diff --git a/0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch b/0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch
new file mode 100644
index 0000000..7a3bdb1
--- /dev/null
+++ b/0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch
@@ -0,0 +1,53 @@
+From b34a2b24c107a63183726333388e7946a36f2ea1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 17 Feb 2023 17:52:16 +0100
+Subject: [PATCH] netlink_delinearize: fix decoding of concat data element
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2094894
+Upstream Status: nftables commit db59a5c1204c9
+
+commit db59a5c1204c9246a82a115a8761f15809578479
+Author: Florian Westphal
+Date: Mon Dec 12 11:04:34 2022 +0100
+
+ netlink_delinearize: fix decoding of concat data element
+
+ Its possible to use update as follows:
+
+ meta l4proto tcp update @pinned { ip saddr . ct original proto-src : ip daddr . ct original proto-dst }
+
+ ... but when listing, only the first element of the concatenation is
+ shown.
+
+ Check if the element size is too small and parse subsequent registers as
+ well.
+
+ Signed-off-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ src/netlink_delinearize.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index 1d47c74..e9e0845 100644
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -1659,6 +1659,14 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_SREG_DATA)) {
+ sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA);
+ expr_data = netlink_get_register(ctx, loc, sreg_data);
++
++ if (expr_data->len < set->data->len) {
++ expr_free(expr_data);
++ expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len);
++ if (expr_data == NULL)
++ netlink_error(ctx, loc,
++ "Could not parse dynset map data expressions");
++ }
+ }
+
+ if (expr_data != NULL) {
+--
+2.39.2
+
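Review bot: The new `expr_data->len` test dereferences `expr_data` before the existing `if (expr_data != NULL)` guard a few lines below, so a NULL return from netlink_get_register() that the old code tolerated (the guard already anticipates it) now crashes the listing path instead of being reported and skipped. `set->data` is dereferenced unconditionally as well; whether it can be NULL when the kernel reports a dynset with SREG_DATA is not visible in this hunk and should be confirmed before relying on it. Guarding the condition, `if (expr_data && set->data && expr_data->len < set->data->len) {`, keeps the concat re-parse for the map case and leaves the error path unchanged, since netlink_error() followed by a NULL `expr_data` is already handled by the later check. netlink_parse_dynset continues on both sides of the hunk.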
diff --git a/0023-netlink_linearize-fix-timeout-with-map-updates.patch b/0023-netlink_linearize-fix-timeout-with-map-updates.patch
new file mode 100644
index 0000000..2943d34
--- /dev/null
+++ b/0023-netlink_linearize-fix-timeout-with-map-updates.patch
@@ -0,0 +1,66 @@
+From 7cb1f51b1791434fa513b516e416a18d27ad1eb9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 17 Feb 2023 17:52:16 +0100
+Subject: [PATCH] netlink_linearize: fix timeout with map updates
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2094894
+Upstream Status: nftables commit 284c038ef4c69
+
+commit 284c038ef4c69d042ef91272d90c143019ecea1f
+Author: Florian Westphal
+Date: Mon Dec 12 11:04:35 2022 +0100
+
+ netlink_linearize: fix timeout with map updates
+
+ Map updates can use timeouts, just like with sets, but the
+ linearization step did not pass this info to the kernel.
+
+ meta l4proto tcp update @pinned { ip saddr . ct original proto-src timeout 90s : ip daddr . tcp dport
+
+ Listing this won't show the "timeout 90s" because kernel never saw it to
+ begin with.
+
+ Also update evaluation step to reject a timeout that was set on
+ the data part: Timeouts are only allowed for the key-value pair
+ as a whole.
+
+ Signed-off-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ src/evaluate.c | 3 +++
+ src/netlink_linearize.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 7f81411..6d0a0f5 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -3858,6 +3858,9 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt)
+ if (stmt->map.data->comment != NULL)
+ return expr_error(ctx->msgs, stmt->map.data,
+ "Data expression comments are not supported");
++ if (stmt->map.data->timeout > 0)
++ return expr_error(ctx->msgs, stmt->map.data,
++ "Data expression timeouts are not supported");
+
+ list_for_each_entry(this, &stmt->map.stmt_list, list) {
+ if (stmt_evaluate(ctx, this) < 0)
+diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
+index c8bbcb7..6de0a96 100644
+--- a/src/netlink_linearize.c
++++ b/src/netlink_linearize.c
+@@ -1520,6 +1520,10 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
+ nft_rule_add_expr(ctx, nle, &stmt->location);
+
++ if (stmt->map.key->timeout > 0)
++ nftnl_expr_set_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT,
++ stmt->map.key->timeout);
++
+ list_for_each_entry(this, &stmt->map.stmt_list, list)
+ num_stmts++;
+
+--
+2.39.2
+
diff --git a/0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch b/0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch
new file mode 100644
index 0000000..26d7634
--- /dev/null
+++ b/0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch
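Review bot: The new rejection branch in stmt_evaluate_map (`"Data expression timeouts are not supported"`) has no test in this series: the test case added by the following patch only loads a valid ruleset, so nothing pins that a timeout placed on the data side of a map update is refused at evaluation rather than silently dropped. A negative test feeding such a statement and expecting that error message would close the gap. The netlink_gen_map_stmt side only emits NFTNL_EXPR_DYNSET_TIMEOUT when `stmt->map.key->timeout > 0`, which matches the `> 0` test in evaluate.c, so the two halves agree. Both enclosing functions, stmt_evaluate_map and netlink_gen_map_stmt, continue outside their hunks.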
@@ -0,0 +1,73 @@
+From 1bbcacb6445bda10aa0a82b12329116b56ea44e3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 17 Feb 2023 17:52:16 +0100
+Subject: [PATCH] tests: add a test case for map update from packet path with
+ concat
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2094894
+Upstream Status: nftables commit b8e1940aa1907
+
+commit b8e1940aa190773b23b3ee9349beb20c31f42bdb
+Author: Florian Westphal
+Date: Mon Dec 12 11:04:36 2022 +0100
+
+ tests: add a test case for map update from packet path with concat
+
+ add a second test case for map updates, this time with both
+ a timeout and a data element that consists of a concatenation.
+
+ Signed-off-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ .../maps/dumps/typeof_maps_concat_update_0.nft | 12 ++++++++++++
+ .../testcases/maps/typeof_maps_concat_update_0 | 18 ++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+ create mode 100644 tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
+ create mode 100755 tests/shell/testcases/maps/typeof_maps_concat_update_0
+
+diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
+new file mode 100644
+index 0000000..d91b795
+--- /dev/null
++++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
+@@ -0,0 +1,12 @@
++table ip foo {
++ map pinned {
++ typeof ip daddr . tcp dport : ip daddr . tcp dport
++ size 65535
++ flags dynamic,timeout
++ timeout 6m
++ }
++
++ chain pr {
++ update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
++ }
++}
+diff --git a/tests/shell/testcases/maps/typeof_maps_concat_update_0 b/tests/shell/testcases/maps/typeof_maps_concat_update_0
+new file mode 100755
+index 0000000..645ae14
+--- /dev/null
++++ b/tests/shell/testcases/maps/typeof_maps_concat_update_0
+@@ -0,0 +1,18 @@
++#!/bin/bash
++
++# check update statement does print both concatentations (key and data).
++
++EXPECTED="table ip foo {
++ map pinned {
++ typeof ip daddr . tcp dport : ip daddr . tcp dport
++ size 65535
++ flags dynamic,timeout
++ timeout 6m
++ }
++ chain pr {
++ meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
++ }
++}"
++
++set -e
++$NFT -f - <<< $EXPECTED
+--
+2.39.2
+
diff --git a/nftables.spec b/nftables.spec
index 503ad47..6230d11 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,5 +1,5 @@
 %define rpmversion 1.0.4
-%define specrelease 8
+%define specrelease 9
 Name: nftables
 Version: %{rpmversion}
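Review bot: The header comment of typeof_maps_concat_update_0 says the script checks that both concatenations are printed, but the script itself only loads the ruleset with `$NFT -f - <<< $EXPECTED`; the listing check comes from the dumps file added alongside it, which presumably the harness compares against, and the comment should say so, e.g. `# load a map update whose key and data are both concatenations; the dump file verifies both are listed (with the timeout).` `concatentations` is also misspelled, and `EXPECTED` names the input rather than an expected result, so `RULESET` would read more honestly. Quoting the here-string, `$NFT -f - <<< "$EXPECTED"`, is the conventional form for a multi-line variable. Note that the input carries `meta l4proto tcp` before `update` while the dump file does not, so the dump comparison implicitly also pins that this dependency is elided on listing; if that is intended, a comment would save the next reader a puzzle.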
@@ -40,6 +40,9 @@ Patch18: 0018-evaluate-search-stacked-header-list-for-matching-pay.pa
 Patch19: 0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch
 Patch20: 0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch
 Patch21: 0021-monitor-Sanitize-startup-race-condition.patch
+Patch22: 0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch
+Patch23: 0023-netlink_linearize-fix-timeout-with-map-updates.patch
+Patch24: 0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -151,6 +154,11 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/
 %changelog
+* Fri Feb 17 2023 Phil Sutter [1.0.4-9.el9]
+- tests: add a test case for map update from packet path with concat (Phil Sutter) [2094894]
+- netlink_linearize: fix timeout with map updates (Phil Sutter) [2094894]
+- netlink_delinearize: fix decoding of concat data element (Phil Sutter) [2094894]
+
 * Thu Feb 09 2023 Phil Sutter [1.0.4-8.el9]
 - monitor: Sanitize startup race condition (Phil Sutter) [2130721]
 - evaluate: set eval ctx for add/update statements with integer constants (Phil Sutter) [2094894]
diff --git a/run-tests.stderr.expect b/run-tests.stderr.expect
index 7a58598..2364359 100644
--- a/run-tests.stderr.expect
+++ b/run-tests.stderr.expect
@@ -2,6 +2,5 @@ W: [FAILED] ././tests/shell/testcases/cache/0010_implicit_chain_0
 W: [FAILED] ././tests/shell/testcases/chains/0021prio_0
 W: [FAILED] ././tests/shell/testcases/chains/0041chain_binding_0
 W: [FAILED] ././tests/shell/testcases/maps/typeof_integer_0
-W: [DUMP FAIL] ././tests/shell/testcases/maps/typeof_maps_concat
 W: [FAILED] ././tests/shell/testcases/maps/typeof_raw_0
 W: [FAILED] ././tests/shell/testcases/sets/typeof_raw_0