release 6.14.8

debian/patches/bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch

@@ -18,7 +18,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 
 --- a/fs/btrfs/super.c
 +++ b/fs/btrfs/super.c
-@@ -2626,7 +2626,7 @@ module_exit(exit_btrfs_fs)
+@@ -2630,7 +2630,7 @@ module_exit(exit_btrfs_fs)
  
  MODULE_DESCRIPTION("B-Tree File System (BTRFS)");
  MODULE_LICENSE("GPL");

debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch

@@ -22,7 +22,7 @@ implementation went from disk-io.c to super.c; forwarded the issue]
 
 --- a/fs/btrfs/super.c
 +++ b/fs/btrfs/super.c
-@@ -765,6 +765,18 @@ static void set_device_specific_options(
+@@ -769,6 +769,18 @@ static void set_device_specific_options(
  		btrfs_set_opt(fs_info->mount_opt, SSD);
  
  	/*

debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch

@@ -20,7 +20,7 @@ is non-empty.
 ---
 --- a/Makefile
 +++ b/Makefile
-@@ -1876,7 +1876,7 @@ PHONY += prepare
+@@ -1875,7 +1875,7 @@ PHONY += prepare
  # now expand this into a simple variable to reduce the cost of shell evaluations
  prepare: CC_VERSION_TEXT := $(CC_VERSION_TEXT)
  prepare:

debian/patches/patchset-pf/fixes/0003-tpm-Mask-TPM-RC-in-tpm2_start_auth_session.patch

@@ -1,99 +0,0 @@
-From 762de1df7e501e019c3ae273c7e5e2d4c04b303c Mon Sep 17 00:00:00 2001
-From: Jarkko Sakkinen <jarkko@kernel.org>
-Date: Mon, 7 Apr 2025 15:28:05 +0300
-Subject: tpm: Mask TPM RC in tpm2_start_auth_session()
-
-tpm2_start_auth_session() does not mask TPM RC correctly from the callers:
-
-[   28.766528] tpm tpm0: A TPM error (2307) occurred start auth session
-
-Process TPM RCs inside tpm2_start_auth_session(), and map them to POSIX
-error codes.
-
-Cc: stable@vger.kernel.org # v6.10+
-Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions")
-Reported-by: Herbert Xu <herbert@gondor.apana.org.au>
-Closes: https://lore.kernel.org/linux-integrity/Z_NgdRHuTKP6JK--@gondor.apana.org.au/
-Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
----
- drivers/char/tpm/tpm2-sessions.c | 20 ++++++--------------
- include/linux/tpm.h              | 21 +++++++++++++++++++++
- 2 files changed, 27 insertions(+), 14 deletions(-)
-
---- a/drivers/char/tpm/tpm2-sessions.c
-+++ b/drivers/char/tpm/tpm2-sessions.c
-@@ -40,11 +40,6 @@
-  *
-  * These are the usage functions:
-  *
-- * tpm2_start_auth_session() which allocates the opaque auth structure
-- *	and gets a session from the TPM.  This must be called before
-- *	any of the following functions.  The session is protected by a
-- *	session_key which is derived from a random salt value
-- *	encrypted to the NULL seed.
-  * tpm2_end_auth_session() kills the session and frees the resources.
-  *	Under normal operation this function is done by
-  *	tpm_buf_check_hmac_response(), so this is only to be used on
-@@ -963,16 +958,13 @@ err:
- }
- 
- /**
-- * tpm2_start_auth_session() - create a HMAC authentication session with the TPM
-- * @chip: the TPM chip structure to create the session with
-+ * tpm2_start_auth_session() - Create an a HMAC authentication session
-+ * @chip:	A TPM chip
-  *
-- * This function loads the NULL seed from its saved context and starts
-- * an authentication session on the null seed, fills in the
-- * @chip->auth structure to contain all the session details necessary
-- * for performing the HMAC, encrypt and decrypt operations and
-- * returns.  The NULL seed is flushed before this function returns.
-+ * Loads the ephemeral key (null seed), and starts an HMAC authenticated
-+ * session. The null seed is flushed before the return.
-  *
-- * Return: zero on success or actual error encountered.
-+ * Returns zero on success, or a POSIX error code.
-  */
- int tpm2_start_auth_session(struct tpm_chip *chip)
- {
-@@ -1024,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_c
- 	/* hash algorithm for session */
- 	tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- 
--	rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session");
-+	rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
- 	tpm2_flush_context(chip, null_key);
- 
- 	if (rc == TPM2_RC_SUCCESS)
---- a/include/linux/tpm.h
-+++ b/include/linux/tpm.h
-@@ -257,8 +257,29 @@ enum tpm2_return_codes {
- 	TPM2_RC_TESTING		= 0x090A, /* RC_WARN */
- 	TPM2_RC_REFERENCE_H0	= 0x0910,
- 	TPM2_RC_RETRY		= 0x0922,
-+	TPM2_RC_SESSION_MEMORY	= 0x0903,
- };
- 
-+/*
-+ * Convert a return value from tpm_transmit_cmd() to a POSIX return value. The
-+ * fallback return value is -EFAULT.
-+ */
-+static inline ssize_t tpm_to_ret(ssize_t ret)
-+{
-+	/* Already a POSIX error: */
-+	if (ret < 0)
-+		return ret;
-+
-+	switch (ret) {
-+	case TPM2_RC_SUCCESS:
-+		return 0;
-+	case TPM2_RC_SESSION_MEMORY:
-+		return -ENOMEM;
-+	default:
-+		return -EFAULT;
-+	}
-+}
-+
- enum tpm2_command_codes {
- 	TPM2_CC_FIRST		        = 0x011F,
- 	TPM2_CC_HIERARCHY_CONTROL       = 0x0121,

debian/patches/patchset-pf/fixes/0005-fixes-6.14-update-tpm2_start_auth_session-fix.patch

@@ -1,76 +0,0 @@
-From 74c95e079dc8b3c53ade90b2070458c0c69f3fdf Mon Sep 17 00:00:00 2001
-From: Oleksandr Natalenko <oleksandr@natalenko.name>
-Date: Tue, 8 Apr 2025 19:51:44 +0200
-Subject: fixes-6.14: update tpm2_start_auth_session() fix
-
-Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
----
- drivers/char/tpm/tpm2-sessions.c |  2 +-
- include/linux/tpm.h              | 38 +++++++++++++++-----------------
- 2 files changed, 19 insertions(+), 21 deletions(-)
-
---- a/drivers/char/tpm/tpm2-sessions.c
-+++ b/drivers/char/tpm/tpm2-sessions.c
-@@ -1016,7 +1016,7 @@ int tpm2_start_auth_session(struct tpm_c
- 	/* hash algorithm for session */
- 	tpm_buf_append_u16(&buf, TPM_ALG_SHA256);
- 
--	rc = tpm_to_ret(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
-+	rc = tpm_ret_to_err(tpm_transmit_cmd(chip, &buf, 0, "StartAuthSession"));
- 	tpm2_flush_context(chip, null_key);
- 
- 	if (rc == TPM2_RC_SUCCESS)
---- a/include/linux/tpm.h
-+++ b/include/linux/tpm.h
-@@ -260,26 +260,6 @@ enum tpm2_return_codes {
- 	TPM2_RC_SESSION_MEMORY	= 0x0903,
- };
- 
--/*
-- * Convert a return value from tpm_transmit_cmd() to a POSIX return value. The
-- * fallback return value is -EFAULT.
-- */
--static inline ssize_t tpm_to_ret(ssize_t ret)
--{
--	/* Already a POSIX error: */
--	if (ret < 0)
--		return ret;
--
--	switch (ret) {
--	case TPM2_RC_SUCCESS:
--		return 0;
--	case TPM2_RC_SESSION_MEMORY:
--		return -ENOMEM;
--	default:
--		return -EFAULT;
--	}
--}
--
- enum tpm2_command_codes {
- 	TPM2_CC_FIRST		        = 0x011F,
- 	TPM2_CC_HIERARCHY_CONTROL       = 0x0121,
-@@ -458,6 +438,24 @@ static inline u32 tpm2_rc_value(u32 rc)
- 	return (rc & BIT(7)) ? rc & 0xbf : rc;
- }
- 
-+/*
-+ * Convert a return value from tpm_transmit_cmd() to POSIX error code.
-+ */
-+static inline ssize_t tpm_ret_to_err(ssize_t ret)
-+{
-+	if (ret < 0)
-+		return ret;
-+
-+	switch (tpm2_rc_value(ret)) {
-+	case TPM2_RC_SUCCESS:
-+		return 0;
-+	case TPM2_RC_SESSION_MEMORY:
-+		return -ENOMEM;
-+	default:
-+		return -EFAULT;
-+	}
-+}
-+
- #if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE)
- 
- extern int tpm_is_tpm2(struct tpm_chip *chip);

debian/patches/patchset-pf/fixes/0010-loop-don-t-require-write_iter-for-writable-files-in-.patch

@@ -0,0 +1,34 @@
+From c3781ee15fb846bc6ad09a09baa2ced404e74e47 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 20 May 2025 15:54:20 +0200
+Subject: loop: don't require ->write_iter for writable files in loop_configure
+
+Block devices can be opened read-write even if they can't be written to
+for historic reasons.  Remove the check requiring file->f_op->write_iter
+when the block devices was opened in loop_configure. The call to
+loop_check_backing_file just below ensures the ->write_iter is present
+for backing files opened for writing, which is the only check that is
+actually needed.
+
+Fixes: f5c84eff634b ("loop: Add sanity check for read/write_iter")
+Reported-by: Christian Hesse <mail@eworm.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250520135420.1177312-1-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Cherry-picked-for: https://lore.kernel.org/r/20250519175640.2fcac001@leda.eworm.net
+---
+ drivers/block/loop.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -972,9 +972,6 @@ static int loop_configure(struct loop_de
+ 	if (!file)
+ 		return -EBADF;
+ 
+-	if ((mode & BLK_OPEN_WRITE) && !file->f_op->write_iter)
+-		return -EINVAL;
+-
+ 	error = loop_check_backing_file(file);
+ 	if (error)
+ 		return error;

debian/patches/patchset-pf/smb/0001-smb-client-fix-memory-leak-during-error-handling-for.patch

@@ -1,35 +0,0 @@
-From 8ef14a884df5aaf48cf5f7ce6c91e7318cb07d4e Mon Sep 17 00:00:00 2001
-From: Jethro Donaldson <devel@jro.nz>
-Date: Thu, 15 May 2025 01:23:23 +1200
-Subject: smb: client: fix memory leak during error handling for POSIX mkdir
-
-The response buffer for the CREATE request handled by smb311_posix_mkdir()
-is leaked on the error path (goto err_free_rsp_buf) because the structure
-pointer *rsp passed to free_rsp_buf() is not assigned until *after* the
-error condition is checked.
-
-As *rsp is initialised to NULL, free_rsp_buf() becomes a no-op and the leak
-is instead reported by __kmem_cache_shutdown() upon subsequent rmmod of
-cifs.ko if (and only if) the error path has been hit.
-
-Pass rsp_iov.iov_base to free_rsp_buf() instead, similar to the code in
-other functions in smb2pdu.c for which *rsp is assigned late.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Jethro Donaldson <devel@jro.nz>
-Signed-off-by: Steve French <stfrench@microsoft.com>
----
- fs/smb/client/smb2pdu.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/smb/client/smb2pdu.c
-+++ b/fs/smb/client/smb2pdu.c
-@@ -2967,7 +2967,7 @@ replay_again:
- 	/* Eventually save off posix specific response info and timestamps */
- 
- err_free_rsp_buf:
--	free_rsp_buf(resp_buftype, rsp);
-+	free_rsp_buf(resp_buftype, rsp_iov.iov_base);
- 	kfree(pc_buf);
- err_free_req:
- 	cifs_small_buf_release(req);

debian/patches/patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch

@@ -1,33 +0,0 @@
-From 6dada600ab3579296c9b2b57cf41b95792f021ed Mon Sep 17 00:00:00 2001
-From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
-Date: Sat, 13 Jan 2024 15:29:25 +0100
-Subject: arch/Kconfig: Default to maximum amount of ASLR bits
-
-To mitigate CVE-2024-26621 and improve randomization quality further. Do
-this with a patch to avoid having to enable `CONFIG_EXPERT`.
-
-Cherry-picked-for: https://zolutal.github.io/aslrnt/
----
- arch/Kconfig | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/arch/Kconfig
-+++ b/arch/Kconfig
-@@ -1137,7 +1137,7 @@ config ARCH_MMAP_RND_BITS
- 	int "Number of bits to use for ASLR of mmap base address" if EXPERT
- 	range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
- 	default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
--	default ARCH_MMAP_RND_BITS_MIN
-+	default ARCH_MMAP_RND_BITS_MAX
- 	depends on HAVE_ARCH_MMAP_RND_BITS
- 	help
- 	  This value can be used to select the number of bits to use to
-@@ -1171,7 +1171,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
- 	int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
- 	range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
- 	default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
--	default ARCH_MMAP_RND_COMPAT_BITS_MIN
-+	default ARCH_MMAP_RND_COMPAT_BITS_MAX
- 	depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
- 	help
- 	  This value can be used to select the number of bits to use to

debian/patches/patchset-zen/fixes/0002-Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch

@@ -0,0 +1,191 @@
+From 1d8e5829e40e6547e10a5f479e2a6fea0d412132 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 30 Apr 2025 15:07:03 -0400
+Subject: Bluetooth: hci_event: Fix not using key encryption size when its
+ known
+
+This fixes the regression introduced by 50c1241e6a8a ("Bluetooth: l2cap:
+Check encryption key size on incoming connection") introduced a check for
+l2cap_check_enc_key_size which checks for hcon->enc_key_size which may
+not be initialized if HCI_OP_READ_ENC_KEY_SIZE is still pending.
+
+If the key encryption size is known, due previously reading it using
+HCI_OP_READ_ENC_KEY_SIZE, then store it as part of link_key/smp_ltk
+structures so the next time the encryption is changed their values are
+used as conn->enc_key_size thus avoiding the racing against
+HCI_OP_READ_ENC_KEY_SIZE.
+
+Now that the enc_size is stored as part of key the information the code
+then attempts to check that there is no downgrade of security if
+HCI_OP_READ_ENC_KEY_SIZE returns a value smaller than what has been
+previously stored.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220061
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220063
+Fixes: 522e9ed157e3 ("Bluetooth: l2cap: Check encryption key size on incoming connection")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Cherry-picked-for: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/137
+---
+ include/net/bluetooth/hci_core.h |  1 +
+ net/bluetooth/hci_conn.c         | 24 +++++++++++
+ net/bluetooth/hci_event.c        | 73 ++++++++++++++++++--------------
+ 3 files changed, 67 insertions(+), 31 deletions(-)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1778,6 +1778,7 @@ struct hci_conn_params *hci_pend_le_acti
+ void hci_uuids_clear(struct hci_dev *hdev);
+ 
+ void hci_link_keys_clear(struct hci_dev *hdev);
++u8 *hci_conn_key_enc_size(struct hci_conn *conn);
+ struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr);
+ struct link_key *hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn,
+ 				  bdaddr_t *bdaddr, u8 *val, u8 type,
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -2897,3 +2897,27 @@ int hci_abort_conn(struct hci_conn *conn
+ 	 */
+ 	return hci_cmd_sync_run_once(hdev, abort_conn_sync, conn, NULL);
+ }
++
++u8 *hci_conn_key_enc_size(struct hci_conn *conn)
++{
++	if (conn->type == ACL_LINK) {
++		struct link_key *key;
++
++		key = hci_find_link_key(conn->hdev, &conn->dst);
++		if (!key)
++			return NULL;
++
++		return &key->pin_len;
++	} else if (conn->type == LE_LINK) {
++		struct smp_ltk *ltk;
++
++		ltk = hci_find_ltk(conn->hdev, &conn->dst, conn->dst_type,
++				   conn->role);
++		if (!ltk)
++			return NULL;
++
++		return &ltk->enc_size;
++	}
++
++	return NULL;
++}
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -739,10 +739,17 @@ static u8 hci_cc_read_enc_key_size(struc
+ 			   handle);
+ 		conn->enc_key_size = 0;
+ 	} else {
++		u8 *key_enc_size = hci_conn_key_enc_size(conn);
++
+ 		conn->enc_key_size = rp->key_size;
+ 		status = 0;
+ 
+-		if (conn->enc_key_size < hdev->min_enc_key_size) {
++		/* Attempt to check if the key size is too small or if it has
++		 * been downgraded from the last time it was stored as part of
++		 * the link_key.
++		 */
++		if (conn->enc_key_size < hdev->min_enc_key_size ||
++		    (key_enc_size && conn->enc_key_size < *key_enc_size)) {
+ 			/* As slave role, the conn->state has been set to
+ 			 * BT_CONNECTED and l2cap conn req might not be received
+ 			 * yet, at this moment the l2cap layer almost does
+@@ -755,6 +762,10 @@ static u8 hci_cc_read_enc_key_size(struc
+ 			clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
+ 			clear_bit(HCI_CONN_AES_CCM, &conn->flags);
+ 		}
++
++		/* Update the key encryption size with the connection one */
++		if (key_enc_size && *key_enc_size != conn->enc_key_size)
++			*key_enc_size = conn->enc_key_size;
+ 	}
+ 
+ 	hci_encrypt_cfm(conn, status);
+@@ -3062,6 +3073,34 @@ static void hci_inquiry_result_evt(struc
+ 	hci_dev_unlock(hdev);
+ }
+ 
++static int hci_read_enc_key_size(struct hci_dev *hdev, struct hci_conn *conn)
++{
++	struct hci_cp_read_enc_key_size cp;
++	u8 *key_enc_size = hci_conn_key_enc_size(conn);
++
++	if (!read_key_size_capable(hdev)) {
++		conn->enc_key_size = HCI_LINK_KEY_SIZE;
++		return -EOPNOTSUPP;
++	}
++
++	bt_dev_dbg(hdev, "hcon %p", conn);
++
++	memset(&cp, 0, sizeof(cp));
++	cp.handle = cpu_to_le16(conn->handle);
++
++	/* If the key enc_size is already known, use it as conn->enc_key_size,
++	 * otherwise use hdev->min_enc_key_size so the likes of
++	 * l2cap_check_enc_key_size don't fail while waiting for
++	 * HCI_OP_READ_ENC_KEY_SIZE response.
++	 */
++	if (key_enc_size && *key_enc_size)
++		conn->enc_key_size = *key_enc_size;
++	else
++		conn->enc_key_size = hdev->min_enc_key_size;
++
++	return hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE, sizeof(cp), &cp);
++}
++
+ static void hci_conn_complete_evt(struct hci_dev *hdev, void *data,
+ 				  struct sk_buff *skb)
+ {
+@@ -3154,23 +3193,11 @@ static void hci_conn_complete_evt(struct
+ 		if (ev->encr_mode == 1 && !test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
+ 		    ev->link_type == ACL_LINK) {
+ 			struct link_key *key;
+-			struct hci_cp_read_enc_key_size cp;
+ 
+ 			key = hci_find_link_key(hdev, &ev->bdaddr);
+ 			if (key) {
+ 				set_bit(HCI_CONN_ENCRYPT, &conn->flags);
+-
+-				if (!read_key_size_capable(hdev)) {
+-					conn->enc_key_size = HCI_LINK_KEY_SIZE;
+-				} else {
+-					cp.handle = cpu_to_le16(conn->handle);
+-					if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
+-							 sizeof(cp), &cp)) {
+-						bt_dev_err(hdev, "sending read key size failed");
+-						conn->enc_key_size = HCI_LINK_KEY_SIZE;
+-					}
+-				}
+-
++				hci_read_enc_key_size(hdev, conn);
+ 				hci_encrypt_cfm(conn, ev->status);
+ 			}
+ 		}
+@@ -3609,24 +3636,8 @@ static void hci_encrypt_change_evt(struc
+ 
+ 	/* Try reading the encryption key size for encrypted ACL links */
+ 	if (!ev->status && ev->encrypt && conn->type == ACL_LINK) {
+-		struct hci_cp_read_enc_key_size cp;
+-
+-		/* Only send HCI_Read_Encryption_Key_Size if the
+-		 * controller really supports it. If it doesn't, assume
+-		 * the default size (16).
+-		 */
+-		if (!read_key_size_capable(hdev)) {
+-			conn->enc_key_size = HCI_LINK_KEY_SIZE;
++		if (hci_read_enc_key_size(hdev, conn))
+ 			goto notify;
+-		}
+-
+-		cp.handle = cpu_to_le16(conn->handle);
+-		if (hci_send_cmd(hdev, HCI_OP_READ_ENC_KEY_SIZE,
+-				 sizeof(cp), &cp)) {
+-			bt_dev_err(hdev, "sending read key size failed");
+-			conn->enc_key_size = HCI_LINK_KEY_SIZE;
+-			goto notify;
+-		}
+ 
+ 		goto unlock;
+ 	}

debian/patches/series

@@ -172,8 +172,6 @@ patchset-pf/invlpgb/0013-x86-mm-Always-set-the-ASID-valid-bit-for-the-INVLPGB.pa
 patchset-pf/invlpgb/0014-x86-mm-Only-do-broadcast-flush-from-reclaim-if-pages.patch
 patchset-pf/invlpgb/0015-x86-mm-Eliminate-window-where-TLB-flushes-may-be-ina.patch
 
-patchset-pf/smb/0001-smb-client-fix-memory-leak-during-error-handling-for.patch
-
 patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch
 patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch
 
@@ -263,15 +261,15 @@ patchset-zen/sauce/0023-ZEN-INTERACTIVE-Document-PDS-BMQ-configuration.patch
 
 patchset-pf/fixes/0001-Kunit-to-check-the-longest-symbol-length.patch
 patchset-pf/fixes/0002-x86-tools-Drop-duplicate-unlikely-definition-in-insn.patch
-patchset-pf/fixes/0003-tpm-Mask-TPM-RC-in-tpm2_start_auth_session.patch
-patchset-pf/fixes/0004-ice-mark-ice_write_prof_mask_reg-as-noinline.patch
-patchset-pf/fixes/0005-fixes-6.14-update-tpm2_start_auth_session-fix.patch
-patchset-pf/fixes/0006-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch
-patchset-pf/fixes/0007-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch
-patchset-pf/fixes/0008-gcc-15-make-unterminated-string-initialization-just-.patch
-patchset-pf/fixes/0009-gcc-15-disable-Wunterminated-string-initialization-e.patch
-patchset-pf/fixes/0010-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch
-patchset-pf/fixes/0011-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch
+patchset-pf/fixes/0003-ice-mark-ice_write_prof_mask_reg-as-noinline.patch
+patchset-pf/fixes/0004-wifi-ath12k-Abort-scan-before-removing-link-interfac.patch
+patchset-pf/fixes/0005-Kconfig-switch-CONFIG_SYSFS_SYCALL-default-to-n.patch
+patchset-pf/fixes/0006-gcc-15-make-unterminated-string-initialization-just-.patch
+patchset-pf/fixes/0007-gcc-15-disable-Wunterminated-string-initialization-e.patch
+patchset-pf/fixes/0008-wifi-mac80211-mark-copy_mesh_setup-as-noinline.patch
+patchset-pf/fixes/0009-mei-vsc-Use-struct-vsc_tp_packet-as-vsc-tp-tx_buf-an.patch
+patchset-pf/fixes/0010-loop-don-t-require-write_iter-for-writable-files-in-.patch
+
+patchset-zen/fixes/0001-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch
+patchset-zen/fixes/0002-Bluetooth-hci_event-Fix-not-using-key-encryption-siz.patch
 
-patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch
-patchset-zen/fixes/0002-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch