update submodules

2024-07-02 01:19:26 +03:00 · 2024-07-02 01:18:13 +03:00 · 2024-07-02 01:01:54 +03:00 · 2024-07-02 00:59:07 +03:00 · 2024-07-02 00:29:43 +03:00 · 2024-07-02 00:15:58 +03:00
87 changed files with 37760 additions and 25646 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,3 @@
 ubuntu-zesty
+*.prepared
+.*/
--- a/.gitmodules
+++ b/.gitmodules
@ -1,9 +1,6 @@
-[submodule "submodules/ubuntu-zesty"]
-	path = submodules/ubuntu-zesty
-	url = ../mirror_ubuntu-zesty-kernel
-[submodule "submodules/zfs-module"]
-	path = submodules/zfs-module
-	url = ../mirror_zfs-debian
-[submodule "submodules/spl-module"]
-	path = submodules/spl-module
-	url = ../mirror_spl-debian
+[submodule "submodules/ubuntu-kernel"]
+	path = submodules/ubuntu-kernel
+	url = https://dev.lirent.ru/c/mirror_ubuntu-kernels.git
+[submodule "submodules/zfsonlinux"]
+	path = submodules/zfsonlinux
+	url = https://dev.lirent.ru/c/zfsonlinux.git
--- a/0001-Revert-net-reduce-skb_warn_bad_offload-noise.patch
+++ b/0001-Revert-net-reduce-skb_warn_bad_offload-noise.patch
@ -1,51 +0,0 @@
-From b776ff7db868804129b9f364825fd4e949a493ee Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
-Date: Tue, 19 Sep 2017 09:36:43 +0200
-Subject: [PATCH] Revert "net: reduce skb_warn_bad_offload() noise"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit b2504a5dbef3305ef41988ad270b0e8ec289331c.
-
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- net/core/dev.c | 12 +++---------
- 1 file changed, 3 insertions(+), 9 deletions(-)
-
-diff --git a/net/core/dev.c b/net/core/dev.c
-index 73d5644fa834..7c8959936169 100644
--- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -2702,12 +2702,11 @@ static inline bool skb_needs_check(struct sk_buff *skb, bool tx_path)
- struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
- 				  netdev_features_t features, bool tx_path)
- {
-	struct sk_buff *segs;
-
- 	if (unlikely(skb_needs_check(skb, tx_path))) {
- 		int err;
- 
-		/* We're going to init ->check field in TCP or UDP header */
-+		skb_warn_bad_offload(skb);
-+
- 		err = skb_cow_head(skb, 0);
- 		if (err < 0)
- 			return ERR_PTR(err);
-@@ -2735,12 +2734,7 @@ struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
- 	skb_reset_mac_header(skb);
- 	skb_reset_mac_len(skb);
- 
-	segs = skb_mac_gso_segment(skb, features);
-
-	if (unlikely(skb_needs_check(skb, tx_path)))
-		skb_warn_bad_offload(skb);
-
-	return segs;
-+	return skb_mac_gso_segment(skb, features);
- }
- EXPORT_SYMBOL(__skb_gso_segment);
- 
-- 
-2.11.0
-
--- a/0001-netfilter-nft_set_rbtree-handle-re-addition-element-.patch
+++ b/0001-netfilter-nft_set_rbtree-handle-re-addition-element-.patch
@ -1,54 +0,0 @@
-From 6fa9fc0ce1032710ce017c444b0c66eaf9e77782 Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Mon, 22 May 2017 00:17:30 +0200
-Subject: [PATCH linux] netfilter: nft_set_rbtree: handle re-addition element
- after deletion
-
-The existing code selects no next branch to be inspected when
-re-inserting an inactive element into the rb-tree, looping endlessly.
-This patch restricts the check for active elements to the EEXIST case
-only.
-
-Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates")
-Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
- net/netfilter/nft_set_rbtree.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
-index f06f55e..51ff879 100644
--- a/net/netfilter/nft_set_rbtree.c
-+++ b/net/netfilter/nft_set_rbtree.c
-@@ -118,17 +118,17 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
- 		else if (d > 0)
- 			p = &parent->rb_right;
- 		else {
-			if (nft_set_elem_active(&rbe->ext, genmask)) {
-				if (nft_rbtree_interval_end(rbe) &&
-				    !nft_rbtree_interval_end(new))
-					p = &parent->rb_left;
-				else if (!nft_rbtree_interval_end(rbe) &&
-					 nft_rbtree_interval_end(new))
-					p = &parent->rb_right;
-				else {
-					*ext = &rbe->ext;
-					return -EEXIST;
-				}
-+			if (nft_rbtree_interval_end(rbe) &&
-+			    !nft_rbtree_interval_end(new)) {
-+				p = &parent->rb_left;
-+			} else if (!nft_rbtree_interval_end(rbe) &&
-+				   nft_rbtree_interval_end(new)) {
-+				p = &parent->rb_right;
-+			} else if (nft_set_elem_active(&rbe->ext, genmask)) {
-+				*ext = &rbe->ext;
-+				return -EEXIST;
-+			} else {
-+				p = &parent->rb_left;
- 			}
- 		}
- 	}
-- 
-2.1.4
-
--- a/0001-tcp-reset-sk_rx_dst-in-tcp_disconnect.patch
+++ b/0001-tcp-reset-sk_rx_dst-in-tcp_disconnect.patch
@ -1,43 +0,0 @@
-From d747a7a51b00984127a88113cdbbc26f91e9d815 Mon Sep 17 00:00:00 2001
-From: WANG Cong <xiyou.wangcong@gmail.com>
-Date: Sat, 24 Jun 2017 23:50:30 -0700
-Subject: [PATCH] tcp: reset sk_rx_dst in tcp_disconnect()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We have to reset the sk->sk_rx_dst when we disconnect a TCP
-connection, because otherwise when we re-connect it this
-dst reference is simply overridden in tcp_finish_connect().
-
-This fixes a dst leak which leads to a loopback dev refcnt
-leak. It is a long-standing bug, Kevin reported a very similar
-(if not same) bug before. Thanks to Andrei for providing such
-a reliable reproducer which greatly narrows down the problem.
-
-Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
-Reported-by: Andrei Vagin <avagin@gmail.com>
-Reported-by: Kevin Xu <kaiwen.xu@hulu.com>
-Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- net/ipv4/tcp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index b5ea036ca781..40aca7803cf2 100644
--- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -2330,6 +2330,8 @@ int tcp_disconnect(struct sock *sk, int flags)
- 	tcp_init_send_head(sk);
- 	memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
- 	__sk_dst_reset(sk);
-+	dst_release(sk->sk_rx_dst);
-+	sk->sk_rx_dst = NULL;
- 	tcp_saved_syn_free(tp);
- 
- 	/* Clean up fastopen related fields */
-- 
-2.11.0
-
--- a/444
+++ b/444
@ -1,367 +1,171 @@
-RELEASE=5.0
+include /usr/share/dpkg/pkg-info.mk

-# also update proxmox-ve/changelog if you change KERNEL_VER or KREL
-KERNEL_VER=4.10.17
-PKGREL=23
-# also include firmware of previous version into
-# the fw package:  fwlist-2.6.32-PREV-pve
-KREL=3
+# also bump proxmox-kernel-meta if the default MAJ.MIN version changes!
+KERNEL_MAJ=6
+KERNEL_MIN=8
+KERNEL_PATCHLEVEL=8
+# increment KREL for every published package release!
+# rebuild packages with new KREL and run 'make abiupdate'
+KREL=2

-KERNEL_SRC=ubuntu-zesty
-KERNEL_SRC_SUBMODULE=submodules/ubuntu-zesty
+KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
+KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)

-EXTRAVERSION=-${KREL}-pve
-KVNAME=${KERNEL_VER}${EXTRAVERSION}
-PACKAGE=pve-kernel-${KVNAME}
-HDRPACKAGE=pve-headers-${KVNAME}
+EXTRAVERSION=-$(KREL)-pve
+KVNAME=$(KERNEL_VER)$(EXTRAVERSION)
+PACKAGE=proxmox-kernel-$(KVNAME)
+HDRPACKAGE=proxmox-headers-$(KVNAME)

 ARCH=$(shell dpkg-architecture -qDEB_BUILD_ARCH)
-NPROCS=$(shell nproc)

 # amd64/x86_64/x86 share the arch subdirectory in the kernel, 'x86' so we need
 # a mapping
 KERNEL_ARCH=x86
-ifneq (${ARCH}, amd64)
-KERNEL_ARCH=${ARCH}
+ifneq ($(ARCH), amd64)
+KERNEL_ARCH=$(ARCH)
 endif

-GITVERSION:=$(shell git rev-parse HEAD)
-CHANGELOG_DATE:=$(shell dpkg-parsechangelog -SDate -lchangelog.Debian)
-export SOURCE_DATE_EPOCH ?= $(shell dpkg-parsechangelog -STimestamp -lchangelog.Debian)
-
 SKIPABI=0

-TOP=$(shell pwd)
+BUILD_DIR=proxmox-kernel-$(KERNEL_VER)

-KERNEL_CFG_ORG=config-${KERNEL_VER}.org
+KERNEL_SRC=ubuntu-kernel
+KERNEL_SRC_SUBMODULE=submodules/$(KERNEL_SRC)
+KERNEL_CFG_ORG=config-$(KERNEL_VER).org

-E1000EDIR=e1000e-3.3.5.3
-E1000ESRC=${E1000EDIR}.tar.gz
-
-IGBDIR=igb-5.3.5.4
-IGBSRC=${IGBDIR}.tar.gz
-
-IXGBEDIR=ixgbe-5.0.4
-IXGBESRC=${IXGBEDIR}.tar.gz
-
-SPLDIR=pkg-spl
-SPLSRC=submodules/spl-module
+ZFSONLINUX_SUBMODULE=submodules/zfsonlinux
 ZFSDIR=pkg-zfs
-ZFSSRC=submodules/zfs-module
-ZFS_KO=zfs.ko
-ZFS_KO_REST=zavl.ko znvpair.ko zunicode.ko zcommon.ko zpios.ko
-ZFS_MODULES=$(ZFS_KO) $(ZFS_KO_REST)
-SPL_KO=spl.ko
-SPL_KO_REST=splat.ko
-SPL_MODULES=$(SPL_KO) $(SPL_KO_REST)

-DST_DEB=${PACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-HDR_DEB=${HDRPACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-PVEPKG=proxmox-ve
-PVE_DEB=${PVEPKG}_${RELEASE}-${PKGREL}_all.deb
-VIRTUALHDRPACKAGE=pve-headers
-VIRTUAL_HDR_DEB=${VIRTUALHDRPACKAGE}_${RELEASE}-${PKGREL}_all.deb
+MODULES=modules
+MODULE_DIRS=$(ZFSDIR)

-LINUX_TOOLS_PKG=linux-tools-4.10
-LINUX_TOOLS_DEB=${LINUX_TOOLS_PKG}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
+# exported to debian/rules via debian/rules.d/dirs.mk
+DIRS=KERNEL_SRC ZFSDIR MODULES

-DEBS=${DST_DEB} ${HDR_DEB} ${PVE_DEB} ${VIRTUAL_HDR_DEB} ${LINUX_TOOLS_DEB}
+DSC=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL).dsc
+DST_DEB=$(PACKAGE)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+SIGNED_TEMPLATE_DEB=$(PACKAGE)-signed-template_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+META_DEB=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_all.deb
+HDR_DEB=$(HDRPACKAGE)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+META_HDR_DEB=proxmox-headers-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_all.deb
+USR_HDR_DEB=proxmox-kernel-libc-dev_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+LINUX_TOOLS_DBG_DEB=linux-tools-$(KERNEL_MAJMIN)-dbgsym_$(KERNEL_VER)-$(KREL)_$(ARCH).deb

-all: check_gcc deb
-deb: ${DEBS}
+DEBS=$(DST_DEB) $(META_DEB) $(HDR_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(LINUX_TOOLS_DBG_DEB) $(SIGNED_TEMPLATE_DEB) # $(USR_HDR_DEB)

-pve: $(PVE_DEB)
-${PVE_DEB}: proxmox-ve/control proxmox-ve/postinst ${PVE_RELEASE_KEYS}
-	rm -rf proxmox-ve/data
-	mkdir -p proxmox-ve/data/DEBIAN
-	mkdir -p proxmox-ve/data/usr/share/doc/${PVEPKG}/
-	mkdir -p proxmox-ve/data/etc/apt/trusted.gpg.d
-	install -m 0644 proxmox-ve/proxmox-release-5.x.pubkey proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
-	sed -e 's/@KVNAME@/${KVNAME}/' -e 's/@KERNEL_VER@/${KERNEL_VER}/' -e 's/@RELEASE@/${RELEASE}/' -e 's/@PKGREL@/${PKGREL}/' <proxmox-ve/control >proxmox-ve/data/DEBIAN/control
-	sed -e 's/@KVNAME@/${KVNAME}/' <proxmox-ve/postinst >proxmox-ve/data/DEBIAN/postinst
-	chmod 0755 proxmox-ve/data/DEBIAN/postinst
-	install -m 0755 proxmox-ve/postrm proxmox-ve/data/DEBIAN/postrm
-	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout ${GITVERSION}" > proxmox-ve/data/usr/share/doc/${PVEPKG}/SOURCE
-	install -m 0644 proxmox-ve/copyright proxmox-ve/data/usr/share/doc/${PVEPKG}
-	install -m 0644 proxmox-ve/changelog.Debian proxmox-ve/data/usr/share/doc/${PVEPKG}
-	gzip -n --best proxmox-ve/data/usr/share/doc/${PVEPKG}/changelog.Debian
-	dpkg-deb --build proxmox-ve/data ${PVE_DEB}
+all: deb
+deb: $(DEBS)

-pve-headers: $(VIRTUAL_HDR_DEB)
-${VIRTUAL_HDR_DEB}: proxmox-ve/pve-headers.control
-	rm -rf pve-headers/data
-	mkdir -p pve-headers/data/DEBIAN
-	mkdir -p pve-headers/data/usr/share/doc/${VIRTUALHDRPACKAGE}/
-	sed -e 's/@KVNAME@/${KVNAME}/' -e 's/@KERNEL_VER@/${KERNEL_VER}/' -e 's/@RELEASE@/${RELEASE}/' -e 's/@PKGREL@/${PKGREL}/' <proxmox-ve/pve-headers.control >pve-headers/data/DEBIAN/control
-	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout ${GITVERSION}" > pve-headers/data/usr/share/doc/${VIRTUALHDRPACKAGE}/SOURCE
-	install -m 0644 proxmox-ve/copyright pve-headers/data/usr/share/doc/${VIRTUALHDRPACKAGE}
-	install -m 0644 proxmox-ve/changelog.Debian pve-headers/data/usr/share/doc/${VIRTUALHDRPACKAGE}
-	gzip -n --best pve-headers/data/usr/share/doc/${VIRTUALHDRPACKAGE}/changelog.Debian
-	dpkg-deb --build pve-headers/data ${VIRTUAL_HDR_DEB}
+$(META_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(HDR_DEB): $(DST_DEB)
+$(DST_DEB): $(BUILD_DIR).prepared
+	cd $(BUILD_DIR); dpkg-buildpackage --jobs=auto -b -uc -us
+	lintian $(DST_DEB)
+	#lintian $(HDR_DEB)
+	lintian $(LINUX_TOOLS_DEB)

-check_gcc: 
-ifeq    ($(CC), cc)
-	gcc --version|grep "6\.3" || false
-else
-	$(CC) --version|grep "6\.3" || false
-endif
+dsc:
+	$(MAKE) $(DSC)
+	lintian $(DSC)

-${DST_DEB}: data control.in prerm.in postinst.in postrm.in copyright changelog.Debian | fwcheck abicheck
-	mkdir -p data/DEBIAN
-	sed -e 's/@KERNEL_VER@/${KERNEL_VER}/' -e 's/@KVNAME@/${KVNAME}/' -e 's/@PKGREL@/${PKGREL}/' -e 's/@ARCH@/${ARCH}/' <control.in >data/DEBIAN/control
-	sed -e 's/@@KVNAME@@/${KVNAME}/g'  <prerm.in >data/DEBIAN/prerm
-	chmod 0755 data/DEBIAN/prerm
-	sed -e 's/@@KVNAME@@/${KVNAME}/g'  <postinst.in >data/DEBIAN/postinst
-	chmod 0755 data/DEBIAN/postinst
-	sed -e 's/@@KVNAME@@/${KVNAME}/g'  <postrm.in >data/DEBIAN/postrm
-	chmod 0755 data/DEBIAN/postrm
-	install -D -m 644 copyright data/usr/share/doc/${PACKAGE}/copyright
-	install -D -m 644 changelog.Debian data/usr/share/doc/${PACKAGE}/changelog.Debian
-	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout ${GITVERSION}" > data/usr/share/doc/${PACKAGE}/SOURCE
-	gzip -n -f --best data/usr/share/doc/${PACKAGE}/changelog.Debian
-	rm -f data/lib/modules/${KVNAME}/source
-	rm -f data/lib/modules/${KVNAME}/build
-	dpkg-deb --build data ${DST_DEB}
-	lintian ${DST_DEB}
+$(DSC): $(BUILD_DIR).prepared
+	cd $(BUILD_DIR); dpkg-buildpackage -S -uc -us -d

-LINUX_TOOLS_DH_LIST=strip installchangelogs installdocs compress shlibdeps gencontrol md5sums builddeb
+sbuild: $(DSC)
+	sbuild $(DSC)

-${LINUX_TOOLS_DEB}: .compile_mark control.tools changelog.Debian copyright
-	rm -rf linux-tools ${LINUX_TOOLS_DEB}
-	mkdir -p linux-tools/debian
-	cp control.tools linux-tools/debian/control
-	echo 9 > linux-tools/debian/compat
-	cp changelog.Debian linux-tools/debian/changelog
-	cp copyright linux-tools/debian
-	mkdir -p linux-tools/debian/linux-tools-4.10/usr/bin
-	install -m 0755 ${KERNEL_SRC}/tools/perf/perf linux-tools/debian/linux-tools-4.10/usr/bin/perf_4.10
-	cd linux-tools; for i in ${LINUX_TOOLS_DH_LIST}; do dh_$$i; done
-	lintian ${LINUX_TOOLS_DEB}
-
-fwlist-${KVNAME}: data
-	./find-firmware.pl data/lib/modules/${KVNAME} >fwlist.tmp
-	mv fwlist.tmp $@
-
-.PHONY: fwcheck
-fwcheck: fwlist-${KVNAME} fwlist-previous
-	@echo "checking fwlist for changes since last built firmware package.."
-	@echo "if this check fails, add fwlist-${KVNAME} to the pve-firmware repository and upload a new firmware package together with the ${KVNAME} kernel"
-	sort fwlist-previous | uniq > fwlist-previous.sorted
-	sort fwlist-${KVNAME} | uniq > fwlist-${KVNAME}.sorted
-	diff -up -N fwlist-previous.sorted fwlist-${KVNAME}.sorted > fwlist.diff
-	rm fwlist.diff fwlist-previous.sorted fwlist-${KVNAME}.sorted
-	@echo "done, no need to rebuild pve-firmware"
-
-
-abi-${KVNAME}: .compile_mark
-	sed -e 's/^\(.\+\)[[:space:]]\+\(.\+\)[[:space:]]\(.\+\)$$/\3 \2 \1/' ${KERNEL_SRC}/Module.symvers | sort > abi-${KVNAME}
-
-.PHONY: abicheck
-abicheck: abi-${KVNAME} abi-previous abi-blacklist
-	./abi-check abi-${KVNAME} abi-previous ${SKIPABI}
-
-data: .compile_mark igb.ko ixgbe.ko e1000e.ko ${SPL_MODULES} ${ZFS_MODULES}
-	rm -rf data tmp; mkdir -p tmp/lib/modules/${KVNAME}
-	mkdir tmp/boot
-	install -m 644 ${KERNEL_SRC}/.config tmp/boot/config-${KVNAME}
-	install -m 644 ${KERNEL_SRC}/System.map tmp/boot/System.map-${KVNAME}
-	install -m 644 ${KERNEL_SRC}/arch/${KERNEL_ARCH}/boot/bzImage tmp/boot/vmlinuz-${KVNAME}
-	cd ${KERNEL_SRC}; make INSTALL_MOD_PATH=../tmp/ modules_install
-	## install latest ibg driver
-	install -m 644 igb.ko tmp/lib/modules/${KVNAME}/kernel/drivers/net/ethernet/intel/igb/
-	# install latest ixgbe driver
-	install -m 644 ixgbe.ko tmp/lib/modules/${KVNAME}/kernel/drivers/net/ethernet/intel/ixgbe/
-	# install latest e1000e driver
-	install -m 644 e1000e.ko tmp/lib/modules/${KVNAME}/kernel/drivers/net/ethernet/intel/e1000e/
-	# install zfs drivers
-	install -d -m 0755 tmp/lib/modules/${KVNAME}/zfs
-	install -m 644 ${SPL_MODULES} ${ZFS_MODULES} tmp/lib/modules/${KVNAME}/zfs
-	# remove firmware
-	rm -rf tmp/lib/firmware
-	# strip debug info
-	find tmp/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
-	# finalize
-	/sbin/depmod -b tmp/ ${KVNAME}
-	# Autogenerate blacklist for watchdog devices (see README)
-	install -m 0755 -d tmp/lib/modprobe.d
-	ls tmp/lib/modules/${KVNAME}/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
-	echo ipmi_watchdog.ko >> watchdog-blacklist.tmp
-	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > tmp/lib/modprobe.d/blacklist_${PACKAGE}.conf
-	mv tmp data
-
-PVE_CONFIG_OPTS= \
-m INTEL_MEI_WDT \
-d CONFIG_SND_PCM_OSS \
-e CONFIG_TRANSPARENT_HUGEPAGE_MADVISE \
-d CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS \
-m CONFIG_CEPH_FS \
-m CONFIG_BLK_DEV_NBD \
-m CONFIG_BLK_DEV_RBD \
-m CONFIG_BCACHE \
-m CONFIG_JFS_FS \
-m CONFIG_HFS_FS \
-m CONFIG_HFSPLUS_FS \
-e CONFIG_BRIDGE \
-e CONFIG_BRIDGE_NETFILTER \
-e CONFIG_BLK_DEV_SD \
-e CONFIG_BLK_DEV_SR \
-e CONFIG_BLK_DEV_DM \
-e CONFIG_BLK_DEV_NVME \
-d CONFIG_INPUT_EVBUG \
-d CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND \
-e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
-d CONFIG_MODULE_SIG \
-d CONFIG_MEMCG_DISABLED \
-e CONFIG_MEMCG_SWAP_ENABLED \
-e CONFIG_MEMCG_KMEM \
-d CONFIG_DEFAULT_CFQ \
-e CONFIG_DEFAULT_DEADLINE \
-e CONFIG_MODVERSIONS \
-d CONFIG_DEFAULT_SECURITY_DAC \
-e CONFIG_DEFAULT_SECURITY_APPARMOR \
--set-str CONFIG_DEFAULT_SECURITY apparmor
-
-.compile_mark: ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}
-	[ ! -e /lib/modules/${KVNAME}/build ] || (echo "please remove /lib/modules/${KVNAME}/build" && false)
-	cp ${KERNEL_CFG_ORG} ${KERNEL_SRC}/.config
-	cd ${KERNEL_SRC}; ./scripts/config ${PVE_CONFIG_OPTS}
-	cd ${KERNEL_SRC}; make oldconfig
-	cd ${KERNEL_SRC}; make KBUILD_BUILD_VERSION_TIMESTAMP="PVE ${KERNEL_VER}-${PKGREL} (${CHANGELOG_DATE})" -j ${NPROCS}
-	make -C ${KERNEL_SRC}/tools/perf prefix=/usr HAVE_CPLUS_DEMANGLE=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python2.7
-	make -C ${KERNEL_SRC}/tools/perf man
+$(BUILD_DIR).prepared: $(addsuffix .prepared,$(KERNEL_SRC) $(MODULES) debian)
+	cp -a fwlist-previous $(BUILD_DIR)/
+	cp -a abi-prev-* $(BUILD_DIR)/
+	cp -a abi-blacklist $(BUILD_DIR)/
 	touch $@

-${KERNEL_CFG_ORG}: ${KERNEL_SRC}/README
-${KERNEL_SRC}/README: ${KERNEL_SRC_SUBMODULE} | submodules
-	rm -rf ${KERNEL_SRC}
-	cp -a ${KERNEL_SRC_SUBMODULE} ${KERNEL_SRC}
-	cat ${KERNEL_SRC}/debian.master/config/config.common.ubuntu ${KERNEL_SRC}/debian.master/config/${ARCH}/config.common.${ARCH} ${KERNEL_SRC}/debian.master/config/${ARCH}/config.flavour.generic > ${KERNEL_CFG_ORG}
-	cd ${KERNEL_SRC}; patch -p1 < ../uname-version-timestamp.patch
-	cd ${KERNEL_SRC}; patch -p1 <../bridge-patch.diff
-	#cd ${KERNEL_SRC}; patch -p1 <../bridge-forward-ipv6-neighbor-solicitation.patch
-	#cd ${KERNEL_SRC}; patch -p1 <../add-empty-ndo_poll_controller-to-veth.patch
-	cd ${KERNEL_SRC}; patch -p1 <../override_for_missing_acs_capabilities.patch
-	#cd ${KERNEL_SRC}; patch -p1 <../vhost-net-extend-device-allocation-to-vmalloc.patch
-	cd ${KERNEL_SRC}; patch -p1 < ../kvm-dynamic-halt-polling-disable-default.patch
-	cd ${KERNEL_SRC}; patch -p1 < ../cgroup-cpuset-add-cpuset.remap_cpus.patch
-	cd ${KERNEL_SRC}; patch -p1 < ../0001-netfilter-nft_set_rbtree-handle-re-addition-element-.patch # DoS from within (unpriv) containers
-	cd ${KERNEL_SRC}; patch -p1 < ../0001-tcp-reset-sk_rx_dst-in-tcp_disconnect.patch
-	cd ${KERNEL_SRC}; patch -p1 < ../0001-Revert-net-reduce-skb_warn_bad_offload-noise.patch
-	sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
+.PHONY: build-dir-fresh
+build-dir-fresh:
+	$(MAKE) clean
+	$(MAKE) $(BUILD_DIR).prepared
+	echo "created build-directory: $(BUILD_DIR).prepared/"
+
+debian.prepared: debian
+	rm -rf $(BUILD_DIR)/debian
+	mkdir -p $(BUILD_DIR)
+	cp -a debian $(BUILD_DIR)/debian
+	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout $(shell git rev-parse HEAD)" \
+	    >$(BUILD_DIR)/debian/SOURCE
+	@$(foreach dir, $(DIRS),echo "$(dir)=$($(dir))" >> $(BUILD_DIR)/debian/rules.d/env.mk;)
+	echo "KVNAME=$(KVNAME)" >> $(BUILD_DIR)/debian/rules.d/env.mk
+	echo "KERNEL_MAJMIN=$(KERNEL_MAJMIN)" >> $(BUILD_DIR)/debian/rules.d/env.mk
+	cd $(BUILD_DIR); debian/rules debian/control
 	touch $@

-e1000e.ko e1000e: .compile_mark ${E1000ESRC}
-	rm -rf ${E1000EDIR}
-	tar xf ${E1000ESRC}
-	[ ! -e /lib/modules/${KVNAME}/build ] || (echo "please remove /lib/modules/${KVNAME}/build" && false)
-	cd ${E1000EDIR}; patch -p1 < ../intel-module-gcc6-compat.patch
-	cd ${E1000EDIR}; patch -p1 < ../e1000e_4.10_compat.patch
-	cd ${E1000EDIR}; patch -p1 < ../e1000e_4.10_max-mtu.patch
-	cd ${E1000EDIR}/src; make BUILD_KERNEL=${KVNAME} KSRC=${TOP}/${KERNEL_SRC}
-	cp ${E1000EDIR}/src/e1000e.ko e1000e.ko
+$(KERNEL_SRC).prepared: $(KERNEL_SRC_SUBMODULE) | submodule
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC) $@
+	mkdir -p $(BUILD_DIR)
+	cp -a $(KERNEL_SRC_SUBMODULE) $(BUILD_DIR)/$(KERNEL_SRC)
+# TODO: split for archs, track and diff in our repository?
+	cd $(BUILD_DIR)/$(KERNEL_SRC); python3 debian/scripts/misc/annotations --arch amd64 --export >../../$(KERNEL_CFG_ORG)
+	cp $(KERNEL_CFG_ORG) $(BUILD_DIR)/$(KERNEL_SRC)/.config
+	sed -i $(BUILD_DIR)/$(KERNEL_SRC)/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=$(EXTRAVERSION)/'
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC)/debian $(BUILD_DIR)/$(KERNEL_SRC)/debian.master
+	set -e; cd $(BUILD_DIR)/$(KERNEL_SRC); \
+	  for patch in ../../patches/kernel/*.patch; do \
+	    echo "applying patch '$$patch'"; \
+	    patch --batch -p1 < "$${patch}"; \
+	  done
+	touch $@

-igb.ko igb: .compile_mark ${IGBSRC}
-	rm -rf ${IGBDIR}
-	tar xf ${IGBSRC}
-	[ ! -e /lib/modules/${KVNAME}/build ] || (echo "please remove /lib/modules/${KVNAME}/build" && false)
-	cd ${IGBDIR}; patch -p1 < ../intel-module-gcc6-compat.patch
-	cd ${IGBDIR}; patch -p1 < ../igb_4.9_compat.patch
-	cd ${IGBDIR}; patch -p1 < ../igb_4.10_compat.patch
-	cd ${IGBDIR}; patch -p1 < ../igb_4.10_max-mtu.patch
-	cd ${IGBDIR}/src; make BUILD_KERNEL=${KVNAME} KSRC=${TOP}/${KERNEL_SRC}
-	cp ${IGBDIR}/src/igb.ko igb.ko
+$(MODULES).prepared: $(addsuffix .prepared,$(MODULE_DIRS))
+	touch $@

-ixgbe.ko ixgbe: .compile_mark ${IXGBESRC}
-	rm -rf ${IXGBEDIR}
-	tar xf ${IXGBESRC}
-	[ ! -e /lib/modules/${KVNAME}/build ] || (echo "please remove /lib/modules/${KVNAME}/build" && false)
-	cd ${IXGBEDIR}; patch -p1 < ../ixgbe_4.10_compat.patch
-	cd ${IXGBEDIR}; patch -p1 < ../ixgbe_4.10_max-mtu.patch
-	cd ${IXGBEDIR}/src; make CFLAGS_EXTRA="-DIXGBE_NO_LRO" BUILD_KERNEL=${KVNAME} KSRC=${TOP}/${KERNEL_SRC}
-	cp ${IXGBEDIR}/src/ixgbe.ko ixgbe.ko
-
-$(SPL_KO_REST): $(SPL_KO)
-$(SPL_KO): .compile_mark ${SPLSRC}
-	rm -rf ${SPLDIR}
-	rsync -ra ${SPLSRC}/ ${SPLDIR}
-	[ ! -e /lib/modules/${KVNAME}/build ] || (echo "please remove /lib/modules/${KVNAME}/build" && false)
-	cd ${SPLDIR}; ./autogen.sh
-	cd ${SPLDIR}; ./configure --with-config=kernel --with-linux=${TOP}/${KERNEL_SRC} --with-linux-obj=${TOP}/${KERNEL_SRC}
-	cd ${SPLDIR}; make
-	cp ${SPLDIR}/module/spl/spl.ko spl.ko
-	cp ${SPLDIR}/module/splat/splat.ko splat.ko
-
-$(ZFS_KO_REST): $(ZFS_KO)
-$(ZFS_KO): .compile_mark ${ZFSSRC}
-	rm -rf ${ZFSDIR}
-	rsync -ra ${ZFSSRC}/ ${ZFSDIR}
-	[ ! -e /lib/modules/${KVNAME}/build ] || (echo "please remove /lib/modules/${KVNAME}/build" && false)
-	cd ${ZFSDIR}; ./autogen.sh
-	cd ${ZFSDIR}; ./configure --with-spl=${TOP}/${SPLDIR} --with-spl-obj=${TOP}/${SPLDIR} --with-config=kernel --with-linux=${TOP}/${KERNEL_SRC} --with-linux-obj=${TOP}/${KERNEL_SRC}
-	cd ${ZFSDIR}; make
-	cp ${ZFSDIR}/module/zfs/zfs.ko zfs.ko
-	cp ${ZFSDIR}/module/avl/zavl.ko zavl.ko
-	cp ${ZFSDIR}/module/nvpair/znvpair.ko znvpair.ko
-	cp ${ZFSDIR}/module/unicode/zunicode.ko zunicode.ko
-	cp ${ZFSDIR}/module/zcommon/zcommon.ko zcommon.ko
-	cp ${ZFSDIR}/module/zpios/zpios.ko zpios.ko
-
-headers_tmp := $(CURDIR)/tmp-headers
-headers_dir := $(headers_tmp)/usr/src/linux-headers-${KVNAME}
-
-hdr: $(HDR_DEB)
-${HDR_DEB}: .compile_mark headers-control.in headers-postinst.in
-	rm -rf $(headers_tmp)
-	install -d $(headers_tmp)/DEBIAN $(headers_dir)/include/
-	sed -e 's/@KERNEL_VER@/${KERNEL_VER}/' -e 's/@KVNAME@/${KVNAME}/' -e 's/@PKGREL@/${PKGREL}/' -e 's/@ARCH@/${ARCH}/' <headers-control.in >$(headers_tmp)/DEBIAN/control
-	sed -e 's/@@KVNAME@@/${KVNAME}/g'  <headers-postinst.in >$(headers_tmp)/DEBIAN/postinst
-	chmod 0755 $(headers_tmp)/DEBIAN/postinst
-	install -D -m 644 copyright $(headers_tmp)/usr/share/doc/${HDRPACKAGE}/copyright
-	install -D -m 644 changelog.Debian $(headers_tmp)/usr/share/doc/${HDRPACKAGE}/changelog.Debian
-	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout ${GITVERSION}" > $(headers_tmp)/usr/share/doc/${HDRPACKAGE}/SOURCE
-	gzip -n -f --best $(headers_tmp)/usr/share/doc/${HDRPACKAGE}/changelog.Debian
-	install -m 0644 ${KERNEL_SRC}/.config $(headers_dir)
-	install -m 0644 ${KERNEL_SRC}/Module.symvers $(headers_dir)
-	cd ${KERNEL_SRC}; find . -path './debian/*' -prune -o -path './include/*' -prune -o -path './Documentation' -prune \
-	  -o -path './scripts' -prune -o -type f \
-	  \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
-	     -name '*.sh' -o -name '*.pl' \) \
-	  -print | cpio -pd --preserve-modification-time $(headers_dir)
-	cd ${KERNEL_SRC}; cp -a include scripts $(headers_dir)
-	cd ${KERNEL_SRC}; (find arch/${KERNEL_ARCH} -name include -type d -print | \
-		xargs -n1 -i: find : -type f) | \
-		cpio -pd --preserve-modification-time $(headers_dir)
-	mkdir -p ${headers_tmp}/lib/modules/${KVNAME}
-	ln -sf /usr/src/linux-headers-${KVNAME} ${headers_tmp}/lib/modules/${KVNAME}/build
-	dpkg-deb --build $(headers_tmp) ${HDR_DEB}
-	#lintian ${HDR_DEB}
+$(ZFSDIR).prepared: $(ZFSONLINUX_SUBMODULE)
+	rm -rf $(BUILD_DIR)/$(MODULES)/$(ZFSDIR) $(BUILD_DIR)/$(MODULES)/tmp $@
+	mkdir -p $(BUILD_DIR)/$(MODULES)/tmp
+	cp -a $(ZFSONLINUX_SUBMODULE)/* $(BUILD_DIR)/$(MODULES)/tmp
+	cd $(BUILD_DIR)/$(MODULES)/tmp; make kernel
+	rm -rf $(BUILD_DIR)/$(MODULES)/tmp
+	touch $(ZFSDIR).prepared

 .PHONY: upload
-upload: ${DEBS}
-	tar cf - ${DEBS}|ssh repoman@repo.proxmox.com -- upload --product pve --dist stretch --arch ${ARCH}
+upload: UPLOAD_DIST ?= $(DEB_DISTRIBUTION)
+upload: $(DEBS)
+	tar cf - $(DEBS)|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg,pbs --dist $(UPLOAD_DIST) --arch $(ARCH)

 .PHONY: distclean
 distclean: clean
-	rm -rf linux-firmware.git dvb-firmware.git ${KERNEL_SRC}.org 
+	git submodule deinit --all

 # upgrade to current master
 .PHONY: update_modules
-update_modules: submodules
+update_modules: submodule
 	git submodule foreach 'git pull --ff-only origin master'
+	cd $(ZFSONLINUX_SUBMODULE); git pull --ff-only origin master

 # make sure submodules were initialized
-.PHONY: submodules
-submodules:
-	test -f "${KERNEL_SRC_SUBMODULE}/README" || git submodule update --init
-	test -f "${ZFSSRC}/debian/changelog" || git submodule update --init
-	test -f "${SPLSRC}/debian/changelog" || git submodule update --init
+.PHONY: submodule
+submodule:
+	test -f "$(KERNEL_SRC_SUBMODULE)/README" || git submodule update --init $(KERNEL_SRC_SUBMODULE)
+	test -f "$(ZFSONLINUX_SUBMODULE)/Makefile" || git submodule update --init --recursive $(ZFSONLINUX_SUBMODULE)

+# call after ABI bump with header deb in working directory
+.PHONY: abiupdate
+abiupdate: abi-prev-$(KVNAME)
+abi-prev-$(KVNAME): abi-tmp-$(KVNAME)
+ifneq ($(strip $(shell git status --untracked-files=no --porcelain -z)),)
+	@echo "working directory unclean, aborting!"
+	@false
+else
+	git rm "abi-prev-*"
+	mv $< $@
+	git add $@
+	git commit -s -m "update ABI file for $(KVNAME)" -m "(generated with debian/scripts/abi-generate)"
+	@echo "update abi-prev-$(KVNAME) committed!"
+endif
+
+abi-tmp-$(KVNAME):
+	@ test -e $(HDR_DEB) || (echo "need $(HDR_DEB) to extract ABI data!" && false)
+	debian/scripts/abi-generate $(HDR_DEB) $@ $(KVNAME) 1

 .PHONY: clean
 clean:
-	rm -rf *~ .compile_mark watchdog-blacklist.tmp ${KERNEL_CFG_ORG} ${KERNEL_SRC} ${KERNEL_SRC}.tmp ${KERNEL_CFG_ORG} ${KERNEL_SRC}.org orig tmp data proxmox-ve/data *.deb ${headers_tmp} fwdata fwlist.tmp *.ko abi-${KVNAME} fwlist-${KVNAME} ${ZFSDIR} ${SPLDIR} ${SPL_MODULES} ${ZFS_MODULES} hpsa.ko ${HPSADIR} ${DRBDDIR} drbd-9.0 ${IGBDIR} igb.ko ${IXGBEDIR} ixgbe.ko ${E1000EDIR} e1000e.ko linux-tools ${LINUX_TOOLS_DEB}
-
-
-
-
-
+	rm -rf *~ proxmox-kernel-[0-9]*/ *.prepared $(KERNEL_CFG_ORG)
+	rm -f *.deb *.dsc *.changes *.buildinfo *.build proxmox-kernel*.tar.*
--- a/248
+++ b/248
@ -1,152 +1,248 @@
 KERNEL SOURCE:
 ==============

-We currently use the Ubuntu kernel sources, available from:
+We currently use the Ubuntu kernel sources, available from our mirror:

- http://kernel.ubuntu.com/git/ubuntu/ubuntu-xenial.git/
+ https://git.proxmox.com/?p=mirror_ubuntu-kernels.git;a=summary

 Ubuntu will maintain those kernels till:

 https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
+ or
+ https://pve.proxmox.com/pve-docs/chapter-pve-faq.html#faq-support-table
+
+ whatever happens to be earlier.


 Additional/Updated Modules:
 ---------------------------

- include latest e1000e driver from intel/sourceforge
-
- include latest ixgbe driver from intel/sourceforge
-
- - include latest igb driver from intel/sourceforge
-
-# Note: hpsa does not compile with kernel 3.19.8
-#- include latest HPSA driver (HP Smart Array)
-#
-#  * http://sourceforge.net/projects/cciss/
-
 - include native OpenZFS filesystem kernel modules for Linux

  * https://github.com/zfsonlinux/

  For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ

- include latest DRBD 9 driver, see http://drbd.linbit.com/home/what-is-drbd/
+
+BUILD
+=====
+
+As this is packaging for the Linux kernel with some extra integrations, like
+ZFS, this repo cannot be handled like a plain Linux kernel git repository.
+
+The actual Linux kernel source lives in a git submodule.
+
+For a build you should init the submodules and then handle it like most our
+Debian packaging builds. If unsure you can follow this:
+
+Installing Build-Dependencies
+-----------------------------
+
+You can either just check the package metadata template `debian/control.in`
+and install the packages listed in the `Build-Depends` section manually
+(replace `debhelper-compat` with just `debhelper`) or use a more automated way
+described below:
+
+ # install base build-dependencies and helpers
+ apt update
+ apt install devscripts
+
+ # create build-directory so that we got final packaging control files from the
+ # .in templates generated
+ make build-dir-fresh
+
+ # install build-dependencies (replace BUILD-DIR with actual one)
+ mk-build-deps -ir BUILD-DIR/debian/control


-FIRMWARE:
+Package Build
+-------------
+
+ # start the actual build
+ make deb
+
+For simple KConfig modifications you can adapt the list in `debian/rules` file.
+For quick code changes to the actual kernel code you can do them directly in
+the submodule/ubuntu-kernels directory, then re-create the build-directory, e.g.:
+
+ make clean
+ # now build again, explicitly creating the build-dir isn't required anymore
+ # after one has the build-dependencies already installed.
+ make deb
+
+
+Modify-Build-Test Cycles
+------------------------
+
+Ideally you avoid the need for doing a full package build and just directly
+build linux from the ubuntu-kernels or the mainline (stable) repo with copying
+over a build-config of a proxmox-kernel to that as .config and then using the
+`make olddefconfig` target.
+
+If you need full package builds you can try to make changes inside the
+BUILD-DIR directly and then continue build from there, e.g., using
+`dpkg-buildpackage -b -uc -us --no-pre-clean`. Depending on what stage you want
+to continue build you might need to touch, or remove some *.prepared files.
+Just check `debian/rules` for how kernel build progress is tracked by make.
+
+SUBMODULE
 =========

-We create our own firmware package, which includes the firmware for
-all proxmox-ve kernels. So far this include
+We track the current upstream repository as submodule. Besides obvious
+advantages over tracking binary tar archives this also has some implications.

-pve-kernel-2.6.18
-pve-kernel-2.6.24
-pve-kernel-2.6.32
-pve-kernel-3.10.0
-pve-kernel-3.19.0
+For building the submodule directory gets copied into build/ and a few patches
+get applied with the `patch` tool. From a git point-of-view, the copied
+directory remains clean even with extra patches applied since it does not
+contain a .git directory, but a reference to the (still pristine) submodule:

-We use 'find-firmware.pl' to extract lists of required firmeware
-files.  The script 'assemble-firmware.pl' is used to read those lists
-and copy the files from various source directory into a target
-directory.
+$ cat build/ubuntu-kernel/.git

-We do not include firmeware for some wireless HW when there is a
-separate debian package for that, for example:
+If you mistakenly cloned the upstream repo as "normal" clone (not via the
+submodule mechanics) this means that you have a real .git directory with its
+independent objects and tracking info when copying for building, thus git
+operates on the copied directory - and "sees" that it was dirtied by `patch`,
+and thus the kernel buildsystem sees this too and will add a '+' to the version
+as a result. This changes the output directories for modules and other build
+artefacts and let's then the build fail on packaging.

-zd1211-firmware
-atmel-firmware
-bluez-firmware 
+So always ensure that you really checked it out as submodule, not as full
+"normal" clone. You can also explicitly set the LOCALVERSION variable to
+undefined with: `export LOCALVERSION= but that should only be done for test
+builds.
+
+RELATED PACKAGES:
+=================
+
+proxmox-ve
+----------
+
+top level meta package, depends on current default kernel series meta package.
+
+git clone git://git.proxmox.com/git/proxmox-ve.git
+
+proxmox-default-kernel
+----------------------
+
+Depends on default kernel and header meta package, e.g., proxmox-kernel-6.2 /
+proxmox-headers-6.2.
+
+git clone git://git.proxmox.com/git/pve-kernel-meta.git
+
+proxmox-kernel-X.Y
+------------------
+
+Depends on the latest kernel (or header, in case of proxmox-headers-X.Y)
+package within a certain series.
+
+e.g., proxmox-kernel-6.2 depends on proxmox-kernel-6.2.16-6-pve
+
+NOTE: Since Proxmox VE 8, based on Debian 12 Bookworm, the kernel ABI is bumped
+with every version bump due to module signing. Since then the meta package was
+pulled into the kernel repo, before that it lived in pve-kernel-meta.git.
+
+pve-firmware
+------------
+
+Contains the firmware for all released PVE kernels.
+
+git clone git://git.proxmox.com/git/pve-firmware.git


-PATCHES:
--------
+NOTES:
+======

- bridge-patch.diff: Avoid bridge problems with changing MAC
-  see also: http://forum.openvz.org/index.php?t=msg&th=5291
+ABI versions, package versions and package name:
+------------------------------------------------

-  Behaviour after 2.6.27 has changed slighly - after setting mac address
-  of bridge device, then address won't change. So we could omit
-  that patch, requiring to set hwaddress in /etc/network/interfaces.
+We follow debian's versioning w.r.t ABI changes:
+
+https://kernel-team.pages.debian.net/kernel-handbook/ch-versions.html
+https://wiki.debian.org/DebianKernelABIChanges
+
+The debian/rules file has a target comparing the build kernel's ABI against the
+version stored in the repository and indicates when an ABI bump is necessary.
+An ABI bump within one upstream version consists of incrementing the KREL
+variable in the Makefile, rebuilding the packages and running 'make abiupdate'
+(the 'abiupdate' target in 'Makefile' contains the steps for consistently
+updating the repository).

 Watchdog blacklist
 ------------------

 By default, all watchdog modules are black-listed because it is totally undefined
 which device is actually used for /dev/watchdog.
-We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf
+We ship this list in /lib/modprobe.d/blacklist_proxmox-kernel-<VERSION>.conf
 The user typically edit /etc/modules to enable a specific watchdog device.

+Debug kernel and modules
+------------------------
+
+In order to build a -dbgsym package containing an unstripped copy of the kernel
+image and modules, enable the 'pkg.proxmox-kernel.debug' build profile (e.g. by
+exporting DEB_BUILD_PROFILES='pkg.proxmox-kernel.debug'). The resulting package can
+be used together with 'crash'/'kdump-tools' to debug kernel crashes.
+
+Note: the -dbgsym package is only valid for the proxmox-kernel packages produced by
+the same build. A kernel/module from a different build will likely not match,
+even if both builds are of the same kernel and package version.
+
 Additional information
 ----------------------

 We use the default configuration provided by Ubuntu, and apply
-the following modification:
+the following modifications:

-see Makefile (PVE_CONFIG_OPTS)
+NOTE: For the exact and current list see debian/rules (PVE_CONFIG_OPTS)
+
+- enable INTEL_MEI_WDT=m (to allow disabling via patch)
+
+- disable CONFIG_SND_PCM_OSS (enabled by default in Ubuntu, not needed)
+
+- switch CONFIG_TRANSPARENT_HUGEPAGE to MADVISE from ALWAYS

 - enable CONFIG_CEPH_FS=m (request from user)

 - enable common CONFIG_BLK_DEV_XXX to avoid hardware detection
-  problems (udev, undate-initramfs have serious problems without that)
+  problems (udev, update-initramfs have serious problems without that)

  	 CONFIG_BLK_DEV_SD=y
  	 CONFIG_BLK_DEV_SR=y
  	 CONFIG_BLK_DEV_DM=y

- add workaround for Debian bug #807000 (see
-  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807000)
-
-  	 CONFIG_BLK_DEV_NVME=y
-
 - compile NBD and RBD modules
 	 CONFIG_BLK_DEV_NBD=m
 	 CONFIG_BLK_DEV_RBD=m

- set LOOP_MIN_COUNT to 8 (debian defaults)
-	 CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+- enable IBM JFS file system as module
+  requested by users (bug #64)

- disable module signatures (CONFIG_MODULE_SIG)
- 
- enable IBM JFS file system 
-
-  This is disabled in RHEL kernel for no real reason, so we enable
-  it as requested by users (bug #64)
-
- enable apple HFS and HFSPLUS
-
-  This is disabled in RHEL kernel for no real reason, so we enable
-  it as requested by users
+- enable apple HFS and HFSPLUS as module
+  requested by users

 - enable CONFIG_BCACHE=m (requested by user)

 - enable CONFIG_BRIDGE=y
-
-  Else we get warnings on boot, that
-  net.bridge.bridge-nf-call-iptables is an unknown key
+  to avoid warnings on boot, e.g. that net.bridge.bridge-nf-call-iptables is an unknown key

 - enable CONFIG_DEFAULT_SECURITY_APPARMOR
-
  We need this for lxc
-  
- set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y

+- set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
  because if not set, it can give some dynamic memory or cpu frequencies 
  change, and vms can crash (mainly windows guest).
-
  see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273

 - use 'deadline' as default scheduler
-
-  This is the suggested setting for KVM. We also measure bad fsync
-  performance with ext4 and cfq.
+  This is the suggested setting for KVM. We also measure bad fsync performance with ext4 and cfq.

 - disable CONFIG_INPUT_EVBUG
+  Module evbug is not blacklisted on debian, so we simply disable it to avoid
+  key-event logs (which is a big security problem)

-  Module evbug is not blacklisted on debian, so we simply disable it
-  to avoid key-event logs (which is a big security problem)
+- enable CONFIG_MODVERSIONS (needed for ABI tracking)

-Testing final kernel with kvm
-----------------------------
-
-kvm -kernel data/boot/vmlinuz-3.19.8-1-pve -initrd initrd.img-3.19.8-1-pve -append "vga=791 video=vesafb:ywrap,mtrr" /dev/zero
+- switch default UNWINDER to FRAME_POINTER
+  the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS

+- enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)
--- a/209
+++ b/209
@ -1,209 +0,0 @@
-#!/usr/bin/perl -w
-
-my $abinew = shift;
-my $abiold = shift;
-my $skipabi = shift;
-
-$abinew =~ /abi-(.*)/;
-my $abinum = $1;
-
-my $fail_exit = 1;
-my $EE = "EE:";
-my $errors = 0;
-my $abiskip = 0;
-
-my $count;
-
-print "II: Checking ABI...\n";
-
-if ($skipabi) {
-	print "WW: Explicitly asked to ignore ABI, running in no-fail mode\n";
-	$fail_exit = 0;
-	$abiskip = 1;
-	$EE = "WW:";
-}
-
-#if ($prev_abinum != $abinum) {
-#	print "II: Different ABI's, running in no-fail mode\n";
-#	$fail_exit = 0;
-#	$EE = "WW:";
-#}
-#
-if (not -f "$abinew" or not -f "$abiold") {
-	print "EE: Previous or current ABI file missing!\n";
-	print "    $abinew\n" if not -f "$abinew";
-	print "    $abiold\n" if not -f "$abiold";
-
-	# Exit if the ABI files are missing, but return status based on whether
-	# skip ABI was indicated.
-	if ("$abiskip" eq "1") {
-		exit(0);
-	} else {
-		exit(1);
-	}
-}
-
-my %symbols;
-my %symbols_ignore;
-my %modules_ignore;
-my %module_syms;
-
-# See if we have any ignores
-my $ignore = 0;
-print "    Reading symbols/modules to ignore...";
-
-for $file ("abi-blacklist") {
-	if (-f $file) {
-		open(IGNORE, "< $file") or
-			die "Could not open $file";
-		while (<IGNORE>) {
-			chomp;
-			if ($_ =~ m/M: (.*)/) {
-				$modules_ignore{$1} = 1;
-			} else {
-				$symbols_ignore{$_} = 1;
-			}
-			$ignore++;
-		}
-		close(IGNORE);
-	}
-}
-print "read $ignore symbols/modules.\n";
-
-sub is_ignored($$) {
-	my ($mod, $sym) = @_;
-
-	die "Missing module name in is_ignored()" if not defined($mod);
-	die "Missing symbol name in is_ignored()" if not defined($sym);
-
-	if (defined($symbols_ignore{$sym}) or defined($modules_ignore{$mod})) {
-		return 1;
-	}
-	return 0;
-}
-
-# Read new syms first
-print "    Reading new symbols ($abinum)...";
-$count = 0;
-open(NEW, "< $abinew") or
-	die "Could not open $abinew";
-while (<NEW>) {
-	chomp;
-	m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
-	$symbols{$4}{'type'} = $1;
-	$symbols{$4}{'loc'} = $2;
-	$symbols{$4}{'hash'} = $3;
-	$module_syms{$2} = 0;
-	$count++;
-}
-close(NEW);
-print "read $count symbols.\n";
-
-# Now the old symbols, checking for missing ones
-print "    Reading old symbols...";
-$count = 0;
-open(OLD, "< $abiold") or
-	die "Could not open $abiold";
-while (<OLD>) {
-	chomp;
-	m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
-	$symbols{$4}{'old_type'} = $1;
-	$symbols{$4}{'old_loc'} = $2;
-	$symbols{$4}{'old_hash'} = $3;
-	$count++;
-}
-close(OLD);
-
-print "read $count symbols.\n";
-
-print "II: Checking for missing symbols in new ABI...";
-$count = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'type'})) {
-		print "\n" if not $count;
-		printf("    MISS : %s%s\n", $sym,
-			is_ignored($symbols{$sym}{'old_loc'}, $sym) ? " (ignored)" : "");
-		$count++ if !is_ignored($symbols{$sym}{'old_loc'}, $sym);
-	}
-}
-print "    " if $count;
-print "found $count missing symbols\n";
-if ($count) {
-	print "$EE Symbols gone missing (what did you do!?!)\n";
-	$errors++;
-}
-
-
-print "II: Checking for new symbols in new ABI...";
-$count = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'old_type'})) {
-		print "\n" if not $count;
-		print "    NEW : $sym\n";
-		$count++;
-	}
-}
-print "    " if $count;
-print "found $count new symbols\n";
-if ($count) {
-	print "WW: Found new symbols. Not recommended unless ABI was bumped\n";
-}
-
-print "II: Checking for changes to ABI...\n";
-$count = 0;
-my $moved = 0;
-my $changed_type = 0;
-my $changed_hash = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'old_type'}) or
-	    !defined($symbols{$sym}{'type'})) {
-		next;
-	}
-
-	# Changes in location don't hurt us, but log it anyway
-	if ($symbols{$sym}{'loc'} ne $symbols{$sym}{'old_loc'}) {
-		printf("    MOVE : %-40s : %s => %s\n", $sym, $symbols{$sym}{'old_loc'},
-			$symbols{$sym}{'loc'});
-		$moved++;
-	}
-
-	# Changes to export type are only bad if new type isn't
-	# EXPORT_SYMBOL. Changing things to GPL are bad.
-	if ($symbols{$sym}{'type'} ne $symbols{$sym}{'old_type'}) {
-		printf("    TYPE : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_type'}.
-			$symbols{$sym}{'type'}, is_ignored($symbols{$sym}{'loc'}, $sym)
-			? " (ignored)" : "");
-		$changed_type++ if $symbols{$sym}{'type'} ne "EXPORT_SYMBOL"
-			and !is_ignored($symbols{$sym}{'loc'}, $sym);
-	}
-
-	# Changes to the hash are always bad
-	if ($symbols{$sym}{'hash'} ne $symbols{$sym}{'old_hash'}) {
-		printf("    HASH : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_hash'},
-			$symbols{$sym}{'hash'}, is_ignored($symbols{$sym}{'loc'}, $sym)
-			? " (ignored)" : "");
-		$changed_hash++ if !is_ignored($symbols{$sym}{'loc'}, $sym);
-		$module_syms{$symbols{$sym}{'loc'}}++;
-	}
-}
-
-print "WW: $moved symbols changed location\n" if $moved;
-print "$EE $changed_type symbols changed export type and weren't ignored\n" if $changed_type;
-print "$EE $changed_hash symbols changed hash and weren't ignored\n" if $changed_hash;
-
-$errors++ if $changed_hash or $changed_type;
-if ($changed_hash) {
-	print "II: Module hash change summary...\n";
-	foreach $mod (sort { $module_syms{$b} <=> $module_syms{$a} } keys %module_syms) {
-		next if ! $module_syms{$mod};
-		printf("    %-40s: %d\n", $mod, $module_syms{$mod});
-	}
-}
-
-print "II: Done\n";
-
-if ($errors) {
-	exit($fail_exit);
-} else {
-	exit(0);
-}
--- a/abi-prev-6.8.8-2-pve
+++ b/abi-prev-6.8.8-2-pve
--- a/21375
+++ b/21375
--- a/bridge-patch.diff
+++ b/bridge-patch.diff
@ -1,14 +0,0 @@
--- linux-2.6-3.10.0/net/bridge/br_stp_if.c.orig	2013-11-26 22:20:20.000000000 +0100
-+++ linux-2.6-3.10.0/net/bridge/br_stp_if.c	2013-12-17 08:42:10.004428223 +0100
-@@ -228,10 +228,7 @@
- 		return false;
- 
- 	list_for_each_entry(p, &br->port_list, list) {
-		if (addr == br_mac_zero ||
-		    memcmp(p->dev->dev_addr, addr, ETH_ALEN) < 0)
-			addr = p->dev->dev_addr;
-
-+	        addr = p->dev->dev_addr;
- 	}
- 
- 	if (ether_addr_equal(br->bridge_id.addr, addr))
--- a/ceph-scheduler-fix.patch
+++ b/ceph-scheduler-fix.patch
@ -1,137 +0,0 @@
-commit 8974189222159154c55f24ddad33e3613960521a
-Author: Peter Zijlstra <peterz@infradead.org>
-Date:   Thu Jun 16 10:50:40 2016 +0200
-
-    sched/fair: Fix cfs_rq avg tracking underflow
-    
-    As per commit:
-    
-      b7fa30c9cc48 ("sched/fair: Fix post_init_entity_util_avg() serialization")
-    
-    > the code generated from update_cfs_rq_load_avg():
-    >
-    > 	if (atomic_long_read(&cfs_rq->removed_load_avg)) {
-    > 		s64 r = atomic_long_xchg(&cfs_rq->removed_load_avg, 0);
-    > 		sa->load_avg = max_t(long, sa->load_avg - r, 0);
-    > 		sa->load_sum = max_t(s64, sa->load_sum - r * LOAD_AVG_MAX, 0);
-    > 		removed_load = 1;
-    > 	}
-    >
-    > turns into:
-    >
-    > ffffffff81087064:       49 8b 85 98 00 00 00    mov    0x98(%r13),%rax
-    > ffffffff8108706b:       48 85 c0                test   %rax,%rax
-    > ffffffff8108706e:       74 40                   je     ffffffff810870b0 <update_blocked_averages+0xc0>
-    > ffffffff81087070:       4c 89 f8                mov    %r15,%rax
-    > ffffffff81087073:       49 87 85 98 00 00 00    xchg   %rax,0x98(%r13)
-    > ffffffff8108707a:       49 29 45 70             sub    %rax,0x70(%r13)
-    > ffffffff8108707e:       4c 89 f9                mov    %r15,%rcx
-    > ffffffff81087081:       bb 01 00 00 00          mov    $0x1,%ebx
-    > ffffffff81087086:       49 83 7d 70 00          cmpq   $0x0,0x70(%r13)
-    > ffffffff8108708b:       49 0f 49 4d 70          cmovns 0x70(%r13),%rcx
-    >
-    > Which you'll note ends up with sa->load_avg -= r in memory at
-    > ffffffff8108707a.
-    
-    So I _should_ have looked at other unserialized users of ->load_avg,
-    but alas. Luckily nikbor reported a similar /0 from task_h_load() which
-    instantly triggered recollection of this here problem.
-    
-    Aside from the intermediate value hitting memory and causing problems,
-    there's another problem: the underflow detection relies on the signed
-    bit. This reduces the effective width of the variables, IOW its
-    effectively the same as having these variables be of signed type.
-    
-    This patch changes to a different means of unsigned underflow
-    detection to not rely on the signed bit. This allows the variables to
-    use the 'full' unsigned range. And it does so with explicit LOAD -
-    STORE to ensure any intermediate value will never be visible in
-    memory, allowing these unserialized loads.
-    
-    Note: GCC generates crap code for this, might warrant a look later.
-    
-    Note2: I say 'full' above, if we end up at U*_MAX we'll still explode;
-           maybe we should do clamping on add too.
-    
-    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-    Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
-    Cc: Chris Wilson <chris@chris-wilson.co.uk>
-    Cc: Linus Torvalds <torvalds@linux-foundation.org>
-    Cc: Mike Galbraith <efault@gmx.de>
-    Cc: Peter Zijlstra <peterz@infradead.org>
-    Cc: Thomas Gleixner <tglx@linutronix.de>
-    Cc: Yuyang Du <yuyang.du@intel.com>
-    Cc: bsegall@google.com
-    Cc: kernel@kyup.com
-    Cc: morten.rasmussen@arm.com
-    Cc: pjt@google.com
-    Cc: steve.muckle@linaro.org
-    Fixes: 9d89c257dfb9 ("sched/fair: Rewrite runnable load and utilization average tracking")
-    Link: http://lkml.kernel.org/r/20160617091948.GJ30927@twins.programming.kicks-ass.net
-    Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
---
- kernel/sched/fair.c |   33 +++++++++++++++++++++++++--------
- 1 file changed, 25 insertions(+), 8 deletions(-)
-
--- a/kernel/sched/fair.c
-+++ b/kernel/sched/fair.c
-@@ -2682,6 +2682,23 @@ static inline void update_tg_load_avg(st
- 
- static inline u64 cfs_rq_clock_task(struct cfs_rq *cfs_rq);
- 
-+/*
-+ * Unsigned subtract and clamp on underflow.
-+ *
-+ * Explicitly do a load-store to ensure the intermediate value never hits
-+ * memory. This allows lockless observations without ever seeing the negative
-+ * values.
-+ */
-+#define sub_positive(_ptr, _val) do {				\
-+	typeof(_ptr) ptr = (_ptr);				\
-+	typeof(*ptr) val = (_val);				\
-+	typeof(*ptr) res, var = READ_ONCE(*ptr);		\
-+	res = var - val;					\
-+	if (res > var)						\
-+		res = 0;					\
-+	WRITE_ONCE(*ptr, res);					\
-+} while (0)
-+
- /* Group cfs_rq's load_avg is used for task_h_load and update_cfs_share */
- static inline int update_cfs_rq_load_avg(u64 now, struct cfs_rq *cfs_rq)
- {
-@@ -2690,15 +2707,15 @@ static inline int update_cfs_rq_load_avg
- 
- 	if (atomic_long_read(&cfs_rq->removed_load_avg)) {
- 		s64 r = atomic_long_xchg(&cfs_rq->removed_load_avg, 0);
-		sa->load_avg = max_t(long, sa->load_avg - r, 0);
-		sa->load_sum = max_t(s64, sa->load_sum - r * LOAD_AVG_MAX, 0);
-+		sub_positive(&sa->load_avg, r);
-+		sub_positive(&sa->load_sum, r * LOAD_AVG_MAX);
- 		removed = 1;
- 	}
- 
- 	if (atomic_long_read(&cfs_rq->removed_util_avg)) {
- 		long r = atomic_long_xchg(&cfs_rq->removed_util_avg, 0);
-		sa->util_avg = max_t(long, sa->util_avg - r, 0);
-		sa->util_sum = max_t(s32, sa->util_sum - r * LOAD_AVG_MAX, 0);
-+		sub_positive(&sa->util_avg, r);
-+		sub_positive(&sa->util_sum, r * LOAD_AVG_MAX);
- 	}
- 
- 	decayed = __update_load_avg(now, cpu_of(rq_of(cfs_rq)), sa,
-@@ -2764,10 +2781,10 @@ static void detach_entity_load_avg(struc
- 			  &se->avg, se->on_rq * scale_load_down(se->load.weight),
- 			  cfs_rq->curr == se, NULL);
- 
-	cfs_rq->avg.load_avg = max_t(long, cfs_rq->avg.load_avg - se->avg.load_avg, 0);
-	cfs_rq->avg.load_sum = max_t(s64,  cfs_rq->avg.load_sum - se->avg.load_sum, 0);
-	cfs_rq->avg.util_avg = max_t(long, cfs_rq->avg.util_avg - se->avg.util_avg, 0);
-	cfs_rq->avg.util_sum = max_t(s32,  cfs_rq->avg.util_sum - se->avg.util_sum, 0);
-+	sub_positive(&cfs_rq->avg.load_avg, se->avg.load_avg);
-+	sub_positive(&cfs_rq->avg.load_sum, se->avg.load_sum);
-+	sub_positive(&cfs_rq->avg.util_avg, se->avg.util_avg);
-+	sub_positive(&cfs_rq->avg.util_sum, se->avg.util_sum);
- }
- 
- /* Add the load generated by se into cfs_rq's load average */
--- a/cgroup-cpuset-add-cpuset.remap_cpus.patch
+++ b/cgroup-cpuset-add-cpuset.remap_cpus.patch
@ -1,178 +0,0 @@
-From 40d641241a5399afc93d4eb75d8794f72fe3c0fb Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Wed, 21 Dec 2016 15:37:20 +0100
-Subject: [PATCH] cgroup, cpuset: add cpuset.remap_cpus
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Changes a cpuset, recursively remapping all its descendants
-to the new range.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- include/linux/cpumask.h | 17 ++++++++++++++++
- kernel/cpuset.c         | 54 +++++++++++++++++++++++++++++++++++++++----------
- 2 files changed, 60 insertions(+), 11 deletions(-)
-
-diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
-index 59915ea..f5487c8 100644
--- a/include/linux/cpumask.h
-+++ b/include/linux/cpumask.h
-@@ -514,6 +514,23 @@ static inline void cpumask_copy(struct cpumask *dstp,
- }
- 
- /**
-+ * cpumask_remap - *dstp = map(old, new)(*srcp)
-+ * @dstp: the result
-+ * @srcp: the input cpumask
-+ * @oldp: the old mask
-+ * @newp: the new mask
-+ */
-+static inline void cpumask_remap(struct cpumask *dstp,
-+				 const struct cpumask *srcp,
-+				 const struct cpumask *oldp,
-+				 const struct cpumask *newp)
-+{
-+	bitmap_remap(cpumask_bits(dstp), cpumask_bits(srcp),
-+		     cpumask_bits(oldp), cpumask_bits(newp),
-+		     nr_cpumask_bits);
-+}
-+
-+/**
-  * cpumask_any - pick a "random" cpu from *srcp
-  * @srcp: the input cpumask
-  *
-diff --git a/kernel/cpuset.c b/kernel/cpuset.c
-index 7e78cfe..ff5ff3a 100644
--- a/kernel/cpuset.c
-+++ b/kernel/cpuset.c
-@@ -462,7 +462,8 @@ static void free_trial_cpuset(struct cpuset *trial)
-  * Return 0 if valid, -errno if not.
-  */
- 
-static int validate_change(struct cpuset *cur, struct cpuset *trial)
-+static int validate_change(struct cpuset *cur, struct cpuset *trial,
-+			   int remap)
- {
- 	struct cgroup_subsys_state *css;
- 	struct cpuset *c, *par;
-@@ -470,11 +471,13 @@ static int validate_change(struct cpuset *cur, struct cpuset *trial)
- 
- 	rcu_read_lock();
- 
-	/* Each of our child cpusets must be a subset of us */
-	ret = -EBUSY;
-	cpuset_for_each_child(c, css, cur)
-		if (!is_cpuset_subset(c, trial))
-			goto out;
-+	if (!remap) {
-+		/* Each of our child cpusets must be a subset of us */
-+		ret = -EBUSY;
-+		cpuset_for_each_child(c, css, cur)
-+			if (!is_cpuset_subset(c, trial))
-+				goto out;
-+	}
- 
- 	/* Remaining checks don't apply to root cpuset */
- 	ret = 0;
-@@ -937,11 +940,15 @@ static void update_cpumasks_hier(struct cpuset *cs, struct cpumask *new_cpus)
-  * @cs: the cpuset to consider
-  * @trialcs: trial cpuset
-  * @buf: buffer of cpu numbers written to this cpuset
-+ * @remap: recursively remap all child nodes
-  */
- static int update_cpumask(struct cpuset *cs, struct cpuset *trialcs,
-			  const char *buf)
-+			  const char *buf, int remap)
- {
- 	int retval;
-+	struct cpuset *cp;
-+	struct cgroup_subsys_state *pos_css;
-+	struct cpumask tempmask;
- 
- 	/* top_cpuset.cpus_allowed tracks cpu_online_mask; it's read-only */
- 	if (cs == &top_cpuset)
-@@ -969,11 +976,25 @@ static int update_cpumask(struct cpuset *cs, struct cpuset *trialcs,
- 	if (cpumask_equal(cs->cpus_allowed, trialcs->cpus_allowed))
- 		return 0;
- 
-	retval = validate_change(cs, trialcs);
-+	retval = validate_change(cs, trialcs, remap);
- 	if (retval < 0)
- 		return retval;
- 
- 	spin_lock_irq(&callback_lock);
-+	if (remap) {
-+		rcu_read_lock();
-+		cpuset_for_each_descendant_pre(cp, pos_css, cs) {
-+			/* skip empty subtrees */
-+			if (cpumask_empty(cp->cpus_allowed)) {
-+				pos_css = css_rightmost_descendant(pos_css);
-+				continue;
-+			}
-+			cpumask_copy(&tempmask, cp->cpus_allowed);
-+			cpumask_remap(cp->cpus_allowed, &tempmask,
-+				      cs->cpus_allowed, trialcs->cpus_allowed);
-+		}
-+		rcu_read_unlock();
-+	}
- 	cpumask_copy(cs->cpus_allowed, trialcs->cpus_allowed);
- 	spin_unlock_irq(&callback_lock);
- 
-@@ -1250,7 +1271,7 @@ static int update_nodemask(struct cpuset *cs, struct cpuset *trialcs,
- 		retval = 0;		/* Too easy - nothing to do */
- 		goto done;
- 	}
-	retval = validate_change(cs, trialcs);
-+	retval = validate_change(cs, trialcs, 0);
- 	if (retval < 0)
- 		goto done;
- 
-@@ -1337,7 +1358,7 @@ static int update_flag(cpuset_flagbits_t bit, struct cpuset *cs,
- 	else
- 		clear_bit(bit, &trialcs->flags);
- 
-	err = validate_change(cs, trialcs);
-+	err = validate_change(cs, trialcs, 0);
- 	if (err < 0)
- 		goto out;
- 
-@@ -1596,6 +1617,7 @@ static void cpuset_attach(struct cgroup_taskset *tset)
- typedef enum {
- 	FILE_MEMORY_MIGRATE,
- 	FILE_CPULIST,
-+	FILE_REMAP_CPULIST,
- 	FILE_MEMLIST,
- 	FILE_EFFECTIVE_CPULIST,
- 	FILE_EFFECTIVE_MEMLIST,
-@@ -1728,7 +1750,10 @@ static ssize_t cpuset_write_resmask(struct kernfs_open_file *of,
- 
- 	switch (of_cft(of)->private) {
- 	case FILE_CPULIST:
-		retval = update_cpumask(cs, trialcs, buf);
-+		retval = update_cpumask(cs, trialcs, buf, 0);
-+		break;
-+	case FILE_REMAP_CPULIST:
-+		retval = update_cpumask(cs, trialcs, buf, 1);
- 		break;
- 	case FILE_MEMLIST:
- 		retval = update_nodemask(cs, trialcs, buf);
-@@ -1845,6 +1870,13 @@ static struct cftype files[] = {
- 	},
- 
- 	{
-+		.name = "remap_cpus",
-+		.write = cpuset_write_resmask,
-+		.max_write_len = (100U + 6 * NR_CPUS),
-+		.private = FILE_REMAP_CPULIST,
-+	},
-+
-+	{
- 		.name = "mems",
- 		.seq_show = cpuset_common_seq_show,
- 		.write = cpuset_write_resmask,
-- 
-2.1.4
-
--- a/changelog.Debian
+++ b/changelog.Debian
--- a/control.in
+++ b/control.in
@ -1,11 +0,0 @@
-Package: pve-kernel-@KVNAME@
-Version: @KERNEL_VER@-@PKGREL@
-Section: admin
-Priority: optional
-Architecture: @ARCH@
-Provides: linux-image, linux-image-2.6
-Suggests: pve-firmware
-Depends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64, initramfs-tools, busybox
-Maintainer: Proxmox Support Team <support@proxmox.com>
-Description: The Proxmox PVE Kernel Image
- This package contains the linux kernel and initial ramdisk used for booting
--- a/control.tools
+++ b/control.tools
@ -1,12 +0,0 @@
-Source: pve-kernel
-Maintainer: Proxmox Support Team <support@proxmox.com>
-
-Package: linux-tools-4.10
-Architecture: any
-Section: devel
-Priority: optional
-Depends: ${misc:Depends}, ${shlibs:Depends}, linux-base
-Description: Linux kernel version specific tools for version 4.10
- This package provides the architecture dependent parts for kernel
- version locked tools (such as perf and x86_energy_perf_policy)
- 
--- a/debian/certs/proxmox-uefi-ca.pem
+++ b/debian/certs/proxmox-uefi-ca.pem
@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGbjCCBFagAwIBAgIUTVo8veNlt0qzt14J+H2mhEB2SNUwDQYJKoZIhvcNAQEL
+BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
+ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
+BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
+eG1veC5jb20wHhcNMjMwMzA2MTM1MTM0WhcNMzMwMzAzMTM1MTM0WjCBkzELMAkG
+A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
+VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEXMBUGA1UEAwwOU2Vj
+dXJlIEJvb3QgQ0ExITAfBgkqhkiG9w0BCQEWEm9mZmljZUBwcm94bW94LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ59mP8gRLqsA6P53ejy0wMk
+0qLlICtDkPXsJoi4QRHjlPErxXv5zsZ4WqSG2bQ8EW95FAf8EOF6ge+G17neYt1w
+DmlvHzLBfqTJj5EBRgVjdWOjX3AkS/elOyzHdq4rKOteUSpQlMP4ub2cAUdy/8rp
+ouTbduttNv8mymAO89/kbXCEmKFiRS+av+hykFFyXH/KTRa2QnvLVadMEkmtA+vm
+yQhYWCTD8hdisa1o3dKM0Z2l8LyzfIOsVXcwHHB7AhtR4tbLR9Tz2p/m9Gz//vj
+82dBaChh6kxIMZ8kACP28dA561R2P6ZcjzLSJ0Tq5e4tiW9SNEzuTYKTRvFeQoQh
+4usDdSF3ifXDuimShpv8Yaf4fntyIaUfnm6H5tvNr9b9Rw6ZL200LV5VugQ1EpfE
+F0+c3LQfurwT7svISgXSY62Fe/TiHFANOVXM5j3/Dr2ktKyce7BUGN4ewpWPvP99
+io+rdd4bTReuDh8j0nhsSdYKfvuOmvQpgL8Smzno54/hdpuO6cv+slCr1ApDexl8
+gAPPwCZRsH7aPc92g+YPzDm3k77RqkCXPA19KKQLYKvL7a+H3rnqgO81CdGFPHOz
+I5UruKLLeDGAWR0bo0JqDMEL8/oPh9IvGo8lFcTros0NEof6A7p8SGmxM2NodTo9
+spDVs84xDPlp4yX4u8A9AgMBAAGjgbcwgbQwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFLXxsR5I
+LbWGkynLl1qjUgX4cs16MB8GA1UdIwQYMBaAFLXxsR5ILbWGkynLl1qjUgX4cs16
+MB0GA1UdEQQWMBSBEm9mZmljZUBwcm94bW94LmNvbTAdBgNVHRIEFjAUgRJvZmZp
+Y2VAcHJveG1veC5jb20wDQYJKoZIhvcNAQELBQADggIBAAUGWTt792ibVtE9yKgq
+9YtmybKGWjDHdMKl5AcnxLD60z7cEgcUBpEXaUbTzic5rz7fYhUM29LZkF8NIA2a
+rzrF0w+J1zZZKG2VvTWmdgynNNKQ/iTRbhgSZ94hEWOwumlEW4O6HwUN+VYFx8wf
+jvyWc1K6cdCc70IeC5POjYTlXKPoDq8ysPMLhxm7dsk7DDWcR0siMbYqGLLK5cJB
+lZE+9Q3Nj/q4m3odjK1ILrDGKqWWJgxopE21e903Ej+TNw+TduXygHqwVloEXUi4
+clmMMwCfhEBI9Vuy0+QSLxvrHKbwYpWd59RBQEsUubi8sT8Oh7njgmEd/Pf9uD7U
+1Rd9I+1MkNOZXyoyvaJQl9NZ9RpyG+ZbeQoFcL2CeCy0jJQQSilI5k4RtiDrGn6R
+GxlRL/FTvGWBkQGNwvoeFwD6i7zYainf1Z7f1Dh83MxKarxpAwX61K+rHpvAvjN/
+Hd4dslj5C+p188FnGaqiFlFAgVcF//F+yZFGYu1sTIQJ5f0C3LiFLeQYi3SPTf0L
+wk78eHgo6x1cIOM3/Ct4mflHBxnrfOJ9YdEAn2MklpDT5dif+9+zpN1myCQn4HoW
+OgoWIacSuvuFczHTQf2IX4ZEEE5SZwE31f7E0cqjgXmwbz1a81UMZHzvr71rDeWi
+oRgE3Pe1htzpOmw5Ygvjtn8k
+-----END CERTIFICATE-----
--- a/debian/certs/proxmox-uefi-signer-2023.pem
+++ b/debian/certs/proxmox-uefi-signer-2023.pem
@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGbzCCBFegAwIBAgIUakjebPHbd0vTEj9dEa3OF+gioGMwDQYJKoZIhvcNAQEL
+BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
+ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
+BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
+eG1veC5jb20wHhcNMjMwMzA2MTQwNTI1WhcNMjcwNDE0MTQwNTI1WjCBmjELMAkG
+A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
+VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEeMBwGA1UEAwwVU2Vj
+dXJlIEJvb3QgU2lnbiAyMDIzMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJveG1v
+eC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJGReH5i3aihb/
+frdbzzNueHBt7DC9W2/GXYf0wfl8izCXz2SYM/UIZavbpzF2uhgxli3Dj4M0FyR2
+oTKRseWyy+YMiwuhQcqCw0KRS6uOUiGjOtPHsEqDFO6DP8d1gNjYkF0jzY/CNf0N
+5Sc+w8jknQJgZ9G1RGcC2ihZATx2pgG9nYA30Op8qHyhcF2KrUmh8wpXky21u0Ja
+0/whsNFNSfQrvosgUroxLd2TvBdcBJu3SXt0B15jfY4Qssjmwgfs/oU8YGaAYnIp
+PLJRqzho/kpDA3PH2lsgxv5BJHQgDuODLj3Q3dx09C71Qdb3FlQ6z9hIdFUoPrvC
+kUpZ5lEwGUyvFZtJJQvGm/1BpDj1G7P8lqODyfkJ4c77XoH7M9z945HmxrfAyjP7
+9Jk8NXA9bSy+ygPHPHlTLEc10HKvk/SRg/sGGUveTr9C6rObfP8EmvXogpS46xSn
+W9s2vFSVFyOBvLpdIhU91McBFinvQaqY0r2XTNrsU3Zp5YG3z6hh6BOLCpD/pixc
+BQyfT8wGeI59dobVSSrWqt+1vNxO02I5t7Mlam687Ix1e3C/nk7+i44WMcmB8n+x
+Dq/v/L+UJlQ75u2dsaAiYUrGcsHQWAZ34oIAfec9qCgG+OLTwobwXXiOlaWiO51n
+0xCQ4ePK+vZuDxRHaXL7hOxFCe3iKwIDAQABo4GxMIGuMB0GA1UdDgQWBBRr/2t+
+Hu0KTVTbNhd31p7aJH15IjAfBgNVHSMEGDAWgBS18bEeSC21hpMpy5dao1IF+HLN
+ejAdBgNVHREEFjAUgRJvZmZpY2VAcHJveG1veC5jb20wHQYDVR0SBBYwFIESb2Zm
+aWNlQHByb3htb3guY29tMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwMwCwYDVR0PBAQDAgbAMA0GCSqGSIb3DQEBCwUAA4ICAQBYmLgWPJSK/pP/CkZE
+iYttW1Vd0Wm4DeZVSyUh2c9AI+A+IT5otEXjCflU8sYU4vm0eEtNwhmGdVf8oZe4
+tS/2eFawDAqEQ8xMsinbMJoqvcYx9uEZPiOOo3GS2YjfUy03Q3BAOV3rMFOjP4y+
+dfYF3IWnKQxvUV0wapRyDbT62plKt4UCtBagUPcm838YRD6ax+4yK/5sojMQM1IW
+2yGgEz8jeCyPI19Ots2RBZTJU2BZ1QqRPLybvLfsENtKgKqOE14BEp6WqtYBaj89
+QZD4tbP9Mqcmnj8AfG89pb1Fj6tq0MLZsboF6i0J7uuQ6CKkb5ksQhLODLMwAZi1
+1EAgWk5btwj6ZvoOHFOjAXGJ13tmUeYt/Zipyy/ie+5LSEdFevQ+zmZzsglfX3QK
+6skoBpHs3kLcuPsoe8uhCvn/b22lHkFdYYkIwIUQFPJgdvBzD8LYHnD8P60UdsQO
+vSSt9qzsq04DCEjwhmNJUeddL9ESGNL8vgpB9GvNjFEq6QMncELkdXDoAeqGFolE
+/dj+8sVq+34plRsvD1GDDx70UWk0ZtQlvhqDJ0kxeT+yYASrwLoujK44SLq8cMJr
+JYxDoxFOy5MSw+EzEXTP9LLkYNdPv/nzPbEz3lEctczyOgBWr22272Kdv3QCHBdP
+v4+vFbHnrXmu8cC9T45r2aX3rQ==
+-----END CERTIFICATE-----
--- a/debian/changelog
+++ b/debian/changelog
--- a/debian/control.in
+++ b/debian/control.in
@ -0,0 +1,124 @@
+Source: proxmox-kernel-@KVMAJMIN@
+Section: devel
+Priority: optional
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Build-Depends: asciidoc-base,
+               automake,
+               bc,
+               bison,
+               cpio,
+               debhelper-compat (= 13),
+               dh-python,
+               dwarves,
+               file,
+               flex,
+               gcc (>= 8.3.0-6),
+               git,
+               kmod,
+               libdw-dev,
+               libelf-dev,
+               libiberty-dev,
+               libnuma-dev,
+               libpve-common-perl,
+               libslang2-dev,
+               libssl-dev,
+               libtool,
+               lintian,
+               lz4,
+               python3-dev,
+               python3-minimal,
+               rsync,
+               sphinx-common,
+               xmlto,
+               zlib1g-dev,
+               zstd,
+Build-Conflicts: proxmox-headers-@KVNAME@,
+Standards-Version: 4.6.2
+Vcs-Git: git://git.proxmox.com/git/pve-kernel
+Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
+
+Package: linux-tools-@KVMAJMIN@
+Architecture: any
+Section: devel
+Priority: optional
+Depends: linux-base, ${misc:Depends}, ${shlibs:Depends},
+Description: Linux kernel version specific tools for version @KVMAJMIN@
+ This package provides the architecture dependent parts for kernel
+ version locked tools (such as perf and x86_energy_perf_policy)
+
+Package: proxmox-headers-@KVNAME@
+Section: devel
+Priority: optional
+Architecture: any
+Provides: linux-headers-@KVNAME@-amd64, pve-headers-@KVNAME@
+Depends: ${misc:Depends},
+Description: Proxmox Kernel Headers
+ This package contains the linux kernel headers
+
+Package: proxmox-kernel-@KVNAME@
+Section: admin
+Priority: optional
+Architecture: any
+Provides: linux-image-@KVNAME@-amd64, pve-kernel-@KVNAME@
+Suggests: pve-firmware,
+Depends: busybox, initramfs-tools | linux-initramfs-tool, ${misc:Depends},
+Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64,
+Description: Proxmox Kernel Image
+ This package contains the linux kernel and initial ramdisk used for booting
+
+Package: proxmox-kernel-@KVNAME@-dbgsym
+Architecture: any
+Provides: linux-debug, pve-kernel-@KVNAME@-dbgsym
+Section: devel
+Priority: optional
+Build-Profiles: <pkg.proxmox-kernel.debug>
+Depends: ${misc:Depends},
+Description: Proxmox Kernel debug image
+ This package provides the kernel debug image for version @KVNAME@. The debug
+ kernel image contained in this package is NOT meant to boot from - it is
+ uncompressed, and unstripped, and suitable for use with crash/kdump-tools/..
+ to analyze kernel crashes. This package also contains the proxmox-kernel modules
+ in their unstripped version.
+
+Package: proxmox-kernel-@KVNAME@-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed kernel package
+ This package is used to control code signing by the Proxmox signing
+ service.
+
+Package: proxmox-kernel-libc-dev
+Section: devel
+Priority: optional
+Architecture: any
+Provides: linux-libc-dev (=${binary:Version}), pve-kernel-libc-dev
+Conflicts: linux-libc-dev,
+Replaces: linux-libc-dev, pve-kernel-libc-dev
+Breaks: pve-kernel-libc-dev
+Depends: ${misc:Depends},
+Description: Linux support headers for userspace development
+ This package provides userspaces headers from the Linux kernel.  These headers
+ are used by the installed headers for GNU libc and other system libraries.
+
+Package: proxmox-headers-@KVMAJMIN@
+Architecture: all
+Section: admin
+Provides: linux-headers-amd64, linux-headers-generic, pve-headers-@KVMAJMIN@
+Replaces: pve-headers-@KVMAJMIN@
+Priority: optional
+Depends: proxmox-headers-@KVNAME@, ${misc:Depends},
+Description: Latest Proxmox Kernel Headers
+ This is a metapackage which will install the kernel headers
+ for the latest available proxmox kernel from the @KVMAJMIN@
+ series.
+
+Package: proxmox-kernel-@KVMAJMIN@
+Architecture: all
+Section: admin
+Provides: linux-image-amd64, linux-image-generic, wireguard-modules (=1.0.0), pve-kernel-@KVMAJMIN@
+Replaces: pve-kernel-@KVMAJMIN@
+Priority: optional
+Depends: pve-firmware, proxmox-kernel-@KVNAME@-signed | proxmox-kernel-@KVNAME@, ${misc:Depends},
+Description: Latest Proxmox Kernel Image
+ This is a metapackage which will install the latest available
+ proxmox kernel from the @KVMAJMIN@ series.
--- a/debian/copyright
+++ b/debian/copyright
@ -1,11 +1,8 @@
 This is a prepackaged version of the Linux kernel binary image.

-This package was put together by Proxmox Server
-Solutions GmbH <support@proxmox.com>.
-
-We use the RHEL7 kernel sources, available from:
-
-ftp://ftp.redhat.com/redhat/rhel/
+For the packaging and all files in the debian/ folder consider:
+ Copyright (C) 2007-2022 Proxmox Server Solutions GmbH
+ Licensed under the AGPL-3.0-or-later

 Linux is copyrighted by Linus Torvalds and others.

@ -26,6 +23,5 @@ The complete text of the GNU General Public License can be found in
 `/usr/share/common-licenses/GPL-2'.


-ZFS module is licensed under the Common Development and Distribution 
+ZFS module is licensed under the Common Development and Distribution
 License (CDDL).
-
--- a/debian/proxmox-headers.postinst.in
+++ b/debian/proxmox-headers.postinst.in
--- a/debian/proxmox-kernel-meta.postinst.in
+++ b/debian/proxmox-kernel-meta.postinst.in
@ -0,0 +1,17 @@
+#! /bin/sh
+
+# Abort if any command returns an error value 
+set -e
+
+case "$1" in
+  configure)
+    # setup kernel links for installation CD (rescue boot)
+    mkdir -p /boot/pve
+    ln -sf /boot/vmlinuz-@@KVNAME@@ /boot/pve/vmlinuz-@@KVMAJMIN@@
+    ln -sf /boot/initrd.img-@@KVNAME@@ /boot/pve/initrd.img-@@KVMAJMIN@@
+    ;;
+esac
+
+#DEBHELPER#
+
+exit 0
--- a/debian/proxmox-kernel-meta.postrm.in
+++ b/debian/proxmox-kernel-meta.postrm.in
@ -5,10 +5,9 @@ set -e

 case "$1" in
    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
-	# remove kernel symlinks
-	rm -f /boot/pve/vmlinuz
-	rm -f /boot/pve/initrd.img
-	rmdir --ignore-fail-on-non-empty /boot/pve/ || true
+        # remove kernel symlinks
+        rm -f /boot/pve/vmlinuz-@@KVNAME@@
+        rm -f /boot/pve/initrd.img-@@KVNAME@@
    ;;

    *)
@ -17,3 +16,4 @@ case "$1" in
    ;;
 esac

+#DEBHELPER#
--- a/debian/proxmox-kernel.postinst.in
+++ b/debian/proxmox-kernel.postinst.in
@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 # Ignore all invocations except when called on to configure.
 exit 0 unless $ARGV[0] =~ /configure/;
@ -16,10 +17,9 @@ system("depmod $version");

 if (-d "/etc/kernel/postinst.d") {
  print STDERR "Examining /etc/kernel/postinst.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " .
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/postinst.d") &&
-            die "Failed to process /etc/kernel/postinst.d";
+  system(
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/postinst.d"
+  ) && die "Failed to process /etc/kernel/postinst.d";
 }

 exit 0
--- a/debian/proxmox-kernel.postrm.in
+++ b/debian/proxmox-kernel.postrm.in
@ -0,0 +1,46 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+# Ignore all 'upgrade' invocations .
+exit 0 if $ARGV[0] =~ /upgrade/;
+
+my $imagedir = "/boot";
+
+my $version = "@@KVNAME@@";
+
+if (-d "/etc/kernel/postrm.d") {
+  print STDERR "Examining /etc/kernel/postrm.d.\n";
+  system (
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/postrm.d"
+  ) && die "Failed to process /etc/kernel/postrm.d";
+}
+
+unlink "$imagedir/initrd.img-$version";
+unlink "$imagedir/initrd.img-$version.bak";
+unlink "/var/lib/initramfs-tools/$version";
+
+# Ignore all invocations except when called on to purge.
+exit 0 unless $ARGV[0] =~ /purge/;
+
+my @files_to_remove = qw{
+    modules.dep modules.isapnpmap modules.pcimap
+    modules.usbmap modules.parportmap
+    modules.generic_string modules.ieee1394map
+    modules.ieee1394map modules.pnpbiosmap
+    modules.alias modules.ccwmap modules.inputmap
+    modules.symbols modules.ofmap
+    modules.seriomap modules.*.bin
+    modules.softdep modules.devname
+};
+
+foreach my $extra_file (@files_to_remove) {
+    for (glob("/lib/modules/$version/$extra_file")) {
+	unlink;
+    }
+}
+
+system ("rmdir", "/lib/modules/$version") if -d "/lib/modules/$version";
+
+exit 0
--- a/debian/proxmox-kernel.prerm.in
+++ b/debian/proxmox-kernel.prerm.in
@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 # Ignore all invocations uxcept when called on to remove
 exit 0 unless ($ARGV[0] && $ARGV[0] =~ /remove/) ;
@ -14,10 +15,9 @@ my $version = "@@KVNAME@@";

 if (-d "/etc/kernel/prerm.d") {
  print STDERR "Examining /etc/kernel/prerm.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " . 
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/prerm.d") &&
-	  die "Failed to process /etc/kernel/prerm.d";
+  system(
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/prerm.d"
+  ) && die "Failed to process /etc/kernel/prerm.d";
 }

 exit 0
--- a/debian/rules
+++ b/debian/rules
@ -0,0 +1,342 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# TODO: check for headers not being installed
+BUILD_DIR=$(shell pwd)
+
+include /usr/share/dpkg/default.mk
+include debian/rules.d/env.mk
+include debian/rules.d/$(DEB_BUILD_ARCH).mk
+
+MAKEFLAGS += $(subst parallel=,-j,$(filter parallel=%,${DEB_BUILD_OPTIONS}))
+
+CHANGELOG_DATE:=$(shell dpkg-parsechangelog -SDate)
+CHANGELOG_DATE_UTC_ISO := $(shell date -u -d '$(CHANGELOG_DATE)' +%Y-%m-%dT%H:%MZ)
+
+PMX_KERNEL_PKG=proxmox-kernel-$(KVNAME)
+PMX_KERNEL_SERIES_PKG=proxmox-kernel-$(KERNEL_MAJMIN)
+PMX_DEBUG_KERNEL_PKG=proxmox-kernel-$(KVNAME)-dbgsym
+PMX_HEADER_PKG=proxmox-headers-$(KVNAME)
+PMX_USR_HEADER_PKG=proxmox-kernel-libc-dev
+PMX_KERNEL_SIGNING_TEMPLATE_PKG=proxmox-kernel-${KVNAME}-signed-template
+PMX_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')
+LINUX_TOOLS_PKG=linux-tools-$(KERNEL_MAJMIN)
+KERNEL_SRC_COPY=$(KERNEL_SRC)_tmp
+
+# TODO: split for archs, move to files?
+PMX_CONFIG_OPTS= \
+-m INTEL_MEI_WDT \
+-d CONFIG_SND_PCM_OSS \
+-e CONFIG_TRANSPARENT_HUGEPAGE_MADVISE \
+-d CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS \
+-m CONFIG_CEPH_FS \
+-m CONFIG_BLK_DEV_NBD \
+-m CONFIG_BLK_DEV_RBD \
+-m CONFIG_BLK_DEV_UBLK \
+-d CONFIG_SND_PCSP \
+-m CONFIG_BCACHE \
+-m CONFIG_JFS_FS \
+-m CONFIG_HFS_FS \
+-m CONFIG_HFSPLUS_FS \
+-e CIFS_SMB_DIRECT \
+-e CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU \
+-e CONFIG_BRIDGE \
+-e CONFIG_BRIDGE_NETFILTER \
+-e CONFIG_BLK_DEV_SD \
+-e CONFIG_BLK_DEV_SR \
+-e CONFIG_BLK_DEV_DM \
+-m CONFIG_BLK_DEV_NVME \
+-e CONFIG_NLS_ISO8859_1 \
+-d CONFIG_INPUT_EVBUG \
+-d CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND \
+-d CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL \
+-e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
+-e CONFIG_SYSFB_SIMPLEFB \
+-e CONFIG_DRM_SIMPLEDRM \
+-e CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG_ALL \
+-e CONFIG_MODULE_SIG_FORMAT \
+--set-str CONFIG_MODULE_SIG_HASH sha512 \
+--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
+-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
+-e CONFIG_MODULE_SIG_SHA512 \
+-d CONFIG_MEMCG_DISABLED \
+-e CONFIG_MEMCG_SWAP_ENABLED \
+-e CONFIG_HYPERV \
+-m CONFIG_VFIO_IOMMU_TYPE1 \
+-e CONFIG_VFIO_VIRQFD \
+-m CONFIG_VFIO \
+-m CONFIG_VFIO_PCI \
+-m CONFIG_USB_XHCI_HCD \
+-m CONFIG_USB_XHCI_PCI \
+-m CONFIG_USB_EHCI_HCD \
+-m CONFIG_USB_EHCI_PCI \
+-m CONFIG_USB_EHCI_HCD_PLATFORM \
+-m CONFIG_USB_OHCI_HCD \
+-m CONFIG_USB_OHCI_HCD_PCI \
+-m CONFIG_USB_OHCI_HCD_PLATFORM \
+-d CONFIG_USB_OHCI_HCD_SSB \
+-m CONFIG_USB_UHCI_HCD \
+-d CONFIG_USB_SL811_HCD_ISO \
+-e CONFIG_MEMCG_KMEM \
+-d CONFIG_DEFAULT_CFQ \
+-e CONFIG_DEFAULT_DEADLINE \
+-e CONFIG_MODVERSIONS \
+-e CONFIG_ZSTD_COMPRESS \
+-d CONFIG_DEFAULT_SECURITY_DAC \
+-e CONFIG_DEFAULT_SECURITY_APPARMOR \
+--set-str CONFIG_DEFAULT_SECURITY apparmor \
+-e CONFIG_MODULE_ALLOW_BTF_MISMATCH \
+-d CONFIG_UNWINDER_ORC \
+-d CONFIG_UNWINDER_GUESS \
+-e CONFIG_UNWINDER_FRAME_POINTER \
+--set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
+--set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
+-e CONFIG_SECURITY_LOCKDOWN_LSM \
+-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
+--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
+-e CONFIG_PAGE_TABLE_ISOLATION \
+-e CONFIG_ARCH_HAS_CPU_FINALIZE_INIT \
+-d CONFIG_GDS_FORCE_MITIGATION \
+-d CONFIG_WQ_CPU_INTENSIVE_REPORT \
+-d CONFIG_N_GSM \
+-d UBSAN_BOUNDS \
+
+debian/control: $(wildcard debian/*.in)
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.prerm.in > debian/$(PMX_KERNEL_PKG).prerm
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postrm.in > debian/$(PMX_KERNEL_PKG).postrm
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postinst.in > debian/$(PMX_KERNEL_PKG).postinst
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-headers.postinst.in > debian/$(PMX_HEADER_PKG).postinst
+	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postrm.in > debian/$(PMX_KERNEL_SERIES_PKG).postrm
+	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postinst.in > debian/$(PMX_KERNEL_SERIES_PKG).postinst
+	chmod +x debian/$(PMX_KERNEL_PKG).prerm
+	chmod +x debian/$(PMX_KERNEL_PKG).postrm
+	chmod +x debian/$(PMX_KERNEL_PKG).postinst
+	chmod +x debian/$(PMX_KERNEL_SERIES_PKG).postrm
+	chmod +x debian/$(PMX_KERNEL_SERIES_PKG).postinst
+	chmod +x debian/$(PMX_HEADER_PKG).postinst
+	sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control
+
+	# signing-template
+	sed -e '1 s/proxmox-kernel/proxmox-kernel-signed/' -e '1 s/${DEB_VERSION}/${PMX_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog
+	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control
+	sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json
+	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.prerm.in > debian/signing-template/prerm
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postrm.in > debian/signing-template/postrm
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postinst.in > debian/signing-template/postinst
+	rm debian/signing-template/*.in
+	cp debian/SOURCE debian/signing-template/
+
+build: .compile_mark .tools_compile_mark .modules_compile_mark
+
+install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
+	dh_installdocs -A debian/copyright debian/SOURCE
+	dh_installchangelogs
+	dh_installman
+	dh_strip_nondeterminism
+	dh_compress
+	dh_fixperms
+
+binary: install
+	debian/rules fwcheck abicheck
+	dh_strip -N$(PMX_HEADER_PKG) -N$(PMX_USR_HEADER_PKG)
+	dh_makeshlibs
+	dh_shlibdeps
+	dh_installdeb
+	dh_gencontrol
+	dh_md5sums
+	dh_builddeb
+
+.config_mark:
+	cd $(KERNEL_SRC); scripts/config $(PMX_CONFIG_OPTS)
+	$(MAKE) -C $(KERNEL_SRC) olddefconfig
+	# copy to allow building in parallel to kernel/module compilation without interference
+	rm -rf $(KERNEL_SRC_COPY)
+	cp -ar $(KERNEL_SRC) $(KERNEL_SRC_COPY)
+	touch $@
+
+.compile_mark: .config_mark
+	$(MAKE) -C $(KERNEL_SRC) KBUILD_BUILD_VERSION_TIMESTAMP="PMX $(DEB_VERSION) ($(CHANGELOG_DATE_UTC_ISO))"
+	touch $@
+
+.install_mark: .compile_mark .modules_compile_mark
+	rm -rf debian/$(PMX_KERNEL_PKG)
+	mkdir -p debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)
+	mkdir debian/$(PMX_KERNEL_PKG)/boot
+	install -m 644 $(KERNEL_SRC)/.config debian/$(PMX_KERNEL_PKG)/boot/config-$(KVNAME)
+	install -m 644 $(KERNEL_SRC)/System.map debian/$(PMX_KERNEL_PKG)/boot/System.map-$(KVNAME)
+	install -m 644 $(KERNEL_SRC)/$(KERNEL_IMAGE_PATH) debian/$(PMX_KERNEL_PKG)/boot/$(KERNEL_INSTALL_FILE)-$(KVNAME)
+	$(MAKE) -C $(KERNEL_SRC) INSTALL_MOD_PATH=$(BUILD_DIR)/debian/$(PMX_KERNEL_PKG)/ modules_install
+	# install zfs drivers
+	install -d -m 0755 debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
+	install -m 644 $(MODULES)/zfs.ko $(MODULES)/spl.ko debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
+	# remove firmware
+	rm -rf debian/$(PMX_KERNEL_PKG)/lib/firmware
+
+ifeq ($(filter pkg.proxmox-kernel.debug,$(DEB_BUILD_PROFILES)),)
+	echo "'pkg.proxmox-kernel.debug' build profile disabled, skipping -dbgsym creation"
+else
+	echo "'pkg.proxmox-kernel.debug' build profile enabled, creating -dbgsym contents"
+	mkdir -p debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)
+	mkdir debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot
+	install -m 644 $(KERNEL_SRC)/vmlinux debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot/vmlinux-$(KVNAME)
+	cp -r debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/source
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/build
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/modules.*
+endif
+
+	# strip debug info
+	find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+
+	# sign modules using ephemeral, embedded key
+	if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
+		find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
+			./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
+		done; \
+		rm ./ubuntu-kernel/certs/signing_key.pem ; \
+	fi
+	# finalize
+	/sbin/depmod -b debian/$(PMX_KERNEL_PKG)/ $(KVNAME)
+	# Autogenerate blacklist for watchdog devices (see README)
+	install -m 0755 -d debian/$(PMX_KERNEL_PKG)/lib/modprobe.d
+	ls debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
+	echo ipmi_watchdog.ko >> watchdog-blacklist.tmp
+	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/$(PMX_KERNEL_PKG)/lib/modprobe.d/blacklist_$(PMX_KERNEL_PKG).conf
+	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/source
+	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/build
+
+	# copy signing template contents
+	rm -rf debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}
+	mkdir -p debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+	cp -R debian/copyright \
+		debian/signing-template/rules \
+		debian/signing-template/control \
+		debian/signing-template/source \
+		debian/signing-template/changelog \
+		debian/signing-template/prerm \
+		debian/signing-template/postrm \
+		debian/signing-template/postinst \
+		debian/signing-template/SOURCE \
+		debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+	cp debian/signing-template/files.json debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/
+
+	touch $@
+
+.tools_compile_mark: .compile_mark
+	$(MAKE) -C $(KERNEL_SRC)/tools/perf prefix=/usr NO_LIBTRACEEVENT=1 HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
+	echo "checking GPL-2 only perf binary for library linkage with incompatible licenses.."
+	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibbfd'
+	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibcrypto'
+	$(MAKE) -C $(KERNEL_SRC)/tools/perf NO_LIBTRACEEVENT=1 man
+	touch $@
+
+.tools_install_mark: .tools_compile_mark
+	rm -rf debian/$(LINUX_TOOLS_PKG)
+	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/bin
+	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1
+	install -m 755 $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/perf debian/$(LINUX_TOOLS_PKG)/usr/bin/perf_$(KERNEL_MAJMIN)
+	for i in $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/Documentation/*.1; do \
+	    fname="$${i##*/}"; manname="$${fname%.1}"; \
+	    install -m644 "$$i" "debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1/$${manname}_$(KERNEL_MAJMIN).1"; \
+	done
+	touch $@
+
+.headers_prepare_mark: .config_mark
+	rm -rf debian/$(PMX_HEADER_PKG)
+	mkdir -p debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	install -m 0644 $(KERNEL_SRC)/.config debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	make -C $(KERNEL_SRC_COPY) mrproper
+	cd $(KERNEL_SRC_COPY); find . -path './debian/*' -prune \
+	    -o -path './include/*' -prune \
+	    -o -path './Documentation' -prune \
+	    -o -path './scripts' -prune \
+	    -o -type f \
+	    \( \
+	        -name 'Makefile*' \
+	        -o -name 'Kconfig*' \
+	        -o -name 'Kbuild*' \
+	        -o -name '*.sh' \
+	        -o -name '*.pl' \
+	    \) \
+	    -print | cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	cd $(KERNEL_SRC_COPY); \
+	    ( \
+	        find arch/$(KERNEL_HEADER_ARCH) -name include -type d -print | \
+	        xargs -n1 -i: find : -type f \
+	    ) | \
+	    cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	touch $@
+
+.headers_compile_mark: .headers_prepare_mark
+	# set output to subdir of source to reduce number of hardcoded paths in output files
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
+	mkdir -p $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
+	cp $(KERNEL_SRC)/.config $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/.config
+	$(MAKE) -C $(KERNEL_SRC_COPY) O=$(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -j1 syncconfig modules_prepare prepare scripts
+	cd $(KERNEL_SRC_COPY); cp -a include scripts $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	find $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -name \*.o.ur-\* -o -name '*.cmd' | xargs rm -f
+	rsync --ignore-existing -r -v -a $(addprefix $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/,arch include kernel scripts tools) $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)
+	touch $@
+
+.headers_install_mark: .compile_mark .modules_compile_mark .headers_compile_mark
+	cp $(KERNEL_SRC)/include/generated/compile.h debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/include/generated/compile.h
+	install -m 0644 $(KERNEL_SRC)/Module.symvers debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	mkdir -p debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)
+	ln -sf /usr/src/linux-headers-$(KVNAME) debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)/build
+	touch $@
+
+.usr_headers_install_mark: PKG_DIR = debian/$(PMX_USR_HEADER_PKG)
+.usr_headers_install_mark: OUT_DIR = $(PKG_DIR)/usr
+.usr_headers_install_mark: .config_mark
+	rm -rf '$(PKG_DIR)'
+	mkdir -p  '$(PKG_DIR)'
+	$(MAKE) -C $(KERNEL_SRC) headers_install ARCH=$(KERNEL_HEADER_ARCH) INSTALL_HDR_PATH='$(CURDIR)'/$(OUT_DIR)
+	rm -rf $(OUT_DIR)/include/drm $(OUT_DIR)/include/scsi
+	find $(OUT_DIR)/include \( -name .install -o -name ..install.cmd \) -execdir rm {} +
+
+# Move include/asm to arch-specific directory
+	mkdir -p $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)
+	mv $(OUT_DIR)/include/asm $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
+	test ! -d $(OUT_DIR)/include/arch || \
+		mv $(OUT_DIR)/include/arch $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
+	touch $@
+
+.modules_compile_mark: $(MODULES)/zfs.ko
+	touch $@
+
+$(MODULES)/zfs.ko: .compile_mark
+	cd $(MODULES)/$(ZFSDIR); ./autogen.sh
+	cd $(MODULES)/$(ZFSDIR); ./configure --with-config=kernel --with-linux=$(BUILD_DIR)/$(KERNEL_SRC) --with-linux-obj=$(BUILD_DIR)/$(KERNEL_SRC)
+	$(MAKE) -C $(MODULES)/$(ZFSDIR)
+	cp $(MODULES)/$(ZFSDIR)/module/zfs.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/spl.ko $(MODULES)/
+
+fwlist-$(KVNAME): .compile_mark .modules_compile_mark
+	debian/scripts/find-firmware.pl debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) >fwlist.tmp
+	mv fwlist.tmp $@
+
+.PHONY: fwcheck
+fwcheck: fwlist-$(KVNAME) fwlist-previous
+	@echo "checking fwlist for changes since last built firmware package.."
+	@echo "if this check fails, add fwlist-$(KVNAME) to the pve-firmware repository and upload a new firmware package together with the $(KVNAME) kernel"
+	sort fwlist-previous | uniq > fwlist-previous.sorted
+	sort fwlist-$(KVNAME) | uniq > fwlist-$(KVNAME).sorted
+	diff -up -N fwlist-previous.sorted fwlist-$(KVNAME).sorted > fwlist.diff
+	rm fwlist.diff fwlist-previous.sorted fwlist-$(KVNAME).sorted
+	@echo "done, no need to rebuild pve-firmware"
+
+
+abi-$(KVNAME): .compile_mark
+	debian/scripts/abi-generate debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/Module.symvers abi-$(KVNAME) $(KVNAME)
+
+.PHONY: abicheck
+abicheck: debian/scripts/abi-check abi-$(KVNAME) abi-prev-* abi-blacklist
+	debian/scripts/abi-check abi-$(KVNAME) abi-prev-* $(SKIPABI)
+
+.PHONY: clean
--- a/debian/rules.d/amd64.mk
+++ b/debian/rules.d/amd64.mk
@ -0,0 +1,5 @@
+KERNEL_BUILD_ARCH	= x86
+KERNEL_HEADER_ARCH	= $(KERNEL_BUILD_ARCH)
+KERNEL_BUILD_IMAGE	= bzImage
+KERNEL_IMAGE_PATH	= arch/$(KERNEL_BUILD_ARCH)/boot/${KERNEL_BUILD_IMAGE}
+KERNEL_INSTALL_FILE	= vmlinuz
--- a/debian/scripts/abi-check
+++ b/debian/scripts/abi-check
@ -0,0 +1,210 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+my $abinew = shift;
+my $abiold = shift;
+my $skipabi = shift;
+
+# to catch multiple abi-prev-* files being passed in
+die "invalid value '$skipabi' for skipabi parameter\n" if defined($skipabi) && $skipabi !~ /^[01]$/;
+
+$abinew =~ /abi-(.*)/;
+my $abistr = $1;
+$abiold =~ /abi-prev-(.*)/;
+my $prev_abistr = $1;
+
+my $fail_exit = 1;
+my $EE = "EE:";
+my $errors = 0;
+my $abiskip = 0;
+
+my $count;
+
+print "II: Checking ABI...\n";
+
+if ($skipabi) {
+    print "WW: Explicitly asked to ignore ABI, running in no-fail mode\n";
+    $fail_exit = 0;
+    $abiskip = 1;
+    $EE = "WW:";
+}
+
+if ($prev_abistr ne $abistr) {
+    print "II: Different ABI's, running in no-fail mode\n";
+    $fail_exit = 0;
+    $EE = "WW:";
+}
+
+if (not -f "$abinew" or not -f "$abiold") {
+    print "EE: Previous or current ABI file missing!\n";
+    print "    $abinew\n" if not -f "$abinew";
+    print "    $abiold\n" if not -f "$abiold";
+
+    # Exit if the ABI files are missing, but return status based on whether
+    # skip ABI was indicated.
+    if ("$abiskip" eq "1") {
+	exit(0);
+    } else {
+	exit(1);
+    }
+}
+
+my %symbols;
+my %symbols_ignore;
+my %modules_ignore;
+my %module_syms;
+
+# See if we have any ignores
+my $ignore = 0;
+print "    Reading symbols/modules to ignore...";
+
+for my $file ("abi-blacklist") {
+    next if !-f $file;
+    open(my $IGNORE_FH, '<', $file) or die "Could not open $file - $!";
+
+    while (<$IGNORE_FH>) {
+	chomp;
+	if ($_ =~ m/M: (.*)/) {
+	    $modules_ignore{$1} = 1;
+	} else {
+	    $symbols_ignore{$_} = 1;
+	}
+	$ignore++;
+    }
+    close($IGNORE_FH);
+}
+print "read $ignore symbols/modules.\n";
+
+sub is_ignored($$) {
+    my ($mod, $sym) = @_;
+
+    die "Missing module name in is_ignored()" if not defined($mod);
+    die "Missing symbol name in is_ignored()" if not defined($sym);
+
+    if (defined($symbols_ignore{$sym}) or defined($modules_ignore{$mod})) {
+	return 1;
+    }
+    return 0;
+}
+
+# Read new syms first
+print "    Reading new symbols ($abistr)...";
+$count = 0;
+open(my $NEW_FH, '<', $abinew) or die "Could not open $abinew - $!";
+while (<$NEW_FH>) {
+    chomp;
+    m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
+    $symbols{$4}{'type'} = $1;
+    $symbols{$4}{'loc'} = $2;
+    $symbols{$4}{'hash'} = $3;
+    $module_syms{$2} = 0;
+    $count++;
+}
+close($NEW_FH);
+print "read $count symbols.\n";
+
+# Now the old symbols, checking for missing ones
+print "    Reading old symbols...";
+$count = 0;
+open(my $OLD_FH, '<', $abiold) or die "Could not open $abiold - $!";
+while (<$OLD_FH>) {
+    chomp;
+    m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
+    $symbols{$4}{'old_type'} = $1;
+    $symbols{$4}{'old_loc'} = $2;
+    $symbols{$4}{'old_hash'} = $3;
+    $count++;
+}
+close($OLD_FH);
+
+print "read $count symbols.\n";
+
+print "II: Checking for missing symbols in new ABI...";
+$count = 0;
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'type'})) {
+	print "\n" if not $count;
+	printf("    MISS : %s%s\n", $sym, is_ignored($symbols{$sym}{'old_loc'}, $sym) ? " (ignored)" : "");
+	$count++ if !is_ignored($symbols{$sym}{'old_loc'}, $sym);
+    }
+}
+print "    " if $count;
+print "found $count missing symbols\n";
+if ($count) {
+    print "$EE Symbols gone missing (what did you do!?!)\n";
+    $errors++;
+}
+
+
+print "II: Checking for new symbols in new ABI...";
+$count = 0;
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'old_type'})) {
+	print "\n" if not $count;
+	print "    NEW : $sym\n";
+	$count++;
+    }
+}
+print "    " if $count;
+print "found $count new symbols\n";
+if ($count) {
+    print "WW: Found new symbols. Not recommended unless ABI was bumped\n";
+}
+
+print "II: Checking for changes to ABI...\n";
+$count = 0;
+my $moved = 0;
+my $changed_type = 0;
+my $changed_hash = 0;
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'old_type'}) or !defined($symbols{$sym}{'type'})) {
+	next;
+    }
+
+    # Changes in location don't hurt us, but log it anyway
+    if ($symbols{$sym}{'loc'} ne $symbols{$sym}{'old_loc'}) {
+	printf("    MOVE : %-40s : %s => %s\n", $sym, $symbols{$sym}{'old_loc'}, $symbols{$sym}{'loc'});
+	$moved++;
+    }
+
+    # Changes to export type are only bad if new type isn't
+    # EXPORT_SYMBOL. Changing things to GPL are bad.
+    if ($symbols{$sym}{'type'} ne $symbols{$sym}{'old_type'}) {
+	printf("    TYPE : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_type'}.
+	    $symbols{$sym}{'type'}, is_ignored($symbols{$sym}{'loc'}, $sym)
+	    ? " (ignored)" : "");
+	$changed_type++ if $symbols{$sym}{'type'} ne "EXPORT_SYMBOL" and !is_ignored($symbols{$sym}{'loc'}, $sym);
+    }
+
+    # Changes to the hash are always bad
+    if ($symbols{$sym}{'hash'} ne $symbols{$sym}{'old_hash'}) {
+	printf("    HASH : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_hash'},
+	    $symbols{$sym}{'hash'}, is_ignored($symbols{$sym}{'loc'}, $sym)
+	    ? " (ignored)" : "");
+	$changed_hash++ if !is_ignored($symbols{$sym}{'loc'}, $sym);
+	$module_syms{$symbols{$sym}{'loc'}}++;
+    }
+}
+
+print "WW: $moved symbols changed location\n" if $moved;
+print "$EE $changed_type symbols changed export type and weren't ignored\n" if $changed_type;
+print "$EE $changed_hash symbols changed hash and weren't ignored\n" if $changed_hash;
+
+$errors++ if $changed_hash or $changed_type;
+if ($changed_hash) {
+    print "II: Module hash change summary...\n";
+    for my $mod (sort { $module_syms{$b} <=> $module_syms{$a} } keys %module_syms) {
+	next if ! $module_syms{$mod};
+	printf("    %-40s: %d\n", $mod, $module_syms{$mod});
+    }
+}
+
+print "II: Done\n";
+
+if ($errors) {
+    exit($fail_exit);
+} else {
+    exit(0);
+}
--- a/debian/scripts/abi-generate
+++ b/debian/scripts/abi-generate
@ -0,0 +1,45 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use PVE::Tools ();
+
+use IO::File ();
+
+sub usage {
+    die "USAGE: $0 INFILE OUTFILE [ABI INFILE-IS-DEB]\n";
+}
+
+my $input_file = shift // usage();
+my $output_file = shift // usage();
+my $abi = shift;
+my $extract_deb = shift;
+
+die "input file '$input_file' does not exist\n" if ! -e $input_file;
+
+my $modules_symver_fh;
+
+if ($extract_deb) {
+	usage() if !defined($abi);
+	my $cmd = [];
+	push @$cmd, ['dpkg', '--fsys-tarfile', $input_file];
+	push @$cmd, ['tar', '-xOf', '-', "./usr/src/linux-headers-${abi}/Module.symvers"];
+	$modules_symver_fh = IO::File->new_tmpfile();
+	PVE::Tools::run_command($cmd, output => '>&'.fileno($modules_symver_fh));
+	seek($modules_symver_fh, 0, 0);
+} else {
+	open($modules_symver_fh, '<', $input_file) or die "can't open '$input_file' - $!\n";
+}
+
+my $lines = [];
+while(my $line = <$modules_symver_fh>) {
+	if ($line =~ /^(.+)\s+(.+)\s+(.+)$/) {
+		push @$lines, "$3 $2 $1";
+	} else {
+		warn "malformed symvers line: '$line'\n";
+	}
+}
+close($modules_symver_fh);
+
+PVE::Tools::file_set_contents($output_file, join("\n", sort @$lines));
--- a/debian/scripts/export-patchqueue
+++ b/debian/scripts/export-patchqueue
@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+top=$(pwd)
+
+if [ "$#" -ne 3 ]; then
+    echo "USAGE: $0 repo patchdir ref"
+    printf "\t exports patches from 'repo' to 'patchdir' based on 'ref'\n"
+    exit 1
+fi
+
+# parameters
+kernel_submodule=$1
+kernel_patchdir=$2
+base_ref=$3
+
+cd "${kernel_submodule}"
+echo "clearing old exported patchqueue"
+rm -f "${top}/${kernel_patchdir}"/*.patch
+echo "exporting patchqueue using 'git format-patch [...] ${base_ref}.."
+git format-patch \
+    --quiet \
+    --no-numbered \
+    --no-cover-letter \
+    --zero-commit \
+    --no-signature \
+    --diff-algorithm=myers \
+    --output-directory="${top}/${kernel_patchdir}" \
+    "${base_ref}.."
+
+git checkout "${base_ref}"
+
+cd "${top}"
--- a/debian/scripts/find-firmware.pl
+++ b/debian/scripts/find-firmware.pl
@ -0,0 +1,33 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+my $dir = shift;
+
+die "no directory to scan" if !$dir;
+
+die "no such directory" if ! -d $dir;
+
+warn "\n\nNOTE: strange directory name: $dir\n\n" if $dir !~ m|^(.*/)?(\d+.\d+.\d+\-\d+\-pve)(/+)?$|;
+
+my $apiver = $2;
+
+open(my $FIND_KO_FH, "find '$dir' -name '*.ko'|");
+while (defined(my $fn = <$FIND_KO_FH>)) {
+    chomp $fn;
+    my $relfn = $fn;
+    $relfn =~ s|^$dir/*||;
+
+    my $cmd = "/sbin/modinfo -F firmware '$fn'";
+    open(my $MOD_FH, "$cmd|");
+    while (defined(my $fw = <$MOD_FH>)) {
+	chomp $fw;
+	print "$fw $relfn\n";
+    }
+    close($MOD_FH);
+
+}
+close($FIND_KO_FH);
+
+exit 0;
--- a/debian/scripts/import-patchqueue
+++ b/debian/scripts/import-patchqueue
@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+top=$(pwd)
+
+if [[ "$#" -lt 2 || "$#" -gt 3 ]]; then
+    echo "USAGE: $0 repo patchdir [branch]"
+    echo "\t imports patches from 'patchdir' into patchqueue branch 'branch' in 'repo'"
+    exit 1
+fi
+
+
+# parameters
+kernel_submodule=$1
+kernel_patchdir=$2
+if [[ -z "$3" ]]; then
+    pq_branch='pq'
+else
+    pq_branch=$3
+fi
+
+cd "${kernel_submodule}"
+echo "creating patchqeueue branch '${pq_branch}'"
+git checkout -b "${pq_branch}"
+echo "importing patches from '${kernel_patchdir}'"
+git am "${top}/${kernel_patchdir}"/*.patch
+
+cd "${top}"
--- a/debian/scripts/import-upstream-tag
+++ b/debian/scripts/import-upstream-tag
@ -0,0 +1,119 @@
+#!/bin/bash
+
+set -e
+
+top=$(pwd)
+
+# parameters
+kernel_submodule=
+kernel_patchdir=
+new_tag=
+rebase=
+
+# generated based on new_tag
+pq_branch=
+# previously checked out in submodule
+old_ref=
+
+function cleanup_pq_branch {
+    if [[ -n $pq_branch ]]; then
+	echo "cleaning up PQ branch '$pq_branch'"
+	cd "${top}/${kernel_submodule}"
+	git checkout --quiet $old_ref
+	git reset --hard
+	git branch -D "$pq_branch"
+    fi
+}
+
+function error_exit {
+    echo "$1"
+    set +e
+
+    cleanup_pq_branch
+
+    cd "${top}"
+
+    exit 1
+}
+
+if [[ "$#" -lt 3 || "$#" -gt 4 ]]; then
+    echo "USAGE: $0 submodule patchdir tag [rebase]"
+    echo "\t fetches and checks out 'tag' in 'submodule'"
+    echo "\t if 'rebase' is given, imports, rebases and exports patchqueue from 'patchdir' as well"
+    exit 1
+fi
+
+kernel_submodule=$1
+if [ ! -d "${kernel_submodule}" ]; then
+    error_exit "'${kernel_submodule}' must be a directory!"
+fi
+
+kernel_patchdir=$2
+if [ ! -d "${kernel_patchdir}" ]; then
+    error_exit "'${kernel_patchdir}' must be a directory!"
+fi
+
+new_tag=$3
+rebase=$4
+
+if [[ -n $(git status --untracked-files=no --porcelain) ]]; then
+    error_exit "working directory unclean, aborting"
+fi
+
+
+cd "${kernel_submodule}"
+## check for tag and fetch if needed
+echo "checking for tag '${new_tag}'"
+if [[ -z $(git tag -l "${new_tag}") ]]; then
+    echo "tag not found, fetching and retrying"
+    git fetch --tags
+fi
+if [[ -z $(git tag -l "${new_tag}") ]]; then
+    error_exit "tag not found, aborting"
+fi
+echo "tag found"
+cd "${top}"
+
+if [[ -n "$rebase" ]]; then
+    echo ""
+    echo "automatic patchqueue rebase enabled"
+    cd "${kernel_submodule}"
+    ## preparing patch queue branch
+    old_ref=$(git rev-parse HEAD)
+    pq_branch="auto_pq/${new_tag}"
+    cd "${top}"
+
+    echo "previous HEAD: ${old_ref}"
+
+    echo ""
+    "${top}/debian/scripts/import-patchqueue" "${kernel_submodule}" "${kernel_patchdir}" "${pq_branch}" || error_exit "failed to import patchqueue"
+
+    cd "${kernel_submodule}"
+    ## rebase patches
+    echo ""
+    echo "rebasing patchqueue on top of '${new_tag}'"
+    git rebase "${new_tag}"
+    cd "${top}"
+
+    ## regenerate exported patch queue
+    echo ""
+    "${top}/debian/scripts/export-patchqueue" "${kernel_submodule}" "${kernel_patchdir}" "${new_tag}" || error_exit "failed to export patchqueue"
+
+    cleanup_pq_branch
+    cd "${top}"
+    pq_branch=
+fi
+
+cd "${kernel_submodule}"
+echo ""
+echo "checking out '${new_tag}' in submodule"
+git checkout --quiet "${new_tag}"
+cd "${top}"
+
+echo ""
+echo "committing results"
+git commit --verbose -s -m "update sources to ${new_tag}" -m "(generated with debian/scripts/import-upstream-tag)" "${kernel_submodule}"
+if [[ -n "$rebase" ]]; then
+    git add "${kernel_patchdir}"
+    git commit --verbose -s -m "rebase patches on top of ${new_tag}" -m "(generated with debian/scripts/import-upstream-tag)" "${kernel_patchdir}"
+fi
--- a/debian/signing-template/control.in
+++ b/debian/signing-template/control.in
@ -0,0 +1,25 @@
+Source: proxmox-kernel-signed-@KVMAJMIN@
+Section: kernel
+Priority: optional
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Standards-Version: 4.2.0
+Build-Depends: debhelper-compat (= 12), dh-exec, python3:any, rsync, sbsigntool, proxmox-kernel-@KVNAME@ (= @UNSIGNED_VERSION@)
+Rules-Requires-Root: no
+Vcs-Git: git://git.proxmox.com/git/pve-kernel
+Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
+
+Package: proxmox-kernel-@KVNAME@-signed
+Section: admin
+Priority: optional
+Architecture: any
+Provides: linux-image-@KVNAME@-amd64, proxmox-kernel-@KVNAME@
+Depends: ${unsigned:Depends}, ${misc:Depends}
+Recommends: ${unsigned:Recommends}
+Suggests: ${unsigned:Suggests}
+Breaks: ${unsigned:Breaks}
+Conflicts: proxmox-kernel-@KVNAME@
+Replaces: proxmox-kernel-@KVNAME@
+Description: ${unsigned:DescriptionShort} (signed)
+ ${unsigned:DescriptionLong}
+ .
+ This package contains the kernel image signed by the Proxmox Secure Boot CA.
--- a/debian/signing-template/files.json.in
+++ b/debian/signing-template/files.json.in
@ -0,0 +1,13 @@
+{
+	"packages": {
+		"proxmox-kernel-@KVNAME@": {
+			"trusted_certs": [],
+			"files": [
+				{
+					"sig_type": "efi",
+					"file": "boot/vmlinuz-@KVNAME@"
+				}
+			]
+		}
+	}
+}
--- a/debian/signing-template/rules.in
+++ b/debian/signing-template/rules.in
@ -0,0 +1,58 @@
+#!/usr/bin/make -f
+
+SHELL := bash -e
+
+export DH_OPTIONS
+
+include /usr/share/dpkg/architecture.mk
+
+KERNEL_VERSION=@KVNAME@
+IMAGE_PACKAGE_NAME=proxmox-kernel-$(KERNEL_VERSION)
+PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed
+PACKAGE_VERSION=@PKG_VERSION@
+PACKAGE_DIR=debian/$(PACKAGE_NAME)
+SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME}
+
+build: build-arch build-indep
+build-arch:
+build-indep:
+
+clean:
+	dh_testdir
+	dh_clean
+
+binary: binary-arch binary-indep
+binary-arch:
+	dh_testdir
+	mkdir -p $(PACKAGE_DIR)/boot
+	rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/
+	if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+		sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+			$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+	else \
+		echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \
+		false; \
+	fi
+	mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+	rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
+	mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/
+	cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/
+	dh_install
+	dh_installchangelogs
+	dh_installdocs -A debian/copyright debian/SOURCE
+	dh_lintian
+	dh_compress
+	dh_fixperms
+	dh_installdeb
+	# Copy most package relations and description from unsigned package
+	for field in Depends Suggests Recommends Breaks; do \
+		echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
+	done
+	echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
+	echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
+	dh_gencontrol -- -v$(PACKAGE_VERSION)
+	dh_md5sums
+	dh_builddeb
+binary-indep:
+
+.PHONY: build build-arch build-indep clean binary binary-arch binary-indep
--- a/debian/signing-template/source/format
+++ b/debian/signing-template/source/format
@ -0,0 +1 @@
+3.0 (native)
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@ -0,0 +1,2 @@
+debian-control-has-dbgsym-package (in section for proxmox-kernel-*-pve-dbgsym) Package [debian/control:*]
+license-problem-gfdl-invariants invariant part is: with the :ref:`invariant sections <fdl-invariant>` being list their titles, with the :ref:`front-cover texts <fdl-cover-texts>` being list, and with the :ref:`back-cover texts <fdl-cover-texts>` being list [ubuntu-kernel/Documentation/userspace-api/media/fdl-appendix.rst]
--- a/e1000e-3.3.5.3.tar.gz
+++ b/e1000e-3.3.5.3.tar.gz
--- a/e1000e_4.10_compat.patch
+++ b/e1000e_4.10_compat.patch
@ -1,81 +0,0 @@
- src/{netdev.c.orig => netdev.c} | 18 +++++++++---------
- src/{ptp.c.orig => ptp.c} | 4 ++--
- 2 files changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/src/netdev.c.orig b/src/netdev.c
-index 73b0f9a..480265b 100644
--- a/src/netdev.c.orig
-+++ b/src/netdev.c
-@@ -4833,24 +4833,24 @@ void e1000e_reinit_locked(struct e1000_adapter *adapter)
- /**
-  * e1000e_sanitize_systim - sanitize raw cycle counter reads
-  * @hw: pointer to the HW structure
- * @systim: cycle_t value read, sanitized and returned
-+ * @systim: u64 value read, sanitized and returned
-  *
-  * Errata for 82574/82583 possible bad bits read from SYSTIMH/L:
-  * check to see that the time is incrementing at a reasonable
-  * rate and is a multiple of incvalue.
-  **/
-static cycle_t e1000e_sanitize_systim(struct e1000_hw *hw, cycle_t systim)
-+static u64 e1000e_sanitize_systim(struct e1000_hw *hw, u64 systim)
- {
- 	u64 time_delta, rem, temp;
-	cycle_t systim_next;
-+	u64 systim_next;
- 	u32 incvalue;
- 	int i;
- 
- 	incvalue = er32(TIMINCA) & E1000_TIMINCA_INCVALUE_MASK;
- 	for (i = 0; i < E1000_MAX_82574_SYSTIM_REREADS; i++) {
- 		/* latch SYSTIMH on read of SYSTIML */
-		systim_next = (cycle_t)er32(SYSTIML);
-		systim_next |= (cycle_t)er32(SYSTIMH) << 32;
-+		systim_next = (u64)er32(SYSTIML);
-+		systim_next |= (u64)er32(SYSTIMH) << 32;
- 
- 		time_delta = systim_next - systim;
- 		temp = time_delta;
-@@ -4872,13 +4872,13 @@ static cycle_t e1000e_sanitize_systim(struct e1000_hw *hw, cycle_t systim)
-  * e1000e_cyclecounter_read - read raw cycle counter (used by time counter)
-  * @cc: cyclecounter structure
-  **/
-static cycle_t e1000e_cyclecounter_read(const struct cyclecounter *cc)
-+static u64 e1000e_cyclecounter_read(const struct cyclecounter *cc)
- {
- 	struct e1000_adapter *adapter = container_of(cc, struct e1000_adapter,
- 						     cc);
- 	struct e1000_hw *hw = &adapter->hw;
- 	u32 systimel, systimeh;
-	cycle_t systim;
-+	u64 systim;
- 	/* SYSTIMH latching upon SYSTIML read does not work well.
- 	 * This means that if SYSTIML overflows after we read it but before
- 	 * we read SYSTIMH, the value of SYSTIMH has been incremented and we
-@@ -4899,8 +4899,8 @@ static cycle_t e1000e_cyclecounter_read(const struct cyclecounter *cc)
- 			systimel = systimel_2;
- 		}
- 	}
-	systim = (cycle_t)systimel;
-	systim |= (cycle_t)systimeh << 32;
-+	systim = (u64)systimel;
-+	systim |= (u64)systimeh << 32;
- 
- 	if (adapter->flags2 & FLAG2_CHECK_SYSTIM_OVERFLOW)
- 		systim = e1000e_sanitize_systim(hw, systim);
-
-diff --git a/src/ptp.c.orig b/src/ptp.c
-index 00c419f..228adce 100644
--- a/src/ptp.c.orig
-+++ b/src/ptp.c
-@@ -136,8 +136,8 @@ static int e1000e_phc_get_syncdevicetime(ktime_t * device,
- 	unsigned long flags;
- 	int i;
- 	u32 tsync_ctrl;
-	cycle_t dev_cycles;
-	cycle_t sys_cycles;
-+	u64 dev_cycles;
-+	u64 sys_cycles;
- 
- 	tsync_ctrl = er32(TSYNCTXCTL);
- 	tsync_ctrl |= E1000_TSYNCTXCTL_START_SYNC |
--- a/e1000e_4.10_max-mtu.patch
+++ b/e1000e_4.10_max-mtu.patch
@ -1,37 +0,0 @@
-diff --git a/src/netdev.c b/src/netdev.c
-index 73b0f9a..aef1bc2 100644
--- a/src/netdev.c
-+++ b/src/netdev.c
-@@ -6724,19 +6724,12 @@ static int e1000_change_mtu(struct net_device *netdev, int new_mtu)
- 	int max_frame = new_mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
- 
- 	/* Jumbo frame support */
-	if ((max_frame > (VLAN_ETH_FRAME_LEN + ETH_FCS_LEN)) &&
-+	if ((new_mtu > ETH_DATA_LEN) &&
- 	    !(adapter->flags & FLAG_HAS_JUMBO_FRAMES)) {
- 		e_err("Jumbo Frames not supported.\n");
- 		return -EINVAL;
- 	}
- 
-	/* Supported frame sizes */
-	if ((new_mtu < (VLAN_ETH_ZLEN + ETH_FCS_LEN)) ||
-	    (max_frame > adapter->max_hw_frame_size)) {
-		e_err("Unsupported MTU setting\n");
-		return -EINVAL;
-	}
-
- 	/* Jumbo frame workaround on 82579 and newer requires CRC be stripped */
- 	if ((adapter->hw.mac.type >= e1000_pch2lan) &&
- 	    !(adapter->flags2 & FLAG2_CRC_STRIPPING) &&
-@@ -8262,6 +8255,11 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
- #endif /* HAVE_NETDEV_VLAN_FEATURES */
- 	}
- 
-+	/* MTU range: 68 - max_hw_frame_size */
-+	netdev->min_mtu = ETH_MIN_MTU;
-+	netdev->max_mtu = adapter->max_hw_frame_size -
-+	                  (VLAN_ETH_HLEN + ETH_FCS_LEN);
-+
- 	if (e1000e_enable_mng_pass_thru(&adapter->hw))
- 		adapter->flags |= FLAG_MNG_PT_ENABLED;
- 
--- a/find-firmware.pl
+++ b/find-firmware.pl
@ -1,32 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-
-my $dir = shift;
-
-die "no directory to scan" if !$dir;
-
-die "no such directory" if ! -d $dir;
-
-die "strange directory name" if $dir !~ m|^(.*/)?(4.10.\d+\-\d+\-pve)(/+)?$|;
-
-my $apiver = $2;
-
-open(TMP, "find '$dir' -name '*.ko'|");
-while (defined(my $fn = <TMP>)) {
-    chomp $fn;
-    my $relfn = $fn;
-    $relfn =~ s|^$dir/*||;
-
-    my $cmd = "/sbin/modinfo -F firmware '$fn'";
-    open(MOD, "$cmd|");
-    while (defined(my $fw = <MOD>)) {
-	chomp $fw;
-	print "$fw $relfn\n";
-    }
-    close(MOD);
-
-}
-close TMP;
-
-exit 0;
--- a/3449
+++ b/3449
--- a/headers-control.in
+++ b/headers-control.in
@ -1,10 +0,0 @@
-Package: pve-headers-@KVNAME@
-Version: @KERNEL_VER@-@PKGREL@
-Section: devel
-Priority: optional
-Architecture: @ARCH@
-Provides: linux-headers, linux-headers-2.6
-Depends: coreutils | fileutils (>= 4.0)
-Maintainer: Proxmox Support Team <support@proxmox.com>
-Description: The Proxmox PVE Kernel Headers
- This package contains the linux kernel headers
--- a/igb-5.3.5.4.tar.gz
+++ b/igb-5.3.5.4.tar.gz
--- a/igb_4.10_compat.patch
+++ b/igb_4.10_compat.patch
@ -1,25 +0,0 @@
- src/{igb_ptp.c.orig => igb_ptp.c} | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/igb_ptp.c.orig b/src/igb_ptp.c
-index 744fa65..f334ac7 100644
--- a/src/igb_ptp.c.orig
-+++ b/src/igb_ptp.c
-@@ -93,7 +93,7 @@
-  * SYSTIM read access for the 82576
-  */
- 
-static cycle_t igb_ptp_read_82576(const struct cyclecounter *cc)
-+static u64 igb_ptp_read_82576(const struct cyclecounter *cc)
- {
- 	struct igb_adapter *igb = container_of(cc, struct igb_adapter, cc);
- 	struct e1000_hw *hw = &igb->hw;
-@@ -113,7 +113,7 @@ static cycle_t igb_ptp_read_82576(const struct cyclecounter *cc)
-  * SYSTIM read access for the 82580
-  */
- 
-static cycle_t igb_ptp_read_82580(const struct cyclecounter *cc)
-+static u64 igb_ptp_read_82580(const struct cyclecounter *cc)
- {
- 	struct igb_adapter *igb = container_of(cc, struct igb_adapter, cc);
- 	struct e1000_hw *hw = &igb->hw;
--- a/igb_4.10_max-mtu.patch
+++ b/igb_4.10_max-mtu.patch
@ -1,47 +0,0 @@
-diff --git a/src/e1000_defines.h b/src/e1000_defines.h
-index 6de3988..d58e12f 100644
--- a/src/e1000_defines.h
-+++ b/src/e1000_defines.h
-@@ -423,7 +423,8 @@
- #define ETHERNET_IEEE_VLAN_TYPE		0x8100  /* 802.3ac packet */
- 
- #define ETHERNET_FCS_SIZE		4
-#define MAX_JUMBO_FRAME_SIZE		0x3F00
-+#define MAX_JUMBO_FRAME_SIZE		0x2600
-+#define MAX_STD_JUMBO_FRAME_SIZE	9216
- /* The datasheet maximum supported RX size is 9.5KB (9728 bytes) */
- #define MAX_RX_JUMBO_FRAME_SIZE		0x2600
- #define E1000_TX_PTR_GAP		0x1F
-diff --git a/src/igb_main.c b/src/igb_main.c
-index 2dff0f4..bbfe87e 100644
--- a/src/igb_main.c
-+++ b/src/igb_main.c
-@@ -2852,6 +2852,10 @@ static int igb_probe(struct pci_dev *pdev,
- 	if (pci_using_dac)
- 		netdev->features |= NETIF_F_HIGHDMA;
- 
-+	/* MTU range: 68 - 9216 */
-+	netdev->min_mtu = ETH_MIN_MTU;
-+	netdev->max_mtu = MAX_STD_JUMBO_FRAME_SIZE;
-+
- 	adapter->en_mng_pt = e1000_enable_mng_pass_thru(hw);
- #ifdef DEBUG
- 	if (adapter->dmac != IGB_DMAC_DISABLE)
-@@ -5832,17 +5836,6 @@ static int igb_change_mtu(struct net_device *netdev, int new_mtu)
- 	struct pci_dev *pdev = adapter->pdev;
- 	int max_frame = new_mtu + ETH_HLEN + ETH_FCS_LEN + VLAN_HLEN;
- 
-	if ((new_mtu < 68) || (max_frame > MAX_JUMBO_FRAME_SIZE)) {
-		dev_err(pci_dev_to_dev(pdev), "Invalid MTU setting\n");
-		return -EINVAL;
-	}
-
-#define MAX_STD_JUMBO_FRAME_SIZE 9238
-	if (max_frame > MAX_STD_JUMBO_FRAME_SIZE) {
-		dev_err(pci_dev_to_dev(pdev), "MTU > 9216 not supported.\n");
-		return -EINVAL;
-	}
-
- 	/* adjust max frame to be at least the size of a standard frame */
- 	if (max_frame < (ETH_FRAME_LEN + ETH_FCS_LEN))
- 		max_frame = ETH_FRAME_LEN + ETH_FCS_LEN;
--- a/igb_4.9_compat.patch
+++ b/igb_4.9_compat.patch
@ -1,95 +0,0 @@
-From 6445198f802d993c73f4b246353b2ceb2dfafc32 Mon Sep 17 00:00:00 2001
-From: Ferruh Yigit <ferruh.yigit@intel.com>
-Date: Mon, 17 Oct 2016 11:23:14 +0100
-Subject: kni: fix build with kernel 4.9
-
-compile error:
-  CC [M]  .../lib/librte_eal/linuxapp/kni/igb_main.o
-.../lib/librte_eal/linuxapp/kni/igb_main.c:2317:21:
-error: initialization from incompatible pointer type
-	[-Werror=incompatible-pointer-types]
-  .ndo_set_vf_vlan = igb_ndo_set_vf_vlan,
-                     ^~~~~~~~~~~~~~~~~~~
-
-Linux kernel 4.9 updates API for ndo_set_vf_vlan:
-Linux: 79aab093a0b5 ("net: Update API for VF vlan protocol 802.1ad support")
-
-Use new API for Linux kernels >= 4.9
-
-Signed-off-by: Ferruh Yigit <ferruh.yigit@intel.com>
-Tested-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
---
- src/igb_main.c | 19 +++++++++++++++++++
- src/kcompat.h  |  4 ++++
- 2 files changed, 23 insertions(+)
-
-diff --git a/src/igb_main.c b/src/igb_main.c
-index 23e2d64..f4dca5a 100644
--- a/src/igb_main.c
-+++ b/src/igb_main.c
-@@ -195,7 +195,11 @@ static void igb_process_mdd_event(struct igb_adapter *);
- #ifdef IFLA_VF_MAX
- static int igb_ndo_set_vf_mac( struct net_device *netdev, int vf, u8 *mac);
- static int igb_ndo_set_vf_vlan(struct net_device *netdev,
-+#ifdef HAVE_VF_VLAN_PROTO
-+			       int vf, u16 vlan, u8 qos, __be16 vlan_proto);
-+#else
- 			       int vf, u16 vlan, u8 qos);
-+#endif
- #ifdef HAVE_VF_SPOOFCHK_CONFIGURE
- static int igb_ndo_set_vf_spoofchk(struct net_device *netdev, int vf,
- 				bool setting);
-@@ -6412,7 +6416,11 @@ static void igb_set_vmvir(struct igb_adapter *adapter, u32 vid, u32 vf)
- }
- 
- static int igb_ndo_set_vf_vlan(struct net_device *netdev,
-+#ifdef HAVE_VF_VLAN_PROTO
-+			       int vf, u16 vlan, u8 qos, __be16 vlan_proto)
-+#else
- 			       int vf, u16 vlan, u8 qos)
-+#endif
- {
- 	int err = 0;
- 	struct igb_adapter *adapter = netdev_priv(netdev);
-@@ -6420,6 +6428,12 @@ static int igb_ndo_set_vf_vlan(struct net_device *netdev,
- 	/* VLAN IDs accepted range 0-4094 */
- 	if ((vf >= adapter->vfs_allocated_count) || (vlan > VLAN_VID_MASK-1) || (qos > 7))
- 		return -EINVAL;
-+
-+#ifdef HAVE_VF_VLAN_PROTO
-+	if (vlan_proto != htons(ETH_P_8021Q))
-+		return -EPROTONOSUPPORT;
-+#endif
-+
- 	if (vlan || qos) {
- 		err = igb_vlvf_set(adapter, vlan, !!vlan, vf);
- 		if (err)
-@@ -6580,7 +6594,12 @@ static inline void igb_vf_reset(struct igb_adapter *adapter, u32 vf)
- 	if (adapter->vf_data[vf].pf_vlan)
- 		igb_ndo_set_vf_vlan(adapter->netdev, vf,
- 				    adapter->vf_data[vf].pf_vlan,
-+#ifdef HAVE_VF_VLAN_PROTO
-+				    adapter->vf_data[vf].pf_qos,
-+				    htons(ETH_P_8021Q));
-+#else
- 				    adapter->vf_data[vf].pf_qos);
-+#endif
- 	else
- 		igb_clear_vf_vfta(adapter, vf);
- #endif
-diff --git a/src/kcompat.h b/src/kcompat.h
-index 69e0e7a..84826b2 100644
--- a/src/kcompat.h
-+++ b/src/kcompat.h
-@@ -3929,4 +3929,8 @@ skb_set_hash(struct sk_buff *skb, __u32 hash, __always_unused int type)
- #define vlan_tx_tag_present skb_vlan_tag_present
- #endif
- 
-+#if ( LINUX_VERSION_CODE >= KERNEL_VERSION(4,9,0) )
-+#define HAVE_VF_VLAN_PROTO
-+#endif /* >= 4.9.0 */
-+
- #endif /* _KCOMPAT_H_ */
-- 
-cgit v1.0
-
--- a/intel-module-gcc6-compat.patch
+++ b/intel-module-gcc6-compat.patch
@ -1,18 +0,0 @@
-diff --git a/src/Makefile.orig b/src/Makefile
-index 8e962f7..50bcdcc 100644
--- a/src/Makefile.orig
-+++ b/src/Makefile
-@@ -123,6 +123,13 @@ ifeq (,$(CC))
-   $(error Compiler not found)
- endif
- 
-+# workaround for GCC6's default PIE
-+ifeq ($(CC),gcc)
-+  PIE_TEST = [ -z "`$(CC) -fno-PIE -no-pie -x c -c /dev/null -o /dev/null 2>&1`" ]
-+  PIE_FLAGS := $(shell $(PIE_TEST) && echo '-fno-PIE -no-pie')
-+  EXTRA_CFLAGS += $(PIE_FLAGS)
-+endif
-+
- # we need to know what platform the driver is being built on
- # some additional features are only built on Intel platforms
- ARCH := $(shell uname -m | sed 's/i.86/i386/')
--- a/ixgbe-5.0.4.tar.gz
+++ b/ixgbe-5.0.4.tar.gz
--- a/ixgbe_4.10_compat.patch
+++ b/ixgbe_4.10_compat.patch
@ -1,25 +0,0 @@
- src/{ixgbe_ptp.c.orig => ixgbe_ptp.c} | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/ixgbe_ptp.c.orig b/src/ixgbe_ptp.c
-index fb832f0..b868c68 100644
--- a/src/ixgbe_ptp.c.orig
-+++ b/src/ixgbe_ptp.c
-@@ -244,7 +244,7 @@ static void ixgbe_ptp_setup_sdp_X540(struct ixgbe_adapter *adapter)
-  * result of SYSTIME is 32bits of "billions of cycles" and 32 bits of
-  * "cycles", rather than seconds and nanoseconds.
-  */
-static cycle_t ixgbe_ptp_read_X550(const struct cyclecounter *hw_cc) {
-+static u64 ixgbe_ptp_read_X550(const struct cyclecounter *hw_cc) {
- 	struct ixgbe_adapter *adapter =
- 		container_of(hw_cc, struct ixgbe_adapter, hw_cc);
- 	struct ixgbe_hw *hw = &adapter->hw;
-@@ -280,7 +280,7 @@ static cycle_t ixgbe_ptp_read_X550(const struct cyclecounter *hw_cc) {
-  * cyclecounter structure used to construct a ns counter from the
-  * arbitrary fixed point registers
-  */
-static cycle_t ixgbe_ptp_read_82599(const struct cyclecounter *hw_cc)
-+static u64 ixgbe_ptp_read_82599(const struct cyclecounter *hw_cc)
- {
- 	struct ixgbe_adapter *adapter =
- 		container_of(hw_cc, struct ixgbe_adapter, hw_cc);
--- a/ixgbe_4.10_max-mtu.patch
+++ b/ixgbe_4.10_max-mtu.patch
@ -1,37 +0,0 @@
-diff --git a/src/ixgbe_main.c b/src/ixgbe_main.c
-index 83c6250..fe226cd 100644
--- a/src/ixgbe_main.c
-+++ b/src/ixgbe_main.c
-@@ -6379,11 +6379,6 @@ static void ixgbe_free_all_rx_resources(struct ixgbe_adapter *adapter)
- static int ixgbe_change_mtu(struct net_device *netdev, int new_mtu)
- {
- 	struct ixgbe_adapter *adapter = netdev_priv(netdev);
-	int max_frame = new_mtu + ETH_HLEN + ETH_FCS_LEN;
-
-	/* MTU < 68 is an error and causes problems on some kernels */
-	if ((new_mtu < 68) || (max_frame > IXGBE_MAX_JUMBO_FRAME_SIZE))
-		return -EINVAL;
- 
- 	/*
- 	 * For 82599EB we cannot allow legacy VFs to enable their receive
-@@ -6392,7 +6387,7 @@ static int ixgbe_change_mtu(struct net_device *netdev, int new_mtu)
- 	 */
- 	if ((adapter->flags & IXGBE_FLAG_SRIOV_ENABLED) &&
- 	    (adapter->hw.mac.type == ixgbe_mac_82599EB) &&
-	    (max_frame > (ETH_FRAME_LEN + ETH_FCS_LEN)))
-+	    (new_mtu > ETH_DATA_LEN))
- 		e_warn(probe, "Setting MTU > 1500 will disable legacy VFs\n");
- 
- 	e_info(probe, "changing MTU from %d to %d\n", netdev->mtu, new_mtu);
-@@ -10134,6 +10129,11 @@ static int __devinit ixgbe_probe(struct pci_dev *pdev,
- #ifdef IFF_SUPP_NOFCS
- 	netdev->priv_flags |= IFF_SUPP_NOFCS;
- #endif
-+
-+	/* MTU range: 68 - 9710 */
-+	netdev->min_mtu = ETH_MIN_MTU;
-+	netdev->max_mtu = IXGBE_MAX_JUMBO_FRAME_SIZE - (ETH_HLEN + ETH_FCS_LEN);
-+
- #if IS_ENABLED(CONFIG_DCB)
- 	if (adapter->flags & IXGBE_FLAG_DCB_CAPABLE)
- 		netdev->dcbnl_ops = &dcbnl_ops;
--- a/kvm-dynamic-halt-polling-disable-default.patch
+++ b/kvm-dynamic-halt-polling-disable-default.patch
@ -1,12 +0,0 @@
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
--- a/virt/kvm/kvm_main.c 2016-05-12 10:39:37.540387127 +0200
-+++ b/virt/kvm/kvm_main.c 2016-05-04 10:43:38.063996221 +0200
-@@ -75,7 +75,7 @@ static unsigned int halt_poll_ns = KVM_H
- EXPORT_SYMBOL_GPL(halt_poll_ns);
- 
- /* Default doubles per-vcpu halt_poll_ns. */
-unsigned int halt_poll_ns_grow = 2;
-+unsigned int halt_poll_ns_grow = 0;
- module_param(halt_poll_ns_grow, uint, S_IRUGO | S_IWUSR);
- EXPORT_SYMBOL_GPL(halt_poll_ns_grow);
- 
--- a/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch
+++ b/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch
@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 12 May 2015 19:29:22 +0100
+Subject: [PATCH] Make mkcompile_h accept an alternate timestamp string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We want to include the Debian version in the utsname::version string
+instead of a full timestamp string.  However, we still need to provide
+a standard timestamp string for gen_initramfs_list.sh to make the
+kernel image reproducible.
+
+Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
+$KBUILD_BUILD_TIMESTAMP.
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ init/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Makefile b/init/Makefile
+index cbac576c57d6..479b1253fcbe 100644
+--- a/init/Makefile
+++ b/init/Makefile
+@@ -29,7 +29,7 @@ preempt-flag-$(CONFIG_PREEMPT_DYNAMIC)	:= PREEMPT_DYNAMIC
+ preempt-flag-$(CONFIG_PREEMPT_RT)	:= PREEMPT_RT
+ 
+ build-version = $(or $(KBUILD_BUILD_VERSION), $(build-version-auto))
+-build-timestamp = $(or $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+build-timestamp = $(or $(KBUILD_BUILD_VERSION_TIMESTAMP), $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+ 
+ # Maximum length of UTS_VERSION is 64 chars
+ filechk_uts_version = \
--- a/patches/kernel/0002-wireless-Add-Debian-wireless-regdb-certificates.patch
+++ b/patches/kernel/0002-wireless-Add-Debian-wireless-regdb-certificates.patch
--- a/patches/kernel/0003-bridge-keep-MAC-of-first-assigned-port.patch
+++ b/patches/kernel/0003-bridge-keep-MAC-of-first-assigned-port.patch
@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
+Date: Thu, 14 Sep 2017 11:02:18 +0200
+Subject: [PATCH] bridge: keep MAC of first assigned port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+original commit message:
+
+Default bridge changes MAC dynamically using smallest MAC of all
+connected ports (for no real reason). To avoid problems with ARP
+we simply use the MAC of the first connected port.
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ net/bridge/br_stp_if.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
+index 75204d36d7f9..1fb5ff73ec1e 100644
+--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
+@@ -265,10 +265,7 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
+ 		return false;
+ 
+ 	list_for_each_entry(p, &br->port_list, list) {
+-		if (addr == br_mac_zero ||
+-		    memcmp(p->dev->dev_addr, addr, ETH_ALEN) < 0)
+-			addr = p->dev->dev_addr;
+-
+		addr = p->dev->dev_addr;
+ 	}
+ 
+ 	if (ether_addr_equal(br->bridge_id.addr, addr))
--- a/patches/kernel/0004-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
+++ b/patches/kernel/0004-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
@ -1,13 +1,15 @@
-From 866f4c5de45ae13aa590de0d40819a0c38f3f682 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Mark Weiman <mark.weiman@markzz.com>
-Date: Sun, 23 Oct 2016 12:57:37 -0400
-Subject: [PATCH] pci: Enable overrides for missing ACS capabilities (4.8+)
+Date: Wed, 7 Feb 2018 16:04:03 -0500
+Subject: [PATCH] pci: Enable overrides for missing ACS capabilities (4.15)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit

 This an updated version of Alex Williamson's patch from:
 https://lkml.org/lkml/2013/5/30/513

 Original commit message follows:
---
 PCIe ACS (Access Control Services) is the PCIe 2.0+ feature that
 allows us to control whether transactions are allowed to be redirected
 in various subnodes of a PCIe topology.  For instance, if two
@ -45,38 +47,39 @@ specific devices which enforce isolation but not provide an ACS
 capability.  Please contact me to have your devices added and save
 your customers the hassle of this boot option.

-Signed-off-by: Mark Weiman <mark.weiman@markzz.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- Documentation/admin-guide/kernel-parameters.txt |   9 ++++
- drivers/pci/quirks.c                | 101 ++++++++++++++++++++++++++++++++++++
- 2 files changed, 110 insertions(+)
+ .../admin-guide/kernel-parameters.txt         |   9 ++
+ drivers/pci/quirks.c                          | 102 ++++++++++++++++++
+ 2 files changed, 111 insertions(+)

 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index a4f4d69..d68cfab 100644
+index 4272acb3d047..d18cc2c1f9c3 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -2928,6 +2928,15 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
- 		nomsi		[MSI] If the PCI_MSI kernel config parameter is
- 				enabled, this kernel boot option can be used to
- 				disable the use of MSI interrupts system-wide.
+@@ -4400,6 +4400,15 @@
+ 				Also, it enforces the PCI Local Bus spec
+ 				rule that those bits should be 0 in system reset
+ 				events (useful for kexec/kdump cases).
 +		pci_acs_override =
-+					[PCIE] Override missing PCIe ACS support for:
+				[PCIE] Override missing PCIe ACS support for:
 +				downstream
 +					All downstream ports - full ACS capabilities
-+				multfunction
-+					All multifunction devices - multifunction ACS subset
+				multifunction
+					Add multifunction devices - multifunction ACS subset
 +				id:nnnn:nnnn
-+					Specfic device - full ACS capabilities
+					Specific device - full ACS capabilities
 +					Specified as vid:did (vendor/device ID) in hex
 		noioapicquirk	[APIC] Disable all boot interrupt quirks.
 				Safety option to keep boot IRQs enabled. This
 				should never be necessary.
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 44e0ff3..32016cb 100644
+index ce469d84ebae..4f163ef55e7b 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
-@@ -3487,6 +3487,106 @@ static int __init pci_apply_final_quirks(void)
- 
+@@ -287,6 +287,106 @@ static int __init pci_apply_final_quirks(void)
+ }
 fs_initcall_sync(pci_apply_final_quirks);
 
 +static bool acs_on_downstream;
@ -119,7 +122,6 @@ index 44e0ff3..32016cb 100644
 +				goto next;
 +			}
 +			acs_on_ids[max_acs_id].vendor = val;
-+
 +			p += strcspn(p, ":");
 +			if (*p != ':') {
 +				pr_warn("PCIe ACS invalid ID\n");
@ -164,32 +166,31 @@ index 44e0ff3..32016cb 100644
 +				return 1;
 +
 +	switch (pci_pcie_type(dev)) {
-+	case PCI_EXP_TYPE_DOWNSTREAM:
-+	case PCI_EXP_TYPE_ROOT_PORT:
-+		if (acs_on_downstream)
-+			return 1;
-+		break;
-+	case PCI_EXP_TYPE_ENDPOINT:
-+	case PCI_EXP_TYPE_UPSTREAM:
-+	case PCI_EXP_TYPE_LEG_END:
-+	case PCI_EXP_TYPE_RC_END:
-+		if (acs_on_multifunction && dev->multifunction)
-+			return 1;
+		case PCI_EXP_TYPE_DOWNSTREAM:
+		case PCI_EXP_TYPE_ROOT_PORT:
+			if (acs_on_downstream)
+				return 1;
+			break;
+		case PCI_EXP_TYPE_ENDPOINT:
+		case PCI_EXP_TYPE_UPSTREAM:
+		case PCI_EXP_TYPE_LEG_END:
+		case PCI_EXP_TYPE_RC_END:
+			if (acs_on_multifunction && dev->multifunction)
+				return 1;
 +	}
 +
 +	return -ENOTTY;
 +}
+
 /*
-  * Followings are device-specific reset methods which can be used to
-  * reset a single function if other methods (e.g. FLR, PM D0->D3) are
-@@ -4160,6 +4260,7 @@ static const struct pci_dev_acs_enabled {
- 	{ 0x10df, 0x720, pci_quirk_mf_endpoint_acs }, /* Emulex Skyhawk-R */
- 	/* Cavium ThunderX */
- 	{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
+  * Decoding should be disabled for a PCI device during BAR sizing to avoid
+  * conflict. But doing so may cause problems on host bridge and perhaps other
+@@ -5100,6 +5200,8 @@ static const struct pci_dev_acs_enabled {
+ 	{ PCI_VENDOR_ID_CAVIUM, 0xA060, pci_quirk_mf_endpoint_acs },
+ 	/* APM X-Gene */
+ 	{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
+	/* Enable overrides for missing ACS capabilities */
 +	{ PCI_ANY_ID, PCI_ANY_ID, pcie_acs_overrides },
- 	{ 0 }
- };
- 
-- 
-2.10.1
-
+ 	/* Ampere Computing */
+ 	{ PCI_VENDOR_ID_AMPERE, 0xE005, pci_quirk_xgene_acs },
+ 	{ PCI_VENDOR_ID_AMPERE, 0xE006, pci_quirk_xgene_acs },
--- a/patches/kernel/0005-kvm-disable-default-dynamic-halt-polling-growth.patch
+++ b/patches/kernel/0005-kvm-disable-default-dynamic-halt-polling-growth.patch
@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
+Date: Thu, 14 Sep 2017 11:09:58 +0200
+Subject: [PATCH] kvm: disable default dynamic halt polling growth
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ virt/kvm/kvm_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 0f50960b0e3a..37f840f57f32 100644
+--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
+@@ -82,7 +82,7 @@ module_param(halt_poll_ns, uint, 0644);
+ EXPORT_SYMBOL_GPL(halt_poll_ns);
+ 
+ /* Default doubles per-vcpu halt_poll_ns. */
+-unsigned int halt_poll_ns_grow = 2;
+unsigned int halt_poll_ns_grow = 0;
+ module_param(halt_poll_ns_grow, uint, 0644);
+ EXPORT_SYMBOL_GPL(halt_poll_ns_grow);
+ 
--- a/patches/kernel/0006-net-core-downgrade-unregister_netdevice-refcount-lea.patch
+++ b/patches/kernel/0006-net-core-downgrade-unregister_netdevice-refcount-lea.patch
@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Wed, 7 Oct 2020 17:18:28 +0200
+Subject: [PATCH] net: core: downgrade unregister_netdevice refcount leak from
+ emergency to error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index c365aa06f886..c9066a7aa4c5 100644
+--- a/net/core/dev.c
+++ b/net/core/dev.c
+@@ -10470,7 +10470,7 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list)
+ 		if (time_after(jiffies, warning_time +
+ 			       READ_ONCE(netdev_unregister_timeout_secs) * HZ)) {
+ 			list_for_each_entry(dev, list, todo_list) {
+-				pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+				pr_err("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+ 					 dev->name, netdev_refcnt_read(dev));
+ 				ref_tracker_dir_print(&dev->refcnt_tracker, 10);
+ 			}
--- a/patches/kernel/0007-Revert-fortify-Do-not-cast-to-unsigned-char.patch
+++ b/patches/kernel/0007-Revert-fortify-Do-not-cast-to-unsigned-char.patch
@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Tue, 10 Jan 2023 08:52:40 +0100
+Subject: [PATCH] Revert "fortify: Do not cast to "unsigned char""
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit 106b7a61c488d2022f44e3531ce33461c7c0685f.
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ include/linux/fortify-string.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
+index 89a6888f2f9e..66e0b60dcabb 100644
+--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
+@@ -18,7 +18,7 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
+ 
+ #define __compiletime_strlen(p)					\
+ ({								\
+-	char *__p = (char *)(p);				\
+	unsigned char *__p = (unsigned char *)(p);		\
+ 	size_t __ret = SIZE_MAX;				\
+ 	const size_t __p_size = __member_size(p);		\
+ 	if (__p_size != SIZE_MAX &&				\
--- a/patches/kernel/0008-kvm-xsave-set-mask-out-PKRU-bit-in-xfeatures-if-vCPU.patch
+++ b/patches/kernel/0008-kvm-xsave-set-mask-out-PKRU-bit-in-xfeatures-if-vCPU.patch
@ -0,0 +1,133 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Fri, 14 Jul 2023 18:10:32 +0200
+Subject: [PATCH] kvm: xsave set: mask-out PKRU bit in xfeatures if vCPU has no
+ support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes live-migrations & snapshot-rollback of VMs with a restricted
+CPU type (e.g., qemu64) from our 5.15 based kernel (default Proxmox
+VE 7.4) to the 6.2 (and future newer) of Proxmox VE 8.0.
+
+Previous to ad856280ddea ("x86/kvm/fpu: Limit guest user_xfeatures to
+supported bits of XCR0") the PKRU bit of the host could leak into the
+state from the guest, which caused trouble when migrating between
+hosts with different CPUs, i.e., where the source supported it but
+the target did not, causing a general protection fault when the guest
+tried to use a pkru related instruction after the migration.
+
+But the fix, while welcome, caused a temporary out-of-sync state when
+migrating such a VM from a kernel without the fix to a kernel with
+the fix, as it threw of KVM when the CPUID of the guest and most of
+the state doesn't report XSAVE and thus any xfeatures, but PKRU and
+the related state is set as enabled, causing the vCPU to spin at 100%
+without any progress forever.
+
+The fix could be at two sites, either in QEMU or in the kernel, I
+choose the kernel as we have all the info there for a targeted
+heuristic so that we don't have to adapt QEMU and qemu-server, the
+latter even on both sides.
+
+Still, a short summary of the possible fixes and short drawbacks:
+* on QEMU-side either
+  - clear the PKRU state in the migration saved state would be rather
+    complicated to implement as the vCPU is initialised way before we
+    have the saved xfeature state available to check what we'd need
+    to do, plus the user-space only gets a memory blob from ioctl
+    KVM_GET_XSAVE2 that it passes to KVM_SET_XSAVE ioctl, there are
+    no ABI guarantees, and while the struct seem stable for 5.15 to
+    6.5-rc1, that doesn't has to be for future kernels, so off the
+    table.
+  - enforce that the CPUID reports PKU support even if it normally
+    wouldn't. While this works (tested by hard-coding it as POC) it
+    is a) not really nice and b) needs some interaction from
+    qemu-server to enable this flag as otherwise we have no good info
+    to decide when it's OK to do this, which means we need to adapt
+    both PVE 7 and 8's qemu-server and also pve-qemu, workable but
+    not optimal
+
+* on Kernel/KVM-side we can hook into the set XSAVE ioctl specific to
+  the KVM subsystem, which already reduces chance of regression for
+  all other places. There we have access to the union/struct
+  definitions of the saved state and thus can savely cast to that.
+  We also got access to the vCPU's CPUID capabilities, meaning we can
+  check if the XCR0 (first XSAVE Control Register) reports
+  that it support the PKRU feature, and if it does *NOT* but the
+  saved xfeatures register from XSAVE *DOES* report it, we can safely
+  assume that this combination is due to an migration from an older,
+  leaky kernel – and clear the bit in the xfeature register before
+  restoring it to the guest vCPU KVM state, avoiding the confusing
+  situation that made the vCPU spin at 100%.
+  This should be safe to do, as the guest vCPU CPUID never reported
+  support for the PKRU feature, and it's also a relatively niche and
+  newish feature.
+
+If it gains us something we can drop this patch a bit in the future
+Proxmox VE 9 major release, but we should ensure that VMs that where
+started before PVE 8 cannot be directly live-migrated to the release
+that includes that change; so we should rather only drop it if the
+maintenance burden is high.
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/cpuid.c |  6 ++++++
+ arch/x86/kvm/cpuid.h |  2 ++
+ arch/x86/kvm/x86.c   | 13 +++++++++++++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index 3a02276899db..e07a6089ba4b 100644
+--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
+@@ -262,6 +262,12 @@ static u64 cpuid_get_supported_xcr0(struct kvm_cpuid_entry2 *entries, int nent)
+ 	return (best->eax | ((u64)best->edx << 32)) & kvm_caps.supported_xcr0;
+ }
+ 
+bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu) {
+	u64 guest_supported_xcr0 = cpuid_get_supported_xcr0(
+	    vcpu->arch.cpuid_entries, vcpu->arch.cpuid_nent);
+	return (guest_supported_xcr0 & XFEATURE_MASK_PKRU) != 0;
+}
+
+ static void __kvm_update_cpuid_runtime(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *entries,
+ 				       int nent)
+ {
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
+index 23dbb9eb277c..07da153802e4 100644
+--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
+@@ -32,6 +32,8 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+ bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx,
+ 	       u32 *ecx, u32 *edx, bool exact_only);
+ 
+bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu);
+
+ u32 xstate_required_size(u64 xstate_bv, bool compacted);
+ 
+ int cpuid_query_maxphyaddr(struct kvm_vcpu *vcpu);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index c84927216fad..880e2b87777e 100644
+--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
+@@ -5580,6 +5580,19 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
+ 	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
+ 		return 0;
+ 
+	if (!vcpu_supports_xsave_pkru(vcpu)) {
+		void *buf = guest_xsave->region;
+		union fpregs_state *ustate = buf;
+		if (ustate->xsave.header.xfeatures & XFEATURE_MASK_PKRU) {
+			printk(
+				KERN_NOTICE "clearing PKRU xfeature bit as vCPU from PID %d"
+				" reports no PKRU support - migration from fpu-leaky kernel?",
+				current->pid
+			);
+			ustate->xsave.header.xfeatures &= ~XFEATURE_MASK_PKRU;
+		}
+	}
+
+ 	return fpu_copy_uabi_to_guest_fpstate(&vcpu->arch.guest_fpu,
+ 					      guest_xsave->region,
+ 					      kvm_caps.supported_xcr0,
--- a/patches/kernel/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
+++ b/patches/kernel/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: kiler129 <grzegorz@noflash.pl>
+Date: Mon, 18 Sep 2023 15:19:26 +0200
+Subject: [PATCH] allow opt-in to allow pass-through on broken hardware..
+
+adapted from https://github.com/kiler129/relax-intel-rmrr , licensed under MIT or GPL 2.0+
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ drivers/iommu/intel/iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index c4c6240d14f9..5e037a9ea6a6 100644
+--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
+@@ -234,6 +234,7 @@ static int dmar_map_gfx = 1;
+ static int dmar_map_ipu = 1;
+ static int intel_iommu_superpage = 1;
+ static int iommu_identity_mapping;
+static int intel_relaxable_rmrr = 0;
+ static int iommu_skip_te_disable;
+ 
+ #define IDENTMAP_GFX		2
+@@ -296,6 +297,9 @@ static int __init intel_iommu_setup(char *str)
+ 		} else if (!strncmp(str, "tboot_noforce", 13)) {
+ 			pr_info("Intel-IOMMU: not forcing on after tboot. This could expose security risk for tboot\n");
+ 			intel_iommu_tboot_noforce = 1;
+		} else if (!strncmp(str, "relax_rmrr", 10)) {
+			pr_info("Intel-IOMMU: assuming all RMRRs are relaxable. This can lead to instability or data loss\n");
+			intel_relaxable_rmrr = 1;
+ 		} else {
+ 			pr_notice("Unknown option - '%s'\n", str);
+ 		}
+@@ -2470,7 +2474,7 @@ static bool device_rmrr_is_relaxable(struct device *dev)
+ 		return false;
+ 
+ 	pdev = to_pci_dev(dev);
+-	if (IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
+	if (intel_relaxable_rmrr || IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
+ 		return true;
+ 	else
+ 		return false;
--- a/patches/kernel/0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch
+++ b/patches/kernel/0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch
@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 18 Oct 2023 12:41:04 -0700
+Subject: [PATCH] KVM: nSVM: Advertise support for flush-by-ASID
+
+Advertise support for FLUSHBYASID when nested SVM is enabled, as KVM can
+always emulate flushing TLB entries for a vmcb12 ASID, e.g. by running L2
+with a new, fresh ASID in vmcb02.  Some modern hypervisors, e.g. VMWare
+Workstation 17, require FLUSHBYASID support and will refuse to run if it's
+not present.
+
+Punt on proper support, as "Honor L1's request to flush an ASID on nested
+VMRUN" is one of the TODO items in the (incomplete) list of issues that
+need to be addressed in order for KVM to NOT do a full TLB flush on every
+nested SVM transition (see nested_svm_transition_tlb_flush()).
+
+Reported-by: Stefan Sterz <s.sterz@proxmox.com>
+Closes: https://lkml.kernel.org/r/b9915c9c-4cf6-051a-2d91-44cc6380f455%40proxmox.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/svm/svm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
+index e90b429c84f1..5c7faf7c447f 100644
+--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
+@@ -5085,6 +5085,7 @@ static __init void svm_set_cpu_caps(void)
+ 	if (nested) {
+ 		kvm_cpu_cap_set(X86_FEATURE_SVM);
+ 		kvm_cpu_cap_set(X86_FEATURE_VMCBCLEAN);
+		kvm_cpu_cap_set(X86_FEATURE_FLUSHBYASID);
+ 
+ 		/*
+ 		 * KVM currently flushes TLBs on *every* nested SVM transition,
--- a/patches/kernel/0011-revert-memfd-improve-userspace-warnings-for-missing-.patch
+++ b/patches/kernel/0011-revert-memfd-improve-userspace-warnings-for-missing-.patch
@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Mon, 6 Nov 2023 10:17:02 +0100
+Subject: [PATCH] revert "memfd: improve userspace warnings for missing
+ exec-related flags".
+
+This warning is telling userspace developers to pass MFD_EXEC and
+MFD_NOEXEC_SEAL to memfd_create().  Commit 434ed3350f57 ("memfd: improve
+userspace warnings for missing exec-related flags") made the warning more
+frequent and visible in the hope that this would accelerate the fixing of
+errant userspace.
+
+But the overall effect is to generate far too much dmesg noise.
+
+Fixes: 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags")
+Reported-by: Damian Tometzki <dtometzki@fedoraproject.org>
+Closes: https://lkml.kernel.org/r/ZPFzCSIgZ4QuHsSC@fedora.fritz.box
+Cc: Aleksa Sarai <cyphar@cyphar.com>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Daniel Verkamp <dverkamp@chromium.org>
+Cc: Jeff Xu <jeffxu@google.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ (cherry picked from commit 2562d67b1bdf91c7395b0225d60fdeb26b4bc5a0)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ mm/memfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/memfd.c b/mm/memfd.c
+index d3a1ba4208c9..6a9de5d9105e 100644
+--- a/mm/memfd.c
+++ b/mm/memfd.c
+@@ -282,7 +282,7 @@ static int check_sysctl_memfd_noexec(unsigned int *flags)
+ 	}
+ 
+ 	if (!(*flags & MFD_NOEXEC_SEAL) && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) {
+-		pr_err_ratelimited(
+		pr_warn_once(
+ 			"%s[%d]: memfd_create() requires MFD_NOEXEC_SEAL with vm.memfd_noexec=%d\n",
+ 			current->comm, task_pid_nr(current), sysctl);
+ 		return -EACCES;
--- a/patches/kernel/0012-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch
+++ b/patches/kernel/0012-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 10 Apr 2024 13:21:59 +0200
+Subject: [PATCH] apparmor: expect msg_namelen=0 for recvmsg calls
+
+When coming from sys_recvmsg, msg->msg_namelen is explicitly set to
+zero early on. (see ____sys_recvmsg in net/socket.c)
+We still end up in 'map_addr' where the assumption is that addr !=
+NULL means addrlen has a valid size.
+
+This is likely not a final fix, it was suggested by jjohansen on irc
+to get things going until this is resolved properly.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ security/apparmor/af_inet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/af_inet.c b/security/apparmor/af_inet.c
+index 57b710054a76..35f905d9b960 100644
+--- a/security/apparmor/af_inet.c
+++ b/security/apparmor/af_inet.c
+@@ -766,7 +766,7 @@ int aa_inet_msg_perm(const char *op, u32 request, struct socket *sock,
+ 	/* do we need early bailout for !family ... */
+ 	return sk_has_perm2(sock->sk, op, request, profile, ad,
+ 			    map_sock_addr(sock, ADDR_LOCAL, &laddr, &ad),
+-			    map_addr(msg->msg_name, msg->msg_namelen, 0,
+			    map_addr(msg->msg_namelen == 0 ? NULL : msg->msg_name, msg->msg_namelen, 0,
+ 				     ADDR_REMOTE, &raddr, &ad),
+ 			    profile_remote_perm(profile, sock->sk, request,
+ 						&raddr, &laddr.maddr, &ad));
--- a/patches/kernel/0013-x86-CPU-AMD-Improve-the-erratum-1386-workaround.patch
+++ b/patches/kernel/0013-x86-CPU-AMD-Improve-the-erratum-1386-workaround.patch
@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Sun, 24 Mar 2024 20:51:35 +0100
+Subject: [PATCH] x86/CPU/AMD: Improve the erratum 1386 workaround
+
+Disable XSAVES only on machines which haven't loaded the microcode
+revision containing the erratum fix.
+
+This will come in handy when running archaic OSes as guests. OSes whose
+brilliant programmers thought that CPUID is overrated and one should not
+query it but use features directly, ala shoot first, ask questions
+later... but only if you're alive after the shooting.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Tested-by: "Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/r/20240324200525.GBZgCHhYFsBj12PrKv@fat_crate.local
+---
+ arch/x86/include/asm/cpu_device_id.h |  8 ++++++++
+ arch/x86/kernel/cpu/amd.c            | 12 ++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/arch/x86/include/asm/cpu_device_id.h b/arch/x86/include/asm/cpu_device_id.h
+index eb8fcede9e3b..bf4e065cf1e2 100644
+--- a/arch/x86/include/asm/cpu_device_id.h
+++ b/arch/x86/include/asm/cpu_device_id.h
+@@ -190,6 +190,14 @@ struct x86_cpu_desc {
+ 	.x86_microcode_rev	= (revision),			\
+ }
+ 
+#define AMD_CPU_DESC(fam, model, stepping, revision) {		\
+	.x86_family		= (fam),			\
+	.x86_vendor		= X86_VENDOR_AMD,		\
+	.x86_model		= (model),			\
+	.x86_stepping		= (stepping),			\
+	.x86_microcode_rev	= (revision),			\
+}
+
+ extern const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match);
+ extern bool x86_cpu_has_min_microcode_rev(const struct x86_cpu_desc *table);
+ 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index dfa8d0cf5e18..22a263b1a884 100644
+--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
+@@ -13,6 +13,7 @@
+ #include <asm/apic.h>
+ #include <asm/cacheinfo.h>
+ #include <asm/cpu.h>
+#include <asm/cpu_device_id.h>
+ #include <asm/spec-ctrl.h>
+ #include <asm/smp.h>
+ #include <asm/numa.h>
+@@ -926,6 +927,11 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
+ 	clear_rdrand_cpuid_bit(c);
+ }
+ 
+static const struct x86_cpu_desc erratum_1386_microcode[] = {
+	AMD_CPU_DESC(0x17,  0x1, 0x2, 0x0800126e),
+	AMD_CPU_DESC(0x17, 0x31, 0x0, 0x08301052),
+};
+
+ static void fix_erratum_1386(struct cpuinfo_x86 *c)
+ {
+ 	/*
+@@ -935,7 +941,13 @@ static void fix_erratum_1386(struct cpuinfo_x86 *c)
+ 	 *
+ 	 * Affected parts all have no supervisor XSAVE states, meaning that
+ 	 * the XSAVEC instruction (which works fine) is equivalent.
+	 *
+	 * Clear the feature flag only on microcode revisions which
+	 * don't have the fix.
+ 	 */
+	if (x86_cpu_has_min_microcode_rev(erratum_1386_microcode))
+		return;
+
+ 	clear_cpu_cap(c, X86_FEATURE_XSAVES);
+ }
+ 
--- a/patches/kernel/0014-block-fix-request.queuelist-usage-in-flush.patch
+++ b/patches/kernel/0014-block-fix-request.queuelist-usage-in-flush.patch
@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chengming Zhou <chengming.zhou@linux.dev>
+Date: Sat, 8 Jun 2024 22:31:15 +0800
+Subject: [PATCH] block: fix request.queuelist usage in flush
+
+Friedrich Weber reported a kernel crash problem and bisected to commit
+81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine").
+
+The root cause is that we use "list_move_tail(&rq->queuelist, pending)"
+in the PREFLUSH/POSTFLUSH sequences. But rq->queuelist.next == xxx since
+it's popped out from plug->cached_rq in __blk_mq_alloc_requests_batch().
+We don't initialize its queuelist just for this first request, although
+the queuelist of all later popped requests will be initialized.
+
+Fix it by changing to use "list_add_tail(&rq->queuelist, pending)" so
+rq->queuelist doesn't need to be initialized. It should be ok since rq
+can't be on any list when PREFLUSH or POSTFLUSH, has no move actually.
+
+Please note the commit 81ada09cc25e ("blk-flush: reuse rq queuelist in
+flush state machine") also has another requirement that no drivers would
+touch rq->queuelist after blk_mq_end_request() since we will reuse it to
+add rq to the post-flush pending list in POSTFLUSH. If this is not true,
+we will have to revert that commit IMHO.
+
+This updated version adds "list_del_init(&rq->queuelist)" in flush rq
+callback since the dm layer may submit request of a weird invalid format
+(REQ_FSEQ_PREFLUSH | REQ_FSEQ_POSTFLUSH), which causes double list_add
+if without this "list_del_init(&rq->queuelist)". The weird invalid format
+problem should be fixed in dm layer.
+
+Reported-by: Friedrich Weber <f.weber@proxmox.com>
+Closes: https://lore.kernel.org/lkml/14b89dfb-505c-49f7-aebb-01c54451db40@proxmox.com/
+Closes: https://lore.kernel.org/lkml/c9d03ff7-27c5-4ebd-b3f6-5a90d96f35ba@proxmox.com/
+Fixes: 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine")
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: ming.lei@redhat.com
+Cc: bvanassche@acm.org
+Tested-by: Friedrich Weber <f.weber@proxmox.com>
+Signed-off-by: Chengming Zhou <chengming.zhou@linux.dev>
+---
+ block/blk-flush.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-flush.c b/block/blk-flush.c
+index 3f4d41952ef2..d72b57898b23 100644
+--- a/block/blk-flush.c
+++ b/block/blk-flush.c
+@@ -183,7 +183,7 @@ static void blk_flush_complete_seq(struct request *rq,
+ 		/* queue for flush */
+ 		if (list_empty(pending))
+ 			fq->flush_pending_since = jiffies;
+-		list_move_tail(&rq->queuelist, pending);
+		list_add_tail(&rq->queuelist, pending);
+ 		break;
+ 
+ 	case REQ_FSEQ_DATA:
+@@ -261,6 +261,7 @@ static enum rq_end_io_ret flush_end_io(struct request *flush_rq,
+ 		unsigned int seq = blk_flush_cur_seq(rq);
+ 
+ 		BUG_ON(seq != REQ_FSEQ_PREFLUSH && seq != REQ_FSEQ_POSTFLUSH);
+		list_del_init(&rq->queuelist);
+ 		blk_flush_complete_seq(rq, fq, seq, error);
+ 	}
+ 
--- a/patches/kernel/0015-scsi-core-Handle-devices-which-return-an-unusually-l.patch
+++ b/patches/kernel/0015-scsi-core-Handle-devices-which-return-an-unusually-l.patch
@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Mon, 20 May 2024 22:30:40 -0400
+Subject: [PATCH] scsi: core: Handle devices which return an unusually large
+ VPD page count
+
+Peter Schneider reported that a system would no longer boot after
+updating to 6.8.4.  Peter bisected the issue and identified commit
+b5fc07a5fb56 ("scsi: core: Consult supported VPD page list prior to
+fetching page") as being the culprit.
+
+Turns out the enclosure device in Peter's system reports a byteswapped
+page length for VPD page 0. It reports "02 00" as page length instead
+of "00 02". This causes us to attempt to access 516 bytes (page length
+ header) of information despite only 2 pages being present.
+
+Limit the page search scope to the size of our VPD buffer to guard
+against devices returning a larger page count than requested.
+
+Link: https://lore.kernel.org/r/20240521023040.2703884-1-martin.petersen@oracle.com
+Fixes: b5fc07a5fb56 ("scsi: core: Consult supported VPD page list prior to fetching page")
+Cc: stable@vger.kernel.org
+Reported-by: Peter Schneider <pschneider1968@googlemail.com>
+Closes: https://lore.kernel.org/all/eec6ebbf-061b-4a7b-96dc-ea748aa4d035@googlemail.com/
+Tested-by: Peter Schneider <pschneider1968@googlemail.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+---
+ drivers/scsi/scsi.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
+index 8cad9792a562..b3ff3a633a1e 100644
+--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
+@@ -350,6 +350,13 @@ static int scsi_get_vpd_size(struct scsi_device *sdev, u8 page)
+ 		if (result < SCSI_VPD_HEADER_SIZE)
+ 			return 0;
+ 
+		if (result > sizeof(vpd)) {
+			dev_warn_once(&sdev->sdev_gendev,
+				      "%s: long VPD page 0 length: %d bytes\n",
+				      __func__, result);
+			result = sizeof(vpd);
+		}
+
+ 		result -= SCSI_VPD_HEADER_SIZE;
+ 		if (!memchr(&vpd[SCSI_VPD_HEADER_SIZE], page, result))
+ 			return 0;
--- a/patches/kernel/0016-e1000e-change-usleep_range-to-udelay-in-PHY-mdic-acc.patch
+++ b/patches/kernel/0016-e1000e-change-usleep_range-to-udelay-in-PHY-mdic-acc.patch
@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Date: Mon, 29 Apr 2024 10:10:40 -0700
+Subject: [PATCH] e1000e: change usleep_range to udelay in PHY mdic access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a partial revert of commit 6dbdd4de0362 ("e1000e: Workaround
+for sporadic MDI error on Meteor Lake systems"). The referenced commit
+used usleep_range inside the PHY access routines, which are sometimes
+called from an atomic context. This can lead to a kernel panic in some
+scenarios, such as cable disconnection and reconnection on vPro systems.
+
+Solve this by changing the usleep_range calls back to udelay.
+
+Fixes: 6dbdd4de0362 ("e1000e: Workaround for sporadic MDI error on Meteor Lake systems")
+Cc: stable@vger.kernel.org
+Reported-by: Jérôme Carretero <cJ@zougloub.eu>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218740
+Closes: https://lore.kernel.org/lkml/a7eb665c74b5efb5140e6979759ed243072cb24a.camel@zougloub.eu/
+Co-developed-by: Sasha Neftin <sasha.neftin@intel.com>
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Tested-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240429171040.1152516-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/phy.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/phy.c b/drivers/net/ethernet/intel/e1000e/phy.c
+index 93544f1cc2a5..f7ae0e0aa4a4 100644
+--- a/drivers/net/ethernet/intel/e1000e/phy.c
+++ b/drivers/net/ethernet/intel/e1000e/phy.c
+@@ -157,7 +157,7 @@ s32 e1000e_read_phy_reg_mdic(struct e1000_hw *hw, u32 offset, u16 *data)
+ 		 * the lower time out
+ 		 */
+ 		for (i = 0; i < (E1000_GEN_POLL_TIMEOUT * 3); i++) {
+-			usleep_range(50, 60);
+			udelay(50);
+ 			mdic = er32(MDIC);
+ 			if (mdic & E1000_MDIC_READY)
+ 				break;
+@@ -181,7 +181,7 @@ s32 e1000e_read_phy_reg_mdic(struct e1000_hw *hw, u32 offset, u16 *data)
+ 		 * reading duplicate data in the next MDIC transaction.
+ 		 */
+ 		if (hw->mac.type == e1000_pch2lan)
+-			usleep_range(100, 150);
+			udelay(100);
+ 
+ 		if (success) {
+ 			*data = (u16)mdic;
+@@ -237,7 +237,7 @@ s32 e1000e_write_phy_reg_mdic(struct e1000_hw *hw, u32 offset, u16 data)
+ 		 * the lower time out
+ 		 */
+ 		for (i = 0; i < (E1000_GEN_POLL_TIMEOUT * 3); i++) {
+-			usleep_range(50, 60);
+			udelay(50);
+ 			mdic = er32(MDIC);
+ 			if (mdic & E1000_MDIC_READY)
+ 				break;
+@@ -261,7 +261,7 @@ s32 e1000e_write_phy_reg_mdic(struct e1000_hw *hw, u32 offset, u16 data)
+ 		 * reading duplicate data in the next MDIC transaction.
+ 		 */
+ 		if (hw->mac.type == e1000_pch2lan)
+-			usleep_range(100, 150);
+			udelay(100);
+ 
+ 		if (success)
+ 			return 0;
--- a/patches/kernel/0017-virtio-pci-Check-if-is_avq-is-NULL.patch
+++ b/patches/kernel/0017-virtio-pci-Check-if-is_avq-is-NULL.patch
@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Li Zhang <zhanglikernel@gmail.com>
+Date: Tue, 18 Jun 2024 07:28:00 +0200
+Subject: [PATCH] virtio-pci: Check if is_avq is NULL
+
+BugLink: https://bugs.launchpad.net/bugs/2067862
+
+[bug]
+In the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved
+to determine whether it is admin virtqueue, but this function vp_dev->is_avq
+ may be empty. For installations, virtio_pci_legacy does not assign a value
+ to vp_dev->is_avq.
+
+[fix]
+Check whether it is vp_dev->is_avq before use.
+
+[test]
+Test with virsh Attach device
+Before this patch, the following command would crash the guest system
+
+After applying the patch, everything seems to be working fine.
+
+Signed-off-by: Li Zhang <zhanglikernel@gmail.com>
+Message-Id: <1710566754-3532-1-git-send-email-zhanglikernel@gmail.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit c8fae27d141a32a1624d0d0d5419d94252824498)
+Signed-off-by: Matthew Ruffell <matthew.ruffell@canonical.com>
+Acked-by: Paolo Pisati <paolo.pisati@canonical.com>
+Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+---
+ drivers/virtio/virtio_pci_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
+index b655fccaf773..3c18fc14cd66 100644
+--- a/drivers/virtio/virtio_pci_common.c
+++ b/drivers/virtio/virtio_pci_common.c
+@@ -236,7 +236,7 @@ void vp_del_vqs(struct virtio_device *vdev)
+ 	int i;
+ 
+ 	list_for_each_entry_safe(vq, n, &vdev->vqs, list) {
+-		if (vp_dev->is_avq(vdev, vq->index))
+		if (vp_dev->is_avq && vp_dev->is_avq(vdev, vq->index))
+ 			continue;
+ 
+ 		if (vp_dev->per_vq_vectors) {
--- a/patches/kernel/9998-rdtsc-spoof-hook-0.patch
+++ b/patches/kernel/9998-rdtsc-spoof-hook-0.patch
@ -0,0 +1,14 @@
+diff -Naur --no-dereference a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+--- a/arch/x86/kvm/vmx/vmx.c     2024-07-01 21:03:34.000000000 +0300
+++ b/arch/x86/kvm/vmx/vmx.c     2024-07-01 20:24:05.000000000 +0300
+@@ -6137,6 +6137,10 @@
+ 	[EXIT_REASON_ENCLS]		      = handle_encls,
+ 	[EXIT_REASON_BUS_LOCK]                = handle_bus_lock_vmexit,
+ 	[EXIT_REASON_NOTIFY]		      = handle_notify,
+	[EXIT_REASON_RDTSC]                        = handle_rdtsc,
+	[EXIT_REASON_RDTSCP]               = handle_rdtscp,
+	[EXIT_REASON_UMWAIT]                  = handle_umwait,
+	[EXIT_REASON_TPAUSE]                  = handle_tpause,
+ };
+ 
+ static const int kvm_vmx_max_exit_handlers =
--- a/patches/kernel/9999-rdtsc-spoof-hook-1.patch
+++ b/patches/kernel/9999-rdtsc-spoof-hook-1.patch
@ -0,0 +1,40 @@
+diff -Naur --no-dereference a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+--- a/arch/x86/kvm/vmx/vmx.c     2024-07-01 21:03:34.000000000 +0300
+++ b/arch/x86/kvm/vmx/vmx.c     2024-07-01 20:24:05.000000000 +0300
+@@ -6079,6 +6079,36 @@
+ 	return 1;
+ }
+ 
+static int handle_rdtsc(struct kvm_vcpu *vcpu)
+{
+	u64 _rdtsc = rdtsc();
+	printk_once("[HookEntry] hook entry function handle_rdtsc is working, return the rdtsc() if no hook , you can hook here!\n");
+	vcpu->arch.regs[VCPU_REGS_RAX] = _rdtsc & -1u;
+	vcpu->arch.regs[VCPU_REGS_RDX] = (_rdtsc >> 32) & -1u;
+	return kvm_skip_emulated_instruction(vcpu);
+}
+
+static int handle_rdtscp(struct kvm_vcpu *vcpu)
+{
+	u64 _rdtsc = rdtsc();
+	printk_once("[HookEntry] hook entry function handle_rdtscp is working, return the rdtsc() if no hook , you can hook here!\n");
+	vcpu->arch.regs[VCPU_REGS_RAX] = _rdtsc & -1u;
+	vcpu->arch.regs[VCPU_REGS_RDX] = (_rdtsc >> 32) & -1u;
+	return kvm_skip_emulated_instruction(vcpu);
+}
+
+static int handle_umwait(struct kvm_vcpu *vcpu)
+{
+	kvm_skip_emulated_instruction(vcpu);
+	return 1;
+}
+
+static int handle_tpause(struct kvm_vcpu *vcpu)
+{
+	kvm_skip_emulated_instruction(vcpu);
+	return 1;
+}
+
+ /*
+  * The exit handlers return 1 if the exit was handled fully and guest execution
+  * may resume.  Otherwise they set the kvm_run parameter to indicate what needs
--- a/postrm.in
+++ b/postrm.in
@ -1,46 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-
-# Ignore all 'upgrade' invocations .
-exit 0 if $ARGV[0] =~ /upgrade/;
-
-my $imagedir = "/boot";
-
-my $version = "@@KVNAME@@";
-
-if (-d "/etc/kernel/postrm.d") {
-  print STDERR "Examining /etc/kernel/postrm.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " .
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/postrm.d") &&
-            die "Failed to process /etc/kernel/postrm.d";
-}
-
-unlink "$imagedir/initrd.img-$version";
-unlink "$imagedir/initrd.img-$version.bak";
-unlink "/var/lib/initramfs-tools/$version";
-
-# Ignore all invocations except when called on to purge.
-exit 0 unless $ARGV[0] =~ /purge/;
-
-my @files_to_remove = qw{
-                         modules.dep modules.isapnpmap modules.pcimap
-                         modules.usbmap modules.parportmap
-                         modules.generic_string modules.ieee1394map
-                         modules.ieee1394map modules.pnpbiosmap
-                         modules.alias modules.ccwmap modules.inputmap
-                         modules.symbols modules.ofmap
-                         modules.seriomap modules.*.bin
-			 modules.softdep modules.devname
-                       };
-
-foreach my $extra_file (@files_to_remove) {
-    for (glob("/lib/modules/$version/$extra_file")) {
-	unlink;
-    }
-}
-
-system ("rmdir", "/lib/modules/$version") if -d "/lib/modules/$version";
-
-exit 0
--- a/proxmox-ve/changelog.Debian
+++ b/proxmox-ve/changelog.Debian
@ -1,194 +0,0 @@
-proxmox-ve (5.0-21) unstable; urgency=medium
-
-  * depend on newest 4.10.17-3-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 31 Aug 2017 14:57:17 +0200
-
-proxmox-ve (5.0-16) unstable; urgency=medium
-
-  * depend on newest 4.10.17-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 11 Jul 2017 11:11:35 +0200
-
-proxmox-ve (5.0-10) unstable; urgency=medium
-
-  * depend on newest 4.10.15-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Jun 2017 10:36:33 +0200
-
-proxmox-ve (5.0-8) unstable; urgency=medium
-
-  * depend on newest 4.10.11-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 18 May 2017 09:14:18 +0200
-
-proxmox-ve (5.0-6) unstable; urgency=medium
-
-  * depend on newest 4.10.8-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Apr 2017 11:24:12 +0200
-
-proxmox-ve (5.0-5) unstable; urgency=medium
-
-  * depend on newest 4.10.5-1-pve kernel
-
-  * remove old 4.x release key
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 28 Mar 2017 10:14:00 +0200
-
-proxmox-ve (5.0-3) unstable; urgency=medium
-
-  * depend on newest 4.10.3-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Mar 2017 13:44:18 +0100
-
-proxmox-ve (5.0-2) unstable; urgency=medium
-
-  * depend on newest 4.10.1-2-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 10 Mar 2017 10:20:14 +0100
-
-proxmox-ve (5.0-1) unstable; urgency=medium
-
-  * Proxmox VE package for Debian Stretch
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 3 Mar 2017 15:56:11 +0100
-
-proxmox-ve (4.4-83) unstable; urgency=medium
-
-  * depend on newest 4.4.44-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 1 Mar 2017 09:22:26 +0100
-
-proxmox-ve (4.4-82) unstable; urgency=medium
-
-  * install PVE release keys in a Debian Stretch compatible way
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 23 Feb 2017 15:14:06 +0100
-
-proxmox-ve (4.4-80) unstable; urgency=medium
-
-  * depend on newest 4.4.40-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 8 Feb 2017 13:10:57 +0100
-
-proxmox-ve (4.4-76) unstable; urgency=medium
-
-  * update version for 4.4 release
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 8 Feb 2017 10:38:33 +0100
-
-proxmox-ve (4.3-74) unstable; urgency=medium
-
-  * depend on newest 4.4.35-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 5 Dec 2016 10:20:03 +0100
-
-proxmox-ve (4.3-73) unstable; urgency=medium
-
-  * depend on newest 4.4.30-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 30 Nov 2016 09:43:29 +0100
-
-proxmox-ve (4.3-72) unstable; urgency=medium
-
-  * depend on newest 4.4.24-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 14 Nov 2016 12:17:16 +0100
-
-proxmox-ve (4.3-67) unstable; urgency=medium
-
-  * depend on newest 4.4.21-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Oct 2016 13:58:20 +0200
-
-proxmox-ve (4.3-66) unstable; urgency=medium
-
-  * depend on newest 4.4.19-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 14 Sep 2016 13:23:43 +0200
-
-proxmox-ve (4.2-63) unstable; urgency=medium
-
-  * use /etc/apt/trusted.gpg.d/ mechanism to install trusted apt keys
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Aug 2016 12:08:43 +0200
-
-proxmox-ve (4.2-61) unstable; urgency=medium
-
-  * depend on newest 4.4.16-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 24 Aug 2016 15:11:08 +0200
-
-proxmox-ve (4.2-58) unstable; urgency=medium
-
-  * depend on newest 4.4.13-2-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 15 Jul 2016 06:03:16 +0200
-
-proxmox-ve (4.2-55) unstable; urgency=medium
-
-  * depend on newest 4.4.13-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Sat, 25 Jun 2016 11:52:14 +0200
-
-proxmox-ve (4.2-54) unstable; urgency=medium
-
-  * depend on newest 4.4.10-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 10 Jun 2016 20:56:08 +0200
-
-proxmox-ve (4.0-49) unstable; urgency=medium
-
-  * depend on newest 4.4.8-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:29:57 +0200
-
-proxmox-ve (4.0-43) unstable; urgency=medium
-
-  * depend on newest 4.4.6-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 11 Apr 2016 09:35:06 +0200
-
-proxmox-ve (4.0-32) unstable; urgency=medium
-
-  * depend on newest 4.2.8-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 03 Feb 2016 16:15:41 +0100
-
-proxmox-ve (4.0-31) unstable; urgency=medium
-
-  * setup kernel links for installation CD (rescue boot)
-
- -- Proxmox Support Team <support@proxmox.com>  Sun, 10 Jan 2016 10:10:37 +0100
-
-proxmox-ve (4.0-29) unstable; urgency=medium
-
-  * depend on newest 4.2.6-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 31 Dec 2015 12:46:00 +0100
-
-proxmox-ve (4.0-8) unstable; urgency=medium
-
-  * depend on newest 4.2.3-2-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Nov 2015 10:40:01 +0100
-
-proxmox-ve (4.0-7) unstable; urgency=medium
-
-  * depend on newest 4.2.3-1-pve kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Sun, 18 Oct 2015 10:58:21 +0200
-
-proxmox-ve (4.0-6) unstable; urgency=medium
-
-  * depend on newest 4.1.3 kernel
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 30 Jul 2015 09:17:30 +0200
-
-proxmox-ve (4.0-1) unstable; urgency=medium
-
-  * Proxmox VE package for Debian Jessie
-
- -- Proxmox Support Team <support@proxmox.com>  Sat, 28 Feb 2015 17:25:14 +0100
-
--- a/proxmox-ve/control
+++ b/proxmox-ve/control
@ -1,16 +0,0 @@
-Package: proxmox-ve
-Version: @RELEASE@-@PKGREL@
-Architecture: all
-Section: admin
-Priority: optional
-Provides: proxmox-virtual-environment
-Conflicts: pve-kernel, proxmox-virtual-environment, proxmox-ve-3.10.0
-Replaces: pve-kernel, proxmox-virtual-environment, proxmox-ve-3.10.0
-Depends: libc6 (>= 2.7-18), pve-kernel-@KVNAME@, pve-firmware, pve-manager, qemu-server, pve-qemu-kvm, openssh-client, openssh-server, apt, vncterm, spiceterm
-Maintainer: Proxmox Support Team <support@proxmox.com>
-Description: The Proxmox Virtual Environment
- The Proxmox Virtual Environment is an easy to use Open Source
- virtualization platform for running Virtual Appliances and Virtual
- Machines. This is a meta package which will install everything
- needed. This package also depends on the latest available Proxmox
- kernel from the @KERNEL_VER@ series.
--- a/proxmox-ve/copyright
+++ b/proxmox-ve/copyright
@ -1,21 +0,0 @@
-Copyright (C) 2016 Proxmox Server Solutions GmbH
-
-This software is written by Proxmox Server Solutions GmbH <support@proxmox.com>
-
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; version 2 dated June, 1991.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, 
-   MA 02110-1301 USA
-
-The complete text of the GNU General
-Public License can be found in `/usr/share/common-licenses/GPL-2'.
--- a/proxmox-ve/postinst
+++ b/proxmox-ve/postinst
@ -1,81 +0,0 @@
-#! /bin/sh
-
-# Abort if any command returns an error value 
-set -e 
-
-# This script is called as the last step of the installation of the 
-# package.  All the package's files are in place, dpkg has already
-# done its automatic conffile handling, and all the packages we depend
-# of are already fully installed and configured.
-
-# The following idempotent stuff doesn't generally need protecting 
-# against being run in the abort-* cases.
-
-case "$1" in
-  configure)
-    # Configure this package.  If the package must prompt the user for
-    # information, do it here.
-
-    # cleanup - remove Proxmox Release Key key from /etc/apt/trusted.gpg
-    /usr/bin/apt-key --keyring /etc/apt/trusted.gpg del 9887F95A >/dev/null 2>&1 || /bin/true
-
-    # cleanup - remove old stretch-incompatible variant of installing release key
-    rm -f /etc/apt/trusted.gpg.d/proxmox-ve.gpg /etc/apt/trusted.gpg.d/proxmox-ve.gpg~
-
-    # setup kernel links for installation CD (rescue boot)
-    mkdir -p /boot/pve
-    ln -sf /boot/vmlinuz-@KVNAME@ /boot/pve/vmlinuz
-    ln -sf /boot/initrd.img-@KVNAME@ /boot/pve/initrd.img
-    
-    # There are three sub-cases:
-    if test "${2+set}" != set; then
-      # We're being installed by an ancient dpkg which doesn't remember
-      # which version was most recently configured, or even whether
-      # there is a most recently configured version.
-      :
-
-    elif test -z "$2" -o "$2" = "<unknown>"; then
-      # The package has not ever been configured on this system, or was
-      # purged since it was last configured.
-      :
-
-    else
-      # Version $2 is the most recently configured version of this
-      # package.
-      :
-
-    fi ;;
-  abort-upgrade)
-    # Back out of an attempt to upgrade this package FROM THIS VERSION
-    # to version $2.  Undo the effects of "prerm upgrade $2".
-    :
-
-    ;;
-  abort-remove)
-    if test "$2" != in-favour; then
-      echo "$0: undocumented call to \`postinst $*'" 1>&2
-      exit 0
-    fi
-    # Back out of an attempt to remove this package, which was due to
-    # a conflict with package $3 (version $4).  Undo the effects of
-    # "prerm remove in-favour $3 $4".
-    :
-
-    ;;
-  abort-deconfigure)
-    if test "$2" != in-favour -o "$5" != removing; then
-      echo "$0: undocumented call to \`postinst $*'" 1>&2
-      exit 0
-    fi
-    # Back out of an attempt to deconfigure this package, which was
-    # due to package $6 (version $7) which we depend on being removed
-    # to make way for package $3 (version $4).  Undo the effects of
-    # "prerm deconfigure in-favour $3 $4 removing $6 $7".
-    :
-
-    ;;
-  *) echo "$0: didn't understand being called with \`$1'" 1>&2
-     exit 0;;
-esac
-
-exit 0
--- a/proxmox-ve/proxmox-release-5.x.pubkey
+++ b/proxmox-ve/proxmox-release-5.x.pubkey
--- a/proxmox-ve/pve-headers.control
+++ b/proxmox-ve/pve-headers.control
@ -1,11 +0,0 @@
-Package: pve-headers
-Version: @RELEASE@-@PKGREL@
-Architecture: all
-Section: admin
-Priority: optional
-Depends: pve-headers-@KVNAME@
-Maintainer: Proxmox Support Team <support@proxmox.com>
-Description: Latest Proxmox VE Kernel Headers
- This is a virtual package which will install the kernel headers
- for the latest available proxmox kernel from the @KERNEL_VER@
- series.
--- a/submodules/spl-module
+++ b/submodules/spl-module
@ -1 +0,0 @@
-Subproject commit b6358351cca47024ffb421bf986f2a949608188e
--- a/submodules/ubuntu-kernel
+++ b/submodules/ubuntu-kernel
@ -0,0 +1 @@
+Subproject commit 52a389ffcb4a5a544790d46c53f79c845364692e
--- a/submodules/ubuntu-zesty
+++ b/submodules/ubuntu-zesty
@ -1 +0,0 @@
-Subproject commit 0f390669d7a35ae963c4d41c1d7134a8450e2a1d
--- a/submodules/zfs-module
+++ b/submodules/zfs-module
@ -1 +0,0 @@
-Subproject commit a540f8d7eff8fa1d79909c4f2e8a3a03535ede74
--- a/submodules/zfsonlinux
+++ b/submodules/zfsonlinux
@ -0,0 +1 @@
+Subproject commit f5c9e3a9a85e73ef96f02375a745b10115a319b3
--- a/uname-version-timestamp.patch
+++ b/uname-version-timestamp.patch
@ -1,33 +0,0 @@
-From: Ben Hutchings <ben@decadent.org.uk>
-Subject: Make mkcompile_h accept an alternate timestamp string
-Date: Tue, 12 May 2015 19:29:22 +0100
-Forwarded: not-needed
-
-We want to include the Debian version in the utsname::version string
-instead of a full timestamp string.  However, we still need to provide
-a standard timestamp string for gen_initramfs_list.sh to make the
-kernel image reproducible.
-
-Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
-$KBUILD_BUILD_TIMESTAMP.
-
--- a/scripts/mkcompile_h
-+++ b/scripts/mkcompile_h
-@@ -37,10 +37,14 @@ else
- 	VERSION=$KBUILD_BUILD_VERSION
- fi
- 
-if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
-	TIMESTAMP=`date`
-+if [ -z "$KBUILD_BUILD_VERSION_TIMESTAMP" ]; then
-+	if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
-+		TIMESTAMP=`date`
-+	else
-+		TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
-+	fi
- else
-	TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
-+	TIMESTAMP=$KBUILD_BUILD_VERSION_TIMESTAMP
- fi
- if test -z "$KBUILD_BUILD_USER"; then
- 	LINUX_COMPILE_BY=$(whoami | sed 's/\\/\\\\/')
				`@ -1 +0,0 @@`
				`Subproject commit b6358351cca47024ffb421bf986f2a949608188e`
				`@ -0,0 +1 @@`
				`Subproject commit 52a389ffcb4a5a544790d46c53f79c845364692e`
				`@ -1 +0,0 @@`
				`Subproject commit 0f390669d7a35ae963c4d41c1d7134a8450e2a1d`
				`@ -1 +0,0 @@`
				`Subproject commit a540f8d7eff8fa1d79909c4f2e8a3a03535ede74`
				`@ -0,0 +1 @@`
				`Subproject commit f5c9e3a9a85e73ef96f02375a745b10115a319b3`