git a/SPECS/kernel/0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac b/SPECS/kernel/0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac
new file mode 100644
index 0000000000..f6a14ffacc
--- /dev/null
+++ b/SPECS/kernel/0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac
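Review bot: In `igen6_register_mcis()` the `KERN_WARNING` string `"Expected %d mcs, but only %d detected."` is the only `igen6_printk()` message in the hunk without a trailing newline; it should read `"Expected %d mcs, but only %d detected.\n"`. The same unterminated string is carried as context in patch 6/6.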
@@ -0,0 +1,154 @@
+From 292e6af510a558ecd012343f11ef200ecc800bf3 Mon Sep 17 00:00:00 2001
+From: Qiuxu Zhuo
+Date: Thu, 19 Jun 2025 00:23:06 +0800
+Subject: [PATCH 6/6] EDAC/igen6: Fix NULL pointer dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A kernel panic was reported with the following kernel log:
+
+ EDAC igen6: Expected 2 mcs, but only 1 detected.
+ BUG: unable to handle page fault for address: 000000000000d570
+ ...
+ Hardware name: Notebook V54x_6x_TU/V54x_6x_TU, BIOS Dasharo (coreboot+UEFI) v0.9.0 07/17/2024
+ RIP: e030:ecclog_handler+0x7e/0xf0 [igen6_edac]
+ ...
+ igen6_probe+0x2a0/0x343 [igen6_edac]
+ ...
+ igen6_init+0xc5/0xff0 [igen6_edac]
+ ...
+
+This issue occurred because one memory controller was disabled by
+the BIOS but the igen6_edac driver still checked all the memory
+controllers, including this absent one, to identify the source of
+the error. Accessing the null MMIO for the absent memory controller
+resulted in the oops above.
+
+Fix this issue by reverting the configuration structure to non-const
+and updating the field 'res_cfg->num_imc' to reflect the number of
+detected memory controllers.
+
+Fixes: 20e190b1c1fd ("EDAC/igen6: Skip absent memory controllers")
+Reported-by: Marek Marczykowski-Górecki
+Closes: https://lore.kernel.org/all/aFFN7RlXkaK_loQb@mail-itl/
+Suggested-by: Borislav Petkov
+Signed-off-by: Qiuxu Zhuo
+Signed-off-by: Tony Luck
+Signed-off-by: Borislav Petkov (AMD)
+Tested-by: Marek Marczykowski-Górecki
+Link: https://lore.kernel.org/r/20250618162307.1523736-1-qiuxu.zhuo@intel.com
+---
+ drivers/edac/igen6_edac.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c
+index 19e6a55a2fbb61..4b343fea285122 100644
+--- a/drivers/edac/igen6_edac.c
++++ b/drivers/edac/igen6_edac.c
+@@ -126,7 +126,7 @@
+ #define MEM_SLICE_HASH_MASK(v) (GET_BITFIELD(v, 6, 19) << 6)
+ #define MEM_SLICE_HASH_LSB_MASK_BIT(v) GET_BITFIELD(v, 24, 26)
+
+-static const struct res_config {
++static struct res_config {
+ bool machine_check;
+ /* The number of present memory controllers. */
+ int num_imc;
+@@ -479,7 +479,7 @@ static u64 rpl_p_err_addr(u64 ecclog)
+ return ECC_ERROR_LOG_ADDR45(ecclog);
+ }
+
+-static const struct res_config ehl_cfg = {
++static struct res_config ehl_cfg = {
+ .num_imc = 1,
+ .imc_base = 0x5000,
+ .ibecc_base = 0xdc00,
+@@ -489,7 +489,7 @@ static const struct res_config ehl_cfg = {
+ .err_addr_to_imc_addr = ehl_err_addr_to_imc_addr,
+ };
+
+-static const struct res_config icl_cfg = {
++static struct res_config icl_cfg = {
+ .num_imc = 1,
+ .imc_base = 0x5000,
+ .ibecc_base = 0xd800,
+@@ -499,7 +499,7 @@ static const struct res_config icl_cfg = {
+ .err_addr_to_imc_addr = ehl_err_addr_to_imc_addr,
+ };
+
+-static const struct res_config tgl_cfg = {
++static struct res_config tgl_cfg = {
+ .machine_check = true,
+ .num_imc = 2,
+ .imc_base = 0x5000,
+@@ -513,7 +513,7 @@ static const struct res_config tgl_cfg = {
+ .err_addr_to_imc_addr = tgl_err_addr_to_imc_addr,
+ };
+
+-static const struct res_config adl_cfg = {
++static struct res_config adl_cfg = {
+ .machine_check = true,
+ .num_imc = 2,
+ .imc_base = 0xd800,
+@@ -524,7 +524,7 @@ static const struct res_config adl_cfg = {
+ .err_addr_to_imc_addr = adl_err_addr_to_imc_addr,
+ };
+
+-static const struct res_config adl_n_cfg = {
++static struct res_config adl_n_cfg = {
+ .machine_check = true,
+ .num_imc = 1,
+ .imc_base = 0xd800,
+@@ -535,7 +535,7 @@ static const struct res_config adl_n_cfg = {
+ .err_addr_to_imc_addr = adl_err_addr_to_imc_addr,
+ };
+
+-static const struct res_config rpl_p_cfg = {
++static struct res_config rpl_p_cfg = {
+ .machine_check = true,
+ .num_imc = 2,
+ .imc_base = 0xd800,
+@@ -547,7 +547,7 @@ static const struct res_config rpl_p_cfg = {
+ .err_addr_to_imc_addr = adl_err_addr_to_imc_addr,
+ };
+
+-static const struct res_config mtl_ps_cfg = {
++static struct res_config mtl_ps_cfg = {
+ .machine_check = true,
+ .num_imc = 2,
+ .imc_base = 0xd800,
+@@ -558,7 +558,7 @@ static const struct res_config mtl_ps_cfg = {
+ .err_addr_to_imc_addr = adl_err_addr_to_imc_addr,
+ };
+
+-static const struct res_config mtl_p_cfg = {
++static struct res_config mtl_p_cfg = {
+ .machine_check = true,
+ .num_imc = 2,
+ .imc_base = 0xd800,
+@@ -569,7 +569,7 @@ static const struct res_config mtl_p_cfg = {
+ .err_addr_to_imc_addr = adl_err_addr_to_imc_addr,
+ };
+
+-static const struct pci_device_id igen6_pci_tbl[] = {
++static struct pci_device_id igen6_pci_tbl[] = {
+ { PCI_VDEVICE(INTEL, DID_EHL_SKU5), (kernel_ulong_t)&ehl_cfg },
+ { PCI_VDEVICE(INTEL, DID_EHL_SKU6), (kernel_ulong_t)&ehl_cfg },
+ { PCI_VDEVICE(INTEL, DID_EHL_SKU7), (kernel_ulong_t)&ehl_cfg },
+@@ -1373,9 +1373,11 @@ static int igen6_register_mcis(struct pci_dev *pdev, u64 mchbar)
+ return -ENODEV;
+ }
+
+- if (lmc < res_cfg->num_imc)
++ if (lmc < res_cfg->num_imc) {
+ igen6_printk(KERN_WARNING, "Expected %d mcs, but only %d detected.",
+ res_cfg->num_imc, lmc);
++ res_cfg->num_imc = lmc;
++ }
+
+ return 0;
+
+--
+2.43.0
+
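Review bot: Removing `const` from every `res_config` instance and from `igen6_pci_tbl` gives up the read-only placement that patch 4/6 of this series introduced for these function-pointer-bearing tables, in order to store one detected count. The only write in the hunk is `res_cfg->num_imc = lmc;`, so the count could instead be kept in driver-private state with the tables left `const`; nothing visible here writes to `igen6_pci_tbl`, so its `const` can probably stay in any case. If the upstream form is kept to ease rebasing, add a comment above `static struct res_config {` such as `/* Not const: num_imc is lowered at probe time when a controller is absent. */`.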
diff --git a/SPECS/kernel/0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan b/SPECS/kernel/0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan index dc98c07bbe..66ca2d21b5 100644 --- a/SPECS/kernel/0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan +++ b/SPECS/kernel/0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan @@ -9,11 +9,11 @@ This reverts commit 32f346ee23bcf98937fab2356321563d1640c839. drivers/bus/mhi/host/pm.c | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) -diff --git a/drivers/bus/mhi/host/internal.h b/drivers/bus/mhi/host/internal.h -index 304870cb7611e..d057e877932e3 100644 +Index: b/drivers/bus/mhi/host/internal.h +=================================================================== --- a/drivers/bus/mhi/host/internal.h +++ b/drivers/bus/mhi/host/internal.h -@@ -67,7 +67,7 @@ extern const char * const mhi_ee_str[MHI_EE_MAX]; +@@ -67,7 +67,7 @@ extern const char * const mhi_ee_str[MHI #define MHI_IN_PBL(ee) (ee == MHI_EE_PBL || ee == MHI_EE_PTHRU || \ ee == MHI_EE_EDL) @@ -22,16 +22,16 @@ index 304870cb7611e..d057e877932e3 100644 #define MHI_FW_LOAD_CAPABLE(ee) (ee == MHI_EE_PBL || ee == MHI_EE_EDL) #define MHI_IN_MISSION_MODE(ee) (ee == MHI_EE_AMSS || ee == MHI_EE_WFW || \ ee == MHI_EE_FP) -diff --git a/drivers/bus/mhi/host/pm.c b/drivers/bus/mhi/host/pm.c -index a69d21075e98a..11c0e751f2239 100644 +Index: b/drivers/bus/mhi/host/pm.c +=================================================================== --- a/drivers/bus/mhi/host/pm.c 
+++ b/drivers/bus/mhi/host/pm.c -@@ -1263,11 +1263,10 @@ int mhi_sync_power_up(struct mhi_controller *mhi_cntrl) +@@ -1279,11 +1279,10 @@ int mhi_sync_power_up(struct mhi_control mhi_cntrl->ready_timeout_ms : mhi_cntrl->timeout_ms; wait_event_timeout(mhi_cntrl->state_event, MHI_IN_MISSION_MODE(mhi_cntrl->ee) || - mhi_cntrl->ee == MHI_EE_SBL || - MHI_PM_IN_ERROR_STATE(mhi_cntrl->pm_state), + MHI_PM_FATAL_ERROR(mhi_cntrl->pm_state), msecs_to_jiffies(timeout_ms)); - ret = (MHI_IN_MISSION_MODE(mhi_cntrl->ee) || mhi_cntrl->ee == MHI_EE_SBL) ? 0 : -ETIMEDOUT; @@ -39,6 +39,3 @@ index a69d21075e98a..11c0e751f2239 100644 if (ret) mhi_power_down(mhi_cntrl, false); --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2024-57995.patch b/SPECS/kernel/CVE-2024-57995.patch deleted file mode 100644 index adfc02f8ea..0000000000 --- a/SPECS/kernel/CVE-2024-57995.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From dc03b5a4900e8f87da9c82098fbc47adbad1dd65 Mon Sep 17 00:00:00 2001 -From: Aditya Kumar Singh -Date: Tue, 10 Dec 2024 10:56:33 +0530 -Subject: [PATCH 25/27] wifi: ath12k: fix read pointer after free in - ath12k_mac_assign_vif_to_vdev() - -In ath12k_mac_assign_vif_to_vdev(), if arvif is created on a different -radio, it gets deleted from that radio through a call to -ath12k_mac_unassign_link_vif(). This action frees the arvif pointer. -Subsequently, there is a check involving arvif, which will result in a -read-after-free scenario. - -Fix this by moving this check after arvif is again assigned via call to -ath12k_mac_assign_link_vif(). - -Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 - -Closes: https://scan5.scan.coverity.com/#/project-view/63541/10063?selectedIssue=1636423 -Fixes: b5068bc9180d ("wifi: ath12k: Cache vdev configs before vdev create") -Signed-off-by: Aditya Kumar Singh -Acked-by: Jeff Johnson -Acked-by: Kalle Valo -Link: https://patch.msgid.link/20241210-read_after_free-v1-1-969f69c7d66c@quicinc.com -Signed-off-by: Jeff Johnson ---- - drivers/net/wireless/ath/ath12k/mac.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c -index 7e902f63ce9a..f61e130ce5ab 100644 ---- a/drivers/net/wireless/ath/ath12k/mac.c -+++ b/drivers/net/wireless/ath/ath12k/mac.c -@@ -6735,15 +6735,15 @@ static struct ath12k *ath12k_mac_assign_vif_to_vdev(struct ieee80211_hw *hw, - - mutex_lock(&ar->conf_mutex); - -- if (arvif->is_created) -- goto flush; -- - if (vif->type == NL80211_IFTYPE_AP && - ar->num_peers > (ar->max_num_peers - 1)) { - ath12k_warn(ab, "failed to create vdev due to insufficient peer entry resource in firmware\n"); - goto unlock; - } - -+ if (arvif->is_created) -+ goto flush; -+ - if (ar->num_created_vdevs > (TARGET_NUM_VDEVS - 1)) { - ath12k_warn(ab, "failed to create vdev, reached max vdev limit %d\n", - 
TARGET_NUM_VDEVS); --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-22105-1.patch b/SPECS/kernel/CVE-2025-22105-1.patch deleted file mode 100644 index 0529cb2919..0000000000 --- a/SPECS/kernel/CVE-2025-22105-1.patch +++ /dev/null 
@@ -1,141 +0,0 @@ -From 2ad91123cc24d7ff8afa247fbddc5ff6c09300f3 Mon Sep 17 00:00:00 2001 -From: Wang Liang -Date: Fri, 21 Mar 2025 12:48:52 +0800 -Subject: [PATCH 2/2] bonding: check xdp prog when set bond mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Following operations can trigger a warning[1]: - - ip netns add ns1 - ip netns exec ns1 ip link add bond0 type bond mode balance-rr - ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp - ip netns exec ns1 ip link set bond0 type bond mode broadcast - ip netns del ns1 - -When delete the namespace, dev_xdp_uninstall() is called to remove xdp -program on bond dev, and bond_xdp_set() will check the bond mode. If bond -mode is changed after attaching xdp program, the warning may occur. - -Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode -with xdp program attached is not good. Add check for xdp program when set -bond mode. - - [1] - ------------[ cut here ]------------ - WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930 - Modules linked in: - CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 - Workqueue: netns cleanup_net - RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930 - Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ... 
- RSP: 0018:ffffc90000063d80 EFLAGS: 00000282 - RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff - RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48 - RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb - R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8 - R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000 - FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0 - Call Trace: - - ? __warn+0x83/0x130 - ? unregister_netdevice_many_notify+0x8d9/0x930 - ? report_bug+0x18e/0x1a0 - ? handle_bug+0x54/0x90 - ? exc_invalid_op+0x18/0x70 - ? asm_exc_invalid_op+0x1a/0x20 - ? unregister_netdevice_many_notify+0x8d9/0x930 - ? bond_net_exit_batch_rtnl+0x5c/0x90 - cleanup_net+0x237/0x3d0 - process_one_work+0x163/0x390 - worker_thread+0x293/0x3b0 - ? __pfx_worker_thread+0x10/0x10 - kthread+0xec/0x1e0 - ? __pfx_kthread+0x10/0x10 - ? __pfx_kthread+0x10/0x10 - ret_from_fork+0x2f/0x50 - ? 
__pfx_kthread+0x10/0x10 - ret_from_fork_asm+0x1a/0x30 - - ---[ end trace 0000000000000000 ]--- - -Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver") -Signed-off-by: Wang Liang -Acked-by: Jussi Maki -Reviewed-by: Nikolay Aleksandrov -Reviewed-by: Toke Høiland-Jørgensen -Link: https://patch.msgid.link/20250321044852.1086551-1-wangliang74@huawei.com -Signed-off-by: Jakub Kicinski ---- - drivers/net/bonding/bond_main.c | 8 ++++---- - drivers/net/bonding/bond_options.c | 3 +++ - include/net/bonding.h | 1 + - 3 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 56a55151b545..6c1909153806 100644 ---- a/drivers/net/bonding/bond_main.c -+++ b/drivers/net/bonding/bond_main.c -@@ -322,9 +322,9 @@ static bool bond_sk_check(struct bonding *bond) - } - } - --static bool bond_xdp_check(struct bonding *bond) -+bool bond_xdp_check(struct bonding *bond, int mode) - { -- switch (BOND_MODE(bond)) { -+ switch (mode) { - case BOND_MODE_ROUNDROBIN: - case BOND_MODE_ACTIVEBACKUP: - return true; -@@ -1928,7 +1928,7 @@ void bond_xdp_set_features(struct net_device *bond_dev) - - ASSERT_RTNL(); - -- if (!bond_xdp_check(bond) || !bond_has_slaves(bond)) { -+ if (!bond_xdp_check(bond, BOND_MODE(bond)) || !bond_has_slaves(bond)) { - xdp_clear_features_flag(bond_dev); - return; - } -@@ -5690,7 +5690,7 @@ static int bond_xdp_set(struct net_device *dev, struct bpf_prog *prog, - - ASSERT_RTNL(); - -- if (!bond_xdp_check(bond)) { -+ if (!bond_xdp_check(bond, BOND_MODE(bond))) { - BOND_NL_ERR(dev, extack, - "No native XDP support for the current bonding mode"); - return -EOPNOTSUPP; -diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c -index d1b095af253b..91893c29b899 100644 ---- a/drivers/net/bonding/bond_options.c -+++ b/drivers/net/bonding/bond_options.c -@@ -868,6 +868,9 @@ static bool bond_set_xfrm_features(struct bonding *bond) - static int 
bond_option_mode_set(struct bonding *bond, - const struct bond_opt_value *newval) - { -+ if (bond->xdp_prog && !bond_xdp_check(bond, newval->value)) -+ return -EOPNOTSUPP; -+ - if (!bond_mode_uses_arp(newval->value)) { - if (bond->params.arp_interval) { - netdev_dbg(bond->dev, "%s mode is incompatible with arp monitoring, start mii monitoring\n", -diff --git a/include/net/bonding.h b/include/net/bonding.h -index 8bb5f016969f..95f67b308c19 100644 ---- a/include/net/bonding.h -+++ b/include/net/bonding.h -@@ -695,6 +695,7 @@ void bond_debug_register(struct bonding *bond); - void bond_debug_unregister(struct bonding *bond); - void bond_debug_reregister(struct bonding *bond); - const char *bond_mode_name(int mode); -+bool bond_xdp_check(struct bonding *bond, int mode); - void bond_setup(struct net_device *bond_dev); - unsigned int bond_get_num_tx_queues(void); - int bond_netlink_init(void); --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-22105.patch b/SPECS/kernel/CVE-2025-22105.patch deleted file mode 100644 index 034bcc04fe..0000000000 --- a/SPECS/kernel/CVE-2025-22105.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 3a156e6b6ce88b058cafaba691db7b4d2cdbe75a Mon Sep 17 00:00:00 2001 -From: Hangbin Liu -Date: Mon, 21 Oct 2024 03:12:10 +0000 -Subject: [PATCH 1/2] bonding: return detailed error when loading native XDP - fails -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bonding only supports native XDP for specific modes, which can lead to -confusion for users regarding why XDP loads successfully at times and -fails at others. This patch enhances error handling by returning detailed -error messages, providing users with clearer insights into the specific -reasons for the failure when loading native XDP. - -Reviewed-by: Nikolay Aleksandrov -Reviewed-by: Toke Høiland-Jørgensen -Signed-off-by: Hangbin Liu -Link: https://patch.msgid.link/20241021031211.814-2-liuhangbin@gmail.com -Signed-off-by: Jakub Kicinski ---- - drivers/net/bonding/bond_main.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 4d73abae503d..56a55151b545 100644 ---- a/drivers/net/bonding/bond_main.c -+++ b/drivers/net/bonding/bond_main.c -@@ -5690,8 +5690,11 @@ static int bond_xdp_set(struct net_device *dev, struct bpf_prog *prog, - - ASSERT_RTNL(); - -- if (!bond_xdp_check(bond)) -+ if (!bond_xdp_check(bond)) { -+ BOND_NL_ERR(dev, extack, -+ "No native XDP support for the current bonding mode"); - return -EOPNOTSUPP; -+ } - - old_prog = bond->xdp_prog; - bond->xdp_prog = prog; --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-22121-1.patch b/SPECS/kernel/CVE-2025-22121-1.patch deleted file mode 100644 index 8b3a84f382..0000000000 --- a/SPECS/kernel/CVE-2025-22121-1.patch +++ /dev/null 
@@ -1,195 +0,0 @@ -From 22f2cf997cf0ca600a12b5d4999620c5e8c4bc83 Mon Sep 17 00:00:00 2001 -From: Ye Bin -Date: Sat, 8 Feb 2025 14:31:41 +0800 -Subject: [PATCH 2/2] ext4: fix out-of-bound read in - ext4_xattr_inode_dec_ref_all() - -There's issue as follows: -BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790 -Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 - -CPU: 3 PID: 15172 Comm: syz-executor.0 -Call Trace: - __dump_stack lib/dump_stack.c:82 [inline] - dump_stack+0xbe/0xfd lib/dump_stack.c:123 - print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 - __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 - kasan_report+0x3a/0x50 mm/kasan/report.c:585 - ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 - ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 - ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 - evict+0x39f/0x880 fs/inode.c:622 - iput_final fs/inode.c:1746 [inline] - iput fs/inode.c:1772 [inline] - iput+0x525/0x6c0 fs/inode.c:1758 - ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] - ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 - mount_bdev+0x355/0x410 fs/super.c:1446 - legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 - vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 - do_new_mount fs/namespace.c:2983 [inline] - path_mount+0x119a/0x1ad0 fs/namespace.c:3316 - do_mount+0xfc/0x110 fs/namespace.c:3329 - __do_sys_mount fs/namespace.c:3540 [inline] - __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 - do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 - entry_SYSCALL_64_after_hwframe+0x67/0xd1 - -Memory state around the buggy address: - ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ->ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff - ^ - ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff - ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff - -Above issue 
happens as ext4_xattr_delete_inode() isn't check xattr -is valid if xattr is in inode. -To solve above issue call xattr_check_inode() check if xattr if valid -in inode. In fact, we can directly verify in ext4_iget_extra_inode(), -so that there is no divergent verification. - -Fixes: e50e5129f384 ("ext4: xattr-in-inode support") -Signed-off-by: Ye Bin -Reviewed-by: Jan Kara -Link: https://patch.msgid.link/20250208063141.1539283-3-yebin@huaweicloud.com -Signed-off-by: Theodore Ts'o ---- - fs/ext4/inode.c | 5 +++++ - fs/ext4/xattr.c | 26 +------------------------- - fs/ext4/xattr.h | 7 +++++++ - 3 files changed, 13 insertions(+), 25 deletions(-) - -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index ffa6aa55a1a7..1ee5216c2e95 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -4650,6 +4650,11 @@ static inline int ext4_iget_extra_inode(struct inode *inode, - *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) { - int err; - -+ err = xattr_check_inode(inode, IHDR(inode, raw_inode), -+ ITAIL(inode, raw_inode)); -+ if (err) -+ return err; -+ - ext4_set_inode_state(inode, EXT4_STATE_XATTR); - err = ext4_find_inline_data_nolock(inode); - if (!err && ext4_has_inline_data(inode)) -diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index 7cdece4ea6fa..8ced9beba2f7 100644 ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -308,7 +308,7 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh, - __ext4_xattr_check_block((inode), (bh), __func__, __LINE__) - - --static inline int -+int - __xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header, - void *end, const char *function, unsigned int line) - { -@@ -316,9 +316,6 @@ __xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header, - function, line); - } - --#define xattr_check_inode(inode, header, end) \ -- __xattr_check_inode((inode), (header), (end), __func__, __LINE__) -- - static int - xattr_find_entry(struct inode *inode, struct ext4_xattr_entry **pentry, - void *end, int 
name_index, const char *name, int sorted) -@@ -650,9 +647,6 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); - end = ITAIL(inode, raw_inode); -- error = xattr_check_inode(inode, header, end); -- if (error) -- goto cleanup; - entry = IFIRST(header); - error = xattr_find_entry(inode, &entry, end, name_index, name, 0); - if (error) -@@ -783,7 +777,6 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size) - struct ext4_xattr_ibody_header *header; - struct ext4_inode *raw_inode; - struct ext4_iloc iloc; -- void *end; - int error; - - if (!ext4_test_inode_state(inode, EXT4_STATE_XATTR)) -@@ -793,14 +786,9 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size) - return error; - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); -- end = ITAIL(inode, raw_inode); -- error = xattr_check_inode(inode, header, end); -- if (error) -- goto cleanup; - error = ext4_xattr_list_entries(dentry, IFIRST(header), - buffer, buffer_size); - --cleanup: - brelse(iloc.bh); - return error; - } -@@ -868,7 +856,6 @@ int ext4_get_inode_usage(struct inode *inode, qsize_t *usage) - struct ext4_xattr_ibody_header *header; - struct ext4_xattr_entry *entry; - qsize_t ea_inode_refs = 0; -- void *end; - int ret; - - lockdep_assert_held_read(&EXT4_I(inode)->xattr_sem); -@@ -879,10 +866,6 @@ int ext4_get_inode_usage(struct inode *inode, qsize_t *usage) - goto out; - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); -- end = ITAIL(inode, raw_inode); -- ret = xattr_check_inode(inode, header, end); -- if (ret) -- goto out; - - for (entry = IFIRST(header); !IS_LAST_ENTRY(entry); - entry = EXT4_XATTR_NEXT(entry)) -@@ -2246,9 +2229,6 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i, - is->s.here = is->s.first; - is->s.end = ITAIL(inode, raw_inode); - if (ext4_test_inode_state(inode, 
EXT4_STATE_XATTR)) { -- error = xattr_check_inode(inode, header, is->s.end); -- if (error) -- return error; - /* Find the named attribute. */ - error = xattr_find_entry(inode, &is->s.here, is->s.end, - i->name_index, i->name, 0); -@@ -2799,10 +2779,6 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize, - min_offs = end - base; - total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32); - -- error = xattr_check_inode(inode, header, end); -- if (error) -- goto cleanup; -- - ifree = ext4_xattr_free_space(base, &min_offs, base, &total_ino); - if (ifree >= isize_diff) - goto shift; -diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h -index 5197f17ffd9a..1fedf44d4fb6 100644 ---- a/fs/ext4/xattr.h -+++ b/fs/ext4/xattr.h -@@ -209,6 +209,13 @@ extern int ext4_xattr_ibody_set(handle_t *handle, struct inode *inode, - extern struct mb_cache *ext4_xattr_create_cache(void); - extern void ext4_xattr_destroy_cache(struct mb_cache *); - -+extern int -+__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header, -+ void *end, const char *function, unsigned int line); -+ -+#define xattr_check_inode(inode, header, end) \ -+ __xattr_check_inode((inode), (header), (end), __func__, __LINE__) -+ - #ifdef CONFIG_EXT4_FS_SECURITY - extern int ext4_init_security(handle_t *handle, struct inode *inode, - struct inode *dir, const struct qstr *qstr); --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-22121.patch b/SPECS/kernel/CVE-2025-22121.patch deleted file mode 100644 index b8878b0d71..0000000000 --- a/SPECS/kernel/CVE-2025-22121.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 77065730b4067c145d50e315e64b6f1992bd0546 Mon Sep 17 00:00:00 2001 -From: Ye Bin -Date: Sat, 8 Feb 2025 14:31:40 +0800 -Subject: [PATCH 1/2] ext4: introduce ITAIL helper - -Introduce ITAIL helper to get the bound of xattr in inode. - -Signed-off-by: Ye Bin -Reviewed-by: Jan Kara -Link: https://patch.msgid.link/20250208063141.1539283-2-yebin@huaweicloud.com -Signed-off-by: Theodore Ts'o ---- - fs/ext4/xattr.c | 10 +++++----- - fs/ext4/xattr.h | 3 +++ - 2 files changed, 8 insertions(+), 5 deletions(-) - -diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index 6ff94cdf1515..7cdece4ea6fa 100644 ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -649,7 +649,7 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name, - return error; - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); -- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; -+ end = ITAIL(inode, raw_inode); - error = xattr_check_inode(inode, header, end); - if (error) - goto cleanup; -@@ -793,7 +793,7 @@ ext4_xattr_ibody_list(struct dentry *dentry, char *buffer, size_t buffer_size) - return error; - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); -- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; -+ end = ITAIL(inode, raw_inode); - error = xattr_check_inode(inode, header, end); - if (error) - goto cleanup; -@@ -879,7 +879,7 @@ int ext4_get_inode_usage(struct inode *inode, qsize_t *usage) - goto out; - raw_inode = ext4_raw_inode(&iloc); - header = IHDR(inode, raw_inode); -- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; -+ end = ITAIL(inode, raw_inode); - ret = xattr_check_inode(inode, header, end); - if (ret) - goto out; -@@ -2244,7 +2244,7 @@ int ext4_xattr_ibody_find(struct inode *inode, struct ext4_xattr_info *i, - header = IHDR(inode, raw_inode); - is->s.base = is->s.first = IFIRST(header); - is->s.here = is->s.first; -- is->s.end = (void *)raw_inode + 
EXT4_SB(inode->i_sb)->s_inode_size; -+ is->s.end = ITAIL(inode, raw_inode); - if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) { - error = xattr_check_inode(inode, header, is->s.end); - if (error) -@@ -2795,7 +2795,7 @@ int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize, - */ - - base = IFIRST(header); -- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; -+ end = ITAIL(inode, raw_inode); - min_offs = end - base; - total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32); - -diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h -index b25c2d7b5f99..5197f17ffd9a 100644 ---- a/fs/ext4/xattr.h -+++ b/fs/ext4/xattr.h -@@ -67,6 +67,9 @@ struct ext4_xattr_entry { - ((void *)raw_inode + \ - EXT4_GOOD_OLD_INODE_SIZE + \ - EXT4_I(inode)->i_extra_isize)) -+#define ITAIL(inode, raw_inode) \ -+ ((void *)(raw_inode) + \ -+ EXT4_SB((inode)->i_sb)->s_inode_size) - #define IFIRST(hdr) ((struct ext4_xattr_entry *)((hdr)+1)) - - /* --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-23129.patch b/SPECS/kernel/CVE-2025-23129.patch deleted file mode 100644 index fb60b46e19..0000000000 --- a/SPECS/kernel/CVE-2025-23129.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 3c9c3377f96f5c7cb389f28c25d21e242b95846e Mon Sep 17 00:00:00 2001 -From: Manivannan Sadhasivam -Date: Tue, 25 Feb 2025 11:04:45 +0530 -Subject: [PATCH 16/27] wifi: ath11k: Clear affinity hint before calling - ath11k_pcic_free_irq() in error path - -If a shared IRQ is used by the driver due to platform limitation, then the -IRQ affinity hint is set right after the allocation of IRQ vectors in -ath11k_pci_alloc_msi(). This does no harm unless one of the functions -requesting the IRQ fails and attempt to free the IRQ. This results in the -below warning: - -WARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c -Call trace: - free_irq+0x278/0x29c - ath11k_pcic_free_irq+0x70/0x10c [ath11k] - ath11k_pci_probe+0x800/0x820 [ath11k_pci] - local_pci_probe+0x40/0xbc - -The warning is due to not clearing the affinity hint before freeing the -IRQs. - -So to fix this issue, clear the IRQ affinity hint before calling -ath11k_pcic_free_irq() in the error path. The affinity will be cleared once -again further down the error path due to code organization, but that does -no harm. 
- -Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1 - -Cc: Baochen Qiang -Fixes: 39564b475ac5 ("wifi: ath11k: fix boot failure with one MSI vector") -Signed-off-by: Manivannan Sadhasivam -Reviewed-by: Baochen Qiang -Link: https://patch.msgid.link/20250225053447.16824-2-manivannan.sadhasivam@linaro.org -Signed-off-by: Jeff Johnson ---- - drivers/net/wireless/ath/ath11k/pci.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c -index 6ebfa5d02e2e..c1d576ff77fa 100644 ---- a/drivers/net/wireless/ath/ath11k/pci.c -+++ b/drivers/net/wireless/ath/ath11k/pci.c -@@ -936,6 +936,8 @@ static int ath11k_pci_probe(struct pci_dev *pdev, - return 0; - - err_free_irq: -+ /* __free_irq() expects the caller to have cleared the affinity hint */ -+ ath11k_pci_set_irq_affinity_hint(ab_pci, NULL); - ath11k_pcic_free_irq(ab); - - err_ce_free: --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-23130.patch b/SPECS/kernel/CVE-2025-23130.patch deleted file mode 100644 index 2eb241e816..0000000000 --- a/SPECS/kernel/CVE-2025-23130.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From 1c0ac623e1fbb056350f04efb184950a725aba18 Mon Sep 17 00:00:00 2001 -From: Chao Yu -Date: Tue, 11 Feb 2025 14:36:57 +0800 -Subject: [PATCH 15/27] f2fs: fix to avoid panic once fallocation fails for - pinfile - -syzbot reports a f2fs bug as below: - -------------[ cut here ]------------ -kernel BUG at fs/f2fs/segment.c:2746! -CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0 -RIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline] -RIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876 -Call Trace: - - __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210 - f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline] - f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238 - f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830 - f2fs_fallocate+0x537/0xa10 fs/f2fs/file.c:1940 - vfs_fallocate+0x569/0x6e0 fs/open.c:327 - do_vfs_ioctl+0x258c/0x2e40 fs/ioctl.c:885 - __do_sys_ioctl fs/ioctl.c:904 [inline] - __se_sys_ioctl+0x80/0x170 fs/ioctl.c:892 - do_syscall_x64 arch/x86/entry/common.c:52 [inline] - do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 - entry_SYSCALL_64_after_hwframe+0x77/0x7f - -Concurrent pinfile allocation may run out of free section, result in -panic in get_new_segment(), let's expand pin_sem lock coverage to -include f2fs_gc(), so that we can make sure to reclaim enough free -space for following allocation. - -In addition, do below changes to enhance error path handling: -- call f2fs_bug_on() only in non-pinfile allocation path in -get_new_segment(). 
-- call reset_curseg_fields() to reset all fields of curseg in -new_curseg() - -Fixes: f5a53edcf01e ("f2fs: support aligned pinned file") -Reported-by: syzbot+15669ec8c35ddf6c3d43@syzkaller.appspotmail.com -Closes: https://lore.kernel.org/linux-f2fs-devel/675cd64e.050a0220.37aaf.00bb.GAE@google.com -Signed-off-by: Chao Yu -Signed-off-by: Jaegeuk Kim ---- - fs/f2fs/file.c | 8 +++++--- - fs/f2fs/segment.c | 20 ++++++++++---------- - 2 files changed, 15 insertions(+), 13 deletions(-) - -diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c -index d9037e74631c..38dbc105fbe5 100644 ---- a/fs/f2fs/file.c -+++ b/fs/f2fs/file.c -@@ -1828,18 +1828,20 @@ static int f2fs_expand_inode_data(struct inode *inode, loff_t offset, - - map.m_len = sec_blks; - next_alloc: -+ f2fs_down_write(&sbi->pin_sem); -+ - if (has_not_enough_free_secs(sbi, 0, f2fs_sb_has_blkzoned(sbi) ? - ZONED_PIN_SEC_REQUIRED_COUNT : - GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi)))) { - f2fs_down_write(&sbi->gc_lock); - stat_inc_gc_call_count(sbi, FOREGROUND); - err = f2fs_gc(sbi, &gc_control); -- if (err && err != -ENODATA) -+ if (err && err != -ENODATA) { -+ f2fs_up_write(&sbi->pin_sem); - goto out_err; -+ } - } - -- f2fs_down_write(&sbi->pin_sem); -- - err = f2fs_allocate_pinning_section(sbi); - if (err) { - f2fs_up_write(&sbi->pin_sem); -diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c -index e48b5e2efea2..8ac6206110a1 100644 ---- a/fs/f2fs/segment.c -+++ b/fs/f2fs/segment.c -@@ -2749,7 +2749,7 @@ static int get_new_segment(struct f2fs_sb_info *sbi, - MAIN_SECS(sbi)); - if (secno >= MAIN_SECS(sbi)) { - ret = -ENOSPC; -- f2fs_bug_on(sbi, 1); -+ f2fs_bug_on(sbi, !pinning); - goto out_unlock; - } - } -@@ -2795,7 +2795,7 @@ static int get_new_segment(struct f2fs_sb_info *sbi, - out_unlock: - spin_unlock(&free_i->segmap_lock); - -- if (ret == -ENOSPC) -+ if (ret == -ENOSPC && !pinning) - f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_NO_SEGMENT); - return ret; - } -@@ -2868,6 +2868,13 @@ static unsigned int 
__get_next_segno(struct f2fs_sb_info *sbi, int type) - return curseg->segno; - } - -+static void reset_curseg_fields(struct curseg_info *curseg) -+{ -+ curseg->inited = false; -+ curseg->segno = NULL_SEGNO; -+ curseg->next_segno = 0; -+} -+ - /* - * Allocate a current working segment. - * This function always allocates a free segment in LFS manner. -@@ -2886,7 +2893,7 @@ static int new_curseg(struct f2fs_sb_info *sbi, int type, bool new_sec) - ret = get_new_segment(sbi, &segno, new_sec, pinning); - if (ret) { - if (ret == -ENOSPC) -- curseg->segno = NULL_SEGNO; -+ reset_curseg_fields(curseg); - return ret; - } - -@@ -3640,13 +3647,6 @@ static void f2fs_randomize_chunk(struct f2fs_sb_info *sbi, - get_random_u32_inclusive(1, sbi->max_fragment_hole); - } - --static void reset_curseg_fields(struct curseg_info *curseg) --{ -- curseg->inited = false; -- curseg->segno = NULL_SEGNO; -- curseg->next_segno = 0; --} -- - int f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page, - block_t old_blkaddr, block_t *new_blkaddr, - struct f2fs_summary *sum, int type, --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-37860.patch b/SPECS/kernel/CVE-2025-37860.patch deleted file mode 100644 index 8a8d928d2c..0000000000 --- a/SPECS/kernel/CVE-2025-37860.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -From 3470106f86c1d32a9bca29ebd195ae374f4f9ff7 Mon Sep 17 00:00:00 2001 -From: Edward Cree -Date: Tue, 1 Apr 2025 23:54:39 +0100 -Subject: [PATCH 22/27] sfc: fix NULL dereferences in - ef100_process_design_param() - -Since cited commit, ef100_probe_main() and hence also - ef100_check_design_params() run before efx->net_dev is created; - consequently, we cannot netif_set_tso_max_size() or _segs() at this - point. -Move those netif calls to ef100_probe_netdev(), and also replace - netif_err within the design params code with pci_err. - -Reported-by: Kyungwook Boo -Fixes: 98ff4c7c8ac7 ("sfc: Separate netdev probe/remove from PCI probe/remove") -Signed-off-by: Edward Cree -Reviewed-by: Michal Swiatkowski -Link: https://patch.msgid.link/20250401225439.2401047-1-edward.cree@amd.com -Signed-off-by: Jakub Kicinski ---- - drivers/net/ethernet/sfc/ef100_netdev.c | 7 ++-- - drivers/net/ethernet/sfc/ef100_nic.c | 47 +++++++++++-------------- - 2 files changed, 24 insertions(+), 30 deletions(-) - -diff --git a/drivers/net/ethernet/sfc/ef100_netdev.c b/drivers/net/ethernet/sfc/ef100_netdev.c -index 7f7d560cb2b4..3a06e3b1bd6b 100644 ---- a/drivers/net/ethernet/sfc/ef100_netdev.c -+++ b/drivers/net/ethernet/sfc/ef100_netdev.c -@@ -450,9 +450,9 @@ int ef100_probe_netdev(struct efx_probe_data *probe_data) - net_dev->hw_enc_features |= efx->type->offload_features; - net_dev->vlan_features |= NETIF_F_HW_CSUM | NETIF_F_SG | - NETIF_F_HIGHDMA | NETIF_F_ALL_TSO; -- netif_set_tso_max_segs(net_dev, -- ESE_EF100_DP_GZ_TSO_MAX_HDR_NUM_SEGS_DEFAULT); -- efx->mdio.dev = net_dev; -+ nic_data = efx->nic_data; -+ netif_set_tso_max_size(efx->net_dev, nic_data->tso_max_payload_len); -+ netif_set_tso_max_segs(efx->net_dev, nic_data->tso_max_payload_num_segs); - - rc = efx_ef100_init_datapath_caps(efx); - if (rc < 0) -@@ -478,7 +478,6 @@ int ef100_probe_netdev(struct efx_probe_data *probe_data) - /* Don't fail init if RSS setup doesn't work. 
*/ - efx_mcdi_push_default_indir_table(efx, efx->n_rx_channels); - -- nic_data = efx->nic_data; - rc = ef100_get_mac_address(efx, net_dev->perm_addr, CLIENT_HANDLE_SELF, - efx->type->is_vf); - if (rc) -diff --git a/drivers/net/ethernet/sfc/ef100_nic.c b/drivers/net/ethernet/sfc/ef100_nic.c -index 6da06931187d..5b1bdcac81d9 100644 ---- a/drivers/net/ethernet/sfc/ef100_nic.c -+++ b/drivers/net/ethernet/sfc/ef100_nic.c -@@ -887,8 +887,7 @@ static int ef100_process_design_param(struct efx_nic *efx, - case ESE_EF100_DP_GZ_TSO_MAX_HDR_NUM_SEGS: - /* We always put HDR_NUM_SEGS=1 in our TSO descriptors */ - if (!reader->value) { -- netif_err(efx, probe, efx->net_dev, -- "TSO_MAX_HDR_NUM_SEGS < 1\n"); -+ pci_err(efx->pci_dev, "TSO_MAX_HDR_NUM_SEGS < 1\n"); - return -EOPNOTSUPP; - } - return 0; -@@ -901,32 +900,28 @@ static int ef100_process_design_param(struct efx_nic *efx, - */ - if (!reader->value || reader->value > EFX_MIN_DMAQ_SIZE || - EFX_MIN_DMAQ_SIZE % (u32)reader->value) { -- netif_err(efx, probe, efx->net_dev, -- "%s size granularity is %llu, can't guarantee safety\n", -- reader->type == ESE_EF100_DP_GZ_RXQ_SIZE_GRANULARITY ? "RXQ" : "TXQ", -- reader->value); -+ pci_err(efx->pci_dev, -+ "%s size granularity is %llu, can't guarantee safety\n", -+ reader->type == ESE_EF100_DP_GZ_RXQ_SIZE_GRANULARITY ? 
"RXQ" : "TXQ", -+ reader->value); - return -EOPNOTSUPP; - } - return 0; - case ESE_EF100_DP_GZ_TSO_MAX_PAYLOAD_LEN: - nic_data->tso_max_payload_len = min_t(u64, reader->value, - GSO_LEGACY_MAX_SIZE); -- netif_set_tso_max_size(efx->net_dev, -- nic_data->tso_max_payload_len); - return 0; - case ESE_EF100_DP_GZ_TSO_MAX_PAYLOAD_NUM_SEGS: - nic_data->tso_max_payload_num_segs = min_t(u64, reader->value, 0xffff); -- netif_set_tso_max_segs(efx->net_dev, -- nic_data->tso_max_payload_num_segs); - return 0; - case ESE_EF100_DP_GZ_TSO_MAX_NUM_FRAMES: - nic_data->tso_max_frames = min_t(u64, reader->value, 0xffff); - return 0; - case ESE_EF100_DP_GZ_COMPAT: - if (reader->value) { -- netif_err(efx, probe, efx->net_dev, -- "DP_COMPAT has unknown bits %#llx, driver not compatible with this hw\n", -- reader->value); -+ pci_err(efx->pci_dev, -+ "DP_COMPAT has unknown bits %#llx, driver not compatible with this hw\n", -+ reader->value); - return -EOPNOTSUPP; - } - return 0; -@@ -946,10 +941,10 @@ static int ef100_process_design_param(struct efx_nic *efx, - * So the value of this shouldn't matter. - */ - if (reader->value != ESE_EF100_DP_GZ_VI_STRIDES_DEFAULT) -- netif_dbg(efx, probe, efx->net_dev, -- "NIC has other than default VI_STRIDES (mask " -- "%#llx), early probing might use wrong one\n", -- reader->value); -+ pci_dbg(efx->pci_dev, -+ "NIC has other than default VI_STRIDES (mask " -+ "%#llx), early probing might use wrong one\n", -+ reader->value); - return 0; - case ESE_EF100_DP_GZ_RX_MAX_RUNT: - /* Driver doesn't look at L2_STATUS:LEN_ERR bit, so we don't -@@ -961,9 +956,9 @@ static int ef100_process_design_param(struct efx_nic *efx, - /* Host interface says "Drivers should ignore design parameters - * that they do not recognise." 
- */ -- netif_dbg(efx, probe, efx->net_dev, -- "Ignoring unrecognised design parameter %u\n", -- reader->type); -+ pci_dbg(efx->pci_dev, -+ "Ignoring unrecognised design parameter %u\n", -+ reader->type); - return 0; - } - } -@@ -999,13 +994,13 @@ static int ef100_check_design_params(struct efx_nic *efx) - */ - if (reader.state != EF100_TLV_TYPE) { - if (reader.state == EF100_TLV_TYPE_CONT) -- netif_err(efx, probe, efx->net_dev, -- "truncated design parameter (incomplete type %u)\n", -- reader.type); -+ pci_err(efx->pci_dev, -+ "truncated design parameter (incomplete type %u)\n", -+ reader.type); - else -- netif_err(efx, probe, efx->net_dev, -- "truncated design parameter %u\n", -- reader.type); -+ pci_err(efx->pci_dev, -+ "truncated design parameter %u\n", -+ reader.type); - rc = -EIO; - } - out: --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-38584.patch b/SPECS/kernel/CVE-2025-38584.patch new file mode 100644 index 0000000000..f51235e56c --- /dev/null +++ b/SPECS/kernel/CVE-2025-38584.patch 
@@ -0,0 +1,272 @@ +From 65219e96bfcea2cbe917a295ec0884d7d5791966 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Sat, 24 May 2025 20:32:20 +0800 +Subject: [PATCH 15/15] padata: Fix pd UAF once and for all + +There is a race condition/UAF in padata_reorder that goes back +to the initial commit. A reference count is taken at the start +of the process in padata_do_parallel, and released at the end in +padata_serial_worker. + +This reference count is (and only is) required for padata_replace +to function correctly. If padata_replace is never called then +there is no issue. + +In the function padata_reorder which serves as the core of padata, +as soon as padata is added to queue->serial.list, and the associated +spin lock released, that padata may be processed and the reference +count on pd would go away. + +Fix this by getting the next padata before the squeue->serial lock +is released. + +In order to make this possible, simplify padata_reorder by only +calling it once the next padata arrives. + +Fixes: 16295bec6398 ("padata: Generic parallelization/serialization interface") +Signed-off-by: Herbert Xu +--- + include/linux/padata.h | 6 +- + kernel/padata.c | 136 +++++++++++------------------------------ + 2 files changed, 38 insertions(+), 104 deletions(-) + +diff --git a/include/linux/padata.h b/include/linux/padata.h +index 0146daf34430..9213f42178a6 100644 +--- a/include/linux/padata.h ++++ b/include/linux/padata.h +@@ -90,8 +90,6 @@ struct padata_cpumask { + * @processed: Number of already processed objects. + * @cpu: Next CPU to be processed. + * @cpumask: The cpumasks in use for parallel and serial workers. +- * @reorder_work: work struct for reordering. +- * @lock: Reorder lock. 
+ */ + struct parallel_data { + struct padata_shell *ps; +@@ -100,10 +98,8 @@ struct parallel_data { + refcount_t refcnt; + unsigned int seq_nr; + unsigned int processed; +- int cpu; ++ int cpu; + struct padata_cpumask cpumask; +- struct work_struct reorder_work; +- spinlock_t ____cacheline_aligned lock; + }; + + /** +diff --git a/kernel/padata.c b/kernel/padata.c +index c3810f5bd715..e61bdc248551 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -261,20 +261,17 @@ EXPORT_SYMBOL(padata_do_parallel); + * be parallel processed by another cpu and is not yet present in + * the cpu's reorder queue. + */ +-static struct padata_priv *padata_find_next(struct parallel_data *pd, +- bool remove_object) ++static struct padata_priv *padata_find_next(struct parallel_data *pd, int cpu, ++ unsigned int processed) + { + struct padata_priv *padata; + struct padata_list *reorder; +- int cpu = pd->cpu; + + reorder = per_cpu_ptr(pd->reorder_list, cpu); + + spin_lock(&reorder->lock); +- if (list_empty(&reorder->list)) { +- spin_unlock(&reorder->lock); +- return NULL; +- } ++ if (list_empty(&reorder->list)) ++ goto notfound; + + padata = list_entry(reorder->list.next, struct padata_priv, list); + +@@ -282,101 +279,52 @@ static struct padata_priv *padata_find_next(struct parallel_data *pd, + * Checks the rare case where two or more parallel jobs have hashed to + * the same CPU and one of the later ones finishes first. + */ +- if (padata->seq_nr != pd->processed) { +- spin_unlock(&reorder->lock); +- return NULL; +- } +- +- if (remove_object) { +- list_del_init(&padata->list); +- ++pd->processed; +- /* When sequence wraps around, reset to the first CPU. 
*/ +- if (unlikely(pd->processed == 0)) +- pd->cpu = cpumask_first(pd->cpumask.pcpu); +- else +- pd->cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false); +- } ++ if (padata->seq_nr != processed) ++ goto notfound; + ++ list_del_init(&padata->list); + spin_unlock(&reorder->lock); + return padata; ++ ++notfound: ++ pd->processed = processed; ++ pd->cpu = cpu; ++ spin_unlock(&reorder->lock); ++ return NULL; + } + +-static void padata_reorder(struct parallel_data *pd) ++static void padata_reorder(struct padata_priv *padata) + { ++ struct parallel_data *pd = padata->pd; + struct padata_instance *pinst = pd->ps->pinst; +- int cb_cpu; +- struct padata_priv *padata; +- struct padata_serial_queue *squeue; +- struct padata_list *reorder; ++ unsigned int processed; ++ int cpu; + +- /* +- * We need to ensure that only one cpu can work on dequeueing of +- * the reorder queue the time. Calculating in which percpu reorder +- * queue the next object will arrive takes some time. A spinlock +- * would be highly contended. Also it is not clear in which order +- * the objects arrive to the reorder queues. So a cpu could wait to +- * get the lock just to notice that there is nothing to do at the +- * moment. Therefore we use a trylock and let the holder of the lock +- * care for all the objects enqueued during the holdtime of the lock. +- */ +- if (!spin_trylock_bh(&pd->lock)) +- return; ++ processed = pd->processed; ++ cpu = pd->cpu; + +- while (1) { +- padata = padata_find_next(pd, true); ++ do { ++ struct padata_serial_queue *squeue; ++ int cb_cpu; + +- /* +- * If the next object that needs serialization is parallel +- * processed by another cpu and is still on it's way to the +- * cpu's reorder queue, nothing to do for now. 
+- */ +- if (!padata) +- break; ++ cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false); ++ processed++; + + cb_cpu = padata->cb_cpu; + squeue = per_cpu_ptr(pd->squeue, cb_cpu); + + spin_lock(&squeue->serial.lock); + list_add_tail(&padata->list, &squeue->serial.list); +- spin_unlock(&squeue->serial.lock); +- + queue_work_on(cb_cpu, pinst->serial_wq, &squeue->work); +- } + +- spin_unlock_bh(&pd->lock); +- +- /* +- * The next object that needs serialization might have arrived to +- * the reorder queues in the meantime. +- * +- * Ensure reorder queue is read after pd->lock is dropped so we see +- * new objects from another task in padata_do_serial. Pairs with +- * smp_mb in padata_do_serial. +- */ +- smp_mb(); +- +- reorder = per_cpu_ptr(pd->reorder_list, pd->cpu); +- if (!list_empty(&reorder->list) && padata_find_next(pd, false)) { + /* +- * Other context(eg. the padata_serial_worker) can finish the request. +- * To avoid UAF issue, add pd ref here, and put pd ref after reorder_work finish. ++ * If the next object that needs serialization is parallel ++ * processed by another cpu and is still on it's way to the ++ * cpu's reorder queue, end the loop. 
+ */ +- padata_get_pd(pd); +- if (!queue_work(pinst->serial_wq, &pd->reorder_work)) +- padata_put_pd(pd); +- } +-} +- +-static void invoke_padata_reorder(struct work_struct *work) +-{ +- struct parallel_data *pd; +- +- local_bh_disable(); +- pd = container_of(work, struct parallel_data, reorder_work); +- padata_reorder(pd); +- local_bh_enable(); +- /* Pairs with putting the reorder_work in the serial_wq */ +- padata_put_pd(pd); ++ padata = padata_find_next(pd, cpu, processed); ++ spin_unlock(&squeue->serial.lock); ++ } while (padata); + } + + static void padata_serial_worker(struct work_struct *serial_work) +@@ -427,6 +375,7 @@ void padata_do_serial(struct padata_priv *padata) + struct padata_list *reorder = per_cpu_ptr(pd->reorder_list, hashed_cpu); + struct padata_priv *cur; + struct list_head *pos; ++ bool gotit = true; + + spin_lock(&reorder->lock); + /* Sort in ascending order of sequence number. */ +@@ -436,17 +385,14 @@ void padata_do_serial(struct padata_priv *padata) + if ((signed int)(cur->seq_nr - padata->seq_nr) < 0) + break; + } +- list_add(&padata->list, pos); ++ if (padata->seq_nr != pd->processed) { ++ gotit = false; ++ list_add(&padata->list, pos); ++ } + spin_unlock(&reorder->lock); + +- /* +- * Ensure the addition to the reorder list is ordered correctly +- * with the trylock of pd->lock in padata_reorder. Pairs with smp_mb +- * in padata_reorder. 
+- */ +- smp_mb(); +- +- padata_reorder(pd); ++ if (gotit) ++ padata_reorder(padata); + } + EXPORT_SYMBOL(padata_do_serial); + +@@ -643,9 +589,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_shell *ps) + padata_init_squeues(pd); + pd->seq_nr = -1; + refcount_set(&pd->refcnt, 1); +- spin_lock_init(&pd->lock); + pd->cpu = cpumask_first(pd->cpumask.pcpu); +- INIT_WORK(&pd->reorder_work, invoke_padata_reorder); + + return pd; + +@@ -1155,12 +1099,6 @@ void padata_free_shell(struct padata_shell *ps) + if (!ps) + return; + +- /* +- * Wait for all _do_serial calls to finish to avoid touching +- * freed pd's and ps's. +- */ +- synchronize_rcu(); +- + mutex_lock(&ps->pinst->lock); + list_del(&ps->list); + pd = rcu_dereference_protected(ps->pd, 1); +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-38591.patch b/SPECS/kernel/CVE-2025-38591.patch new file mode 100644 index 0000000000..41b4d40967 --- /dev/null +++ b/SPECS/kernel/CVE-2025-38591.patch 
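Review bot: In CVE-2025-38584.patch, the rewritten loop in padata_reorder() no longer resets the CPU cursor when the sequence counter wraps. The code removed from padata_find_next() had `if (unlikely(pd->processed == 0)) pd->cpu = cpumask_first(pd->cpumask.pcpu);`, whereas the new loop always advances with `cpumask_next_wrap(cpu, pd->cpumask.pcpu, -1, false)` and then does `processed++`. The CPU hashing in padata_do_serial() lies outside the visible context, so the following is inferred from the removed comment: if seq_nr is still hashed to a CPU from its value, then after a wrap on a CPU count that is not a power of two padata_find_next() would inspect the wrong reorder list, and the next object would never be picked up, stalling serialization. Consider carrying the reset in this backport by adding `if (unlikely(processed == 0)) cpu = cpumask_first(pd->cpumask.pcpu);` after `processed++;`, or confirm that the target tree handles the wrap elsewhere.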
@@ -0,0 +1,165 @@
+From a40bd4e44ba2ef84d7f780383dd811dc8bf2c025 Mon Sep 17 00:00:00 2001
+From: Paul Chaignon
+Date: Tue, 22 Jul 2025 16:32:32 +0200
+Subject: [PATCH 14/15] bpf: Reject narrower access to pointer ctx fields
+
+The following BPF program, simplified from a syzkaller repro, causes a
+kernel warning:
+
+ r0 = *(u8 *)(r1 + 169);
+ exit;
+
+With pointer field sk being at offset 168 in __sk_buff. This access is
+detected as a narrower read in bpf_skb_is_valid_access because it
+doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed
+and later proceeds to bpf_convert_ctx_access. Note that for the
+"is_narrower_load" case in the convert_ctx_accesses(), the insn->off
+is aligned, so the cnt may not be 0 because it matches the
+offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,
+the target_size stays 0 and the verifier errors with a kernel warning:
+
+ verifier bug: error during ctx access conversion(1)
+
+This patch fixes that to return a proper "invalid bpf_context access
+off=X size=Y" error on the load instruction.
+
+The same issue affects multiple other fields in context structures that
+allow narrow access. Some other non-affected fields (for sk_msg,
+sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for
+consistency.
+
+Note this syzkaller crash was reported in the "Closes" link below, which
+used to be about a different bug, fixed in
+commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions
+in insn_def_regno()"). Because syzbot somehow confused the two bugs,
+the new crash and repro didn't get reported to the mailing list.
+
+Fixes: f96da09473b52 ("bpf: simplify narrower ctx access")
+Fixes: 0df1a55afa832 ("bpf: Warn on internal verifier errors")
+Reported-by: syzbot+0ef84a7bdf5301d4cbec@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0ef84a7bdf5301d4cbec
+Signed-off-by: Paul Chaignon
+Signed-off-by: Martin KaFai Lau
+Acked-by: Eduard Zingerman
+Link: https://patch.msgid.link/3b8dcee67ff4296903351a974ddd9c4dca768b64.1753194596.git.paul.chaignon@gmail.com
+---
+ kernel/bpf/cgroup.c | 8 ++++----
+ net/core/filter.c | 20 ++++++++++----------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
+index c0d606c40195..1ebf40badbf6 100644
+--- a/kernel/bpf/cgroup.c
++++ b/kernel/bpf/cgroup.c
+@@ -2418,22 +2418,22 @@ static bool cg_sockopt_is_valid_access(int off, int size,
+ }
+
+ switch (off) {
+- case offsetof(struct bpf_sockopt, sk):
++ case bpf_ctx_range_ptr(struct bpf_sockopt, sk):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCKET;
+ break;
+- case offsetof(struct bpf_sockopt, optval):
++ case bpf_ctx_range_ptr(struct bpf_sockopt, optval):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET;
+ break;
+- case offsetof(struct bpf_sockopt, optval_end):
++ case bpf_ctx_range_ptr(struct bpf_sockopt, optval_end):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET_END;
+ break;
+- case offsetof(struct bpf_sockopt, retval):
++ case bpf_ctx_range(struct bpf_sockopt, retval):
+ if (size != size_default)
+ return false;
+ return prog->expected_attach_type == BPF_CGROUP_GETSOCKOPT;
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 89ed625e1474..4bf298695bd1 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -8652,7 +8652,7 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct __sk_buff, sk):
++ case bpf_ctx_range_ptr(struct __sk_buff, sk):
+ if (type == BPF_WRITE || size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCK_COMMON_OR_NULL;
+@@ -9229,7 +9229,7 @@ static bool sock_addr_is_valid_access(int off, int size,
+ return false;
+ }
+ break;
+- case offsetof(struct bpf_sock_addr, sk):
++ case bpf_ctx_range_ptr(struct bpf_sock_addr, sk):
+ if (type != BPF_READ)
+ return false;
+ if (size != sizeof(__u64))
+@@ -9283,17 +9283,17 @@ static bool sock_ops_is_valid_access(int off, int size,
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct bpf_sock_ops, sk):
++ case bpf_ctx_range_ptr(struct bpf_sock_ops, sk):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCKET_OR_NULL;
+ break;
+- case offsetof(struct bpf_sock_ops, skb_data):
++ case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET;
+ break;
+- case offsetof(struct bpf_sock_ops, skb_data_end):
++ case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data_end):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_PACKET_END;
+@@ -9302,7 +9302,7 @@ static bool sock_ops_is_valid_access(int off, int size,
+ bpf_ctx_record_field_size(info, size_default);
+ return bpf_ctx_narrow_access_ok(off, size,
+ size_default);
+- case offsetof(struct bpf_sock_ops, skb_hwtstamp):
++ case bpf_ctx_range(struct bpf_sock_ops, skb_hwtstamp):
+ if (size != sizeof(__u64))
+ return false;
+ break;
+@@ -9372,17 +9372,17 @@ static bool sk_msg_is_valid_access(int off, int size,
+ return false;
+
+ switch (off) {
+- case offsetof(struct sk_msg_md, data):
++ case bpf_ctx_range_ptr(struct sk_msg_md, data):
+ info->reg_type = PTR_TO_PACKET;
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct sk_msg_md, data_end):
++ case bpf_ctx_range_ptr(struct sk_msg_md, data_end):
+ info->reg_type = PTR_TO_PACKET_END;
+ if (size != sizeof(__u64))
+ return false;
+ break;
+- case offsetof(struct sk_msg_md, sk):
++ case bpf_ctx_range_ptr(struct sk_msg_md, sk):
+ if (size != sizeof(__u64))
+ return false;
+ info->reg_type = PTR_TO_SOCKET;
+@@ -11595,7 +11595,7 @@ static bool sk_lookup_is_valid_access(int off, int size,
+ return false;
+
+ switch (off) {
+- case offsetof(struct bpf_sk_lookup, sk):
++ case bpf_ctx_range_ptr(struct bpf_sk_lookup, sk):
+ info->reg_type = PTR_TO_SOCKET_OR_NULL;
+ return size == sizeof(__u64);
+
+--
+2.43.0
+
diff --git a/SPECS/kernel/CVE-2025-38643.patch b/SPECS/kernel/CVE-2025-38643.patch
deleted file mode 100644
index eb4995f0eb..0000000000
--- a/SPECS/kernel/CVE-2025-38643.patch
+++ /dev/null
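Review bot: The header of this carried patch does not record which upstream commit it was taken from; `From a40bd4e4…` together with `[PATCH 14/15]` reads like a hash and sequence number from a local series rather than a mainline or stable id, though that is inferred from the header alone. For a CVE-named patch this makes it hard to confirm later that the carried diff still matches the upstream fix, or to drop it once the base kernel contains it. A line such as `Upstream-Commit: <upstream commit id>` above the `---` separator would record it. Separately, each converted `bpf_ctx_range_ptr(...)` label rejects a narrow load only through the `size != sizeof(__u64)` test inside its case; the validators begin outside these hunks, so the check that handles an 8-byte access at an unaligned offset cannot be confirmed from here.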
@@ -1,89 +0,0 @@
-From 017e825ea4a7bc35b1e481b6ddb03aa67f30bebc Mon Sep 17 00:00:00 2001
-From: Alexander Wetzel
-Date: Thu, 17 Jul 2025 18:25:45 +0200
-Subject: [PATCH 4/4] wifi: cfg80211: Add missing lock in
- cfg80211_check_and_end_cac()
-
-Callers of wdev_chandef() must hold the wiphy mutex.
-
-But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
-Which triggers the warning below with the mesh_peer_connected_dfs
-test from hostapd and not (yet) released mac80211 code changes:
-
-WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
-Modules linked in:
-CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
-Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
-Stack:
- 00000000 00000001 ffffff00 6093267c
- 00000000 6002ec30 6d577c50 60037608
- 00000000 67e8d108 6063717b 00000000
-Call Trace:
- [<6002ec30>] ? _printk+0x0/0x98
- [<6003c2b3>] show_stack+0x10e/0x11a
- [<6002ec30>] ? _printk+0x0/0x98
- [<60037608>] dump_stack_lvl+0x71/0xb8
- [<6063717b>] ? wdev_chandef+0x60/0x165
- [<6003766d>] dump_stack+0x1e/0x20
- [<6005d1b7>] __warn+0x101/0x20f
- [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
- [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
- [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
- [<600b11a2>] ? mark_held_locks+0x5a/0x6e
- [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
- [<60052e53>] ? unblock_signals+0x3a/0xe7
- [<60052f2d>] ? um_set_signals+0x2d/0x43
- [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
- [<607508b2>] ? lock_is_held_type+0x207/0x21f
- [<6063717b>] wdev_chandef+0x60/0x165
- [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
- [<60052f00>] ? um_set_signals+0x0/0x43
- [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
- [<6007e460>] process_scheduled_works+0x3bc/0x60e
- [<6007d0ec>] ? move_linked_works+0x4d/0x81
- [<6007d120>] ? assign_work+0x0/0xaa
- [<6007f81f>] worker_thread+0x220/0x2dc
- [<600786ef>] ? set_pf_worker+0x0/0x57
- [<60087c96>] ? to_kthread+0x0/0x43
- [<6008ab3c>] kthread+0x2d3/0x2e2
- [<6007f5ff>] ? worker_thread+0x0/0x2dc
- [<6006c05b>] ? calculate_sigpending+0x0/0x56
- [<6003b37d>] new_thread_handler+0x4a/0x64
-irq event stamp: 614611
-hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
-hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
-softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
-softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
-
-Fixes: 26ec17a1dc5e ("cfg80211: Fix radar event during another phy CAC")
-Signed-off-by: Alexander Wetzel
-Link: https://patch.msgid.link/20250717162547.94582-1-Alexander@wetzel-home.de
-Signed-off-by: Johannes Berg
----
- net/wireless/reg.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/wireless/reg.c b/net/wireless/reg.c
-index f6846eb0f4b8..69a7f55e9de4 100644
---- a/net/wireless/reg.c
-+++ b/net/wireless/reg.c
-@@ -4234,6 +4234,8 @@ static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev)
- struct wireless_dev *wdev;
- unsigned int link_id;
-
-+ wiphy_lock(&rdev->wiphy);
-+
- /* If we finished CAC or received radar, we should end any
- * CAC running on the same channels.
- * the check !cfg80211_chandef_dfs_usable contain 2 options:
-@@ -4258,6 +4260,7 @@ static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev)
- rdev_end_cac(rdev, wdev->netdev, link_id);
- }
- }
-+ wiphy_unlock(&rdev->wiphy);
- }
-
- void regulatory_propagate_dfs_state(struct wiphy *wiphy,
---
-2.43.0
-
diff --git a/SPECS/kernel/CVE-2025-38656-2.patch b/SPECS/kernel/CVE-2025-38656-2.patch
new file mode 100644
index 0000000000..5e9f8634fe
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-38656-2.patch
@@ -0,0 +1,36 @@
+From 9ba72bcf0b818bf3577663ad7466d14616e08193 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 1 Jul 2025 13:08:42 -0500
+Subject: [PATCH 13/15] wifi: iwlwifi: Fix error code in
+ iwl_op_mode_dvm_start()
+
+Preserve the error code if iwl_setup_deferred_work() fails. The current
+code returns ERR_PTR(0) (which is NULL) on this path. I believe the
+missing error code potentially leads to a use after free involving
+debugfs.
+
+Fixes: 90a0d9f33996 ("iwlwifi: Add missing check for alloc_ordered_workqueue")
+Signed-off-by: Dan Carpenter
+Link: https://patch.msgid.link/a7a1cd2c-ce01-461a-9afd-dbe535f8df01@sabinyo.mountain
+Signed-off-by: Miri Korenblit
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+index bc065c7089f7..a4f6e5a8f3a9 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+@@ -1468,7 +1468,8 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ /********************
+ * 6. Setup services
+ ********************/
+- if (iwl_setup_deferred_work(priv))
++ err = iwl_setup_deferred_work(priv);
++ if (err)
+ goto out_uninit_drv;
+
+ iwl_setup_rx_handlers(priv);
+--
+2.43.0
+
diff --git a/SPECS/kernel/CVE-2025-38656.patch b/SPECS/kernel/CVE-2025-38656.patch
new file mode 100644
index 0000000000..f110e3b158
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-38656.patch
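Review bot: This patch only applies on top of CVE-2025-38656.patch, and nothing in either file says so: its pre-image `index bc065c7089f7..` is the post-image of dvm/main.c in that file, and the `err` it assigns is declared there by `int i, err;`. The file names also read backwards, since the description that mentions the use after free is in this `-2` file while the file with the bare CVE name is the ERR_PTR refactor it depends on. The spec's Patch lines are not part of this hunk, so the ordering cannot be checked from here; a comment next to them such as `# CVE-2025-38656.patch is the prerequisite refactor, CVE-2025-38656-2.patch is the fix; keep both, in this order` would stop a later cleanup from dropping one of the pair.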
@@ -0,0 +1,231 @@
+From 35c49ea77297c97772ea9f1cb47be0508b0176c2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 27 Dec 2024 10:01:04 +0200
+Subject: [PATCH 12/15] wifi: iwlwifi: return ERR_PTR from opmode start()
+
+In order to restrict the retry loops for timeouts, first
+pass the error code up using ERR_PTR(). This of course
+requires all existing functions to be updated accordingly.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Miri Korenblit
+Link: https://patch.msgid.link/20241227095718.3fe5031d5784.I7307996c91dac69619ff9c616b8a077423fac19f@changeid
+Signed-off-by: Johannes Berg
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/main.c | 34 ++++++++++++-------
+ drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +-
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 24 +++++++++----
+ 3 files changed, 40 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+index b8713ebd7190..bc065c7089f7 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+@@ -1245,7 +1245,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ STATISTICS_NOTIFICATION,
+ REPLY_TX,
+ };
+- int i;
++ int i, err;
+
+ /************************
+ * 1. Allocating HW data
+@@ -1253,6 +1253,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ hw = iwl_alloc_all();
+ if (!hw) {
+ pr_err("%s: Cannot allocate network device\n", trans->name);
++ err = -ENOMEM;
+ goto out;
+ }
+
+@@ -1303,8 +1304,10 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ break;
+ }
+
+- if (WARN_ON(!priv->lib))
++ if (WARN_ON(!priv->lib)) {
++ err = -ENODEV;
+ goto out_free_hw;
++ }
+
+ /*
+ * Populate the state variables that the transport layer needs
+@@ -1381,12 +1384,14 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ IWL_INFO(priv, "Detected %s, REV=0x%X\n",
+ priv->trans->name, priv->trans->hw_rev);
+
+- if (iwl_trans_start_hw(priv->trans))
++ err = iwl_trans_start_hw(priv->trans);
++ if (err)
+ goto out_free_hw;
+
+ /* Read the EEPROM */
+- if (iwl_read_eeprom(priv->trans, &priv->eeprom_blob,
+- &priv->eeprom_blob_size)) {
++ err = iwl_read_eeprom(priv->trans, &priv->eeprom_blob,
++ &priv->eeprom_blob_size);
++ if (err) {
+ IWL_ERR(priv, "Unable to init EEPROM\n");
+ goto out_free_hw;
+ }
+@@ -1397,13 +1402,17 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ priv->nvm_data = iwl_parse_eeprom_data(priv->trans, priv->cfg,
+ priv->eeprom_blob,
+ priv->eeprom_blob_size);
+- if (!priv->nvm_data)
++ if (!priv->nvm_data) {
++ err = -ENOMEM;
+ goto out_free_eeprom_blob;
++ }
+
+- if (iwl_nvm_check_version(priv->nvm_data, priv->trans))
++ err = iwl_nvm_check_version(priv->nvm_data, priv->trans);
++ if (err)
+ goto out_free_eeprom;
+
+- if (iwl_eeprom_init_hw_params(priv))
++ err = iwl_eeprom_init_hw_params(priv);
++ if (err)
+ goto out_free_eeprom;
+
+ /* extract MAC Address */
+@@ -1450,7 +1459,8 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ atomic_set(&priv->queue_stop_count[i], 0);
+ }
+
+- if (iwl_init_drv(priv))
++ err = iwl_init_drv(priv);
++ if (err)
+ goto out_free_eeprom;
+
+ /* At this point both hw and priv are initialized. */
+@@ -1486,7 +1496,8 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ *
+ * 7. Setup and register with mac80211 and debugfs
+ **************************************************/
+- if (iwlagn_mac_setup_register(priv, &fw->ucode_capa))
++ err = iwlagn_mac_setup_register(priv, &fw->ucode_capa);
++ if (err)
+ goto out_destroy_workqueue;
+
+ iwl_dbgfs_register(priv, dbgfs_dir);
+@@ -1507,8 +1518,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+ out_free_hw:
+ ieee80211_free_hw(priv->hw);
+ out:
+- op_mode = NULL;
+- return op_mode;
++ return ERR_PTR(err);
+ }
+
+ static void iwl_op_mode_dvm_stop(struct iwl_op_mode *op_mode)
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+index 754e01688900..982b7ca61f7b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -1429,7 +1429,7 @@ _iwl_op_mode_start(struct iwl_drv *drv, struct iwlwifi_opmode_table *op)
+ op_mode = ops->start(drv->trans, drv->trans->cfg,
+ &drv->fw, dbgfs_dir);
+
+- if (op_mode)
++ if (!IS_ERR(op_mode))
+ return op_mode;
+
+ if (test_bit(STATUS_TRANS_DEAD, &drv->trans->status))
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index a7dbc0a5ea84..fcfa3060246e 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1287,6 +1287,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ size_t scan_size;
+ u32 min_backoff;
+ struct iwl_mvm_csme_conn_info *csme_conn_info __maybe_unused;
++ int err;
+
+ /*
+ * We use IWL_STATION_COUNT_MAX to check the validity of the station
+@@ -1304,7 +1305,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ iwl_mvm_has_mld_api(fw) ? &iwl_mvm_mld_hw_ops :
+ &iwl_mvm_hw_ops);
+ if (!hw)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ if (trans->trans_cfg->device_family >= IWL_DEVICE_FAMILY_BZ)
+ max_agg = 512;
+@@ -1348,8 +1349,10 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ trans->rx_mpdu_cmd_hdr_size =
+ sizeof(struct iwl_rx_mpdu_res_start);
+
+- if (WARN_ON(trans->num_rx_queues > 1))
++ if (WARN_ON(trans->num_rx_queues > 1)) {
++ err = -EINVAL;
+ goto out_free;
++ }
+ }
+
+ mvm->fw_restart = iwlwifi_mod_params.fw_restart ? -1 : 0;
+@@ -1426,8 +1429,10 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ iwl_fw_lookup_notif_ver(mvm->fw, LOCATION_GROUP,
+ TOF_RANGE_RESPONSE_NOTIF, 5);
+ /* we only support up to version 9 */
+- if (WARN_ON_ONCE(mvm->cmd_ver.range_resp > 9))
++ if (WARN_ON_ONCE(mvm->cmd_ver.range_resp > 9)) {
++ err = -EINVAL;
+ goto out_free;
++ }
+
+ /*
+ * Populate the state variables that the transport layer needs
+@@ -1490,6 +1495,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ mvm->phy_db = iwl_phy_db_init(trans);
+ if (!mvm->phy_db) {
+ IWL_ERR(mvm, "Cannot init phy_db\n");
++ err = -ENOMEM;
+ goto out_free;
+ }
+
+@@ -1502,8 +1508,10 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ scan_size = iwl_mvm_scan_size(mvm);
+
+ mvm->scan_cmd = kmalloc(scan_size, GFP_KERNEL);
+- if (!mvm->scan_cmd)
++ if (!mvm->scan_cmd) {
++ err = -ENOMEM;
+ goto out_free;
++ }
+ mvm->scan_cmd_size = scan_size;
+
+ /* invalidate ids to prevent accidental removal of sta_id 0 */
+@@ -1532,7 +1540,8 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+
+ iwl_mvm_mei_scan_filter_init(&mvm->mei_scan_filter);
+
+- if (iwl_mvm_start_get_nvm(mvm)) {
++ err = iwl_mvm_start_get_nvm(mvm);
++ if (err) {
+ /*
+ * Getting NVM failed while CSME is the owner, but we are
+ * registered to MEI, we'll get the NVM later when it'll be
+@@ -1545,7 +1554,8 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ }
+
+
+- if (iwl_mvm_start_post_nvm(mvm))
++ err = iwl_mvm_start_post_nvm(mvm);
++ if (err)
+ goto out_thermal_exit;
+
+ return op_mode;
+@@ -1565,7 +1575,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ iwl_trans_op_mode_leave(trans);
+
+ ieee80211_free_hw(mvm->hw);
+- return NULL;
++ return ERR_PTR(err);
+ }
+
+ void iwl_mvm_stop_device(struct iwl_mvm *mvm)
+--
+2.43.0
+
diff --git a/SPECS/kernel/CVE-2025-39981.patch b/SPECS/kernel/CVE-2025-39981.patch
deleted file mode 100644
index 604d2ef847..0000000000
--- a/SPECS/kernel/CVE-2025-39981.patch
+++ /dev/null
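Review bot: In `_iwl_op_mode_start()` the new test `if (!IS_ERR(op_mode))` accepts a NULL return as success, so any exit through `return ERR_PTR(err)` with `err` still 0 hands the caller a NULL op_mode as if it were live. With this file alone that is the case for the `iwl_setup_deferred_work()` failure in `iwl_op_mode_dvm_start()`, which is only converted by the companion CVE-2025-38656-2.patch, so the two must always be applied and reverted together. Both start functions extend beyond these hunks and declare `err` without an initializer (`int i, err;`, `int err;`), so the remaining `goto` sites cannot be confirmed from here. If a local deviation from upstream is acceptable, `if (!IS_ERR_OR_NULL(op_mode))` would keep treating NULL as a failure the way the removed `if (op_mode)` did.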
@@ -1,770 +0,0 @@ -From df40aa342d6e076b8800cce0a596d98ea61cc02a Mon Sep 17 00:00:00 2001 -From: Luiz Augusto von Dentz -Date: Mon, 25 Aug 2025 10:03:07 -0400 -Subject: [PATCH] Bluetooth: MGMT: Fix possible UAFs - -This attemps to fix possible UAFs caused by struct mgmt_pending being -freed while still being processed like in the following trace, in order -to fix mgmt_pending_valid is introduce and use to check if the -mgmt_pending hasn't been removed from the pending list, on the complete -callbacks it is used to check and in addtion remove the cmd from the list -while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd -is left on the list it can still be accessed and freed. - -BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 -Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55 - -CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full) -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 -Workqueue: hci0 hci_cmd_sync_work -Call Trace: - - dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 - print_address_description mm/kasan/report.c:378 [inline] - print_report+0xca/0x240 mm/kasan/report.c:482 - kasan_report+0x118/0x150 mm/kasan/report.c:595 - mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 - hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332 - process_one_work kernel/workqueue.c:3238 [inline] - process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 - worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 - kthread+0x711/0x8a0 kernel/kthread.c:464 - ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 - ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245 - - -Allocated by task 12210: - kasan_save_stack mm/kasan/common.c:47 [inline] - kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 - poison_kmalloc_redzone mm/kasan/common.c:377 
[inline] - __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 - kasan_kmalloc include/linux/kasan.h:260 [inline] - __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364 - kmalloc_noprof include/linux/slab.h:905 [inline] - kzalloc_noprof include/linux/slab.h:1039 [inline] - mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269 - mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 - __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247 - add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364 - hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 - hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 - sock_sendmsg_nosec net/socket.c:714 [inline] - __sock_sendmsg+0x219/0x270 net/socket.c:729 - sock_write_iter+0x258/0x330 net/socket.c:1133 - new_sync_write fs/read_write.c:593 [inline] - vfs_write+0x5c9/0xb30 fs/read_write.c:686 - ksys_write+0x145/0x250 fs/read_write.c:738 - do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] - do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 - entry_SYSCALL_64_after_hwframe+0x77/0x7f - -Freed by task 12221: - kasan_save_stack mm/kasan/common.c:47 [inline] - kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 - kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 - poison_slab_object mm/kasan/common.c:247 [inline] - __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 - kasan_slab_free include/linux/kasan.h:233 [inline] - slab_free_hook mm/slub.c:2381 [inline] - slab_free mm/slub.c:4648 [inline] - kfree+0x18e/0x440 mm/slub.c:4847 - mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] - mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 - __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444 - hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290 - hci_dev_do_close net/bluetooth/hci_core.c:501 [inline] - hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526 - sock_do_ioctl+0xd9/0x300 net/socket.c:1192 - sock_ioctl+0x576/0x790 net/socket.c:1313 - vfs_ioctl fs/ioctl.c:51 [inline] 
- __do_sys_ioctl fs/ioctl.c:907 [inline] - __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 - do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] - do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 - entry_SYSCALL_64_after_hwframe+0x77/0x7f - -Fixes: cf75ad8b41d2 ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED") -Fixes: 2bd1b237616b ("Bluetooth: hci_sync: Convert MGMT_OP_SET_DISCOVERABLE to use cmd_sync") -Fixes: f056a65783cc ("Bluetooth: hci_sync: Convert MGMT_OP_SET_CONNECTABLE to use cmd_sync") -Fixes: 3244845c6307 ("Bluetooth: hci_sync: Convert MGMT_OP_SSP") -Fixes: d81a494c43df ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LE") -Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") -Fixes: 6f6ff38a1e14 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LOCAL_NAME") -Fixes: 71efbb08b538 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_PHY_CONFIGURATION") -Fixes: b747a83690c8 ("Bluetooth: hci_sync: Refactor add Adv Monitor") -Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY") -Fixes: 26ac4c56f03f ("Bluetooth: hci_sync: Convert MGMT_OP_SET_ADVERTISING") -Reported-by: cen zhang -Signed-off-by: Luiz Augusto von Dentz ---- - net/bluetooth/mgmt.c | 259 ++++++++++++++++++++++++++------------ - net/bluetooth/mgmt_util.c | 46 +++++++ - net/bluetooth/mgmt_util.h | 3 + - 3 files changed, 231 insertions(+), 77 deletions(-) - -diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c -index 563cae4f76b0..bc14b9410bcf 100644 ---- a/net/bluetooth/mgmt.c -+++ b/net/bluetooth/mgmt.c -@@ -1318,8 +1318,7 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) - struct mgmt_mode *cp; - - /* Make sure cmd still outstanding. 
*/ -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - - cp = cmd->param; -@@ -1346,23 +1345,29 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) - mgmt_status(err)); - } - -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - } - - static int set_powered_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_mode *cp; -+ struct mgmt_mode cp; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); - - /* Make sure cmd still outstanding. */ -- if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); - return -ECANCELED; -+ } - -- cp = cmd->param; -+ memcpy(&cp, cmd->param, sizeof(cp)); -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); - - BT_DBG("%s", hdev->name); - -- return hci_set_powered_sync(hdev, cp->val); -+ return hci_set_powered_sync(hdev, cp.val); - } - - static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data, -@@ -1511,8 +1516,7 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data, - bt_dev_dbg(hdev, "err %d", err); - - /* Make sure cmd still outstanding. 
*/ -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - - hci_dev_lock(hdev); -@@ -1534,12 +1538,15 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data, - new_settings(hdev, cmd->sk); - - done: -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - hci_dev_unlock(hdev); - } - - static int set_discoverable_sync(struct hci_dev *hdev, void *data) - { -+ if (!mgmt_pending_listed(hdev, data)) -+ return -ECANCELED; -+ - BT_DBG("%s", hdev->name); - - return hci_update_discoverable_sync(hdev); -@@ -1686,8 +1693,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data, - bt_dev_dbg(hdev, "err %d", err); - - /* Make sure cmd still outstanding. */ -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - - hci_dev_lock(hdev); -@@ -1702,7 +1708,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data, - new_settings(hdev, cmd->sk); - - done: -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - - hci_dev_unlock(hdev); - } -@@ -1738,6 +1744,9 @@ static int set_connectable_update_settings(struct hci_dev *hdev, - - static int set_connectable_sync(struct hci_dev *hdev, void *data) - { -+ if (!mgmt_pending_listed(hdev, data)) -+ return -ECANCELED; -+ - BT_DBG("%s", hdev->name); - - return hci_update_connectable_sync(hdev); -@@ -1914,14 +1923,17 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) - { - struct cmd_lookup match = { NULL, hdev }; - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_mode *cp = cmd->param; -- u8 enable = cp->val; -+ struct mgmt_mode *cp; -+ u8 enable; - bool changed; - - /* Make sure cmd still outstanding. 
*/ -- if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - -+ cp = cmd->param; -+ enable = cp->val; -+ - if (err) { - u8 mgmt_err = mgmt_status(err); - -@@ -1930,8 +1942,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) - new_settings(hdev, NULL); - } - -- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, -- cmd_status_rsp, &mgmt_err); -+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err); - return; - } - -@@ -1941,7 +1952,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) - changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED); - } - -- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match); -+ settings_rsp(cmd, &match); - - if (changed) - new_settings(hdev, match.sk); -@@ -1955,14 +1966,25 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) - static int set_ssp_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_mode *cp = cmd->param; -+ struct mgmt_mode cp; - bool changed = false; - int err; - -- if (cp->val) -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ memcpy(&cp, cmd->param, sizeof(cp)); -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ -+ if (cp.val) - changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED); - -- err = hci_write_ssp_mode_sync(hdev, cp->val); -+ err = hci_write_ssp_mode_sync(hdev, cp.val); - - if (!err && changed) - hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); -@@ -2055,32 +2077,50 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len) - - static void set_le_complete(struct hci_dev *hdev, void *data, int err) - { -+ struct mgmt_pending_cmd *cmd = data; - struct cmd_lookup match = { NULL, hdev }; - u8 status = mgmt_status(err); - - bt_dev_dbg(hdev, "err %d", 
err); - -- if (status) { -- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp, -- &status); -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) - return; -+ -+ if (status) { -+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); -+ goto done; - } - -- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match); -+ settings_rsp(cmd, &match); - - new_settings(hdev, match.sk); - - if (match.sk) - sock_put(match.sk); -+ -+done: -+ mgmt_pending_free(cmd); - } - - static int set_le_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_mode *cp = cmd->param; -- u8 val = !!cp->val; -+ struct mgmt_mode cp; -+ u8 val; - int err; - -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ memcpy(&cp, cmd->param, sizeof(cp)); -+ val = !!cp.val; -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ - if (!val) { - hci_clear_adv_instance_sync(hdev, NULL, 0x00, true); - -@@ -2122,7 +2162,12 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) - { - struct mgmt_pending_cmd *cmd = data; - u8 status = mgmt_status(err); -- struct sock *sk = cmd->sk; -+ struct sock *sk; -+ -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) -+ return; -+ -+ sk = cmd->sk; - - if (status) { - mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true, -@@ -2137,24 +2182,37 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) - static int set_mesh_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_cp_set_mesh *cp = cmd->param; -- size_t len = cmd->param_len; -+ struct mgmt_cp_set_mesh cp; -+ size_t len; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ memcpy(&cp, cmd->param, sizeof(cp)); -+ -+ 
mutex_unlock(&hdev->mgmt_pending_lock); -+ -+ len = cmd->param_len; - - memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types)); - -- if (cp->enable) -+ if (cp.enable) - hci_dev_set_flag(hdev, HCI_MESH); - else - hci_dev_clear_flag(hdev, HCI_MESH); - -- hdev->le_scan_interval = __le16_to_cpu(cp->period); -- hdev->le_scan_window = __le16_to_cpu(cp->window); -+ hdev->le_scan_interval = __le16_to_cpu(cp.period); -+ hdev->le_scan_window = __le16_to_cpu(cp.window); - -- len -= sizeof(*cp); -+ len -= sizeof(cp); - - /* If filters don't fit, forward all adv pkts */ - if (len <= sizeof(hdev->mesh_ad_types)) -- memcpy(hdev->mesh_ad_types, cp->ad_types, len); -+ memcpy(hdev->mesh_ad_types, cp.ad_types, len); - - hci_update_passive_scan_sync(hdev); - return 0; -@@ -3801,15 +3859,16 @@ static int name_changed_sync(struct hci_dev *hdev, void *data) - static void set_name_complete(struct hci_dev *hdev, void *data, int err) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_cp_set_local_name *cp = cmd->param; -+ struct mgmt_cp_set_local_name *cp; - u8 status = mgmt_status(err); - - bt_dev_dbg(hdev, "err %d", err); - -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - -+ cp = cmd->param; -+ - if (status) { - mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, - status); -@@ -3821,16 +3880,27 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err) - hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL); - } - -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - } - - static int set_name_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_cp_set_local_name *cp = cmd->param; -+ struct mgmt_cp_set_local_name cp; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ memcpy(&cp, 
cmd->param, sizeof(cp)); -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); - - if (lmp_bredr_capable(hdev)) { -- hci_update_name_sync(hdev, cp->name); -+ hci_update_name_sync(hdev, cp.name); - hci_update_eir_sync(hdev); - } - -@@ -3982,12 +4052,10 @@ int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip) - static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) - { - struct mgmt_pending_cmd *cmd = data; -- struct sk_buff *skb = cmd->skb; -+ struct sk_buff *skb; - u8 status = mgmt_status(err); - -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) -- return; -+ skb = cmd->skb; - - if (!status) { - if (!skb) -@@ -4014,7 +4082,7 @@ static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) - if (skb && !IS_ERR(skb)) - kfree_skb(skb); - -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - } - - static int set_default_phy_sync(struct hci_dev *hdev, void *data) -@@ -4022,7 +4090,9 @@ static int set_default_phy_sync(struct hci_dev *hdev, void *data) - struct mgmt_pending_cmd *cmd = data; - struct mgmt_cp_set_phy_configuration *cp = cmd->param; - struct hci_cp_le_set_default_phy cp_phy; -- u32 selected_phys = __le32_to_cpu(cp->selected_phys); -+ u32 selected_phys; -+ -+ selected_phys = __le32_to_cpu(cp->selected_phys); - - memset(&cp_phy, 0, sizeof(cp_phy)); - -@@ -4162,7 +4232,7 @@ static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev, - goto unlock; - } - -- cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, -+ cmd = mgmt_pending_new(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, - len); - if (!cmd) - err = -ENOMEM; -@@ -5252,7 +5322,17 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, - { - struct mgmt_rp_add_adv_patterns_monitor rp; - struct mgmt_pending_cmd *cmd = data; -- struct adv_monitor *monitor = cmd->user_data; -+ struct adv_monitor *monitor; -+ -+ /* This is likely the result of hdev being closed 
and mgmt_index_removed -+ * is attempting to clean up any pending command so -+ * hci_adv_monitors_clear is about to be called which will take care of -+ * freeing the adv_monitor instances. -+ */ -+ if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd)) -+ return; -+ -+ monitor = cmd->user_data; - - hci_dev_lock(hdev); - -@@ -5278,9 +5358,20 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, - static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct adv_monitor *monitor = cmd->user_data; -+ struct adv_monitor *mon; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ mon = cmd->user_data; -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); - -- return hci_add_adv_monitor(hdev, monitor); -+ return hci_add_adv_monitor(hdev, mon); - } - - static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, -@@ -5547,7 +5638,8 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev, - status); - } - --static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err) -+static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, -+ int err) - { - struct mgmt_rp_read_local_oob_data mgmt_rp; - size_t rp_size = sizeof(mgmt_rp); -@@ -5567,7 +5659,8 @@ static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int e - bt_dev_dbg(hdev, "status %d", status); - - if (status) { -- mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status); -+ mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, -+ status); - goto remove; - } - -@@ -5872,17 +5965,12 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err) - - bt_dev_dbg(hdev, "err %d", err); - -- if (err == -ECANCELED) -- return; -- -- if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) && -- cmd 
!= pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) && -- cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - - mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), - cmd->param, 1); -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - - hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED: - DISCOVERY_FINDING); -@@ -5890,6 +5978,9 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err) - - static int start_discovery_sync(struct hci_dev *hdev, void *data) - { -+ if (!mgmt_pending_listed(hdev, data)) -+ return -ECANCELED; -+ - return hci_start_discovery_sync(hdev); - } - -@@ -6112,15 +6203,14 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err) - { - struct mgmt_pending_cmd *cmd = data; - -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev)) -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) - return; - - bt_dev_dbg(hdev, "err %d", err); - - mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), - cmd->param, 1); -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - - if (!err) - hci_discovery_set_state(hdev, DISCOVERY_STOPPED); -@@ -6128,6 +6218,9 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err) - - static int stop_discovery_sync(struct hci_dev *hdev, void *data) - { -+ if (!mgmt_pending_listed(hdev, data)) -+ return -ECANCELED; -+ - return hci_stop_discovery_sync(hdev); - } - -@@ -6337,14 +6430,18 @@ static void enable_advertising_instance(struct hci_dev *hdev, int err) - - static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) - { -+ struct mgmt_pending_cmd *cmd = data; - struct cmd_lookup match = { NULL, hdev }; - u8 instance; - struct adv_info *adv_instance; - u8 status = mgmt_status(err); - -+ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) -+ return; -+ - if (status) { -- 
mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, -- cmd_status_rsp, &status); -+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); -+ mgmt_pending_free(cmd); - return; - } - -@@ -6353,8 +6450,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) - else - hci_dev_clear_flag(hdev, HCI_ADVERTISING); - -- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp, -- &match); -+ settings_rsp(cmd, &match); - - new_settings(hdev, match.sk); - -@@ -6386,10 +6482,23 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) - static int set_adv_sync(struct hci_dev *hdev, void *data) - { - struct mgmt_pending_cmd *cmd = data; -- struct mgmt_mode *cp = cmd->param; -- u8 val = !!cp->val; -+ struct mgmt_mode cp; -+ u8 val; - -- if (cp->val == 0x02) -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ if (!__mgmt_pending_listed(hdev, cmd)) { -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ return -ECANCELED; -+ } -+ -+ memcpy(&cp, cmd->param, sizeof(cp)); -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ -+ val = !!cp.val; -+ -+ if (cp.val == 0x02) - hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE); - else - hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE); -@@ -8142,10 +8251,6 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data, - u8 status = mgmt_status(err); - u16 eir_len; - -- if (err == -ECANCELED || -- cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev)) -- return; -- - if (!status) { - if (!skb) - status = MGMT_STATUS_FAILED; -@@ -8252,7 +8357,7 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data, - kfree_skb(skb); - - kfree(mgmt_rp); -- mgmt_pending_remove(cmd); -+ mgmt_pending_free(cmd); - } - - static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, -@@ -8261,7 +8366,7 @@ static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, - struct mgmt_pending_cmd *cmd; - int err; - -- cmd = 
mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, -+ cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, - cp, sizeof(*cp)); - if (!cmd) - return -ENOMEM; -diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c -index a88a07da3947..aa7b5585cb26 100644 ---- a/net/bluetooth/mgmt_util.c -+++ b/net/bluetooth/mgmt_util.c -@@ -320,6 +320,52 @@ void mgmt_pending_remove(struct mgmt_pending_cmd *cmd) - mgmt_pending_free(cmd); - } - -+bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) -+{ -+ struct mgmt_pending_cmd *tmp; -+ -+ lockdep_assert_held(&hdev->mgmt_pending_lock); -+ -+ if (!cmd) -+ return false; -+ -+ list_for_each_entry(tmp, &hdev->mgmt_pending, list) { -+ if (cmd == tmp) -+ return true; -+ } -+ -+ return false; -+} -+ -+bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) -+{ -+ bool listed; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); -+ listed = __mgmt_pending_listed(hdev, cmd); -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ -+ return listed; -+} -+ -+bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) -+{ -+ bool listed; -+ -+ if (!cmd) -+ return false; -+ -+ mutex_lock(&hdev->mgmt_pending_lock); -+ -+ listed = __mgmt_pending_listed(hdev, cmd); -+ if (listed) -+ list_del(&cmd->list); -+ -+ mutex_unlock(&hdev->mgmt_pending_lock); -+ -+ return listed; -+} -+ - void mgmt_mesh_foreach(struct hci_dev *hdev, - void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), - void *data, struct sock *sk) -diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h -index 024e51dd6937..bcba8c9d8952 100644 ---- a/net/bluetooth/mgmt_util.h -+++ b/net/bluetooth/mgmt_util.h -@@ -65,6 +65,9 @@ struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode, - void *data, u16 len); - void mgmt_pending_free(struct mgmt_pending_cmd *cmd); - void mgmt_pending_remove(struct mgmt_pending_cmd *cmd); -+bool __mgmt_pending_listed(struct hci_dev *hdev, struct 
mgmt_pending_cmd *cmd); -+bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); -+bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); - void mgmt_mesh_foreach(struct hci_dev *hdev, - void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), - void *data, struct sock *sk); --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-40064.patch b/SPECS/kernel/CVE-2025-40064.patch new file mode 100644 index 0000000000..0abf0faa40 --- /dev/null +++ b/SPECS/kernel/CVE-2025-40064.patch 
@@ -0,0 +1,207 @@
+From e984bf63dd43d70b190ed665cee74b4d1d9bc44f Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Tue, 16 Sep 2025 21:47:19 +0000
+Subject: [PATCH 6/8] smc: Fix use-after-free in __pnet_find_base_ndev().
+
+syzbot reported use-after-free of net_device in __pnet_find_base_ndev(),
+which was called during connect(). [0]
+
+smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes
+down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened
+at __pnet_find_base_ndev() when the dev is first used.
+
+This means dev had already been freed before acquiring RTNL in
+pnet_find_base_ndev().
+
+While dev is going away, dst->dev could be swapped with blackhole_netdev,
+and the dev's refcnt by dst will be released.
+
+We must hold dev's refcnt before calling smc_pnet_find_ism_resource().
+
+Also, smc_pnet_find_roce_resource() has the same problem.
+
+Let's use __sk_dst_get() and dst_dev_rcu() in the two functions.
+
+[0]:
+BUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
+Read of size 1 at addr ffff888036bac33a by task syz.0.3632/18609
+
+CPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
+Call Trace:
+
+ dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
+ pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]
+ smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]
+ smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154
+ smc_find_ism_device net/smc/af_smc.c:1030 [inline]
+ smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]
+ __smc_connect+0x372/0x1890 net/smc/af_smc.c:1545
+ smc_connect+0x877/0xd90 net/smc/af_smc.c:1715
+ __sys_connect_file net/socket.c:2086 [inline]
+ __sys_connect+0x313/0x440 net/socket.c:2105
+ __do_sys_connect net/socket.c:2111 [inline]
+ __se_sys_connect net/socket.c:2108 [inline]
+ __x64_sys_connect+0x7a/0x90 net/socket.c:2108
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f47cbf8eba9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9
+RDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b
+RBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8
+
+
+The buggy address belongs to the physical page:
+page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac
+flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
+raw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000
+raw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as freed
+page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466
+ set_page_owner include/linux/page_owner.h:32 [inline]
+ post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
+ prep_new_page mm/page_alloc.c:1859 [inline]
+ get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
+ __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
+ alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
+ ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317
+ __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348
+ __do_kmalloc_node mm/slub.c:4364 [inline]
+ __kvmalloc_node_noprof+0x6d/0x5f0 mm/slub.c:5067
+ alloc_netdev_mqs+0xa3/0x11b0 net/core/dev.c:11812
+ tun_set_iff+0x532/0xef0 drivers/net/tun.c:2775
+ __tun_chr_ioctl+0x788/0x1df0 drivers/net/tun.c:3085
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:598 [inline]
+ __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:584
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+page last free pid 18610 tgid 18608 stack trace:
+ reset_page_owner include/linux/page_owner.h:25 [inline]
+ free_pages_prepare mm/page_alloc.c:1395 [inline]
+ __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
+ free_large_kmalloc+0x13a/0x1f0 mm/slub.c:4820
+ device_release+0x99/0x1c0 drivers/base/core.c:-1
+ kobject_cleanup lib/kobject.c:689 [inline]
+ kobject_release lib/kobject.c:720 [inline]
+ kref_put include/linux/kref.h:65 [inline]
+ kobject_put+0x22b/0x480 lib/kobject.c:737
+ netdev_run_todo+0xd2e/0xea0 net/core/dev.c:11513
+ rtnl_unlock net/core/rtnetlink.c:157 [inline]
+ rtnl_net_unlock include/linux/rtnetlink.h:135 [inline]
+ rtnl_dellink+0x537/0x710 net/core/rtnetlink.c:3563
+ rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6946
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ __sock_sendmsg+0x219/0x270 net/socket.c:729
+ ____sys_sendmsg+0x505/0x830 net/socket.c:2614
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
+ __sys_sendmsg net/socket.c:2700 [inline]
+ __do_sys_sendmsg net/socket.c:2705 [inline]
+ __se_sys_sendmsg net/socket.c:2703 [inline]
+ __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Memory state around the buggy address:
+ ffff888036bac200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff888036bac280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+>ffff888036bac300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ^
+ ffff888036bac380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff888036bac400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Fixes: 0afff91c6f5e ("net/smc: add pnetid support")
+Fixes: 1619f770589a ("net/smc: add pnetid support for SMC-D and ISM")
+Reported-by: syzbot+ea28e9d85be2f327b6c6@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68c237c7.050a0220.3c6139.0036.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20250916214758.650211-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski
+---
+ net/smc/smc_pnet.c | 43 ++++++++++++++++++++++---------------------
+ 1 file changed, 22 insertions(+), 21 deletions(-)
+
+diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c
+index b391c2ef463f..f2849e030004 100644
+--- a/net/smc/smc_pnet.c
++++ b/net/smc/smc_pnet.c
+@@ -1126,37 +1126,38 @@ static void smc_pnet_find_ism_by_pnetid(struct net_device *ndev,
+ */
+ void smc_pnet_find_roce_resource(struct sock *sk, struct smc_init_info *ini)
+ {
+- struct dst_entry *dst = sk_dst_get(sk);
+-
+- if (!dst)
+- goto out;
+- if (!dst->dev)
+- goto out_rel;
++ struct net_device *dev;
++ struct dst_entry *dst;
+
+- smc_pnet_find_roce_by_pnetid(dst->dev, ini);
++ rcu_read_lock();
++ dst = __sk_dst_get(sk);
++ dev = dst ? dst_dev_rcu(dst) : NULL;
++ dev_hold(dev);
++ rcu_read_unlock();
+
+-out_rel:
+- dst_release(dst);
+-out:
+- return;
++ if (dev) {
++ smc_pnet_find_roce_by_pnetid(dev, ini);
++ dev_put(dev);
++ }
+ }
+
+ void smc_pnet_find_ism_resource(struct sock *sk, struct smc_init_info *ini)
+ {
+- struct dst_entry *dst = sk_dst_get(sk);
++ struct net_device *dev;
++ struct dst_entry *dst;
+
+ ini->ism_dev[0] = NULL;
+- if (!dst)
+- goto out;
+- if (!dst->dev)
+- goto out_rel;
+
+- smc_pnet_find_ism_by_pnetid(dst->dev, ini);
++ rcu_read_lock();
++ dst = __sk_dst_get(sk);
++ dev = dst ? dst_dev_rcu(dst) : NULL;
++ dev_hold(dev);
++ rcu_read_unlock();
+
+-out_rel:
+- dst_release(dst);
+-out:
+- return;
++ if (dev) {
++ smc_pnet_find_ism_by_pnetid(dev, ini);
++ dev_put(dev);
++ }
+ }
+
+ /* Lookup and apply a pnet table entry to the given ib device.
+--
+2.34.1
+
diff --git a/SPECS/kernel/CVE-2025-40074.patch b/SPECS/kernel/CVE-2025-40074.patch
new file mode 100644
index 0000000000..f0c2dbd16c
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40074.patch
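Review bot: The `Subject: [PATCH 6/8]` tag shows this file is one piece of a series, and the files added after it (5/8, 4/8 and 3/8) depend on each other, yet nothing visible here records the order they must be applied in. CVE-2025-40075-1.patch calls `dst_dev_net_rcu()`, which only CVE-2025-40075.patch defines, and the net/ipv4/route.c section of CVE-2025-40074.patch starts from blob `8c54a3ecbddf`, the blob CVE-2025-40075.patch produces. The spec's patch list is outside this view, so confirm it applies them in series order (CVE-2025-40075, CVE-2025-40075-1, CVE-2025-40074, then this file). In the code itself, `dev_hold(dev)` runs before the `if (dev)` test in both functions and so relies on dev_hold() accepting NULL; a short comment such as `/* dev_hold() is a no-op for NULL */` would spare readers the lookup.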
@@ -0,0 +1,103 @@
+From c78bade8fe345c24a18be6315560e83caa4cd232 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 28 Aug 2025 19:58:23 +0000
+Subject: [PATCH 5/8] ipv4: start using dst_dev_rcu()
+
+Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.
+
+Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(),
+ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20250828195823.3958522-9-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+---
+ net/ipv4/icmp.c | 6 +++---
+ net/ipv4/ip_fragment.c | 6 ++++--
+ net/ipv4/ipmr.c | 2 +-
+ net/ipv4/route.c | 4 ++--
+ 4 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index 508b23204edc..c3c2532d6721 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -318,17 +318,17 @@ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
+ return true;
+
+ /* No rate limit on loopback */
+- dev = dst_dev(dst);
++ rcu_read_lock();
++ dev = dst_dev_rcu(dst);
+ if (dev && (dev->flags & IFF_LOOPBACK))
+ goto out;
+
+- rcu_read_lock();
+ peer = inet_getpeer_v4(net->ipv4.peers, fl4->daddr,
+ l3mdev_master_ifindex_rcu(dev));
+ rc = inet_peer_xrlim_allow(peer,
+ READ_ONCE(net->ipv4.sysctl_icmp_ratelimit));
+- rcu_read_unlock();
+ out:
++ rcu_read_unlock();
+ if (!rc)
+ __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST);
+ else
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+index 183856b0b740..87ca69974598 100644
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -488,13 +488,15 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
+ /* Process an incoming IP datagram fragment. */
+ int ip_defrag(struct net *net, struct sk_buff *skb, u32 user)
+ {
+- struct net_device *dev = skb->dev ? : skb_dst_dev(skb);
+- int vif = l3mdev_master_ifindex_rcu(dev);
++ struct net_device *dev;
+ struct ipq *qp;
++ int vif;
+
+ __IP_INC_STATS(net, IPSTATS_MIB_REASMREQDS);
+
+ /* Lookup (or create) queue header */
++ dev = skb->dev ? : skb_dst_dev_rcu(skb);
++ vif = l3mdev_master_ifindex_rcu(dev);
+ qp = ip_find(net, ip_hdr(skb), user, vif);
+ if (qp) {
+ int ret;
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index de0d9cc7806a..f0294b114824 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -1894,7 +1894,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
+ goto out_free;
+ }
+
+- dev = rt->dst.dev;
++ dev = dst_dev_rcu(&rt->dst);
+
+ if (skb->len+encap > dst_mtu(&rt->dst) && (ntohs(iph->frag_off) & IP_DF)) {
+ /* Do not fragment multicasts. Alas, IPv4 does not
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 8c54a3ecbddf..615e80f76158 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -413,11 +413,11 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
+ const void *daddr)
+ {
+ const struct rtable *rt = container_of(dst, struct rtable, dst);
+- struct net_device *dev = dst_dev(dst);
++ struct net_device *dev;
+ struct neighbour *n;
+
+ rcu_read_lock();
+-
++ dev = dst_dev_rcu(dst);
+ if (likely(rt->rt_gw_family == AF_INET)) {
+ n = ip_neigh_gw4(dev, rt->rt_gw4);
+ } else if (rt->rt_gw_family == AF_INET6) {
+--
+2.34.1
+
diff --git a/SPECS/kernel/CVE-2025-40075-1.patch b/SPECS/kernel/CVE-2025-40075-1.patch
new file mode 100644
index 0000000000..ebd905650d
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40075-1.patch
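Review bot: In the ip_defrag() section, `dev = skb->dev ? : skb_dst_dev_rcu(skb);` is added with no rcu_read_lock() in the lines shown between the function's opening brace and `ip_find()`, so the lookup is only safe if every caller already runs inside an RCU read-side section. The commit message lists ip_defrag() as one of the two UAF fixes, so that assumption deserves to be written down: either add `/* Callers hold rcu_read_lock(). */` above the assignment once that is verified against this tree, or bracket the two added lines with `rcu_read_lock();` and `rcu_read_unlock();`. The same question applies to `dev = dst_dev_rcu(&rt->dst);` in ipmr_queue_xmit(), whose body lies outside the hunk. The message also names ipmr_prepare_xmit(), ipmr_queue_fwd_xmit() and ip_mr_output(), while the only ipmr.c hunk is in ipmr_queue_xmit(); a line in the patch header noting that the backport was adapted would explain the difference.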
@@ -0,0 +1,50 @@
+From 5713e8f87ebb86cf78123c967d2fdf6a1c1a04d3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 28 Aug 2025 19:58:21 +0000
+Subject: [PATCH 4/8] tcp_metrics: use dst_dev_net_rcu()
+
+Replace three dst_dev() with a lockdep enabled helper.
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20250828195823.3958522-7-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+---
+ net/ipv4/tcp_metrics.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
+index 03c068ea27b6..10e86f1008e9 100644
+--- a/net/ipv4/tcp_metrics.c
++++ b/net/ipv4/tcp_metrics.c
+@@ -170,7 +170,7 @@ static struct tcp_metrics_block *tcpm_new(struct dst_entry *dst,
+ struct net *net;
+
+ spin_lock_bh(&tcp_metrics_lock);
+- net = dev_net_rcu(dst_dev(dst));
++ net = dst_dev_net_rcu(dst);
+
+ /* While waiting for the spin-lock the cache might have been populated
+ * with this entry and so we have to check again.
+@@ -273,7 +273,7 @@ static struct tcp_metrics_block *__tcp_get_metrics_req(struct request_sock *req,
+ return NULL;
+ }
+
+- net = dev_net_rcu(dst_dev(dst));
++ net = dst_dev_net_rcu(dst);
+ hash ^= net_hash_mix(net);
+ hash = hash_32(hash, tcp_metrics_hash_log);
+
+@@ -318,7 +318,7 @@ static struct tcp_metrics_block *tcp_get_metrics(struct sock *sk,
+ else
+ return NULL;
+
+- net = dev_net_rcu(dst_dev(dst));
++ net = dst_dev_net_rcu(dst);
+ hash ^= net_hash_mix(net);
+ hash = hash_32(hash, tcp_metrics_hash_log);
+
+--
+2.34.1
+
diff --git a/SPECS/kernel/CVE-2025-40075.patch b/SPECS/kernel/CVE-2025-40075.patch
new file mode 100644
index 0000000000..84376b1590
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40075.patch
@@ -0,0 +1,105 @@
+From 7649135be0cd3d9c9083b623f086573ae448589c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 28 Aug 2025 19:58:16 +0000
+Subject: [PATCH 3/8] net: dst: introduce dst->dev_rcu
+
+Followup of commit 88fe14253e18 ("net: dst: add four helpers
+to annotate data-races around dst->dev").
+
+We want to gradually add explicit RCU protection to dst->dev,
+including lockdep support.
+
+Add an union to alias dst->dev_rcu and dst->dev.
+
+Add dst_dev_net_rcu() helper.
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20250828195823.3958522-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+---
+ include/net/dst.h | 16 +++++++++++-----
+ net/core/dst.c | 2 +-
+ net/ipv4/route.c | 4 ++--
+ 3 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/dst.h b/include/net/dst.h
+index e5c9ea188383..e7c1eb69570e 100644
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -24,7 +24,10 @@
+ struct sk_buff;
+
+ struct dst_entry {
+- struct net_device *dev;
++ union {
++ struct net_device *dev;
++ struct net_device __rcu *dev_rcu;
++ };
+ struct dst_ops *ops;
+ unsigned long _metrics;
+ unsigned long expires;
+@@ -568,9 +571,12 @@ static inline struct net_device *dst_dev(const struct dst_entry *dst)
+
+ static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst)
+ {
+- /* In the future, use rcu_dereference(dst->dev) */
+- WARN_ON_ONCE(!rcu_read_lock_held());
+- return READ_ONCE(dst->dev);
++ return rcu_dereference(dst->dev_rcu);
++}
++
++static inline struct net *dst_dev_net_rcu(const struct dst_entry *dst)
++{
++ return dev_net_rcu(dst_dev_rcu(dst));
+ }
+
+ static inline struct net_device *skb_dst_dev(const struct sk_buff *skb)
+@@ -590,7 +596,7 @@ static inline struct net *skb_dst_dev_net(const struct sk_buff *skb)
+
+ static inline struct net *skb_dst_dev_net_rcu(const struct sk_buff *skb)
+ {
+- return dev_net_rcu(skb_dst_dev(skb));
++ return dev_net_rcu(skb_dst_dev_rcu(skb));
+ }
+
+ struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie);
+diff --git a/net/core/dst.c b/net/core/dst.c
+index 9a0ddef8bee4..8dbb54148c03 100644
+--- a/net/core/dst.c
++++ b/net/core/dst.c
+@@ -150,7 +150,7 @@ void dst_dev_put(struct dst_entry *dst)
+ dst->ops->ifdown(dst, dev);
+ WRITE_ONCE(dst->input, dst_discard);
+ WRITE_ONCE(dst->output, dst_discard_out);
+- WRITE_ONCE(dst->dev, blackhole_netdev);
++ rcu_assign_pointer(dst->dev_rcu, blackhole_netdev);
+ netdev_ref_replace(dev, blackhole_netdev, &dst->dev_tracker,
+ GFP_ATOMIC);
+ }
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 96a01eb33653..8c54a3ecbddf 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1025,7 +1025,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
+ return;
+
+ rcu_read_lock();
+- net = dev_net_rcu(dst_dev(dst));
++ net = dst_dev_net_rcu(dst);
+ if (mtu < net->ipv4.ip_rt_min_pmtu) {
+ lock = true;
+ mtu = min(old_mtu, net->ipv4.ip_rt_min_pmtu);
+@@ -1323,7 +1323,7 @@ static unsigned int ipv4_default_advmss(const struct dst_entry *dst)
+ struct net *net;
+
+ rcu_read_lock();
+- net = dev_net_rcu(dst_dev(dst));
++ net = dst_dev_net_rcu(dst);
+ advmss = max_t(unsigned int, ipv4_mtu(dst) - header_size,
+ net->ipv4.ip_rt_min_advmss);
+ rcu_read_unlock();
+--
+2.34.1
+
diff --git a/SPECS/kernel/CVE-2025-40086-1.patch b/SPECS/kernel/CVE-2025-40086-1.patch
new file mode 100644
index 0000000000..68c0375c1d
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40086-1.patch
@@ -0,0 +1,158 @@
+From 424f106e84506904143f4e175468af2cea445554 Mon Sep 17 00:00:00 2001
+From: Matthew Brost
+Date: Thu, 9 Oct 2025 04:06:18 -0700
+Subject: [PATCH 8/8] drm/xe: Don't allow evicting of BOs in same VM in array
+ of VM binds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+An array of VM binds can potentially evict other buffer objects (BOs)
+within the same VM under certain conditions, which may lead to NULL
+pointer dereferences later in the bind pipeline. To prevent this, clear
+the allow_res_evict flag in the xe_bo_validate call.
+
+v2:
+ - Invert polarity of no_res_evict (Thomas)
+ - Add comment in code explaining issue (Thomas)
+
+Cc: stable@vger.kernel.org
+Reported-by: Paulo Zanoni
+Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6268
+Fixes: 774b5fa509a9 ("drm/xe: Avoid evicting object of the same vm in none fault mode")
+Fixes: 77f2ef3f16f5 ("drm/xe: Lock all gpuva ops during VM bind IOCTL")
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Signed-off-by: Matthew Brost
+Tested-by: Paulo Zanoni
+Reviewed-by: Thomas Hellström
+Link: https://lore.kernel.org/r/20251009110618.3481870-1-matthew.brost@intel.com
+(cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)
+Signed-off-by: Lucas De Marchi
+---
+ drivers/gpu/drm/xe/xe_vm.c | 36 ++++++++++++++++++++++----------
+ drivers/gpu/drm/xe/xe_vm_types.h | 5 +++++
+ 2 files changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
+index 435a407a59a8..0eb3081ad41f 100644
+--- a/drivers/gpu/drm/xe/xe_vm.c
++++ b/drivers/gpu/drm/xe/xe_vm.c
+@@ -2456,7 +2456,7 @@ static void vm_bind_ioctl_ops_unwind(struct xe_vm *vm,
+ }
+
+ static int vma_lock_and_validate(struct drm_exec *exec, struct xe_vma *vma,
+- bool validate)
++ bool res_evict, bool validate)
+ {
+ struct xe_bo *bo = xe_vma_bo(vma);
+ struct xe_vm *vm = xe_vma_vm(vma);
+@@ -2467,7 +2467,8 @@ static int vma_lock_and_validate(struct drm_exec *exec, struct xe_vma *vma,
+ err = drm_exec_lock_obj(exec, &bo->ttm.base);
+ if (!err && validate)
+ err = xe_bo_validate(bo, vm,
+- !xe_vm_in_preempt_fence_mode(vm));
++ !xe_vm_in_preempt_fence_mode(vm) &&
++ res_evict);
+ }
+
+ return err;
+@@ -2489,15 +2490,24 @@ static int check_ufence(struct xe_vma *vma)
+ }
+
+ static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm,
+- struct xe_vma_op *op)
++ struct xe_vma_ops *vops, struct xe_vma_op *op)
+ {
+ int err = 0;
++ bool res_evict;
++
++ /*
++ * We only allow evicting a BO within the VM if it is not part of an
++ * array of binds, as an array of binds can evict another BO within the
++ * bind.
++ */
++ res_evict = !(vops->flags & XE_VMA_OPS_ARRAY_OF_BINDS);
+
+ switch (op->base.op) {
+ case DRM_GPUVA_OP_MAP:
+ err = vma_lock_and_validate(exec, op->map.vma,
+- !xe_vm_in_fault_mode(vm) ||
+- op->map.immediate);
++ res_evict,
++ !xe_vm_in_fault_mode(vm) ||
++ op->map.immediate);
+ break;
+ case DRM_GPUVA_OP_REMAP:
+ err = check_ufence(gpuva_to_vma(op->base.remap.unmap->va));
+@@ -2506,11 +2516,13 @@ static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm,
+
+ err = vma_lock_and_validate(exec,
+ gpuva_to_vma(op->base.remap.unmap->va),
+- false);
++ res_evict, false);
+ if (!err && op->remap.prev)
+- err = vma_lock_and_validate(exec, op->remap.prev, true);
++ err = vma_lock_and_validate(exec, op->remap.prev,
++ res_evict, true);
+ if (!err && op->remap.next)
+- err = vma_lock_and_validate(exec, op->remap.next, true);
++ err = vma_lock_and_validate(exec, op->remap.next,
++ res_evict, true);
+ break;
+ case DRM_GPUVA_OP_UNMAP:
+ err = check_ufence(gpuva_to_vma(op->base.unmap.va));
+@@ -2519,7 +2531,7 @@ static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm,
+
+ err = vma_lock_and_validate(exec,
+ gpuva_to_vma(op->base.unmap.va),
+- false);
++ res_evict, false);
+ break;
+ case DRM_GPUVA_OP_PREFETCH:
+ {
+@@ -2530,7 +2542,7 @@ static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm,
+
+ err = vma_lock_and_validate(exec,
+ gpuva_to_vma(op->base.prefetch.va),
+- false);
++ res_evict, false);
+ if (!err && !xe_vma_has_no_bo(vma))
+ err = xe_bo_migrate(xe_vma_bo(vma),
+ region_to_mem_type[region]);
+@@ -2555,7 +2567,7 @@ static int vm_bind_ioctl_ops_lock_and_prep(struct drm_exec *exec,
+ return err;
+
+ list_for_each_entry(op, &vops->list, link) {
+- err = op_lock_and_prep(exec, vm, op);
++ err = op_lock_and_prep(exec, vm, vops, op);
+ if (err)
+ return err;
+ }
+@@ -3149,6 +3161,8 @@ int xe_vm_bind_ioctl(struct drm_device *dev, void *data, struct drm_file *file)
+ }
+
+ xe_vma_ops_init(&vops, vm, q, syncs, num_syncs);
++ if (args->num_binds > 1)
++ vops.flags |= XE_VMA_OPS_ARRAY_OF_BINDS;
+ for (i = 0; i < args->num_binds; ++i) {
+ u64 range = bind_ops[i].range;
+ u64 addr = bind_ops[i].addr;
+diff --git a/drivers/gpu/drm/xe/xe_vm_types.h b/drivers/gpu/drm/xe/xe_vm_types.h
+index a4b4091cfd0d..e4ebbe30c79b 100644
+--- a/drivers/gpu/drm/xe/xe_vm_types.h
++++ b/drivers/gpu/drm/xe/xe_vm_types.h
+@@ -373,6 +373,11 @@ struct xe_vma_ops {
+ u32 num_syncs;
+ /** @pt_update_ops: page table update operations */
+ struct xe_vm_pgtable_update_ops pt_update_ops[XE_MAX_TILES_PER_DEVICE];
++ /** @flag: signify the properties within xe_vma_ops*/
++#define XE_VMA_OPS_FLAG_HAS_SVM_PREFETCH BIT(0)
++#define XE_VMA_OPS_FLAG_MADVISE BIT(1)
++#define XE_VMA_OPS_ARRAY_OF_BINDS BIT(2)
++ u32 flags;
+ #ifdef TEST_VM_OPS_ERROR
+ /** @inject_error: inject error to test error handling */
+ bool inject_error;
+--
+2.34.1
+
diff --git a/SPECS/kernel/CVE-2025-40086.patch b/SPECS/kernel/CVE-2025-40086.patch
new file mode 100644
index 0000000000..f2118b522f
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40086.patch
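Review bot: The kernel-doc line added in xe_vm_types.h reads `@flag:` while the member it documents is `u32 flags;`, so the comment does not match the field; it should be `/** @flags: signify the properties within xe_vma_ops */`. `XE_VMA_OPS_FLAG_HAS_SVM_PREFETCH` and `XE_VMA_OPS_FLAG_MADVISE` are defined next to `XE_VMA_OPS_ARRAY_OF_BINDS`, but nothing in the visible patch uses them, so they look like leftovers of the backport. In xe_vm_bind_ioctl() the bit is set with `vops.flags |= XE_VMA_OPS_ARRAY_OF_BINDS` directly after xe_vma_ops_init(), which is only correct if that helper zeroes the whole struct. Its body is outside the hunks, so this is worth confirming on this base, because res_evict in op_lock_and_prep() is derived from that bit.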
@@ -0,0 +1,62 @@
+From 2fbba3ce1c3edd00a587594234da05d682e459a7 Mon Sep 17 00:00:00 2001
+From: Oak Zeng
+Date: Mon, 2 Dec 2024 21:19:29 -0500
+Subject: [PATCH 7/8] drm/xe: Avoid evicting object of the same vm in none
+ fault mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BO validation during vm_bind could trigger memory eviction when
+system runs under memory pressure. Right now we blindly evict
+BOs of all VMs. This scheme has a problem when system runs in
+none recoverable page fault mode: even though the vm_bind could
+be successful by evicting BOs, the later the rebinding of the
+evicted BOs would fail. So it is better to report an out-of-
+memory failure at vm_bind time than at time of rebinding where
+xekmd currently doesn't have a good mechanism to report error
+to user space.
+
+This patch implemented a scheme to only evict objects of other
+VMs during vm_bind time. Object of the same VM will skip eviction.
+If we failed to find enough memory for vm_bind, we report error
+to user space at vm_bind time.
+
+This scheme is not needed for recoverable page fault mode under
+what we can dynamically fault-in pages on demand.
+
+v1: Use xe_vm_in_preempt_fence_mode instead of stack variable (Thomas)
+
+Signed-off-by: Oak Zeng
+Suggested-by: Thomas Hellström
+Reviewed-by: Thomas Hellström
+Link: https://patchwork.freedesktop.org/patch/msgid/20241203021929.1919730-1-oak.zeng@intel.com
+Signed-off-by: Rodrigo Vivi
+---
+ drivers/gpu/drm/xe/xe_vm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
+index fc5f0e135193..435a407a59a8 100644
+--- a/drivers/gpu/drm/xe/xe_vm.c
++++ b/drivers/gpu/drm/xe/xe_vm.c
+@@ -2459,13 +2459,15 @@ static int vma_lock_and_validate(struct drm_exec *exec, struct xe_vma *vma,
+ bool validate)
+ {
+ struct xe_bo *bo = xe_vma_bo(vma);
++ struct xe_vm *vm = xe_vma_vm(vma);
+ int err = 0;
+
+ if (bo) {
+ if (!bo->vm)
+ err = drm_exec_lock_obj(exec, &bo->ttm.base);
+ if (!err && validate)
+- err = xe_bo_validate(bo, xe_vma_vm(vma), true);
++ err = xe_bo_validate(bo, vm,
++ !xe_vm_in_preempt_fence_mode(vm));
+ }
+
+ return err;
+--
+2.34.1
+
diff --git a/SPECS/kernel/CVE-2025-40098.patch b/SPECS/kernel/CVE-2025-40098.patch
new file mode 100644
index 0000000000..bc46d97f98
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40098.patch
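Review bot: The third argument of `xe_bo_validate()` is now the bare expression `!xe_vm_in_preempt_fence_mode(vm)`, and nothing at the call site says that it decides whether BOs of the same VM may be evicted. A comment above the call, for example `/* In preempt-fence mode do not evict BOs of this VM: a failed rebind cannot be reported to user space */`, would keep the reasoning of the commit message next to the code. The inner index line `fc5f0e135193..435a407a59a8` shows that this patch produces the xe_vm.c blob which the PATCH 8/8 array-of-binds fix (`435a407a59a8..0eb3081ad41f`) starts from, so it has to be applied first; the spec's patch order is not visible here.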
@@ -0,0 +1,38 @@
+From 31ca54b3c5b5b8116cdb506799df842603be097b Mon Sep 17 00:00:00 2001
+From: Denis Arefev
+Date: Tue, 7 Oct 2025 10:38:31 +0300
+Subject: [PATCH 1/8] ALSA: hda: cs35l41: Fix NULL pointer dereference in
+ cs35l41_get_acpi_mute_state()
+
+Return value of a function acpi_evaluate_dsm() is dereferenced without
+checking for NULL, but it is usually checked for this function.
+
+acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns
+acpi_status other than ACPI_SUCCESS, so add a check to prevent the crach.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 447106e92a0c ("ALSA: hda: cs35l41: Support mute notifications for CS35L41 HDA")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Arefev
+Signed-off-by: Takashi Iwai
+---
+ sound/pci/hda/cs35l41_hda.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/cs35l41_hda.c b/sound/pci/hda/cs35l41_hda.c
+index d68bf7591d90..53d213de0ff3 100644
+--- a/sound/pci/hda/cs35l41_hda.c
++++ b/sound/pci/hda/cs35l41_hda.c
+@@ -1375,6 +1375,8 @@ static int cs35l41_get_acpi_mute_state(struct cs35l41_hda *cs35l41, acpi_handle
+
+ if (cs35l41_dsm_supported(handle, CS35L41_DSM_GET_MUTE)) {
+ ret = acpi_evaluate_dsm(handle, &guid, 0, CS35L41_DSM_GET_MUTE, NULL);
++ if (!ret)
++ return -EINVAL;
+ mute = *ret->buffer.pointer;
+ dev_dbg(cs35l41->dev, "CS35L41_DSM_GET_MUTE: %d\n", mute);
+ }
+--
+2.34.1
+
diff --git a/SPECS/kernel/CVE-2025-40130.patch b/SPECS/kernel/CVE-2025-40130.patch
new file mode 100644
index 0000000000..f5fd63383f
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40130.patch
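Review bot: The added `if (!ret)` check covers a failed evaluation, but `mute = *ret->buffer.pointer;` on the next line still trusts the firmware to have returned a non-empty buffer object; an object of another type would be read through the wrong union member. Evaluating with `acpi_evaluate_dsm_typed(handle, &guid, 0, CS35L41_DSM_GET_MUTE, NULL, ACPI_TYPE_BUFFER)` makes a type mismatch come back as NULL as well, and a check of `ret->buffer.length` before the read would cover the empty case. The rest of cs35l41_get_acpi_mute_state(), including where ret is released, lies outside the hunk.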
@@ -0,0 +1,126 @@
+From 1fa3666422d32324d23972c47b02405b3cca220c Mon Sep 17 00:00:00 2001
+From: Zhongqiu Han
+Date: Wed, 17 Sep 2025 17:41:43 +0800
+Subject: [PATCH 11/15] scsi: ufs: core: Fix data race in CPU latency PM QoS
+ request handling
+
+The cpu_latency_qos_add/remove/update_request interfaces lack internal
+synchronization by design, requiring the caller to ensure thread safety.
+The current implementation relies on the 'pm_qos_enabled' flag, which is
+insufficient to prevent concurrent access and cannot serve as a proper
+synchronization mechanism. This has led to data races and list
+corruption issues.
+
+A typical race condition call trace is:
+
+[Thread A]
+ufshcd_pm_qos_exit()
+ --> cpu_latency_qos_remove_request()
+ --> cpu_latency_qos_apply();
+ --> pm_qos_update_target()
+ --> plist_del <--(1) delete plist node
+ --> memset(req, 0, sizeof(*req));
+ --> hba->pm_qos_enabled = false;
+
+[Thread B]
+ufshcd_devfreq_target
+ --> ufshcd_devfreq_scale
+ --> ufshcd_scale_clks
+ --> ufshcd_pm_qos_update <--(2) pm_qos_enabled is true
+ --> cpu_latency_qos_update_request
+ --> pm_qos_update_target
+ --> plist_del <--(3) plist node use-after-free
+
+Introduces a dedicated mutex to serialize PM QoS operations, preventing
+data races and ensuring safe access to PM QoS resources, including sysfs
+interface reads.
+
+Fixes: 2777e73fc154 ("scsi: ufs: core: Add CPU latency QoS support for UFS driver")
+Signed-off-by: Zhongqiu Han
+Reviewed-by: Bart Van Assche
+Tested-by: Huan Tang
+Signed-off-by: Martin K. Petersen
+---
+ drivers/ufs/core/ufs-sysfs.c | 2 ++
+ drivers/ufs/core/ufshcd.c | 9 +++++++++
+ include/ufs/ufshcd.h | 3 +++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/drivers/ufs/core/ufs-sysfs.c b/drivers/ufs/core/ufs-sysfs.c
+index f8397ef3cf8d..5d4f23bb6ab1 100644
+--- a/drivers/ufs/core/ufs-sysfs.c
++++ b/drivers/ufs/core/ufs-sysfs.c
+@@ -426,6 +426,8 @@ static ssize_t pm_qos_enable_show(struct device *dev,
+ {
+ struct ufs_hba *hba = dev_get_drvdata(dev);
+
++ guard(mutex)(&hba->pm_qos_mutex);
++
+ return sysfs_emit(buf, "%d\n", hba->pm_qos_enabled);
+ }
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index c8c22b95c3ee..1d956ab2f508 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -1023,6 +1023,7 @@ EXPORT_SYMBOL_GPL(ufshcd_is_hba_active);
+ */
+ void ufshcd_pm_qos_init(struct ufs_hba *hba)
+ {
++ guard(mutex)(&hba->pm_qos_mutex);
+
+ if (hba->pm_qos_enabled)
+ return;
+@@ -1039,6 +1040,8 @@ void ufshcd_pm_qos_init(struct ufs_hba *hba)
+ */
+ void ufshcd_pm_qos_exit(struct ufs_hba *hba)
+ {
++ guard(mutex)(&hba->pm_qos_mutex);
++
+ if (!hba->pm_qos_enabled)
+ return;
+
+@@ -1053,6 +1056,8 @@ void ufshcd_pm_qos_exit(struct ufs_hba *hba)
+ */
+ static void ufshcd_pm_qos_update(struct ufs_hba *hba, bool on)
+ {
++ guard(mutex)(&hba->pm_qos_mutex);
++
+ if (!hba->pm_qos_enabled)
+ return;
+
+@@ -10599,6 +10604,10 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
+ mutex_init(&hba->ee_ctrl_mutex);
+
+ mutex_init(&hba->wb_mutex);
++
++ /* Initialize mutex for PM QoS request synchronization */
++ mutex_init(&hba->pm_qos_mutex);
++
+ init_rwsem(&hba->clk_scaling_lock);
+
+ ufshcd_init_clk_gating(hba);
+diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h
+index bdc5564b16fb..143b83a8968c 100644
+--- a/include/ufs/ufshcd.h
++++ b/include/ufs/ufshcd.h
+@@ -968,6 +968,7 @@ enum ufshcd_mcq_opr {
+ * @ufs_rtc_update_work: A work for UFS RTC periodic update
+ * @pm_qos_req: PM QoS request handle
+ * @pm_qos_enabled: flag to check if pm qos is enabled
++ * @pm_qos_mutex: synchronizes PM QoS request and status updates
+ */
+ struct ufs_hba {
+ void __iomem *mmio_base;
+@@ -1138,6 +1139,8 @@ struct ufs_hba {
+ struct delayed_work ufs_rtc_update_work;
+ struct pm_qos_request pm_qos_req;
+ bool pm_qos_enabled;
++ /* synchronizes PM QoS request and status updates */
++ struct mutex pm_qos_mutex;
+ };
+
+ /**
+--
+2.43.0
+
diff --git a/SPECS/kernel/CVE-2025-40135.patch b/SPECS/kernel/CVE-2025-40135.patch
new file mode 100644
index 0000000000..b5abe69e31
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40135.patch
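Review bot: `ufshcd_pm_qos_update()` now takes a sleeping lock through `guard(mutex)(&hba->pm_qos_mutex)`, so every caller has to run in process context, and the function comment does not say so. The commit message names the devfreq path (ufshcd_devfreq_target to ufshcd_scale_clks); the remaining callers on this base are outside the hunks and should be checked for spinlock or interrupt context. A kernel-doc line such as `* Context: may sleep; takes hba->pm_qos_mutex.` on the three ufshcd_pm_qos_*() helpers would record the new requirement.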
@@ -0,0 +1,107 @@
+From 18ea99d5d1722719ce866d5b0cf5dc64a73f5f33 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 28 Aug 2025 19:58:18 +0000
+Subject: [PATCH 10/15] ipv6: use RCU in ip6_xmit()
+
+Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent
+possible UAF.
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20250828195823.3958522-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+---
+ net/ipv6/ip6_output.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index dca8b17bc713..19af5dbbddd1 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -269,35 +269,36 @@ bool ip6_autoflowlabel(struct net *net, const struct sock *sk)
+ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
+ __u32 mark, struct ipv6_txoptions *opt, int tclass, u32 priority)
+ {
+- struct net *net = sock_net(sk);
+ const struct ipv6_pinfo *np = inet6_sk(sk);
+ struct in6_addr *first_hop = &fl6->daddr;
+ struct dst_entry *dst = skb_dst(skb);
+- struct net_device *dev = dst->dev;
+ struct inet6_dev *idev = ip6_dst_idev(dst);
+ struct hop_jumbo_hdr *hop_jumbo;
+ int hoplen = sizeof(*hop_jumbo);
++ struct net *net = sock_net(sk);
+ unsigned int head_room;
++ struct net_device *dev;
+ struct ipv6hdr *hdr;
+ u8 proto = fl6->flowi6_proto;
+ int seg_len = skb->len;
+- int hlimit = -1;
++ int ret, hlimit = -1;
+ u32 mtu;
+
++ rcu_read_lock();
++
++ dev = dst_dev_rcu(dst);
+ head_room = sizeof(struct ipv6hdr) + hoplen + LL_RESERVED_SPACE(dev);
+ if (opt)
+ head_room += opt->opt_nflen + opt->opt_flen;
+
+ if (unlikely(head_room > skb_headroom(skb))) {
+- /* Make sure idev stays alive */
+- rcu_read_lock();
++ /* idev stays alive while we hold rcu_read_lock(). */
+ skb = skb_expand_head(skb, head_room);
+ if (!skb) {
+ IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
+- rcu_read_unlock();
+- return -ENOBUFS;
++ ret = -ENOBUFS;
++ goto unlock;
+ }
+- rcu_read_unlock();
+ }
+
+ if (opt) {
+@@ -359,17 +360,21 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
+ * skb to its handler for processing
+ */
+ skb = l3mdev_ip6_out((struct sock *)sk, skb);
+- if (unlikely(!skb))
+- return 0;
++ if (unlikely(!skb)) {
++ ret = 0;
++ goto unlock;
++ }
+
+ /* hooks should never assume socket lock is held.
+ * we promote our socket to non const
+ */
+- return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
+- net, (struct sock *)sk, skb, NULL, dev,
+- dst_output);
++ ret = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
++ net, (struct sock *)sk, skb, NULL, dev,
++ dst_output);
++ goto unlock;
+ }
+
++ ret = -EMSGSIZE;
+ skb->dev = dev;
+ /* ipv6_local_error() does not require socket lock,
+ * we promote our socket to non const
+@@ -378,7 +383,9 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
+
+ IP6_INC_STATS(net, idev, IPSTATS_MIB_FRAGFAILS);
+ kfree_skb(skb);
+- return -EMSGSIZE;
++unlock:
++ rcu_read_unlock();
++ return ret;
+ }
+ EXPORT_SYMBOL(ip6_xmit);
+
+--
+2.43.0
+
diff --git a/SPECS/kernel/CVE-2025-40136.patch b/SPECS/kernel/CVE-2025-40136.patch
new file mode 100644
index 0000000000..defee0aa91
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40136.patch
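Review bot: `dst_dev_rcu()` is called here but not introduced by this patch, and the same holds for CVE-2025-40139.patch, CVE-2025-40149.patch and CVE-2025-40158.patch; the helper has to come from the 6.12.59 base or from another patch of the series, which the visible hunks do not show. The inner index line `dca8b17bc713..19af5dbbddd1` also shows that this change starts from the ip6_output.c blob produced by CVE-2025-40158.patch (`f0e5431c2d46..dca8b17bc713`), so that file must be applied before this one even though it sorts later by CVE number. The middle of ip6_xmit() between the two inner hunks is not shown, so any early `return` left there would now exit with the RCU read lock held; worth a check on this base.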
@@ -0,0 +1,108 @@
+From a7f5eb8a773ffbc3009402171374f1e4c4f3265a Mon Sep 17 00:00:00 2001
+From: Weili Qian
+Date: Thu, 21 Aug 2025 09:38:08 +0800
+Subject: [PATCH 09/15] crypto: hisilicon/qm - request reserved interrupt for
+ virtual function
+
+The device interrupt vector 3 is an error interrupt for
+physical function and a reserved interrupt for virtual function.
+However, the driver has not registered the reserved interrupt for
+virtual function. When allocating interrupts, the number of interrupts
+is allocated based on powers of two, which includes this interrupt.
+When the system enables GICv4 and the virtual function passthrough
+to the virtual machine, releasing the interrupt in the driver
+triggers a warning.
+
+The WARNING report is:
+WARNING: CPU: 62 PID: 14889 at arch/arm64/kvm/vgic/vgic-its.c:852 its_free_ite+0x94/0xb4
+
+Therefore, register a reserved interrupt for VF and set the
+IRQF_NO_AUTOEN flag to avoid that warning.
+
+Fixes: 3536cc55cada ("crypto: hisilicon/qm - support get device irq information from hardware registers")
+Signed-off-by: Weili Qian
+Signed-off-by: Chenghai Huang
+Signed-off-by: Herbert Xu
+---
+ drivers/crypto/hisilicon/qm.c | 38 +++++++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index 711c29971368..678c81dc1070 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -4587,6 +4587,15 @@ void hisi_qm_reset_done(struct pci_dev *pdev)
+ }
+ EXPORT_SYMBOL_GPL(hisi_qm_reset_done);
+
++static irqreturn_t qm_rsvd_irq(int irq, void *data)
++{
++ struct hisi_qm *qm = data;
++
++ dev_info(&qm->pdev->dev, "Reserved interrupt, ignore!\n");
++
++ return IRQ_HANDLED;
++}
++
+ static irqreturn_t qm_abnormal_irq(int irq, void *data)
+ {
+ struct hisi_qm *qm = data;
+@@ -4871,7 +4880,7 @@ static void qm_unregister_abnormal_irq(struct hisi_qm *qm)
+ struct pci_dev *pdev = qm->pdev;
+ u32 irq_vector, val;
+
+- if (qm->fun_type == QM_HW_VF)
++ if (qm->fun_type == QM_HW_VF && qm->ver < QM_HW_V3)
+ return;
+
+ val = qm->cap_tables.qm_cap_table[QM_ABN_IRQ_TYPE_CAP_IDX].cap_val;
+@@ -4888,17 +4897,28 @@ static int qm_register_abnormal_irq(struct hisi_qm *qm)
+ u32 irq_vector, val;
+ int ret;
+
+- if (qm->fun_type == QM_HW_VF)
+- return 0;
+-
+ val = qm->cap_tables.qm_cap_table[QM_ABN_IRQ_TYPE_CAP_IDX].cap_val;
+ if (!((val >> QM_IRQ_TYPE_SHIFT) & QM_ABN_IRQ_TYPE_MASK))
+ return 0;
+-
+ irq_vector = val & QM_IRQ_VECTOR_MASK;
++
++ /* For VF, this is a reserved interrupt in V3 version. */
++ if (qm->fun_type == QM_HW_VF) {
++ if (qm->ver < QM_HW_V3)
++ return 0;
++
++ ret = request_irq(pci_irq_vector(pdev, irq_vector), qm_rsvd_irq,
++ IRQF_NO_AUTOEN, qm->dev_name, qm);
++ if (ret) {
++ dev_err(&pdev->dev, "failed to request reserved irq, ret = %d!\n", ret);
++ return ret;
++ }
++ return 0;
++ }
++
+ ret = request_irq(pci_irq_vector(pdev, irq_vector), qm_abnormal_irq, 0, qm->dev_name, qm);
+ if (ret)
+- dev_err(&qm->pdev->dev, "failed to request abnormal irq, ret = %d", ret);
++ dev_err(&qm->pdev->dev, "failed to request abnormal irq, ret = %d!\n", ret);
+
+ return ret;
+ }
+@@ -5237,6 +5257,12 @@ static int hisi_qm_pci_init(struct hisi_qm *qm)
+ pci_set_master(pdev);
+
+ num_vec = qm_get_irq_num(qm);
++ if (!num_vec) {
++ dev_err(dev, "Device irq num is zero!\n");
++ ret = -EINVAL;
++ goto err_get_pci_res;
++ }
++ num_vec = roundup_pow_of_two(num_vec);
+ ret = pci_alloc_irq_vectors(pdev, num_vec, num_vec, PCI_IRQ_MSI);
+ if (ret < 0) {
+ dev_err(dev, "Failed to enable MSI vectors!\n");
+--
+2.43.0
+
diff --git a/SPECS/kernel/CVE-2025-40139.patch b/SPECS/kernel/CVE-2025-40139.patch
new file mode 100644
index 0000000000..1f326702ba
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40139.patch
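Review bot: `qm_rsvd_irq()` logs with an unthrottled `dev_info()` on every invocation; the line is requested with `IRQF_NO_AUTOEN` and is not meant to fire, but if it ever does on a VF passed through to a guest, the handler becomes a log-flooding path. `dev_info_ratelimited(&qm->pdev->dev, "Reserved interrupt, ignore!\n");` keeps the diagnostic without that risk. In hisi_qm_pci_init() the new `goto err_get_pci_res` relies on a label outside the hunk; confirm that it undoes exactly what has been set up by that point.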
@@ -0,0 +1,72 @@
+From a10f5084ae6b59513e20205b9c83bceae3141ba7 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Tue, 16 Sep 2025 21:47:21 +0000
+Subject: [PATCH 08/15] smc: Use __sk_dst_get() and dst_dev_rcu() in
+ smc_clc_prfx_match().
+
+smc_clc_prfx_match() is called from smc_listen_work() and
+not under RCU nor RTNL.
+
+Using sk_dst_get(sk)->dev could trigger UAF.
+
+Let's use __sk_dst_get() and dst_dev_rcu().
+
+Note that the returned value of smc_clc_prfx_match() is not
+used in the caller.
+
+Fixes: a046d57da19f ("smc: CLC handshake (incl. preparation steps)")
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20250916214758.650211-4-kuniyu@google.com
+Signed-off-by: Jakub Kicinski
+---
+ net/smc/smc_clc.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index c5d11ec59c36..72ed84ab31fc 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -657,26 +657,26 @@ static int smc_clc_prfx_match6_rcu(struct net_device *dev,
+ int smc_clc_prfx_match(struct socket *clcsock,
+ struct smc_clc_msg_proposal_prefix *prop)
+ {
+- struct dst_entry *dst = sk_dst_get(clcsock->sk);
++ struct net_device *dev;
++ struct dst_entry *dst;
+ int rc;
+
+- if (!dst) {
+- rc = -ENOTCONN;
+- goto out;
+- }
+- if (!dst->dev) {
++ rcu_read_lock();
++
++ dst = __sk_dst_get(clcsock->sk);
++ dev = dst ? dst_dev_rcu(dst) : NULL;
++ if (!dev) {
+ rc = -ENODEV;
+- goto out_rel;
++ goto out;
+ }
+- rcu_read_lock();
++
+ if (!prop->ipv6_prefixes_cnt)
+- rc = smc_clc_prfx_match4_rcu(dst->dev, prop);
++ rc = smc_clc_prfx_match4_rcu(dev, prop);
+ else
+- rc = smc_clc_prfx_match6_rcu(dst->dev, prop);
+- rcu_read_unlock();
+-out_rel:
+- dst_release(dst);
++ rc = smc_clc_prfx_match6_rcu(dev, prop);
+ out:
++ rcu_read_unlock();
++
+ return rc;
+ }
+
+--
+2.43.0
+
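Review bot: The rewrite folds the former `-ENOTCONN` result for a socket without a dst into `-ENODEV`, since `dev` is NULL in both cases and only `rc = -ENODEV` remains. The commit message says the caller ignores the return value, but that caller is outside the hunk. If the distinction should survive, `if (!dst) { rc = -ENOTCONN; goto out; }` before the `dst_dev_rcu()` call restores it; otherwise a short comment noting that both cases now return -ENODEV would do.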
diff --git a/SPECS/kernel/CVE-2025-40147.patch b/SPECS/kernel/CVE-2025-40147.patch
new file mode 100644
index 0000000000..e9ae5a45bf
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40147.patch
@@ -0,0 +1,167 @@
+From 6e5d21332473d9bee31d402b0f2435514fe66a4f Mon Sep 17 00:00:00 2001
+From: Han Guangjiang
+Date: Fri, 5 Sep 2025 18:24:11 +0800
+Subject: [PATCH 07/15] blk-throttle: fix access race during throttle policy
+ activation
+
+On repeated cold boots we occasionally hit a NULL pointer crash in
+blk_should_throtl() when throttling is consulted before the throttle
+policy is fully enabled for the queue. Checking only q->td != NULL is
+insufficient during early initialization, so blkg_to_pd() for the
+throttle policy can still return NULL and blkg_to_tg() becomes NULL,
+which later gets dereferenced.
+
+ Unable to handle kernel NULL pointer dereference
+ at virtual address 0000000000000156
+ ...
+ pc : submit_bio_noacct+0x14c/0x4c8
+ lr : submit_bio_noacct+0x48/0x4c8
+ sp : ffff800087f0b690
+ x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0
+ x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70
+ x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
+ x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff
+ x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff
+ x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c
+ x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60
+ x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002
+ x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500
+ x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a
+ Call trace:
+ submit_bio_noacct+0x14c/0x4c8
+ verity_map+0x178/0x2c8
+ __map_bio+0x228/0x250
+ dm_submit_bio+0x1c4/0x678
+ __submit_bio+0x170/0x230
+ submit_bio_noacct_nocheck+0x16c/0x388
+ submit_bio_noacct+0x16c/0x4c8
+ submit_bio+0xb4/0x210
+ f2fs_submit_read_bio+0x4c/0xf0
+ f2fs_mpage_readpages+0x3b0/0x5f0
+ f2fs_readahead+0x90/0xe8
+
+Tighten blk_throtl_activated() to also require that the throttle policy
+bit is set on the queue:
+
+ return q->td != NULL &&
+ test_bit(blkcg_policy_throtl.plid, q->blkcg_pols);
+
+This prevents blk_should_throtl() from accessing throttle group state
+until policy data has been attached to blkgs.
+
+Fixes: a3166c51702b ("blk-throttle: delay initialization until configuration")
+Co-developed-by: Liang Jie
+Signed-off-by: Liang Jie
+Signed-off-by: Han Guangjiang
+Reviewed-by: Yu Kuai
+Signed-off-by: Jens Axboe
+---
+ block/blk-cgroup.c | 6 ------
+ block/blk-cgroup.h | 6 ++++++
+ block/blk-throttle.c | 6 +-----
+ block/blk-throttle.h | 18 +++++++++++-------
+ 4 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index 5a5525d10a5e..3f7cb9d891aa 100644
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -110,12 +110,6 @@ static struct cgroup_subsys_state *blkcg_css(void)
+ return task_css(current, io_cgrp_id);
+ }
+
+-static bool blkcg_policy_enabled(struct request_queue *q,
+- const struct blkcg_policy *pol)
+-{
+- return pol && test_bit(pol->plid, q->blkcg_pols);
+-}
+-
+ static void blkg_free_workfn(struct work_struct *work)
+ {
+ struct blkcg_gq *blkg = container_of(work, struct blkcg_gq,
+diff --git a/block/blk-cgroup.h b/block/blk-cgroup.h
+index b9e3265c1eb3..112bf11d0fad 100644
+--- a/block/blk-cgroup.h
++++ b/block/blk-cgroup.h
+@@ -455,6 +455,12 @@ static inline bool blk_cgroup_mergeable(struct request *rq, struct bio *bio)
+ bio_issue_as_root_blkg(rq->bio) == bio_issue_as_root_blkg(bio);
+ }
+
++static inline bool blkcg_policy_enabled(struct request_queue *q,
++ const struct blkcg_policy *pol)
++{
++ return pol && test_bit(pol->plid, q->blkcg_pols);
++}
++
+ void blk_cgroup_bio_start(struct bio *bio);
+ void blkcg_add_delay(struct blkcg_gq *blkg, u64 now, u64 delta);
+ #else /* CONFIG_BLK_CGROUP */
+diff --git a/block/blk-throttle.c b/block/blk-throttle.c
+index 6b82fcbd7e77..38aec65be43b 100644
+--- a/block/blk-throttle.c
++++ b/block/blk-throttle.c
+@@ -1211,17 +1211,13 @@ static int blk_throtl_init(struct gendisk *disk)
+ INIT_WORK(&td->dispatch_work, blk_throtl_dispatch_work_fn);
+ throtl_service_queue_init(&td->service_queue);
+
+- /*
+- * Freeze queue before activating policy, to synchronize with IO path,
+- * which is protected by 'q_usage_counter'.
+- */
+ blk_mq_freeze_queue(disk->queue);
+ blk_mq_quiesce_queue(disk->queue);
+
+ q->td = td;
+ td->queue = q;
+
+- /* activate policy */
++ /* activate policy, blk_throtl_activated() will return true */
+ ret = blkcg_activate_policy(disk, &blkcg_policy_throtl);
+ if (ret) {
+ q->td = NULL;
+diff --git a/block/blk-throttle.h b/block/blk-throttle.h
+index 1a36d1278eea..e1b5343cd43f 100644
+--- a/block/blk-throttle.h
++++ b/block/blk-throttle.h
+@@ -154,7 +154,13 @@ void blk_throtl_cancel_bios(struct gendisk *disk);
+
+ static inline bool blk_throtl_activated(struct request_queue *q)
+ {
+- return q->td != NULL;
++ /*
++ * q->td guarantees that the blk-throttle module is already loaded,
++ * and the plid of blk-throttle is assigned.
++ * blkcg_policy_enabled() guarantees that the policy is activated
++ * in the request_queue.
++ */
++ return q->td != NULL && blkcg_policy_enabled(q, &blkcg_policy_throtl);
+ }
+
+ static inline bool blk_should_throtl(struct bio *bio)
+@@ -162,11 +168,6 @@ static inline bool blk_should_throtl(struct bio *bio)
+ struct throtl_grp *tg;
+ int rw = bio_data_dir(bio);
+
+- /*
+- * This is called under bio_queue_enter(), and it's synchronized with
+- * the activation of blk-throtl, which is protected by
+- * blk_mq_freeze_queue().
+- */
+ if (!blk_throtl_activated(bio->bi_bdev->bd_queue))
+ return false;
+
+@@ -192,7 +193,10 @@ static inline bool blk_should_throtl(struct bio *bio)
+
+ static inline bool blk_throtl_bio(struct bio *bio)
+ {
+-
++ /*
++ * block throttling takes effect if the policy is activated
++ * in the bio's request_queue.
++ */
+ if (!blk_should_throtl(bio))
+ return false;
+
+--
+2.43.0
+
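Review bot: In blk_throtl_init() the comment explaining why the queue is frozen before policy activation is deleted while the `blk_mq_freeze_queue()` and `blk_mq_quiesce_queue()` calls stay, so the code no longer says what the freeze protects. blk_throtl_activated() is now the gate for the submit path and reads `q->td` and the policy bit with a plain load and `test_bit()`; a comment there stating what orders these reads against `blkcg_activate_policy()` (the freeze, or something else) would make the lockless check reviewable. The activation side, blkcg_activate_policy(), is outside the hunks.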
diff --git a/SPECS/kernel/CVE-2025-40149.patch b/SPECS/kernel/CVE-2025-40149.patch
new file mode 100644
index 0000000000..ad146854d5
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40149.patch
@@ -0,0 +1,61 @@
+From 1a26f422f57cca0823041c8e535aed7551b5a1b1 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima
+Date: Tue, 16 Sep 2025 21:47:23 +0000
+Subject: [PATCH 06/15] tls: Use __sk_dst_get() and dst_dev_rcu() in
+ get_netdev_for_sock().
+
+get_netdev_for_sock() is called during setsockopt(),
+so not under RCU.
+
+Using sk_dst_get(sk)->dev could trigger UAF.
+
+Let's use __sk_dst_get() and dst_dev_rcu().
+
+Note that the only ->ndo_sk_get_lower_dev() user is
+bond_sk_get_lower_dev(), which uses RCU.
+
+Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Eric Dumazet
+Reviewed-by: Sabrina Dubroca
+Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com
+Signed-off-by: Jakub Kicinski
+---
+ net/tls/tls_device.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index dc063c2c7950..62e6b62559e2 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -123,17 +123,19 @@ static void tls_device_queue_ctx_destruction(struct tls_context *ctx)
+ /* We assume that the socket is already connected */
+ static struct net_device *get_netdev_for_sock(struct sock *sk)
+ {
+- struct dst_entry *dst = sk_dst_get(sk);
+- struct net_device *netdev = NULL;
++ struct net_device *dev, *lowest_dev = NULL;
++ struct dst_entry *dst;
+
+- if (likely(dst)) {
+- netdev = netdev_sk_get_lowest_dev(dst->dev, sk);
+- dev_hold(netdev);
++ rcu_read_lock();
++ dst = __sk_dst_get(sk);
++ dev = dst ? dst_dev_rcu(dst) : NULL;
++ if (likely(dev)) {
++ lowest_dev = netdev_sk_get_lowest_dev(dev, sk);
++ dev_hold(lowest_dev);
+ }
++ rcu_read_unlock();
+
+- dst_release(dst);
+-
+- return netdev;
++ return lowest_dev;
+ }
+
+ static void destroy_record(struct tls_record_info *record)
+--
+2.43.0
+
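Review bot: get_netdev_for_sock() returns `lowest_dev` with a reference taken by `dev_hold()` inside the RCU section, but the only comment on the function is still `/* We assume that the socket is already connected */`. Extending it, for example `/* Returns the lowest device with a reference held, or NULL; the caller must dev_put() it. */`, documents the ownership the callers depend on. Those callers are outside the hunk.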
diff --git a/SPECS/kernel/CVE-2025-40158.patch b/SPECS/kernel/CVE-2025-40158.patch
new file mode 100644
index 0000000000..f6b64288db
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40158.patch
@@ -0,0 +1,114 @@
+From 675f47b6f5b933d55746c0c5cbf5db0316946ece Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 28 Aug 2025 19:58:19 +0000
+Subject: [PATCH 05/15] ipv6: use RCU in ip6_output()
+
+Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent
+possible UAF.
+
+We can remove rcu_read_lock()/rcu_read_unlock() pairs
+from ip6_finish_output2().
+
+Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Link: https://patch.msgid.link/20250828195823.3958522-5-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+---
+ net/ipv6/ip6_output.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index f0e5431c2d46..dca8b17bc713 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -60,7 +60,7 @@
+ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+ struct dst_entry *dst = skb_dst(skb);
+- struct net_device *dev = dst->dev;
++ struct net_device *dev = dst_dev_rcu(dst);
+ struct inet6_dev *idev = ip6_dst_idev(dst);
+ unsigned int hh_len = LL_RESERVED_SPACE(dev);
+ const struct in6_addr *daddr, *nexthop;
+@@ -70,15 +70,12 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
+
+ /* Be paranoid, rather than too clever. */
+ if (unlikely(hh_len > skb_headroom(skb)) && dev->header_ops) {
+- /* Make sure idev stays alive */
+- rcu_read_lock();
++ /* idev stays alive because we hold rcu_read_lock(). */
+ skb = skb_expand_head(skb, hh_len);
+ if (!skb) {
+ IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
+- rcu_read_unlock();
+ return -ENOMEM;
+ }
+- rcu_read_unlock();
+ }
+
+ hdr = ipv6_hdr(skb);
+@@ -123,7 +120,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
+
+ IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
+
+- rcu_read_lock();
+ nexthop = rt6_nexthop(dst_rt6_info(dst), daddr);
+ neigh = __ipv6_neigh_lookup_noref(dev, nexthop);
+
+@@ -131,7 +127,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
+ if (unlikely(!neigh))
+ neigh = __neigh_create(&nd_tbl, nexthop, dev, false);
+ if (IS_ERR(neigh)) {
+- rcu_read_unlock();
+ IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTNOROUTES);
+ kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_CREATEFAIL);
+ return -EINVAL;
+@@ -139,7 +134,6 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *
+ }
+ sock_confirm_neigh(skb, neigh);
+ ret = neigh_output(neigh, skb, false);
+- rcu_read_unlock();
+ return ret;
+ }
+
+@@ -232,22 +226,30 @@ static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *s
+
+ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+- struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;
+- struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
++ struct dst_entry *dst = skb_dst(skb);
++ struct net_device *dev, *indev = skb->dev;
++ struct inet6_dev *idev;
++ int ret;
+
+ skb->protocol = htons(ETH_P_IPV6);
++ rcu_read_lock();
++ dev = dst_dev_rcu(dst);
++ idev = ip6_dst_idev(dst);
+ skb->dev = dev;
+
+ if (unlikely(!idev || READ_ONCE(idev->cnf.disable_ipv6))) {
+ IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);
++ rcu_read_unlock();
+ kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED);
+ return 0;
+ }
+
+- return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
+- net, sk, skb, indev, dev,
+- ip6_finish_output,
+- !(IP6CB(skb)->flags & IP6SKB_REROUTED));
++ ret = NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
++ net, sk, skb, indev, dev,
++ ip6_finish_output,
++ !(IP6CB(skb)->flags & IP6SKB_REROUTED));
++ rcu_read_unlock();
++ return ret;
+ }
+ EXPORT_SYMBOL(ip6_output);
+
+--
+2.43.0
+
diff --git a/SPECS/kernel/CVE-2025-40164.patch b/SPECS/kernel/CVE-2025-40164.patch
new file mode 100644
index 0000000000..ebde4eed72
--- /dev/null
+++ b/SPECS/kernel/CVE-2025-40164.patch
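Review bot: ip6_finish_output2() now calls `dst_dev_rcu(dst)` and no longer takes `rcu_read_lock()` itself, so it silently depends on every caller holding the RCU read lock; only ip6_output() is changed to do so in this patch. A line above the function such as `/* Caller must hold rcu_read_lock(). */` would state the new contract. The other paths that reach ip6_finish_output2() are outside the hunks and should be checked on this base.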
@@ -0,0 +1,72 @@ +From 741d90c0ea551686d62fbe567448d37d8d100535 Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Sat, 11 Oct 2025 15:05:18 +0800 +Subject: [PATCH 04/15] usbnet: Fix using smp_processor_id() in preemptible + code warnings + +Syzbot reported the following warning: + +BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 +caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 +CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 + check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49 + usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 + usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708 + usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417 + __dev_set_mtu net/core/dev.c:9443 [inline] + netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496 + netif_set_mtu+0xb0/0x160 net/core/dev.c:9520 + dev_set_mtu+0xae/0x170 net/core/dev_api.c:247 + dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572 + dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821 + sock_do_ioctl+0x19d/0x280 net/socket.c:1204 + sock_ioctl+0x42f/0x6a0 net/socket.c:1311 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:906 [inline] + __se_sys_ioctl fs/ioctl.c:892 [inline] + __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +For historical and portability reasons, the netif_rx() is usually +run in the softirq or interrupt context, this commit therefore add +local_bh_disable/enable() protection in the usbnet_resume_rx(). 
+ +Fixes: 43daa96b166c ("usbnet: Stop RX Q on MTU change") +Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1 +Suggested-by: Jakub Kicinski +Signed-off-by: Zqiang +Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev +Signed-off-by: Paolo Abeni +--- + drivers/net/usb/usbnet.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 0ff7357c3c91..f1f61d85d949 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -702,6 +702,7 @@ void usbnet_resume_rx(struct usbnet *dev) + struct sk_buff *skb; + int num = 0; + ++ local_bh_disable(); + clear_bit(EVENT_RX_PAUSED, &dev->flags); + + while ((skb = skb_dequeue(&dev->rxq_pause)) != NULL) { +@@ -710,6 +711,7 @@ void usbnet_resume_rx(struct usbnet *dev) + } + + tasklet_schedule(&dev->bh); ++ local_bh_enable(); + + netif_dbg(dev, rx_status, dev->net, + "paused rx queue disabled, %d skbs requeued\n", num); +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-40168.patch b/SPECS/kernel/CVE-2025-40168.patch new file mode 100644 index 0000000000..6365f85725 --- /dev/null +++ b/SPECS/kernel/CVE-2025-40168.patch 
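Review bot: The `local_bh_disable()` / `local_bh_enable()` pair added to usbnet_resume_rx() has no comment, so the reason for it is recorded only in the patch description. A short comment above the first call would keep a later cleanup from dropping the pair, for example `/* Reached from process context via usbnet_change_mtu(); usbnet_skb_return() must not run preemptible. */`. The loop body and the rest of the function lie outside the two hunks shown, so it is worth confirming against the 6.12.59 source that nothing between the pair can sleep.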
@@ -0,0 +1,124 @@ +From 0187287149b8c75e4806b96eac773265b314791e Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Tue, 16 Sep 2025 21:47:20 +0000 +Subject: [PATCH 01/15] smc: Use __sk_dst_get() and dst_dev_rcu() in in + smc_clc_prfx_set(). + +smc_clc_prfx_set() is called during connect() and not under RCU +nor RTNL. + +Using sk_dst_get(sk)->dev could trigger UAF. + +Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock() +after kernel_getsockname(). + +Note that the returned value of smc_clc_prfx_set() is not used +in the caller. + +While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() +not to touch dst there. + +Fixes: a046d57da19f ("smc: CLC handshake (incl. preparation steps)") +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250916214758.650211-3-kuniyu@google.com +Signed-off-by: Jakub Kicinski +--- + net/smc/smc_clc.c | 41 ++++++++++++++++++++++------------------- + 1 file changed, 22 insertions(+), 19 deletions(-) + +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index b3a8053d4ab4..c5d11ec59c36 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -509,10 +509,10 @@ static bool smc_clc_msg_hdr_valid(struct smc_clc_msg_hdr *clcm, bool check_trl) + } + + /* find ipv4 addr on device and get the prefix len, fill CLC proposal msg */ +-static int smc_clc_prfx_set4_rcu(struct dst_entry *dst, __be32 ipv4, ++static int smc_clc_prfx_set4_rcu(struct net_device *dev, __be32 ipv4, + struct smc_clc_msg_proposal_prefix *prop) + { +- struct in_device *in_dev = __in_dev_get_rcu(dst->dev); ++ struct in_device *in_dev = __in_dev_get_rcu(dev); + const struct in_ifaddr *ifa; + + if (!in_dev) +@@ -530,12 +530,12 @@ static int smc_clc_prfx_set4_rcu(struct dst_entry *dst, __be32 ipv4, + } + + /* fill CLC proposal msg with ipv6 prefixes from device */ +-static int smc_clc_prfx_set6_rcu(struct dst_entry *dst, ++static int smc_clc_prfx_set6_rcu(struct net_device *dev, + struct 
smc_clc_msg_proposal_prefix *prop, + struct smc_clc_ipv6_prefix *ipv6_prfx) + { + #if IS_ENABLED(CONFIG_IPV6) +- struct inet6_dev *in6_dev = __in6_dev_get(dst->dev); ++ struct inet6_dev *in6_dev = __in6_dev_get(dev); + struct inet6_ifaddr *ifa; + int cnt = 0; + +@@ -564,41 +564,44 @@ static int smc_clc_prfx_set(struct socket *clcsock, + struct smc_clc_msg_proposal_prefix *prop, + struct smc_clc_ipv6_prefix *ipv6_prfx) + { +- struct dst_entry *dst = sk_dst_get(clcsock->sk); + struct sockaddr_storage addrs; + struct sockaddr_in6 *addr6; + struct sockaddr_in *addr; ++ struct net_device *dev; ++ struct dst_entry *dst; + int rc = -ENOENT; + +- if (!dst) { +- rc = -ENOTCONN; +- goto out; +- } +- if (!dst->dev) { +- rc = -ENODEV; +- goto out_rel; +- } + /* get address to which the internal TCP socket is bound */ + if (kernel_getsockname(clcsock, (struct sockaddr *)&addrs) < 0) +- goto out_rel; ++ goto out; ++ + /* analyze IP specific data of net_device belonging to TCP socket */ + addr6 = (struct sockaddr_in6 *)&addrs; ++ + rcu_read_lock(); ++ ++ dst = __sk_dst_get(clcsock->sk); ++ dev = dst ? dst_dev_rcu(dst) : NULL; ++ if (!dev) { ++ rc = -ENODEV; ++ goto out_unlock; ++ } ++ + if (addrs.ss_family == PF_INET) { + /* IPv4 */ + addr = (struct sockaddr_in *)&addrs; +- rc = smc_clc_prfx_set4_rcu(dst, addr->sin_addr.s_addr, prop); ++ rc = smc_clc_prfx_set4_rcu(dev, addr->sin_addr.s_addr, prop); + } else if (ipv6_addr_v4mapped(&addr6->sin6_addr)) { + /* mapped IPv4 address - peer is IPv4 only */ +- rc = smc_clc_prfx_set4_rcu(dst, addr6->sin6_addr.s6_addr32[3], ++ rc = smc_clc_prfx_set4_rcu(dev, addr6->sin6_addr.s6_addr32[3], + prop); + } else { + /* IPv6 */ +- rc = smc_clc_prfx_set6_rcu(dst, prop, ipv6_prfx); ++ rc = smc_clc_prfx_set6_rcu(dev, prop, ipv6_prfx); + } ++ ++out_unlock: + rcu_read_unlock(); +-out_rel: +- dst_release(dst); + out: + return rc; + } +-- +2.43.0 + 
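Review bot: In smc_clc_prfx_set() the new code no longer holds a reference on the dst, because `__sk_dst_get()` replaces `sk_dst_get()` and the `dst_release()` call is removed. Nothing at the `rcu_read_lock()` site says that `dst` and `dev` are valid only inside the read-side section. A comment there would guard against a later edit moving a use of either pointer past `out_unlock:`, for example `/* dst is not refcounted here: dst and dev are valid only until rcu_read_unlock() */`. Separately, a missing dst now returns `-ENODEV` where the old code returned `-ENOTCONN`. The description says the caller ignores the value, so this looks harmless, but it is a behaviour change the comment could mention.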
diff --git a/SPECS/kernel/CVE-2025-40170.patch b/SPECS/kernel/CVE-2025-40170.patch new file mode 100644 index 0000000000..84d3449594 --- /dev/null +++ b/SPECS/kernel/CVE-2025-40170.patch 
@@ -0,0 +1,138 @@ +From 9fd9125f380d8004b8418915725a459518c8501b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 28 Aug 2025 19:58:20 +0000 +Subject: [PATCH 02/15] net: use dst_dev_rcu() in sk_setup_caps() + +Use RCU to protect accesses to dst->dev from sk_setup_caps() +and sk_dst_gso_max_size(). + +Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), +and ip_dst_mtu_maybe_forward(). + +ip4_dst_hoplimit() can use dst_dev_net_rcu(). + +Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20250828195823.3958522-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +--- + include/net/ip.h | 6 ++++-- + include/net/ip6_route.h | 2 +- + include/net/route.h | 2 +- + net/core/sock.c | 16 ++++++++++------ + 4 files changed, 16 insertions(+), 10 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index 5f0f1215d2f9..c65ca2765e29 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -470,12 +470,14 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst, + bool forwarding) + { + const struct rtable *rt = dst_rtable(dst); ++ const struct net_device *dev; + unsigned int mtu, res; + struct net *net; + + rcu_read_lock(); + +- net = dev_net_rcu(dst_dev(dst)); ++ dev = dst_dev_rcu(dst); ++ net = dev_net_rcu(dev); + if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) || + ip_mtu_locked(dst) || + !forwarding) { +@@ -489,7 +491,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst, + if (mtu) + goto out; + +- mtu = READ_ONCE(dst_dev(dst)->mtu); ++ mtu = READ_ONCE(dev->mtu); + + if (unlikely(ip_mtu_locked(dst))) { + if (rt->rt_uses_gateway && mtu > 576) +diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h +index 6dbdf60b342f..ede44cde7fe5 100644 +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -337,7 +337,7 @@ static inline unsigned int ip6_dst_mtu_maybe_forward(const struct 
dst_entry *dst + + mtu = IPV6_MIN_MTU; + rcu_read_lock(); +- idev = __in6_dev_get(dst->dev); ++ idev = __in6_dev_get(dst_dev_rcu(dst)); + if (idev) + mtu = READ_ONCE(idev->cnf.mtu6); + rcu_read_unlock(); +diff --git a/include/net/route.h b/include/net/route.h +index 232b7bf55ba2..cbb4d5523062 100644 +--- a/include/net/route.h ++++ b/include/net/route.h +@@ -369,7 +369,7 @@ static inline int ip4_dst_hoplimit(const struct dst_entry *dst) + const struct net *net; + + rcu_read_lock(); +- net = dev_net_rcu(dst_dev(dst)); ++ net = dst_dev_net_rcu(dst); + hoplimit = READ_ONCE(net->ipv4.sysctl_ip_default_ttl); + rcu_read_unlock(); + } +diff --git a/net/core/sock.c b/net/core/sock.c +index 1781f3a642b4..97cc796a1d33 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2524,7 +2524,7 @@ void sk_free_unlock_clone(struct sock *sk) + } + EXPORT_SYMBOL_GPL(sk_free_unlock_clone); + +-static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst) ++static u32 sk_dst_gso_max_size(struct sock *sk, const struct net_device *dev) + { + bool is_ipv6 = false; + u32 max_size; +@@ -2534,8 +2534,8 @@ static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst) + !ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr)); + #endif + /* pairs with the WRITE_ONCE() in netif_set_gso(_ipv4)_max_size() */ +- max_size = is_ipv6 ? READ_ONCE(dst_dev(dst)->gso_max_size) : +- READ_ONCE(dst_dev(dst)->gso_ipv4_max_size); ++ max_size = is_ipv6 ? 
READ_ONCE(dev->gso_max_size) : ++ READ_ONCE(dev->gso_ipv4_max_size); + if (max_size > GSO_LEGACY_MAX_SIZE && !sk_is_tcp(sk)) + max_size = GSO_LEGACY_MAX_SIZE; + +@@ -2544,9 +2544,12 @@ static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst) + + void sk_setup_caps(struct sock *sk, struct dst_entry *dst) + { ++ const struct net_device *dev; + u32 max_segs = 1; + +- sk->sk_route_caps = dst_dev(dst)->features; ++ rcu_read_lock(); ++ dev = dst_dev_rcu(dst); ++ sk->sk_route_caps = dev->features; + if (sk_is_tcp(sk)) { + struct inet_connection_sock *icsk = inet_csk(sk); + +@@ -2562,13 +2565,14 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst) + sk->sk_route_caps &= ~NETIF_F_GSO_MASK; + } else { + sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM; +- sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst); ++ sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dev); + /* pairs with the WRITE_ONCE() in netif_set_gso_max_segs() */ +- max_segs = max_t(u32, READ_ONCE(dst_dev(dst)->gso_max_segs), 1); ++ max_segs = max_t(u32, READ_ONCE(dev->gso_max_segs), 1); + } + } + sk->sk_gso_max_segs = max_segs; + sk_dst_set(sk, dst); ++ rcu_read_unlock(); + } + EXPORT_SYMBOL_GPL(sk_setup_caps); + +-- +2.43.0 + diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 01cb18a940..8672bc021e 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 6.12.12 Kernel Configuration +# Linux/x86_64 6.12.59 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0" CONFIG_CC_IS_GCC=y @@ -4208,6 +4208,8 @@ CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y # CONFIG_DVB_AS102 is not set # CONFIG_DVB_B2C2_FLEXCOP_USB is not set # CONFIG_DVB_USB_V2 is not set +CONFIG_DVB_USB=m +CONFIG_DVB_USB_DW2102=m # CONFIG_SMS_USB_DRV is not set # CONFIG_DVB_TTUSB_BUDGET is not set # CONFIG_DVB_TTUSB_DEC is not set 
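Review bot: sk_dst_gso_max_size() in the net/core/sock.c hunk now takes a bare `const struct net_device *dev`, and nothing on the signature says the pointer must come from `dst_dev_rcu()` inside an RCU read-side section, as it does in sk_setup_caps(). A one-line contract comment above it would cover this: `/* Caller must hold rcu_read_lock(); dev is obtained with dst_dev_rcu(). */`. Also, `dst_dev_rcu()` and `dst_dev_net_rcu()` are called in this patch, and `dst_dev_rcu()` in CVE-2025-40168.patch, but neither is defined in any hunk shown. It is worth confirming that the 6.12.59 base or an earlier patch in the series provides both. The bodies of the touched functions extend beyond the hunks.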
@@ -5667,7 +5669,8 @@ CONFIG_I2C_HID=m # # Intel ISH HID support # -# CONFIG_INTEL_ISH_HID is not set +CONFIG_INTEL_ISH_HID=m +CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER=m # end of Intel ISH HID support # @@ -5679,7 +5682,7 @@ CONFIG_I2C_HID=m CONFIG_USB_OHCI_LITTLE_ENDIAN=y CONFIG_USB_SUPPORT=y CONFIG_USB_COMMON=y -# CONFIG_USB_LED_TRIG is not set +CONFIG_USB_LED_TRIG=m # CONFIG_USB_ULPI_BUS is not set # CONFIG_USB_CONN_GPIO is not set CONFIG_USB_ARCH_HAS_HCD=y @@ -5775,12 +5778,18 @@ CONFIG_USBIP_HOST=m # # USB dual-mode controller drivers # -# CONFIG_USB_CDNS_SUPPORT is not set -# CONFIG_USB_MUSB_HDRC is not set -# CONFIG_USB_DWC3 is not set -# CONFIG_USB_DWC2 is not set -# CONFIG_USB_CHIPIDEA is not set -# CONFIG_USB_ISP1760 is not set +CONFIG_USB_CDNS_SUPPORT=m +CONFIG_USB_MUSB_HDRC=m +CONFIG_USB_DWC3=m +CONFIG_USB_DWC3_ULPI=y +CONFIG_USB_DWC2=y +CONFIG_USB_CHIPIDEA=m +CONFIG_USB_DWC3_DUAL_ROLE=y +CONFIG_USB_DWC3_PCI=m +CONFIG_USB_DWC3_HAPS=m +CONFIG_USB_DWC2_HOST=y +CONFIG_USB_DWC2_PCI=m +CONFIG_USB_ISP1760=m # # USB port drivers 
@@ -5878,13 +5887,63 @@ CONFIG_USB_SERIAL_OPTION=m # end of USB Physical Layer drivers CONFIG_USB_GADGET=m -# CONFIG_TYPEC is not set +CONFIG_TYPEC=m +CONFIG_TYPEC_UCSI=m +CONFIG_UCSI_ACPI=m # CONFIG_USB_ROLE_SWITCH is not set +CONFIG_USB_MASS_STORAGE=m +CONFIG_USB_LIBCOMPOSITE=m CONFIG_MMC=m CONFIG_MMC_BLOCK=m CONFIG_MMC_BLOCK_MINORS=16 # CONFIG_SDIO_UART is not set # CONFIG_MMC_TEST is not set +CONFIG_USB_F_ACM=m +CONFIG_USB_F_SS_LB=m +CONFIG_USB_U_SERIAL=m +CONFIG_USB_U_ETHER=m +CONFIG_USB_U_AUDIO=m +CONFIG_USB_F_SERIAL=m +CONFIG_USB_F_OBEX=m +CONFIG_USB_F_NCM=m +CONFIG_USB_F_ECM=m +CONFIG_USB_F_PHONET=m +CONFIG_USB_F_EEM=m +CONFIG_USB_F_SUBSET=m +CONFIG_USB_F_RNDIS=m +CONFIG_USB_F_MASS_STORAGE=m +CONFIG_USB_F_FS=m +CONFIG_USB_F_UAC1=m +CONFIG_USB_F_UAC1_LEGACY=m +CONFIG_USB_F_UAC2=m +CONFIG_USB_F_UVC=m +CONFIG_USB_F_MIDI=m +CONFIG_USB_F_MIDI2=m +CONFIG_USB_F_HID=m +CONFIG_USB_F_PRINTER=m +CONFIG_USB_F_TCM=m +CONFIG_USB_CONFIGFS=m +CONFIG_USB_CONFIGFS_SERIAL=y +CONFIG_USB_CONFIGFS_ACM=y +CONFIG_USB_CONFIGFS_OBEX=y +CONFIG_USB_CONFIGFS_NCM=y +CONFIG_USB_CONFIGFS_ECM=y +CONFIG_USB_CONFIGFS_ECM_SUBSET=y +CONFIG_USB_CONFIGFS_RNDIS=y +CONFIG_USB_CONFIGFS_EEM=y +CONFIG_USB_CONFIGFS_PHONET=y +CONFIG_USB_CONFIGFS_MASS_STORAGE=y +CONFIG_USB_CONFIGFS_F_LB_SS=y +CONFIG_USB_CONFIGFS_F_FS=y +CONFIG_USB_CONFIGFS_F_UAC1=y +CONFIG_USB_CONFIGFS_F_UAC1_LEGACY=y +CONFIG_USB_CONFIGFS_F_UAC2=y +CONFIG_USB_CONFIGFS_F_MIDI=y +CONFIG_USB_CONFIGFS_F_MIDI2=y +CONFIG_USB_CONFIGFS_F_HID=y +CONFIG_USB_CONFIGFS_F_UVC=y +CONFIG_USB_CONFIGFS_F_PRINTER=y +CONFIG_USB_CONFIGFS_F_TCM=y # # MMC/SD/SDIO Host Controller Drivers @@ -6633,7 +6692,7 @@ CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=m # DEVFREQ Drivers # # CONFIG_PM_DEVFREQ_EVENT is not set -# CONFIG_EXTCON is not set +CONFIG_EXTCON=y # CONFIG_MEMORY is not set CONFIG_IIO=m CONFIG_IIO_BUFFER=y diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index d0b0c66a34..9b486331e9 100644 --- a/SPECS/kernel/kernel-uki.spec 
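Review bot: The config hunks ending here enable a large set of USB device-side and dual-role options (`CONFIG_USB_CONFIGFS*`, the `CONFIG_USB_F_*` functions, `CONFIG_USB_DWC2=y`, `CONFIG_USB_DWC3_DUAL_ROLE=y`, `CONFIG_TYPEC=m`), and the earlier config hunks add `CONFIG_INTEL_ISH_HID=m` and `CONFIG_DVB_USB_DW2102=m`, yet the changelog entry visible for kernel-uki.spec says only "Update kernel to 6.12.59". Each option adds reachable kernel code to the image, so the enablement should be recorded and limited to what the target hardware needs, for example with a changelog line such as `- Enable USB gadget/configfs, dual-role controller, Type-C UCSI and Intel ISH HID options`. The new lines also look hand-inserted: the `CONFIG_USB_F_*` block sits among the MMC options, and `# CONFIG_USB_ROLE_SWITCH is not set` remains next to the new Type-C entries. The file may therefore not match what Kconfig resolves, and regenerating it with `make olddefconfig` before its hash is recorded in kernel.signatures.json would confirm that.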
+++ b/SPECS/kernel/kernel-uki.spec @@ -12,8 +12,8 @@ Summary: Unified Kernel Image Name: kernel-uki -Version: 6.12.55 -Release: 2%{?dist} +Version: 6.12.59 +Release: 1%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit @@ -70,6 +70,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi %changelog +* Thu Dec 11 2025 Lishan Liu - 6.12.59-1 +- Update kernel to 6.12.59 + * Thu Nov 27 2025 Lishan Liu - 6.12.55-2 - Update audio and virtio gpu kernel config diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 3bed1feedc..33dbecab57 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,10 +1,10 @@ { "Signatures": { "emt-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "d9f35686354bc05fa332b5bd8aadc2f04c50f73a8c4347eb81862f5eac31deda", + "config": "5bbbd1c7e85f23c634d342e969450ee5b86992a354ae73c0729ce0dcbe75961d", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "linux-6.12.55.tar.gz": "c8076132f818c0a22b7fe9a1184769406f0a62d0b93e4516d7f1a6d24f3791c3" + "linux-6.12.59.tar.gz": "93dfe627d321f016291054449a8e4bf9051de19687fbf1a6f584a2b79f8f5d2c" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 931f77ee7b..2d1622666c 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec 
@@ -1,13 +1,13 @@ Summary: Linux Kernel Name: kernel -Version: 6.12.55 -Release: 2%{?dist} +Version: 6.12.59 +Release: 1%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit Group: System Environment/Kernel URL: https://www.kernel.org/pub/linux/kernel -Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz +Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.59.tar.gz Source1: config Source3: sha512hmac-openssl.sh Source4: emt-ca-20211013.pem 
@@ -16,515 +16,544 @@ Source6: cpupower.service # Intel not-upstreamed kernel features +# d5dc97879a97 Linux 6.12.59 #sriov -Patch0: 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov -Patch1: 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov -Patch2: 0003-drm-i915-guc-Define-MAX_DWORDS-for-CTB-HXG-Message.sriov -Patch3: 0004-drm-i915-call-taint_for_CI-on-FLR-failure.sriov -Patch4: 0005-drm-i915-huc-load-HuC-via-non-POR-GSC-engine-flow.sriov -Patch5: 0006-drm-i915-SR-IOV-Enabling-and-Support.sriov -Patch6: 0007-Revert-drm-i915-move-platform_engine_mask-and-memory.sriov -Patch7: 0008-drm-i915-gt-Enable-the-early-register-to-working-win.sriov -Patch8: 0009-drm-i915-gt-Modify-the-adls-mocs-table-same-as-tgl-m.sriov -Patch9: 0010-drm-i915-Bypass-gem_set_tiling-and-gem_get_tiling.sriov -Patch10: 0011-drm-i915-enable-CCS-on-DG1-and-TGL-for-testing.sriov -Patch11: 0012-drm-i915-force-VF-using-v70-GuC-API.sriov -Patch12: 0013-drm-i915-fix-regression-on-sriov-vf-failures-due-to-.sriov -Patch13: 0014-drm-i915-add-null-pointer-protection-inside-intel_fb.sriov -Patch14: 0015-drm-i915-use-the-original-Wa_14010685332-for-PCH_ADP.sriov -Patch15: 0016-drm-i915-fix-bitmap-clear-API-region-start-issue.sriov -Patch16: 0017-drm-i915-iov-Expose-early-runtime-registers-for-MTL.sriov -Patch17: 0018-drm-i915-gt-fix-empty-workaround-list-access-issue.sriov -Patch18: 0019-drm-i915-mtl-Add-module-parameter-override-for-Wa_16.sriov -Patch19: 0020-drm-i915-mtl-Provide-user-the-option-to-disable-ccs.sriov -Patch20: 0021-drm-i915-mtl-Turn-on-Wa_16019325821-Wa_14019159160-b.sriov -Patch21: 0022-drm-i915-pf-Use-GPU-to-set-PTE-owner.sriov -Patch22: 0023-drm-i915-pf-Use-GPU-to-set-PTE-owner-on-platforms-wi.sriov -Patch23: 0024-drm-i915-access-ddc-pointer-only-if-it-is-available.sriov -Patch24: 0025-drm-i915-guc-Upgrade-GuC-fw-version-to-70.20.0.sriov -Patch25: 0026-drm-i915-iov-Adding-runtime-reg-for-MTL-HuC-status.sriov -Patch26: 
0027-drm-i915-guc-Upgrade-GuC-fw-version-to-70.29.2.sriov -Patch27: 0028-drm-i915-Re-add-enable_rc6-modparam.sriov -Patch28: 0032-drm-virtio-freeze-and-restore-hooks-to-support-suspe.sriov -Patch29: 0033-drm-virtio-save-and-restore-virtio_gpu_objects.sriov -Patch30: 0001-drm-virtio-Use-drm_gem_plane_helper_prepare_fb.patch -Patch31: 0034-drm-i915-pf-Introduce-i915_ggtt_save_ptes-and-i915_g.sriov -Patch32: 0035-drm-i915-iov-Introduce-VFs-shadow-copy-of-GGTT-on-PF.sriov -Patch33: 0036-drm-i915-iov-Shadow-GGTT-mock-selftestes.sriov -Patch34: 0037-drm-i915-gt-Don-t-support-GGTT-save-restore-via-BAR-.sriov -Patch35: 0038-drm-i915-pf-Add-helpers-for-saving-loading-GGTT-stat.sriov -Patch36: 0039-drm-i915-pf-Handle-VF-pause-complete-notification.sriov -Patch37: 0040-drm-i915-pf-Allow-to-save-restore-GuC-VF-state.sriov -Patch38: 0041-drm-i915-pf-Save-and-restore-VFs-state-during-S2idle.sriov -Patch39: 0042-drm-i915-pf-Skip-VF-save-restore-on-S2idle-S3-S4-if-.sriov -Patch40: 0043-drm-i915-pf-Start-use-shadow-GGTT-to-save-restore-du.sriov -Patch41: 0044-drm-i915-pf-Export-API-to-be-used-by-i915-vfio-pci.sriov -Patch42: 0045-drm-i915-iov-Flag-which-tells-whether-PAUSE-is-in-pr.sriov -Patch43: 0046-drm-i915-iov-Remember-run-state-on-suspend-and-resto.sriov -Patch44: 0047-drm-i915-pf-Pause-VF-before-restore-GuC-state-after-.sriov -Patch45: 0048-drm-i915-iov-fix-i915-sriov-build-issue.sriov -Patch46: 0001-drm-i915-CTB-TLB-invalidation-fix-on-VM.sriov -Patch47: 0002-vfio-i915-Add-vfio_pci-driver-for-Intel-graphics.sriov -Patch48: 0003-drm-i915-guc-Upgrade-GuC-fw-version-to-70.36.0.sriov -Patch49: 0001-drm-i915-Fix-logic-for-GUC-Process.sriov -Patch50: 0001-vfio-i915-Add-support-for-MMIO-save-restore.sriov -Patch51: 0002-drm-i915-SR-IOV-Save-Restore-Feature-support.sriov -Patch52: 0001-i915-Enable-w-a-16026508708.sriov -Patch53: 0001-virtio-hookup-irq_get_affinity-callback.sriov -Patch54: 0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov -Patch55: 
0003-virtgpu-don-t-reset-on-shutdown.sriov -Patch56: 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov -Patch57: 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov -Patch58: 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov +Patch0: 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov +Patch1: 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov +Patch2: 0003-drm-i915-guc-Define-MAX_DWORDS-for-CTB-HXG-Message.sriov +Patch3: 0004-drm-i915-call-taint_for_CI-on-FLR-failure.sriov +Patch4: 0005-drm-i915-huc-load-HuC-via-non-POR-GSC-engine-flow.sriov +Patch5: 0006-drm-i915-SR-IOV-Enabling-and-Support.sriov +Patch6: 0007-Revert-drm-i915-move-platform_engine_mask-and-memory.sriov +Patch7: 0008-drm-i915-gt-Enable-the-early-register-to-working-win.sriov +Patch8: 0009-drm-i915-gt-Modify-the-adls-mocs-table-same-as-tgl-m.sriov +Patch9: 0010-drm-i915-Bypass-gem_set_tiling-and-gem_get_tiling.sriov +Patch10: 0011-drm-i915-enable-CCS-on-DG1-and-TGL-for-testing.sriov +Patch11: 0012-drm-i915-force-VF-using-v70-GuC-API.sriov +Patch12: 0013-drm-i915-fix-regression-on-sriov-vf-failures-due-to-.sriov +Patch13: 0014-drm-i915-add-null-pointer-protection-inside-intel_fb.sriov +Patch14: 0015-drm-i915-use-the-original-Wa_14010685332-for-PCH_ADP.sriov +Patch15: 0016-drm-i915-fix-bitmap-clear-API-region-start-issue.sriov +Patch16: 0017-drm-i915-iov-Expose-early-runtime-registers-for-MTL.sriov +Patch17: 0018-drm-i915-gt-fix-empty-workaround-list-access-issue.sriov +Patch18: 0019-drm-i915-mtl-Add-module-parameter-override-for-Wa_16.sriov +Patch19: 0020-drm-i915-mtl-Provide-user-the-option-to-disable-ccs.sriov +Patch20: 0021-drm-i915-mtl-Turn-on-Wa_16019325821-Wa_14019159160-b.sriov +Patch21: 0022-drm-i915-pf-Use-GPU-to-set-PTE-owner.sriov +Patch22: 0023-drm-i915-pf-Use-GPU-to-set-PTE-owner-on-platforms-wi.sriov +Patch23: 0024-drm-i915-access-ddc-pointer-only-if-it-is-available.sriov +Patch24: 0025-drm-i915-guc-Upgrade-GuC-fw-version-to-70.20.0.sriov 
+Patch25: 0026-drm-i915-iov-Adding-runtime-reg-for-MTL-HuC-status.sriov +Patch26: 0027-drm-i915-guc-Upgrade-GuC-fw-version-to-70.29.2.sriov +Patch27: 0028-drm-i915-Re-add-enable_rc6-modparam.sriov +Patch28: 0032-drm-virtio-freeze-and-restore-hooks-to-support-suspe.sriov +Patch29: 0033-drm-virtio-save-and-restore-virtio_gpu_objects.sriov +Patch30: 0001-drm-virtio-Use-drm_gem_plane_helper_prepare_fb.patch +Patch31: 0034-drm-i915-pf-Introduce-i915_ggtt_save_ptes-and-i915_g.sriov +Patch32: 0035-drm-i915-iov-Introduce-VFs-shadow-copy-of-GGTT-on-PF.sriov +Patch33: 0036-drm-i915-iov-Shadow-GGTT-mock-selftestes.sriov +Patch34: 0037-drm-i915-gt-Don-t-support-GGTT-save-restore-via-BAR-.sriov +Patch35: 0038-drm-i915-pf-Add-helpers-for-saving-loading-GGTT-stat.sriov +Patch36: 0039-drm-i915-pf-Handle-VF-pause-complete-notification.sriov +Patch37: 0040-drm-i915-pf-Allow-to-save-restore-GuC-VF-state.sriov +Patch38: 0041-drm-i915-pf-Save-and-restore-VFs-state-during-S2idle.sriov +Patch39: 0042-drm-i915-pf-Skip-VF-save-restore-on-S2idle-S3-S4-if-.sriov +Patch40: 0043-drm-i915-pf-Start-use-shadow-GGTT-to-save-restore-du.sriov +Patch41: 0044-drm-i915-pf-Export-API-to-be-used-by-i915-vfio-pci.sriov +Patch42: 0045-drm-i915-iov-Flag-which-tells-whether-PAUSE-is-in-pr.sriov +Patch43: 0046-drm-i915-iov-Remember-run-state-on-suspend-and-resto.sriov +Patch44: 0047-drm-i915-pf-Pause-VF-before-restore-GuC-state-after-.sriov +Patch45: 0048-drm-i915-iov-fix-i915-sriov-build-issue.sriov +Patch46: 0001-drm-i915-CTB-TLB-invalidation-fix-on-VM.sriov +Patch47: 0002-vfio-i915-Add-vfio_pci-driver-for-Intel-graphics.sriov +Patch48: 0003-drm-i915-guc-Upgrade-GuC-fw-version-to-70.36.0.sriov +Patch49: 0001-drm-i915-Fix-logic-for-GUC-Process.sriov +Patch50: 0001-vfio-i915-Add-support-for-MMIO-save-restore.sriov +Patch51: 0002-drm-i915-SR-IOV-Save-Restore-Feature-support.sriov +Patch52: 0001-i915-Enable-w-a-16026508708.sriov +Patch53: 0001-virtio-hookup-irq_get_affinity-callback.sriov +Patch54: 
0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov +Patch55: 0003-virtgpu-don-t-reset-on-shutdown.sriov +Patch56: 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov +Patch57: 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov +Patch58: 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov +Patch59: 0001-drm-i915-Do-not-advertise-about-CCS.sriov #security -Patch59: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security -Patch60: 0002-mei-virtio-virtualization-frontend-driver.security -Patch61: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security -Patch62: 0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security -Patch63: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security -Patch64: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security -Patch65: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security -Patch66: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security -Patch67: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security -Patch68: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security -Patch69: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security -Patch70: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security -Patch71: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security -Patch72: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security -Patch73: 0015-INTEL_DII-mei-put-force-wake-in-error-flows.security -Patch74: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security -Patch75: 0017-INTEL_DII-mei-optimize-force-wake-wait.security -Patch76: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security -Patch77: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security +Patch60: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security +Patch61: 0002-mei-virtio-virtualization-frontend-driver.security +Patch62: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security +Patch63: 
0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security +Patch64: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security +Patch65: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security +Patch66: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security +Patch67: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security +Patch68: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security +Patch69: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security +Patch70: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security +Patch71: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security +Patch72: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security +Patch73: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security +Patch74: 0015-INTEL_DII-mei-put-force-wake-in-error-flows.security +Patch75: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security +Patch76: 0017-INTEL_DII-mei-optimize-force-wake-wait.security +Patch77: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security +Patch78: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security #tgpio -Patch78: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio -Patch79: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio -Patch80: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio -Patch81: 0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio -Patch82: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio -Patch83: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio -Patch84: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio -Patch85: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio -Patch86: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio -Patch87: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio -Patch88: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio -Patch89: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio -Patch90: 
0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio -Patch91: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio -Patch92: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio -Patch93: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio -Patch94: 0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio -Patch95: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio -Patch96: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio -Patch97: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio -Patch98: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio -Patch99: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio -Patch100: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio -Patch101: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio -Patch102: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio -Patch103: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio -Patch104: 0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio -Patch105: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio -Patch106: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio -Patch107: 0030-Added-an-example-to-poll-for-edges.tgpio -Patch108: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio -Patch109: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio -Patch110: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio -Patch111: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio -Patch112: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio -Patch113: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio -Patch114: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio -Patch115: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio -Patch116: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio -Patch117: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio -Patch118: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio -Patch119: 
0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio -Patch120: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio +Patch79: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio +Patch80: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio +Patch81: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio +Patch82: 0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio +Patch83: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio +Patch84: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio +Patch85: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio +Patch86: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio +Patch87: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio +Patch88: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio +Patch89: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio +Patch90: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio +Patch91: 0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio +Patch92: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio +Patch93: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio +Patch94: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio +Patch95: 0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio +Patch96: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio +Patch97: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio +Patch98: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio +Patch99: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio +Patch100: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio +Patch101: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio +Patch102: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio +Patch103: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio +Patch104: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio +Patch105: 
0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio
+Patch106: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio
+Patch107: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio
+Patch108: 0030-Added-an-example-to-poll-for-edges.tgpio
+Patch109: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio
+Patch110: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio
+Patch111: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio
+Patch112: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio
+Patch113: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio
+Patch114: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio
+Patch115: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio
+Patch116: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio
+Patch117: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio
+Patch118: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio
+Patch119: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio
+Patch120: 0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio
+Patch121: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio
 #edac
-Patch121: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac
-Patch122: 0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac
-Patch123: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac
-Patch124: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac
-Patch125: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac
-Patch126: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac
-Patch127: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac
-Patch128: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac
-Patch129: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac
-Patch130: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac
-Patch131: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac
-Patch132: 
0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac
-Patch133: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac
-Patch134: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac
-Patch135: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac
-Patch136: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac
-Patch137: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac
-Patch138: 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac
-Patch139: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac
-Patch140: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac
-Patch141: 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac
-Patch142: 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac
+Patch122: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac
+Patch123: 0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac
+Patch124: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac
+Patch125: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac
+Patch126: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac
+Patch127: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac
+Patch128: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac
+Patch129: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac
+Patch130: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac
+Patch131: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac
+Patch132: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac
+Patch133: 0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac
+Patch134: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac
+Patch135: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac
+Patch136: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac
+Patch137: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac
+Patch138: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac
+Patch139: 
0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac
+Patch140: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac
+Patch141: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac
+Patch142: 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac
+Patch143: 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac
+Patch144: 0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac
+Patch145: 0002-EDAC-igen6-Add-polling-support.edac
+Patch146: 0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac
+Patch147: 0004-EDAC-igen6-Constify-struct-res_config.edac
+Patch148: 0005-EDAC-igen6-Skip-absent-memory-controllers.edac
+Patch149: 0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac
 #tsn
-Patch143: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn
-Patch144: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn
-Patch145: 0003-net-phy-increase-gpy-loopback-test-delay.tsn
-Patch146: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn
-Patch147: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn
-Patch148: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn
-Patch149: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn
-Patch150: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn
-Patch151: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn
-Patch152: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn
-Patch153: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn
-Patch154: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn
-Patch155: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn
-Patch156: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn
-Patch157: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn
-Patch158: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn
-Patch159: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn
-Patch160: 
0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn
-Patch161: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn
-Patch162: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn
-Patch163: 0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn
-Patch164: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn
-Patch165: 0023-net-phylink-Add-module_exit.tsn
-Patch166: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn
-Patch167: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn
-Patch168: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn
-Patch169: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn
-Patch170: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn
-Patch171: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn
-Patch172: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn
-Patch173: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn
-Patch174: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn
-Patch175: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn
-Patch176: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn
-Patch177: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn
-Patch178: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn
-Patch179: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn
-Patch180: 0038-taprio-Add-support-for-frame-preemption-offload.tsn
-Patch181: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn
-Patch182: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn
-Patch183: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn
-Patch184: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn
-Patch185: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn
-Patch186: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn
-Patch187: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn
-Patch188: 
0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn
-Patch189: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn
-Patch190: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn
-Patch191: 0007-igc-Add-support-for-setting-frame-preemption-configura.tsn
-Patch192: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn
-Patch193: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn
-Patch194: 0010-igc-Optimize-the-packet-buffer-utilization.tsn
-Patch195: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn
-Patch196: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn
-Patch197: 0013-bpf-add-btf-register-unregister-API.tsn
-Patch198: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn
-Patch199: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn
-Patch200: 0016-rtnetlink-Add-return-value-check.tsn
-Patch201: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn
-Patch202: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn
-Patch203: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn
-Patch204: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn
-Patch205: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn
-Patch206: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn
-Patch207: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn
-Patch208: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn
-Patch209: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn
-Patch210: 0026-taprio-Replace-tc_map_to_queue_mask.tsn
-Patch211: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn
-Patch212: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn
-Patch213: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn
-Patch214: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn
-Patch215: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn
-Patch216: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn
-Patch217: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn
-Patch218: 
0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn
-Patch219: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn
-Patch220: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn
-Patch221: 0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn
-Patch222: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn
-Patch223: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn
-Patch224: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn
-Patch225: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn
+Patch150: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn
+Patch151: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn
+Patch152: 0003-net-phy-increase-gpy-loopback-test-delay.tsn
+Patch153: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn
+Patch154: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn
+Patch155: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn
+Patch156: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn
+Patch157: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn
+Patch158: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn
+Patch159: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn
+Patch160: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn
+Patch161: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn
+Patch162: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn
+Patch163: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn
+Patch164: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn
+Patch165: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn
+Patch166: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn
+Patch167: 0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn
+Patch168: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn
+Patch169: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn
+Patch170: 
0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn
+Patch171: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn
+Patch172: 0023-net-phylink-Add-module_exit.tsn
+Patch173: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn
+Patch174: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn
+Patch175: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn
+Patch176: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn
+Patch177: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn
+Patch178: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn
+Patch179: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn
+Patch180: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn
+Patch181: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn
+Patch182: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn
+Patch183: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn
+Patch184: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn
+Patch185: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn
+Patch186: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn
+Patch187: 0038-taprio-Add-support-for-frame-preemption-offload.tsn
+Patch188: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn
+Patch189: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn
+Patch190: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn
+Patch191: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn
+Patch192: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn
+Patch193: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn
+Patch194: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn
+Patch195: 0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn
+Patch196: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn
+Patch197: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn
+Patch198: 
0007-igc-Add-support-for-setting-frame-preemption-configura.tsn
+Patch199: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn
+Patch200: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn
+Patch201: 0010-igc-Optimize-the-packet-buffer-utilization.tsn
+Patch202: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn
+Patch203: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn
+Patch204: 0013-bpf-add-btf-register-unregister-API.tsn
+Patch205: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn
+Patch206: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn
+Patch207: 0016-rtnetlink-Add-return-value-check.tsn
+Patch208: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn
+Patch209: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn
+Patch210: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn
+Patch211: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn
+Patch212: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn
+Patch213: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn
+Patch214: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn
+Patch215: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn
+Patch216: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn
+Patch217: 0026-taprio-Replace-tc_map_to_queue_mask.tsn
+Patch218: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn
+Patch219: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn
+Patch220: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn
+Patch221: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn
+Patch222: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn
+Patch223: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn
+Patch224: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn
+Patch225: 0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn
+Patch226: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn
+Patch227: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn
+Patch228: 
0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn
+Patch229: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn
+Patch230: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn
+Patch231: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn
+Patch232: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn
 #camera
-Patch226: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera
-Patch227: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera
-Patch228: 0002-media-i2c-add-support-for-lt6911uxe.camera
-Patch229: 0003-INT3472-Support-LT6911UXE.camera
-Patch230: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera
-Patch231: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera
-Patch232: 0006-media-pci-Enable-ISYS-reset.camera
-Patch233: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera
-Patch234: 0008-driver-media-i2c-remove-useless-header-file.camera
-Patch235: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera
-Patch236: 0010-media-i2c-add-support-for-lt6911uxc.camera
-Patch237: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera
-Patch238: 0012-media-pci-intel-psys-driver.camera
-Patch239: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera
-Patch240: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera
-Patch241: 0002-media-pci-intel-include-psys-driver.camera
-Patch242: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera
-Patch243: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera
-Patch244: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera
-Patch245: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera
-Patch246: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera
-Patch247: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera
-Patch248: 0001-media-pci-update-IPU6-PSYS-driver.camera
-Patch249: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera
-Patch250: 
0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera
-Patch251: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera
-Patch252: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
-Patch253: 0006-media-i2c-some-changes-in-lt6911uxe.camera
-Patch254: 0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
-Patch255: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera
-Patch256: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera
-Patch257: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
-Patch258: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera
-Patch259: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera
-Patch260: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera
-Patch261: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera
-Patch262: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera
-Patch263: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera
-Patch264: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera
-Patch265: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera
-Patch266: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera
-Patch267: 0004-i2c-media-fix-cov-issue.camera
-Patch268: 0005-mv-ipu-acpi-module-to-linux-drivers.camera
-Patch269: 0006-kernel-enable-VC-support-in-v4l2.camera
-Patch270: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera
-Patch271: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera
-Patch272: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera
-Patch273: 0010-media-pci-add-missing-if-for-PDATA.camera
-Patch274: 0011-media-platform-fix-allyesconfig-build-error.camera
-Patch275: 0012-media-pci-refine-PDATA-related-config.camera
-Patch276: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera
-Patch277: 0014-media-i2c-add-gmsl-isx031-support.camera
-Patch278: 0015-media-i2c-add-support-for-isx031-max9296.camera
-Patch279: 0016-fix-S4-issue-on-TWL.camera
-Patch280: 0017-code-changes-for-link-frequency-and-sensor-physical.camera
+Patch233: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera
+Patch234: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera
+Patch235: 0002-media-i2c-add-support-for-lt6911uxe.camera
+Patch236: 0003-INT3472-Support-LT6911UXE.camera
+Patch237: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera
+Patch238: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera
+Patch239: 0006-media-pci-Enable-ISYS-reset.camera
+Patch240: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera
+Patch241: 0008-driver-media-i2c-remove-useless-header-file.camera
+Patch242: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera
+Patch243: 0010-media-i2c-add-support-for-lt6911uxc.camera
+Patch244: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera
+Patch245: 0012-media-pci-intel-psys-driver.camera
+Patch246: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera
+Patch247: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera
+Patch248: 0002-media-pci-intel-include-psys-driver.camera
+Patch249: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera
+Patch250: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera
+Patch251: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera
+Patch252: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera
+Patch253: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera
+Patch254: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera
+Patch255: 0001-media-pci-update-IPU6-PSYS-driver.camera
+Patch256: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera
+Patch257: 0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera
+Patch258: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera
+Patch259: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
+Patch260: 0006-media-i2c-some-changes-in-lt6911uxe.camera
+Patch261: 
0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
+Patch262: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera
+Patch263: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera
+Patch264: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera
+Patch265: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera
+Patch266: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera
+Patch267: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera
+Patch268: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera
+Patch269: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera
+Patch270: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera
+Patch271: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera
+Patch272: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera
+Patch273: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera
+Patch274: 0004-i2c-media-fix-cov-issue.camera
+Patch275: 0005-mv-ipu-acpi-module-to-linux-drivers.camera
+Patch276: 0006-kernel-enable-VC-support-in-v4l2.camera
+Patch277: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera
+Patch278: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera
+Patch279: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera
+Patch280: 0010-media-pci-add-missing-if-for-PDATA.camera
+Patch281: 0011-media-platform-fix-allyesconfig-build-error.camera
+Patch282: 0012-media-pci-refine-PDATA-related-config.camera
+Patch283: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera
+Patch284: 0014-media-i2c-add-gmsl-isx031-support.camera
+Patch285: 0015-media-i2c-add-support-for-isx031-max9296.camera
+Patch286: 0016-fix-S4-issue-on-TWL.camera
+Patch287: 0017-code-changes-for-link-frequency-and-sensor-physical.camera
 #wwan
-Patch281: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan
-Patch282: 0002-wwan-add-SAHARA-device.wwan
-Patch283: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan
-Patch284: 
0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan
-Patch285: 0005-wwan-add-NMEA-type.wwan
-Patch286: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan
-Patch287: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan
-Patch288: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan
-Patch289: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan
-Patch290: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan
-Patch291: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan
-Patch292: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan
-Patch293: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan
-Patch294: 0005-Revert-wwan-add-NMEA-type.wwan
-Patch295: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan
-Patch296: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan
-Patch297: 0008-Revert-wwan-add-SAHARA-device.wwan
-Patch298: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan
+Patch288: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan
+Patch289: 0002-wwan-add-SAHARA-device.wwan
+Patch290: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan
+Patch291: 0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan
+Patch292: 0005-wwan-add-NMEA-type.wwan
+Patch293: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan
+Patch294: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan
+Patch295: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan
+Patch296: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan
+Patch297: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan
+Patch298: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan
+Patch299: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan
+Patch300: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan
+Patch301: 0005-Revert-wwan-add-NMEA-type.wwan
+Patch302: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan
+Patch303: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan
+Patch304: 0008-Revert-wwan-add-SAHARA-device.wwan
+Patch305: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan
 #pmc_core
-Patch299: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core
-Patch300: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core
-Patch301: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core
+Patch306: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core
+Patch307: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core
+Patch308: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core
 #lpss
-Patch302: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss
-Patch303: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss
-Patch304: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss
-Patch305: 0004-spi-intel-Add-protected-and-locked-attributes.lpss
+Patch309: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss
+Patch310: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss
+Patch311: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss
+Patch312: 0004-spi-intel-Add-protected-and-locked-attributes.lpss
 #preempt_rt patches backported
-Patch306: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt
-Patch307: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt
-Patch308: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt
-Patch309: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt
-Patch310: 0004-serial-8250-Switch-to-nbcon-console.rt
-Patch311: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt
-Patch312: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt
-Patch313: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt
-Patch314: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt
-Patch315: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt
-Patch316: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt
-Patch317: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt
-Patch318: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt
-Patch319: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt
-Patch320: 0014-drm-i915-Drop-the-irqs_disabled-check.rt
-Patch321: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt
-Patch322: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt
-Patch323: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt
-Patch324: 0018-sched-Add-Lazy-preemption-model.rt
-Patch325: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt
-Patch326: 0020-sched-x86-Enable-Lazy-preemption.rt
-Patch327: 0021-sched-Add-laziest-preempt-model.rt
-Patch328: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt
-Patch329: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt
-Patch330: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt
-Patch331: 0025-sysfs-Add-sys-kernel-realtime-entry.rt
-Patch332: 0001-serial-8250-enable-original-console-by-default.rt
-Patch333: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt
-Patch334: 0002-Revert-scripts-remove-bin2c.rt
-Patch335: 0003-extend-uio-driver-to-supports-msix.rt
-Patch336: 0004-virtio-add-VIRTIO_PMD-support.rt
-Patch337: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt
-Patch338: 0006-Add-hypercall-to-access-MSR.rt
-Patch339: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt
-Patch340: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt
-Patch341: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt
-Patch342: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt
-Patch343: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt
-Patch344: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt
-Patch345: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt
-Patch346: 0014-igb-Add-BTF-based-metadata-for-XDP.rt
-Patch347: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt
-Patch348: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt
-Patch349: 
0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt
-Patch350: 0018-virtio-fix-VIRTIO_PMD-support.rt
-Patch351: 0019-drm-i915-add-i915-perf-event-capacity.rt
-Patch352: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt
+Patch313: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt
+Patch314: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt
+Patch315: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt
+Patch316: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt
+Patch317: 0004-serial-8250-Switch-to-nbcon-console.rt
+Patch318: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt
+Patch319: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt
+Patch320: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt
+Patch321: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt
+Patch322: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt
+Patch323: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt
+Patch324: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt
+Patch325: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt
+Patch326: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt
+Patch327: 0014-drm-i915-Drop-the-irqs_disabled-check.rt
+Patch328: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt
+Patch329: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt
+Patch330: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt
+Patch331: 0018-sched-Add-Lazy-preemption-model.rt
+Patch332: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt
+Patch333: 0020-sched-x86-Enable-Lazy-preemption.rt
+Patch334: 0021-sched-Add-laziest-preempt-model.rt
+Patch335: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt
+Patch336: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt
+Patch337: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt
+Patch338: 0025-sysfs-Add-sys-kernel-realtime-entry.rt
+Patch339: 0001-serial-8250-enable-original-console-by-default.rt
+Patch340: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt
+Patch341: 0002-Revert-scripts-remove-bin2c.rt
+Patch342: 0003-extend-uio-driver-to-supports-msix.rt
+Patch343: 0004-virtio-add-VIRTIO_PMD-support.rt
+Patch344: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt
+Patch345: 0006-Add-hypercall-to-access-MSR.rt
+Patch346: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt
+Patch347: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt
+Patch348: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt
+Patch349: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt
+Patch350: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt
+Patch351: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt
+Patch352: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt
+Patch353: 0014-igb-Add-BTF-based-metadata-for-XDP.rt
+Patch354: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt
+Patch355: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt
+Patch356: 0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt
+Patch357: 0018-virtio-fix-VIRTIO_PMD-support.rt
+Patch358: 0019-drm-i915-add-i915-perf-event-capacity.rt
+Patch359: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt
 #drm
-Patch353: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm
-Patch354: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm
-Patch355: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm
-Patch356: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm
-Patch357: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm
-Patch358: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm
-Patch359: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm
-Patch360: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm
-Patch361: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm
-Patch362: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm
-Patch363: 
0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm -Patch364: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm -Patch365: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm -Patch366: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm -Patch367: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm -Patch368: 0011-drm-i915-gt-Store-active-CCS-mask.drm -Patch369: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm -Patch370: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm -Patch371: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm -Patch372: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm -Patch373: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm -Patch374: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm -Patch375: 0001-Remove-unneeded-files.patch +Patch360: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm +Patch361: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm +Patch362: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm +Patch363: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm +Patch364: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm +Patch365: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm +Patch366: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm +Patch367: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm +Patch368: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm +Patch369: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm +Patch370: 0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm +Patch371: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm +Patch372: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm +Patch373: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm +Patch374: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm +Patch375: 
0011-drm-i915-gt-Store-active-CCS-mask.drm +Patch376: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm +Patch377: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm +Patch378: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm +Patch379: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm +Patch380: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm +Patch381: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm +Patch382: 0001-Remove-unneeded-files.patch +Patch383: 0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm #rapl -Patch376: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl +Patch384: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl #misc -Patch377: 0001-Add-security.md-file.misc +Patch385: 0001-Add-security.md-file.misc #iommu -Patch378: 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu -Patch379: 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu +Patch386: 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu +Patch387: 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu #emt-drm -Patch380: 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch +Patch388: 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch #CVE-2025-21709 -Patch381: CVE-2025-21709.patch +Patch389: CVE-2025-21709.patch #CVE-2025-21817 -Patch382: CVE-2025-21817.patch +Patch390: CVE-2025-21817.patch #CVE-2025-22104 -Patch383: CVE-2025-22104.patch -#CVE-2025-22105 -Patch384: CVE-2025-22105.patch -Patch385: CVE-2025-22105-1.patch +Patch391: CVE-2025-22104.patch #CVE-2025-22108 -Patch386: CVE-2025-22108.patch +Patch392: CVE-2025-22108.patch #CVE-2025-22111 -Patch387: CVE-2025-22111.patch +Patch393: CVE-2025-22111.patch #CVE-2025-22116 -Patch388: CVE-2025-22116.patch +Patch394: CVE-2025-22116.patch #CVE-2025-22117 -Patch389: CVE-2025-22117.patch -#CVE-2025-22121 -Patch390: CVE-2025-22121.patch -Patch391: CVE-2025-22121-1.patch +Patch395: 
CVE-2025-22117.patch #CVE-2025-23131 -Patch392: CVE-2025-23131.patch +Patch396: CVE-2025-23131.patch #CVE-2025-37746 -Patch393: CVE-2025-37746.patch -Patch394: CVE-2025-37746-1.patch +Patch397: CVE-2025-37746.patch +Patch398: CVE-2025-37746-1.patch #CVE-2025-37906 -Patch395: CVE-2025-37906.patch +Patch399: CVE-2025-37906.patch #CVE-2025-38041 -Patch396: CVE-2025-38041.patch -Patch397: CVE-2025-38041-1.patch -Patch398: CVE-2025-38041-2.patch +Patch400: CVE-2025-38041.patch +Patch401: CVE-2025-38041-1.patch +Patch402: CVE-2025-38041-2.patch #CVE-2025-38029 -Patch399: CVE-2025-38029.patch +Patch403: CVE-2025-38029.patch #CVE-2025-38311 -Patch400: CVE-2025-38311.patch +Patch404: CVE-2025-38311.patch #CVE-2025-38248 -Patch401: CVE-2025-38248.patch +Patch405: CVE-2025-38248.patch #CVE-2025-38234 -Patch402: CVE-2025-38234.patch +Patch406: CVE-2025-38234.patch #CVE-2025-38207 -Patch403: CVE-2025-38207.patch +Patch407: CVE-2025-38207.patch #CVE-2025-38137 -Patch404: CVE-2025-38137.patch +Patch408: CVE-2025-38137.patch #CVE-2025-40325 -Patch405: CVE-2025-40325.patch +Patch409: CVE-2025-40325.patch #CVE-2025-38284 -Patch406: CVE-2025-38284.patch -Patch407: CVE-2025-38284-1.patch -Patch408: CVE-2025-38284-2.patch +Patch410: CVE-2025-38284.patch +Patch411: CVE-2025-38284-1.patch +Patch412: CVE-2025-38284-2.patch #CVE-2025-38199 -Patch409: CVE-2025-38199.patch +Patch413: CVE-2025-38199.patch #CVE-2025-38140 -Patch410: CVE-2025-38140.patch +Patch414: CVE-2025-38140.patch #CVE-2025-38132 -Patch411: CVE-2025-38132.patch -Patch412: CVE-2025-38132-1.patch +Patch415: CVE-2025-38132.patch +Patch416: CVE-2025-38132-1.patch #CVE-2025-37743 -Patch413: CVE-2025-37743.patch +Patch417: CVE-2025-37743.patch #CVE-2025-23132 -Patch414: CVE-2025-23132.patch -#CVE-2025-23130 -Patch415: CVE-2025-23130.patch -#CVE-2025-23129 -Patch416: CVE-2025-23129.patch +Patch418: CVE-2025-23132.patch #CVE-2025-22127 -Patch417: CVE-2025-22127.patch +Patch419: CVE-2025-22127.patch #CVE-2025-22109 -Patch418: 
CVE-2025-22109.patch +Patch420: CVE-2025-22109.patch #CVE-2025-21752 -Patch419: CVE-2025-21752.patch -Patch420: CVE-2025-21752-1.patch -#CVE-2025-37860 -Patch421: CVE-2025-37860.patch +Patch421: CVE-2025-21752.patch +Patch422: CVE-2025-21752-1.patch #CVE-2024-58095 -Patch422: CVE-2024-58095.patch +Patch423: CVE-2024-58095.patch #CVE-2024-58094 -Patch423: CVE-2024-58094.patch -#CVE-2024-57995 -Patch424: CVE-2024-57995.patch +Patch424: CVE-2024-58094.patch #CVE-2024-52560 -Patch425: CVE-2024-52560.patch -Patch426: CVE-2024-52560-1.patch +Patch425: CVE-2024-52560.patch +Patch426: CVE-2024-52560-1.patch #CVE-2025-38621 -Patch427: CVE-2025-38621.patch +Patch427: CVE-2025-38621.patch #CVE-2025-38627 -Patch428: CVE-2025-38627.patch -#CVE-2025-38643 -Patch429: CVE-2025-38643.patch +Patch428: CVE-2025-38627.patch #CVE-2025-39789 -Patch430: CVE-2025-39789.patch +Patch429: CVE-2025-39789.patch #CVE-2025-39764 -Patch431: CVE-2025-39764.patch +Patch430: CVE-2025-39764.patch #CVE-2025-39745 -Patch432: CVE-2025-39745.patch +Patch431: CVE-2025-39745.patch #CVE-2025-39677 -Patch433: CVE-2025-39677.patch +Patch432: CVE-2025-39677.patch #CVE-2025-39933 -Patch434: CVE-2025-39933.patch +Patch433: CVE-2025-39933.patch #CVE-2025-39833 -Patch435: CVE-2025-39833.patch +Patch434: CVE-2025-39833.patch #CVE-2025-39925 -Patch436: CVE-2025-39925.patch +Patch435: CVE-2025-39925.patch #CVE-2025-39905 -Patch437: CVE-2025-39905.patch +Patch436: CVE-2025-39905.patch #CVE-2025-39859 -Patch438: CVE-2025-39859.patch +Patch437: CVE-2025-39859.patch #CVE-2025-39910 -Patch439: CVE-2025-39910.patch -#CVE-2025-39981 -Patch440: CVE-2025-39981.patch +Patch438: CVE-2025-39910.patch +#CVE-2025-40098 +Patch439: CVE-2025-40098.patch +#CVE-2025-40075 +Patch440: CVE-2025-40075.patch +Patch441: CVE-2025-40075-1.patch +#CVE-2025-40074 +Patch442: CVE-2025-40074.patch +#CVE-2025-40064 +Patch443: CVE-2025-40064.patch +#CVE-2025-40086 +Patch444: CVE-2025-40086.patch +Patch445: CVE-2025-40086-1.patch +#CVE-2025-40168 
+Patch446: CVE-2025-40168.patch
+#CVE-2025-40170
+Patch447: CVE-2025-40170.patch
+#CVE-2025-40164
+Patch448: CVE-2025-40164.patch
+#CVE-2025-40158
+Patch449: CVE-2025-40158.patch
+#CVE-2025-40149
+Patch450: CVE-2025-40149.patch
+#CVE-2025-40147
+Patch451: CVE-2025-40147.patch
+#CVE-2025-40139
+Patch452: CVE-2025-40139.patch
+#CVE-2025-40136
+Patch453: CVE-2025-40136.patch
+#CVE-2025-40135
+Patch454: CVE-2025-40135.patch
+#CVE-2025-40130
+Patch455: CVE-2025-40130.patch
+#CVE-2025-38656
+Patch456: CVE-2025-38656.patch
+Patch457: CVE-2025-38656-2.patch
+#CVE-2025-38591
+Patch458: CVE-2025-38591.patch
+#CVE-2025-38584
+Patch459: CVE-2025-38584.patch
 # CVE Patches - %global security_hardening none %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh %global mstflintver 4.28.0
@@ -672,8 +701,8 @@ manipulation of eBPF programs and maps. %prep %define _default_patch_flags -p1 --fuzz=3 --force
-%setup -q -n linux-6.12.55
-%autosetup -p1 -n linux-6.12.55
+%setup -q -n linux-6.12.59
+%autosetup -p1 -n linux-6.12.59
 # %patch 0 -p1 make mrproper
@@ -919,6 +948,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog
+* Thu Dec 11 2025 Lishan Liu - 6.12.59-1
+- Update kernel to 6.12.59
+
 * Thu Nov 27 2025 Lishan Liu - 6.12.55-2 - Update audio and virtio gpu kernel config
diff --git a/SPECS/kernel/series b/SPECS/kernel/series
index 38b1f51a3e..c7ca87714b 100644
--- a/SPECS/kernel/series
+++ b/SPECS/kernel/series
@@ -1,5 +1,5 @@
-# Series file for v6.12.55 linux kernel
-# 4fc43debf5047 Linux 6.12.55
+# Series file for v6.12.59 linux kernel
+# d5dc97879a97 Linux 6.12.59
 #sriov 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov
@@ -60,6 +60,7 @@ 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov
+0001-drm-i915-Do-not-advertise-about-CCS.sriov
 #security 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security 0002-mei-virtio-virtualization-frontend-driver.security
@@ -147,6 +148,12 @@ 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac
+0001-EDAC-igen6-Initialize-edac_op_state-according-to-the-.edac
+0002-EDAC-igen6-Add-polling-support.edac
+0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.edac
+0004-EDAC-igen6-Constify-struct-res_config.edac
+0005-EDAC-igen6-Skip-absent-memory-controllers.edac
+0006-EDAC-igen6-Fix-NULL-pointer-dereference.edac
 #tsn 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn
@@ -387,6 +394,7 @@ 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm 0001-Remove-unneeded-files.patch
+0001-i915-gt-Upgrade-GuC-70.44.1-70.49.4.drm
 #rapl 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl #misc
@@ -405,10 +413,6 @@ CVE-2025-21817.patch #CVE-2025-22104 CVE-2025-22104.patch
-#CVE-2025-22105
-CVE-2025-22105.patch
-CVE-2025-22105-1.patch
-
 #CVE-2025-22108 CVE-2025-22108.patch
@@ -421,10 +425,6 @@ CVE-2025-22116.patch #CVE-2025-22117 CVE-2025-22117.patch
-#CVE-2025-22121
-CVE-2025-22121.patch
-CVE-2025-22121-1.patch
-
 #CVE-2025-23131 CVE-2025-23131.patch
@@ -482,12 +482,6 @@ CVE-2025-37743.patch #CVE-2025-23132 CVE-2025-23132.patch
-#CVE-2025-23130
-CVE-2025-23130.patch
-
-#CVE-2025-23129
-CVE-2025-23129.patch
-
 #CVE-2025-22127 CVE-2025-22127.patch
@@ -498,18 +492,12 @@ CVE-2025-22109.patch CVE-2025-21752.patch CVE-2025-21752-1.patch
-#CVE-2025-37860
-CVE-2025-37860.patch
-
 #CVE-2024-58095 CVE-2024-58095.patch #CVE-2024-58094 CVE-2024-58094.patch
-#CVE-2024-57995
-CVE-2024-57995.patch
-
 #CVE-2024-52560 CVE-2024-52560.patch CVE-2024-52560-1.patch
@@ -520,9 +508,6 @@ CVE-2025-38621.patch #CVE-2025-38627 CVE-2025-38627.patch
-#CVE-2025-38643
-CVE-2025-38643.patch
-
 #CVE-2025-39789 CVE-2025-39789.patch
@@ -553,5 +538,59 @@ CVE-2025-39859.patch #CVE-2025-39910 CVE-2025-39910.patch
-#CVE-2025-39981
-CVE-2025-39981.patch
+#CVE-2025-40098
+CVE-2025-40098.patch
+
+#CVE-2025-40075
+CVE-2025-40075.patch
+CVE-2025-40075-1.patch
+
+#CVE-2025-40074
+CVE-2025-40074.patch
+
+#CVE-2025-40064
+CVE-2025-40064.patch
+
+#CVE-2025-40086
+CVE-2025-40086.patch
+CVE-2025-40086-1.patch
+
+#CVE-2025-40168
+CVE-2025-40168.patch
+
+#CVE-2025-40170
+CVE-2025-40170.patch
+
+#CVE-2025-40164
+CVE-2025-40164.patch
+
+#CVE-2025-40158
+CVE-2025-40158.patch
+
+#CVE-2025-40149
+CVE-2025-40149.patch
+
+#CVE-2025-40147
+CVE-2025-40147.patch
+
+#CVE-2025-40139
+CVE-2025-40139.patch
+
+#CVE-2025-40136
+CVE-2025-40136.patch
+
+#CVE-2025-40135
+CVE-2025-40135.patch
+
+#CVE-2025-40130
+CVE-2025-40130.patch
+
+#CVE-2025-38656
+CVE-2025-38656.patch
+CVE-2025-38656-2.patch
+
+#CVE-2025-38591
+CVE-2025-38591.patch
+
+#CVE-2025-38584
+CVE-2025-38584.patch
diff --git a/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec b/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec
index 8a09be185f..975cf0668d 100644
--- a/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec
+++ b/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec
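Review bot: In the last SPECS/kernel/series hunk the new CVE-2025-38656 entry lists `CVE-2025-38656.patch` followed by `CVE-2025-38656-2.patch` with no `-1` part, while the other two-part fixes added alongside it number from `-1` (`CVE-2025-40075-1.patch`, `CVE-2025-40086-1.patch`). If a middle patch exists it is missing from the series (the spec patch list earlier in this diff uses the same two names for Patch456/Patch457); if not, renaming the second file to `-1` would remove the doubt. The same hunk drops `CVE-2025-39981.patch`, and the earlier series hunks drop CVE-2025-22105, CVE-2025-22121, CVE-2025-23130, CVE-2025-23129, CVE-2025-37860, CVE-2024-57995 and CVE-2025-38643, with no reason recorded anywhere in the diff. Presumably those fixes are carried by 6.12.59 itself; a comment line such as `# dropped on rebase to v6.12.59, fix present in the base tree: CVE-2025-39981, ...` or a matching %changelog entry would make that auditable.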
@@ -10,7 +10,7 @@ Summary: nvidia gpu driver kernel module for data center devices Name: nvidia-data-center-driver Version: 570.133.20
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: Public Domain Source0: https://us.download.nvidia.com/tesla/%{version}/NVIDIA-Linux-x86_64-%{version}.run Vendor: Intel Corporation
@@ -51,6 +51,9 @@ make INSTALL_MOD_PATH=%{buildroot} modules_install /sbin/depmod -a %changelog
+* Thu Dec 11 2025 Lishan Liu - 570.133.20-13
+- Bump release to rebuild
+
 * Thu Nov 27 2025 Lishan Liu - 570.133.20-12 - Bump release to rebuild
diff --git a/cgmanifest.json b/cgmanifest.json
index 05d22dbd81..01badaffdd 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -8471,8 +8471,8 @@ "type": "other", "other": { "name": "kernel",
- "version": "6.12.55",
- "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz"
+ "version": "6.12.59",
+ "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.59.tar.gz"
 } } },
@@ -8501,8 +8501,8 @@ "type": "other", "other": { "name": "kernel-headers",
- "version": "6.12.55",
- "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz"
+ "version": "6.12.59",
+ "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.59.tar.gz"
 } } },
@@ -8541,8 +8541,8 @@ "type": "other", "other": { "name": "kernel-rt",
- "version": "6.12.55",
- "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz"
+ "version": "6.12.59",
+ "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.59.tar.gz"
 } } },
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 5f3cc476b2..d213519610 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,5 +1,5 @@ filesystem-1.1-21.emt3.x86_64.rpm
-kernel-headers-6.12.55-2.emt3.noarch.rpm
+kernel-headers-6.12.59-1.emt3.noarch.rpm
 glibc-2.38-12.emt3.x86_64.rpm glibc-devel-2.38-12.emt3.x86_64.rpm glibc-i18n-2.38-12.emt3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 6d9b990535..798dfef099 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -150,8 +150,8 @@ intltool-0.51.0-7.emt3.noarch.rpm itstool-2.0.7-1.emt3.noarch.rpm kbd-2.2.0-2.emt3.x86_64.rpm kbd-debuginfo-2.2.0-2.emt3.x86_64.rpm
-kernel-cross-headers-6.12.55-2.emt3.noarch.rpm
-kernel-headers-6.12.55-2.emt3.noarch.rpm
+kernel-cross-headers-6.12.59-1.emt3.noarch.rpm
+kernel-headers-6.12.59-1.emt3.noarch.rpm
 kmod-30-1.emt3.x86_64.rpm kmod-debuginfo-30-1.emt3.x86_64.rpm kmod-devel-30-1.emt3.x86_64.rpm
diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile
index e1a4eb4e69..ae8be7e443 100644
--- a/toolkit/scripts/toolchain/container/Dockerfile
+++ b/toolkit/scripts/toolchain/container/Dockerfile
@@ -63,7 +63,7 @@ RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolch # Disable downloading from remote sources by default. The 'toolchain-local-wget-list' generated for the above line will download from $(SOURCE_URL) # The 'toolchain-remote-wget-list' is still available and can be used as an alternate to $(SOURCE_URL) if desired. #RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0
-RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/intel/linux-intel-lts/archive/refs/tags/lts-v6.12.55-emt-251024T084840Z.tar.gz -O lts-v6.12.55-emt-251024T084840Z.tar.gz --directory-prefix=$LFS/sources; exit 0
+RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/intel/linux-intel-lts/archive/refs/tags/lts-v6.12.59-emt-251202T195146Z -O lts-v6.12.59-emt-251202T195146Z --directory-prefix=$LFS/sources; exit 0
 USER root RUN mkdir -pv $LFS/{etc,var} $LFS/usr/{bin,lib,sbin} && \
diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums
index 86aeaef63d..746bf7de6f 100644
--- a/toolkit/scripts/toolchain/container/toolchain-sha256sums
+++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums
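Review bot: The added `RUN wget` line in the Dockerfile hunk drops the `.tar.gz` suffix from both the URL and the `-O` name (`lts-v6.12.59-emt-251202T195146Z`), where the line it replaces used `.tar.gz` for both. The diff does not show whether the suffix-less tag URL still returns an archive, so this looks unintended. Because the command ends in `; exit 0`, a failed or partial download still produces a successful image layer. The toolchain-sha256sums change in this commit touches only the `linux-6.12.59.tar.gz` entry, so nothing visible in this diff verifies this file. I would restore the suffix and fail closed: `RUN wget -nv --timeout=30 <tag-url>.tar.gz -O lts-v6.12.59-emt-251202T195146Z.tar.gz && echo "<SHA256_PLACEHOLDER>  lts-v6.12.59-emt-251202T195146Z.tar.gz" | sha256sum -c -`.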
@@ -28,7 +28,7 @@ a3c2b80201b89e68616f4ad30bc66aee4927c3ce50e33929ca819d5c43538898 gmp-6.3.0.tar. 1db2aedde89d0dea42b16d9528f894c8d15dae4e190b59aecc78f5a951276eab grep-3.11.tar.xz 6b9757f592b7518b4902eb6af7e54570bdccba37a871fddb2d30ae3863511c13 groff-1.23.0.tar.gz 7454eb6935db17c6655576c2e1b0fabefd38b4d0936e0f87f48cd062ce91a057 gzip-1.13.tar.xz
-c8076132f818c0a22b7fe9a1184769406f0a62d0b93e4516d7f1a6d24f3791c3 linux-6.12.55.tar.gz
+93dfe627d321f016291054449a8e4bf9051de19687fbf1a6f584a2b79f8f5d2c linux-6.12.59.tar.gz
 5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0 libarchive-3.7.1.tar.gz f311f8f3dad84699d0566d1d6f7ec943a9298b28f714cae3c931dfd57492d7eb libcap-2.69.tar.xz b8b45194989022a79ec1317f64a2a75b1551b2a55bea06f67704cb2a2e4690b0 libpipeline-1.5.7.tar.gz
diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
index 35da43e5dd..33c5183c9e 100755
--- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
+++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
@@ -86,9 +86,9 @@ rm -rf gcc-13.2.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete
-KERNEL_VERSION="6.12.55"
+KERNEL_VERSION="6.12.59"
 echo Linux-${KERNEL_VERSION} API Headers
-tar xf linux-6.12.55.tar.gz
+tar xf linux-6.12.59.tar.gz
 pushd linux-${KERNEL_VERSION} make mrproper make headers