update ABI file for 4.15.18-30-pve

(generated with debian/scripts/abi-generate)

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

.gitmodules

@@ -1,6 +1,6 @@
 [submodule "submodules/zfsonlinux"]
 	path = submodules/zfsonlinux
 	url = ../zfsonlinux
-[submodule "submodules/ubuntu-kernel"]
-	path = submodules/ubuntu-kernel
-	url = ../mirror_ubuntu-kernels
+[submodule "submodules/ubuntu-bionic"]
+	path = submodules/ubuntu-bionic
+	url = ../mirror_ubuntu-bionic-kernel

Makefile

@@ -1,133 +1,146 @@
-include /usr/share/dpkg/pkg-info.mk
-
-# also bump proxmox-kernel-meta if the default MAJ.MIN version changes!
-KERNEL_MAJ=6
-KERNEL_MIN=2
-KERNEL_PATCHLEVEL=16
-# increment KREL for every published package release!
+# also bump pve-kernel-meta if either of MAJ.MIN, PATCHLEVEL or KREL change
+KERNEL_MAJ=4
+KERNEL_MIN=15
+KERNEL_PATCHLEVEL=18
+# increment KREL if the ABI changes (abicheck target in debian/rules)
 # rebuild packages with new KREL and run 'make abiupdate'
-KREL=20
+KREL=30
+
+PKGREL=58
 
 KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
 KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)
 
-EXTRAVERSION=-$(KREL)-pve
-KVNAME=$(KERNEL_VER)$(EXTRAVERSION)
-PACKAGE=proxmox-kernel-$(KVNAME)
-HDRPACKAGE=proxmox-headers-$(KVNAME)
+EXTRAVERSION=-${KREL}-pve
+KVNAME=${KERNEL_VER}${EXTRAVERSION}
+PACKAGE=pve-kernel-${KVNAME}
+HDRPACKAGE=pve-headers-${KVNAME}
 
 ARCH=$(shell dpkg-architecture -qDEB_BUILD_ARCH)
 
 # amd64/x86_64/x86 share the arch subdirectory in the kernel, 'x86' so we need
 # a mapping
 KERNEL_ARCH=x86
-ifneq ($(ARCH), amd64)
-KERNEL_ARCH=$(ARCH)
+ifneq (${ARCH}, amd64)
+KERNEL_ARCH=${ARCH}
 endif
 
+GITVERSION:=$(shell git rev-parse HEAD)
+
 SKIPABI=0
 
-BUILD_DIR=proxmox-kernel-$(KERNEL_VER)
+ifeq    ($(CC), cc)
+GCC=gcc
+else
+GCC=$(CC)
+endif
 
-KERNEL_SRC=ubuntu-kernel
+BUILD_DIR=build
+
+KERNEL_SRC=ubuntu-bionic
 KERNEL_SRC_SUBMODULE=submodules/$(KERNEL_SRC)
-KERNEL_CFG_ORG=config-$(KERNEL_VER).org
+KERNEL_CFG_ORG=config-${KERNEL_VER}.org
+
+E1000EDIR=e1000e-3.4.1.1
+E1000ESRC=${E1000EDIR}.tar.gz
+
+IGBDIR=igb-5.3.5.18
+IGBSRC=${IGBDIR}.tar.gz
 
 ZFSONLINUX_SUBMODULE=submodules/zfsonlinux
+SPLDIR=pkg-spl
 ZFSDIR=pkg-zfs
 
 MODULES=modules
-MODULE_DIRS=$(ZFSDIR)
+MODULE_DIRS=${E1000EDIR} ${IGBDIR} ${SPLDIR} ${ZFSDIR}
 
 # exported to debian/rules via debian/rules.d/dirs.mk
-DIRS=KERNEL_SRC ZFSDIR MODULES
+DIRS=KERNEL_SRC E1000EDIR IGBDIR SPLDIR ZFSDIR MODULES
 
-DSC=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL).dsc
-DST_DEB=$(PACKAGE)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
-META_DEB=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_all.deb
-HDR_DEB=$(HDRPACKAGE)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
-META_HDR_DEB=proxmox-headers-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_all.deb
-USR_HDR_DEB=proxmox-kernel-libc-dev_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
-LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
-LINUX_TOOLS_DBG_DEB=linux-tools-$(KERNEL_MAJMIN)-dbgsym_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+DST_DEB=${PACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
+HDR_DEB=${HDRPACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
+LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
 
-DEBS=$(DST_DEB) $(META_DEB) $(HDR_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(LINUX_TOOLS_DBG_DEB) # $(USR_HDR_DEB)
+DEBS=${DST_DEB} ${HDR_DEB} ${LINUX_TOOLS_DEB}
 
-all: deb
-deb: $(DEBS)
+all: check_gcc deb
+deb: ${DEBS}
 
-$(META_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(HDR_DEB): $(DST_DEB)
-$(DST_DEB): $(BUILD_DIR).prepared
-	cd $(BUILD_DIR); dpkg-buildpackage --jobs=auto -b -uc -us
-	lintian $(DST_DEB)
-	#lintian $(HDR_DEB)
-	lintian $(LINUX_TOOLS_DEB)
+check_gcc:
+	$(GCC) --version|grep "6\.3" || false
+	@$(GCC) -Werror -mindirect-branch=thunk-extern -mindirect-branch-register -c -x c /dev/null -o check_gcc.o \
+		|| ( rm -f check_gcc.o; \
+		     echo "Please install gcc-6 packages with indirect thunk / RETPOLINE support"; \
+		     false)
+	@rm -f check_gcc.o
 
-dsc:
-	$(MAKE) $(DSC)
-	lintian $(DSC)
+${LINUX_TOOLS_DEB} ${HDR_DEB}: ${DST_DEB}
+${DST_DEB}: ${BUILD_DIR}.prepared
+	cd ${BUILD_DIR}; dpkg-buildpackage --jobs=auto -b -uc -us
+	lintian ${DST_DEB}
+	#lintian ${HDR_DEB}
+	lintian ${LINUX_TOOLS_DEB}
 
-$(DSC): $(BUILD_DIR).prepared
-	cd $(BUILD_DIR); dpkg-buildpackage -S -uc -us -d
-
-sbuild: $(DSC)
-	sbuild $(DSC)
-
-$(BUILD_DIR).prepared: $(addsuffix .prepared,$(KERNEL_SRC) $(MODULES) debian)
-	cp -a fwlist-previous $(BUILD_DIR)/
-	cp -a abi-prev-* $(BUILD_DIR)/
-	cp -a abi-blacklist $(BUILD_DIR)/
+${BUILD_DIR}.prepared: $(addsuffix .prepared,${KERNEL_SRC} ${MODULES} debian)
+	cp -a fwlist-previous ${BUILD_DIR}/
+	cp -a abi-prev-* ${BUILD_DIR}/
+	cp -a abi-blacklist ${BUILD_DIR}/
 	touch $@
 
-.PHONY: build-dir-fresh
-build-dir-fresh:
-	$(MAKE) clean
-	$(MAKE) $(BUILD_DIR).prepared
-	echo "created build-directory: $(BUILD_DIR).prepared/"
-
 debian.prepared: debian
-	rm -rf $(BUILD_DIR)/debian
-	mkdir -p $(BUILD_DIR)
-	cp -a debian $(BUILD_DIR)/debian
-	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout $(shell git rev-parse HEAD)" \
-	    >$(BUILD_DIR)/debian/SOURCE
-	@$(foreach dir, $(DIRS),echo "$(dir)=$($(dir))" >> $(BUILD_DIR)/debian/rules.d/env.mk;)
-	echo "KVNAME=$(KVNAME)" >> $(BUILD_DIR)/debian/rules.d/env.mk
-	echo "KERNEL_MAJMIN=$(KERNEL_MAJMIN)" >> $(BUILD_DIR)/debian/rules.d/env.mk
-	cd $(BUILD_DIR); debian/rules debian/control
+	rm -rf ${BUILD_DIR}/debian
+	mkdir -p ${BUILD_DIR}
+	cp -a debian ${BUILD_DIR}/debian
+	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout ${GITVERSION}" > ${BUILD_DIR}/debian/SOURCE
+	@$(foreach dir, ${DIRS},echo "${dir}=${${dir}}" >> ${BUILD_DIR}/debian/rules.d/env.mk;)
+	echo "KVNAME=${KVNAME}" >> ${BUILD_DIR}/debian/rules.d/env.mk
+	echo "KERNEL_MAJMIN=${KERNEL_MAJMIN}" >> ${BUILD_DIR}/debian/rules.d/env.mk
+	cd ${BUILD_DIR}; debian/rules debian/control
 	touch $@
 
-$(KERNEL_SRC).prepared: $(KERNEL_SRC_SUBMODULE) | submodule
-	rm -rf $(BUILD_DIR)/$(KERNEL_SRC) $@
-	mkdir -p $(BUILD_DIR)
-	cp -a $(KERNEL_SRC_SUBMODULE) $(BUILD_DIR)/$(KERNEL_SRC)
+${KERNEL_SRC}.prepared: ${KERNEL_SRC_SUBMODULE} | submodule
+	rm -rf ${BUILD_DIR}/${KERNEL_SRC} $@
+	mkdir -p ${BUILD_DIR}
+	cp -a ${KERNEL_SRC_SUBMODULE} ${BUILD_DIR}/${KERNEL_SRC}
 # TODO: split for archs, track and diff in our repository?
-	cd $(BUILD_DIR)/$(KERNEL_SRC); python3 debian/scripts/misc/annotations --arch amd64 --export >../../$(KERNEL_CFG_ORG)
-	cp $(KERNEL_CFG_ORG) $(BUILD_DIR)/$(KERNEL_SRC)/.config
-	sed -i $(BUILD_DIR)/$(KERNEL_SRC)/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=$(EXTRAVERSION)/'
-	rm -rf $(BUILD_DIR)/$(KERNEL_SRC)/debian $(BUILD_DIR)/$(KERNEL_SRC)/debian.master
-	set -e; cd $(BUILD_DIR)/$(KERNEL_SRC); \
-	  for patch in ../../patches/kernel/*.patch; do \
-	    echo "applying patch '$$patch'"; \
-	    patch --batch -p1 < "$${patch}"; \
-	  done
+	cat ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/config.common.ubuntu ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/${ARCH}/config.common.${ARCH} ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/${ARCH}/config.flavour.generic > ${KERNEL_CFG_ORG}
+	cp ${KERNEL_CFG_ORG} ${BUILD_DIR}/${KERNEL_SRC}/.config
+	sed -i ${BUILD_DIR}/${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
+	rm -rf ${BUILD_DIR}/${KERNEL_SRC}/debian ${BUILD_DIR}/${KERNEL_SRC}/debian.master
+	set -e; cd ${BUILD_DIR}/${KERNEL_SRC}; for patch in ../../patches/kernel/*.patch; do echo "applying patch '$$patch'" && patch -p1 < $${patch}; done
 	touch $@
 
-$(MODULES).prepared: $(addsuffix .prepared,$(MODULE_DIRS))
+${MODULES}.prepared: $(addsuffix .prepared,${MODULE_DIRS})
 	touch $@
 
-$(ZFSDIR).prepared: $(ZFSONLINUX_SUBMODULE)
-	rm -rf $(BUILD_DIR)/$(MODULES)/$(ZFSDIR) $(BUILD_DIR)/$(MODULES)/tmp $@
-	mkdir -p $(BUILD_DIR)/$(MODULES)/tmp
-	cp -a $(ZFSONLINUX_SUBMODULE)/* $(BUILD_DIR)/$(MODULES)/tmp
-	cd $(BUILD_DIR)/$(MODULES)/tmp; make kernel
-	rm -rf $(BUILD_DIR)/$(MODULES)/tmp
-	touch $(ZFSDIR).prepared
+${E1000EDIR}.prepared: ${E1000ESRC}
+	rm -rf ${BUILD_DIR}/${MODULES}/${E1000EDIR} $@
+	mkdir -p ${BUILD_DIR}/${MODULES}/${E1000EDIR}
+	tar --strip-components=1 -C ${BUILD_DIR}/${MODULES}/${E1000EDIR} -xf ${E1000ESRC}
+	cd ${BUILD_DIR}/${MODULES}/${E1000EDIR}; patch -p1 < ../../../patches/intel/intel-module-gcc6-compat.patch
+	cd ${BUILD_DIR}/${MODULES}/${E1000EDIR}; patch -p1 < ../../../patches/intel/e1000e/e1000e_4.10_max-mtu.patch
+	cd ${BUILD_DIR}/${MODULES}/${E1000EDIR}; patch -p1 < ../../../patches/intel/e1000e/e1000e_4.15-new-timer.patch
+	touch $@
+
+${IGBDIR}.prepared: ${IGBSRC}
+	rm -rf ${BUILD_DIR}/${MODULES}/${IGBDIR} $@
+	mkdir -p ${BUILD_DIR}/${MODULES}/${IGBDIR}
+	tar --strip-components=1 -C ${BUILD_DIR}/${MODULES}/${IGBDIR} -xf ${IGBSRC}
+	cd ${BUILD_DIR}/${MODULES}/${IGBDIR}; patch -p1 < ../../../patches/intel/igb/igb_4.15_mtu.patch
+	touch $@
+
+${SPLDIR}.prepared: ${ZFSDIR}.prepared
+${ZFSDIR}.prepared: ${ZFSONLINUX_SUBMODULE}
+	rm -rf ${BUILD_DIR}/${MODULES}/${SPLDIR} ${BUILD_DIR}/${MODULES}/${ZFSDIR} ${BUILD_DIR}/${MODULES}/tmp $@
+	mkdir -p ${BUILD_DIR}/${MODULES}/tmp
+	cp -a ${ZFSONLINUX_SUBMODULE}/* ${BUILD_DIR}/${MODULES}/tmp
+	cd ${BUILD_DIR}/${MODULES}/tmp; make kernel
+	rm -rf ${BUILD_DIR}/${MODULES}/tmp
+	touch ${ZFSDIR}.prepared ${SPLDIR}.prepared
 
 .PHONY: upload
-upload: UPLOAD_DIST ?= $(DEB_DISTRIBUTION)
-upload: $(DEBS)
-	tar cf - $(DEBS)|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg,pbs --dist $(UPLOAD_DIST) --arch $(ARCH)
+upload: ${DEBS}
+	tar cf - ${DEBS}|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg --dist stretch --arch ${ARCH}
 
 .PHONY: distclean
 distclean: clean
@@ -137,18 +150,19 @@ distclean: clean
 .PHONY: update_modules
 update_modules: submodule
 	git submodule foreach 'git pull --ff-only origin master'
-	cd $(ZFSONLINUX_SUBMODULE); git pull --ff-only origin master
+	cd ${ZFSONLINUX_SUBMODULE}; git pull --ff-only origin master
 
 # make sure submodules were initialized
 .PHONY: submodule
 submodule:
-	test -f "$(KERNEL_SRC_SUBMODULE)/README" || git submodule update --init $(KERNEL_SRC_SUBMODULE)
-	test -f "$(ZFSONLINUX_SUBMODULE)/Makefile" || git submodule update --init --recursive $(ZFSONLINUX_SUBMODULE)
+	test -f "${KERNEL_SRC_SUBMODULE}/README" || git submodule update --init ${KERNEL_SRC_SUBMODULE}
+	test -f "${ZFSONLINUX_SUBMODULE}/Makefile" || git submodule update --init ${ZFSONLINUX_SUBMODULE}
+	(test -f "${ZFSONLINUX_SUBMODULE}/zfs/upstream/README.markdown" && test -f "${ZFSONLINUX_SUBMODULE}/spl/upstream/README.markdown") || (cd ${ZFSONLINUX_SUBMODULE}; git submodule update --init)
 
 # call after ABI bump with header deb in working directory
 .PHONY: abiupdate
-abiupdate: abi-prev-$(KVNAME)
-abi-prev-$(KVNAME): abi-tmp-$(KVNAME)
+abiupdate: abi-prev-${KVNAME}
+abi-prev-${KVNAME}: abi-tmp-${KVNAME}
 ifneq ($(strip $(shell git status --untracked-files=no --porcelain -z)),)
 	@echo "working directory unclean, aborting!"
 	@false
@@ -156,15 +170,15 @@ else
 	git rm "abi-prev-*"
 	mv $< $@
 	git add $@
-	git commit -s -m "update ABI file for $(KVNAME)" -m "(generated with debian/scripts/abi-generate)"
-	@echo "update abi-prev-$(KVNAME) committed!"
+	git commit -s -m "update ABI file for ${KVNAME}" -m "(generated with debian/scripts/abi-generate)"
+	@echo "update abi-prev-${KVNAME} committed!"
 endif
 
-abi-tmp-$(KVNAME):
-	@ test -e $(HDR_DEB) || (echo "need $(HDR_DEB) to extract ABI data!" && false)
-	debian/scripts/abi-generate $(HDR_DEB) $@ $(KVNAME) 1
+abi-tmp-${KVNAME}:
+	@ test -e ${HDR_DEB} || (echo "need ${HDR_DEB} to extract ABI data!" && false)
+	debian/scripts/abi-generate ${HDR_DEB} $@ ${KVNAME} 1
 
 .PHONY: clean
 clean:
-	rm -rf *~ proxmox-kernel-[0-9]*/ *.prepared $(KERNEL_CFG_ORG)
-	rm -f *.deb *.dsc *.changes *.buildinfo *.build proxmox-kernel*.tar.*
+	rm -rf *~ build *.prepared ${KERNEL_CFG_ORG}
+	rm -f *.deb *.changes *.buildinfo

README

@@ -1,22 +1,22 @@
 KERNEL SOURCE:
 ==============
 
-We currently use the Ubuntu kernel sources, available from our mirror:
+We currently use the Ubuntu kernel sources, available from:
 
- https://git.proxmox.com/?p=mirror_ubuntu-kernels.git;a=summary
+ http://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/
 
 Ubuntu will maintain those kernels till:
 
  https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
- or
- https://pve.proxmox.com/pve-docs/chapter-pve-faq.html#faq-support-table
-
- whatever happens to be earlier.
 
 
 Additional/Updated Modules:
 ---------------------------
 
+- include latest e1000e driver from intel/sourceforge
+
+- include latest igb driver from intel/sourceforge
+
 - include native OpenZFS filesystem kernel modules for Linux
 
   * https://github.com/zfsonlinux/
@@ -24,67 +24,6 @@ Additional/Updated Modules:
   For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ
 
 
-BUILD
-=====
-
-As this is packaging for the Linux kernel with some extra integrations, like
-ZFS, this repo cannot be handled like a plain Linux kernel git repository.
-
-The actual Linux kernel source lives in a git submodule.
-
-For a build you should init the submodules and then handle it like most our
-Debian packaging builds. If unsure you can follow this:
-
-Installing Build-Dependencies
------------------------------
-
-You can either just check the package metadata template `debian/control.in`
-and install the packages listed in the `Build-Depends` section manually
-(replace `debhelper-compat` with just `debhelper`) or use a more automated way
-described below:
-
- # install base build-dependencies and helpers
- apt update
- apt install devscripts
-
- # create build-directory so that we got final packaging control files from the
- # .in templates generated
- make build-dir-fresh
-
- # install build-dependencies (replace BUILD-DIR with actual one)
- mk-build-deps -ir BUILD-DIR/debian/control
-
-
-Package Build
--------------
-
- # start the actual build
- make deb
-
-For simple KConfig modifications you can adapt the list in `debian/rules` file.
-For quick code changes to the actual kernel code you can do them directly in
-the submodule/ubuntu-kernels directory, then re-create the build-directory, e.g.:
-
- make clean
- # now build again, explicitly creating the build-dir isn't required anymore
- # after one has the build-dependencies already installed.
- make deb
-
-
-Modify-Build-Test Cycles
-------------------------
-
-Ideally you avoid the need for doing a full package build and just directly
-build linux from the ubuntu-kernels or the mainline (stable) repo with copying
-over a build-config of a proxmox-kernel to that as .config and then using the
-`make olddefconfig` target.
-
-If you need full package builds you can try to make changes inside the
-BUILD-DIR directly and then continue build from there, e.g., using
-`dpkg-buildpackage -b -uc -us --no-pre-clean`. Depending on what stage you want
-to continue build you might need to touch, or remove some *.prepared files.
-Just check `debian/rules` for how kernel build progress is tracked by make.
-
 SUBMODULE
 =========
 
@@ -96,7 +35,7 @@ get applied with the `patch` tool. From a git point-of-view, the copied
 directory remains clean even with extra patches applied since it does not
 contain a .git directory, but a reference to the (still pristine) submodule:
 
-$ cat build/ubuntu-kernel/.git
+$ cat build/ubuntu-bionic/.git
 
 If you mistakenly cloned the upstream repo as "normal" clone (not via the
 submodule mechanics) this means that you have a real .git directory with its
@@ -121,30 +60,18 @@ top level meta package, depends on current default kernel series meta package.
 
 git clone git://git.proxmox.com/git/proxmox-ve.git
 
-proxmox-default-kernel
-----------------------
+pve-kernel-meta
+---------------
 
-Depends on default kernel and header meta package, e.g., proxmox-kernel-6.2 /
-proxmox-headers-6.2.
+depends on latest kernel and header package within a certain kernel series,
+e.g., pve-kernel-4.15 / pve-headers-4.15
 
 git clone git://git.proxmox.com/git/pve-kernel-meta.git
 
-proxmox-kernel-X.Y
-------------------
-
-Depends on the latest kernel (or header, in case of proxmox-headers-X.Y)
-package within a certain series.
-
-e.g., proxmox-kernel-6.2 depends on proxmox-kernel-6.2.16-6-pve
-
-NOTE: Since Proxmox VE 8, based on Debian 12 Bookworm, the kernel ABI is bumped
-with every version bump due to module signing. Since then the meta package was
-pulled into the kernel repo, before that it lived in pve-kernel-meta.git.
-
 pve-firmware
 ------------
 
-Contains the firmware for all released PVE kernels.
+contains the firmware for all released PVE kernels.
 
 git clone git://git.proxmox.com/git/pve-firmware.git
 
@@ -172,21 +99,9 @@ Watchdog blacklist
 
 By default, all watchdog modules are black-listed because it is totally undefined
 which device is actually used for /dev/watchdog.
-We ship this list in /lib/modprobe.d/blacklist_proxmox-kernel-<VERSION>.conf
+We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf
 The user typically edit /etc/modules to enable a specific watchdog device.
 
-Debug kernel and modules
-------------------------
-
-In order to build a -dbgsym package containing an unstripped copy of the kernel
-image and modules, enable the 'pkg.proxmox-kernel.debug' build profile (e.g. by
-exporting DEB_BUILD_PROFILES='pkg.proxmox-kernel.debug'). The resulting package can
-be used together with 'crash'/'kdump-tools' to debug kernel crashes.
-
-Note: the -dbgsym package is only valid for the proxmox-kernel packages produced by
-the same build. A kernel/module from a different build will likely not match,
-even if both builds are of the same kernel and package version.
-
 Additional information
 ----------------------
 
@@ -210,39 +125,55 @@ NOTE: For the exact and current list see debian/rules (PVE_CONFIG_OPTS)
   	 CONFIG_BLK_DEV_SR=y
   	 CONFIG_BLK_DEV_DM=y
 
+- add workaround for Debian bug #807000 (see
+  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807000)
+
+  	 CONFIG_BLK_DEV_NVME=y
+
 - compile NBD and RBD modules
 	 CONFIG_BLK_DEV_NBD=m
 	 CONFIG_BLK_DEV_RBD=m
 
 - enable IBM JFS file system as module
-  requested by users (bug #64)
+
+  enable it as requested by users (bug #64)
 
 - enable apple HFS and HFSPLUS as module
-  requested by users
+
+  enable it as requested by users
 
 - enable CONFIG_BCACHE=m (requested by user)
 
 - enable CONFIG_BRIDGE=y
-  to avoid warnings on boot, e.g. that net.bridge.bridge-nf-call-iptables is an unknown key
+
+  Else we get warnings on boot, that
+  net.bridge.bridge-nf-call-iptables is an unknown key
 
 - enable CONFIG_DEFAULT_SECURITY_APPARMOR
+
   We need this for lxc
 
 - set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
+
   because if not set, it can give some dynamic memory or cpu frequencies 
   change, and vms can crash (mainly windows guest).
+
   see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273
 
 - use 'deadline' as default scheduler
-  This is the suggested setting for KVM. We also measure bad fsync performance with ext4 and cfq.
+
+  This is the suggested setting for KVM. We also measure bad fsync
+  performance with ext4 and cfq.
 
 - disable CONFIG_INPUT_EVBUG
-  Module evbug is not blacklisted on debian, so we simply disable it to avoid
-  key-event logs (which is a big security problem)
+
+  Module evbug is not blacklisted on debian, so we simply disable it
+  to avoid key-event logs (which is a big security problem)
 
 - enable CONFIG_MODVERSIONS (needed for ABI tracking)
 
 - switch default UNWINDER to FRAME_POINTER
+
   the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS
 
 - enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)

debian/compat

@@ -0,0 +1 @@
+10

debian/control.in

@@ -1,4 +1,4 @@
-Source: proxmox-kernel-@KVMAJMIN@
+Source: pve-kernel
 Section: devel
 Priority: optional
 Maintainer: Proxmox Support Team <support@proxmox.com>
@@ -7,12 +7,10 @@ Build-Depends: asciidoc-base,
                bc,
                bison,
                cpio,
-               debhelper-compat (= 13),
-               dh-python,
-               dwarves,
+               debhelper (>= 10~),
                file,
                flex,
-               gcc (>= 8.3.0-6),
+               gcc-6 (>= 6.3.0-18+deb9u1),
                git,
                kmod,
                libdw-dev,
@@ -24,15 +22,14 @@ Build-Depends: asciidoc-base,
                libssl-dev,
                libtool,
                lintian,
-               lz4,
-               python3-minimal,
+               perl-modules,
+               python-minimal,
                rsync,
-               sphinx-common,
+               sed,
+               tar,
                xmlto,
                zlib1g-dev,
-               zstd,
-Build-Conflicts: proxmox-headers-@KVNAME@,
-Standards-Version: 4.6.2
+Build-Conflicts: pve-headers-@KVNAME@,
 Vcs-Git: git://git.proxmox.com/git/pve-kernel
 Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
 
@@ -40,77 +37,32 @@ Package: linux-tools-@KVMAJMIN@
 Architecture: any
 Section: devel
 Priority: optional
-Depends: linux-base, ${misc:Depends}, ${shlibs:Depends},
+Depends: linux-base,
+         ${misc:Depends},
+         ${shlibs:Depends},
 Description: Linux kernel version specific tools for version @KVMAJMIN@
  This package provides the architecture dependent parts for kernel
  version locked tools (such as perf and x86_energy_perf_policy)
 
-Package: proxmox-headers-@KVNAME@
+Package: pve-headers-@KVNAME@
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-headers-@KVNAME@-amd64, pve-headers-@KVNAME@
-Depends: ${misc:Depends},
-Description: Proxmox Kernel Headers
+Provides: linux-headers,
+          linux-headers-2.6,
+Depends: coreutils | fileutils (>= 4.0),
+Description: The Proxmox PVE Kernel Headers
  This package contains the linux kernel headers
 
-Package: proxmox-kernel-@KVNAME@
+Package: pve-kernel-@KVNAME@
 Section: admin
 Priority: optional
 Architecture: any
-Provides: linux-image-@KVNAME@-amd64, pve-kernel-@KVNAME@
+Provides: linux-image,
+          linux-image-2.6,
 Suggests: pve-firmware,
-Depends: busybox, initramfs-tools | linux-initramfs-tool, ${misc:Depends},
-Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64,
-Description: Proxmox Kernel Image
+Depends: busybox,
+         grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64,
+         initramfs-tools,
+Description: The Proxmox PVE Kernel Image
  This package contains the linux kernel and initial ramdisk used for booting
-
-Package: proxmox-kernel-@KVNAME@-dbgsym
-Architecture: any
-Provides: linux-debug, pve-kernel-@KVNAME@-dbgsym
-Section: devel
-Priority: optional
-Build-Profiles: <pkg.proxmox-kernel.debug>
-Depends: ${misc:Depends},
-Description: Proxmox Kernel debug image
- This package provides the kernel debug image for version @KVNAME@. The debug
- kernel image contained in this package is NOT meant to boot from - it is
- uncompressed, and unstripped, and suitable for use with crash/kdump-tools/..
- to analyze kernel crashes. This package also contains the proxmox-kernel modules
- in their unstripped version.
-
-Package: proxmox-kernel-libc-dev
-Section: devel
-Priority: optional
-Architecture: any
-Provides: linux-libc-dev (=${binary:Version}), pve-kernel-libc-dev
-Conflicts: linux-libc-dev,
-Replaces: linux-libc-dev, pve-kernel-libc-dev
-Breaks: pve-kernel-libc-dev
-Depends: ${misc:Depends},
-Description: Linux support headers for userspace development
- This package provides userspaces headers from the Linux kernel.  These headers
- are used by the installed headers for GNU libc and other system libraries.
-
-Package: proxmox-headers-@KVMAJMIN@
-Architecture: all
-Section: admin
-Provides: linux-headers-amd64, linux-headers-generic, pve-headers-@KVMAJMIN@
-Replaces: pve-headers-@KVMAJMIN@
-Priority: optional
-Depends: proxmox-headers-@KVNAME@, ${misc:Depends},
-Description: Latest Proxmox Kernel Headers
- This is a metapackage which will install the kernel headers
- for the latest available proxmox kernel from the @KVMAJMIN@
- series.
-
-Package: proxmox-kernel-@KVMAJMIN@
-Architecture: all
-Section: admin
-Provides: linux-image-amd64, linux-image-generic, wireguard-modules (=1.0.0), pve-kernel-@KVMAJMIN@
-Replaces: pve-kernel-@KVMAJMIN@
-Priority: optional
-Depends: pve-firmware, proxmox-kernel-@KVNAME@, ${misc:Depends},
-Description: Latest Proxmox Kernel Image
- This is a metapackage which will install the latest available
- proxmox kernel from the @KVMAJMIN@ series.

debian/copyright

@@ -1,8 +1,11 @@
 This is a prepackaged version of the Linux kernel binary image.
 
-For the packaging and all files in the debian/ folder consider:
- Copyright (C) 2007-2022 Proxmox Server Solutions GmbH
- Licensed under the AGPL-3.0-or-later
+This package was put together by Proxmox Server
+Solutions GmbH <support@proxmox.com>.
+
+We use the RHEL7 kernel sources, available from:
+
+ftp://ftp.redhat.com/redhat/rhel/
 
 Linux is copyrighted by Linus Torvalds and others.
 

debian/proxmox-kernel-meta.postinst.in

@@ -1,17 +0,0 @@
-#! /bin/sh
-
-# Abort if any command returns an error value 
-set -e
-
-case "$1" in
-  configure)
-    # setup kernel links for installation CD (rescue boot)
-    mkdir -p /boot/pve
-    ln -sf /boot/vmlinuz-@@KVNAME@@ /boot/pve/vmlinuz-@@KVMAJMIN@@
-    ln -sf /boot/initrd.img-@@KVNAME@@ /boot/pve/initrd.img-@@KVMAJMIN@@
-    ;;
-esac
-
-#DEBHELPER#
-
-exit 0

debian/proxmox-kernel-meta.postrm.in

@@ -1,19 +0,0 @@
-#! /bin/sh
-
-# Abort if any command returns an error value
-set -e
-
-case "$1" in
-    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
-        # remove kernel symlinks
-        rm -f /boot/pve/vmlinuz-@@KVNAME@@
-        rm -f /boot/pve/initrd.img-@@KVNAME@@
-    ;;
-
-    *)
-        echo "postrm called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-#DEBHELPER#

debian/proxmox-kernel.postrm.in

@@ -1,46 +0,0 @@
-#!/usr/bin/perl
-
-use strict;
-use warnings;
-
-# Ignore all 'upgrade' invocations .
-exit 0 if $ARGV[0] =~ /upgrade/;
-
-my $imagedir = "/boot";
-
-my $version = "@@KVNAME@@";
-
-if (-d "/etc/kernel/postrm.d") {
-  print STDERR "Examining /etc/kernel/postrm.d.\n";
-  system (
-      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/postrm.d"
-  ) && die "Failed to process /etc/kernel/postrm.d";
-}
-
-unlink "$imagedir/initrd.img-$version";
-unlink "$imagedir/initrd.img-$version.bak";
-unlink "/var/lib/initramfs-tools/$version";
-
-# Ignore all invocations except when called on to purge.
-exit 0 unless $ARGV[0] =~ /purge/;
-
-my @files_to_remove = qw{
-    modules.dep modules.isapnpmap modules.pcimap
-    modules.usbmap modules.parportmap
-    modules.generic_string modules.ieee1394map
-    modules.ieee1394map modules.pnpbiosmap
-    modules.alias modules.ccwmap modules.inputmap
-    modules.symbols modules.ofmap
-    modules.seriomap modules.*.bin
-    modules.softdep modules.devname
-};
-
-foreach my $extra_file (@files_to_remove) {
-    for (glob("/lib/modules/$version/$extra_file")) {
-	unlink;
-    }
-}
-
-system ("rmdir", "/lib/modules/$version") if -d "/lib/modules/$version";
-
-exit 0

debian/pve-kernel.postinst.in

@@ -1,7 +1,6 @@
-#!/usr/bin/perl
+#!/usr/bin/perl -w
 
 use strict;
-use warnings;
 
 # Ignore all invocations except when called on to configure.
 exit 0 unless $ARGV[0] =~ /configure/;
@@ -17,9 +16,10 @@ system("depmod $version");
 
 if (-d "/etc/kernel/postinst.d") {
   print STDERR "Examining /etc/kernel/postinst.d.\n";
-  system(
-      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/postinst.d"
-  ) && die "Failed to process /etc/kernel/postinst.d";
+  system ("run-parts --verbose --exit-on-error --arg=$version " .
+          "--arg=$imagedir/vmlinuz-$version " .
+          "/etc/kernel/postinst.d") &&
+            die "Failed to process /etc/kernel/postinst.d";
 }
 
 exit 0

debian/pve-kernel.postrm.in

@@ -0,0 +1,46 @@
+#!/usr/bin/perl -w
+
+use strict;
+
+# Ignore all 'upgrade' invocations .
+exit 0 if $ARGV[0] =~ /upgrade/;
+
+my $imagedir = "/boot";
+
+my $version = "@@KVNAME@@";
+
+if (-d "/etc/kernel/postrm.d") {
+  print STDERR "Examining /etc/kernel/postrm.d.\n";
+  system ("run-parts --verbose --exit-on-error --arg=$version " .
+          "--arg=$imagedir/vmlinuz-$version " .
+          "/etc/kernel/postrm.d") &&
+            die "Failed to process /etc/kernel/postrm.d";
+}
+
+unlink "$imagedir/initrd.img-$version";
+unlink "$imagedir/initrd.img-$version.bak";
+unlink "/var/lib/initramfs-tools/$version";
+
+# Ignore all invocations except when called on to purge.
+exit 0 unless $ARGV[0] =~ /purge/;
+
+my @files_to_remove = qw{
+                         modules.dep modules.isapnpmap modules.pcimap
+                         modules.usbmap modules.parportmap
+                         modules.generic_string modules.ieee1394map
+                         modules.ieee1394map modules.pnpbiosmap
+                         modules.alias modules.ccwmap modules.inputmap
+                         modules.symbols modules.ofmap
+                         modules.seriomap modules.*.bin
+			 modules.softdep modules.devname
+                       };
+
+foreach my $extra_file (@files_to_remove) {
+    for (glob("/lib/modules/$version/$extra_file")) {
+	unlink;
+    }
+}
+
+system ("rmdir", "/lib/modules/$version") if -d "/lib/modules/$version";
+
+exit 0

debian/pve-kernel.prerm.in

@@ -1,7 +1,6 @@
-#!/usr/bin/perl
+#!/usr/bin/perl -w
 
 use strict;
-use warnings;
 
 # Ignore all invocations uxcept when called on to remove
 exit 0 unless ($ARGV[0] && $ARGV[0] =~ /remove/) ;
@@ -15,9 +14,10 @@ my $version = "@@KVNAME@@";
 
 if (-d "/etc/kernel/prerm.d") {
   print STDERR "Examining /etc/kernel/prerm.d.\n";
-  system(
-      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/prerm.d"
-  ) && die "Failed to process /etc/kernel/prerm.d";
+  system ("run-parts --verbose --exit-on-error --arg=$version " . 
+          "--arg=$imagedir/vmlinuz-$version " .
+          "/etc/kernel/prerm.d") &&
+	  die "Failed to process /etc/kernel/prerm.d";
 }
 
 exit 0

debian/rules

@@ -9,23 +9,17 @@ BUILD_DIR=$(shell pwd)
 
 include /usr/share/dpkg/default.mk
 include debian/rules.d/env.mk
-include debian/rules.d/$(DEB_BUILD_ARCH).mk
-
-MAKEFLAGS += $(subst parallel=,-j,$(filter parallel=%,${DEB_BUILD_OPTIONS}))
+include debian/rules.d/${DEB_BUILD_ARCH}.mk
 
 CHANGELOG_DATE:=$(shell dpkg-parsechangelog -SDate)
-CHANGELOG_DATE_UTC_ISO := $(shell date -u -d '$(CHANGELOG_DATE)' +%Y-%m-%dT%H:%MZ)
 
-PMX_KERNEL_PKG=proxmox-kernel-$(KVNAME)
-PMX_KERNEL_SERIES_PKG=proxmox-kernel-$(KERNEL_MAJMIN)
-PMX_DEBUG_KERNEL_PKG=proxmox-kernel-$(KVNAME)-dbgsym
-PMX_HEADER_PKG=proxmox-headers-$(KVNAME)
-PMX_USR_HEADER_PKG=proxmox-kernel-libc-dev
-LINUX_TOOLS_PKG=linux-tools-$(KERNEL_MAJMIN)
-KERNEL_SRC_COPY=$(KERNEL_SRC)_tmp
+PVE_KERNEL_PKG=pve-kernel-${KVNAME}
+PVE_HEADER_PKG=pve-headers-${KVNAME}
+LINUX_TOOLS_PKG=linux-tools-${KERNEL_MAJMIN}
+KERNEL_SRC_COPY=${KERNEL_SRC}_tmp
 
 # TODO: split for archs, move to files?
-PMX_CONFIG_OPTS= \
+PVE_CONFIG_OPTS= \
 -m INTEL_MEI_WDT \
 -d CONFIG_SND_PCM_OSS \
 -e CONFIG_TRANSPARENT_HUGEPAGE_MADVISE \
@@ -33,91 +27,49 @@ PMX_CONFIG_OPTS= \
 -m CONFIG_CEPH_FS \
 -m CONFIG_BLK_DEV_NBD \
 -m CONFIG_BLK_DEV_RBD \
--m CONFIG_BLK_DEV_UBLK \
 -d CONFIG_SND_PCSP \
 -m CONFIG_BCACHE \
 -m CONFIG_JFS_FS \
 -m CONFIG_HFS_FS \
 -m CONFIG_HFSPLUS_FS \
--e CIFS_SMB_DIRECT \
--e CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU \
 -e CONFIG_BRIDGE \
 -e CONFIG_BRIDGE_NETFILTER \
 -e CONFIG_BLK_DEV_SD \
 -e CONFIG_BLK_DEV_SR \
 -e CONFIG_BLK_DEV_DM \
--m CONFIG_BLK_DEV_NVME \
--e CONFIG_NLS_ISO8859_1 \
+-e CONFIG_BLK_DEV_NVME \
 -d CONFIG_INPUT_EVBUG \
 -d CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND \
--d CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL \
 -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
--e CONFIG_SYSFB_SIMPLEFB \
--e CONFIG_DRM_SIMPLEDRM \
--e CONFIG_MODULE_SIG \
--e CONFIG_MODULE_SIG_ALL \
--e CONFIG_MODULE_SIG_FORMAT \
---set-str CONFIG_MODULE_SIG_HASH sha512 \
---set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
--e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
--e CONFIG_MODULE_SIG_SHA512 \
+-d CONFIG_MODULE_SIG \
 -d CONFIG_MEMCG_DISABLED \
 -e CONFIG_MEMCG_SWAP_ENABLED \
--e CONFIG_HYPERV \
--m CONFIG_VFIO_IOMMU_TYPE1 \
--m CONFIG_VFIO_VIRQFD \
--m CONFIG_VFIO \
--m CONFIG_VFIO_PCI \
--m CONFIG_USB_XHCI_HCD \
--m CONFIG_USB_XHCI_PCI \
--m CONFIG_USB_EHCI_HCD \
--m CONFIG_USB_EHCI_PCI \
--m CONFIG_USB_EHCI_HCD_PLATFORM \
--m CONFIG_USB_OHCI_HCD \
--m CONFIG_USB_OHCI_HCD_PCI \
--m CONFIG_USB_OHCI_HCD_PLATFORM \
--d CONFIG_USB_OHCI_HCD_SSB \
--m CONFIG_USB_UHCI_HCD \
--d CONFIG_USB_SL811_HCD_ISO \
 -e CONFIG_MEMCG_KMEM \
 -d CONFIG_DEFAULT_CFQ \
 -e CONFIG_DEFAULT_DEADLINE \
 -e CONFIG_MODVERSIONS \
--e CONFIG_ZSTD_COMPRESS \
 -d CONFIG_DEFAULT_SECURITY_DAC \
 -e CONFIG_DEFAULT_SECURITY_APPARMOR \
 --set-str CONFIG_DEFAULT_SECURITY apparmor \
--e CONFIG_MODULE_ALLOW_BTF_MISMATCH \
 -d CONFIG_UNWINDER_ORC \
 -d CONFIG_UNWINDER_GUESS \
 -e CONFIG_UNWINDER_FRAME_POINTER \
---set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
---set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
--e CONFIG_SECURITY_LOCKDOWN_LSM \
--e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
---set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
--e CONFIG_PAGE_TABLE_ISOLATION \
--e CONFIG_ARCH_HAS_CPU_FINALIZE_INIT \
--d CONFIG_GDS_FORCE_MITIGATION
+-e CONFIG_PAGE_TABLE_ISOLATION
 
 debian/control: $(wildcard debian/*.in)
-	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.prerm.in > debian/$(PMX_KERNEL_PKG).prerm
-	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postrm.in > debian/$(PMX_KERNEL_PKG).postrm
-	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postinst.in > debian/$(PMX_KERNEL_PKG).postinst
-	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-headers.postinst.in > debian/$(PMX_HEADER_PKG).postinst
-	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postrm.in > debian/$(PMX_KERNEL_SERIES_PKG).postrm
-	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postinst.in > debian/$(PMX_KERNEL_SERIES_PKG).postinst
-	chmod +x debian/$(PMX_KERNEL_PKG).prerm
-	chmod +x debian/$(PMX_KERNEL_PKG).postrm
-	chmod +x debian/$(PMX_KERNEL_PKG).postinst
-	chmod +x debian/$(PMX_KERNEL_SERIES_PKG).postrm
-	chmod +x debian/$(PMX_KERNEL_SERIES_PKG).postinst
-	chmod +x debian/$(PMX_HEADER_PKG).postinst
-	sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.prerm.in > debian/${PVE_KERNEL_PKG}.prerm
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postrm.in > debian/${PVE_KERNEL_PKG}.postrm
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postinst.in > debian/${PVE_KERNEL_PKG}.postinst
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-headers.postinst.in > debian/${PVE_HEADER_PKG}.postinst
+	chmod +x debian/${PVE_KERNEL_PKG}.prerm
+	chmod +x debian/${PVE_KERNEL_PKG}.postrm
+	chmod +x debian/${PVE_KERNEL_PKG}.postinst
+	chmod +x debian/${PVE_HEADER_PKG}.postinst
+	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/${KERNEL_MAJMIN}/g' < debian/control.in > debian/control
 
 build: .compile_mark .tools_compile_mark .modules_compile_mark
 
-install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
+install: .install_mark .tools_install_mark .headers_install_mark
 	dh_installdocs -A debian/copyright debian/SOURCE
 	dh_installchangelogs
 	dh_installman
@@ -127,7 +79,7 @@ install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_in
 
 binary: install
 	debian/rules fwcheck abicheck
-	dh_strip -N$(PMX_HEADER_PKG) -N$(PMX_USR_HEADER_PKG)
+	dh_strip -N${PVE_HEADER_PKG}
 	dh_makeshlibs
 	dh_shlibdeps
 	dh_installdeb
@@ -136,90 +88,72 @@ binary: install
 	dh_builddeb
 
 .config_mark:
-	cd $(KERNEL_SRC); scripts/config $(PMX_CONFIG_OPTS)
-	$(MAKE) -C $(KERNEL_SRC) oldconfig
-	# copy to allow building in parallel to kernel/module compilation without interference
-	rm -rf $(KERNEL_SRC_COPY)
-	cp -ar $(KERNEL_SRC) $(KERNEL_SRC_COPY)
+	cd ${KERNEL_SRC}; scripts/config ${PVE_CONFIG_OPTS}
+	${MAKE} -C ${KERNEL_SRC} oldconfig
 	touch $@
 
 .compile_mark: .config_mark
-	$(MAKE) -C $(KERNEL_SRC) KBUILD_BUILD_VERSION_TIMESTAMP="PMX $(DEB_VERSION) ($(CHANGELOG_DATE_UTC_ISO))"
+	${MAKE} -C ${KERNEL_SRC} KBUILD_BUILD_VERSION_TIMESTAMP="PVE ${DEB_VERSION} (${CHANGELOG_DATE})"
 	touch $@
 
 .install_mark: .compile_mark .modules_compile_mark
-	rm -rf debian/$(PMX_KERNEL_PKG)
-	mkdir -p debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)
-	mkdir debian/$(PMX_KERNEL_PKG)/boot
-	install -m 644 $(KERNEL_SRC)/.config debian/$(PMX_KERNEL_PKG)/boot/config-$(KVNAME)
-	install -m 644 $(KERNEL_SRC)/System.map debian/$(PMX_KERNEL_PKG)/boot/System.map-$(KVNAME)
-	install -m 644 $(KERNEL_SRC)/$(KERNEL_IMAGE_PATH) debian/$(PMX_KERNEL_PKG)/boot/$(KERNEL_INSTALL_FILE)-$(KVNAME)
-	$(MAKE) -C $(KERNEL_SRC) INSTALL_MOD_PATH=$(BUILD_DIR)/debian/$(PMX_KERNEL_PKG)/ modules_install
+	rm -rf debian/${PVE_KERNEL_PKG}
+	mkdir -p debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}
+	mkdir debian/${PVE_KERNEL_PKG}/boot
+	install -m 644 ${KERNEL_SRC}/.config debian/${PVE_KERNEL_PKG}/boot/config-${KVNAME}
+	install -m 644 ${KERNEL_SRC}/System.map debian/${PVE_KERNEL_PKG}/boot/System.map-${KVNAME}
+	install -m 644 ${KERNEL_SRC}/${KERNEL_IMAGE_PATH} debian/${PVE_KERNEL_PKG}/boot/${KERNEL_INSTALL_FILE}-${KVNAME}
+	${MAKE} -C ${KERNEL_SRC} INSTALL_MOD_PATH=${BUILD_DIR}/debian/${PVE_KERNEL_PKG}/ modules_install
+	## install latest ibg driver
+	install -m 644 ${MODULES}/igb.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/kernel/drivers/net/ethernet/intel/igb/
+	# install latest e1000e driver
+	install -m 644 ${MODULES}/e1000e.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/kernel/drivers/net/ethernet/intel/e1000e/
 	# install zfs drivers
-	install -d -m 0755 debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
-	install -m 644 $(addprefix $(MODULES)/,zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko icp.ko zlua.ko spl.ko zzstd.ko) debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
+	install -d -m 0755 debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 $(addprefix ${MODULES}/,spl.ko splat.ko zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko zpios.ko icp.ko) debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
 	# remove firmware
-	rm -rf debian/$(PMX_KERNEL_PKG)/lib/firmware
-
-ifeq ($(filter pkg.proxmox-kernel.debug,$(DEB_BUILD_PROFILES)),)
-	echo "'pkg.proxmox-kernel.debug' build profile disabled, skipping -dbgsym creation"
-else
-	echo "'pkg.proxmox-kernel.debug' build profile enabled, creating -dbgsym contents"
-	mkdir -p debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)
-	mkdir debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot
-	install -m 644 $(KERNEL_SRC)/vmlinux debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot/vmlinux-$(KVNAME)
-	cp -r debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/
-	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/source
-	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/build
-	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/modules.*
-endif
-
+	rm -rf debian/${PVE_KERNEL_PKG}/lib/firmware
 	# strip debug info
-	find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
-
-	# sign modules using ephemeral, embedded key
-	if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
-		find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
-			./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
-		done; \
-		rm ./ubuntu-kernel/certs/signing_key.pem ; \
-	fi
+	find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
 	# finalize
-	/sbin/depmod -b debian/$(PMX_KERNEL_PKG)/ $(KVNAME)
+	/sbin/depmod -b debian/${PVE_KERNEL_PKG}/ ${KVNAME}
 	# Autogenerate blacklist for watchdog devices (see README)
-	install -m 0755 -d debian/$(PMX_KERNEL_PKG)/lib/modprobe.d
-	ls debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
+	install -m 0755 -d debian/${PVE_KERNEL_PKG}/lib/modprobe.d
+	ls debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
 	echo ipmi_watchdog.ko >> watchdog-blacklist.tmp
-	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/$(PMX_KERNEL_PKG)/lib/modprobe.d/blacklist_$(PMX_KERNEL_PKG).conf
-	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/source
-	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/build
+	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/${PVE_KERNEL_PKG}/lib/modprobe.d/blacklist_${PVE_KERNEL_PKG}.conf
+	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/source
+	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/build
 	touch $@
 
 .tools_compile_mark: .compile_mark
-	$(MAKE) -C $(KERNEL_SRC)/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
+	${MAKE} -C ${KERNEL_SRC}/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python2.7
 	echo "checking GPL-2 only perf binary for library linkage with incompatible licenses.."
-	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibbfd'
-	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibcrypto'
-	$(MAKE) -C $(KERNEL_SRC)/tools/perf man
+	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibbfd'
+	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibcrypto'
+	${MAKE} -C ${KERNEL_SRC}/tools/perf man
 	touch $@
 
 .tools_install_mark: .tools_compile_mark
-	rm -rf debian/$(LINUX_TOOLS_PKG)
-	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/bin
-	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1
-	install -m 755 $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/perf debian/$(LINUX_TOOLS_PKG)/usr/bin/perf_$(KERNEL_MAJMIN)
-	for i in $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/Documentation/*.1; do \
+	rm -rf debian/${LINUX_TOOLS_PKG}
+	mkdir -p debian/${LINUX_TOOLS_PKG}/usr/bin
+	mkdir -p debian/${LINUX_TOOLS_PKG}/usr/share/man/man1
+	install -m 755 ${BUILD_DIR}/${KERNEL_SRC}/tools/perf/perf debian/${LINUX_TOOLS_PKG}/usr/bin/perf_$(KERNEL_MAJMIN)
+	for i in ${BUILD_DIR}/${KERNEL_SRC}/tools/perf/Documentation/*.1; do \
 	    fname="$${i##*/}"; manname="$${fname%.1}"; \
-	    install -m644 "$$i" "debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1/$${manname}_$(KERNEL_MAJMIN).1"; \
+	    install -m644 "$$i" "debian/${LINUX_TOOLS_PKG}/usr/share/man/man1/$${manname}_$(KERNEL_MAJMIN).1"; \
 	done
 	touch $@
 
 .headers_prepare_mark: .config_mark
-	rm -rf debian/$(PMX_HEADER_PKG)
-	mkdir -p debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
-	install -m 0644 $(KERNEL_SRC)/.config debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
-	make -C $(KERNEL_SRC_COPY) mrproper
-	cd $(KERNEL_SRC_COPY); find . -path './debian/*' -prune \
+	rm -rf debian/${PVE_HEADER_PKG}
+	mkdir -p debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	install -m 0644 ${KERNEL_SRC}/.config debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	# copy to allow building in parallel to kernel/module compilation without interference
+	rm -rf ${KERNEL_SRC_COPY}
+	cp -ar ${KERNEL_SRC} ${KERNEL_SRC_COPY}
+	make -C ${KERNEL_SRC_COPY} mrproper
+	cd ${KERNEL_SRC_COPY}; find . -path './debian/*' -prune \
 	    -o -path './include/*' -prune \
 	    -o -path './Documentation' -prune \
 	    -o -path './scripts' -prune \
@@ -231,87 +165,84 @@ endif
 	        -o -name '*.sh' \
 	        -o -name '*.pl' \
 	    \) \
-	    -print | cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
-	cd $(KERNEL_SRC_COPY); \
+	    -print | cpio -pd --preserve-modification-time ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	cd ${KERNEL_SRC_COPY}; cp -a include scripts ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	cd ${KERNEL_SRC_COPY}; \
 	    ( \
-	        find arch/$(KERNEL_HEADER_ARCH) -name include -type d -print | \
+	        find arch/${KERNEL_HEADER_ARCH} -name include -type d -print | \
 	        xargs -n1 -i: find : -type f \
 	    ) | \
-	    cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	    cpio -pd --preserve-modification-time ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
 	touch $@
 
 .headers_compile_mark: .headers_prepare_mark
 	# set output to subdir of source to reduce number of hardcoded paths in output files
-	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
-	mkdir -p $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
-	cp $(KERNEL_SRC)/.config $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/.config
-	$(MAKE) -C $(KERNEL_SRC_COPY) O=$(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -j1 syncconfig modules_prepare prepare scripts
-	cd $(KERNEL_SRC_COPY); cp -a include scripts $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
-	find $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -name \*.o.ur-\* -o -name '*.cmd' | xargs rm -f
-	rsync --ignore-existing -r -v -a $(addprefix $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/,arch include kernel scripts tools) $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/
-	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)
+	rm -rf ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}
+	mkdir -p ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}
+	cp ${KERNEL_SRC}/.config ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}/.config
+	${MAKE} -C ${KERNEL_SRC_COPY} O=${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG} -j1 silentoldconfig prepare scripts
+	find ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG} -name \*.o.ur-\* | xargs rm -f
+	rsync --ignore-existing -r -v -a $(addprefix ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}/,arch include kernel scripts tools) ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/
+	rm -rf ${BUILD_DIR}/${KERNEL_SRC_COPY}
 	touch $@
 
 .headers_install_mark: .compile_mark .modules_compile_mark .headers_compile_mark
-	cp $(KERNEL_SRC)/include/generated/compile.h debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/include/generated/compile.h
-	install -m 0644 $(KERNEL_SRC)/Module.symvers debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
-	mkdir -p debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)
-	ln -sf /usr/src/linux-headers-$(KVNAME) debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)/build
+	cp ${KERNEL_SRC}/include/generated/compile.h debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/include/generated/compile.h
+	install -m 0644 ${KERNEL_SRC}/Module.symvers debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	mkdir -p debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}
+	ln -sf /usr/src/linux-headers-${KVNAME} debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}/build
 	touch $@
 
-.usr_headers_install_mark: PKG_DIR = debian/$(PMX_USR_HEADER_PKG)
-.usr_headers_install_mark: OUT_DIR = $(PKG_DIR)/usr
-.usr_headers_install_mark: .config_mark
-	rm -rf '$(PKG_DIR)'
-	mkdir -p  '$(PKG_DIR)'
-	$(MAKE) -C $(KERNEL_SRC) headers_install ARCH=$(KERNEL_HEADER_ARCH) INSTALL_HDR_PATH='$(CURDIR)'/$(OUT_DIR)
-	rm -rf $(OUT_DIR)/include/drm $(OUT_DIR)/include/scsi
-	find $(OUT_DIR)/include \( -name .install -o -name ..install.cmd \) -execdir rm {} +
-
-# Move include/asm to arch-specific directory
-	mkdir -p $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)
-	mv $(OUT_DIR)/include/asm $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
-	test ! -d $(OUT_DIR)/include/arch || \
-		mv $(OUT_DIR)/include/arch $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
+.modules_compile_mark: $(addprefix ${MODULES}/,igb.ko e1000e.ko spl.ko zfs.ko)
 	touch $@
 
-.modules_compile_mark: $(MODULES)/zfs.ko
-	touch $@
+${MODULES}/spl.ko: .compile_mark
+	cd ${MODULES}/${SPLDIR}; ./autogen.sh
+	cd ${MODULES}/${SPLDIR}; ./configure --with-config=kernel --with-linux=${BUILD_DIR}/${KERNEL_SRC} --with-linux-obj=${BUILD_DIR}/${KERNEL_SRC}
+	${MAKE} -C ${MODULES}/${SPLDIR}
+	cp ${MODULES}/${SPLDIR}/module/splat/splat.ko ${MODULES}/
+	cp ${MODULES}/${SPLDIR}/module/spl/spl.ko ${MODULES}/
 
-$(MODULES)/zfs.ko: .compile_mark
-	cd $(MODULES)/$(ZFSDIR); ./autogen.sh
-	cd $(MODULES)/$(ZFSDIR); ./configure --with-config=kernel --with-linux=$(BUILD_DIR)/$(KERNEL_SRC) --with-linux-obj=$(BUILD_DIR)/$(KERNEL_SRC)
-	$(MAKE) -C $(MODULES)/$(ZFSDIR)
-	cp $(MODULES)/$(ZFSDIR)/module/avl/zavl.ko $(MODULES)/
-	cp $(MODULES)/$(ZFSDIR)/module/nvpair/znvpair.ko $(MODULES)/
-	cp $(MODULES)/$(ZFSDIR)/module/unicode/zunicode.ko $(MODULES)/
-	cp $(MODULES)/$(ZFSDIR)/module/zcommon/zcommon.ko $(MODULES)/
-	cp $(MODULES)/$(ZFSDIR)/module/icp/icp.ko $(MODULES)/
-	cp $(MODULES)/$(ZFSDIR)/module/zfs/zfs.ko $(MODULES)/
-	cp $(MODULES)/$(ZFSDIR)/module/lua/zlua.ko $(MODULES)/
-	cp $(MODULES)/$(ZFSDIR)/module/spl/spl.ko $(MODULES)/
-	cp $(MODULES)/$(ZFSDIR)/module/zstd/zzstd.ko $(MODULES)/
+${MODULES}/zfs.ko: .compile_mark ${MODULES}/spl.ko
+	cd ${MODULES}/${ZFSDIR}; ./autogen.sh
+	cd ${MODULES}/${ZFSDIR}; ./configure --with-spl=${BUILD_DIR}/${MODULES}/${SPLDIR} --with-spl-obj=${BUILD_DIR}/${MODULES}/${SPLDIR} --with-config=kernel --with-linux=${BUILD_DIR}/${KERNEL_SRC} --with-linux-obj=${BUILD_DIR}/${KERNEL_SRC}
+	${MAKE} -C ${MODULES}/${ZFSDIR}
+	cp ${MODULES}/${ZFSDIR}/module/avl/zavl.ko ${MODULES}/
+	cp ${MODULES}/${ZFSDIR}/module/nvpair/znvpair.ko ${MODULES}/
+	cp ${MODULES}/${ZFSDIR}/module/unicode/zunicode.ko ${MODULES}/
+	cp ${MODULES}/${ZFSDIR}/module/zcommon/zcommon.ko ${MODULES}/
+	cp ${MODULES}/${ZFSDIR}/module/zpios/zpios.ko ${MODULES}/
+	cp ${MODULES}/${ZFSDIR}/module/icp/icp.ko ${MODULES}/
+	cp ${MODULES}/${ZFSDIR}/module/zfs/zfs.ko ${MODULES}/
 
-fwlist-$(KVNAME): .compile_mark .modules_compile_mark
-	debian/scripts/find-firmware.pl debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) >fwlist.tmp
+${MODULES}/igb.ko: .compile_mark
+	${MAKE} -C ${MODULES}/${IGBDIR}/src BUILD_KERNEL=${KVNAME} KSRC=${BUILD_DIR}/${KERNEL_SRC}
+	cp ${MODULES}/${IGBDIR}/src/igb.ko ${MODULES}/
+
+${MODULES}/e1000e.ko: .compile_mark
+	${MAKE} -C ${MODULES}/${E1000EDIR}/src BUILD_KERNEL=${KVNAME} KSRC=${BUILD_DIR}/${KERNEL_SRC}
+	cp ${MODULES}/${E1000EDIR}/src/e1000e.ko ${MODULES}/
+
+fwlist-${KVNAME}: .compile_mark .modules_compile_mark
+	debian/scripts/find-firmware.pl debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME} >fwlist.tmp
 	mv fwlist.tmp $@
 
 .PHONY: fwcheck
-fwcheck: fwlist-$(KVNAME) fwlist-previous
+fwcheck: fwlist-${KVNAME} fwlist-previous
 	@echo "checking fwlist for changes since last built firmware package.."
-	@echo "if this check fails, add fwlist-$(KVNAME) to the pve-firmware repository and upload a new firmware package together with the $(KVNAME) kernel"
+	@echo "if this check fails, add fwlist-${KVNAME} to the pve-firmware repository and upload a new firmware package together with the ${KVNAME} kernel"
 	sort fwlist-previous | uniq > fwlist-previous.sorted
-	sort fwlist-$(KVNAME) | uniq > fwlist-$(KVNAME).sorted
-	diff -up -N fwlist-previous.sorted fwlist-$(KVNAME).sorted > fwlist.diff
-	rm fwlist.diff fwlist-previous.sorted fwlist-$(KVNAME).sorted
+	sort fwlist-${KVNAME} | uniq > fwlist-${KVNAME}.sorted
+	diff -up -N fwlist-previous.sorted fwlist-${KVNAME}.sorted > fwlist.diff
+	rm fwlist.diff fwlist-previous.sorted fwlist-${KVNAME}.sorted
 	@echo "done, no need to rebuild pve-firmware"
 
 
-abi-$(KVNAME): .compile_mark
-	debian/scripts/abi-generate debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/Module.symvers abi-$(KVNAME) $(KVNAME)
+abi-${KVNAME}: .compile_mark
+	debian/scripts/abi-generate debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/Module.symvers abi-${KVNAME} ${KVNAME}
 
 .PHONY: abicheck
-abicheck: debian/scripts/abi-check abi-$(KVNAME) abi-prev-* abi-blacklist
-	debian/scripts/abi-check abi-$(KVNAME) abi-prev-* $(SKIPABI)
+abicheck: debian/scripts/abi-check abi-${KVNAME} abi-prev-* abi-blacklist
+	debian/scripts/abi-check abi-${KVNAME} abi-prev-* ${SKIPABI}
 
 .PHONY: clean

debian/scripts/abi-check

@@ -1,14 +1,12 @@
-#!/usr/bin/perl
-
-use strict;
-use warnings;
+#!/usr/bin/perl -w
 
 my $abinew = shift;
 my $abiold = shift;
 my $skipabi = shift;
 
 # to catch multiple abi-prev-* files being passed in
-die "invalid value '$skipabi' for skipabi parameter\n" if defined($skipabi) && $skipabi !~ /^[01]$/;
+die "invalid value for skipabi parameter\n"
+	if (defined($skipabi) && $skipabi !~ /^[01]$/);
 
 $abinew =~ /abi-(.*)/;
 my $abistr = $1;
@@ -25,30 +23,30 @@ my $count;
 print "II: Checking ABI...\n";
 
 if ($skipabi) {
-    print "WW: Explicitly asked to ignore ABI, running in no-fail mode\n";
-    $fail_exit = 0;
-    $abiskip = 1;
-    $EE = "WW:";
+	print "WW: Explicitly asked to ignore ABI, running in no-fail mode\n";
+	$fail_exit = 0;
+	$abiskip = 1;
+	$EE = "WW:";
 }
 
 if ($prev_abistr ne $abistr) {
-    print "II: Different ABI's, running in no-fail mode\n";
-    $fail_exit = 0;
-    $EE = "WW:";
+	print "II: Different ABI's, running in no-fail mode\n";
+	$fail_exit = 0;
+	$EE = "WW:";
 }
 
 if (not -f "$abinew" or not -f "$abiold") {
-    print "EE: Previous or current ABI file missing!\n";
-    print "    $abinew\n" if not -f "$abinew";
-    print "    $abiold\n" if not -f "$abiold";
+	print "EE: Previous or current ABI file missing!\n";
+	print "    $abinew\n" if not -f "$abinew";
+	print "    $abiold\n" if not -f "$abiold";
 
-    # Exit if the ABI files are missing, but return status based on whether
-    # skip ABI was indicated.
-    if ("$abiskip" eq "1") {
-	exit(0);
-    } else {
-	exit(1);
-    }
+	# Exit if the ABI files are missing, but return status based on whether
+	# skip ABI was indicated.
+	if ("$abiskip" eq "1") {
+		exit(0);
+	} else {
+		exit(1);
+	}
 }
 
 my %symbols;
@@ -60,97 +58,101 @@ my %module_syms;
 my $ignore = 0;
 print "    Reading symbols/modules to ignore...";
 
-for my $file ("abi-blacklist") {
-    next if !-f $file;
-    open(my $IGNORE_FH, '<', $file) or die "Could not open $file - $!";
-
-    while (<$IGNORE_FH>) {
-	chomp;
-	if ($_ =~ m/M: (.*)/) {
-	    $modules_ignore{$1} = 1;
-	} else {
-	    $symbols_ignore{$_} = 1;
+for $file ("abi-blacklist") {
+	if (-f $file) {
+		open(IGNORE, "< $file") or
+			die "Could not open $file";
+		while (<IGNORE>) {
+			chomp;
+			if ($_ =~ m/M: (.*)/) {
+				$modules_ignore{$1} = 1;
+			} else {
+				$symbols_ignore{$_} = 1;
+			}
+			$ignore++;
+		}
+		close(IGNORE);
 	}
-	$ignore++;
-    }
-    close($IGNORE_FH);
 }
 print "read $ignore symbols/modules.\n";
 
 sub is_ignored($$) {
-    my ($mod, $sym) = @_;
+	my ($mod, $sym) = @_;
 
-    die "Missing module name in is_ignored()" if not defined($mod);
-    die "Missing symbol name in is_ignored()" if not defined($sym);
+	die "Missing module name in is_ignored()" if not defined($mod);
+	die "Missing symbol name in is_ignored()" if not defined($sym);
 
-    if (defined($symbols_ignore{$sym}) or defined($modules_ignore{$mod})) {
-	return 1;
-    }
-    return 0;
+	if (defined($symbols_ignore{$sym}) or defined($modules_ignore{$mod})) {
+		return 1;
+	}
+	return 0;
 }
 
 # Read new syms first
 print "    Reading new symbols ($abistr)...";
 $count = 0;
-open(my $NEW_FH, '<', $abinew) or die "Could not open $abinew - $!";
-while (<$NEW_FH>) {
-    chomp;
-    m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
-    $symbols{$4}{'type'} = $1;
-    $symbols{$4}{'loc'} = $2;
-    $symbols{$4}{'hash'} = $3;
-    $module_syms{$2} = 0;
-    $count++;
+open(NEW, "< $abinew") or
+	die "Could not open $abinew";
+while (<NEW>) {
+	chomp;
+	m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
+	$symbols{$4}{'type'} = $1;
+	$symbols{$4}{'loc'} = $2;
+	$symbols{$4}{'hash'} = $3;
+	$module_syms{$2} = 0;
+	$count++;
 }
-close($NEW_FH);
+close(NEW);
 print "read $count symbols.\n";
 
 # Now the old symbols, checking for missing ones
 print "    Reading old symbols...";
 $count = 0;
-open(my $OLD_FH, '<', $abiold) or die "Could not open $abiold - $!";
-while (<$OLD_FH>) {
-    chomp;
-    m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
-    $symbols{$4}{'old_type'} = $1;
-    $symbols{$4}{'old_loc'} = $2;
-    $symbols{$4}{'old_hash'} = $3;
-    $count++;
+open(OLD, "< $abiold") or
+	die "Could not open $abiold";
+while (<OLD>) {
+	chomp;
+	m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
+	$symbols{$4}{'old_type'} = $1;
+	$symbols{$4}{'old_loc'} = $2;
+	$symbols{$4}{'old_hash'} = $3;
+	$count++;
 }
-close($OLD_FH);
+close(OLD);
 
 print "read $count symbols.\n";
 
 print "II: Checking for missing symbols in new ABI...";
 $count = 0;
-for my $sym (keys(%symbols)) {
-    if (!defined($symbols{$sym}{'type'})) {
-	print "\n" if not $count;
-	printf("    MISS : %s%s\n", $sym, is_ignored($symbols{$sym}{'old_loc'}, $sym) ? " (ignored)" : "");
-	$count++ if !is_ignored($symbols{$sym}{'old_loc'}, $sym);
-    }
+foreach $sym (keys(%symbols)) {
+	if (!defined($symbols{$sym}{'type'})) {
+		print "\n" if not $count;
+		printf("    MISS : %s%s\n", $sym,
+			is_ignored($symbols{$sym}{'old_loc'}, $sym) ? " (ignored)" : "");
+		$count++ if !is_ignored($symbols{$sym}{'old_loc'}, $sym);
+	}
 }
 print "    " if $count;
 print "found $count missing symbols\n";
 if ($count) {
-    print "$EE Symbols gone missing (what did you do!?!)\n";
-    $errors++;
+	print "$EE Symbols gone missing (what did you do!?!)\n";
+	$errors++;
 }
 
 
 print "II: Checking for new symbols in new ABI...";
 $count = 0;
-for my $sym (keys(%symbols)) {
-    if (!defined($symbols{$sym}{'old_type'})) {
-	print "\n" if not $count;
-	print "    NEW : $sym\n";
-	$count++;
-    }
+foreach $sym (keys(%symbols)) {
+	if (!defined($symbols{$sym}{'old_type'})) {
+		print "\n" if not $count;
+		print "    NEW : $sym\n";
+		$count++;
+	}
 }
 print "    " if $count;
 print "found $count new symbols\n";
 if ($count) {
-    print "WW: Found new symbols. Not recommended unless ABI was bumped\n";
+	print "WW: Found new symbols. Not recommended unless ABI was bumped\n";
 }
 
 print "II: Checking for changes to ABI...\n";
@@ -158,34 +160,37 @@ $count = 0;
 my $moved = 0;
 my $changed_type = 0;
 my $changed_hash = 0;
-for my $sym (keys(%symbols)) {
-    if (!defined($symbols{$sym}{'old_type'}) or !defined($symbols{$sym}{'type'})) {
-	next;
-    }
+foreach $sym (keys(%symbols)) {
+	if (!defined($symbols{$sym}{'old_type'}) or
+	    !defined($symbols{$sym}{'type'})) {
+		next;
+	}
 
-    # Changes in location don't hurt us, but log it anyway
-    if ($symbols{$sym}{'loc'} ne $symbols{$sym}{'old_loc'}) {
-	printf("    MOVE : %-40s : %s => %s\n", $sym, $symbols{$sym}{'old_loc'}, $symbols{$sym}{'loc'});
-	$moved++;
-    }
+	# Changes in location don't hurt us, but log it anyway
+	if ($symbols{$sym}{'loc'} ne $symbols{$sym}{'old_loc'}) {
+		printf("    MOVE : %-40s : %s => %s\n", $sym, $symbols{$sym}{'old_loc'},
+			$symbols{$sym}{'loc'});
+		$moved++;
+	}
 
-    # Changes to export type are only bad if new type isn't
-    # EXPORT_SYMBOL. Changing things to GPL are bad.
-    if ($symbols{$sym}{'type'} ne $symbols{$sym}{'old_type'}) {
-	printf("    TYPE : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_type'}.
-	    $symbols{$sym}{'type'}, is_ignored($symbols{$sym}{'loc'}, $sym)
-	    ? " (ignored)" : "");
-	$changed_type++ if $symbols{$sym}{'type'} ne "EXPORT_SYMBOL" and !is_ignored($symbols{$sym}{'loc'}, $sym);
-    }
+	# Changes to export type are only bad if new type isn't
+	# EXPORT_SYMBOL. Changing things to GPL are bad.
+	if ($symbols{$sym}{'type'} ne $symbols{$sym}{'old_type'}) {
+		printf("    TYPE : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_type'}.
+			$symbols{$sym}{'type'}, is_ignored($symbols{$sym}{'loc'}, $sym)
+			? " (ignored)" : "");
+		$changed_type++ if $symbols{$sym}{'type'} ne "EXPORT_SYMBOL"
+			and !is_ignored($symbols{$sym}{'loc'}, $sym);
+	}
 
-    # Changes to the hash are always bad
-    if ($symbols{$sym}{'hash'} ne $symbols{$sym}{'old_hash'}) {
-	printf("    HASH : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_hash'},
-	    $symbols{$sym}{'hash'}, is_ignored($symbols{$sym}{'loc'}, $sym)
-	    ? " (ignored)" : "");
-	$changed_hash++ if !is_ignored($symbols{$sym}{'loc'}, $sym);
-	$module_syms{$symbols{$sym}{'loc'}}++;
-    }
+	# Changes to the hash are always bad
+	if ($symbols{$sym}{'hash'} ne $symbols{$sym}{'old_hash'}) {
+		printf("    HASH : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_hash'},
+			$symbols{$sym}{'hash'}, is_ignored($symbols{$sym}{'loc'}, $sym)
+			? " (ignored)" : "");
+		$changed_hash++ if !is_ignored($symbols{$sym}{'loc'}, $sym);
+		$module_syms{$symbols{$sym}{'loc'}}++;
+	}
 }
 
 print "WW: $moved symbols changed location\n" if $moved;
@@ -194,17 +199,17 @@ print "$EE $changed_hash symbols changed hash and weren't ignored\n" if $changed
 
 $errors++ if $changed_hash or $changed_type;
 if ($changed_hash) {
-    print "II: Module hash change summary...\n";
-    for my $mod (sort { $module_syms{$b} <=> $module_syms{$a} } keys %module_syms) {
-	next if ! $module_syms{$mod};
-	printf("    %-40s: %d\n", $mod, $module_syms{$mod});
-    }
+	print "II: Module hash change summary...\n";
+	foreach $mod (sort { $module_syms{$b} <=> $module_syms{$a} } keys %module_syms) {
+		next if ! $module_syms{$mod};
+		printf("    %-40s: %d\n", $mod, $module_syms{$mod});
+	}
 }
 
 print "II: Done\n";
 
 if ($errors) {
-    exit($fail_exit);
+	exit($fail_exit);
 } else {
-    exit(0);
+	exit(0);
 }

debian/scripts/abi-generate

@@ -1,11 +1,8 @@
-#!/usr/bin/perl
+#!/usr/bin/perl -w
 
-use strict;
-use warnings;
+use PVE::Tools;
 
-use PVE::Tools ();
-
-use IO::File ();
+use IO::File;
 
 sub usage {
     die "USAGE: $0 INFILE OUTFILE [ABI INFILE-IS-DEB]\n";

debian/scripts/export-patchqueue

@@ -6,7 +6,7 @@ top=$(pwd)
 
 if [ "$#" -ne 3 ]; then
     echo "USAGE: $0 repo patchdir ref"
-    printf "\t exports patches from 'repo' to 'patchdir' based on 'ref'\n"
+    echo "\t exports patches from 'repo' to 'patchdir' based on 'ref'"
     exit 1
 fi
 
@@ -25,10 +25,10 @@ git format-patch \
     --no-cover-letter \
     --zero-commit \
     --no-signature \
-    --diff-algorithm=myers \
-    --output-directory="${top}/${kernel_patchdir}" \
+    --output-dir \
+    "${top}/${kernel_patchdir}" \
     "${base_ref}.."
 
-git checkout "${base_ref}"
+git checkout ${base_ref}
 
 cd "${top}"

debian/scripts/find-firmware.pl

@@ -1,7 +1,6 @@
-#!/usr/bin/perl
+#!/usr/bin/perl -w
 
 use strict;
-use warnings;
 
 my $dir = shift;
 
@@ -9,25 +8,25 @@ die "no directory to scan" if !$dir;
 
 die "no such directory" if ! -d $dir;
 
-warn "\n\nNOTE: strange directory name: $dir\n\n" if $dir !~ m|^(.*/)?(\d+.\d+.\d+\-\d+\-pve)(/+)?$|;
+die "strange directory name" if $dir !~ m|^(.*/)?(4.15.\d+\-\d+\-pve)(/+)?$|;
 
 my $apiver = $2;
 
-open(my $FIND_KO_FH, "find '$dir' -name '*.ko'|");
-while (defined(my $fn = <$FIND_KO_FH>)) {
+open(TMP, "find '$dir' -name '*.ko'|");
+while (defined(my $fn = <TMP>)) {
     chomp $fn;
     my $relfn = $fn;
     $relfn =~ s|^$dir/*||;
 
     my $cmd = "/sbin/modinfo -F firmware '$fn'";
-    open(my $MOD_FH, "$cmd|");
-    while (defined(my $fw = <$MOD_FH>)) {
+    open(MOD, "$cmd|");
+    while (defined(my $fw = <MOD>)) {
 	chomp $fw;
 	print "$fw $relfn\n";
     }
-    close($MOD_FH);
+    close(MOD);
 
 }
-close($FIND_KO_FH);
+close TMP;
 
 exit 0;

debian/source/lintian-overrides

@@ -1,2 +0,0 @@
-proxmox-kernel-6.2 source: debian-control-has-dbgsym-package (in section for proxmox-kernel-*-pve-dbgsym) Package [debian/control:*]
-proxmox-kernel-6.2 source: license-problem-gfdl-invariants invariant part is: with the :ref:`invariant sections <fdl-invariant>` being list their titles, with the :ref:`front-cover texts <fdl-cover-texts>` being list, and with the :ref:`back-cover texts <fdl-cover-texts>` being list [ubuntu-kernel/Documentation/userspace-api/media/fdl-appendix.rst]

patches/intel/e1000e/e1000e_4.10_max-mtu.patch

@@ -0,0 +1,37 @@
+diff --git a/src/netdev.c b/src/netdev.c
+index 73b0f9a..aef1bc2 100644
+--- a/src/netdev.c
++++ b/src/netdev.c
+@@ -6724,19 +6724,12 @@ static int e1000_change_mtu(struct net_device *netdev, int new_mtu)
+ 	int max_frame = new_mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
+ 
+ 	/* Jumbo frame support */
+-	if ((max_frame > (VLAN_ETH_FRAME_LEN + ETH_FCS_LEN)) &&
++	if ((new_mtu > ETH_DATA_LEN) &&
+ 	    !(adapter->flags & FLAG_HAS_JUMBO_FRAMES)) {
+ 		e_err("Jumbo Frames not supported.\n");
+ 		return -EINVAL;
+ 	}
+ 
+-	/* Supported frame sizes */
+-	if ((new_mtu < (VLAN_ETH_ZLEN + ETH_FCS_LEN)) ||
+-	    (max_frame > adapter->max_hw_frame_size)) {
+-		e_err("Unsupported MTU setting\n");
+-		return -EINVAL;
+-	}
+-
+ 	/* Jumbo frame workaround on 82579 and newer requires CRC be stripped */
+ 	if ((adapter->hw.mac.type >= e1000_pch2lan) &&
+ 	    !(adapter->flags2 & FLAG2_CRC_STRIPPING) &&
+@@ -8262,6 +8255,11 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ #endif /* HAVE_NETDEV_VLAN_FEATURES */
+ 	}
+ 
++	/* MTU range: 68 - max_hw_frame_size */
++	netdev->min_mtu = ETH_MIN_MTU;
++	netdev->max_mtu = adapter->max_hw_frame_size -
++	                  (VLAN_ETH_HLEN + ETH_FCS_LEN);
++
+ 	if (e1000e_enable_mng_pass_thru(&adapter->hw))
+ 		adapter->flags |= FLAG_MNG_PT_ENABLED;
+ 

patches/intel/e1000e/e1000e_4.15-new-timer.patch

@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Tue, 5 Jun 2018 11:16:29 +0200
+Subject: [PATCH] port to new internal kernel timer API
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+diff --git a/src/netdev.c b/src/netdev.c
+--- a/src/netdev.c
++++ b/src/netdev.c
+@@ -5389,9 +5389,10 @@
+  * Need to wait a few seconds after link up to get diagnostic information from
+  * the phy
+  **/
+-static void e1000_update_phy_info(unsigned long data)
++static void e1000_update_phy_info(struct timer_list *t)
+ {
+-	struct e1000_adapter *adapter = (struct e1000_adapter *)data;
++	struct e1000_adapter *adapter;
++	adapter = from_timer(adapter, t, phy_info_timer);
+ 
+ 	if (test_bit(__E1000_DOWN, &adapter->state))
+ 		return;
+@@ -5774,9 +5775,10 @@
+  * e1000_watchdog - Timer Call-back
+  * @data: pointer to adapter cast into an unsigned long
+  **/
+-static void e1000_watchdog(unsigned long data)
++static void e1000_watchdog(struct timer_list *t)
+ {
+-	struct e1000_adapter *adapter = (struct e1000_adapter *)data;
++	struct e1000_adapter *adapter;
++	adapter = from_timer(adapter, t, watchdog_timer);
+ 
+ 	/* Do the rest outside of interrupt context */
+ 	schedule_work(&adapter->watchdog_task);
+@@ -8348,13 +8348,9 @@
+ 		goto err_eeprom;
+ 	}
+ 
+-	init_timer(&adapter->watchdog_timer);
+-	adapter->watchdog_timer.function = e1000_watchdog;
+-	adapter->watchdog_timer.data = (unsigned long)adapter;
+-
+-	init_timer(&adapter->phy_info_timer);
+-	adapter->phy_info_timer.function = e1000_update_phy_info;
+-	adapter->phy_info_timer.data = (unsigned long)adapter;
++	timer_setup(&adapter->watchdog_timer, e1000_watchdog, 0);
++
++	timer_setup(&adapter->phy_info_timer, e1000_update_phy_info, 0);
+ 
+ 	INIT_WORK(&adapter->reset_task, e1000_reset_task);
+ 	INIT_WORK(&adapter->watchdog_task, e1000_watchdog_task);

patches/intel/igb/igb_4.15_mtu.patch

@@ -0,0 +1,15 @@
+diff --git a/src/igb_main.c.orig b/src/igb_main.c
+index 3ee1ec7..c8adf04 100644
+--- a/src/igb_main.c.orig
++++ b/src/igb_main.c
+@@ -5888,10 +5888,8 @@ static int igb_change_mtu(struct net_dev
+ 	while (test_and_set_bit(__IGB_RESETTING, &adapter->state))
+ 		usleep_range(1000, 2000);
+ 
+-#ifndef HAVE_NETDEVICE_MIN_MAX_MTU
+ 	/* igb_down has a dependency on max_frame_size */
+ 	adapter->max_frame_size = max_frame;
+-#endif
+ 
+ 	if (netif_running(netdev))
+ 		igb_down(adapter);

patches/intel/intel-module-gcc6-compat.patch

@@ -0,0 +1,18 @@
+diff --git a/src/Makefile.orig b/src/Makefile
+index 8e962f7..50bcdcc 100644
+--- a/src/Makefile.orig
++++ b/src/Makefile
+@@ -123,6 +123,13 @@ ifeq (,$(CC))
+   $(error Compiler not found)
+ endif
+ 
++# workaround for GCC6's default PIE
++ifeq ($(CC),gcc)
++  PIE_TEST = [ -z "`$(CC) -fno-PIE -no-pie -x c -c /dev/null -o /dev/null 2>&1`" ]
++  PIE_FLAGS := $(shell $(PIE_TEST) && echo '-fno-PIE -no-pie')
++  EXTRA_CFLAGS += $(PIE_FLAGS)
++endif
++
+ # we need to know what platform the driver is being built on
+ # some additional features are only built on Intel platforms
+ ARCH := $(shell uname -m | sed 's/i.86/i386/')

patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch

@@ -17,19 +17,28 @@ $KBUILD_BUILD_TIMESTAMP.
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- init/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ scripts/mkcompile_h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
 
-diff --git a/init/Makefile b/init/Makefile
-index ec557ada3c12..72095034f338 100644
---- a/init/Makefile
-+++ b/init/Makefile
-@@ -29,7 +29,7 @@ preempt-flag-$(CONFIG_PREEMPT_DYNAMIC)	:= PREEMPT_DYNAMIC
- preempt-flag-$(CONFIG_PREEMPT_RT)	:= PREEMPT_RT
+diff --git a/scripts/mkcompile_h b/scripts/mkcompile_h
+index 87f1fc9801d7..4ef868f1f244 100755
+--- a/scripts/mkcompile_h
++++ b/scripts/mkcompile_h
+@@ -33,10 +33,14 @@ else
+ 	VERSION=$KBUILD_BUILD_VERSION
+ fi
  
- build-version = $(or $(KBUILD_BUILD_VERSION), $(build-version-auto))
--build-timestamp = $(or $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
-+build-timestamp = $(or $(KBUILD_BUILD_VERSION_TIMESTAMP), $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
- 
- # Maximum length of UTS_VERSION is 64 chars
- filechk_uts_version = \
+-if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
+-	TIMESTAMP=`date`
++if [ -z "$KBUILD_BUILD_VERSION_TIMESTAMP" ]; then
++	if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
++		TIMESTAMP=`date`
++	else
++		TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
++	fi
+ else
+-	TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
++	TIMESTAMP=$KBUILD_BUILD_VERSION_TIMESTAMP
+ fi
+ if test -z "$KBUILD_BUILD_USER"; then
+ 	LINUX_COMPILE_BY=$(whoami | sed 's/\\/\\\\/')

patches/kernel/0002-bridge-keep-MAC-of-first-assigned-port.patch

@@ -19,10 +19,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 4 deletions(-)
 
 diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
-index 75204d36d7f9..1fb5ff73ec1e 100644
+index 808e2b914015..b0ad54384826 100644
 --- a/net/bridge/br_stp_if.c
 +++ b/net/bridge/br_stp_if.c
-@@ -265,10 +265,7 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
+@@ -259,10 +259,7 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
  		return false;
  
  	list_for_each_entry(p, &br->port_list, list) {

patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch

@@ -51,14 +51,14 @@ Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
  .../admin-guide/kernel-parameters.txt         |   9 ++
- drivers/pci/quirks.c                          | 102 ++++++++++++++++++
- 2 files changed, 111 insertions(+)
+ drivers/pci/quirks.c                          | 101 ++++++++++++++++++
+ 2 files changed, 110 insertions(+)
 
 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 5d47f23514d0..f06df077504b 100644
+index 325a5dd7813d..a95cc0b61b29 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -4210,6 +4210,15 @@
+@@ -3181,6 +3181,15 @@
  				Also, it enforces the PCI Local Bus spec
  				rule that those bits should be 0 in system reset
  				events (useful for kexec/kdump cases).
@@ -75,11 +75,11 @@ index 5d47f23514d0..f06df077504b 100644
  				Safety option to keep boot IRQs enabled. This
  				should never be necessary.
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 592e1c4ae697..aebf6f412203 100644
+index e5d1a00c481d..7ecd84506d8d 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
-@@ -194,6 +194,106 @@ static int __init pci_apply_final_quirks(void)
- }
+@@ -3769,6 +3769,106 @@ static int __init pci_apply_final_quirks(void)
+ 
  fs_initcall_sync(pci_apply_final_quirks);
  
 +static bool acs_on_downstream;
@@ -183,14 +183,13 @@ index 592e1c4ae697..aebf6f412203 100644
 +}
 +
  /*
-  * Decoding should be disabled for a PCI device during BAR sizing to avoid
-  * conflict. But doing so may cause problems on host bridge and perhaps other
-@@ -4974,6 +5074,8 @@ static const struct pci_dev_acs_enabled {
- 	{ PCI_VENDOR_ID_CAVIUM, 0xA060, pci_quirk_mf_endpoint_acs },
+  * Following are device-specific reset methods which can be used to
+  * reset a single function if other methods (e.g. FLR, PM D0->D3) are
+@@ -4664,6 +4764,7 @@ static const struct pci_dev_acs_enabled {
+ 	{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
  	/* APM X-Gene */
  	{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
-+	/* Enable overrides for missing ACS capabilities */
 +	{ PCI_ANY_ID, PCI_ANY_ID, pcie_acs_overrides },
- 	/* Ampere Computing */
- 	{ PCI_VENDOR_ID_AMPERE, 0xE005, pci_quirk_xgene_acs },
- 	{ PCI_VENDOR_ID_AMPERE, 0xE006, pci_quirk_xgene_acs },
+ 	{ 0 }
+ };
+ 

patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch

@@ -13,10 +13,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 73fad57408f7..99ae3e468ce6 100644
+index 706b13f0c698..c6749d154ebc 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
-@@ -79,7 +79,7 @@ module_param(halt_poll_ns, uint, 0644);
+@@ -78,7 +78,7 @@ module_param(halt_poll_ns, uint, 0644);
  EXPORT_SYMBOL_GPL(halt_poll_ns);
  
  /* Default doubles per-vcpu halt_poll_ns. */

patches/kernel/0005-ocfs2-make-metadata-estimation-accurate-and-clear.patch

@@ -0,0 +1,59 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Changwei Ge <ge.changwei@h3c.com>
+Date: Wed, 31 Jan 2018 16:15:02 -0800
+Subject: [PATCH] ocfs2: make metadata estimation accurate and clear
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Current code assume that ::w_unwritten_list always has only one item on.
+This is not right and hard to get understood.  So improve how to count
+unwritten item.
+
+Link: http://lkml.kernel.org/r/1515479070-32653-1-git-send-email-ge.changwei@h3c.com
+Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
+Reported-by: John Lightsey <john@nixnuts.net>
+Tested-by: John Lightsey <john@nixnuts.net>
+Cc: Mark Fasheh <mfasheh@versity.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+(cherry picked from commit 63de8bd9328bf2a778fc277503da163ae3defa3c)
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ fs/ocfs2/aops.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
+index 7de0c9562b70..209cec7efef4 100644
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -797,6 +797,7 @@ struct ocfs2_write_ctxt {
+ 	struct ocfs2_cached_dealloc_ctxt w_dealloc;
+ 
+ 	struct list_head		w_unwritten_list;
++	unsigned int			w_unwritten_count;
+ };
+ 
+ void ocfs2_unlock_and_free_pages(struct page **pages, int num_pages)
+@@ -1386,6 +1387,7 @@ static int ocfs2_unwritten_check(struct inode *inode,
+ 	desc->c_clear_unwritten = 0;
+ 	list_add_tail(&new->ue_ip_node, &oi->ip_unwritten_list);
+ 	list_add_tail(&new->ue_node, &wc->w_unwritten_list);
++	wc->w_unwritten_count++;
+ 	new = NULL;
+ unlock:
+ 	spin_unlock(&oi->ip_lock);
+@@ -2277,7 +2279,7 @@ static int ocfs2_dio_wr_get_block(struct inode *inode, sector_t iblock,
+ 		ue->ue_phys = desc->c_phys;
+ 
+ 		list_splice_tail_init(&wc->w_unwritten_list, &dwc->dw_zero_list);
+-		dwc->dw_zero_count++;
++		dwc->dw_zero_count += wc->w_unwritten_count;
+ 	}
+ 
+ 	ret = ocfs2_write_end_nolock(inode->i_mapping, pos, len, len, wc);

patches/kernel/0006-net-core-downgrade-unregister_netdevice-refcount-lea.patch

@@ -1,28 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Date: Wed, 7 Oct 2020 17:18:28 +0200
-Subject: [PATCH] net: core: downgrade unregister_netdevice refcount leak from
- emergency to error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
- net/core/dev.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/core/dev.c b/net/core/dev.c
-index 555bbe774734..de2e0d0185fc 100644
---- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -10262,7 +10262,7 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list)
- 		if (time_after(jiffies, warning_time +
- 			       READ_ONCE(netdev_unregister_timeout_secs) * HZ)) {
- 			list_for_each_entry(dev, list, todo_list) {
--				pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
-+				pr_err("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
- 					 dev->name, netdev_refcnt_read(dev));
- 				ref_tracker_dir_print(&dev->refcnt_tracker, 10);
- 			}

patches/kernel/0006-ocfs2-try-to-reuse-extent-block-in-dealloc-without-m.patch

@@ -0,0 +1,368 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Changwei Ge <ge.changwei@h3c.com>
+Date: Wed, 31 Jan 2018 16:15:06 -0800
+Subject: [PATCH] ocfs2: try to reuse extent block in dealloc without
+ meta_alloc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A crash issue was reported by John Lightsey with a call trace as follows:
+
+  ocfs2_split_extent+0x1ad3/0x1b40 [ocfs2]
+  ocfs2_change_extent_flag+0x33a/0x470 [ocfs2]
+  ocfs2_mark_extent_written+0x172/0x220 [ocfs2]
+  ocfs2_dio_end_io+0x62d/0x910 [ocfs2]
+  dio_complete+0x19a/0x1a0
+  do_blockdev_direct_IO+0x19dd/0x1eb0
+  __blockdev_direct_IO+0x43/0x50
+  ocfs2_direct_IO+0x8f/0xa0 [ocfs2]
+  generic_file_direct_write+0xb2/0x170
+  __generic_file_write_iter+0xc3/0x1b0
+  ocfs2_file_write_iter+0x4bb/0xca0 [ocfs2]
+  __vfs_write+0xae/0xf0
+  vfs_write+0xb8/0x1b0
+  SyS_write+0x4f/0xb0
+  system_call_fastpath+0x16/0x75
+
+The BUG code told that extent tree wants to grow but no metadata was
+reserved ahead of time.  From my investigation into this issue, the root
+cause it that although enough metadata is not reserved, there should be
+enough for following use.  Rightmost extent is merged into its left one
+due to a certain times of marking extent written.  Because during
+marking extent written, we got many physically continuous extents.  At
+last, an empty extent showed up and the rightmost path is removed from
+extent tree.
+
+Add a new mechanism to reuse extent block cached in dealloc which were
+just unlinked from extent tree to solve this crash issue.
+
+Criteria is that during marking extents *written*, if extent rotation
+and merging results in unlinking extent with growing extent tree later
+without any metadata reserved ahead of time, try to reuse those extents
+in dealloc in which deleted extents are cached.
+
+Also, this patch addresses the issue John reported that ::dw_zero_count
+is not calculated properly.
+
+After applying this patch, the issue John reported was gone.  Thanks for
+the reproducer provided by John.  And this patch has passed
+ocfs2-test(29 cases) suite running by New H3C Group.
+
+[ge.changwei@h3c.com: fix static checker warnning]
+  Link: http://lkml.kernel.org/r/63ADC13FD55D6546B7DECE290D39E373F29196AE@H3CMLB12-EX.srv.huawei-3com.com
+[akpm@linux-foundation.org: brelse(NULL) is legal]
+Link: http://lkml.kernel.org/r/1515479070-32653-2-git-send-email-ge.changwei@h3c.com
+Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
+Reported-by: John Lightsey <john@nixnuts.net>
+Tested-by: John Lightsey <john@nixnuts.net>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Mark Fasheh <mfasheh@versity.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+(cherry picked from commit 71a36944042b7d9dd71f6a5d1c5ea1c2353b5d42)
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ fs/ocfs2/alloc.c | 206 ++++++++++++++++++++++++++++++++++++++++++++---
+ fs/ocfs2/alloc.h |   1 +
+ fs/ocfs2/aops.c  |   6 ++
+ 3 files changed, 203 insertions(+), 10 deletions(-)
+
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index 6b177de324c0..3760888f2e76 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -165,6 +165,13 @@ static int ocfs2_dinode_insert_check(struct ocfs2_extent_tree *et,
+ 				     struct ocfs2_extent_rec *rec);
+ static int ocfs2_dinode_sanity_check(struct ocfs2_extent_tree *et);
+ static void ocfs2_dinode_fill_root_el(struct ocfs2_extent_tree *et);
++
++static int ocfs2_reuse_blk_from_dealloc(handle_t *handle,
++					struct ocfs2_extent_tree *et,
++					struct buffer_head **new_eb_bh,
++					int blk_wanted, int *blk_given);
++static int ocfs2_is_dealloc_empty(struct ocfs2_extent_tree *et);
++
+ static const struct ocfs2_extent_tree_operations ocfs2_dinode_et_ops = {
+ 	.eo_set_last_eb_blk	= ocfs2_dinode_set_last_eb_blk,
+ 	.eo_get_last_eb_blk	= ocfs2_dinode_get_last_eb_blk,
+@@ -448,6 +455,7 @@ static void __ocfs2_init_extent_tree(struct ocfs2_extent_tree *et,
+ 	if (!obj)
+ 		obj = (void *)bh->b_data;
+ 	et->et_object = obj;
++	et->et_dealloc = NULL;
+ 
+ 	et->et_ops->eo_fill_root_el(et);
+ 	if (!et->et_ops->eo_fill_max_leaf_clusters)
+@@ -1158,7 +1166,7 @@ static int ocfs2_add_branch(handle_t *handle,
+ 			    struct buffer_head **last_eb_bh,
+ 			    struct ocfs2_alloc_context *meta_ac)
+ {
+-	int status, new_blocks, i;
++	int status, new_blocks, i, block_given = 0;
+ 	u64 next_blkno, new_last_eb_blk;
+ 	struct buffer_head *bh;
+ 	struct buffer_head **new_eb_bhs = NULL;
+@@ -1213,11 +1221,31 @@ static int ocfs2_add_branch(handle_t *handle,
+ 		goto bail;
+ 	}
+ 
+-	status = ocfs2_create_new_meta_bhs(handle, et, new_blocks,
+-					   meta_ac, new_eb_bhs);
+-	if (status < 0) {
+-		mlog_errno(status);
+-		goto bail;
++	/* Firstyly, try to reuse dealloc since we have already estimated how
++	 * many extent blocks we may use.
++	 */
++	if (!ocfs2_is_dealloc_empty(et)) {
++		status = ocfs2_reuse_blk_from_dealloc(handle, et,
++						      new_eb_bhs, new_blocks,
++						      &block_given);
++		if (status < 0) {
++			mlog_errno(status);
++			goto bail;
++		}
++	}
++
++	BUG_ON(block_given > new_blocks);
++
++	if (block_given < new_blocks) {
++		BUG_ON(!meta_ac);
++		status = ocfs2_create_new_meta_bhs(handle, et,
++						   new_blocks - block_given,
++						   meta_ac,
++						   &new_eb_bhs[block_given]);
++		if (status < 0) {
++			mlog_errno(status);
++			goto bail;
++		}
+ 	}
+ 
+ 	/* Note: new_eb_bhs[new_blocks - 1] is the guy which will be
+@@ -1340,15 +1368,25 @@ static int ocfs2_shift_tree_depth(handle_t *handle,
+ 				  struct ocfs2_alloc_context *meta_ac,
+ 				  struct buffer_head **ret_new_eb_bh)
+ {
+-	int status, i;
++	int status, i, block_given = 0;
+ 	u32 new_clusters;
+ 	struct buffer_head *new_eb_bh = NULL;
+ 	struct ocfs2_extent_block *eb;
+ 	struct ocfs2_extent_list  *root_el;
+ 	struct ocfs2_extent_list  *eb_el;
+ 
+-	status = ocfs2_create_new_meta_bhs(handle, et, 1, meta_ac,
+-					   &new_eb_bh);
++	if (!ocfs2_is_dealloc_empty(et)) {
++		status = ocfs2_reuse_blk_from_dealloc(handle, et,
++						      &new_eb_bh, 1,
++						      &block_given);
++	} else if (meta_ac) {
++		status = ocfs2_create_new_meta_bhs(handle, et, 1, meta_ac,
++						   &new_eb_bh);
++
++	} else {
++		BUG();
++	}
++
+ 	if (status < 0) {
+ 		mlog_errno(status);
+ 		goto bail;
+@@ -1511,7 +1549,7 @@ static int ocfs2_grow_tree(handle_t *handle, struct ocfs2_extent_tree *et,
+ 	int depth = le16_to_cpu(el->l_tree_depth);
+ 	struct buffer_head *bh = NULL;
+ 
+-	BUG_ON(meta_ac == NULL);
++	BUG_ON(meta_ac == NULL && ocfs2_is_dealloc_empty(et));
+ 
+ 	shift = ocfs2_find_branch_target(et, &bh);
+ 	if (shift < 0) {
+@@ -6585,6 +6623,154 @@ ocfs2_find_per_slot_free_list(int type,
+ 	return fl;
+ }
+ 
++static struct ocfs2_per_slot_free_list *
++ocfs2_find_preferred_free_list(int type,
++			       int preferred_slot,
++			       int *real_slot,
++			       struct ocfs2_cached_dealloc_ctxt *ctxt)
++{
++	struct ocfs2_per_slot_free_list *fl = ctxt->c_first_suballocator;
++
++	while (fl) {
++		if (fl->f_inode_type == type && fl->f_slot == preferred_slot) {
++			*real_slot = fl->f_slot;
++			return fl;
++		}
++
++		fl = fl->f_next_suballocator;
++	}
++
++	/* If we can't find any free list matching preferred slot, just use
++	 * the first one.
++	 */
++	fl = ctxt->c_first_suballocator;
++	*real_slot = fl->f_slot;
++
++	return fl;
++}
++
++/* Return Value 1 indicates empty */
++static int ocfs2_is_dealloc_empty(struct ocfs2_extent_tree *et)
++{
++	struct ocfs2_per_slot_free_list *fl = NULL;
++
++	if (!et->et_dealloc)
++		return 1;
++
++	fl = et->et_dealloc->c_first_suballocator;
++	if (!fl)
++		return 1;
++
++	if (!fl->f_first)
++		return 1;
++
++	return 0;
++}
++
++/* If extent was deleted from tree due to extent rotation and merging, and
++ * no metadata is reserved ahead of time. Try to reuse some extents
++ * just deleted. This is only used to reuse extent blocks.
++ * It is supposed to find enough extent blocks in dealloc if our estimation
++ * on metadata is accurate.
++ */
++static int ocfs2_reuse_blk_from_dealloc(handle_t *handle,
++					struct ocfs2_extent_tree *et,
++					struct buffer_head **new_eb_bh,
++					int blk_wanted, int *blk_given)
++{
++	int i, status = 0, real_slot;
++	struct ocfs2_cached_dealloc_ctxt *dealloc;
++	struct ocfs2_per_slot_free_list *fl;
++	struct ocfs2_cached_block_free *bf;
++	struct ocfs2_extent_block *eb;
++	struct ocfs2_super *osb =
++		OCFS2_SB(ocfs2_metadata_cache_get_super(et->et_ci));
++
++	*blk_given = 0;
++
++	/* If extent tree doesn't have a dealloc, this is not faulty. Just
++	 * tell upper caller dealloc can't provide any block and it should
++	 * ask for alloc to claim more space.
++	 */
++	dealloc = et->et_dealloc;
++	if (!dealloc)
++		goto bail;
++
++	for (i = 0; i < blk_wanted; i++) {
++		/* Prefer to use local slot */
++		fl = ocfs2_find_preferred_free_list(EXTENT_ALLOC_SYSTEM_INODE,
++						    osb->slot_num, &real_slot,
++						    dealloc);
++		/* If no more block can be reused, we should claim more
++		 * from alloc. Just return here normally.
++		 */
++		if (!fl) {
++			status = 0;
++			break;
++		}
++
++		bf = fl->f_first;
++		fl->f_first = bf->free_next;
++
++		new_eb_bh[i] = sb_getblk(osb->sb, bf->free_blk);
++		if (new_eb_bh[i] == NULL) {
++			status = -ENOMEM;
++			mlog_errno(status);
++			goto bail;
++		}
++
++		mlog(0, "Reusing block(%llu) from "
++		     "dealloc(local slot:%d, real slot:%d)\n",
++		     bf->free_blk, osb->slot_num, real_slot);
++
++		ocfs2_set_new_buffer_uptodate(et->et_ci, new_eb_bh[i]);
++
++		status = ocfs2_journal_access_eb(handle, et->et_ci,
++						 new_eb_bh[i],
++						 OCFS2_JOURNAL_ACCESS_CREATE);
++		if (status < 0) {
++			mlog_errno(status);
++			goto bail;
++		}
++
++		memset(new_eb_bh[i]->b_data, 0, osb->sb->s_blocksize);
++		eb = (struct ocfs2_extent_block *) new_eb_bh[i]->b_data;
++
++		/* We can't guarantee that buffer head is still cached, so
++		 * polutlate the extent block again.
++		 */
++		strcpy(eb->h_signature, OCFS2_EXTENT_BLOCK_SIGNATURE);
++		eb->h_blkno = cpu_to_le64(bf->free_blk);
++		eb->h_fs_generation = cpu_to_le32(osb->fs_generation);
++		eb->h_suballoc_slot = cpu_to_le16(real_slot);
++		eb->h_suballoc_loc = cpu_to_le64(bf->free_bg);
++		eb->h_suballoc_bit = cpu_to_le16(bf->free_bit);
++		eb->h_list.l_count =
++			cpu_to_le16(ocfs2_extent_recs_per_eb(osb->sb));
++
++		/* We'll also be dirtied by the caller, so
++		 * this isn't absolutely necessary.
++		 */
++		ocfs2_journal_dirty(handle, new_eb_bh[i]);
++
++		if (!fl->f_first) {
++			dealloc->c_first_suballocator = fl->f_next_suballocator;
++			kfree(fl);
++		}
++		kfree(bf);
++	}
++
++	*blk_given = i;
++
++bail:
++	if (unlikely(status < 0)) {
++		for (i = 0; i < blk_wanted; i++)
++			brelse(new_eb_bh[i]);
++	}
++
++	return status;
++}
++
+ int ocfs2_cache_block_dealloc(struct ocfs2_cached_dealloc_ctxt *ctxt,
+ 			      int type, int slot, u64 suballoc,
+ 			      u64 blkno, unsigned int bit)
+diff --git a/fs/ocfs2/alloc.h b/fs/ocfs2/alloc.h
+index 27b75cf32cfa..250bcacdf9e9 100644
+--- a/fs/ocfs2/alloc.h
++++ b/fs/ocfs2/alloc.h
+@@ -61,6 +61,7 @@ struct ocfs2_extent_tree {
+ 	ocfs2_journal_access_func		et_root_journal_access;
+ 	void					*et_object;
+ 	unsigned int				et_max_leaf_clusters;
++	struct ocfs2_cached_dealloc_ctxt	*et_dealloc;
+ };
+ 
+ /*
+diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
+index 209cec7efef4..1cf7ac84b70b 100644
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -2353,6 +2353,12 @@ static int ocfs2_dio_end_io_write(struct inode *inode,
+ 
+ 	ocfs2_init_dinode_extent_tree(&et, INODE_CACHE(inode), di_bh);
+ 
++	/* Attach dealloc with extent tree in case that we may reuse extents
++	 * which are already unlinked from current extent tree due to extent
++	 * rotation and merging.
++	 */
++	et.et_dealloc = &dealloc;
++
+ 	ret = ocfs2_lock_allocators(inode, &et, 0, dwc->dw_zero_count*2,
+ 				    &data_ac, &meta_ac);
+ 	if (ret) {

patches/kernel/0007-Revert-UBUNTU-Packaging-retpoline-add-safe-usage-hin.patch

@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
+Date: Tue, 3 Apr 2018 14:59:26 +0200
+Subject: [PATCH] Revert "UBUNTU: [Packaging] retpoline -- add safe usage hint
+ support"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This (partially) reverts commit 1e39020902132b3065bedf0a0c33031e89f9f57a.
+
+this modifies the upstream kernel build to call an Ubuntu script which
+we remove before building. it would also be required by any module
+builds afterwards and is not shipped by Ubuntu's kernel packages either.
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ scripts/Makefile.build | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/scripts/Makefile.build b/scripts/Makefile.build
+index 5d72aa39d3c1..451546219dfc 100644
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -295,27 +295,19 @@ objtool_dep = $(objtool_obj)					\
+ 	      $(wildcard include/config/orc/unwinder.h		\
+ 			 include/config/stack/validation.h)
+ 
+-ifdef CONFIG_RETPOLINE
+-cmd_ubuntu_retpoline = $(CONFIG_SHELL) $(srctree)/scripts/ubuntu-retpoline-extract-one $(@) $(<) "$(filter -m16 %code16gcc.h,$(a_flags))";
+-else
+-cmd_ubuntu_retpoline =
+-endif
+-
+ define rule_cc_o_c
+ 	$(call echo-cmd,checksrc) $(cmd_checksrc)			  \
+ 	$(call cmd_and_fixdep,cc_o_c)					  \
+ 	$(cmd_checkdoc)							  \
+ 	$(call echo-cmd,objtool) $(cmd_objtool)				  \
+ 	$(cmd_modversions_c)						  \
+-	$(call echo-cmd,ubuntu-retpoline) $(cmd_ubuntu_retpoline)	  \
+ 	$(call echo-cmd,record_mcount) $(cmd_record_mcount)
+ endef
+ 
+ define rule_as_o_S
+ 	$(call cmd_and_fixdep,as_o_S)					  \
+ 	$(call echo-cmd,objtool) $(cmd_objtool)				  \
+-	$(cmd_modversions_S)						  \
+-	$(call echo-cmd,ubuntu-retpoline) $(cmd_ubuntu_retpoline)
++	$(cmd_modversions_S)
+ endef
+ 
+ # List module undefined symbols (or empty line if not enabled)

patches/kernel/0007-Revert-fortify-Do-not-cast-to-unsigned-char.patch

@@ -1,29 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Date: Tue, 10 Jan 2023 08:52:40 +0100
-Subject: [PATCH] Revert "fortify: Do not cast to "unsigned char""
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit 106b7a61c488d2022f44e3531ce33461c7c0685f.
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
- include/linux/fortify-string.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
-index 7cad8bb031e9..acc24887db3e 100644
---- a/include/linux/fortify-string.h
-+++ b/include/linux/fortify-string.h
-@@ -18,7 +18,7 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
- 
- #define __compiletime_strlen(p)					\
- ({								\
--	char *__p = (char *)(p);				\
-+	unsigned char *__p = (unsigned char *)(p);		\
- 	size_t __ret = SIZE_MAX;				\
- 	size_t __p_size = __member_size(p);			\
- 	if (__p_size != SIZE_MAX &&				\

patches/kernel/0008-KVM-Take-vcpu-mutex-outside-vcpu_load.patch

@@ -0,0 +1,168 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Mon, 4 Dec 2017 21:35:23 +0100
+Subject: [PATCH] KVM: Take vcpu->mutex outside vcpu_load
+
+As we're about to call vcpu_load() from architecture-specific
+implementations of the KVM vcpu ioctls, but yet we access data
+structures protected by the vcpu->mutex in the generic code, factor
+this logic out from vcpu_load().
+
+x86 is the only architecture which calls vcpu_load() outside of the main
+vcpu ioctl function, and these calls will no longer take the vcpu mutex
+following this patch.  However, with the exception of
+kvm_arch_vcpu_postcreate (see below), the callers are either in the
+creation or destruction path of the VCPU, which means there cannot be
+any concurrent access to the data structure, because the file descriptor
+is not yet accessible, or is already gone.
+
+kvm_arch_vcpu_postcreate makes the newly created vcpu potentially
+accessible by other in-kernel threads through the kvm->vcpus array, and
+we therefore take the vcpu mutex in this case directly.
+
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit ec7660ccdd2b71d8c7f0243f8590253713e9b75d)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/vmx.c       |  4 +---
+ arch/x86/kvm/x86.c       | 16 ++++++----------
+ include/linux/kvm_host.h |  2 +-
+ virt/kvm/kvm_main.c      | 17 ++++++-----------
+ 4 files changed, 14 insertions(+), 25 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 6875c8d13052..5dc2144a0991 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10017,10 +10017,8 @@ static void vmx_switch_vmcs(struct kvm_vcpu *vcpu, struct loaded_vmcs *vmcs)
+ static void vmx_free_vcpu_nested(struct kvm_vcpu *vcpu)
+ {
+        struct vcpu_vmx *vmx = to_vmx(vcpu);
+-       int r;
+ 
+-       r = vcpu_load(vcpu);
+-       BUG_ON(r);
++       vcpu_load(vcpu);
+        vmx_switch_vmcs(vcpu, &vmx->vmcs01);
+        free_nested(vmx);
+        vcpu_put(vcpu);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 960b14ba645e..6b1e434ceaf8 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -8061,17 +8061,13 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm,
+ 
+ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
+ {
+-	int r;
+-
+ 	vcpu->arch.arch_capabilities = kvm_get_arch_capabilities();
+ 	kvm_vcpu_mtrr_init(vcpu);
+-	r = vcpu_load(vcpu);
+-	if (r)
+-		return r;
++	vcpu_load(vcpu);
+ 	kvm_vcpu_reset(vcpu, false);
+ 	kvm_mmu_setup(vcpu);
+ 	vcpu_put(vcpu);
+-	return r;
++	return 0;
+ }
+ 
+ void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu)
+@@ -8081,13 +8077,15 @@ void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu)
+ 
+ 	kvm_hv_vcpu_postcreate(vcpu);
+ 
+-	if (vcpu_load(vcpu))
++	if (mutex_lock_killable(&vcpu->mutex))
+ 		return;
++	vcpu_load(vcpu);
+ 	msr.data = 0x0;
+ 	msr.index = MSR_IA32_TSC;
+ 	msr.host_initiated = true;
+ 	kvm_write_tsc(vcpu, &msr);
+ 	vcpu_put(vcpu);
++	mutex_unlock(&vcpu->mutex);
+ 
+ 	if (!kvmclock_periodic_sync)
+ 		return;
+@@ -8474,9 +8472,7 @@ int kvm_arch_post_init_vm(struct kvm *kvm)
+ 
+ static void kvm_unload_vcpu_mmu(struct kvm_vcpu *vcpu)
+ {
+-	int r;
+-	r = vcpu_load(vcpu);
+-	BUG_ON(r);
++	vcpu_load(vcpu);
+ 	kvm_mmu_unload(vcpu);
+ 	vcpu_put(vcpu);
+ }
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index f182bbfb0ac5..f8b7ac63219d 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -560,7 +560,7 @@ static inline int kvm_vcpu_get_idx(struct kvm_vcpu *vcpu)
+ int kvm_vcpu_init(struct kvm_vcpu *vcpu, struct kvm *kvm, unsigned id);
+ void kvm_vcpu_uninit(struct kvm_vcpu *vcpu);
+ 
+-int __must_check vcpu_load(struct kvm_vcpu *vcpu);
++void vcpu_load(struct kvm_vcpu *vcpu);
+ void vcpu_put(struct kvm_vcpu *vcpu);
+ 
+ #ifdef __KVM_HAVE_IOAPIC
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index c6749d154ebc..66998264619b 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -172,17 +172,12 @@ bool kvm_is_reserved_pfn(kvm_pfn_t pfn)
+ /*
+  * Switches to specified vcpu, until a matching vcpu_put()
+  */
+-int vcpu_load(struct kvm_vcpu *vcpu)
++void vcpu_load(struct kvm_vcpu *vcpu)
+ {
+-	int cpu;
+-
+-	if (mutex_lock_killable(&vcpu->mutex))
+-		return -EINTR;
+-	cpu = get_cpu();
++	int cpu = get_cpu();
+ 	preempt_notifier_register(&vcpu->preempt_notifier);
+ 	kvm_arch_vcpu_load(vcpu, cpu);
+ 	put_cpu();
+-	return 0;
+ }
+ EXPORT_SYMBOL_GPL(vcpu_load);
+ 
+@@ -192,7 +187,6 @@ void vcpu_put(struct kvm_vcpu *vcpu)
+ 	kvm_arch_vcpu_put(vcpu);
+ 	preempt_notifier_unregister(&vcpu->preempt_notifier);
+ 	preempt_enable();
+-	mutex_unlock(&vcpu->mutex);
+ }
+ EXPORT_SYMBOL_GPL(vcpu_put);
+ 
+@@ -2786,9 +2780,9 @@ static long kvm_vcpu_ioctl(struct file *filp,
+ #endif
+ 
+ 
+-	r = vcpu_load(vcpu);
+-	if (r)
+-		return r;
++	if (mutex_lock_killable(&vcpu->mutex))
++		return -EINTR;
++	vcpu_load(vcpu);
+ 	switch (ioctl) {
+ 	case KVM_RUN: {
+ 		struct pid *oldpid;
+@@ -2961,6 +2955,7 @@ static long kvm_vcpu_ioctl(struct file *filp,
+ 	}
+ out:
+ 	vcpu_put(vcpu);
++	mutex_unlock(&vcpu->mutex);
+ 	kfree(fpu);
+ 	kfree(kvm_sregs);
+ 	return r;

patches/kernel/0008-kvm-xsave-set-mask-out-PKRU-bit-in-xfeatures-if-vCPU.patch

@@ -1,133 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Date: Fri, 14 Jul 2023 18:10:32 +0200
-Subject: [PATCH] kvm: xsave set: mask-out PKRU bit in xfeatures if vCPU has no
- support
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes live-migrations & snapshot-rollback of VMs with a restricted
-CPU type (e.g., qemu64) from our 5.15 based kernel (default Proxmox
-VE 7.4) to the 6.2 (and future newer) of Proxmox VE 8.0.
-
-Previous to ad856280ddea ("x86/kvm/fpu: Limit guest user_xfeatures to
-supported bits of XCR0") the PKRU bit of the host could leak into the
-state from the guest, which caused trouble when migrating between
-hosts with different CPUs, i.e., where the source supported it but
-the target did not, causing a general protection fault when the guest
-tried to use a pkru related instruction after the migration.
-
-But the fix, while welcome, caused a temporary out-of-sync state when
-migrating such a VM from a kernel without the fix to a kernel with
-the fix, as it threw of KVM when the CPUID of the guest and most of
-the state doesn't report XSAVE and thus any xfeatures, but PKRU and
-the related state is set as enabled, causing the vCPU to spin at 100%
-without any progress forever.
-
-The fix could be at two sites, either in QEMU or in the kernel, I
-choose the kernel as we have all the info there for a targeted
-heuristic so that we don't have to adapt QEMU and qemu-server, the
-latter even on both sides.
-
-Still, a short summary of the possible fixes and short drawbacks:
-* on QEMU-side either
-  - clear the PKRU state in the migration saved state would be rather
-    complicated to implement as the vCPU is initialised way before we
-    have the saved xfeature state available to check what we'd need
-    to do, plus the user-space only gets a memory blob from ioctl
-    KVM_GET_XSAVE2 that it passes to KVM_SET_XSAVE ioctl, there are
-    no ABI guarantees, and while the struct seem stable for 5.15 to
-    6.5-rc1, that doesn't has to be for future kernels, so off the
-    table.
-  - enforce that the CPUID reports PKU support even if it normally
-    wouldn't. While this works (tested by hard-coding it as POC) it
-    is a) not really nice and b) needs some interaction from
-    qemu-server to enable this flag as otherwise we have no good info
-    to decide when it's OK to do this, which means we need to adapt
-    both PVE 7 and 8's qemu-server and also pve-qemu, workable but
-    not optimal
-
-* on Kernel/KVM-side we can hook into the set XSAVE ioctl specific to
-  the KVM subsystem, which already reduces chance of regression for
-  all other places. There we have access to the union/struct
-  definitions of the saved state and thus can savely cast to that.
-  We also got access to the vCPU's CPUID capabilities, meaning we can
-  check if the XCR0 (first XSAVE Control Register) reports
-  that it support the PKRU feature, and if it does *NOT* but the
-  saved xfeatures register from XSAVE *DOES* report it, we can safely
-  assume that this combination is due to an migration from an older,
-  leaky kernel – and clear the bit in the xfeature register before
-  restoring it to the guest vCPU KVM state, avoiding the confusing
-  situation that made the vCPU spin at 100%.
-  This should be safe to do, as the guest vCPU CPUID never reported
-  support for the PKRU feature, and it's also a relatively niche and
-  newish feature.
-
-If it gains us something we can drop this patch a bit in the future
-Proxmox VE 9 major release, but we should ensure that VMs that where
-started before PVE 8 cannot be directly live-migrated to the release
-that includes that change; so we should rather only drop it if the
-maintenance burden is high.
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- arch/x86/kvm/cpuid.c |  6 ++++++
- arch/x86/kvm/cpuid.h |  2 ++
- arch/x86/kvm/x86.c   | 13 +++++++++++++
- 3 files changed, 21 insertions(+)
-
-diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
-index 7ccdf991d18e..61aefeb3fdbc 100644
---- a/arch/x86/kvm/cpuid.c
-+++ b/arch/x86/kvm/cpuid.c
-@@ -251,6 +251,12 @@ static u64 cpuid_get_supported_xcr0(struct kvm_cpuid_entry2 *entries, int nent)
- 	return (best->eax | ((u64)best->edx << 32)) & kvm_caps.supported_xcr0;
- }
- 
-+bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu) {
-+	u64 guest_supported_xcr0 = cpuid_get_supported_xcr0(
-+	    vcpu->arch.cpuid_entries, vcpu->arch.cpuid_nent);
-+	return (guest_supported_xcr0 & XFEATURE_MASK_PKRU) != 0;
-+}
-+
- static void __kvm_update_cpuid_runtime(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *entries,
- 				       int nent)
- {
-diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
-index b1658c0de847..12a02851ff57 100644
---- a/arch/x86/kvm/cpuid.h
-+++ b/arch/x86/kvm/cpuid.h
-@@ -32,6 +32,8 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
- bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx,
- 	       u32 *ecx, u32 *edx, bool exact_only);
- 
-+bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu);
-+
- u32 xstate_required_size(u64 xstate_bv, bool compacted);
- 
- int cpuid_query_maxphyaddr(struct kvm_vcpu *vcpu);
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index ee603f4edce1..ff92ff41d5ce 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -5342,6 +5342,19 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
- 	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
- 		return 0;
- 
-+	if (!vcpu_supports_xsave_pkru(vcpu)) {
-+		void *buf = guest_xsave->region;
-+		union fpregs_state *ustate = buf;
-+		if (ustate->xsave.header.xfeatures & XFEATURE_MASK_PKRU) {
-+			printk(
-+				KERN_NOTICE "clearing PKRU xfeature bit as vCPU from PID %d"
-+				" reports no PKRU support - migration from fpu-leaky kernel?",
-+				current->pid
-+			);
-+			ustate->xsave.header.xfeatures &= ~XFEATURE_MASK_PKRU;
-+		}
-+	}
-+
- 	return fpu_copy_uabi_to_guest_fpstate(&vcpu->arch.guest_fpu,
- 					      guest_xsave->region,
- 					      kvm_caps.supported_xcr0,

patches/kernel/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch

@@ -1,41 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: kiler129 <grzegorz@noflash.pl>
-Date: Mon, 18 Sep 2023 15:19:26 +0200
-Subject: [PATCH] allow opt-in to allow pass-through on broken hardware..
-
-adapted from https://github.com/kiler129/relax-intel-rmrr , licensed under MIT or GPL 2.0+
----
- drivers/iommu/intel/iommu.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
-index 1c5ba4dbfe78..887667218e3b 100644
---- a/drivers/iommu/intel/iommu.c
-+++ b/drivers/iommu/intel/iommu.c
-@@ -297,6 +297,7 @@ static int dmar_map_gfx = 1;
- static int dmar_map_ipu = 1;
- static int intel_iommu_superpage = 1;
- static int iommu_identity_mapping;
-+static int intel_relaxable_rmrr = 0;
- static int iommu_skip_te_disable;
- 
- #define IDENTMAP_GFX		2
-@@ -358,6 +359,9 @@ static int __init intel_iommu_setup(char *str)
- 		} else if (!strncmp(str, "tboot_noforce", 13)) {
- 			pr_info("Intel-IOMMU: not forcing on after tboot. This could expose security risk for tboot\n");
- 			intel_iommu_tboot_noforce = 1;
-+		} else if (!strncmp(str, "relax_rmrr", 10)) {
-+			pr_info("Intel-IOMMU: assuming all RMRRs are relaxable. This can lead to instability or data loss\n");
-+			intel_relaxable_rmrr = 1;
- 		} else {
- 			pr_notice("Unknown option - '%s'\n", str);
- 		}
-@@ -2538,7 +2542,7 @@ static bool device_rmrr_is_relaxable(struct device *dev)
- 		return false;
- 
- 	pdev = to_pci_dev(dev);
--	if (IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
-+	if (intel_relaxable_rmrr || IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
- 		return true;
- 	else
- 		return false;

patches/kernel/0009-kvm-x86-Don-t-modify-MSR_PLATFORM_INFO-on-vCPU-reset.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jim Mattson <jmattson@google.com>
+Date: Tue, 30 Oct 2018 12:20:21 -0700
+Subject: [PATCH] kvm: x86: Don't modify MSR_PLATFORM_INFO on vCPU reset
+
+If userspace has provided a different value for this MSR (e.g with the
+turbo bits set), the userspace-provided value should survive a vCPU
+reset. For backwards compatibility, MSR_PLATFORM_INFO is initialized
+in kvm_arch_vcpu_setup.
+
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Drew Schmitt <dasch@google.com>
+Cc: Abhiroop Dabral <adabral@paloaltonetworks.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit e53d88af63ab4104e1226b8f9959f1e9903da10b)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 6b1e434ceaf8..93bc3504d39e 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -8062,6 +8062,7 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm,
+ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
+ {
+ 	vcpu->arch.arch_capabilities = kvm_get_arch_capabilities();
++	vcpu->arch.msr_platform_info = MSR_PLATFORM_INFO_CPUID_FAULT;
+ 	kvm_vcpu_mtrr_init(vcpu);
+ 	vcpu_load(vcpu);
+ 	kvm_vcpu_reset(vcpu, false);
+@@ -8157,7 +8158,6 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
+ 		kvm_pmu_reset(vcpu);
+ 		vcpu->arch.smbase = 0x30000;
+ 
+-		vcpu->arch.msr_platform_info = MSR_PLATFORM_INFO_CPUID_FAULT;
+ 		vcpu->arch.msr_misc_features_enables = 0;
+ 
+ 		vcpu->arch.xcr0 = XFEATURE_MASK_FP;

patches/kernel/0010-net-thunderbolt-Fix-TCPv6-GSO-checksum-calculation.patch

@@ -1,42 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mika Westerberg <mika.westerberg@linux.intel.com>
-Date: Wed, 13 Sep 2023 08:26:47 +0300
-Subject: [PATCH] net: thunderbolt: Fix TCPv6 GSO checksum calculation
-
-Alex reported that running ssh over IPv6 does not work with
-Thunderbolt/USB4 networking driver. The reason for that is that driver
-should call skb_is_gso() before calling skb_is_gso_v6(), and it should
-not return false after calculates the checksum successfully. This probably
-was a copy paste error from the original driver where it was done properly.
-
-Reported-by: Alex Balcanquall <alex@alexbal.com>
-Fixes: e69b6c02b4c3 ("net: Add support for networking over Thunderbolt cable")
-Cc: stable@vger.kernel.org
-Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiri Pirko <jiri@nvidia.com>
-Reviewed-by: Jiri Pirko <jiri@nvidia.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- drivers/net/thunderbolt.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
-index 990484776f2d..0c554a7a5ce4 100644
---- a/drivers/net/thunderbolt.c
-+++ b/drivers/net/thunderbolt.c
-@@ -1005,12 +1005,11 @@ static bool tbnet_xmit_csum_and_map(struct tbnet *net, struct sk_buff *skb,
- 		*tucso = ~csum_tcpudp_magic(ip_hdr(skb)->saddr,
- 					    ip_hdr(skb)->daddr, 0,
- 					    ip_hdr(skb)->protocol, 0);
--	} else if (skb_is_gso_v6(skb)) {
-+	} else if (skb_is_gso(skb) && skb_is_gso_v6(skb)) {
- 		tucso = dest + ((void *)&(tcp_hdr(skb)->check) - data);
- 		*tucso = ~csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
- 					  &ipv6_hdr(skb)->daddr, 0,
- 					  IPPROTO_TCP, 0);
--		return false;
- 	} else if (protocol == htons(ETH_P_IPV6)) {
- 		tucso = dest + skb_checksum_start_offset(skb) + skb->csum_offset;
- 		*tucso = ~csum_ipv6_magic(&ipv6_hdr(skb)->saddr,

patches/kernel/0010-ntb-test-remove-unused-conflicting-SZ_4G-define.patch

@@ -0,0 +1,22 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Fri, 6 Sep 2019 13:04:30 +0200
+Subject: [PATCH] ntb test: remove unused conflicting SZ_4G define
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ drivers/ntb/test/ntb_perf.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/ntb/test/ntb_perf.c b/drivers/ntb/test/ntb_perf.c
+index 427112cf101a..1f8ee33a07a2 100644
+--- a/drivers/ntb/test/ntb_perf.c
++++ b/drivers/ntb/test/ntb_perf.c
+@@ -74,7 +74,6 @@
+ #define MAX_SRCS		32
+ #define DMA_OUT_RESOURCE_TO	msecs_to_jiffies(50)
+ #define DMA_RETRIES		20
+-#define SZ_4G			(1ULL << 32)
+ #define MAX_SEG_ORDER		20 /* no larger than 1M for kmalloc buffer */
+ #define PIDX			NTB_DEF_PEER_IDX
+ 

patches/kernel/0011-thunderbolt-Restart-XDomain-discovery-handshake-afte.patch

@@ -1,134 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mika Westerberg <mika.westerberg@linux.intel.com>
-Date: Thu, 7 Sep 2023 16:02:30 +0300
-Subject: [PATCH] thunderbolt: Restart XDomain discovery handshake after
- failure
-
-Alex reported that after rebooting the other host the peer-to-peer link
-does not come up anymore. The reason for this is that the host that was
-not rebooted tries to send the UUID request only 10 times according to
-the USB4 Inter-Domain spec and gives up if it does not get reply. Then
-when the other side is actually ready it cannot get the link established
-anymore. The USB4 Inter-Domain spec requires that the discovery protocol
-is restarted in that case so implement this now.
-
-Reported-by: Alex Balcanquall <alex@alexbal.com>
-Fixes: 8e1de7042596 ("thunderbolt: Add support for XDomain lane bonding")
-Cc: stable@vger.kernel.org
-Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- drivers/thunderbolt/xdomain.c | 58 +++++++++++++++++++++++++----------
- 1 file changed, 41 insertions(+), 17 deletions(-)
-
-diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c
-index 3c51e47dd86b..0b17a4d4e9b9 100644
---- a/drivers/thunderbolt/xdomain.c
-+++ b/drivers/thunderbolt/xdomain.c
-@@ -704,6 +704,27 @@ static void update_property_block(struct tb_xdomain *xd)
- 	mutex_unlock(&xdomain_lock);
- }
- 
-+static void start_handshake(struct tb_xdomain *xd)
-+{
-+	xd->state = XDOMAIN_STATE_INIT;
-+	queue_delayed_work(xd->tb->wq, &xd->state_work,
-+			   msecs_to_jiffies(XDOMAIN_SHORT_TIMEOUT));
-+}
-+
-+/* Can be called from state_work */
-+static void __stop_handshake(struct tb_xdomain *xd)
-+{
-+	cancel_delayed_work_sync(&xd->properties_changed_work);
-+	xd->properties_changed_retries = 0;
-+	xd->state_retries = 0;
-+}
-+
-+static void stop_handshake(struct tb_xdomain *xd)
-+{
-+	cancel_delayed_work_sync(&xd->state_work);
-+	__stop_handshake(xd);
-+}
-+
- static void tb_xdp_handle_request(struct work_struct *work)
- {
- 	struct xdomain_request_work *xw = container_of(work, typeof(*xw), work);
-@@ -766,6 +787,15 @@ static void tb_xdp_handle_request(struct work_struct *work)
- 	case UUID_REQUEST:
- 		tb_dbg(tb, "%llx: received XDomain UUID request\n", route);
- 		ret = tb_xdp_uuid_response(ctl, route, sequence, uuid);
-+		/*
-+		 * If we've stopped the discovery with an error such as
-+		 * timing out, we will restart the handshake now that we
-+		 * received UUID request from the remote host.
-+		 */
-+		if (!ret && xd && xd->state == XDOMAIN_STATE_ERROR) {
-+			dev_dbg(&xd->dev, "restarting handshake\n");
-+			start_handshake(xd);
-+		}
- 		break;
- 
- 	case LINK_STATE_STATUS_REQUEST:
-@@ -1522,6 +1552,13 @@ static void tb_xdomain_queue_properties_changed(struct tb_xdomain *xd)
- 			   msecs_to_jiffies(XDOMAIN_SHORT_TIMEOUT));
- }
- 
-+static void tb_xdomain_failed(struct tb_xdomain *xd)
-+{
-+	xd->state = XDOMAIN_STATE_ERROR;
-+	queue_delayed_work(xd->tb->wq, &xd->state_work,
-+			   msecs_to_jiffies(XDOMAIN_DEFAULT_TIMEOUT));
-+}
-+
- static void tb_xdomain_state_work(struct work_struct *work)
- {
- 	struct tb_xdomain *xd = container_of(work, typeof(*xd), state_work.work);
-@@ -1548,7 +1585,7 @@ static void tb_xdomain_state_work(struct work_struct *work)
- 		if (ret) {
- 			if (ret == -EAGAIN)
- 				goto retry_state;
--			xd->state = XDOMAIN_STATE_ERROR;
-+			tb_xdomain_failed(xd);
- 		} else {
- 			tb_xdomain_queue_properties_changed(xd);
- 			if (xd->bonding_possible)
-@@ -1613,7 +1650,7 @@ static void tb_xdomain_state_work(struct work_struct *work)
- 		if (ret) {
- 			if (ret == -EAGAIN)
- 				goto retry_state;
--			xd->state = XDOMAIN_STATE_ERROR;
-+			tb_xdomain_failed(xd);
- 		} else {
- 			xd->state = XDOMAIN_STATE_ENUMERATED;
- 		}
-@@ -1624,6 +1661,8 @@ static void tb_xdomain_state_work(struct work_struct *work)
- 		break;
- 
- 	case XDOMAIN_STATE_ERROR:
-+		dev_dbg(&xd->dev, "discovery failed, stopping handshake\n");
-+		__stop_handshake(xd);
- 		break;
- 
- 	default:
-@@ -1793,21 +1832,6 @@ static void tb_xdomain_release(struct device *dev)
- 	kfree(xd);
- }
- 
--static void start_handshake(struct tb_xdomain *xd)
--{
--	xd->state = XDOMAIN_STATE_INIT;
--	queue_delayed_work(xd->tb->wq, &xd->state_work,
--			   msecs_to_jiffies(XDOMAIN_SHORT_TIMEOUT));
--}
--
--static void stop_handshake(struct tb_xdomain *xd)
--{
--	cancel_delayed_work_sync(&xd->properties_changed_work);
--	cancel_delayed_work_sync(&xd->state_work);
--	xd->properties_changed_retries = 0;
--	xd->state_retries = 0;
--}
--
- static int __maybe_unused tb_xdomain_suspend(struct device *dev)
- {
- 	stop_handshake(tb_to_xdomain(dev));

patches/kernel/0012-x86-cpu-Fix-AMD-erratum-1485-on-Zen4-based-CPUs.patch

@@ -1,72 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Borislav Petkov (AMD)" <bp@alien8.de>
-Date: Sat, 7 Oct 2023 12:57:02 +0200
-Subject: [PATCH] x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fix erratum #1485 on Zen4 parts where running with STIBP disabled can
-cause an #UD exception. The performance impact of the fix is negligible.
-
-Reported-by: René Rebe <rene@exactcode.de>
-Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
-Tested-by: René Rebe <rene@exactcode.de>
-Cc: <stable@kernel.org>
-Link: https://lore.kernel.org/r/D99589F4-BC5D-430B-87B2-72C20370CF57@exactcode.com
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- arch/x86/include/asm/msr-index.h | 9 +++++++--
- arch/x86/kernel/cpu/amd.c        | 8 ++++++++
- 2 files changed, 15 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
-index ebbf80d8b8bd..a79b10e57757 100644
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -630,12 +630,17 @@
- /* AMD Last Branch Record MSRs */
- #define MSR_AMD64_LBR_SELECT			0xc000010e
- 
--/* Fam 17h MSRs */
--#define MSR_F17H_IRPERF			0xc00000e9
-+/* Zen4 */
-+#define MSR_ZEN4_BP_CFG			0xc001102e
-+#define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
- 
-+/* Zen 2 */
- #define MSR_ZEN2_SPECTRAL_CHICKEN	0xc00110e3
- #define MSR_ZEN2_SPECTRAL_CHICKEN_BIT	BIT_ULL(1)
- 
-+/* Fam 17h MSRs */
-+#define MSR_F17H_IRPERF			0xc00000e9
-+
- /* Fam 16h MSRs */
- #define MSR_F16H_L2I_PERF_CTL		0xc0010230
- #define MSR_F16H_L2I_PERF_CTR		0xc0010231
-diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
-index a608a2b78073..154e9c0c16bd 100644
---- a/arch/x86/kernel/cpu/amd.c
-+++ b/arch/x86/kernel/cpu/amd.c
-@@ -80,6 +80,10 @@ static const int amd_div0[] =
- 	AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x00, 0x0, 0x2f, 0xf),
- 			   AMD_MODEL_RANGE(0x17, 0x50, 0x0, 0x5f, 0xf));
- 
-+static const int amd_erratum_1485[] =
-+	AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x19, 0x10, 0x0, 0x1f, 0xf),
-+			   AMD_MODEL_RANGE(0x19, 0x60, 0x0, 0xaf, 0xf));
-+
- static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
- {
- 	int osvw_id = *erratum++;
-@@ -1125,6 +1129,10 @@ static void init_amd(struct cpuinfo_x86 *c)
- 		pr_notice_once("AMD Zen1 DIV0 bug detected. Disable SMT for full protection.\n");
- 		setup_force_cpu_bug(X86_BUG_DIV0);
- 	}
-+
-+	if (!cpu_has(c, X86_FEATURE_HYPERVISOR) &&
-+	     cpu_has_amd_erratum(c, amd_erratum_1485))
-+		msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT);
- }
- 
- #ifdef CONFIG_X86_32

patches/kernel/0013-Revert-nSVM-Check-for-reserved-encodings-of-TLB_CONT.patch

@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stefan Sterz <s.sterz@proxmox.com>
-Date: Wed, 18 Oct 2023 10:45:45 +0200
-Subject: [PATCH] Revert "nSVM: Check for reserved encodings of TLB_CONTROL in
- nested VMCB"
-
-This reverts commit 174a921b6975ef959dd82ee9e8844067a62e3ec1.
-
-Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
----
- arch/x86/kvm/svm/nested.c | 15 ---------------
- 1 file changed, 15 deletions(-)
-
-diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
-index add65dd59756..61a6c0235519 100644
---- a/arch/x86/kvm/svm/nested.c
-+++ b/arch/x86/kvm/svm/nested.c
-@@ -242,18 +242,6 @@ static bool nested_svm_check_bitmap_pa(struct kvm_vcpu *vcpu, u64 pa, u32 size)
- 	    kvm_vcpu_is_legal_gpa(vcpu, addr + size - 1);
- }
- 
--static bool nested_svm_check_tlb_ctl(struct kvm_vcpu *vcpu, u8 tlb_ctl)
--{
--	/* Nested FLUSHBYASID is not supported yet.  */
--	switch(tlb_ctl) {
--		case TLB_CONTROL_DO_NOTHING:
--		case TLB_CONTROL_FLUSH_ALL_ASID:
--			return true;
--		default:
--			return false;
--	}
--}
--
- static bool __nested_vmcb_check_controls(struct kvm_vcpu *vcpu,
- 					 struct vmcb_ctrl_area_cached *control)
- {
-@@ -273,9 +261,6 @@ static bool __nested_vmcb_check_controls(struct kvm_vcpu *vcpu,
- 					   IOPM_SIZE)))
- 		return false;
- 
--	if (CC(!nested_svm_check_tlb_ctl(vcpu, control->tlb_ctl)))
--		return false;
--
- 	return true;
- }
- 

patches/kernel/0014-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch

@@ -1,36 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Sean Christopherson <seanjc@google.com>
-Date: Wed, 18 Oct 2023 12:41:04 -0700
-Subject: [PATCH] KVM: nSVM: Advertise support for flush-by-ASID
-
-Advertise support for FLUSHBYASID when nested SVM is enabled, as KVM can
-always emulate flushing TLB entries for a vmcb12 ASID, e.g. by running L2
-with a new, fresh ASID in vmcb02.  Some modern hypervisors, e.g. VMWare
-Workstation 17, require FLUSHBYASID support and will refuse to run if it's
-not present.
-
-Punt on proper support, as "Honor L1's request to flush an ASID on nested
-VMRUN" is one of the TODO items in the (incomplete) list of issues that
-need to be addressed in order for KVM to NOT do a full TLB flush on every
-nested SVM transition (see nested_svm_transition_tlb_flush()).
-
-Reported-by: Stefan Sterz <s.sterz@proxmox.com>
-Closes: https://lkml.kernel.org/r/b9915c9c-4cf6-051a-2d91-44cc6380f455%40proxmox.com
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
----
- arch/x86/kvm/svm/svm.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
-index cf31babfbbb9..99a7e93b2edf 100644
---- a/arch/x86/kvm/svm/svm.c
-+++ b/arch/x86/kvm/svm/svm.c
-@@ -4920,6 +4920,7 @@ static __init void svm_set_cpu_caps(void)
- 	if (nested) {
- 		kvm_cpu_cap_set(X86_FEATURE_SVM);
- 		kvm_cpu_cap_set(X86_FEATURE_VMCBCLEAN);
-+		kvm_cpu_cap_set(X86_FEATURE_FLUSHBYASID);
- 
- 		if (nrips)
- 			kvm_cpu_cap_set(X86_FEATURE_NRIPS);

patches/kernel/0015-x86-fpu-Allow-caller-to-constrain-xfeatures-when-cop.patch

@@ -1,164 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Sean Christopherson <seanjc@google.com>
-Date: Wed, 27 Sep 2023 17:19:52 -0700
-Subject: [PATCH] x86/fpu: Allow caller to constrain xfeatures when copying to
- uabi buffer
-
-Plumb an xfeatures mask into __copy_xstate_to_uabi_buf() so that KVM can
-constrain which xfeatures are saved into the userspace buffer without
-having to modify the user_xfeatures field in KVM's guest_fpu state.
-
-KVM's ABI for KVM_GET_XSAVE{2} is that features that are not exposed to
-guest must not show up in the effective xstate_bv field of the buffer.
-Saving only the guest-supported xfeatures allows userspace to load the
-saved state on a different host with a fewer xfeatures, so long as the
-target host supports the xfeatures that are exposed to the guest.
-
-KVM currently sets user_xfeatures directly to restrict KVM_GET_XSAVE{2} to
-the set of guest-supported xfeatures, but doing so broke KVM's historical
-ABI for KVM_SET_XSAVE, which allows userspace to load any xfeatures that
-are supported by the *host*.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20230928001956.924301-2-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 18164f66e6c59fda15c198b371fa008431efdb22)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- arch/x86/include/asm/fpu/api.h |  3 ++-
- arch/x86/kernel/fpu/core.c     |  5 +++--
- arch/x86/kernel/fpu/xstate.c   |  7 +++++--
- arch/x86/kernel/fpu/xstate.h   |  3 ++-
- arch/x86/kvm/x86.c             | 21 +++++++++------------
- 5 files changed, 21 insertions(+), 18 deletions(-)
-
-diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h
-index b475d9a582b8..e829fa4c6788 100644
---- a/arch/x86/include/asm/fpu/api.h
-+++ b/arch/x86/include/asm/fpu/api.h
-@@ -148,7 +148,8 @@ static inline void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 xfd) {
- static inline void fpu_sync_guest_vmexit_xfd_state(void) { }
- #endif
- 
--extern void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *buf, unsigned int size, u32 pkru);
-+extern void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *buf,
-+					   unsigned int size, u64 xfeatures, u32 pkru);
- extern int fpu_copy_uabi_to_guest_fpstate(struct fpu_guest *gfpu, const void *buf, u64 xcr0, u32 *vpkru);
- 
- static inline void fpstate_set_confidential(struct fpu_guest *gfpu)
-diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
-index a083f9ac9e4f..1d190761d00f 100644
---- a/arch/x86/kernel/fpu/core.c
-+++ b/arch/x86/kernel/fpu/core.c
-@@ -369,14 +369,15 @@ int fpu_swap_kvm_fpstate(struct fpu_guest *guest_fpu, bool enter_guest)
- EXPORT_SYMBOL_GPL(fpu_swap_kvm_fpstate);
- 
- void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *buf,
--				    unsigned int size, u32 pkru)
-+				    unsigned int size, u64 xfeatures, u32 pkru)
- {
- 	struct fpstate *kstate = gfpu->fpstate;
- 	union fpregs_state *ustate = buf;
- 	struct membuf mb = { .p = buf, .left = size };
- 
- 	if (cpu_feature_enabled(X86_FEATURE_XSAVE)) {
--		__copy_xstate_to_uabi_buf(mb, kstate, pkru, XSTATE_COPY_XSAVE);
-+		__copy_xstate_to_uabi_buf(mb, kstate, xfeatures, pkru,
-+					  XSTATE_COPY_XSAVE);
- 	} else {
- 		memcpy(&ustate->fxsave, &kstate->regs.fxsave,
- 		       sizeof(ustate->fxsave));
-diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
-index 1afbc4866b10..463ec0cd0dab 100644
---- a/arch/x86/kernel/fpu/xstate.c
-+++ b/arch/x86/kernel/fpu/xstate.c
-@@ -1053,6 +1053,7 @@ static void copy_feature(bool from_xstate, struct membuf *to, void *xstate,
-  * __copy_xstate_to_uabi_buf - Copy kernel saved xstate to a UABI buffer
-  * @to:		membuf descriptor
-  * @fpstate:	The fpstate buffer from which to copy
-+ * @xfeatures:	The mask of xfeatures to save (XSAVE mode only)
-  * @pkru_val:	The PKRU value to store in the PKRU component
-  * @copy_mode:	The requested copy mode
-  *
-@@ -1063,7 +1064,8 @@ static void copy_feature(bool from_xstate, struct membuf *to, void *xstate,
-  * It supports partial copy but @to.pos always starts from zero.
-  */
- void __copy_xstate_to_uabi_buf(struct membuf to, struct fpstate *fpstate,
--			       u32 pkru_val, enum xstate_copy_mode copy_mode)
-+			       u64 xfeatures, u32 pkru_val,
-+			       enum xstate_copy_mode copy_mode)
- {
- 	const unsigned int off_mxcsr = offsetof(struct fxregs_state, mxcsr);
- 	struct xregs_state *xinit = &init_fpstate.regs.xsave;
-@@ -1087,7 +1089,7 @@ void __copy_xstate_to_uabi_buf(struct membuf to, struct fpstate *fpstate,
- 		break;
- 
- 	case XSTATE_COPY_XSAVE:
--		header.xfeatures &= fpstate->user_xfeatures;
-+		header.xfeatures &= fpstate->user_xfeatures & xfeatures;
- 		break;
- 	}
- 
-@@ -1189,6 +1191,7 @@ void copy_xstate_to_uabi_buf(struct membuf to, struct task_struct *tsk,
- 			     enum xstate_copy_mode copy_mode)
- {
- 	__copy_xstate_to_uabi_buf(to, tsk->thread.fpu.fpstate,
-+				  tsk->thread.fpu.fpstate->user_xfeatures,
- 				  tsk->thread.pkru, copy_mode);
- }
- 
-diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h
-index a4ecb04d8d64..3518fb26d06b 100644
---- a/arch/x86/kernel/fpu/xstate.h
-+++ b/arch/x86/kernel/fpu/xstate.h
-@@ -43,7 +43,8 @@ enum xstate_copy_mode {
- 
- struct membuf;
- extern void __copy_xstate_to_uabi_buf(struct membuf to, struct fpstate *fpstate,
--				      u32 pkru_val, enum xstate_copy_mode copy_mode);
-+				      u64 xfeatures, u32 pkru_val,
-+				      enum xstate_copy_mode copy_mode);
- extern void copy_xstate_to_uabi_buf(struct membuf to, struct task_struct *tsk,
- 				    enum xstate_copy_mode mode);
- extern int copy_uabi_from_kernel_to_xstate(struct fpstate *fpstate, const void *kbuf, u32 *pkru);
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index ff92ff41d5ce..a43a950d04cb 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -5314,26 +5314,23 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
- 	return 0;
- }
- 
--static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
--					 struct kvm_xsave *guest_xsave)
-+
-+static void kvm_vcpu_ioctl_x86_get_xsave2(struct kvm_vcpu *vcpu,
-+					  u8 *state, unsigned int size)
- {
- 	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
- 		return;
- 
--	fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu,
--				       guest_xsave->region,
--				       sizeof(guest_xsave->region),
-+	fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu, state, size,
-+				       vcpu->arch.guest_fpu.fpstate->user_xfeatures,
- 				       vcpu->arch.pkru);
- }
- 
--static void kvm_vcpu_ioctl_x86_get_xsave2(struct kvm_vcpu *vcpu,
--					  u8 *state, unsigned int size)
-+static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
-+					 struct kvm_xsave *guest_xsave)
- {
--	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
--		return;
--
--	fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu,
--				       state, size, vcpu->arch.pkru);
-+	return kvm_vcpu_ioctl_x86_get_xsave2(vcpu, (void *)guest_xsave->region,
-+					     sizeof(guest_xsave->region));
- }
- 
- static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,

patches/kernel/0016-KVM-x86-Constrain-guest-supported-xfeatures-only-at-.patch

@@ -1,119 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Sean Christopherson <seanjc@google.com>
-Date: Wed, 27 Sep 2023 17:19:53 -0700
-Subject: [PATCH] KVM: x86: Constrain guest-supported xfeatures only at
- KVM_GET_XSAVE{2}
-
-Mask off xfeatures that aren't exposed to the guest only when saving guest
-state via KVM_GET_XSAVE{2} instead of modifying user_xfeatures directly.
-Preserving the maximal set of xfeatures in user_xfeatures restores KVM's
-ABI for KVM_SET_XSAVE, which prior to commit ad856280ddea ("x86/kvm/fpu:
-Limit guest user_xfeatures to supported bits of XCR0") allowed userspace
-to load xfeatures that are supported by the host, irrespective of what
-xfeatures are exposed to the guest.
-
-There is no known use case where userspace *intentionally* loads xfeatures
-that aren't exposed to the guest, but the bug fixed by commit ad856280ddea
-was specifically that KVM_GET_SAVE{2} would save xfeatures that weren't
-exposed to the guest, e.g. would lead to userspace unintentionally loading
-guest-unsupported xfeatures when live migrating a VM.
-
-Restricting KVM_SET_XSAVE to guest-supported xfeatures is especially
-problematic for QEMU-based setups, as QEMU has a bug where instead of
-terminating the VM if KVM_SET_XSAVE fails, QEMU instead simply stops
-loading guest state, i.e. resumes the guest after live migration with
-incomplete guest state, and ultimately results in guest data corruption.
-
-Note, letting userspace restore all host-supported xfeatures does not fix
-setups where a VM is migrated from a host *without* commit ad856280ddea,
-to a target with a subset of host-supported xfeatures.  However there is
-no way to safely address that scenario, e.g. KVM could silently drop the
-unsupported features, but that would be a clear violation of KVM's ABI and
-so would require userspace to opt-in, at which point userspace could
-simply be updated to sanitize the to-be-loaded XSAVE state.
-
-Reported-by: Tyler Stachecki <stachecki.tyler@gmail.com>
-Closes: https://lore.kernel.org/all/20230914010003.358162-1-tstachecki@bloomberg.net
-Fixes: ad856280ddea ("x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0")
-Cc: stable@vger.kernel.org
-Cc: Leonardo Bras <leobras@redhat.com>
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
-Message-Id: <20230928001956.924301-3-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit 8647c52e9504c99752a39f1d44f6268f82c40a5c)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- arch/x86/kernel/fpu/xstate.c |  5 +----
- arch/x86/kvm/cpuid.c         |  8 --------
- arch/x86/kvm/x86.c           | 18 ++++++++++++++++--
- 3 files changed, 17 insertions(+), 14 deletions(-)
-
-diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
-index 463ec0cd0dab..ebe698f8af73 100644
---- a/arch/x86/kernel/fpu/xstate.c
-+++ b/arch/x86/kernel/fpu/xstate.c
-@@ -1543,10 +1543,7 @@ static int fpstate_realloc(u64 xfeatures, unsigned int ksize,
- 		fpregs_restore_userregs();
- 
- 	newfps->xfeatures = curfps->xfeatures | xfeatures;
--
--	if (!guest_fpu)
--		newfps->user_xfeatures = curfps->user_xfeatures | xfeatures;
--
-+	newfps->user_xfeatures = curfps->user_xfeatures | xfeatures;
- 	newfps->xfd = curfps->xfd & ~xfeatures;
- 
- 	/* Do the final updates within the locked region */
-diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
-index 61aefeb3fdbc..e5393ee652ba 100644
---- a/arch/x86/kvm/cpuid.c
-+++ b/arch/x86/kvm/cpuid.c
-@@ -350,14 +350,6 @@ static void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu)
- 	vcpu->arch.guest_supported_xcr0 =
- 		cpuid_get_supported_xcr0(vcpu->arch.cpuid_entries, vcpu->arch.cpuid_nent);
- 
--	/*
--	 * FP+SSE can always be saved/restored via KVM_{G,S}ET_XSAVE, even if
--	 * XSAVE/XCRO are not exposed to the guest, and even if XSAVE isn't
--	 * supported by the host.
--	 */
--	vcpu->arch.guest_fpu.fpstate->user_xfeatures = vcpu->arch.guest_supported_xcr0 |
--						       XFEATURE_MASK_FPSSE;
--
- 	kvm_update_pv_runtime(vcpu);
- 
- 	vcpu->arch.maxphyaddr = cpuid_query_maxphyaddr(vcpu);
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index a43a950d04cb..a4a44adf7c72 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -5318,12 +5318,26 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
- static void kvm_vcpu_ioctl_x86_get_xsave2(struct kvm_vcpu *vcpu,
- 					  u8 *state, unsigned int size)
- {
-+	/*
-+	 * Only copy state for features that are enabled for the guest.  The
-+	 * state itself isn't problematic, but setting bits in the header for
-+	 * features that are supported in *this* host but not exposed to the
-+	 * guest can result in KVM_SET_XSAVE failing when live migrating to a
-+	 * compatible host without the features that are NOT exposed to the
-+	 * guest.
-+	 *
-+	 * FP+SSE can always be saved/restored via KVM_{G,S}ET_XSAVE, even if
-+	 * XSAVE/XCRO are not exposed to the guest, and even if XSAVE isn't
-+	 * supported by the host.
-+	 */
-+	u64 supported_xcr0 = vcpu->arch.guest_supported_xcr0 |
-+			     XFEATURE_MASK_FPSSE;
-+
- 	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
- 		return;
- 
- 	fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu, state, size,
--				       vcpu->arch.guest_fpu.fpstate->user_xfeatures,
--				       vcpu->arch.pkru);
-+				       supported_xcr0, vcpu->arch.pkru);
- }
- 
- static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,