Merging debian version 6.1.85-1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

16 files changed, 543 insertions, 510 deletions

diff --git a/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch b/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch
deleted file mode 100644
index 258ab6ea4..000000000
--- a/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From: Yuxuan Hu <20373622@buaa.edu.cn>
-Date: Wed, 3 Jan 2024 17:10:43 +0800
-Subject: Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=567c0411dc3b424fc7bd1e6109726d7ba32d4f73
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-22099
-
-[ Upstream commit 2535b848fa0f42ddff3e5255cf5e742c9b77bb26 ]
-
-During our fuzz testing of the connection and disconnection process at the
-RFCOMM layer, we discovered this bug. By comparing the packets from a
-normal connection and disconnection process with the testcase that
-triggered a KASAN report. We analyzed the cause of this bug as follows:
-
-1. In the packets captured during a normal connection, the host sends a
-`Read Encryption Key Size` type of `HCI_CMD` packet
-(Command Opcode: 0x1408) to the controller to inquire the length of
-encryption key.After receiving this packet, the controller immediately
-replies with a Command Completepacket (Event Code: 0x0e) to return the
-Encryption Key Size.
-
-2. In our fuzz test case, the timing of the controller's response to this
-packet was delayed to an unexpected point: after the RFCOMM and L2CAP
-layers had disconnected but before the HCI layer had disconnected.
-
-3. After receiving the Encryption Key Size Response at the time described
-in point 2, the host still called the rfcomm_check_security function.
-However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`
-had already been released, and when the function executed
-`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,
-specifically when accessing `conn->hcon`, a null-ptr-deref error occurred.
-
-To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling
-rfcomm_recv_frame in rfcomm_process_rx.
-
-Signed-off-by: Yuxuan Hu <20373622@buaa.edu.cn>
-Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/bluetooth/rfcomm/core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
-index 8d6fce9005bd..4f54c7df3a94 100644
---- a/net/bluetooth/rfcomm/core.c
-+++ b/net/bluetooth/rfcomm/core.c
-@@ -1937,7 +1937,7 @@ static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
- 	/* Get data directly from socket receive queue without copying it. */
- 	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
- 		skb_orphan(skb);
--		if (!skb_linearize(skb)) {
-+		if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) {
- 			s = rfcomm_recv_frame(s, skb);
- 			if (!s)
- 				break;
--- 
-2.43.0
-
diff --git a/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch b/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch
new file mode 100644
index 000000000..5e77d7985
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch
@@ -0,0 +1,198 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 11 Apr 2024 09:26:49 +0200
+Subject: Revert "scsi: core: Add struct for args to execution functions"
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=d1e620297a84caac1cd67615f4f4f6901527ca2b
+
+This reverts commit cf33e6ca12d814e1be2263cb76960d0019d7fb94 which is
+commit d0949565811f0896c1c7e781ab2ad99d34273fdf upstream.
+
+It is known to cause problems and has asked to be dropped.
+
+Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com
+Cc: Tasos Sahanidis <tasos@tasossah.com>
+Cc: Ewan D. Milne <emilne@redhat.com>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Tasos Sahanidis <tasos@tasossah.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: James Bottomley <jejb@linux.ibm.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Reported-by: John David Anglin <dave.anglin@bell.net>
+Reported-by: Cyril Brulebois <kibi@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_lib.c    | 52 ++++++++++++++++++++------------------
+ include/scsi/scsi_device.h | 51 ++++++++++---------------------------
+ 2 files changed, 41 insertions(+), 62 deletions(-)
+
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index edd296f950a3..5c5954b78585 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -185,37 +185,39 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason)
+ 	__scsi_queue_insert(cmd, reason, true);
+ }
+ 
++
+ /**
+- * scsi_execute_cmd - insert request and wait for the result
+- * @sdev:	scsi_device
++ * __scsi_execute - insert request and wait for the result
++ * @sdev:	scsi device
+  * @cmd:	scsi command
+- * @opf:	block layer request cmd_flags
++ * @data_direction: data direction
+  * @buffer:	data buffer
+  * @bufflen:	len of buffer
++ * @sense:	optional sense buffer
++ * @sshdr:	optional decoded sense header
+  * @timeout:	request timeout in HZ
+  * @retries:	number of times to retry request
+- * @args:	Optional args. See struct definition for field descriptions
++ * @flags:	flags for ->cmd_flags
++ * @rq_flags:	flags for ->rq_flags
++ * @resid:	optional residual length
+  *
+  * Returns the scsi_cmnd result field if a command was executed, or a negative
+  * Linux error code if we didn't get that far.
+  */
+-int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
+-		     blk_opf_t opf, void *buffer, unsigned int bufflen,
+-		     int timeout, int retries,
+-		     const struct scsi_exec_args *args)
++int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
++		 int data_direction, void *buffer, unsigned bufflen,
++		 unsigned char *sense, struct scsi_sense_hdr *sshdr,
++		 int timeout, int retries, blk_opf_t flags,
++		 req_flags_t rq_flags, int *resid)
+ {
+-	static const struct scsi_exec_args default_args;
+ 	struct request *req;
+ 	struct scsi_cmnd *scmd;
+ 	int ret;
+ 
+-	if (!args)
+-		args = &default_args;
+-	else if (WARN_ON_ONCE(args->sense &&
+-			      args->sense_len != SCSI_SENSE_BUFFERSIZE))
+-		return -EINVAL;
+-
+-	req = scsi_alloc_request(sdev->request_queue, opf, args->req_flags);
++	req = scsi_alloc_request(sdev->request_queue,
++			data_direction == DMA_TO_DEVICE ?
++			REQ_OP_DRV_OUT : REQ_OP_DRV_IN,
++			rq_flags & RQF_PM ? BLK_MQ_REQ_PM : 0);
+ 	if (IS_ERR(req))
+ 		return PTR_ERR(req);
+ 
+@@ -230,7 +232,8 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
+ 	memcpy(scmd->cmnd, cmd, scmd->cmd_len);
+ 	scmd->allowed = retries;
+ 	req->timeout = timeout;
+-	req->rq_flags |= RQF_QUIET;
++	req->cmd_flags |= flags;
++	req->rq_flags |= rq_flags | RQF_QUIET;
+ 
+ 	/*
+ 	 * head injection *required* here otherwise quiesce won't work
+@@ -246,21 +249,20 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
+ 	if (unlikely(scmd->resid_len > 0 && scmd->resid_len <= bufflen))
+ 		memset(buffer + bufflen - scmd->resid_len, 0, scmd->resid_len);
+ 
+-	if (args->resid)
+-		*args->resid = scmd->resid_len;
+-	if (args->sense)
+-		memcpy(args->sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE);
+-	if (args->sshdr)
++	if (resid)
++		*resid = scmd->resid_len;
++	if (sense && scmd->sense_len)
++		memcpy(sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE);
++	if (sshdr)
+ 		scsi_normalize_sense(scmd->sense_buffer, scmd->sense_len,
+-				     args->sshdr);
+-
++				     sshdr);
+ 	ret = scmd->result;
+  out:
+ 	blk_mq_free_request(req);
+ 
+ 	return ret;
+ }
+-EXPORT_SYMBOL(scsi_execute_cmd);
++EXPORT_SYMBOL(__scsi_execute);
+ 
+ /*
+  * Wake up the error handler if necessary. Avoid as follows that the error
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index b407807cc669..d2751ed536df 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -479,51 +479,28 @@ extern const char *scsi_device_state_name(enum scsi_device_state);
+ extern int scsi_is_sdev_device(const struct device *);
+ extern int scsi_is_target_device(const struct device *);
+ extern void scsi_sanitize_inquiry_string(unsigned char *s, int len);
+-
+-/* Optional arguments to scsi_execute_cmd */
+-struct scsi_exec_args {
+-	unsigned char *sense;		/* sense buffer */
+-	unsigned int sense_len;		/* sense buffer len */
+-	struct scsi_sense_hdr *sshdr;	/* decoded sense header */
+-	blk_mq_req_flags_t req_flags;	/* BLK_MQ_REQ flags */
+-	int *resid;			/* residual length */
+-};
+-
+-int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
+-		     blk_opf_t opf, void *buffer, unsigned int bufflen,
+-		     int timeout, int retries,
+-		     const struct scsi_exec_args *args);
+-
++extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
++			int data_direction, void *buffer, unsigned bufflen,
++			unsigned char *sense, struct scsi_sense_hdr *sshdr,
++			int timeout, int retries, blk_opf_t flags,
++			req_flags_t rq_flags, int *resid);
+ /* Make sure any sense buffer is the correct size. */
+-#define scsi_execute(_sdev, _cmd, _data_dir, _buffer, _bufflen, _sense,	\
+-		     _sshdr, _timeout, _retries, _flags, _rq_flags,	\
+-		     _resid)						\
++#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense,	\
++		     sshdr, timeout, retries, flags, rq_flags, resid)	\
+ ({									\
+-	scsi_execute_cmd(_sdev, _cmd, (_data_dir == DMA_TO_DEVICE ?	\
+-			 REQ_OP_DRV_OUT : REQ_OP_DRV_IN) | _flags,	\
+-			 _buffer, _bufflen, _timeout, _retries,	\
+-			 &(struct scsi_exec_args) {			\
+-				.sense = _sense,			\
+-				.sshdr = _sshdr,			\
+-				.req_flags = _rq_flags & RQF_PM  ?	\
+-						BLK_MQ_REQ_PM : 0,	\
+-				.resid = _resid,			\
+-			 });						\
++	BUILD_BUG_ON((sense) != NULL &&					\
++		     sizeof(sense) != SCSI_SENSE_BUFFERSIZE);		\
++	__scsi_execute(sdev, cmd, data_direction, buffer, bufflen,	\
++		       sense, sshdr, timeout, retries, flags, rq_flags,	\
++		       resid);						\
+ })
+-
+ static inline int scsi_execute_req(struct scsi_device *sdev,
+ 	const unsigned char *cmd, int data_direction, void *buffer,
+ 	unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout,
+ 	int retries, int *resid)
+ {
+-	return scsi_execute_cmd(sdev, cmd,
+-				data_direction == DMA_TO_DEVICE ?
+-				REQ_OP_DRV_OUT : REQ_OP_DRV_IN, buffer,
+-				bufflen, timeout, retries,
+-				&(struct scsi_exec_args) {
+-					.sshdr = sshdr,
+-					.resid = resid,
+-				});
++	return scsi_execute(sdev, cmd, data_direction, buffer,
++		bufflen, NULL, sshdr, timeout, retries,  0, 0, resid);
+ }
+ extern void sdev_disable_disk_events(struct scsi_device *sdev);
+ extern void sdev_enable_disk_events(struct scsi_device *sdev);
+-- 
+2.43.0
+
diff --git a/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch b/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch
new file mode 100644
index 000000000..2b03fad36
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch
@@ -0,0 +1,125 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 11 Apr 2024 09:24:48 +0200
+Subject: Revert "scsi: sd: usb_storage: uas: Access media prior to querying
+ device properties"
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=fc7309d7c76e446d7804fcc075da53694cecd755
+Bug-Debian: https://bugs.debian.org/1068675
+
+This reverts commit b73dd5f9997279715cd450ee8ca599aaff2eabb9 which is
+commit 321da3dc1f3c92a12e3c5da934090d2992a8814c upstream.
+
+It is known to cause problems and has asked to be dropped.
+
+Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com
+Cc: Tasos Sahanidis <tasos@tasossah.com>
+Cc: Ewan D. Milne <emilne@redhat.com>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Tasos Sahanidis <tasos@tasossah.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: James Bottomley <jejb@linux.ibm.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Reported-by: John David Anglin <dave.anglin@bell.net>
+Reported-by: Cyril Brulebois <kibi@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c              | 26 +-------------------------
+ drivers/usb/storage/scsiglue.c |  7 -------
+ drivers/usb/storage/uas.c      |  7 -------
+ include/scsi/scsi_device.h     |  1 -
+ 4 files changed, 1 insertion(+), 40 deletions(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index f32236c3f81c..ad619f7c7418 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3286,24 +3286,6 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp,
+ 	return true;
+ }
+ 
+-static void sd_read_block_zero(struct scsi_disk *sdkp)
+-{
+-	unsigned int buf_len = sdkp->device->sector_size;
+-	char *buffer, cmd[10] = { };
+-
+-	buffer = kmalloc(buf_len, GFP_KERNEL);
+-	if (!buffer)
+-		return;
+-
+-	cmd[0] = READ_10;
+-	put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */
+-	put_unaligned_be16(1, &cmd[7]);	/* Transfer 1 logical block */
+-
+-	scsi_execute_cmd(sdkp->device, cmd, REQ_OP_DRV_IN, buffer, buf_len,
+-			 SD_TIMEOUT, sdkp->max_retries, NULL);
+-	kfree(buffer);
+-}
+-
+ /**
+  *	sd_revalidate_disk - called the first time a new disk is seen,
+  *	performs disk spin up, read_capacity, etc.
+@@ -3343,13 +3325,7 @@ static int sd_revalidate_disk(struct gendisk *disk)
+ 	 */
+ 	if (sdkp->media_present) {
+ 		sd_read_capacity(sdkp, buffer);
+-		/*
+-		 * Some USB/UAS devices return generic values for mode pages
+-		 * until the media has been accessed. Trigger a READ operation
+-		 * to force the device to populate mode pages.
+-		 */
+-		if (sdp->read_before_ms)
+-			sd_read_block_zero(sdkp);
++
+ 		/*
+ 		 * set the default to rotational.  All non-rotational devices
+ 		 * support the block characteristics VPD page, which will
+diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
+index 12cf9940e5b6..c54e9805da53 100644
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -179,13 +179,6 @@ static int slave_configure(struct scsi_device *sdev)
+ 		 */
+ 		sdev->use_192_bytes_for_3f = 1;
+ 
+-		/*
+-		 * Some devices report generic values until the media has been
+-		 * accessed. Force a READ(10) prior to querying device
+-		 * characteristics.
+-		 */
+-		sdev->read_before_ms = 1;
+-
+ 		/*
+ 		 * Some devices don't like MODE SENSE with page=0x3f,
+ 		 * which is the command used for checking if a device
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index af619efe8eab..ee5621bdb11e 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -876,13 +876,6 @@ static int uas_slave_configure(struct scsi_device *sdev)
+ 	if (devinfo->flags & US_FL_CAPACITY_HEURISTICS)
+ 		sdev->guess_capacity = 1;
+ 
+-	/*
+-	 * Some devices report generic values until the media has been
+-	 * accessed. Force a READ(10) prior to querying device
+-	 * characteristics.
+-	 */
+-	sdev->read_before_ms = 1;
+-
+ 	/*
+ 	 * Some devices don't like MODE SENSE with page=0x3f,
+ 	 * which is the command used for checking if a device
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index a64713fe5264..b407807cc669 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -204,7 +204,6 @@ struct scsi_device {
+ 	unsigned use_10_for_rw:1; /* first try 10-byte read / write */
+ 	unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */
+ 	unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */
+-	unsigned read_before_ms:1;	/* perform a READ before MODE SENSE */
+ 	unsigned no_report_opcodes:1;	/* no REPORT SUPPORTED OPERATION CODES */
+ 	unsigned no_write_same:1;	/* no WRITE SAME command */
+ 	unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */
+-- 
+2.43.0
+
diff --git a/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch b/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
deleted file mode 100644
index f5cc88309..000000000
--- a/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From: Chun-Yi Lee <jlee@suse.com>
-Date: Tue, 5 Mar 2024 16:20:48 +0800
-Subject: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=74ca3ef68d2f449bc848c0a814cefc487bf755fa
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-6270
-
-[ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ]
-
-This patch is against CVE-2023-6270. The description of cve is:
-
-  A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
-  kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
-  `struct net_device`, and a use-after-free can be triggered by racing
-  between the free on the struct and the access through the `skbtxq`
-  global queue. This could lead to a denial of service condition or
-  potential code execution.
-
-In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
-code is finished. But the net_device ifp will still be used in
-later tx()->dev_queue_xmit() in kthread. Which means that the
-dev_put(ifp) should NOT be called in the success path of skb
-initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
-use-after-free because the net_device is freed.
-
-This patch removed the dev_put(ifp) in the success path in
-aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
-
-Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
-Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)")
-Signed-off-by: Chun-Yi Lee <jlee@suse.com>
-Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/block/aoe/aoecmd.c | 12 ++++++------
- drivers/block/aoe/aoenet.c |  1 +
- 2 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c
-index d7317425be51..cc9077b588d7 100644
---- a/drivers/block/aoe/aoecmd.c
-+++ b/drivers/block/aoe/aoecmd.c
-@@ -419,13 +419,16 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
- 	rcu_read_lock();
- 	for_each_netdev_rcu(&init_net, ifp) {
- 		dev_hold(ifp);
--		if (!is_aoe_netif(ifp))
--			goto cont;
-+		if (!is_aoe_netif(ifp)) {
-+			dev_put(ifp);
-+			continue;
-+		}
- 
- 		skb = new_skb(sizeof *h + sizeof *ch);
- 		if (skb == NULL) {
- 			printk(KERN_INFO "aoe: skb alloc failure\n");
--			goto cont;
-+			dev_put(ifp);
-+			continue;
- 		}
- 		skb_put(skb, sizeof *h + sizeof *ch);
- 		skb->dev = ifp;
-@@ -440,9 +443,6 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
- 		h->major = cpu_to_be16(aoemajor);
- 		h->minor = aoeminor;
- 		h->cmd = AOECMD_CFG;
--
--cont:
--		dev_put(ifp);
- 	}
- 	rcu_read_unlock();
- }
-diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c
-index 63773a90581d..1e66c7a188a1 100644
---- a/drivers/block/aoe/aoenet.c
-+++ b/drivers/block/aoe/aoenet.c
-@@ -64,6 +64,7 @@ tx(int id) __must_hold(&txlock)
- 			pr_warn("aoe: packet could not be sent on %s.  %s\n",
- 				ifp ? ifp->name : "netif",
- 				"consider increasing tx_queue_len");
-+		dev_put(ifp);
- 		spin_lock_irq(&txlock);
- 	}
- 	return 0;
--- 
-2.43.0
-
diff --git a/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch b/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch
deleted file mode 100644
index 009af084b..000000000
--- a/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Oleksandr Tymoshenko <ovt@google.com>
-Date: Sat, 23 Mar 2024 06:33:33 +0000
-Subject: efi: fix panic in kdump kernel
-Origin: https://git.kernel.org/linus/62b71cd73d41ddac6b1760402bbe8c4932e23531
-
-Check if get_next_variable() is actually valid pointer before
-calling it. In kdump kernel this method is set to NULL that causes
-panic during the kexec-ed kernel boot.
-
-Tested with QEMU and OVMF firmware.
-
-Fixes: bad267f9e18f ("efi: verify that variable services are supported")
-Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
-Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
----
- drivers/firmware/efi/efi.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
-index 8859fb0b006d..fdf07dd6f459 100644
---- a/drivers/firmware/efi/efi.c
-+++ b/drivers/firmware/efi/efi.c
-@@ -203,6 +203,8 @@ static bool generic_ops_supported(void)
- 
- 	name_size = sizeof(name);
- 
-+	if (!efi.get_next_variable)
-+		return false;
- 	status = efi.get_next_variable(&name_size, &name, &guid);
- 	if (status == EFI_UNSUPPORTED)
- 		return false;
--- 
-2.43.0
-
diff --git a/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch b/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch
deleted file mode 100644
index 402582b17..000000000
--- a/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Ard Biesheuvel <ardb@kernel.org>
-Date: Tue, 26 Mar 2024 11:15:25 +0100
-Subject: efi/libstub: Cast away type warning in use of max()
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git/commit?id=07263d8a5a2cea66a3f10d930fea60ce49c7dc3b
-
-Add a missing (u64) cast to alloc_min, which is passed into
-efi_random_alloc() as unsigned long, while efi_physical_addr_t is u64.
-
-Fixes: 3cb4a4827596abc82e ("efi/libstub: fix efi_random_alloc() ...")
-Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
----
- drivers/firmware/efi/libstub/randomalloc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c
-index 7e1852859550..fa81528150fe 100644
---- a/drivers/firmware/efi/libstub/randomalloc.c
-+++ b/drivers/firmware/efi/libstub/randomalloc.c
-@@ -120,7 +120,7 @@ efi_status_t efi_random_alloc(unsigned long size,
- 			continue;
- 		}
- 
--		target = round_up(max(md->phys_addr, alloc_min), align) + target_slot * align;
-+		target = round_up(max(md->phys_addr, (u64)alloc_min), align) + target_slot * align;
- 		pages = size / EFI_PAGE_SIZE;
- 
- 		status = efi_bs_call(allocate_pages, EFI_ALLOCATE_ADDRESS,
--- 
-2.43.0
-
diff --git a/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch b/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch
deleted file mode 100644
index d5590f5db..000000000
--- a/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From: =?UTF-8?q?KONDO=20KAZUMA=28=E8=BF=91=E8=97=A4=E3=80=80=E5=92=8C?=
- =?UTF-8?q?=E7=9C=9F=29?= <kazuma-kondo@nec.com>
-Date: Fri, 22 Mar 2024 10:47:02 +0000
-Subject: efi/libstub: fix efi_random_alloc() to allocate memory at alloc_min
- or higher address
-Origin: https://git.kernel.org/linus/3cb4a4827596abc82e55b80364f509d0fefc3051
-
-Following warning is sometimes observed while booting my servers:
-  [    3.594838] DMA: preallocated 4096 KiB GFP_KERNEL pool for atomic allocations
-  [    3.602918] swapper/0: page allocation failure: order:10, mode:0xcc1(GFP_KERNEL|GFP_DMA), nodemask=(null),cpuset=/,mems_allowed=0-1
-  ...
-  [    3.851862] DMA: preallocated 1024 KiB GFP_KERNEL|GFP_DMA pool for atomic allocation
-
-If 'nokaslr' boot option is set, the warning always happens.
-
-On x86, ZONE_DMA is small zone at the first 16MB of physical address
-space. When this problem happens, most of that space seems to be used by
-decompressed kernel. Thereby, there is not enough space at DMA_ZONE to
-meet the request of DMA pool allocation.
-
-The commit 2f77465b05b1 ("x86/efistub: Avoid placing the kernel below
-LOAD_PHYSICAL_ADDR") tried to fix this problem by introducing lower
-bound of allocation.
-
-But the fix is not complete.
-
-efi_random_alloc() allocates pages by following steps.
-1. Count total available slots ('total_slots')
-2. Select a slot ('target_slot') to allocate randomly
-3. Calculate a starting address ('target') to be included target_slot
-4. Allocate pages, which starting address is 'target'
-
-In step 1, 'alloc_min' is used to offset the starting address of memory
-chunk. But in step 3 'alloc_min' is not considered at all.  As the
-result, 'target' can be miscalculated and become lower than 'alloc_min'.
-
-When KASLR is disabled, 'target_slot' is always 0 and the problem
-happens everytime if the EFI memory map of the system meets the
-condition.
-
-Fix this problem by calculating 'target' considering 'alloc_min'.
-
-Cc: linux-efi@vger.kernel.org
-Cc: Tom Englund <tomenglund26@gmail.com>
-Cc: linux-kernel@vger.kernel.org
-Fixes: 2f77465b05b1 ("x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR")
-Signed-off-by: Kazuma Kondo <kazuma-kondo@nec.com>
-Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
----
- drivers/firmware/efi/libstub/randomalloc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c
-index 4e96a855fdf4..7e1852859550 100644
---- a/drivers/firmware/efi/libstub/randomalloc.c
-+++ b/drivers/firmware/efi/libstub/randomalloc.c
-@@ -120,7 +120,7 @@ efi_status_t efi_random_alloc(unsigned long size,
- 			continue;
- 		}
- 
--		target = round_up(md->phys_addr, align) + target_slot * align;
-+		target = round_up(max(md->phys_addr, alloc_min), align) + target_slot * align;
- 		pages = size / EFI_PAGE_SIZE;
- 
- 		status = efi_bs_call(allocate_pages, EFI_ALLOCATE_ADDRESS,
--- 
-2.43.0
-
diff --git a/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch b/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch
new file mode 100644
index 000000000..c59abc9f8
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch
@@ -0,0 +1,155 @@
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Tue, 13 Feb 2024 09:33:06 -0500
+Subject: scsi: sd: usb_storage: uas: Access media prior to querying device
+ properties
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=46e587855c060a0fdcbb4349accb62b31e9ce70f
+
+[ Upstream commit 321da3dc1f3c92a12e3c5da934090d2992a8814c ]
+
+It has been observed that some USB/UAS devices return generic properties
+hardcoded in firmware for mode pages for a period of time after a device
+has been discovered. The reported properties are either garbage or they do
+not accurately reflect the characteristics of the physical storage device
+attached in the case of a bridge.
+
+Prior to commit 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to
+avoid calling revalidate twice") we would call revalidate several
+times during device discovery. As a result, incorrect values would
+eventually get replaced with ones accurately describing the attached
+storage. When we did away with the redundant revalidate pass, several
+cases were reported where devices reported nonsensical values or would
+end up in write-protected state.
+
+An initial attempt at addressing this issue involved introducing a
+delayed second revalidate invocation. However, this approach still
+left some devices reporting incorrect characteristics.
+
+Tasos Sahanidis debugged the problem further and identified that
+introducing a READ operation prior to MODE SENSE fixed the problem and that
+it wasn't a timing issue. Issuing a READ appears to cause the devices to
+update their state to reflect the actual properties of the storage
+media. Device properties like vendor, model, and storage capacity appear to
+be correctly reported from the get-go. It is unclear why these devices
+defer populating the remaining characteristics.
+
+Match the behavior of a well known commercial operating system and
+trigger a READ operation prior to querying device characteristics to
+force the device to populate the mode pages.
+
+The additional READ is triggered by a flag set in the USB storage and
+UAS drivers. We avoid issuing the READ for other transport classes
+since some storage devices identify Linux through our particular
+discovery command sequence.
+
+Link: https://lore.kernel.org/r/20240213143306.2194237-1-martin.petersen@oracle.com
+Fixes: 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to avoid calling revalidate twice")
+Cc: stable@vger.kernel.org
+Reported-by: Tasos Sahanidis <tasos@tasossah.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Tasos Sahanidis <tasos@tasossah.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c              | 26 +++++++++++++++++++++++++-
+ drivers/usb/storage/scsiglue.c |  7 +++++++
+ drivers/usb/storage/uas.c      |  7 +++++++
+ include/scsi/scsi_device.h     |  1 +
+ 4 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index ad619f7c7418..3ec9b324fdcf 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3286,6 +3286,24 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp,
+ 	return true;
+ }
+ 
++static void sd_read_block_zero(struct scsi_disk *sdkp)
++{
++	unsigned int buf_len = sdkp->device->sector_size;
++	char *buffer, cmd[10] = { };
++
++	buffer = kmalloc(buf_len, GFP_KERNEL);
++	if (!buffer)
++		return;
++
++	cmd[0] = READ_10;
++	put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */
++	put_unaligned_be16(1, &cmd[7]);	/* Transfer 1 logical block */
++
++	scsi_execute_req(sdkp->device, cmd, DMA_FROM_DEVICE, buffer, buf_len,
++			 NULL, SD_TIMEOUT, sdkp->max_retries, NULL);
++	kfree(buffer);
++}
++
+ /**
+  *	sd_revalidate_disk - called the first time a new disk is seen,
+  *	performs disk spin up, read_capacity, etc.
+@@ -3325,7 +3343,13 @@ static int sd_revalidate_disk(struct gendisk *disk)
+ 	 */
+ 	if (sdkp->media_present) {
+ 		sd_read_capacity(sdkp, buffer);
+-
++		/*
++		 * Some USB/UAS devices return generic values for mode pages
++		 * until the media has been accessed. Trigger a READ operation
++		 * to force the device to populate mode pages.
++		 */
++		if (sdp->read_before_ms)
++			sd_read_block_zero(sdkp);
+ 		/*
+ 		 * set the default to rotational.  All non-rotational devices
+ 		 * support the block characteristics VPD page, which will
+diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
+index c54e9805da53..12cf9940e5b6 100644
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -179,6 +179,13 @@ static int slave_configure(struct scsi_device *sdev)
+ 		 */
+ 		sdev->use_192_bytes_for_3f = 1;
+ 
++		/*
++		 * Some devices report generic values until the media has been
++		 * accessed. Force a READ(10) prior to querying device
++		 * characteristics.
++		 */
++		sdev->read_before_ms = 1;
++
+ 		/*
+ 		 * Some devices don't like MODE SENSE with page=0x3f,
+ 		 * which is the command used for checking if a device
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index ee5621bdb11e..af619efe8eab 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -876,6 +876,13 @@ static int uas_slave_configure(struct scsi_device *sdev)
+ 	if (devinfo->flags & US_FL_CAPACITY_HEURISTICS)
+ 		sdev->guess_capacity = 1;
+ 
++	/*
++	 * Some devices report generic values until the media has been
++	 * accessed. Force a READ(10) prior to querying device
++	 * characteristics.
++	 */
++	sdev->read_before_ms = 1;
++
+ 	/*
+ 	 * Some devices don't like MODE SENSE with page=0x3f,
+ 	 * which is the command used for checking if a device
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index d2751ed536df..1504d3137cc6 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -204,6 +204,7 @@ struct scsi_device {
+ 	unsigned use_10_for_rw:1; /* first try 10-byte read / write */
+ 	unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */
+ 	unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */
++	unsigned read_before_ms:1;	/* perform a READ before MODE SENSE */
+ 	unsigned no_report_opcodes:1;	/* no REPORT SUPPORTED OPERATION CODES */
+ 	unsigned no_write_same:1;	/* no WRITE SAME command */
+ 	unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */
+-- 
+2.43.0
+
diff --git a/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch b/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch
deleted file mode 100644
index ac7fb2e3e..000000000
--- a/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Chen Ni <nichen@iscas.ac.cn>
-Date: Tue, 5 Mar 2024 07:59:27 +0000
-Subject: sr9800: Add check for usbnet_get_endpoints
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=9c402819620a842cbfe39359a3ddfaac9adc8384
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-26651
-
-[ Upstream commit 07161b2416f740a2cb87faa5566873f401440a61 ]
-
-Add check for usbnet_get_endpoints() and return the error if it fails
-in order to transfer the error.
-
-Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
-Reviewed-by: Simon Horman <horms@kernel.org>
-Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support")
-Link: https://lore.kernel.org/r/20240305075927.261284-1-nichen@iscas.ac.cn
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/usb/sr9800.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
-index f5e19f3ef6cd..4de514482183 100644
---- a/drivers/net/usb/sr9800.c
-+++ b/drivers/net/usb/sr9800.c
-@@ -737,7 +737,9 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf)
- 
- 	data->eeprom_len = SR9800_EEPROM_LEN;
- 
--	usbnet_get_endpoints(dev, intf);
-+	ret = usbnet_get_endpoints(dev, intf);
-+	if (ret)
-+		goto out;
- 
- 	/* LED Setting Rule :
- 	 * AABB:CCDD
--- 
-2.43.0
-
diff --git a/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch b/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
new file mode 100644
index 000000000..bfb6301cf
--- /dev/null
+++ b/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
@@ -0,0 +1,35 @@
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Mon, 31 Jul 2023 15:59:42 -0300
+Subject: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
+Origin: https://git.kernel.org/linus/67c37756898a5a6b2941a13ae7260c89b54e0d88
+Bug-Debian: https://bugs.debian.org/1068770
+
+Any unprivileged user can attach N_GSM0710 ldisc, but it requires
+CAP_NET_ADMIN to create a GSM network anyway.
+
+Require initial namespace CAP_NET_ADMIN to do that.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Link: https://lore.kernel.org/r/20230731185942.279611-1-cascardo@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index 1cdefac4dd1b..c7a787f10a9c 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -3576,6 +3576,9 @@ static int gsmld_open(struct tty_struct *tty)
+ {
+ 	struct gsm_mux *gsm;
+ 
++	if (!capable(CAP_NET_ADMIN))
++		return -EPERM;
++
+ 	if (tty->ops->write == NULL)
+ 		return -EINVAL;
+ 
+-- 
+2.43.0
+
diff --git a/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch b/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch
deleted file mode 100644
index 2747ec5b6..000000000
--- a/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Xingyuan Mo <hdthky0@gmail.com>
-Date: Sun, 17 Dec 2023 13:29:01 +0200
-Subject: wifi: ath10k: fix NULL pointer dereference in
- ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=90f089d77e38db1c48629f111f3c8c336be1bc38
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-7042
-
-[ Upstream commit ad25ee36f00172f7d53242dc77c69fff7ced0755 ]
-
-We should check whether the WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT tlv is
-present before accessing it, otherwise a null pointer deference error will
-occur.
-
-Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event")
-Signed-off-by: Xingyuan Mo <hdthky0@gmail.com>
-Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
-Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
-Link: https://msgid.link/20231208043433.271449-1-hdthky0@gmail.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
-index 876410a47d1d..4d5009604eee 100644
---- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
-+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
-@@ -844,6 +844,10 @@ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev(struct ath10k *ar, struct sk_buff *skb,
- 	}
- 
- 	ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT];
-+	if (!ev) {
-+		kfree(tb);
-+		return -EPROTO;
-+	}
- 
- 	arg->desc_id = ev->desc_id;
- 	arg->status = ev->status;
--- 
-2.43.0
-
diff --git a/debian/patches/bugfix/x86/x86-efistub-Clear-decompressor-BSS-in-native-EFI-ent.patch b/debian/patches/bugfix/x86/x86-efistub-Clear-decompressor-BSS-in-native-EFI-ent.patch
deleted file mode 100644
index 63c4cafae..000000000
--- a/debian/patches/bugfix/x86/x86-efistub-Clear-decompressor-BSS-in-native-EFI-ent.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From: Ard Biesheuvel <ardb@kernel.org>
-Date: Fri, 15 Mar 2024 16:26:16 +0100
-Subject: x86/efistub: Clear decompressor BSS in native EFI entrypoint
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=9274ec2003042bf0ed847cb80ffcfab543a0a33a
-
-[ Upstream commit b3810c5a2cc4a6665f7a65bed5393c75ce3f3aa2 ]
-
-The EFI stub on x86 no longer invokes the decompressor as a subsequent
-boot stage, but calls into the decompression code directly while running
-in the context of the EFI boot services.
-
-This means that when using the native EFI entrypoint (as opposed to the
-EFI handover protocol, which clears BSS explicitly), the firmware PE
-image loader is being relied upon to ensure that BSS is zeroed before
-the EFI stub is entered from the firmware.
-
-As Radek's report proves, this is a bad idea. Not all loaders do this
-correctly, which means some global variables that should be statically
-initialized to 0x0 may have junk in them.
-
-So clear BSS explicitly when entering via efi_pe_entry(). Note that
-zeroing BSS from C code is not generally safe, but in this case, the
-following assignment and dereference of a global pointer variable
-ensures that the memset() cannot be deferred or reordered.
-
-Cc: <stable@kernel.org> # v6.1+
-Reported-by: Radek Podgorny <radek@podgorny.cz>
-Closes: https://lore.kernel.org/all/a99a831a-8ad5-4cb0-bff9-be637311f771@podgorny.cz
-Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/firmware/efi/libstub/x86-stub.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
-index 784e1b2ae5cc..aa07051459f5 100644
---- a/drivers/firmware/efi/libstub/x86-stub.c
-+++ b/drivers/firmware/efi/libstub/x86-stub.c
-@@ -21,6 +21,8 @@
- #include "efistub.h"
- #include "x86-stub.h"
- 
-+extern char _bss[], _ebss[];
-+
- const efi_system_table_t *efi_system_table;
- const efi_dxe_services_table_t *efi_dxe_table;
- static efi_loaded_image_t *image = NULL;
-@@ -432,6 +434,8 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
- 	efi_status_t status;
- 	char *cmdline_ptr;
- 
-+	memset(_bss, 0, _ebss - _bss);
-+
- 	efi_system_table = sys_table_arg;
- 
- 	/* Check if we were booted by the EFI firmware */
-@@ -950,8 +954,6 @@ void __noreturn efi_stub_entry(efi_handle_t handle,
- void efi_handover_entry(efi_handle_t handle, efi_system_table_t *sys_table_arg,
- 			struct boot_params *boot_params)
- {
--	extern char _bss[], _ebss[];
--
- 	memset(_bss, 0, _ebss - _bss);
- 	efi_stub_entry(handle, sys_table_arg, boot_params);
- }
--- 
-2.43.0
-
diff --git a/debian/patches/bugfix/x86/x86-efistub-Don-t-clear-BSS-twice-in-mixed-mode.patch b/debian/patches/bugfix/x86/x86-efistub-Don-t-clear-BSS-twice-in-mixed-mode.patch
deleted file mode 100644
index 2624812c5..000000000
--- a/debian/patches/bugfix/x86/x86-efistub-Don-t-clear-BSS-twice-in-mixed-mode.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Ard Biesheuvel <ardb@kernel.org>
-Date: Fri, 22 Mar 2024 17:01:45 +0100
-Subject: x86/efistub: Don't clear BSS twice in mixed mode
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=3a2a828d252f4280e15e61e0666644f1fadcf6c4
-
-[ Upstream commit df7ecce842b846a04d087ba85fdb79a90e26a1b0 ]
-
-Clearing BSS should only be done once, at the very beginning.
-efi_pe_entry() is the entrypoint from the firmware, which may not clear
-BSS and so it is done explicitly. However, efi_pe_entry() is also used
-as an entrypoint by the mixed mode startup code, in which case BSS will
-already have been cleared, and doing it again at this point will corrupt
-global variables holding the firmware's GDT/IDT and segment selectors.
-
-So make the memset() conditional on whether the EFI stub is running in
-native mode.
-
-Fixes: b3810c5a2cc4a666 ("x86/efistub: Clear decompressor BSS in native EFI entrypoint")
-Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/firmware/efi/libstub/x86-stub.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
-index aa07051459f5..dc50dda40239 100644
---- a/drivers/firmware/efi/libstub/x86-stub.c
-+++ b/drivers/firmware/efi/libstub/x86-stub.c
-@@ -434,7 +434,8 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
- 	efi_status_t status;
- 	char *cmdline_ptr;
- 
--	memset(_bss, 0, _ebss - _bss);
-+	if (efi_is_native())
-+		memset(_bss, 0, _ebss - _bss);
- 
- 	efi_system_table = sys_table_arg;
- 
--- 
-2.43.0
-
diff --git a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
index 9ec425871..68255cb01 100644
--- a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -24,20 +24,18 @@ Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
  security/lockdown/lockdown.c      |    2 +-
  5 files changed, 27 insertions(+), 3 deletions(-)
 
-Index: debian-kernel/arch/x86/kernel/setup.c
-===================================================================
---- debian-kernel.orig/arch/x86/kernel/setup.c
-+++ debian-kernel/arch/x86/kernel/setup.c
-@@ -979,6 +979,8 @@ void __init setup_arch(char **cmdline_p)
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1031,6 +1031,8 @@ void __init setup_arch(char **cmdline_p)
  	if (efi_enabled(EFI_BOOT))
  		efi_init();
  
 +	efi_set_secure_boot(boot_params.secure_boot);
 +
- 	dmi_setup();
+ 	x86_init.resources.dmi_setup();
  
  	/*
-@@ -1130,8 +1132,6 @@ void __init setup_arch(char **cmdline_p)
+@@ -1200,8 +1202,6 @@ void __init setup_arch(char **cmdline_p)
  	/* Allocate bigger log buffer */
  	setup_log_buf(1);
  
@@ -46,10 +44,8 @@ Index: debian-kernel/arch/x86/kernel/setup.c
  	reserve_initrd();
  
  	acpi_table_upgrade();
-Index: debian-kernel/drivers/firmware/efi/secureboot.c
-===================================================================
---- debian-kernel.orig/drivers/firmware/efi/secureboot.c
-+++ debian-kernel/drivers/firmware/efi/secureboot.c
+--- a/drivers/firmware/efi/secureboot.c
++++ b/drivers/firmware/efi/secureboot.c
 @@ -15,6 +15,7 @@
  #include <linux/efi.h>
  #include <linux/kernel.h>
@@ -69,11 +65,9 @@ Index: debian-kernel/drivers/firmware/efi/secureboot.c
  			pr_info("Secure boot enabled\n");
  			break;
  		default:
-Index: debian-kernel/include/linux/security.h
-===================================================================
---- debian-kernel.orig/include/linux/security.h
-+++ debian-kernel/include/linux/security.h
-@@ -451,6 +451,7 @@ int security_inode_notifysecctx(struct i
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -481,6 +481,7 @@ int security_inode_notifysecctx(struct i
  int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
  int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
  int security_locked_down(enum lockdown_reason what);
@@ -81,7 +75,7 @@ Index: debian-kernel/include/linux/security.h
  #else /* CONFIG_SECURITY */
  
  static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
-@@ -1291,6 +1292,11 @@ static inline int security_locked_down(e
+@@ -1381,6 +1382,11 @@ static inline int security_locked_down(e
  {
  	return 0;
  }
@@ -93,10 +87,8 @@ Index: debian-kernel/include/linux/security.h
  #endif	/* CONFIG_SECURITY */
  
  #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
-Index: debian-kernel/security/lockdown/Kconfig
-===================================================================
---- debian-kernel.orig/security/lockdown/Kconfig
-+++ debian-kernel/security/lockdown/Kconfig
+--- a/security/lockdown/Kconfig
++++ b/security/lockdown/Kconfig
 @@ -45,3 +45,18 @@ config LOCK_DOWN_KERNEL_FORCE_CONFIDENTI
  	 disabled.
  
@@ -116,10 +108,8 @@ Index: debian-kernel/security/lockdown/Kconfig
 +
 +	  Enabling this option results in kernel lockdown being
 +	  triggered in integrity mode if EFI Secure Boot is set.
-Index: debian-kernel/security/lockdown/lockdown.c
-===================================================================
---- debian-kernel.orig/security/lockdown/lockdown.c
-+++ debian-kernel/security/lockdown/lockdown.c
+--- a/security/lockdown/lockdown.c
++++ b/security/lockdown/lockdown.c
 @@ -23,7 +23,7 @@ static const enum lockdown_reason lockdo
  /*
   * Put the kernel into lock-down mode.
diff --git a/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
index 44dd25261..78f407896 100644
--- a/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
+++ b/debian/patches/features/x86/x86-make-x32-syscall-support-conditional.patch
@@ -29,7 +29,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -5768,6 +5768,10 @@
+@@ -6160,6 +6160,10 @@
  			later by a loaded module cannot be set this way.
  			Example: sysctl.vm.swappiness=40
  
@@ -42,7 +42,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  			on older distributions. When this option is enabled
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -2865,6 +2865,14 @@ config COMPAT_32
+@@ -2997,6 +2997,14 @@ config COMPAT_32
  	select HAVE_UID16
  	select OLD_SIGSUSPEND3
  
@@ -59,14 +59,14 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  	depends on IA32_EMULATION || X86_X32_ABI
 --- a/arch/x86/entry/common.c
 +++ b/arch/x86/entry/common.c
-@@ -62,7 +62,7 @@ static __always_inline bool do_syscall_x
+@@ -63,7 +63,7 @@ static __always_inline bool do_syscall_x
  	 */
  	unsigned int xnr = nr - __X32_SYSCALL_BIT;
  
 -	if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) {
 +	if (IS_ENABLED(CONFIG_X86_X32_ABI) && unlikely(x32_enabled) && likely(xnr < X32_NR_syscalls)) {
  		xnr = array_index_nospec(xnr, X32_NR_syscalls);
- 		regs->ax = x32_sys_call_table[xnr](regs);
+ 		regs->ax = x32_sys_call(regs, xnr);
  		return true;
 --- a/arch/x86/entry/syscall_x32.c
 +++ b/arch/x86/entry/syscall_x32.c
@@ -80,9 +80,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  #include <linux/syscalls.h>
  #include <asm/syscall.h>
  
-@@ -16,3 +19,46 @@
- asmlinkage const sys_call_ptr_t x32_sys_call_table[] = {
- #include <asm/syscalls_x32.h>
+@@ -20,3 +23,46 @@ long x32_sys_call(const struct pt_regs *
+ 	default: return __x64_sys_ni_syscall(regs);
+ 	}
  };
 +
 +/* Maybe enable x32 syscalls */
@@ -139,7 +139,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  
  typedef unsigned long elf_greg_t;
  
-@@ -161,7 +164,8 @@ do {						\
+@@ -150,7 +153,8 @@ do {						\
  
  #define compat_elf_check_arch(x)					\
  	(elf_check_arch_ia32(x) ||					\
@@ -159,9 +159,9 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  #include <asm/thread_info.h>	/* for TS_COMPAT */
  #include <asm/unistd.h>
  
-@@ -30,6 +31,18 @@ extern const sys_call_ptr_t ia32_sys_cal
- extern const sys_call_ptr_t x32_sys_call_table[];
- #endif
+@@ -28,6 +29,18 @@ extern long ia32_sys_call(const struct p
+ extern long x32_sys_call(const struct pt_regs *, unsigned int nr);
+ extern long x64_sys_call(const struct pt_regs *, unsigned int nr);
  
 +#if defined(CONFIG_X86_X32_ABI)
 +#if defined(CONFIG_X86_X32_DISABLED)
diff --git a/debian/patches/series b/debian/patches/series
index aa81c467d..8b86219be 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -71,8 +71,6 @@ bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
 bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
 bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
 bugfix/alpha/alpha-fix-missing-symbol-versions-for-str-n-cat-cpy.patch
-bugfix/x86/x86-efistub-Clear-decompressor-BSS-in-native-EFI-ent.patch
-bugfix/x86/x86-efistub-Don-t-clear-BSS-twice-in-mixed-mode.patch
 
 # Arch features
 features/arm64/dt-bindings-rockchip-Add-Hardkernel-ODROID-M1-board.patch
@@ -105,9 +103,9 @@ features/arm64/quartz64/arm64-dts-rockchip-Add-SOQuartz-Model-A-baseboard.patch
 # Miscellaneous bug fixes
 bugfix/all/disable-some-marvell-phys.patch
 bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
-bugfix/all/efi-fix-panic-in-kdump-kernel.patch
-bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch
-bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch
+bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch
+bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch
+bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch
 bugfix/all/media-cx18-avoid-strlen-call-that-triggers-ice-in-gc.patch
 
 # Miscellaneous features
@@ -126,10 +124,7 @@ features/all/db-mok-keyring/trust-machine-keyring-by-default.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
-bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
-bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch
-bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch
-bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch
+bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch