diff --git a/build.env b/build.env
index a7446f7..b38f1cb 100644
--- a/build.env
+++ b/build.env
@@ -6,6 +6,15 @@ TAG=dev
 # NXP's Linux Factory
 LINUX_FACTORY=6.18.2-1.0.0
 NXP_VERSION=lf-$(LINUX_FACTORY)
+NXP_KERNEL_VERSION=6.18.30-1.0.0-dev
+
+# This kernel applies upstream fixes
+# If you want the original, use:
+#    https://github.com/nxp-qoriq/linux/archive/refs/tags/lf-${NXP_KERNEL_VERSION}.tar.gz
+# and change NXP_KERNEL_VERSION to match LINUX_FACTORY
+# However you may have to fix the failed patches in patches/ask/upstream/kernel/
+NXP_KERNEL_URL=https://github.com/tgckpg/linux-layerscape-stable/archive/refs/tags/lf-${NXP_KERNEL_VERSION}.tar.gz
+
 FMLIB_VERSION=lf-$(LINUX_FACTORY)
 FMC_VERSION=lf-$(LINUX_FACTORY)
 DPDK_VERSION=lf-$(LINUX_FACTORY)
diff --git a/docker/ask.Dockerfile b/docker/ask.Dockerfile
index 9bc18cf..99309e4 100644
--- a/docker/ask.Dockerfile
+++ b/docker/ask.Dockerfile
@@ -13,7 +13,7 @@ RUN git config --global user.email "monok8s@localhost" && \
 WORKDIR /src
 
 ARG AARCH64_MUSL_CC_TAR
-ARG NXP_TAR
+ARG NXP_KERNEL_TAR
 ARG MONO_ASK_TAR
 ARG LIBNFNETLINK_TAR
 ARG LIBMNL_TAR
@@ -33,7 +33,7 @@ ARG LIBNFCT_VERSION
 COPY "${AARCH64_MUSL_CC_TAR}"  ./aarch64_musl_cc.tar.gz
 
 # Linux kernel
-COPY "${NXP_TAR}"		  ./kernel.tar.gz
+COPY "${NXP_KERNEL_TAR}"		  ./kernel.tar.gz
 
 # Copy the ASK deps
 COPY "${MONO_ASK_TAR}"	 ./mono-ask.tar.gz
diff --git a/docker/download-packages.Dockerfile b/docker/download-packages.Dockerfile
index 964e10b..6f20afc 100644
--- a/docker/download-packages.Dockerfile
+++ b/docker/download-packages.Dockerfile
@@ -204,13 +204,14 @@ RUN fetch-artifact \
 
 # ---- nxp linux ----
 FROM base AS nxp_linux
-ARG NXP_VERSION
-ARG NXP_TAR
+ARG NXP_KERNEL_VERSION
+ARG NXP_KERNEL_TAR
+ARG NXP_KERNEL_URL
 WORKDIR /out/nxp/kernel
 RUN fetch-artifact \
-        "${NXP_TAR}" \
-        "${NXP_VERSION}.tar.gz" \
-        "https://github.com/nxp-qoriq/linux/archive/refs/tags/${NXP_VERSION}.tar.gz"
+		"${NXP_KERNEL_TAR}" \
+		"${NXP_KERNEL_VERSION}.tar.gz" \
+		"${NXP_KERNEL_URL}"
 
 # ---- crio ----
 FROM base AS crio
diff --git a/makefile b/makefile
index 32500a6..9f9a860 100644
--- a/makefile
+++ b/makefile
@@ -7,13 +7,13 @@ TAG ?= dev
 PACKAGES_DIR := packages
 OUT_DIR      := out
 
-E2FSPROGS_TAR := $(PACKAGES_DIR)/e2fsprogs-v$(E2FSPROGS_VERSION).tar.gz
-BUSYBOX_TAR   := $(PACKAGES_DIR)/busybox-$(BUSYBOX_VERSION).tar.gz
-ALPINE_TAR    := $(PACKAGES_DIR)/alpine-minirootfs-$(ALPINE_VER)-$(ALPINE_ARCH).tar.gz
-NXP_TAR       := $(PACKAGES_DIR)/nxp/kernel/$(NXP_VERSION).tar.gz
-VPP_TAR       := $(PACKAGES_DIR)/nxp/vpp/$(VPP_VERSION).tar.gz
-DPDK_TAR      := $(PACKAGES_DIR)/nxp/dpdk/$(DPDK_VERSION).tar.gz
-CRIO_TAR      := $(PACKAGES_DIR)/$(CRIO_VERSION).tar.gz
+E2FSPROGS_TAR  := $(PACKAGES_DIR)/e2fsprogs-v$(E2FSPROGS_VERSION).tar.gz
+BUSYBOX_TAR    := $(PACKAGES_DIR)/busybox-$(BUSYBOX_VERSION).tar.gz
+ALPINE_TAR     := $(PACKAGES_DIR)/alpine-minirootfs-$(ALPINE_VER)-$(ALPINE_ARCH).tar.gz
+NXP_KERNEL_TAR := $(PACKAGES_DIR)/nxp/kernel/$(NXP_KERNEL_VERSION).tar.gz
+VPP_TAR        := $(PACKAGES_DIR)/nxp/vpp/$(VPP_VERSION).tar.gz
+DPDK_TAR       := $(PACKAGES_DIR)/nxp/dpdk/$(DPDK_VERSION).tar.gz
+CRIO_TAR       := $(PACKAGES_DIR)/$(CRIO_VERSION).tar.gz
 
 AARCH64_MUSL_CC_TAR := $(PACKAGES_DIR)/aarch64-linux-musl-cross.tgz
 
@@ -166,7 +166,9 @@ $(DOWNLOAD_PACKAGES_STAMP): docker/download-packages.Dockerfile build.env makefi
 		--build-arg LIBPCAP_TAR=$(LIBPCAP_TAR) \
 		--build-arg TCLAP_TAR=$(TCLAP_TAR) \
 		--build-arg ALPINE_TAR=$(ALPINE_TAR) \
-		--build-arg NXP_TAR=$(NXP_TAR) \
+		--build-arg NXP_KERNEL_VERSION=$(NXP_KERNEL_VERSION) \
+		--build-arg NXP_KERNEL_TAR=$(NXP_KERNEL_TAR) \
+		--build-arg NXP_KERNEL_URL=$(NXP_KERNEL_URL) \
 		--build-arg CRIO_TAR=$(CRIO_TAR) \
 		--output type=local,dest=./$(PACKAGES_DIR) .
 	@touch $@
@@ -233,7 +235,7 @@ ASK: $(ASK_TAR) $(LIBNFCT_TAR) $(LIBNFNETLINK_TAR) $(TCLAP_TAR) $(LIBXML2_TAR) |
 		--build-arg BUILD_BASE_TAG=$$build_base_tag \
 		--build-arg MONO_ASK_TAR=$(MONO_ASK_TAR) \
 		--build-arg AARCH64_MUSL_CC_TAR=$(AARCH64_MUSL_CC_TAR) \
-		--build-arg NXP_TAR=$(NXP_TAR) \
+		--build-arg NXP_KERNEL_TAR=$(NXP_KERNEL_TAR) \
 		--build-arg FMLIB_TAR=$(FMLIB_TAR) \
 		--build-arg FMC_TAR=$(FMC_TAR) \
 		--build-arg LIBNFNETLINK_TAR=$(LIBNFNETLINK_TAR) \
@@ -260,7 +262,7 @@ push-cmm-image: cmm-image
 	docker tag -t localhost/monok8s/cmm:$(TAG) $(IMAGE_REPOSITORY)/cmm:$(KUBE_VERSION)-$(TAG) .
 	docker push $(IMAGE_REPOSITORY)/cmm:$(KUBE_VERSION)-$(TAG)
 
-vpp: $(BUILD_BASE_STAMP) $(VPP_TAR) $(DPDK_TAR) $(FMLIB_TAR) $(FMC_TAR) $(NXP_TAR)
+vpp: $(BUILD_BASE_STAMP) $(VPP_TAR) $(DPDK_TAR) $(FMLIB_TAR) $(FMC_TAR) $(NXP_KERNEL_TAR)
 	@build_base_tag=$$(docker image inspect \
 		--format '{{.Id}}' \
 		$(DOCKER_IMAGE_ROOT)/build-base:$(TAG) \
diff --git a/patches/ask/upstream/kernel/0099-net__bridge__br_input.c.patch b/patches/ask/upstream/kernel/0099-net__bridge__br_input.c.patch
new file mode 100644
index 0000000..2ae5ae9
--- /dev/null
+++ b/patches/ask/upstream/kernel/0099-net__bridge__br_input.c.patch
@@ -0,0 +1,36 @@
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -65,6 +65,10 @@ static int br_pass_frame_up(struct sk_buff *skb, bool promisc)
+ 	br_multicast_count(br, NULL, skb, br_multicast_igmp_type(skb),
+ 			   BR_MCAST_DIR_TX);
+ 
++#if defined(CONFIG_CPE_FAST_PATH)
++	skb->underlying_iif = indev->ifindex;
++#endif
++
+ 	BR_INPUT_SKB_CB(skb)->promisc = promisc;
+ 
+ 	return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
+@@ -166,6 +170,10 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ 	BR_INPUT_SKB_CB(skb)->brdev = br->dev;
+ 	BR_INPUT_SKB_CB(skb)->src_port_isolated = !!(p->flags & BR_ISOLATED);
+ 
++#if defined(CONFIG_CPE_FAST_PATH)
++	skb->abm_ff = 0;
++#endif
++
+ 	if (IS_ENABLED(CONFIG_INET) &&
+ 	    (skb->protocol == htons(ETH_P_ARP) ||
+ 	     skb->protocol == htons(ETH_P_RARP))) {
+@@ -223,6 +231,10 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ 
+ 		if (now != READ_ONCE(dst->used))
+ 			WRITE_ONCE(dst->used, now);
++#if defined(CONFIG_CPE_FAST_PATH)
++		/* Used by ABM module */
++		skb->abm_ff = 1;
++#endif
+ 		br_forward(dst->dst, skb, local_rcv, false);
+ 	} else {
+ 		if (!mcast_hit)
diff --git a/patches/ask/upstream/kernel/0136-net__xfrm__xfrm_policy.c.patch b/patches/ask/upstream/kernel/0136-net__xfrm__xfrm_policy.c.patch
index 30460f8..a163f22 100644
--- a/patches/ask/upstream/kernel/0136-net__xfrm__xfrm_policy.c.patch
+++ b/patches/ask/upstream/kernel/0136-net__xfrm__xfrm_policy.c.patch
@@ -1,5 +1,5 @@
 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index 62486f8..3cbe4f8 100644
+index 29c94ee..f9c222f 100644
 --- a/net/xfrm/xfrm_policy.c
 +++ b/net/xfrm/xfrm_policy.c
 @@ -48,6 +48,11 @@
@@ -86,7 +86,7 @@ index 62486f8..3cbe4f8 100644
  ok:
  	xfrm_pols_put(pols, drop_pols);
  	if (dst->xfrm &&
-@@ -3853,6 +3909,34 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+@@ -3859,6 +3915,34 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
  			goto reject;
  		}
  
@@ -118,10 +118,10 @@ index 62486f8..3cbe4f8 100644
 +#endif
 +#endif
 +
+ out:
  		xfrm_pols_put(pols, npols);
  		sp->verified_cnt = k;
- 
-@@ -4328,6 +4412,14 @@ static int __net_init xfrm_net_init(struct net *net)
+@@ -4339,6 +4423,14 @@ static int __net_init xfrm_net_init(struct net *net)
  	if (rv < 0)
  		goto out_sysctl;
  
@@ -136,7 +136,7 @@ index 62486f8..3cbe4f8 100644
  	rv = xfrm_nat_keepalive_net_init(net);
  	if (rv < 0)
  		goto out_nat_keepalive;
-@@ -4335,6 +4427,12 @@ static int __net_init xfrm_net_init(struct net *net)
+@@ -4346,6 +4438,12 @@ static int __net_init xfrm_net_init(struct net *net)
  	return 0;
  
  out_nat_keepalive:
@@ -149,7 +149,7 @@ index 62486f8..3cbe4f8 100644
  	xfrm_sysctl_fini(net);
  out_sysctl:
  	xfrm_policy_fini(net);
-@@ -4349,6 +4447,11 @@ out_statistics:
+@@ -4360,6 +4458,11 @@ out_statistics:
  static void __net_exit xfrm_net_exit(struct net *net)
  {
  	xfrm_nat_keepalive_net_fini(net);
diff --git a/patches/ask/upstream/kernel/0137-net__xfrm__xfrm_state.c.patch b/patches/ask/upstream/kernel/0137-net__xfrm__xfrm_state.c.patch
index 36db635..94ff4a1 100644
--- a/patches/ask/upstream/kernel/0137-net__xfrm__xfrm_state.c.patch
+++ b/patches/ask/upstream/kernel/0137-net__xfrm__xfrm_state.c.patch
@@ -126,13 +126,13 @@ index 9e14e45..d685ed7 100644
  		x->pcpu_num = UINT_MAX;
  		spin_lock_init(&x->lock);
  		x->mode_data = NULL;
-@@ -829,6 +878,12 @@ int __xfrm_state_delete(struct xfrm_state *x)
+@@ -850,6 +899,12 @@ int __xfrm_state_delete(struct xfrm_state *x)
  
- 		if (x->id.spi)
- 			hlist_del_rcu(&x->byspi);
+ 		if (!hlist_unhashed(&x->byspi))
+ 			hlist_del_init_rcu(&x->byspi);
 +#if defined(CONFIG_INET_IPSEC_OFFLOAD) || defined(CONFIG_INET6_IPSEC_OFFLOAD)
 +		if (x->handle && x->in_byh_hash) {
-+			hlist_del_rcu(&x->byh);
++			hlist_del_init_rcu(&x->byh);
 +			x->in_byh_hash = 0;
 +		}
 +#endif