diff --git a/debian/changelog b/debian/changelog
index 5461a62c3..ddee1f75b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,40 @@
-linux (4.9.10-2) UNRELEASED; urgency=medium
+linux (4.9.11-1) UNRELEASED; urgency=medium
 
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.11
+    - can: Fix kernel panic at security_sock_rcv_skb
+    - net/mlx5e: Fix update of hash function/key via ethtool
+    - net/sched: matchall: Fix configuration race
+    - ipv6: fix ip6_tnl_parse_tlv_enc_lim()
+    - ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
+    - tcp: fix 0 divide in __tcp_select_window()
+    - stmmac: Discard masked flags in interrupt status register
+    - net: use a work queue to defer net_disable_timestamp() work
+    - netlabel: out of bound access in cipso_v4_validate()
+    - ip6_gre: fix ip6gre_err() invalid reads
+    - ipv6: tcp: add a missing tcp_v6_restore_cb()
+    - tcp: avoid infinite loop in tcp_splice_read()
+    - tun: read vnet_hdr_sz once
+    - macvtap: read vnet_hdr_size once
+    - rtl8150: Use heap buffers for all register access
+    - catc: Combine failure cleanup code in catc_probe()
+    - catc: Use heap buffer for memory size test
+    - mlx4: Invoke softirqs after napi_reschedule
+    - lwtunnel: valid encap attr check should return 0 when lwtunnel is disabled
+    - sit: fix a double free on error path
+    - net: introduce device min_header_len
+    - packet: round up linear to header len
+    - ping: fix a null pointer dereference
+    - net: dsa: Do not destroy invalid network devices
+    - l2tp: do not use udp_ioctl()
+    - mld: do not remove mld souce list info when set link down
+    - igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
+    - tcp: fix mark propagation with fwmark_reflect enabled
+    - net/mlx5: Don't unlock fte while still using it
+    - tcp: don't annotate mark on control socket from tcp_v6_send_response()
+    - [x86] fpu/xstate: Fix xcomp_bv in XSAVES header
+
+  [ Ben Hutchings ]
   * [armel] dts: kirkwood: Fix SATA pinmux-ing for TS419 (Closes: #855017)
   * [armhf] Enable DRM_OMAP_PANEL_TPO_TD028TTEC1, PWM_OMAP_DMTIMER as modules
     (Closes: #855472)
diff --git a/debian/patches/bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch b/debian/patches/bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
deleted file mode 100644
index cb1c8ad2b..000000000
--- a/debian/patches/bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Eric Dumazet <edumazet@google.com>
-Date: Sat, 4 Feb 2017 11:16:52 -0800
-Subject: ipv4: keep skb->dst around in presence of IP options
-Origin: https://git.kernel.org/linus/34b2cef20f19c87999fff3da4071e66937db9644
-
-Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
-is accessed.
-
-ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
-are present.
-
-We could refine the test to the presence of ts_needtime or srr,
-but IP options are not often used, so let's be conservative.
-
-Thanks to syzkaller team for finding this bug.
-
-Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/ip_sockglue.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index 53ae0c6..9000117 100644
---- a/net/ipv4/ip_sockglue.c
-+++ b/net/ipv4/ip_sockglue.c
-@@ -1238,7 +1238,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb)
- 		pktinfo->ipi_ifindex = 0;
- 		pktinfo->ipi_spec_dst.s_addr = 0;
- 	}
--	skb_dst_drop(skb);
-+	/* We need to keep the dst for __ip_options_echo()
-+	 * We could restrict the test to opt.ts_needtime || opt.srr,
-+	 * but the following is good enough as IP options are not often used.
-+	 */
-+	if (unlikely(IPCB(skb)->opt.optlen))
-+		skb_dst_force(skb);
-+	else
-+		skb_dst_drop(skb);
- }
- 
- int ip_setsockopt(struct sock *sk, int level,
--- 
-2.1.4
-
diff --git a/debian/patches/bugfix/all/pegasus-use-heap-buffers-for-all-register-access.patch b/debian/patches/bugfix/all/pegasus-use-heap-buffers-for-all-register-access.patch
deleted file mode 100644
index c09f50cd0..000000000
--- a/debian/patches/bugfix/all/pegasus-use-heap-buffers-for-all-register-access.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Fri, 27 Jan 2017 02:44:26 +0000
-Subject: pegasus: Use heap buffers for all register access
-Forwarded: https://patchwork.ozlabs.org/patch/724109/
-Bug-Debian: https://bugs.debian.org/852556
-
-Allocating USB buffers on the stack is not portable, and no longer
-works on x86_64 (with VMAP_STACK enabled as per default).
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-References: https://bugs.debian.org/852556
-Reported-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
-Tested-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/net/usb/pegasus.c | 29 +++++++++++++++++++++++++----
- 1 file changed, 25 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
-index 24e803fe9a53..36674484c6fb 100644
---- a/drivers/net/usb/pegasus.c
-+++ b/drivers/net/usb/pegasus.c
-@@ -126,40 +126,61 @@ static void async_ctrl_callback(struct urb *urb)
- 
- static int get_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
- {
-+	u8 *buf;
- 	int ret;
- 
-+	buf = kmalloc(size, GFP_NOIO);
-+	if (!buf)
-+		return -ENOMEM;
-+
- 	ret = usb_control_msg(pegasus->usb, usb_rcvctrlpipe(pegasus->usb, 0),
- 			      PEGASUS_REQ_GET_REGS, PEGASUS_REQT_READ, 0,
--			      indx, data, size, 1000);
-+			      indx, buf, size, 1000);
- 	if (ret < 0)
- 		netif_dbg(pegasus, drv, pegasus->net,
- 			  "%s returned %d\n", __func__, ret);
-+	else if (ret <= size)
-+		memcpy(data, buf, ret);
-+	kfree(buf);
- 	return ret;
- }
- 
--static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size, void *data)
-+static int set_registers(pegasus_t *pegasus, __u16 indx, __u16 size,
-+			 const void *data)
- {
-+	u8 *buf;
- 	int ret;
- 
-+	buf = kmemdup(data, size, GFP_NOIO);
-+	if (!buf)
-+		return -ENOMEM;
-+
- 	ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
- 			      PEGASUS_REQ_SET_REGS, PEGASUS_REQT_WRITE, 0,
--			      indx, data, size, 100);
-+			      indx, buf, size, 100);
- 	if (ret < 0)
- 		netif_dbg(pegasus, drv, pegasus->net,
- 			  "%s returned %d\n", __func__, ret);
-+	kfree(buf);
- 	return ret;
- }
- 
- static int set_register(pegasus_t *pegasus, __u16 indx, __u8 data)
- {
-+	u8 *buf;
- 	int ret;
- 
-+	buf = kmemdup(&data, 1, GFP_NOIO);
-+	if (!buf)
-+		return -ENOMEM;
-+
- 	ret = usb_control_msg(pegasus->usb, usb_sndctrlpipe(pegasus->usb, 0),
- 			      PEGASUS_REQ_SET_REG, PEGASUS_REQT_WRITE, data,
--			      indx, &data, 1, 1000);
-+			      indx, buf, 1, 1000);
- 	if (ret < 0)
- 		netif_dbg(pegasus, drv, pegasus->net,
- 			  "%s returned %d\n", __func__, ret);
-+	kfree(buf);
- 	return ret;
- }
- 
diff --git a/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch b/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
deleted file mode 100644
index 0fcbbcfd1..000000000
--- a/debian/patches/bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
-Date: Mon, 6 Feb 2017 18:10:31 -0200
-Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf
-Origin: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90
-
-Alexander Popov reported that an application may trigger a BUG_ON in
-sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
-waiting on it to queue more data and meanwhile another thread peels off
-the association being used by the first thread.
-
-This patch replaces the BUG_ON call with a proper error handling. It
-will return -EPIPE to the original sendmsg call, similarly to what would
-have been done if the association wasn't found in the first place.
-
-Acked-by: Alexander Popov <alex.popov@linux.com>
-Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
-Reviewed-by: Xin Long <lucien.xin@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/sctp/socket.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 37eeab7..e214d2e 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -7426,7 +7426,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
- 		 */
- 		release_sock(sk);
- 		current_timeo = schedule_timeout(current_timeo);
--		BUG_ON(sk != asoc->base.sk);
-+		if (sk != asoc->base.sk)
-+			goto do_error;
- 		lock_sock(sk);
- 
- 		*timeo_p = current_timeo;
--- 
-2.1.4
-
diff --git a/debian/patches/series b/debian/patches/series
index d5e6c2da9..6f3c454a1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -77,7 +77,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/nbd-use-loff_t-for-blocksize-and-nbd_set_size-args.patch
 bugfix/all/ath9k-fix-null-pointer-dereference.patch
 bugfix/all/nbd-fix-64-bit-division.patch
-bugfix/all/pegasus-use-heap-buffers-for-all-register-access.patch
 bugfix/all/net-ipv6-check-route-protocol-when-deleting-routes.patch
 bugfix/all/media-dvb-usb-dibusb-mc-common-add-module_license.patch
 
@@ -109,8 +108,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
-bugfix/all/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch