cherry-pick improved erratum 1386 workaround

The original fix disabled the xsaves feature for zen1/2. The issue has since been fixed in the cpus microcode and this patch keeps the feature enabled if the microcode version is recent enough to contain the fix. The patch had to be altered slightly to apply cleanly on 6.5, but no changes content-wise. Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
config: disable CONFIG_N_GSM
2024-04-17 16:51:43 +02:00 · 2024-04-17 11:56:34 +02:00 · 2024-04-15 09:37:08 +02:00 · 2024-04-05 14:02:41 +02:00 · 2024-04-05 13:04:13 +02:00 · 2024-04-05 12:21:20 +02:00
80 changed files with 35334 additions and 26048 deletions
@@ -1 +1,2 @@
 ubuntu-zesty
+*.prepared
@@ -1,6 +1,6 @@
-[submodule "submodules/ubuntu-artful"]
-	path = submodules/ubuntu-artful
-	url = ../mirror_ubuntu-artful-kernel
 [submodule "submodules/zfsonlinux"]
 	path = submodules/zfsonlinux
 	url = ../zfsonlinux
+[submodule "submodules/ubuntu-kernel"]
+	path = submodules/ubuntu-kernel
+	url = ../mirror_ubuntu-kernels
@@ -1,164 +1,134 @@
-RELEASE=5.1
+include /usr/share/dpkg/pkg-info.mk

-# also update pve-kernel-meta.git if either of these change
-KERNEL_MAJ=4
-KERNEL_MIN=13
-KERNEL_PATCHLEVEL=16
-KREL=4
-
-PKGREL=51
+# also bump proxmox-kernel-meta if the default MAJ.MIN version changes!
+KERNEL_MAJ=6
+KERNEL_MIN=5
+KERNEL_PATCHLEVEL=13
+# increment KREL for every published package release!
+# rebuild packages with new KREL and run 'make abiupdate'
+KREL=5

 KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
 KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)

-EXTRAVERSION=-${KREL}-pve
-KVNAME=${KERNEL_VER}${EXTRAVERSION}
-PACKAGE=pve-kernel-${KVNAME}
-HDRPACKAGE=pve-headers-${KVNAME}
+EXTRAVERSION=-$(KREL)-pve
+KVNAME=$(KERNEL_VER)$(EXTRAVERSION)
+PACKAGE=proxmox-kernel-$(KVNAME)
+HDRPACKAGE=proxmox-headers-$(KVNAME)

 ARCH=$(shell dpkg-architecture -qDEB_BUILD_ARCH)

 # amd64/x86_64/x86 share the arch subdirectory in the kernel, 'x86' so we need
 # a mapping
 KERNEL_ARCH=x86
-ifneq (${ARCH}, amd64)
-KERNEL_ARCH=${ARCH}
+ifneq ($(ARCH), amd64)
+KERNEL_ARCH=$(ARCH)
 endif

-GITVERSION:=$(shell git rev-parse HEAD)
-
 SKIPABI=0

-ifeq    ($(CC), cc)
-GCC=gcc
-else
-GCC=$(CC)
-endif
+BUILD_DIR=proxmox-kernel-$(KERNEL_VER)

-BUILD_DIR=build
-
-KERNEL_SRC=ubuntu-artful
+KERNEL_SRC=ubuntu-kernel
 KERNEL_SRC_SUBMODULE=submodules/$(KERNEL_SRC)
-KERNEL_CFG_ORG=config-${KERNEL_VER}.org
-
-E1000EDIR=e1000e-3.3.6
-E1000ESRC=${E1000EDIR}.tar.gz
-
-IGBDIR=igb-5.3.5.10
-IGBSRC=${IGBDIR}.tar.gz
-
-IXGBEDIR=ixgbe-5.3.3
-IXGBESRC=${IXGBEDIR}.tar.gz
+KERNEL_CFG_ORG=config-$(KERNEL_VER).org

 ZFSONLINUX_SUBMODULE=submodules/zfsonlinux
-SPLDIR=pkg-spl
-SPLSRC=${ZFSONLINUX_SUBMODULE}/spl-debian
 ZFSDIR=pkg-zfs
-ZFSSRC=${ZFSONLINUX_SUBMODULE}/zfs-debian

 MODULES=modules
-MODULE_DIRS=${E1000EDIR} ${IGBDIR} ${IXGBEDIR} ${SPLDIR} ${ZFSDIR}
+MODULE_DIRS=$(ZFSDIR)

 # exported to debian/rules via debian/rules.d/dirs.mk
-DIRS=KERNEL_SRC E1000EDIR IGBDIR IXGBEDIR SPLDIR ZFSDIR MODULES
+DIRS=KERNEL_SRC ZFSDIR MODULES

-DST_DEB=${PACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-HDR_DEB=${HDRPACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
+DSC=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL).dsc
+DST_DEB=$(PACKAGE)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+SIGNED_TEMPLATE_DEB=$(PACKAGE)-signed-template_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+META_DEB=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_all.deb
+HDR_DEB=$(HDRPACKAGE)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+META_HDR_DEB=proxmox-headers-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_all.deb
+USR_HDR_DEB=proxmox-kernel-libc-dev_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+LINUX_TOOLS_DBG_DEB=linux-tools-$(KERNEL_MAJMIN)-dbgsym_$(KERNEL_VER)-$(KREL)_$(ARCH).deb

-DEBS=${DST_DEB} ${HDR_DEB} ${LINUX_TOOLS_DEB}
+DEBS=$(DST_DEB) $(META_DEB) $(HDR_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(LINUX_TOOLS_DBG_DEB) $(SIGNED_TEMPLATE_DEB) # $(USR_HDR_DEB)

-all: check_gcc deb
-deb: ${DEBS}
+all: deb
+deb: $(DEBS)

-check_gcc:
-	$(GCC) --version|grep "6\.3" || false
-	@$(GCC) -Werror -mindirect-branch=thunk-extern -mindirect-branch-register -c -x c /dev/null -o check_gcc.o \
-		|| ( rm -f check_gcc.o; \
-		     echo "Please install gcc-6 packages with indirect thunk / RETPOLINE support"; \
-		     false)
-	@rm -f check_gcc.o
+$(META_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(HDR_DEB): $(DST_DEB)
+$(DST_DEB): $(BUILD_DIR).prepared
+	cd $(BUILD_DIR); dpkg-buildpackage --jobs=auto -b -uc -us
+	lintian $(DST_DEB)
+	#lintian $(HDR_DEB)
+	lintian $(LINUX_TOOLS_DEB)

-${LINUX_TOOLS_DEB} ${HDR_DEB}: ${DST_DEB}
-${DST_DEB}: ${BUILD_DIR}.prepared
-	cd ${BUILD_DIR}; dpkg-buildpackage --jobs=auto -b -uc -us
-	lintian ${DST_DEB}
-	#lintian ${HDR_DEB}
-	lintian ${LINUX_TOOLS_DEB}
+dsc:
+	$(MAKE) $(DSC)
+	lintian $(DSC)

-${BUILD_DIR}.prepared: $(addsuffix .prepared,${KERNEL_SRC} ${MODULES} debian)
-	cp -a fwlist-previous ${BUILD_DIR}/
-	cp -a abi-prev-* ${BUILD_DIR}/
-	cp -a abi-blacklist ${BUILD_DIR}/
+$(DSC): $(BUILD_DIR).prepared
+	cd $(BUILD_DIR); dpkg-buildpackage -S -uc -us -d
+
+sbuild: $(DSC)
+	sbuild $(DSC)
+
+$(BUILD_DIR).prepared: $(addsuffix .prepared,$(KERNEL_SRC) $(MODULES) debian)
+	cp -a fwlist-previous $(BUILD_DIR)/
+	cp -a abi-prev-* $(BUILD_DIR)/
+	cp -a abi-blacklist $(BUILD_DIR)/
 	touch $@

+.PHONY: build-dir-fresh
+build-dir-fresh:
+	$(MAKE) clean
+	$(MAKE) $(BUILD_DIR).prepared
+	echo "created build-directory: $(BUILD_DIR).prepared/"
+
 debian.prepared: debian
-	rm -rf ${BUILD_DIR}/debian
-	mkdir -p ${BUILD_DIR}
-	cp -a debian ${BUILD_DIR}/debian
-	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout ${GITVERSION}" > ${BUILD_DIR}/debian/SOURCE
-	@$(foreach dir, ${DIRS},echo "${dir}=${${dir}}" >> ${BUILD_DIR}/debian/rules.d/env.mk;)
-	echo "KVNAME=${KVNAME}" >> ${BUILD_DIR}/debian/rules.d/env.mk
-	echo "KERNEL_MAJMIN=${KERNEL_MAJMIN}" >> ${BUILD_DIR}/debian/rules.d/env.mk
-	cd ${BUILD_DIR}; debian/rules debian/control
+	rm -rf $(BUILD_DIR)/debian
+	mkdir -p $(BUILD_DIR)
+	cp -a debian $(BUILD_DIR)/debian
+	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout $(shell git rev-parse HEAD)" \
+	    >$(BUILD_DIR)/debian/SOURCE
+	@$(foreach dir, $(DIRS),echo "$(dir)=$($(dir))" >> $(BUILD_DIR)/debian/rules.d/env.mk;)
+	echo "KVNAME=$(KVNAME)" >> $(BUILD_DIR)/debian/rules.d/env.mk
+	echo "KERNEL_MAJMIN=$(KERNEL_MAJMIN)" >> $(BUILD_DIR)/debian/rules.d/env.mk
+	cd $(BUILD_DIR); debian/rules debian/control
 	touch $@

-${KERNEL_SRC}.prepared: ${KERNEL_SRC_SUBMODULE} | submodule
-	rm -rf ${BUILD_DIR}/${KERNEL_SRC} $@
-	mkdir -p ${BUILD_DIR}
-	cp -a ${KERNEL_SRC_SUBMODULE} ${BUILD_DIR}/${KERNEL_SRC}
+$(KERNEL_SRC).prepared: $(KERNEL_SRC_SUBMODULE) | submodule
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC) $@
+	mkdir -p $(BUILD_DIR)
+	cp -a $(KERNEL_SRC_SUBMODULE) $(BUILD_DIR)/$(KERNEL_SRC)
 # TODO: split for archs, track and diff in our repository?
-	cat ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/config.common.ubuntu ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/${ARCH}/config.common.${ARCH} ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/${ARCH}/config.flavour.generic > ${KERNEL_CFG_ORG}
-	cp ${KERNEL_CFG_ORG} ${BUILD_DIR}/${KERNEL_SRC}/.config
-	sed -i ${BUILD_DIR}/${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
-	rm -rf ${BUILD_DIR}/${KERNEL_SRC}/debian ${BUILD_DIR}/${KERNEL_SRC}/debian.master
-	cd ${BUILD_DIR}/${KERNEL_SRC}; for patch in ../../patches/kernel/*.patch; do patch -p1 < $${patch}; done
+	cd $(BUILD_DIR)/$(KERNEL_SRC); python3 debian/scripts/misc/annotations --arch amd64 --export >../../$(KERNEL_CFG_ORG)
+	cp $(KERNEL_CFG_ORG) $(BUILD_DIR)/$(KERNEL_SRC)/.config
+	sed -i $(BUILD_DIR)/$(KERNEL_SRC)/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=$(EXTRAVERSION)/'
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC)/debian $(BUILD_DIR)/$(KERNEL_SRC)/debian.master
+	set -e; cd $(BUILD_DIR)/$(KERNEL_SRC); \
+	  for patch in ../../patches/kernel/*.patch; do \
+	    echo "applying patch '$$patch'"; \
+	    patch --batch -p1 < "$${patch}"; \
+	  done
 	touch $@

-${MODULES}.prepared: $(addsuffix .prepared,${MODULE_DIRS})
+$(MODULES).prepared: $(addsuffix .prepared,$(MODULE_DIRS))
 	touch $@

-${E1000EDIR}.prepared: ${E1000ESRC}
-	rm -rf ${BUILD_DIR}/${MODULES}/${E1000EDIR} $@
-	mkdir -p ${BUILD_DIR}/${MODULES}/${E1000EDIR}
-	tar --strip-components=1 -C ${BUILD_DIR}/${MODULES}/${E1000EDIR} -xf ${E1000ESRC}
-	cd ${BUILD_DIR}/${MODULES}/${E1000EDIR}; patch -p1 < ../../../patches/intel/intel-module-gcc6-compat.patch
-	cd ${BUILD_DIR}/${MODULES}/${E1000EDIR}; patch -p1 < ../../../patches/intel/e1000e/e1000e_4.10_max-mtu.patch
-	touch $@
-
-${IGBDIR}.prepared: ${IGBSRC}
-	rm -rf ${BUILD_DIR}/${MODULES}/${IGBDIR} $@
-	mkdir -p ${BUILD_DIR}/${MODULES}/${IGBDIR}
-	tar --strip-components=1 -C ${BUILD_DIR}/${MODULES}/${IGBDIR} -xf ${IGBSRC}
-	cd ${BUILD_DIR}/${MODULES}/${IGBDIR}; patch -p1 < ../../../patches/intel/igb/igb_4.10_max-mtu.patch
-	cd ${BUILD_DIR}/${MODULES}/${IGBDIR}; patch -p1 < ../../../patches/intel/igb/igb_4.12_compat.patch
-	touch $@
-
-${IXGBEDIR}.prepared: ${IXGBESRC}
-	rm -rf ${BUILD_DIR}/${MODULES}/${IXGBEDIR} $@
-	mkdir -p ${BUILD_DIR}/${MODULES}/${IXGBEDIR}
-	tar --strip-components=1 -C ${BUILD_DIR}/${MODULES}/${IXGBEDIR} -xf ${IXGBESRC}
-	touch $@
-
-$(SPLDIR).prepared: ${SPLSRC}
-	rm -rf ${BUILD_DIR}/${MODULES}/${SPLDIR} $@
-	mkdir -p ${BUILD_DIR}/${MODULES}/${SPLDIR}
-	cp -a ${SPLSRC}/* ${BUILD_DIR}/${MODULES}/${SPLDIR}
-	cd ${BUILD_DIR}/${MODULES}/${SPLDIR}; for patch in ../../../${SPLSRC}/../spl-patches/*.patch; do patch -p1 < $${patch}; done
-	touch $@
-
-$(ZFSDIR).prepared: ${ZFSSRC}
-	rm -rf ${BUILD_DIR}/${MODULES}/${ZFSDIR} $@
-	mkdir -p ${BUILD_DIR}/${MODULES}/${ZFSDIR}
-	cp -a ${ZFSSRC}/* ${BUILD_DIR}/${MODULES}/${ZFSDIR}
-	cd ${BUILD_DIR}/${MODULES}/${ZFSDIR}; for patch in ../../../${ZFSSRC}/../zfs-patches/*.patch; do patch -p1 < $${patch}; done
-	# temporarily since patch does not know about permissions, remove after 0.7.7 was merged properly
-	chmod +x ${BUILD_DIR}/${MODULES}/${ZFSDIR}/scripts/enum-extract.pl
-	touch $@
+$(ZFSDIR).prepared: $(ZFSONLINUX_SUBMODULE)
+	rm -rf $(BUILD_DIR)/$(MODULES)/$(ZFSDIR) $(BUILD_DIR)/$(MODULES)/tmp $@
+	mkdir -p $(BUILD_DIR)/$(MODULES)/tmp
+	cp -a $(ZFSONLINUX_SUBMODULE)/* $(BUILD_DIR)/$(MODULES)/tmp
+	cd $(BUILD_DIR)/$(MODULES)/tmp; make kernel
+	rm -rf $(BUILD_DIR)/$(MODULES)/tmp
+	touch $(ZFSDIR).prepared

 .PHONY: upload
-upload: ${DEBS}
-	tar cf - ${DEBS}|ssh repoman@repo.proxmox.com -- upload --product pve,pmg --dist stretch --arch ${ARCH}
+upload: UPLOAD_DIST ?= $(DEB_DISTRIBUTION)
+upload: $(DEBS)
+	tar cf - $(DEBS)|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg,pbs --dist $(UPLOAD_DIST) --arch $(ARCH)

 .PHONY: distclean
 distclean: clean
@@ -168,20 +138,18 @@ distclean: clean
 .PHONY: update_modules
 update_modules: submodule
 	git submodule foreach 'git pull --ff-only origin master'
-	cd ${ZFSSRC}; git pull --ff-only origin master
-	cd ${SPLSRC}; git pull --ff-only origin master
+	cd $(ZFSONLINUX_SUBMODULE); git pull --ff-only origin master

 # make sure submodules were initialized
 .PHONY: submodule
 submodule:
-	test -f "${KERNEL_SRC_SUBMODULE}/README" || git submodule update --init ${KERNEL_SRC_SUBMODULE}
-	test -f "${ZFSONLINUX_SUBMODULE}/Makefile" || git submodule update --init ${ZFSONLINUX_SUBMODULE}
-	(test -f "${ZFSSRC}/debian/changelog" && test -f "${SPLZRC}/debian/changelog") || (cd ${ZFSONLINUX_SUBMODULE}; git submodule update --init)
+	test -f "$(KERNEL_SRC_SUBMODULE)/README" || git submodule update --init $(KERNEL_SRC_SUBMODULE)
+	test -f "$(ZFSONLINUX_SUBMODULE)/Makefile" || git submodule update --init --recursive $(ZFSONLINUX_SUBMODULE)

 # call after ABI bump with header deb in working directory
 .PHONY: abiupdate
-abiupdate: abi-prev-${KVNAME}
-abi-prev-${KVNAME}: abi-tmp-${KVNAME}
+abiupdate: abi-prev-$(KVNAME)
+abi-prev-$(KVNAME): abi-tmp-$(KVNAME)
 ifneq ($(strip $(shell git status --untracked-files=no --porcelain -z)),)
 	@echo "working directory unclean, aborting!"
 	@false
@@ -189,15 +157,15 @@ else
 	git rm "abi-prev-*"
 	mv $< $@
 	git add $@
-	git commit -s -m "update ABI file for ${KVNAME}" -m "(generated with debian/scripts/abi-generate)"
-	@echo "update abi-prev-${KVNAME} committed!"
+	git commit -s -m "update ABI file for $(KVNAME)" -m "(generated with debian/scripts/abi-generate)"
+	@echo "update abi-prev-$(KVNAME) committed!"
 endif

-abi-tmp-${KVNAME}:
-	@ test -e ${HDR_DEB} || (echo "need ${HDR_DEB} to extract ABI data!" && false)
-	debian/scripts/abi-generate ${HDR_DEB} $@ ${KVNAME} 1
+abi-tmp-$(KVNAME):
+	@ test -e $(HDR_DEB) || (echo "need $(HDR_DEB) to extract ABI data!" && false)
+	debian/scripts/abi-generate $(HDR_DEB) $@ $(KVNAME) 1

 .PHONY: clean
 clean:
-	rm -rf *~ build *.prepared ${KERNEL_CFG_ORG}
-	rm -f *.deb *.changes *.buildinfo
+	rm -rf *~ proxmox-kernel-[0-9]*/ *.prepared $(KERNEL_CFG_ORG)
+	rm -f *.deb *.dsc *.changes *.buildinfo *.build proxmox-kernel*.tar.*
@@ -1,24 +1,22 @@
 KERNEL SOURCE:
 ==============

-We currently use the Ubuntu kernel sources, available from:
+We currently use the Ubuntu kernel sources, available from our mirror:

- http://kernel.ubuntu.com/git/ubuntu/ubuntu-artful.git/
+ https://git.proxmox.com/?p=mirror_ubuntu-kernels.git;a=summary

 Ubuntu will maintain those kernels till:

 https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
+ or
+ https://pve.proxmox.com/pve-docs/chapter-pve-faq.html#faq-support-table
+
+ whatever happens to be earlier.


 Additional/Updated Modules:
 ---------------------------

- include latest e1000e driver from intel/sourceforge
-
- include latest ixgbe driver from intel/sourceforge
-
- include latest igb driver from intel/sourceforge
-
 - include native OpenZFS filesystem kernel modules for Linux

  * https://github.com/zfsonlinux/
@@ -26,6 +24,93 @@ Additional/Updated Modules:
  For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ


+BUILD
+=====
+
+As this is packaging for the Linux kernel with some extra integrations, like
+ZFS, this repo cannot be handled like a plain Linux kernel git repository.
+
+The actual Linux kernel source lives in a git submodule.
+
+For a build you should init the submodules and then handle it like most our
+Debian packaging builds. If unsure you can follow this:
+
+Installing Build-Dependencies
+-----------------------------
+
+You can either just check the package metadata template `debian/control.in`
+and install the packages listed in the `Build-Depends` section manually
+(replace `debhelper-compat` with just `debhelper`) or use a more automated way
+described below:
+
+ # install base build-dependencies and helpers
+ apt update
+ apt install devscripts
+
+ # create build-directory so that we got final packaging control files from the
+ # .in templates generated
+ make build-dir-fresh
+
+ # install build-dependencies (replace BUILD-DIR with actual one)
+ mk-build-deps -ir BUILD-DIR/debian/control
+
+
+Package Build
+-------------
+
+ # start the actual build
+ make deb
+
+For simple KConfig modifications you can adapt the list in `debian/rules` file.
+For quick code changes to the actual kernel code you can do them directly in
+the submodule/ubuntu-kernels directory, then re-create the build-directory, e.g.:
+
+ make clean
+ # now build again, explicitly creating the build-dir isn't required anymore
+ # after one has the build-dependencies already installed.
+ make deb
+
+
+Modify-Build-Test Cycles
+------------------------
+
+Ideally you avoid the need for doing a full package build and just directly
+build linux from the ubuntu-kernels or the mainline (stable) repo with copying
+over a build-config of a proxmox-kernel to that as .config and then using the
+`make olddefconfig` target.
+
+If you need full package builds you can try to make changes inside the
+BUILD-DIR directly and then continue build from there, e.g., using
+`dpkg-buildpackage -b -uc -us --no-pre-clean`. Depending on what stage you want
+to continue build you might need to touch, or remove some *.prepared files.
+Just check `debian/rules` for how kernel build progress is tracked by make.
+
+SUBMODULE
+=========
+
+We track the current upstream repository as submodule. Besides obvious
+advantages over tracking binary tar archives this also has some implications.
+
+For building the submodule directory gets copied into build/ and a few patches
+get applied with the `patch` tool. From a git point-of-view, the copied
+directory remains clean even with extra patches applied since it does not
+contain a .git directory, but a reference to the (still pristine) submodule:
+
+$ cat build/ubuntu-kernel/.git
+
+If you mistakenly cloned the upstream repo as "normal" clone (not via the
+submodule mechanics) this means that you have a real .git directory with its
+independent objects and tracking info when copying for building, thus git
+operates on the copied directory - and "sees" that it was dirtied by `patch`,
+and thus the kernel buildsystem sees this too and will add a '+' to the version
+as a result. This changes the output directories for modules and other build
+artefacts and let's then the build fail on packaging.
+
+So always ensure that you really checked it out as submodule, not as full
+"normal" clone. You can also explicitly set the LOCALVERSION variable to
+undefined with: `export LOCALVERSION= but that should only be done for test
+builds.
+
 RELATED PACKAGES:
 =================

@@ -36,18 +121,30 @@ top level meta package, depends on current default kernel series meta package.

 git clone git://git.proxmox.com/git/proxmox-ve.git

-pve-kernel-meta
---------------
+proxmox-default-kernel
+----------------------

-depends on latest kernel and header package within a certain kernel series,
-e.g., pve-kernel-4.13 / pve-headers-4.13
+Depends on default kernel and header meta package, e.g., proxmox-kernel-6.2 /
+proxmox-headers-6.2.

 git clone git://git.proxmox.com/git/pve-kernel-meta.git

+proxmox-kernel-X.Y
+------------------
+
+Depends on the latest kernel (or header, in case of proxmox-headers-X.Y)
+package within a certain series.
+
+e.g., proxmox-kernel-6.2 depends on proxmox-kernel-6.2.16-6-pve
+
+NOTE: Since Proxmox VE 8, based on Debian 12 Bookworm, the kernel ABI is bumped
+with every version bump due to module signing. Since then the meta package was
+pulled into the kernel repo, before that it lived in pve-kernel-meta.git.
+
 pve-firmware
 ------------

-contains the firmware for all released PVE kernels.
+Contains the firmware for all released PVE kernels.

 git clone git://git.proxmox.com/git/pve-firmware.git

@@ -55,21 +152,48 @@ git clone git://git.proxmox.com/git/pve-firmware.git
 NOTES:
 ======

+ABI versions, package versions and package name:
+------------------------------------------------
+
+We follow debian's versioning w.r.t ABI changes:
+
+https://kernel-team.pages.debian.net/kernel-handbook/ch-versions.html
+https://wiki.debian.org/DebianKernelABIChanges
+
+The debian/rules file has a target comparing the build kernel's ABI against the
+version stored in the repository and indicates when an ABI bump is necessary.
+An ABI bump within one upstream version consists of incrementing the KREL
+variable in the Makefile, rebuilding the packages and running 'make abiupdate'
+(the 'abiupdate' target in 'Makefile' contains the steps for consistently
+updating the repository).
+
 Watchdog blacklist
 ------------------

 By default, all watchdog modules are black-listed because it is totally undefined
 which device is actually used for /dev/watchdog.
-We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf
+We ship this list in /lib/modprobe.d/blacklist_proxmox-kernel-<VERSION>.conf
 The user typically edit /etc/modules to enable a specific watchdog device.

+Debug kernel and modules
+------------------------
+
+In order to build a -dbgsym package containing an unstripped copy of the kernel
+image and modules, enable the 'pkg.proxmox-kernel.debug' build profile (e.g. by
+exporting DEB_BUILD_PROFILES='pkg.proxmox-kernel.debug'). The resulting package can
+be used together with 'crash'/'kdump-tools' to debug kernel crashes.
+
+Note: the -dbgsym package is only valid for the proxmox-kernel packages produced by
+the same build. A kernel/module from a different build will likely not match,
+even if both builds are of the same kernel and package version.
+
 Additional information
 ----------------------

 We use the default configuration provided by Ubuntu, and apply
 the following modifications:

-see debian/rules (PVE_CONFIG_OPTS)
+NOTE: For the exact and current list see debian/rules (PVE_CONFIG_OPTS)

 - enable INTEL_MEI_WDT=m (to allow disabling via patch)

@@ -80,68 +204,45 @@ see debian/rules (PVE_CONFIG_OPTS)
 - enable CONFIG_CEPH_FS=m (request from user)

 - enable common CONFIG_BLK_DEV_XXX to avoid hardware detection
-  problems (udev, undate-initramfs have serious problems without that)
+  problems (udev, update-initramfs have serious problems without that)

  	 CONFIG_BLK_DEV_SD=y
  	 CONFIG_BLK_DEV_SR=y
  	 CONFIG_BLK_DEV_DM=y

- add workaround for Debian bug #807000 (see
-  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807000)
-
-  	 CONFIG_BLK_DEV_NVME=y
-
 - compile NBD and RBD modules
 	 CONFIG_BLK_DEV_NBD=m
 	 CONFIG_BLK_DEV_RBD=m

- set LOOP_MIN_COUNT to 8 (debian defaults)
-	 CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+- enable IBM JFS file system as module
+  requested by users (bug #64)

- disable module signatures (CONFIG_MODULE_SIG)
-
- enable IBM JFS file system
-
-  This is disabled in RHEL kernel for no real reason, so we enable
-  it as requested by users (bug #64)
-
- enable apple HFS and HFSPLUS
-
-  This is disabled in RHEL kernel for no real reason, so we enable
-  it as requested by users
+- enable apple HFS and HFSPLUS as module
+  requested by users

 - enable CONFIG_BCACHE=m (requested by user)

 - enable CONFIG_BRIDGE=y
-
-  Else we get warnings on boot, that
-  net.bridge.bridge-nf-call-iptables is an unknown key
+  to avoid warnings on boot, e.g. that net.bridge.bridge-nf-call-iptables is an unknown key

 - enable CONFIG_DEFAULT_SECURITY_APPARMOR
-
  We need this for lxc

 - set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
-
  because if not set, it can give some dynamic memory or cpu frequencies 
  change, and vms can crash (mainly windows guest).
-
  see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273

 - use 'deadline' as default scheduler
-
-  This is the suggested setting for KVM. We also measure bad fsync
-  performance with ext4 and cfq.
+  This is the suggested setting for KVM. We also measure bad fsync performance with ext4 and cfq.

 - disable CONFIG_INPUT_EVBUG
-
-  Module evbug is not blacklisted on debian, so we simply disable it
-  to avoid key-event logs (which is a big security problem)
+  Module evbug is not blacklisted on debian, so we simply disable it to avoid
+  key-event logs (which is a big security problem)

 - enable CONFIG_MODVERSIONS (needed for ABI tracking)

 - switch default UNWINDER to FRAME_POINTER
-
  the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS

 - enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGbjCCBFagAwIBAgIUTVo8veNlt0qzt14J+H2mhEB2SNUwDQYJKoZIhvcNAQEL
+BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
+ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
+BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
+eG1veC5jb20wHhcNMjMwMzA2MTM1MTM0WhcNMzMwMzAzMTM1MTM0WjCBkzELMAkG
+A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
+VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEXMBUGA1UEAwwOU2Vj
+dXJlIEJvb3QgQ0ExITAfBgkqhkiG9w0BCQEWEm9mZmljZUBwcm94bW94LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ59mP8gRLqsA6P53ejy0wMk
+0qLlICtDkPXsJoi4QRHjlPErxXv5zsZ4WqSG2bQ8EW95FAf8EOF6ge+G17neYt1w
+DmlvHzLBfqTJj5EBRgVjdWOjX3AkS/elOyzHdq4rKOteUSpQlMP4ub2cAUdy/8rp
+ouTbduttNv8mymAO89/kbXCEmKFiRS+av+hykFFyXH/KTRa2QnvLVadMEkmtA+vm
+yQhYWCTD8hdisa1o3dKM0Z2l8LyzfIOsVXcwHHB7AhtR4tbLR9Tz2p/m9Gz//vj
+82dBaChh6kxIMZ8kACP28dA561R2P6ZcjzLSJ0Tq5e4tiW9SNEzuTYKTRvFeQoQh
+4usDdSF3ifXDuimShpv8Yaf4fntyIaUfnm6H5tvNr9b9Rw6ZL200LV5VugQ1EpfE
+F0+c3LQfurwT7svISgXSY62Fe/TiHFANOVXM5j3/Dr2ktKyce7BUGN4ewpWPvP99
+io+rdd4bTReuDh8j0nhsSdYKfvuOmvQpgL8Smzno54/hdpuO6cv+slCr1ApDexl8
+gAPPwCZRsH7aPc92g+YPzDm3k77RqkCXPA19KKQLYKvL7a+H3rnqgO81CdGFPHOz
+I5UruKLLeDGAWR0bo0JqDMEL8/oPh9IvGo8lFcTros0NEof6A7p8SGmxM2NodTo9
+spDVs84xDPlp4yX4u8A9AgMBAAGjgbcwgbQwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFLXxsR5I
+LbWGkynLl1qjUgX4cs16MB8GA1UdIwQYMBaAFLXxsR5ILbWGkynLl1qjUgX4cs16
+MB0GA1UdEQQWMBSBEm9mZmljZUBwcm94bW94LmNvbTAdBgNVHRIEFjAUgRJvZmZp
+Y2VAcHJveG1veC5jb20wDQYJKoZIhvcNAQELBQADggIBAAUGWTt792ibVtE9yKgq
+9YtmybKGWjDHdMKl5AcnxLD60z7cEgcUBpEXaUbTzic5rz7fYhUM29LZkF8NIA2a
+rzrF0w+J1zZZKG2VvTWmdgynNNKQ/iTRbhgSZ94hEWOwumlEW4O6HwUN+VYFx8wf
+jvyWc1K6cdCc70IeC5POjYTlXKPoDq8ysPMLhxm7dsk7DDWcR0siMbYqGLLK5cJB
+lZE+9Q3Nj/q4m3odjK1ILrDGKqWWJgxopE21e903Ej+TNw+TduXygHqwVloEXUi4
+clmMMwCfhEBI9Vuy0+QSLxvrHKbwYpWd59RBQEsUubi8sT8Oh7njgmEd/Pf9uD7U
+1Rd9I+1MkNOZXyoyvaJQl9NZ9RpyG+ZbeQoFcL2CeCy0jJQQSilI5k4RtiDrGn6R
+GxlRL/FTvGWBkQGNwvoeFwD6i7zYainf1Z7f1Dh83MxKarxpAwX61K+rHpvAvjN/
+Hd4dslj5C+p188FnGaqiFlFAgVcF//F+yZFGYu1sTIQJ5f0C3LiFLeQYi3SPTf0L
+wk78eHgo6x1cIOM3/Ct4mflHBxnrfOJ9YdEAn2MklpDT5dif+9+zpN1myCQn4HoW
+OgoWIacSuvuFczHTQf2IX4ZEEE5SZwE31f7E0cqjgXmwbz1a81UMZHzvr71rDeWi
+oRgE3Pe1htzpOmw5Ygvjtn8k
+-----END CERTIFICATE-----
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGbzCCBFegAwIBAgIUakjebPHbd0vTEj9dEa3OF+gioGMwDQYJKoZIhvcNAQEL
+BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
+ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
+BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
+eG1veC5jb20wHhcNMjMwMzA2MTQwNTI1WhcNMjcwNDE0MTQwNTI1WjCBmjELMAkG
+A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
+VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEeMBwGA1UEAwwVU2Vj
+dXJlIEJvb3QgU2lnbiAyMDIzMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJveG1v
+eC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJGReH5i3aihb/
+frdbzzNueHBt7DC9W2/GXYf0wfl8izCXz2SYM/UIZavbpzF2uhgxli3Dj4M0FyR2
+oTKRseWyy+YMiwuhQcqCw0KRS6uOUiGjOtPHsEqDFO6DP8d1gNjYkF0jzY/CNf0N
+5Sc+w8jknQJgZ9G1RGcC2ihZATx2pgG9nYA30Op8qHyhcF2KrUmh8wpXky21u0Ja
+0/whsNFNSfQrvosgUroxLd2TvBdcBJu3SXt0B15jfY4Qssjmwgfs/oU8YGaAYnIp
+PLJRqzho/kpDA3PH2lsgxv5BJHQgDuODLj3Q3dx09C71Qdb3FlQ6z9hIdFUoPrvC
+kUpZ5lEwGUyvFZtJJQvGm/1BpDj1G7P8lqODyfkJ4c77XoH7M9z945HmxrfAyjP7
+9Jk8NXA9bSy+ygPHPHlTLEc10HKvk/SRg/sGGUveTr9C6rObfP8EmvXogpS46xSn
+W9s2vFSVFyOBvLpdIhU91McBFinvQaqY0r2XTNrsU3Zp5YG3z6hh6BOLCpD/pixc
+BQyfT8wGeI59dobVSSrWqt+1vNxO02I5t7Mlam687Ix1e3C/nk7+i44WMcmB8n+x
+Dq/v/L+UJlQ75u2dsaAiYUrGcsHQWAZ34oIAfec9qCgG+OLTwobwXXiOlaWiO51n
+0xCQ4ePK+vZuDxRHaXL7hOxFCe3iKwIDAQABo4GxMIGuMB0GA1UdDgQWBBRr/2t+
+Hu0KTVTbNhd31p7aJH15IjAfBgNVHSMEGDAWgBS18bEeSC21hpMpy5dao1IF+HLN
+ejAdBgNVHREEFjAUgRJvZmZpY2VAcHJveG1veC5jb20wHQYDVR0SBBYwFIESb2Zm
+aWNlQHByb3htb3guY29tMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwMwCwYDVR0PBAQDAgbAMA0GCSqGSIb3DQEBCwUAA4ICAQBYmLgWPJSK/pP/CkZE
+iYttW1Vd0Wm4DeZVSyUh2c9AI+A+IT5otEXjCflU8sYU4vm0eEtNwhmGdVf8oZe4
+tS/2eFawDAqEQ8xMsinbMJoqvcYx9uEZPiOOo3GS2YjfUy03Q3BAOV3rMFOjP4y+
+dfYF3IWnKQxvUV0wapRyDbT62plKt4UCtBagUPcm838YRD6ax+4yK/5sojMQM1IW
+2yGgEz8jeCyPI19Ots2RBZTJU2BZ1QqRPLybvLfsENtKgKqOE14BEp6WqtYBaj89
+QZD4tbP9Mqcmnj8AfG89pb1Fj6tq0MLZsboF6i0J7uuQ6CKkb5ksQhLODLMwAZi1
+1EAgWk5btwj6ZvoOHFOjAXGJ13tmUeYt/Zipyy/ie+5LSEdFevQ+zmZzsglfX3QK
+6skoBpHs3kLcuPsoe8uhCvn/b22lHkFdYYkIwIUQFPJgdvBzD8LYHnD8P60UdsQO
+vSSt9qzsq04DCEjwhmNJUeddL9ESGNL8vgpB9GvNjFEq6QMncELkdXDoAeqGFolE
+/dj+8sVq+34plRsvD1GDDx70UWk0ZtQlvhqDJ0kxeT+yYASrwLoujK44SLq8cMJr
+JYxDoxFOy5MSw+EzEXTP9LLkYNdPv/nzPbEz3lEctczyOgBWr22272Kdv3QCHBdP
+v4+vFbHnrXmu8cC9T45r2aX3rQ==
+-----END CERTIFICATE-----
@@ -1 +0,0 @@
-10
@@ -1,19 +1,39 @@
-Source: pve-kernel
+Source: proxmox-kernel-@KVMAJMIN@
 Section: devel
 Priority: optional
 Maintainer: Proxmox Support Team <support@proxmox.com>
-Build-Depends: asciidoc,
+Build-Depends: asciidoc-base,
+               automake,
               bc,
               bison,
+               cpio,
+               debhelper-compat (= 13),
+               dh-python,
+               dwarves,
+               file,
               flex,
-               gcc-6 (>= 6.3.0-18+deb9u1),
+               gcc (>= 8.3.0-6),
+               git,
+               kmod,
+               libdw-dev,
+               libelf-dev,
               libiberty-dev,
+               libnuma-dev,
+               libpve-common-perl,
+               libslang2-dev,
               libssl-dev,
+               libtool,
               lintian,
-               sed,
-               tar,
+               lz4,
+               python3-dev,
+               python3-minimal,
+               rsync,
+               sphinx-common,
               xmlto,
-Build-Conflicts: pve-headers-@KVNAME@,
+               zlib1g-dev,
+               zstd,
+Build-Conflicts: proxmox-headers-@KVNAME@,
+Standards-Version: 4.6.2
 Vcs-Git: git://git.proxmox.com/git/pve-kernel
 Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git

@@ -21,32 +41,84 @@ Package: linux-tools-@KVMAJMIN@
 Architecture: any
 Section: devel
 Priority: optional
-Depends: linux-base,
-         ${misc:Depends},
-         ${shlibs:Depends},
+Depends: linux-base, ${misc:Depends}, ${shlibs:Depends},
 Description: Linux kernel version specific tools for version @KVMAJMIN@
 This package provides the architecture dependent parts for kernel
 version locked tools (such as perf and x86_energy_perf_policy)

-Package: pve-headers-@KVNAME@
+Package: proxmox-headers-@KVNAME@
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-headers,
-          linux-headers-2.6,
-Depends: coreutils | fileutils (>= 4.0),
-Description: The Proxmox PVE Kernel Headers
+Provides: linux-headers-@KVNAME@-amd64, pve-headers-@KVNAME@
+Depends: ${misc:Depends},
+Description: Proxmox Kernel Headers
 This package contains the linux kernel headers

-Package: pve-kernel-@KVNAME@
+Package: proxmox-kernel-@KVNAME@
 Section: admin
 Priority: optional
 Architecture: any
-Provides: linux-image,
-          linux-image-2.6,
+Provides: linux-image-@KVNAME@-amd64, pve-kernel-@KVNAME@
 Suggests: pve-firmware,
-Depends: busybox,
-         grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64,
-         initramfs-tools,
-Description: The Proxmox PVE Kernel Image
+Depends: busybox, initramfs-tools | linux-initramfs-tool, ${misc:Depends},
+Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64,
+Description: Proxmox Kernel Image
 This package contains the linux kernel and initial ramdisk used for booting
+
+Package: proxmox-kernel-@KVNAME@-dbgsym
+Architecture: any
+Provides: linux-debug, pve-kernel-@KVNAME@-dbgsym
+Section: devel
+Priority: optional
+Build-Profiles: <pkg.proxmox-kernel.debug>
+Depends: ${misc:Depends},
+Description: Proxmox Kernel debug image
+ This package provides the kernel debug image for version @KVNAME@. The debug
+ kernel image contained in this package is NOT meant to boot from - it is
+ uncompressed, and unstripped, and suitable for use with crash/kdump-tools/..
+ to analyze kernel crashes. This package also contains the proxmox-kernel modules
+ in their unstripped version.
+
+Package: proxmox-kernel-@KVNAME@-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed kernel package
+ This package is used to control code signing by the Proxmox signing
+ service.
+
+Package: proxmox-kernel-libc-dev
+Section: devel
+Priority: optional
+Architecture: any
+Provides: linux-libc-dev (=${binary:Version}), pve-kernel-libc-dev
+Conflicts: linux-libc-dev,
+Replaces: linux-libc-dev, pve-kernel-libc-dev
+Breaks: pve-kernel-libc-dev
+Depends: ${misc:Depends},
+Description: Linux support headers for userspace development
+ This package provides userspaces headers from the Linux kernel.  These headers
+ are used by the installed headers for GNU libc and other system libraries.
+
+Package: proxmox-headers-@KVMAJMIN@
+Architecture: all
+Section: admin
+Provides: linux-headers-amd64, linux-headers-generic, pve-headers-@KVMAJMIN@
+Replaces: pve-headers-@KVMAJMIN@
+Priority: optional
+Depends: proxmox-headers-@KVNAME@, ${misc:Depends},
+Description: Latest Proxmox Kernel Headers
+ This is a metapackage which will install the kernel headers
+ for the latest available proxmox kernel from the @KVMAJMIN@
+ series.
+
+Package: proxmox-kernel-@KVMAJMIN@
+Architecture: all
+Section: admin
+Provides: linux-image-amd64, linux-image-generic, wireguard-modules (=1.0.0), pve-kernel-@KVMAJMIN@
+Replaces: pve-kernel-@KVMAJMIN@
+Priority: optional
+Depends: pve-firmware, proxmox-kernel-@KVNAME@-signed | proxmox-kernel-@KVNAME@, ${misc:Depends},
+Description: Latest Proxmox Kernel Image
+ This is a metapackage which will install the latest available
+ proxmox kernel from the @KVMAJMIN@ series.
@@ -1,11 +1,8 @@
 This is a prepackaged version of the Linux kernel binary image.

-This package was put together by Proxmox Server
-Solutions GmbH <support@proxmox.com>.
-
-We use the RHEL7 kernel sources, available from:
-
-ftp://ftp.redhat.com/redhat/rhel/
+For the packaging and all files in the debian/ folder consider:
+ Copyright (C) 2007-2022 Proxmox Server Solutions GmbH
+ Licensed under the AGPL-3.0-or-later

 Linux is copyrighted by Linus Torvalds and others.

@@ -0,0 +1,17 @@
+#! /bin/sh
+
+# Abort if any command returns an error value 
+set -e
+
+case "$1" in
+  configure)
+    # setup kernel links for installation CD (rescue boot)
+    mkdir -p /boot/pve
+    ln -sf /boot/vmlinuz-@@KVNAME@@ /boot/pve/vmlinuz-@@KVMAJMIN@@
+    ln -sf /boot/initrd.img-@@KVNAME@@ /boot/pve/initrd.img-@@KVMAJMIN@@
+    ;;
+esac
+
+#DEBHELPER#
+
+exit 0
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+# Abort if any command returns an error value
+set -e
+
+case "$1" in
+    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+        # remove kernel symlinks
+        rm -f /boot/pve/vmlinuz-@@KVNAME@@
+        rm -f /boot/pve/initrd.img-@@KVNAME@@
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#
@@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 # Ignore all invocations except when called on to configure.
 exit 0 unless $ARGV[0] =~ /configure/;
@@ -16,10 +17,9 @@ system("depmod $version");

 if (-d "/etc/kernel/postinst.d") {
  print STDERR "Examining /etc/kernel/postinst.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " .
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/postinst.d") &&
-            die "Failed to process /etc/kernel/postinst.d";
+  system(
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/postinst.d"
+  ) && die "Failed to process /etc/kernel/postinst.d";
 }

 exit 0
@@ -0,0 +1,46 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+# Ignore all 'upgrade' invocations .
+exit 0 if $ARGV[0] =~ /upgrade/;
+
+my $imagedir = "/boot";
+
+my $version = "@@KVNAME@@";
+
+if (-d "/etc/kernel/postrm.d") {
+  print STDERR "Examining /etc/kernel/postrm.d.\n";
+  system (
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/postrm.d"
+  ) && die "Failed to process /etc/kernel/postrm.d";
+}
+
+unlink "$imagedir/initrd.img-$version";
+unlink "$imagedir/initrd.img-$version.bak";
+unlink "/var/lib/initramfs-tools/$version";
+
+# Ignore all invocations except when called on to purge.
+exit 0 unless $ARGV[0] =~ /purge/;
+
+my @files_to_remove = qw{
+    modules.dep modules.isapnpmap modules.pcimap
+    modules.usbmap modules.parportmap
+    modules.generic_string modules.ieee1394map
+    modules.ieee1394map modules.pnpbiosmap
+    modules.alias modules.ccwmap modules.inputmap
+    modules.symbols modules.ofmap
+    modules.seriomap modules.*.bin
+    modules.softdep modules.devname
+};
+
+foreach my $extra_file (@files_to_remove) {
+    for (glob("/lib/modules/$version/$extra_file")) {
+	unlink;
+    }
+}
+
+system ("rmdir", "/lib/modules/$version") if -d "/lib/modules/$version";
+
+exit 0
@@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 # Ignore all invocations uxcept when called on to remove
 exit 0 unless ($ARGV[0] && $ARGV[0] =~ /remove/) ;
@@ -14,10 +15,9 @@ my $version = "@@KVNAME@@";

 if (-d "/etc/kernel/prerm.d") {
  print STDERR "Examining /etc/kernel/prerm.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " . 
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/prerm.d") &&
-	  die "Failed to process /etc/kernel/prerm.d";
+  system(
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/prerm.d"
+  ) && die "Failed to process /etc/kernel/prerm.d";
 }

 exit 0
@@ -1,46 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-
-# Ignore all 'upgrade' invocations .
-exit 0 if $ARGV[0] =~ /upgrade/;
-
-my $imagedir = "/boot";
-
-my $version = "@@KVNAME@@";
-
-if (-d "/etc/kernel/postrm.d") {
-  print STDERR "Examining /etc/kernel/postrm.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " .
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/postrm.d") &&
-            die "Failed to process /etc/kernel/postrm.d";
-}
-
-unlink "$imagedir/initrd.img-$version";
-unlink "$imagedir/initrd.img-$version.bak";
-unlink "/var/lib/initramfs-tools/$version";
-
-# Ignore all invocations except when called on to purge.
-exit 0 unless $ARGV[0] =~ /purge/;
-
-my @files_to_remove = qw{
-                         modules.dep modules.isapnpmap modules.pcimap
-                         modules.usbmap modules.parportmap
-                         modules.generic_string modules.ieee1394map
-                         modules.ieee1394map modules.pnpbiosmap
-                         modules.alias modules.ccwmap modules.inputmap
-                         modules.symbols modules.ofmap
-                         modules.seriomap modules.*.bin
-			 modules.softdep modules.devname
-                       };
-
-foreach my $extra_file (@files_to_remove) {
-    for (glob("/lib/modules/$version/$extra_file")) {
-	unlink;
-    }
-}
-
-system ("rmdir", "/lib/modules/$version") if -d "/lib/modules/$version";
-
-exit 0
@@ -9,16 +9,25 @@ BUILD_DIR=$(shell pwd)

 include /usr/share/dpkg/default.mk
 include debian/rules.d/env.mk
-include debian/rules.d/${DEB_BUILD_ARCH}.mk
+include debian/rules.d/$(DEB_BUILD_ARCH).mk
+
+MAKEFLAGS += $(subst parallel=,-j,$(filter parallel=%,${DEB_BUILD_OPTIONS}))

 CHANGELOG_DATE:=$(shell dpkg-parsechangelog -SDate)
+CHANGELOG_DATE_UTC_ISO := $(shell date -u -d '$(CHANGELOG_DATE)' +%Y-%m-%dT%H:%MZ)

-PVE_KERNEL_PKG=pve-kernel-${KVNAME}
-PVE_HEADER_PKG=pve-headers-${KVNAME}
-LINUX_TOOLS_PKG=linux-tools-${KERNEL_MAJMIN}
+PMX_KERNEL_PKG=proxmox-kernel-$(KVNAME)
+PMX_KERNEL_SERIES_PKG=proxmox-kernel-$(KERNEL_MAJMIN)
+PMX_DEBUG_KERNEL_PKG=proxmox-kernel-$(KVNAME)-dbgsym
+PMX_HEADER_PKG=proxmox-headers-$(KVNAME)
+PMX_USR_HEADER_PKG=proxmox-kernel-libc-dev
+PMX_KERNEL_SIGNING_TEMPLATE_PKG=proxmox-kernel-${KVNAME}-signed-template
+PMX_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')
+LINUX_TOOLS_PKG=linux-tools-$(KERNEL_MAJMIN)
+KERNEL_SRC_COPY=$(KERNEL_SRC)_tmp

 # TODO: split for archs, move to files?
-PVE_CONFIG_OPTS= \
+PMX_CONFIG_OPTS= \
 -m INTEL_MEI_WDT \
 -d CONFIG_SND_PCM_OSS \
 -e CONFIG_TRANSPARENT_HUGEPAGE_MADVISE \
@@ -26,48 +35,105 @@ PVE_CONFIG_OPTS= \
 -m CONFIG_CEPH_FS \
 -m CONFIG_BLK_DEV_NBD \
 -m CONFIG_BLK_DEV_RBD \
+-m CONFIG_BLK_DEV_UBLK \
+-d CONFIG_SND_PCSP \
 -m CONFIG_BCACHE \
 -m CONFIG_JFS_FS \
 -m CONFIG_HFS_FS \
 -m CONFIG_HFSPLUS_FS \
+-e CIFS_SMB_DIRECT \
+-e CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU \
 -e CONFIG_BRIDGE \
 -e CONFIG_BRIDGE_NETFILTER \
 -e CONFIG_BLK_DEV_SD \
 -e CONFIG_BLK_DEV_SR \
 -e CONFIG_BLK_DEV_DM \
-e CONFIG_BLK_DEV_NVME \
+-m CONFIG_BLK_DEV_NVME \
+-e CONFIG_NLS_ISO8859_1 \
 -d CONFIG_INPUT_EVBUG \
 -d CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND \
+-d CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL \
 -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
-d CONFIG_MODULE_SIG \
+-e CONFIG_SYSFB_SIMPLEFB \
+-e CONFIG_DRM_SIMPLEDRM \
+-e CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG_ALL \
+-e CONFIG_MODULE_SIG_FORMAT \
+--set-str CONFIG_MODULE_SIG_HASH sha512 \
+--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
+-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
+-e CONFIG_MODULE_SIG_SHA512 \
 -d CONFIG_MEMCG_DISABLED \
 -e CONFIG_MEMCG_SWAP_ENABLED \
+-e CONFIG_HYPERV \
+-m CONFIG_VFIO_IOMMU_TYPE1 \
+-e CONFIG_VFIO_VIRQFD \
+-m CONFIG_VFIO \
+-m CONFIG_VFIO_PCI \
+-m CONFIG_USB_XHCI_HCD \
+-m CONFIG_USB_XHCI_PCI \
+-m CONFIG_USB_EHCI_HCD \
+-m CONFIG_USB_EHCI_PCI \
+-m CONFIG_USB_EHCI_HCD_PLATFORM \
+-m CONFIG_USB_OHCI_HCD \
+-m CONFIG_USB_OHCI_HCD_PCI \
+-m CONFIG_USB_OHCI_HCD_PLATFORM \
+-d CONFIG_USB_OHCI_HCD_SSB \
+-m CONFIG_USB_UHCI_HCD \
+-d CONFIG_USB_SL811_HCD_ISO \
 -e CONFIG_MEMCG_KMEM \
 -d CONFIG_DEFAULT_CFQ \
 -e CONFIG_DEFAULT_DEADLINE \
 -e CONFIG_MODVERSIONS \
+-e CONFIG_ZSTD_COMPRESS \
 -d CONFIG_DEFAULT_SECURITY_DAC \
 -e CONFIG_DEFAULT_SECURITY_APPARMOR \
 --set-str CONFIG_DEFAULT_SECURITY apparmor \
+-e CONFIG_MODULE_ALLOW_BTF_MISMATCH \
 -d CONFIG_UNWINDER_ORC \
 -d CONFIG_UNWINDER_GUESS \
 -e CONFIG_UNWINDER_FRAME_POINTER \
-e CONFIG_PAGE_TABLE_ISOLATION
+--set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
+--set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
+-e CONFIG_SECURITY_LOCKDOWN_LSM \
+-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
+--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
+-e CONFIG_PAGE_TABLE_ISOLATION \
+-e CONFIG_ARCH_HAS_CPU_FINALIZE_INIT \
+-d CONFIG_GDS_FORCE_MITIGATION \
+-d CONFIG_WQ_CPU_INTENSIVE_REPORT \
+-d CONFIG_N_GSM \
+-d UBSAN_BOUNDS \

 debian/control: $(wildcard debian/*.in)
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.prerm.in > debian/${PVE_KERNEL_PKG}.prerm
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postrm.in > debian/${PVE_KERNEL_PKG}.postrm
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postinst.in > debian/${PVE_KERNEL_PKG}.postinst
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-headers.postinst.in > debian/${PVE_HEADER_PKG}.postinst
-	chmod +x debian/${PVE_KERNEL_PKG}.prerm
-	chmod +x debian/${PVE_KERNEL_PKG}.postrm
-	chmod +x debian/${PVE_KERNEL_PKG}.postinst
-	chmod +x debian/${PVE_HEADER_PKG}.postinst
-	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/${KERNEL_MAJMIN}/g' < debian/control.in > debian/control
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.prerm.in > debian/$(PMX_KERNEL_PKG).prerm
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postrm.in > debian/$(PMX_KERNEL_PKG).postrm
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postinst.in > debian/$(PMX_KERNEL_PKG).postinst
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-headers.postinst.in > debian/$(PMX_HEADER_PKG).postinst
+	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postrm.in > debian/$(PMX_KERNEL_SERIES_PKG).postrm
+	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postinst.in > debian/$(PMX_KERNEL_SERIES_PKG).postinst
+	chmod +x debian/$(PMX_KERNEL_PKG).prerm
+	chmod +x debian/$(PMX_KERNEL_PKG).postrm
+	chmod +x debian/$(PMX_KERNEL_PKG).postinst
+	chmod +x debian/$(PMX_KERNEL_SERIES_PKG).postrm
+	chmod +x debian/$(PMX_KERNEL_SERIES_PKG).postinst
+	chmod +x debian/$(PMX_HEADER_PKG).postinst
+	sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control
+
+	# signing-template
+	sed -e '1 s/proxmox-kernel/proxmox-kernel-signed/' -e '1 s/${DEB_VERSION}/${PMX_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog
+	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control
+	sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json
+	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.prerm.in > debian/signing-template/prerm
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postrm.in > debian/signing-template/postrm
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postinst.in > debian/signing-template/postinst
+	rm debian/signing-template/*.in
+	cp debian/SOURCE debian/signing-template/

 build: .compile_mark .tools_compile_mark .modules_compile_mark

-install: .install_mark .tools_install_mark .headers_install_mark
+install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
 	dh_installdocs -A debian/copyright debian/SOURCE
 	dh_installchangelogs
 	dh_installman
@@ -77,7 +143,7 @@ install: .install_mark .tools_install_mark .headers_install_mark

 binary: install
 	debian/rules fwcheck abicheck
-	dh_strip -N${PVE_HEADER_PKG}
+	dh_strip -N$(PMX_HEADER_PKG) -N$(PMX_USR_HEADER_PKG)
 	dh_makeshlibs
 	dh_shlibdeps
 	dh_installdeb
@@ -85,69 +151,107 @@ binary: install
 	dh_md5sums
 	dh_builddeb

-.compile_mark: ${KERNEL_SRC}/.config
-	cd ${KERNEL_SRC}; scripts/config ${PVE_CONFIG_OPTS}
-	${MAKE} -C ${KERNEL_SRC} oldconfig
-	${MAKE} -C ${KERNEL_SRC} KBUILD_BUILD_VERSION_TIMESTAMP="PVE ${DEB_VERSION} (${CHANGELOG_DATE})"
+.config_mark:
+	cd $(KERNEL_SRC); scripts/config $(PMX_CONFIG_OPTS)
+	$(MAKE) -C $(KERNEL_SRC) olddefconfig
+	# copy to allow building in parallel to kernel/module compilation without interference
+	rm -rf $(KERNEL_SRC_COPY)
+	cp -ar $(KERNEL_SRC) $(KERNEL_SRC_COPY)
+	touch $@
+
+.compile_mark: .config_mark
+	$(MAKE) -C $(KERNEL_SRC) KBUILD_BUILD_VERSION_TIMESTAMP="PMX $(DEB_VERSION) ($(CHANGELOG_DATE_UTC_ISO))"
 	touch $@

 .install_mark: .compile_mark .modules_compile_mark
-	rm -rf debian/${PVE_KERNEL_PKG}
-	mkdir -p debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}
-	mkdir debian/${PVE_KERNEL_PKG}/boot
-	install -m 644 ${KERNEL_SRC}/.config debian/${PVE_KERNEL_PKG}/boot/config-${KVNAME}
-	install -m 644 ${KERNEL_SRC}/System.map debian/${PVE_KERNEL_PKG}/boot/System.map-${KVNAME}
-	install -m 644 ${KERNEL_SRC}/${KERNEL_IMAGE_PATH} debian/${PVE_KERNEL_PKG}/boot/${KERNEL_INSTALL_FILE}-${KVNAME}
-	${MAKE} -C ${KERNEL_SRC} INSTALL_MOD_PATH=${BUILD_DIR}/debian/${PVE_KERNEL_PKG}/ modules_install
-	## install latest ibg driver
-	install -m 644 ${MODULES}/igb.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/kernel/drivers/net/ethernet/intel/igb/
-	# install latest ixgbe driver
-	install -m 644 ${MODULES}/ixgbe.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/kernel/drivers/net/ethernet/intel/ixgbe/
-	# install latest e1000e driver
-	install -m 644 ${MODULES}/e1000e.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/kernel/drivers/net/ethernet/intel/e1000e/
+	rm -rf debian/$(PMX_KERNEL_PKG)
+	mkdir -p debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)
+	mkdir debian/$(PMX_KERNEL_PKG)/boot
+	install -m 644 $(KERNEL_SRC)/.config debian/$(PMX_KERNEL_PKG)/boot/config-$(KVNAME)
+	install -m 644 $(KERNEL_SRC)/System.map debian/$(PMX_KERNEL_PKG)/boot/System.map-$(KVNAME)
+	install -m 644 $(KERNEL_SRC)/$(KERNEL_IMAGE_PATH) debian/$(PMX_KERNEL_PKG)/boot/$(KERNEL_INSTALL_FILE)-$(KVNAME)
+	$(MAKE) -C $(KERNEL_SRC) INSTALL_MOD_PATH=$(BUILD_DIR)/debian/$(PMX_KERNEL_PKG)/ modules_install
 	# install zfs drivers
-	install -d -m 0755 debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 $(addprefix ${MODULES}/,spl.ko splat.ko zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko zpios.ko icp.ko) debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -d -m 0755 debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
+	install -m 644 $(MODULES)/zfs.ko $(MODULES)/spl.ko debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
 	# remove firmware
-	rm -rf debian/${PVE_KERNEL_PKG}/lib/firmware
+	rm -rf debian/$(PMX_KERNEL_PKG)/lib/firmware
+
+ifeq ($(filter pkg.proxmox-kernel.debug,$(DEB_BUILD_PROFILES)),)
+	echo "'pkg.proxmox-kernel.debug' build profile disabled, skipping -dbgsym creation"
+else
+	echo "'pkg.proxmox-kernel.debug' build profile enabled, creating -dbgsym contents"
+	mkdir -p debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)
+	mkdir debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot
+	install -m 644 $(KERNEL_SRC)/vmlinux debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot/vmlinux-$(KVNAME)
+	cp -r debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/source
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/build
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/modules.*
+endif
+
 	# strip debug info
-	find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+	find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+
+	# sign modules using ephemeral, embedded key
+	if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
+		find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
+			./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
+		done; \
+		rm ./ubuntu-kernel/certs/signing_key.pem ; \
+	fi
 	# finalize
-	/sbin/depmod -b debian/${PVE_KERNEL_PKG}/ ${KVNAME}
+	/sbin/depmod -b debian/$(PMX_KERNEL_PKG)/ $(KVNAME)
 	# Autogenerate blacklist for watchdog devices (see README)
-	install -m 0755 -d debian/${PVE_KERNEL_PKG}/lib/modprobe.d
-	ls debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
+	install -m 0755 -d debian/$(PMX_KERNEL_PKG)/lib/modprobe.d
+	ls debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
 	echo ipmi_watchdog.ko >> watchdog-blacklist.tmp
-	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/${PVE_KERNEL_PKG}/lib/modprobe.d/blacklist_${PVE_KERNEL_PKG}.conf
-	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/source
-	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/build
+	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/$(PMX_KERNEL_PKG)/lib/modprobe.d/blacklist_$(PMX_KERNEL_PKG).conf
+	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/source
+	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/build
+
+	# copy signing template contents
+	rm -rf debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}
+	mkdir -p debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+	cp -R debian/copyright \
+		debian/signing-template/rules \
+		debian/signing-template/control \
+		debian/signing-template/source \
+		debian/signing-template/changelog \
+		debian/signing-template/prerm \
+		debian/signing-template/postrm \
+		debian/signing-template/postinst \
+		debian/signing-template/SOURCE \
+		debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+	cp debian/signing-template/files.json debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/
+
 	touch $@

 .tools_compile_mark: .compile_mark
-	${MAKE} -C ${KERNEL_SRC}/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python2.7
+	$(MAKE) -C $(KERNEL_SRC)/tools/perf prefix=/usr NO_LIBTRACEEVENT=1 HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
 	echo "checking GPL-2 only perf binary for library linkage with incompatible licenses.."
-	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibbfd'
-	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibcrypto'
-	${MAKE} -C ${KERNEL_SRC}/tools/perf man
+	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibbfd'
+	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibcrypto'
+	$(MAKE) -C $(KERNEL_SRC)/tools/perf NO_LIBTRACEEVENT=1 man
 	touch $@

 .tools_install_mark: .tools_compile_mark
-	rm -rf debian/${LINUX_TOOLS_PKG}
-	mkdir -p debian/${LINUX_TOOLS_PKG}/usr/bin
-	mkdir -p debian/${LINUX_TOOLS_PKG}/usr/share/man/man1
-	install -m 755 ${BUILD_DIR}/${KERNEL_SRC}/tools/perf/perf debian/${LINUX_TOOLS_PKG}/usr/bin/perf_$(KERNEL_MAJMIN)
-	for i in ${BUILD_DIR}/${KERNEL_SRC}/tools/perf/Documentation/*.1; do \
+	rm -rf debian/$(LINUX_TOOLS_PKG)
+	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/bin
+	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1
+	install -m 755 $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/perf debian/$(LINUX_TOOLS_PKG)/usr/bin/perf_$(KERNEL_MAJMIN)
+	for i in $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/Documentation/*.1; do \
 	    fname="$${i##*/}"; manname="$${fname%.1}"; \
-	    install -m644 "$$i" "debian/${LINUX_TOOLS_PKG}/usr/share/man/man1/$${manname}_$(KERNEL_MAJMIN).1"; \
+	    install -m644 "$$i" "debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1/$${manname}_$(KERNEL_MAJMIN).1"; \
 	done
 	touch $@

-.headers_install_mark: .compile_mark .modules_compile_mark
-	rm -rf debian/${PVE_HEADER_PKG}
-	mkdir -p debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	install -m 0644 ${KERNEL_SRC}/.config debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	install -m 0644 ${KERNEL_SRC}/Module.symvers debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	cd ${KERNEL_SRC}; find . -path './debian/*' -prune \
+.headers_prepare_mark: .config_mark
+	rm -rf debian/$(PMX_HEADER_PKG)
+	mkdir -p debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	install -m 0644 $(KERNEL_SRC)/.config debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	make -C $(KERNEL_SRC_COPY) mrproper
+	cd $(KERNEL_SRC_COPY); find . -path './debian/*' -prune \
 	    -o -path './include/*' -prune \
 	    -o -path './Documentation' -prune \
 	    -o -path './scripts' -prune \
@@ -159,72 +263,80 @@ binary: install
 	        -o -name '*.sh' \
 	        -o -name '*.pl' \
 	    \) \
-	    -print | cpio -pd --preserve-modification-time ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	cd ${KERNEL_SRC}; cp -a include scripts ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	cd ${KERNEL_SRC}; \
+	    -print | cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	cd $(KERNEL_SRC_COPY); \
 	    ( \
-	        find arch/${KERNEL_HEADER_ARCH} -name include -type d -print | \
+	        find arch/$(KERNEL_HEADER_ARCH) -name include -type d -print | \
 	        xargs -n1 -i: find : -type f \
 	    ) | \
-	    cpio -pd --preserve-modification-time ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	mkdir -p debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}
-	ln -sf /usr/src/linux-headers-${KVNAME} debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}/build
+	    cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
 	touch $@

-.modules_compile_mark: $(addprefix ${MODULES}/,igb.ko ixgbe.ko e1000e.ko spl.ko zfs.ko)
+.headers_compile_mark: .headers_prepare_mark
+	# set output to subdir of source to reduce number of hardcoded paths in output files
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
+	mkdir -p $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
+	cp $(KERNEL_SRC)/.config $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/.config
+	$(MAKE) -C $(KERNEL_SRC_COPY) O=$(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -j1 syncconfig modules_prepare prepare scripts
+	cd $(KERNEL_SRC_COPY); cp -a include scripts $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	find $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -name \*.o.ur-\* -o -name '*.cmd' | xargs rm -f
+	rsync --ignore-existing -r -v -a $(addprefix $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/,arch include kernel scripts tools) $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)
 	touch $@

-${MODULES}/spl.ko: .compile_mark
-	cd ${MODULES}/${SPLDIR}; ./autogen.sh
-	cd ${MODULES}/${SPLDIR}; ./configure --with-config=kernel --with-linux=${BUILD_DIR}/${KERNEL_SRC} --with-linux-obj=${BUILD_DIR}/${KERNEL_SRC}
-	${MAKE} -C ${MODULES}/${SPLDIR}
-	cp ${MODULES}/${SPLDIR}/module/splat/splat.ko ${MODULES}/
-	cp ${MODULES}/${SPLDIR}/module/spl/spl.ko ${MODULES}/
+.headers_install_mark: .compile_mark .modules_compile_mark .headers_compile_mark
+	cp $(KERNEL_SRC)/include/generated/compile.h debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/include/generated/compile.h
+	install -m 0644 $(KERNEL_SRC)/Module.symvers debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	mkdir -p debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)
+	ln -sf /usr/src/linux-headers-$(KVNAME) debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)/build
+	touch $@

-${MODULES}/zfs.ko: .compile_mark ${MODULES}/spl.ko
-	cd ${MODULES}/${ZFSDIR}; ./autogen.sh
-	cd ${MODULES}/${ZFSDIR}; ./configure --with-spl=${BUILD_DIR}/${MODULES}/${SPLDIR} --with-spl-obj=${BUILD_DIR}/${MODULES}/${SPLDIR} --with-config=kernel --with-linux=${BUILD_DIR}/${KERNEL_SRC} --with-linux-obj=${BUILD_DIR}/${KERNEL_SRC}
-	${MAKE} -C ${MODULES}/${ZFSDIR}
-	cp ${MODULES}/${ZFSDIR}/module/avl/zavl.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/nvpair/znvpair.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/unicode/zunicode.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/zcommon/zcommon.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/zpios/zpios.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/icp/icp.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/zfs/zfs.ko ${MODULES}/
+.usr_headers_install_mark: PKG_DIR = debian/$(PMX_USR_HEADER_PKG)
+.usr_headers_install_mark: OUT_DIR = $(PKG_DIR)/usr
+.usr_headers_install_mark: .config_mark
+	rm -rf '$(PKG_DIR)'
+	mkdir -p  '$(PKG_DIR)'
+	$(MAKE) -C $(KERNEL_SRC) headers_install ARCH=$(KERNEL_HEADER_ARCH) INSTALL_HDR_PATH='$(CURDIR)'/$(OUT_DIR)
+	rm -rf $(OUT_DIR)/include/drm $(OUT_DIR)/include/scsi
+	find $(OUT_DIR)/include \( -name .install -o -name ..install.cmd \) -execdir rm {} +

-${MODULES}/igb.ko: .compile_mark
-	${MAKE} -C ${MODULES}/${IGBDIR}/src BUILD_KERNEL=${KVNAME} KSRC=${BUILD_DIR}/${KERNEL_SRC}
-	cp ${MODULES}/${IGBDIR}/src/igb.ko ${MODULES}/
+# Move include/asm to arch-specific directory
+	mkdir -p $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)
+	mv $(OUT_DIR)/include/asm $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
+	test ! -d $(OUT_DIR)/include/arch || \
+		mv $(OUT_DIR)/include/arch $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
+	touch $@

-${MODULES}/ixgbe.ko: .compile_mark
-	${MAKE} -C ${MODULES}/${IXGBEDIR}/src CFLAGS_EXTRA="-DIXGBE_NO_LRO" BUILD_KERNEL=${KVNAME} KSRC=${BUILD_DIR}/${KERNEL_SRC}
-	cp ${MODULES}/${IXGBEDIR}/src/ixgbe.ko ${MODULES}/
+.modules_compile_mark: $(MODULES)/zfs.ko
+	touch $@

-${MODULES}/e1000e.ko: .compile_mark
-	${MAKE} -C ${MODULES}/${E1000EDIR}/src BUILD_KERNEL=${KVNAME} KSRC=${BUILD_DIR}/${KERNEL_SRC}
-	cp ${MODULES}/${E1000EDIR}/src/e1000e.ko ${MODULES}/
+$(MODULES)/zfs.ko: .compile_mark
+	cd $(MODULES)/$(ZFSDIR); ./autogen.sh
+	cd $(MODULES)/$(ZFSDIR); ./configure --with-config=kernel --with-linux=$(BUILD_DIR)/$(KERNEL_SRC) --with-linux-obj=$(BUILD_DIR)/$(KERNEL_SRC)
+	$(MAKE) -C $(MODULES)/$(ZFSDIR)
+	cp $(MODULES)/$(ZFSDIR)/module/zfs.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/spl.ko $(MODULES)/

-fwlist-${KVNAME}: .compile_mark .modules_compile_mark
-	debian/scripts/find-firmware.pl debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME} >fwlist.tmp
+fwlist-$(KVNAME): .compile_mark .modules_compile_mark
+	debian/scripts/find-firmware.pl debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) >fwlist.tmp
 	mv fwlist.tmp $@

 .PHONY: fwcheck
-fwcheck: fwlist-${KVNAME} fwlist-previous
+fwcheck: fwlist-$(KVNAME) fwlist-previous
 	@echo "checking fwlist for changes since last built firmware package.."
-	@echo "if this check fails, add fwlist-${KVNAME} to the pve-firmware repository and upload a new firmware package together with the ${KVNAME} kernel"
+	@echo "if this check fails, add fwlist-$(KVNAME) to the pve-firmware repository and upload a new firmware package together with the $(KVNAME) kernel"
 	sort fwlist-previous | uniq > fwlist-previous.sorted
-	sort fwlist-${KVNAME} | uniq > fwlist-${KVNAME}.sorted
-	diff -up -N fwlist-previous.sorted fwlist-${KVNAME}.sorted > fwlist.diff
-	rm fwlist.diff fwlist-previous.sorted fwlist-${KVNAME}.sorted
+	sort fwlist-$(KVNAME) | uniq > fwlist-$(KVNAME).sorted
+	diff -up -N fwlist-previous.sorted fwlist-$(KVNAME).sorted > fwlist.diff
+	rm fwlist.diff fwlist-previous.sorted fwlist-$(KVNAME).sorted
 	@echo "done, no need to rebuild pve-firmware"


-abi-${KVNAME}: .compile_mark
-	debian/scripts/abi-generate debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/Module.symvers abi-${KVNAME} ${KVNAME}
+abi-$(KVNAME): .compile_mark
+	debian/scripts/abi-generate debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/Module.symvers abi-$(KVNAME) $(KVNAME)

 .PHONY: abicheck
-abicheck: debian/scripts/abi-check abi-${KVNAME} abi-prev-* abi-blacklist
-	debian/scripts/abi-check abi-${KVNAME} abi-prev-* ${SKIPABI}
+abicheck: debian/scripts/abi-check abi-$(KVNAME) abi-prev-* abi-blacklist
+	debian/scripts/abi-check abi-$(KVNAME) abi-prev-* $(SKIPABI)

 .PHONY: clean
@@ -1,12 +1,14 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl
+
+use strict;
+use warnings;

 my $abinew = shift;
 my $abiold = shift;
 my $skipabi = shift;

 # to catch multiple abi-prev-* files being passed in
-die "invalid value for skipabi parameter\n"
-	if (defined($skipabi) && $skipabi !~ /^[01]$/);
+die "invalid value '$skipabi' for skipabi parameter\n" if defined($skipabi) && $skipabi !~ /^[01]$/;

 $abinew =~ /abi-(.*)/;
 my $abistr = $1;
@@ -23,30 +25,30 @@ my $count;
 print "II: Checking ABI...\n";

 if ($skipabi) {
-	print "WW: Explicitly asked to ignore ABI, running in no-fail mode\n";
-	$fail_exit = 0;
-	$abiskip = 1;
-	$EE = "WW:";
+    print "WW: Explicitly asked to ignore ABI, running in no-fail mode\n";
+    $fail_exit = 0;
+    $abiskip = 1;
+    $EE = "WW:";
 }

 if ($prev_abistr ne $abistr) {
-	print "II: Different ABI's, running in no-fail mode\n";
-	$fail_exit = 0;
-	$EE = "WW:";
+    print "II: Different ABI's, running in no-fail mode\n";
+    $fail_exit = 0;
+    $EE = "WW:";
 }

 if (not -f "$abinew" or not -f "$abiold") {
-	print "EE: Previous or current ABI file missing!\n";
-	print "    $abinew\n" if not -f "$abinew";
-	print "    $abiold\n" if not -f "$abiold";
+    print "EE: Previous or current ABI file missing!\n";
+    print "    $abinew\n" if not -f "$abinew";
+    print "    $abiold\n" if not -f "$abiold";

-	# Exit if the ABI files are missing, but return status based on whether
-	# skip ABI was indicated.
-	if ("$abiskip" eq "1") {
-		exit(0);
-	} else {
-		exit(1);
-	}
+    # Exit if the ABI files are missing, but return status based on whether
+    # skip ABI was indicated.
+    if ("$abiskip" eq "1") {
+	exit(0);
+    } else {
+	exit(1);
+    }
 }

 my %symbols;
@@ -58,101 +60,97 @@ my %module_syms;
 my $ignore = 0;
 print "    Reading symbols/modules to ignore...";

-for $file ("abi-blacklist") {
-	if (-f $file) {
-		open(IGNORE, "< $file") or
-			die "Could not open $file";
-		while (<IGNORE>) {
-			chomp;
-			if ($_ =~ m/M: (.*)/) {
-				$modules_ignore{$1} = 1;
-			} else {
-				$symbols_ignore{$_} = 1;
-			}
-			$ignore++;
-		}
-		close(IGNORE);
+for my $file ("abi-blacklist") {
+    next if !-f $file;
+    open(my $IGNORE_FH, '<', $file) or die "Could not open $file - $!";
+
+    while (<$IGNORE_FH>) {
+	chomp;
+	if ($_ =~ m/M: (.*)/) {
+	    $modules_ignore{$1} = 1;
+	} else {
+	    $symbols_ignore{$_} = 1;
 	}
+	$ignore++;
+    }
+    close($IGNORE_FH);
 }
 print "read $ignore symbols/modules.\n";

 sub is_ignored($$) {
-	my ($mod, $sym) = @_;
+    my ($mod, $sym) = @_;

-	die "Missing module name in is_ignored()" if not defined($mod);
-	die "Missing symbol name in is_ignored()" if not defined($sym);
+    die "Missing module name in is_ignored()" if not defined($mod);
+    die "Missing symbol name in is_ignored()" if not defined($sym);

-	if (defined($symbols_ignore{$sym}) or defined($modules_ignore{$mod})) {
-		return 1;
-	}
-	return 0;
+    if (defined($symbols_ignore{$sym}) or defined($modules_ignore{$mod})) {
+	return 1;
+    }
+    return 0;
 }

 # Read new syms first
 print "    Reading new symbols ($abistr)...";
 $count = 0;
-open(NEW, "< $abinew") or
-	die "Could not open $abinew";
-while (<NEW>) {
-	chomp;
-	m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
-	$symbols{$4}{'type'} = $1;
-	$symbols{$4}{'loc'} = $2;
-	$symbols{$4}{'hash'} = $3;
-	$module_syms{$2} = 0;
-	$count++;
+open(my $NEW_FH, '<', $abinew) or die "Could not open $abinew - $!";
+while (<$NEW_FH>) {
+    chomp;
+    m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
+    $symbols{$4}{'type'} = $1;
+    $symbols{$4}{'loc'} = $2;
+    $symbols{$4}{'hash'} = $3;
+    $module_syms{$2} = 0;
+    $count++;
 }
-close(NEW);
+close($NEW_FH);
 print "read $count symbols.\n";

 # Now the old symbols, checking for missing ones
 print "    Reading old symbols...";
 $count = 0;
-open(OLD, "< $abiold") or
-	die "Could not open $abiold";
-while (<OLD>) {
-	chomp;
-	m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
-	$symbols{$4}{'old_type'} = $1;
-	$symbols{$4}{'old_loc'} = $2;
-	$symbols{$4}{'old_hash'} = $3;
-	$count++;
+open(my $OLD_FH, '<', $abiold) or die "Could not open $abiold - $!";
+while (<$OLD_FH>) {
+    chomp;
+    m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
+    $symbols{$4}{'old_type'} = $1;
+    $symbols{$4}{'old_loc'} = $2;
+    $symbols{$4}{'old_hash'} = $3;
+    $count++;
 }
-close(OLD);
+close($OLD_FH);

 print "read $count symbols.\n";

 print "II: Checking for missing symbols in new ABI...";
 $count = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'type'})) {
-		print "\n" if not $count;
-		printf("    MISS : %s%s\n", $sym,
-			is_ignored($symbols{$sym}{'old_loc'}, $sym) ? " (ignored)" : "");
-		$count++ if !is_ignored($symbols{$sym}{'old_loc'}, $sym);
-	}
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'type'})) {
+	print "\n" if not $count;
+	printf("    MISS : %s%s\n", $sym, is_ignored($symbols{$sym}{'old_loc'}, $sym) ? " (ignored)" : "");
+	$count++ if !is_ignored($symbols{$sym}{'old_loc'}, $sym);
+    }
 }
 print "    " if $count;
 print "found $count missing symbols\n";
 if ($count) {
-	print "$EE Symbols gone missing (what did you do!?!)\n";
-	$errors++;
+    print "$EE Symbols gone missing (what did you do!?!)\n";
+    $errors++;
 }


 print "II: Checking for new symbols in new ABI...";
 $count = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'old_type'})) {
-		print "\n" if not $count;
-		print "    NEW : $sym\n";
-		$count++;
-	}
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'old_type'})) {
+	print "\n" if not $count;
+	print "    NEW : $sym\n";
+	$count++;
+    }
 }
 print "    " if $count;
 print "found $count new symbols\n";
 if ($count) {
-	print "WW: Found new symbols. Not recommended unless ABI was bumped\n";
+    print "WW: Found new symbols. Not recommended unless ABI was bumped\n";
 }

 print "II: Checking for changes to ABI...\n";
@@ -160,37 +158,34 @@ $count = 0;
 my $moved = 0;
 my $changed_type = 0;
 my $changed_hash = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'old_type'}) or
-	    !defined($symbols{$sym}{'type'})) {
-		next;
-	}
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'old_type'}) or !defined($symbols{$sym}{'type'})) {
+	next;
+    }

-	# Changes in location don't hurt us, but log it anyway
-	if ($symbols{$sym}{'loc'} ne $symbols{$sym}{'old_loc'}) {
-		printf("    MOVE : %-40s : %s => %s\n", $sym, $symbols{$sym}{'old_loc'},
-			$symbols{$sym}{'loc'});
-		$moved++;
-	}
+    # Changes in location don't hurt us, but log it anyway
+    if ($symbols{$sym}{'loc'} ne $symbols{$sym}{'old_loc'}) {
+	printf("    MOVE : %-40s : %s => %s\n", $sym, $symbols{$sym}{'old_loc'}, $symbols{$sym}{'loc'});
+	$moved++;
+    }

-	# Changes to export type are only bad if new type isn't
-	# EXPORT_SYMBOL. Changing things to GPL are bad.
-	if ($symbols{$sym}{'type'} ne $symbols{$sym}{'old_type'}) {
-		printf("    TYPE : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_type'}.
-			$symbols{$sym}{'type'}, is_ignored($symbols{$sym}{'loc'}, $sym)
-			? " (ignored)" : "");
-		$changed_type++ if $symbols{$sym}{'type'} ne "EXPORT_SYMBOL"
-			and !is_ignored($symbols{$sym}{'loc'}, $sym);
-	}
+    # Changes to export type are only bad if new type isn't
+    # EXPORT_SYMBOL. Changing things to GPL are bad.
+    if ($symbols{$sym}{'type'} ne $symbols{$sym}{'old_type'}) {
+	printf("    TYPE : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_type'}.
+	    $symbols{$sym}{'type'}, is_ignored($symbols{$sym}{'loc'}, $sym)
+	    ? " (ignored)" : "");
+	$changed_type++ if $symbols{$sym}{'type'} ne "EXPORT_SYMBOL" and !is_ignored($symbols{$sym}{'loc'}, $sym);
+    }

-	# Changes to the hash are always bad
-	if ($symbols{$sym}{'hash'} ne $symbols{$sym}{'old_hash'}) {
-		printf("    HASH : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_hash'},
-			$symbols{$sym}{'hash'}, is_ignored($symbols{$sym}{'loc'}, $sym)
-			? " (ignored)" : "");
-		$changed_hash++ if !is_ignored($symbols{$sym}{'loc'}, $sym);
-		$module_syms{$symbols{$sym}{'loc'}}++;
-	}
+    # Changes to the hash are always bad
+    if ($symbols{$sym}{'hash'} ne $symbols{$sym}{'old_hash'}) {
+	printf("    HASH : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_hash'},
+	    $symbols{$sym}{'hash'}, is_ignored($symbols{$sym}{'loc'}, $sym)
+	    ? " (ignored)" : "");
+	$changed_hash++ if !is_ignored($symbols{$sym}{'loc'}, $sym);
+	$module_syms{$symbols{$sym}{'loc'}}++;
+    }
 }

 print "WW: $moved symbols changed location\n" if $moved;
@@ -199,17 +194,17 @@ print "$EE $changed_hash symbols changed hash and weren't ignored\n" if $changed

 $errors++ if $changed_hash or $changed_type;
 if ($changed_hash) {
-	print "II: Module hash change summary...\n";
-	foreach $mod (sort { $module_syms{$b} <=> $module_syms{$a} } keys %module_syms) {
-		next if ! $module_syms{$mod};
-		printf("    %-40s: %d\n", $mod, $module_syms{$mod});
-	}
+    print "II: Module hash change summary...\n";
+    for my $mod (sort { $module_syms{$b} <=> $module_syms{$a} } keys %module_syms) {
+	next if ! $module_syms{$mod};
+	printf("    %-40s: %d\n", $mod, $module_syms{$mod});
+    }
 }

 print "II: Done\n";

 if ($errors) {
-	exit($fail_exit);
+    exit($fail_exit);
 } else {
-	exit(0);
+    exit(0);
 }
@@ -1,8 +1,11 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

-use PVE::Tools;
+use strict;
+use warnings;

-use IO::File;
+use PVE::Tools ();
+
+use IO::File ();

 sub usage {
    die "USAGE: $0 INFILE OUTFILE [ABI INFILE-IS-DEB]\n";
@@ -6,7 +6,7 @@ top=$(pwd)

 if [ "$#" -ne 3 ]; then
    echo "USAGE: $0 repo patchdir ref"
-    echo "\t exports patches from 'repo' to 'patchdir' based on 'ref'"
+    printf "\t exports patches from 'repo' to 'patchdir' based on 'ref'\n"
    exit 1
 fi

@@ -25,10 +25,10 @@ git format-patch \
    --no-cover-letter \
    --zero-commit \
    --no-signature \
-    --output-dir \
-    "${top}/${kernel_patchdir}" \
+    --diff-algorithm=myers \
+    --output-directory="${top}/${kernel_patchdir}" \
    "${base_ref}.."

-git checkout ${base_ref}
+git checkout "${base_ref}"

 cd "${top}"
@@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 my $dir = shift;

@@ -8,25 +9,25 @@ die "no directory to scan" if !$dir;

 die "no such directory" if ! -d $dir;

-die "strange directory name" if $dir !~ m|^(.*/)?(4.13.\d+\-\d+\-pve)(/+)?$|;
+warn "\n\nNOTE: strange directory name: $dir\n\n" if $dir !~ m|^(.*/)?(\d+.\d+.\d+\-\d+\-pve)(/+)?$|;

 my $apiver = $2;

-open(TMP, "find '$dir' -name '*.ko'|");
-while (defined(my $fn = <TMP>)) {
+open(my $FIND_KO_FH, "find '$dir' -name '*.ko'|");
+while (defined(my $fn = <$FIND_KO_FH>)) {
    chomp $fn;
    my $relfn = $fn;
    $relfn =~ s|^$dir/*||;

    my $cmd = "/sbin/modinfo -F firmware '$fn'";
-    open(MOD, "$cmd|");
-    while (defined(my $fw = <MOD>)) {
+    open(my $MOD_FH, "$cmd|");
+    while (defined(my $fw = <$MOD_FH>)) {
 	chomp $fw;
 	print "$fw $relfn\n";
    }
-    close(MOD);
+    close($MOD_FH);

 }
-close TMP;
+close($FIND_KO_FH);

 exit 0;
@@ -0,0 +1,25 @@
+Source: proxmox-kernel-signed-@KVMAJMIN@
+Section: kernel
+Priority: optional
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Standards-Version: 4.2.0
+Build-Depends: debhelper-compat (= 12), dh-exec, python3:any, rsync, sbsigntool, proxmox-kernel-@KVNAME@ (= @UNSIGNED_VERSION@)
+Rules-Requires-Root: no
+Vcs-Git: git://git.proxmox.com/git/pve-kernel
+Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
+
+Package: proxmox-kernel-@KVNAME@-signed
+Section: admin
+Priority: optional
+Architecture: any
+Provides: linux-image-@KVNAME@-amd64, proxmox-kernel-@KVNAME@
+Depends: ${unsigned:Depends}, ${misc:Depends}
+Recommends: ${unsigned:Recommends}
+Suggests: ${unsigned:Suggests}
+Breaks: ${unsigned:Breaks}
+Conflicts: proxmox-kernel-@KVNAME@
+Replaces: proxmox-kernel-@KVNAME@
+Description: ${unsigned:DescriptionShort} (signed)
+ ${unsigned:DescriptionLong}
+ .
+ This package contains the kernel image signed by the Proxmox Secure Boot CA.
@@ -0,0 +1,13 @@
+{
+	"packages": {
+		"proxmox-kernel-@KVNAME@": {
+			"trusted_certs": [],
+			"files": [
+				{
+					"sig_type": "efi",
+					"file": "boot/vmlinuz-@KVNAME@"
+				}
+			]
+		}
+	}
+}
@@ -0,0 +1,58 @@
+#!/usr/bin/make -f
+
+SHELL := bash -e
+
+export DH_OPTIONS
+
+include /usr/share/dpkg/architecture.mk
+
+KERNEL_VERSION=@KVNAME@
+IMAGE_PACKAGE_NAME=proxmox-kernel-$(KERNEL_VERSION)
+PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed
+PACKAGE_VERSION=@PKG_VERSION@
+PACKAGE_DIR=debian/$(PACKAGE_NAME)
+SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME}
+
+build: build-arch build-indep
+build-arch:
+build-indep:
+
+clean:
+	dh_testdir
+	dh_clean
+
+binary: binary-arch binary-indep
+binary-arch:
+	dh_testdir
+	mkdir -p $(PACKAGE_DIR)/boot
+	rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/
+	if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+		sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+			$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+	else \
+		echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \
+		false; \
+	fi
+	mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+	rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
+	mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/
+	cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/
+	dh_install
+	dh_installchangelogs
+	dh_installdocs -A debian/copyright debian/SOURCE
+	dh_lintian
+	dh_compress
+	dh_fixperms
+	dh_installdeb
+	# Copy most package relations and description from unsigned package
+	for field in Depends Suggests Recommends Breaks; do \
+		echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
+	done
+	echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
+	echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
+	dh_gencontrol -- -v$(PACKAGE_VERSION)
+	dh_md5sums
+	dh_builddeb
+binary-indep:
+
+.PHONY: build build-arch build-indep clean binary binary-arch binary-indep
@@ -0,0 +1 @@
+3.0 (native)
@@ -0,0 +1,2 @@
+debian-control-has-dbgsym-package (in section for proxmox-kernel-*-pve-dbgsym) Package [debian/control:*]
+license-problem-gfdl-invariants invariant part is: with the :ref:`invariant sections <fdl-invariant>` being list their titles, with the :ref:`front-cover texts <fdl-cover-texts>` being list, and with the :ref:`back-cover texts <fdl-cover-texts>` being list [ubuntu-kernel/Documentation/userspace-api/media/fdl-appendix.rst]
@@ -1,37 +0,0 @@
-diff --git a/src/netdev.c b/src/netdev.c
-index 73b0f9a..aef1bc2 100644
--- a/src/netdev.c
-+++ b/src/netdev.c
-@@ -6724,19 +6724,12 @@ static int e1000_change_mtu(struct net_device *netdev, int new_mtu)
- 	int max_frame = new_mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
- 
- 	/* Jumbo frame support */
-	if ((max_frame > (VLAN_ETH_FRAME_LEN + ETH_FCS_LEN)) &&
-+	if ((new_mtu > ETH_DATA_LEN) &&
- 	    !(adapter->flags & FLAG_HAS_JUMBO_FRAMES)) {
- 		e_err("Jumbo Frames not supported.\n");
- 		return -EINVAL;
- 	}
- 
-	/* Supported frame sizes */
-	if ((new_mtu < (VLAN_ETH_ZLEN + ETH_FCS_LEN)) ||
-	    (max_frame > adapter->max_hw_frame_size)) {
-		e_err("Unsupported MTU setting\n");
-		return -EINVAL;
-	}
-
- 	/* Jumbo frame workaround on 82579 and newer requires CRC be stripped */
- 	if ((adapter->hw.mac.type >= e1000_pch2lan) &&
- 	    !(adapter->flags2 & FLAG2_CRC_STRIPPING) &&
-@@ -8262,6 +8255,11 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
- #endif /* HAVE_NETDEV_VLAN_FEATURES */
- 	}
- 
-+	/* MTU range: 68 - max_hw_frame_size */
-+	netdev->min_mtu = ETH_MIN_MTU;
-+	netdev->max_mtu = adapter->max_hw_frame_size -
-+	                  (VLAN_ETH_HLEN + ETH_FCS_LEN);
-+
- 	if (e1000e_enable_mng_pass_thru(&adapter->hw))
- 		adapter->flags |= FLAG_MNG_PT_ENABLED;
- 
@@ -1,47 +0,0 @@
-diff --git a/src/e1000_defines.h b/src/e1000_defines.h
-index 6de3988..d58e12f 100644
--- a/src/e1000_defines.h
-+++ b/src/e1000_defines.h
-@@ -423,7 +423,8 @@
- #define ETHERNET_IEEE_VLAN_TYPE		0x8100  /* 802.3ac packet */
- 
- #define ETHERNET_FCS_SIZE		4
-#define MAX_JUMBO_FRAME_SIZE		0x3F00
-+#define MAX_JUMBO_FRAME_SIZE		0x2600
-+#define MAX_STD_JUMBO_FRAME_SIZE	9216
- /* The datasheet maximum supported RX size is 9.5KB (9728 bytes) */
- #define MAX_RX_JUMBO_FRAME_SIZE		0x2600
- #define E1000_TX_PTR_GAP		0x1F
-diff --git a/src/igb_main.c b/src/igb_main.c
-index 2dff0f4..bbfe87e 100644
--- a/src/igb_main.c
-+++ b/src/igb_main.c
-@@ -2852,6 +2852,10 @@ static int igb_probe(struct pci_dev *pdev,
- 	if (pci_using_dac)
- 		netdev->features |= NETIF_F_HIGHDMA;
- 
-+	/* MTU range: 68 - 9216 */
-+	netdev->min_mtu = ETH_MIN_MTU;
-+	netdev->max_mtu = MAX_STD_JUMBO_FRAME_SIZE;
-+
- 	adapter->en_mng_pt = e1000_enable_mng_pass_thru(hw);
- #ifdef DEBUG
- 	if (adapter->dmac != IGB_DMAC_DISABLE)
-@@ -5832,17 +5836,6 @@ static int igb_change_mtu(struct net_device *netdev, int new_mtu)
- 	struct pci_dev *pdev = adapter->pdev;
- 	int max_frame = new_mtu + ETH_HLEN + ETH_FCS_LEN + VLAN_HLEN;
- 
-	if ((new_mtu < 68) || (max_frame > MAX_JUMBO_FRAME_SIZE)) {
-		dev_err(pci_dev_to_dev(pdev), "Invalid MTU setting\n");
-		return -EINVAL;
-	}
-
-#define MAX_STD_JUMBO_FRAME_SIZE 9238
-	if (max_frame > MAX_STD_JUMBO_FRAME_SIZE) {
-		dev_err(pci_dev_to_dev(pdev), "MTU > 9216 not supported.\n");
-		return -EINVAL;
-	}
-
- 	/* adjust max frame to be at least the size of a standard frame */
- 	if (max_frame < (ETH_FRAME_LEN + ETH_FCS_LEN))
- 		max_frame = ETH_FRAME_LEN + ETH_FCS_LEN;
@@ -1,17 +0,0 @@
-diff --git a/src/igb_main.c.orig b/src/igb_main.c
-index 3ee1ec7..c8adf04 100644
--- a/src/igb_main.c.orig
-+++ b/src/igb_main.c
-@@ -1047,8 +1047,10 @@ static void igb_set_interrupt_capability(struct igb_adapter *adapter, bool msix)
- 			for (i = 0; i < numvecs; i++)
- 				adapter->msix_entries[i].entry = i;
- 
-			err = pci_enable_msix(pdev,
-					      adapter->msix_entries, numvecs);
-+			err = pci_enable_msix_range(pdev,
-+						    adapter->msix_entries,
-+						    numvecs,
-+						    numvecs);
- 			if (err == 0)
- 				break;
- 		}
@@ -1,18 +0,0 @@
-diff --git a/src/Makefile.orig b/src/Makefile
-index 8e962f7..50bcdcc 100644
--- a/src/Makefile.orig
-+++ b/src/Makefile
-@@ -123,6 +123,13 @@ ifeq (,$(CC))
-   $(error Compiler not found)
- endif
- 
-+# workaround for GCC6's default PIE
-+ifeq ($(CC),gcc)
-+  PIE_TEST = [ -z "`$(CC) -fno-PIE -no-pie -x c -c /dev/null -o /dev/null 2>&1`" ]
-+  PIE_FLAGS := $(shell $(PIE_TEST) && echo '-fno-PIE -no-pie')
-+  EXTRA_CFLAGS += $(PIE_FLAGS)
-+endif
-+
- # we need to know what platform the driver is being built on
- # some additional features are only built on Intel platforms
- ARCH := $(shell uname -m | sed 's/i.86/i386/')
@@ -15,29 +15,21 @@ Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
 $KBUILD_BUILD_TIMESTAMP.

 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- scripts/mkcompile_h | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
+ init/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)

-diff --git a/scripts/mkcompile_h b/scripts/mkcompile_h
-index fd8fdb91581d..1e35ac9fc810 100755
--- a/scripts/mkcompile_h
-+++ b/scripts/mkcompile_h
-@@ -37,10 +37,14 @@ else
- 	VERSION=$KBUILD_BUILD_VERSION
- fi
+diff --git a/init/Makefile b/init/Makefile
+index cbac576c57d6..479b1253fcbe 100644
+--- a/init/Makefile
+++ b/init/Makefile
+@@ -29,7 +29,7 @@ preempt-flag-$(CONFIG_PREEMPT_DYNAMIC)	:= PREEMPT_DYNAMIC
+ preempt-flag-$(CONFIG_PREEMPT_RT)	:= PREEMPT_RT
 
-if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
-	TIMESTAMP=`date`
-+if [ -z "$KBUILD_BUILD_VERSION_TIMESTAMP" ]; then
-+	if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
-+		TIMESTAMP=`date`
-+	else
-+		TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
-+	fi
- else
-	TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
-+	TIMESTAMP=$KBUILD_BUILD_VERSION_TIMESTAMP
- fi
- if test -z "$KBUILD_BUILD_USER"; then
- 	LINUX_COMPILE_BY=$(whoami | sed 's/\\/\\\\/')
+ build-version = $(or $(KBUILD_BUILD_VERSION), $(build-version-auto))
+-build-timestamp = $(or $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+build-timestamp = $(or $(KBUILD_BUILD_VERSION_TIMESTAMP), $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+ 
+ # Maximum length of UTS_VERSION is 64 chars
+ filechk_uts_version = \
@@ -13,15 +13,16 @@ connected ports (for no real reason). To avoid problems with ARP
 we simply use the MAC of the first connected port.

 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 net/bridge/br_stp_if.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

 diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
-index 89110319ef0f..5e73fff65f47 100644
+index 75204d36d7f9..1fb5ff73ec1e 100644
 --- a/net/bridge/br_stp_if.c
 +++ b/net/bridge/br_stp_if.c
-@@ -259,10 +259,7 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
+@@ -265,10 +265,7 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
 		return false;
 
 	list_for_each_entry(p, &br->port_list, list) {
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Mark Weiman <mark.weiman@markzz.com>
-Date: Sat, 29 Jul 2017 09:15:32 -0400
-Subject: [PATCH] pci: Enable overrides for missing ACS capabilities (4.12+)
+Date: Wed, 7 Feb 2018 16:04:03 -0500
+Subject: [PATCH] pci: Enable overrides for missing ACS capabilities (4.15)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -48,37 +48,38 @@ capability.  Please contact me to have your devices added and save
 your customers the hassle of this boot option.

 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- Documentation/admin-guide/kernel-parameters.txt |   9 +++
- drivers/pci/quirks.c                            | 102 ++++++++++++++++++++++++
+ .../admin-guide/kernel-parameters.txt         |   9 ++
+ drivers/pci/quirks.c                          | 102 ++++++++++++++++++
 2 files changed, 111 insertions(+)

 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index ce24cb1e8f46..0cc1d4200c24 100644
+index 90ddf08e8409..eedfabda597f 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -2938,6 +2938,15 @@
- 		nomsi		[MSI] If the PCI_MSI kernel config parameter is
- 				enabled, this kernel boot option can be used to
- 				disable the use of MSI interrupts system-wide.
+@@ -4285,6 +4285,15 @@
+ 				Also, it enforces the PCI Local Bus spec
+ 				rule that those bits should be 0 in system reset
+ 				events (useful for kexec/kdump cases).
 +		pci_acs_override =
-+					[PCIE] Override missing PCIe ACS support for:
+				[PCIE] Override missing PCIe ACS support for:
 +				downstream
 +					All downstream ports - full ACS capabilities
-+				multfunction
-+					All multifunction devices - multifunction ACS subset
+				multifunction
+					Add multifunction devices - multifunction ACS subset
 +				id:nnnn:nnnn
-+					Specfic device - full ACS capabilities
+					Specific device - full ACS capabilities
 +					Specified as vid:did (vendor/device ID) in hex
 		noioapicquirk	[APIC] Disable all boot interrupt quirks.
 				Safety option to keep boot IRQs enabled. This
 				should never be necessary.
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 9dcd5ed5a05b..8882b8d38d7d 100644
+index c7a5718e5729..901f55b9ac64 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
-@@ -3694,6 +3694,107 @@ static int __init pci_apply_final_quirks(void)
- 
+@@ -287,6 +287,106 @@ static int __init pci_apply_final_quirks(void)
+ }
 fs_initcall_sync(pci_apply_final_quirks);
 
 +static bool acs_on_downstream;
@@ -121,7 +122,6 @@ index 9dcd5ed5a05b..8882b8d38d7d 100644
 +				goto next;
 +			}
 +			acs_on_ids[max_acs_id].vendor = val;
-+
 +			p += strcspn(p, ":");
 +			if (*p != ':') {
 +				pr_warn("PCIe ACS invalid ID\n");
@@ -166,30 +166,31 @@ index 9dcd5ed5a05b..8882b8d38d7d 100644
 +				return 1;
 +
 +	switch (pci_pcie_type(dev)) {
-+	case PCI_EXP_TYPE_DOWNSTREAM:
-+	case PCI_EXP_TYPE_ROOT_PORT:
-+		if (acs_on_downstream)
-+			return 1;
-+		break;
-+	case PCI_EXP_TYPE_ENDPOINT:
-+	case PCI_EXP_TYPE_UPSTREAM:
-+	case PCI_EXP_TYPE_LEG_END:
-+	case PCI_EXP_TYPE_RC_END:
-+		if (acs_on_multifunction && dev->multifunction)
-+			return 1;
+		case PCI_EXP_TYPE_DOWNSTREAM:
+		case PCI_EXP_TYPE_ROOT_PORT:
+			if (acs_on_downstream)
+				return 1;
+			break;
+		case PCI_EXP_TYPE_ENDPOINT:
+		case PCI_EXP_TYPE_UPSTREAM:
+		case PCI_EXP_TYPE_LEG_END:
+		case PCI_EXP_TYPE_RC_END:
+			if (acs_on_multifunction && dev->multifunction)
+				return 1;
 +	}
 +
 +	return -ENOTTY;
 +}
 +
 /*
-  * Following are device-specific reset methods which can be used to
-  * reset a single function if other methods (e.g. FLR, PM D0->D3) are
-@@ -4536,6 +4637,7 @@ static const struct pci_dev_acs_enabled {
- 	{ 0x10df, 0x720, pci_quirk_mf_endpoint_acs }, /* Emulex Skyhawk-R */
- 	/* Cavium ThunderX */
- 	{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
+  * Decoding should be disabled for a PCI device during BAR sizing to avoid
+  * conflict. But doing so may cause problems on host bridge and perhaps other
+@@ -5091,6 +5191,8 @@ static const struct pci_dev_acs_enabled {
+ 	{ PCI_VENDOR_ID_CAVIUM, 0xA060, pci_quirk_mf_endpoint_acs },
+ 	/* APM X-Gene */
+ 	{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
+	/* Enable overrides for missing ACS capabilities */
 +	{ PCI_ANY_ID, PCI_ANY_ID, pcie_acs_overrides },
- 	{ 0 }
- };
- 
+ 	/* Ampere Computing */
+ 	{ PCI_VENDOR_ID_AMPERE, 0xE005, pci_quirk_xgene_acs },
+ 	{ PCI_VENDOR_ID_AMPERE, 0xE006, pci_quirk_xgene_acs },
@@ -1,63 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Waiman Long <longman@redhat.com>
-Date: Thu, 17 Aug 2017 15:33:09 -0400
-Subject: [PATCH] cgroup: Add mount flag to enable cpuset to use v2 behavior in
- v1 cgroup
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A new mount option "cpuset_v2_mode" is added to the v1 cgroupfs
-filesystem to enable cpuset controller to use v2 behavior in a v1
-cgroup. This mount option applies only to cpuset controller and have
-no effect on other controllers.
-
-Signed-off-by: Waiman Long <longman@redhat.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-(cherry-picked from e1cba4b85daa71b710384d451ff6238d5e4d1ff6)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- include/linux/cgroup-defs.h | 5 +++++
- kernel/cgroup/cgroup-v1.c   | 6 ++++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h
-index 09f4c7df1478..c344e77707a5 100644
--- a/include/linux/cgroup-defs.h
-+++ b/include/linux/cgroup-defs.h
-@@ -74,6 +74,11 @@ enum {
- 	 * aren't writeable from inside the namespace.
- 	 */
- 	CGRP_ROOT_NS_DELEGATE	= (1 << 3),
-+
-+	/*
-+	 * Enable cpuset controller in v1 cgroup to use v2 behavior.
-+	 */
-+	CGRP_ROOT_CPUSET_V2_MODE = (1 << 4),
- };
- 
- /* cftype->flags */
-diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
-index 7bf4b1533f34..ce7426b875f5 100644
--- a/kernel/cgroup/cgroup-v1.c
-+++ b/kernel/cgroup/cgroup-v1.c
-@@ -846,6 +846,8 @@ static int cgroup1_show_options(struct seq_file *seq, struct kernfs_root *kf_roo
- 		seq_puts(seq, ",noprefix");
- 	if (root->flags & CGRP_ROOT_XATTR)
- 		seq_puts(seq, ",xattr");
-+	if (root->flags & CGRP_ROOT_CPUSET_V2_MODE)
-+		seq_puts(seq, ",cpuset_v2_mode");
- 
- 	spin_lock(&release_agent_path_lock);
- 	if (strlen(root->release_agent_path))
-@@ -900,6 +902,10 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
- 			opts->cpuset_clone_children = true;
- 			continue;
- 		}
-+		if (!strcmp(token, "cpuset_v2_mode")) {
-+			opts->flags |= CGRP_ROOT_CPUSET_V2_MODE;
-+			continue;
-+		}
- 		if (!strcmp(token, "xattr")) {
- 			opts->flags |= CGRP_ROOT_XATTR;
- 			continue;
@@ -7,15 +7,16 @@ Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
 virt/kvm/kvm_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 3b3e54742263..d0085c9d6297 100644
+index 5bbb5612b207..691ce10e7647 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
-@@ -77,7 +77,7 @@ module_param(halt_poll_ns, uint, 0644);
+@@ -82,7 +82,7 @@ module_param(halt_poll_ns, uint, 0644);
 EXPORT_SYMBOL_GPL(halt_poll_ns);
 
 /* Default doubles per-vcpu halt_poll_ns. */
@@ -1,138 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Waiman Long <longman@redhat.com>
-Date: Thu, 17 Aug 2017 15:33:10 -0400
-Subject: [PATCH] cpuset: Allow v2 behavior in v1 cgroup
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Cpuset v2 has some useful behaviors that are not present in v1 because
-of backward compatibility concern. One of that is the restoration of
-the original cpu and memory node mask after a hot removal and addition
-event sequence.
-
-This patch makes the cpuset controller to check the
-CGRP_ROOT_CPUSET_V2_MODE flag and use the v2 behavior if it is set.
-
-Signed-off-by: Waiman Long <longman@redhat.com>
-Signed-off-by: Tejun Heo <tj@kernel.org>
-(cherry-picked from b8d1b8ee93df8ffbabbeadd65d39853cfad6d698)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- kernel/cgroup/cpuset.c | 33 ++++++++++++++++++++-------------
- 1 file changed, 20 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
-index e8cb34193433..f76c4bf3d46a 100644
--- a/kernel/cgroup/cpuset.c
-+++ b/kernel/cgroup/cpuset.c
-@@ -300,6 +300,16 @@ static DECLARE_WORK(cpuset_hotplug_work, cpuset_hotplug_workfn);
- static DECLARE_WAIT_QUEUE_HEAD(cpuset_attach_wq);
- 
- /*
-+ * Cgroup v2 behavior is used when on default hierarchy or the
-+ * cgroup_v2_mode flag is set.
-+ */
-+static inline bool is_in_v2_mode(void)
-+{
-+	return cgroup_subsys_on_dfl(cpuset_cgrp_subsys) ||
-+	      (cpuset_cgrp_subsys.root->flags & CGRP_ROOT_CPUSET_V2_MODE);
-+}
-+
-+/*
-  * This is ugly, but preserves the userspace API for existing cpuset
-  * users. If someone tries to mount the "cpuset" filesystem, we
-  * silently switch it to mount "cgroup" instead
-@@ -489,8 +499,7 @@ static int validate_change(struct cpuset *cur, struct cpuset *trial)
- 
- 	/* On legacy hiearchy, we must be a subset of our parent cpuset. */
- 	ret = -EACCES;
-	if (!cgroup_subsys_on_dfl(cpuset_cgrp_subsys) &&
-	    !is_cpuset_subset(trial, par))
-+	if (!is_in_v2_mode() && !is_cpuset_subset(trial, par))
- 		goto out;
- 
- 	/*
-@@ -896,8 +905,7 @@ static void update_cpumasks_hier(struct cpuset *cs, struct cpumask *new_cpus)
- 		 * If it becomes empty, inherit the effective mask of the
- 		 * parent, which is guaranteed to have some CPUs.
- 		 */
-		if (cgroup_subsys_on_dfl(cpuset_cgrp_subsys) &&
-		    cpumask_empty(new_cpus))
-+		if (is_in_v2_mode() && cpumask_empty(new_cpus))
- 			cpumask_copy(new_cpus, parent->effective_cpus);
- 
- 		/* Skip the whole subtree if the cpumask remains the same. */
-@@ -914,7 +922,7 @@ static void update_cpumasks_hier(struct cpuset *cs, struct cpumask *new_cpus)
- 		cpumask_copy(cp->effective_cpus, new_cpus);
- 		spin_unlock_irq(&callback_lock);
- 
-		WARN_ON(!cgroup_subsys_on_dfl(cpuset_cgrp_subsys) &&
-+		WARN_ON(!is_in_v2_mode() &&
- 			!cpumask_equal(cp->cpus_allowed, cp->effective_cpus));
- 
- 		update_tasks_cpumask(cp);
-@@ -1150,8 +1158,7 @@ static void update_nodemasks_hier(struct cpuset *cs, nodemask_t *new_mems)
- 		 * If it becomes empty, inherit the effective mask of the
- 		 * parent, which is guaranteed to have some MEMs.
- 		 */
-		if (cgroup_subsys_on_dfl(cpuset_cgrp_subsys) &&
-		    nodes_empty(*new_mems))
-+		if (is_in_v2_mode() && nodes_empty(*new_mems))
- 			*new_mems = parent->effective_mems;
- 
- 		/* Skip the whole subtree if the nodemask remains the same. */
-@@ -1168,7 +1175,7 @@ static void update_nodemasks_hier(struct cpuset *cs, nodemask_t *new_mems)
- 		cp->effective_mems = *new_mems;
- 		spin_unlock_irq(&callback_lock);
- 
-		WARN_ON(!cgroup_subsys_on_dfl(cpuset_cgrp_subsys) &&
-+		WARN_ON(!is_in_v2_mode() &&
- 			!nodes_equal(cp->mems_allowed, cp->effective_mems));
- 
- 		update_tasks_nodemask(cp);
-@@ -1460,7 +1467,7 @@ static int cpuset_can_attach(struct cgroup_taskset *tset)
- 
- 	/* allow moving tasks into an empty cpuset if on default hierarchy */
- 	ret = -ENOSPC;
-	if (!cgroup_subsys_on_dfl(cpuset_cgrp_subsys) &&
-+	if (!is_in_v2_mode() &&
- 	    (cpumask_empty(cs->cpus_allowed) || nodes_empty(cs->mems_allowed)))
- 		goto out_unlock;
- 
-@@ -1979,7 +1986,7 @@ static int cpuset_css_online(struct cgroup_subsys_state *css)
- 	cpuset_inc();
- 
- 	spin_lock_irq(&callback_lock);
-	if (cgroup_subsys_on_dfl(cpuset_cgrp_subsys)) {
-+	if (is_in_v2_mode()) {
- 		cpumask_copy(cs->effective_cpus, parent->effective_cpus);
- 		cs->effective_mems = parent->effective_mems;
- 	}
-@@ -2056,7 +2063,7 @@ static void cpuset_bind(struct cgroup_subsys_state *root_css)
- 	mutex_lock(&cpuset_mutex);
- 	spin_lock_irq(&callback_lock);
- 
-	if (cgroup_subsys_on_dfl(cpuset_cgrp_subsys)) {
-+	if (is_in_v2_mode()) {
- 		cpumask_copy(top_cpuset.cpus_allowed, cpu_possible_mask);
- 		top_cpuset.mems_allowed = node_possible_map;
- 	} else {
-@@ -2250,7 +2257,7 @@ static void cpuset_hotplug_update_tasks(struct cpuset *cs)
- 	cpus_updated = !cpumask_equal(&new_cpus, cs->effective_cpus);
- 	mems_updated = !nodes_equal(new_mems, cs->effective_mems);
- 
-	if (cgroup_subsys_on_dfl(cpuset_cgrp_subsys))
-+	if (is_in_v2_mode())
- 		hotplug_update_tasks(cs, &new_cpus, &new_mems,
- 				     cpus_updated, mems_updated);
- 	else
-@@ -2288,7 +2295,7 @@ static void cpuset_hotplug_workfn(struct work_struct *work)
- 	static cpumask_t new_cpus;
- 	static nodemask_t new_mems;
- 	bool cpus_updated, mems_updated;
-	bool on_dfl = cgroup_subsys_on_dfl(cpuset_cgrp_subsys);
-+	bool on_dfl = is_in_v2_mode();
- 
- 	mutex_lock(&cpuset_mutex);
- 
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Wed, 7 Oct 2020 17:18:28 +0200
+Subject: [PATCH] net: core: downgrade unregister_netdevice refcount leak from
+ emergency to error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 4811937f572d..8850f9be9044 100644
+--- a/net/core/dev.c
+++ b/net/core/dev.c
+@@ -10355,7 +10355,7 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list)
+ 		if (time_after(jiffies, warning_time +
+ 			       READ_ONCE(netdev_unregister_timeout_secs) * HZ)) {
+ 			list_for_each_entry(dev, list, todo_list) {
+-				pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+				pr_err("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+ 					 dev->name, netdev_refcnt_read(dev));
+ 				ref_tracker_dir_print(&dev->refcnt_tracker, 10);
+ 			}
@@ -1,90 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Parav Pandit <parav@mellanox.com>
-Date: Fri, 5 Jan 2018 23:51:12 +0100
-Subject: [PATCH] IB/core: Avoid crash on pkey enforcement failed in received
- MADs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 89548bcafec7ecfeea58c553f0834b5d575a66eb upstream.
-
-Below kernel crash is observed when Pkey security enforcement fails on
-received MADs. This issue is reported in [1].
-
-ib_free_recv_mad() accesses the rmpp_list, whose initialization is
-needed before accessing it.
-When security enformcent fails on received MADs, MAD processing avoided
-due to security checks failed.
-
-OpenSM[3770]: SM port is down
-kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
-kernel: IP: ib_free_recv_mad+0x44/0xa0 [ib_core]
-kernel: PGD 0
-kernel: P4D 0
-kernel:
-kernel: Oops: 0002 [#1] SMP
-kernel: CPU: 0 PID: 2833 Comm: kworker/0:1H Tainted: P          IO    4.13.4-1-pve #1
-kernel: Hardware name: Dell       XS23-TY3        /9CMP63, BIOS 1.71 09/17/2013
-kernel: Workqueue: ib-comp-wq ib_cq_poll_work [ib_core]
-kernel: task: ffffa069c6541600 task.stack: ffffb9a729054000
-kernel: RIP: 0010:ib_free_recv_mad+0x44/0xa0 [ib_core]
-kernel: RSP: 0018:ffffb9a729057d38 EFLAGS: 00010286
-kernel: RAX: ffffa069cb138a48 RBX: ffffa069cb138a10 RCX: 0000000000000000
-kernel: RDX: ffffb9a729057d38 RSI: 0000000000000000 RDI: ffffa069cb138a20
-kernel: RBP: ffffb9a729057d60 R08: ffffa072d2d49800 R09: ffffa069cb138ae0
-kernel: R10: ffffa069cb138ae0 R11: ffffa072b3994e00 R12: ffffb9a729057d38
-kernel: R13: ffffa069d1c90000 R14: 0000000000000000 R15: ffffa069d1c90880
-kernel: FS:  0000000000000000(0000) GS:ffffa069dba00000(0000) knlGS:0000000000000000
-kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-kernel: CR2: 0000000000000008 CR3: 00000011f51f2000 CR4: 00000000000006f0
-kernel: Call Trace:
-kernel:  ib_mad_recv_done+0x5cc/0xb50 [ib_core]
-kernel:  __ib_process_cq+0x5c/0xb0 [ib_core]
-kernel:  ib_cq_poll_work+0x20/0x60 [ib_core]
-kernel:  process_one_work+0x1e9/0x410
-kernel:  worker_thread+0x4b/0x410
-kernel:  kthread+0x109/0x140
-kernel:  ? process_one_work+0x410/0x410
-kernel:  ? kthread_create_on_node+0x70/0x70
-kernel:  ? SyS_exit_group+0x14/0x20
-kernel:  ret_from_fork+0x25/0x30
-kernel: RIP: ib_free_recv_mad+0x44/0xa0 [ib_core] RSP: ffffb9a729057d38
-kernel: CR2: 0000000000000008
-
-[1] : https://www.spinics.net/lists/linux-rdma/msg56190.html
-
-Fixes: 47a2b338fe63 ("IB/core: Enforce security on management datagrams")
-Signed-off-by: Parav Pandit <parav@mellanox.com>
-Reported-by: Chris Blake <chrisrblake93@gmail.com>
-Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
-Reviewed-by: Hal Rosenstock <hal@mellanox.com>
-Signed-off-by: Doug Ledford <dledford@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- drivers/infiniband/core/mad.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
-index f8f53bb90837..cb91245e9163 100644
--- a/drivers/infiniband/core/mad.c
-+++ b/drivers/infiniband/core/mad.c
-@@ -1974,14 +1974,15 @@ static void ib_mad_complete_recv(struct ib_mad_agent_private *mad_agent_priv,
- 	unsigned long flags;
- 	int ret;
- 
-+	INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);
- 	ret = ib_mad_enforce_security(mad_agent_priv,
- 				      mad_recv_wc->wc->pkey_index);
- 	if (ret) {
- 		ib_free_recv_mad(mad_recv_wc);
- 		deref_mad_agent(mad_agent_priv);
-+		return;
- 	}
- 
-	INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);
- 	list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list);
- 	if (ib_mad_kernel_rmpp_agent(&mad_agent_priv->agent)) {
- 		mad_recv_wc = ib_process_rmpp_recv_wc(mad_agent_priv,
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Tue, 10 Jan 2023 08:52:40 +0100
+Subject: [PATCH] Revert "fortify: Do not cast to "unsigned char""
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit 106b7a61c488d2022f44e3531ce33461c7c0685f.
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ include/linux/fortify-string.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
+index da51a83b2829..9d9e7822eddf 100644
+--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
+@@ -18,7 +18,7 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
+ 
+ #define __compiletime_strlen(p)					\
+ ({								\
+-	char *__p = (char *)(p);				\
+	unsigned char *__p = (unsigned char *)(p);		\
+ 	size_t __ret = SIZE_MAX;				\
+ 	const size_t __p_size = __member_size(p);		\
+ 	if (__p_size != SIZE_MAX &&				\
@@ -1,44 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Daniel Jurgens <danielj@mellanox.com>
-Date: Mon, 20 Nov 2017 16:47:45 -0600
-Subject: [PATCH] IB/core: Don't enforce PKey security on SMI MADs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Per the infiniband spec an SMI MAD can have any PKey. Checking the pkey
-on SMI MADs is not necessary, and it seems that some older adapters
-using the mthca driver don't follow the convention of using the default
-PKey, resulting in false denials, or errors querying the PKey cache.
-
-SMI MAD security is still enforced, only agents allowed to manage the
-subnet are able to receive or send SMI MADs.
-
-Reported-by: Chris Blake <chrisrblake93@gmail.com>
-Fixes: 47a2b338fe63("IB/core: Enforce security on management datagrams")
-Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
-Reviewed-by: Parav Pandit <parav@mellanox.com>
-Signed-off-by: Leon Romanovsky <leon@kernel.org>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- drivers/infiniband/core/security.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c
-index 70ad19c4c73e..8f9fd3b757db 100644
--- a/drivers/infiniband/core/security.c
-+++ b/drivers/infiniband/core/security.c
-@@ -692,8 +692,11 @@ int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index)
- {
- 	int ret;
- 
-	if (map->agent.qp->qp_type == IB_QPT_SMI && !map->agent.smp_allowed)
-		return -EACCES;
-+	if (map->agent.qp->qp_type == IB_QPT_SMI) {
-+		if (!map->agent.smp_allowed)
-+			return -EACCES;
-+		return 0;
-+	}
- 
- 	ret = ib_security_pkey_access(map->agent.device,
- 				      map->agent.port_num,
@@ -0,0 +1,133 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Fri, 14 Jul 2023 18:10:32 +0200
+Subject: [PATCH] kvm: xsave set: mask-out PKRU bit in xfeatures if vCPU has no
+ support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes live-migrations & snapshot-rollback of VMs with a restricted
+CPU type (e.g., qemu64) from our 5.15 based kernel (default Proxmox
+VE 7.4) to the 6.2 (and future newer) of Proxmox VE 8.0.
+
+Previous to ad856280ddea ("x86/kvm/fpu: Limit guest user_xfeatures to
+supported bits of XCR0") the PKRU bit of the host could leak into the
+state from the guest, which caused trouble when migrating between
+hosts with different CPUs, i.e., where the source supported it but
+the target did not, causing a general protection fault when the guest
+tried to use a pkru related instruction after the migration.
+
+But the fix, while welcome, caused a temporary out-of-sync state when
+migrating such a VM from a kernel without the fix to a kernel with
+the fix, as it threw of KVM when the CPUID of the guest and most of
+the state doesn't report XSAVE and thus any xfeatures, but PKRU and
+the related state is set as enabled, causing the vCPU to spin at 100%
+without any progress forever.
+
+The fix could be at two sites, either in QEMU or in the kernel, I
+choose the kernel as we have all the info there for a targeted
+heuristic so that we don't have to adapt QEMU and qemu-server, the
+latter even on both sides.
+
+Still, a short summary of the possible fixes and short drawbacks:
+* on QEMU-side either
+  - clear the PKRU state in the migration saved state would be rather
+    complicated to implement as the vCPU is initialised way before we
+    have the saved xfeature state available to check what we'd need
+    to do, plus the user-space only gets a memory blob from ioctl
+    KVM_GET_XSAVE2 that it passes to KVM_SET_XSAVE ioctl, there are
+    no ABI guarantees, and while the struct seem stable for 5.15 to
+    6.5-rc1, that doesn't has to be for future kernels, so off the
+    table.
+  - enforce that the CPUID reports PKU support even if it normally
+    wouldn't. While this works (tested by hard-coding it as POC) it
+    is a) not really nice and b) needs some interaction from
+    qemu-server to enable this flag as otherwise we have no good info
+    to decide when it's OK to do this, which means we need to adapt
+    both PVE 7 and 8's qemu-server and also pve-qemu, workable but
+    not optimal
+
+* on Kernel/KVM-side we can hook into the set XSAVE ioctl specific to
+  the KVM subsystem, which already reduces chance of regression for
+  all other places. There we have access to the union/struct
+  definitions of the saved state and thus can savely cast to that.
+  We also got access to the vCPU's CPUID capabilities, meaning we can
+  check if the XCR0 (first XSAVE Control Register) reports
+  that it support the PKRU feature, and if it does *NOT* but the
+  saved xfeatures register from XSAVE *DOES* report it, we can safely
+  assume that this combination is due to an migration from an older,
+  leaky kernel – and clear the bit in the xfeature register before
+  restoring it to the guest vCPU KVM state, avoiding the confusing
+  situation that made the vCPU spin at 100%.
+  This should be safe to do, as the guest vCPU CPUID never reported
+  support for the PKRU feature, and it's also a relatively niche and
+  newish feature.
+
+If it gains us something we can drop this patch a bit in the future
+Proxmox VE 9 major release, but we should ensure that VMs that where
+started before PVE 8 cannot be directly live-migrated to the release
+that includes that change; so we should rather only drop it if the
+maintenance burden is high.
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/cpuid.c |  6 ++++++
+ arch/x86/kvm/cpuid.h |  2 ++
+ arch/x86/kvm/x86.c   | 13 +++++++++++++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index 7bdc66abfc92..e2b67975869c 100644
+--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
+@@ -249,6 +249,12 @@ static u64 cpuid_get_supported_xcr0(struct kvm_cpuid_entry2 *entries, int nent)
+ 	return (best->eax | ((u64)best->edx << 32)) & kvm_caps.supported_xcr0;
+ }
+ 
+bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu) {
+	u64 guest_supported_xcr0 = cpuid_get_supported_xcr0(
+	    vcpu->arch.cpuid_entries, vcpu->arch.cpuid_nent);
+	return (guest_supported_xcr0 & XFEATURE_MASK_PKRU) != 0;
+}
+
+ static void __kvm_update_cpuid_runtime(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *entries,
+ 				       int nent)
+ {
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
+index b1658c0de847..12a02851ff57 100644
+--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
+@@ -32,6 +32,8 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+ bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx,
+ 	       u32 *ecx, u32 *edx, bool exact_only);
+ 
+bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu);
+
+ u32 xstate_required_size(u64 xstate_bv, bool compacted);
+ 
+ int cpuid_query_maxphyaddr(struct kvm_vcpu *vcpu);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index a5c8a01f7e7e..632d2d18041a 100644
+--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
+@@ -5426,6 +5426,19 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
+ 	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
+ 		return 0;
+ 
+	if (!vcpu_supports_xsave_pkru(vcpu)) {
+		void *buf = guest_xsave->region;
+		union fpregs_state *ustate = buf;
+		if (ustate->xsave.header.xfeatures & XFEATURE_MASK_PKRU) {
+			printk(
+				KERN_NOTICE "clearing PKRU xfeature bit as vCPU from PID %d"
+				" reports no PKRU support - migration from fpu-leaky kernel?",
+				current->pid
+			);
+			ustate->xsave.header.xfeatures &= ~XFEATURE_MASK_PKRU;
+		}
+	}
+
+ 	return fpu_copy_uabi_to_guest_fpstate(&vcpu->arch.guest_fpu,
+ 					      guest_xsave->region,
+ 					      kvm_caps.supported_xcr0,
@@ -1,53 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 26 Oct 2017 09:13:27 +0200
-Subject: [PATCH] KVM: SVM: obey guest PAT
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-For many years some users of assigned devices have reported worse
-performance on AMD processors with NPT than on AMD without NPT,
-Intel or bare metal.
-
-The reason turned out to be that SVM is discarding the guest PAT
-setting and uses the default (PA0=PA4=WB, PA1=PA5=WT, PA2=PA6=UC-,
-PA3=UC).  The guest might be using a different setting, and
-especially might want write combining but isn't getting it
-(instead getting slow UC or UC- accesses).
-
-Thanks a lot to geoff@hostfission.com for noticing the relation
-to the g_pat setting.  The patch has been tested also by a bunch
-of people on VFIO users forums.
-
-Fixes: 709ddebf81cb40e3c36c6109a7892e8b93a09464
-Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=196409
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Tested-by: Nick Sarnie <commendsarnex@gmail.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
-(cherry picked from commit 15038e14724799b8c205beb5f20f9e54896013c3)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- arch/x86/kvm/svm.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 068084c8e540..da10db3de636 100644
--- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -3666,6 +3666,13 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
- 	u32 ecx = msr->index;
- 	u64 data = msr->data;
- 	switch (ecx) {
-+	case MSR_IA32_CR_PAT:
-+		if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
-+			return 1;
-+		vcpu->arch.pat = data;
-+		svm->vmcb->save.g_pat = data;
-+		mark_dirty(svm->vmcb, VMCB_NPT);
-+		break;
- 	case MSR_IA32_TSC:
- 		kvm_write_tsc(vcpu, msr);
- 		break;
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: kiler129 <grzegorz@noflash.pl>
+Date: Mon, 18 Sep 2023 15:19:26 +0200
+Subject: [PATCH] allow opt-in to allow pass-through on broken hardware..
+
+adapted from https://github.com/kiler129/relax-intel-rmrr , licensed under MIT or GPL 2.0+
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ drivers/iommu/intel/iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index 8faccfdfe500..2b9ef40799a5 100644
+--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
+@@ -298,6 +298,7 @@ static int dmar_map_gfx = 1;
+ static int dmar_map_ipu = 1;
+ static int intel_iommu_superpage = 1;
+ static int iommu_identity_mapping;
+static int intel_relaxable_rmrr = 0;
+ static int iommu_skip_te_disable;
+ 
+ #define IDENTMAP_GFX		2
+@@ -359,6 +360,9 @@ static int __init intel_iommu_setup(char *str)
+ 		} else if (!strncmp(str, "tboot_noforce", 13)) {
+ 			pr_info("Intel-IOMMU: not forcing on after tboot. This could expose security risk for tboot\n");
+ 			intel_iommu_tboot_noforce = 1;
+		} else if (!strncmp(str, "relax_rmrr", 10)) {
+			pr_info("Intel-IOMMU: assuming all RMRRs are relaxable. This can lead to instability or data loss\n");
+			intel_relaxable_rmrr = 1;
+ 		} else {
+ 			pr_notice("Unknown option - '%s'\n", str);
+ 		}
+@@ -2506,7 +2510,7 @@ static bool device_rmrr_is_relaxable(struct device *dev)
+ 		return false;
+ 
+ 	pdev = to_pci_dev(dev);
+-	if (IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
+	if (intel_relaxable_rmrr || IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
+ 		return true;
+ 	else
+ 		return false;
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 18 Oct 2023 12:41:04 -0700
+Subject: [PATCH] KVM: nSVM: Advertise support for flush-by-ASID
+
+Advertise support for FLUSHBYASID when nested SVM is enabled, as KVM can
+always emulate flushing TLB entries for a vmcb12 ASID, e.g. by running L2
+with a new, fresh ASID in vmcb02.  Some modern hypervisors, e.g. VMWare
+Workstation 17, require FLUSHBYASID support and will refuse to run if it's
+not present.
+
+Punt on proper support, as "Honor L1's request to flush an ASID on nested
+VMRUN" is one of the TODO items in the (incomplete) list of issues that
+need to be addressed in order for KVM to NOT do a full TLB flush on every
+nested SVM transition (see nested_svm_transition_tlb_flush()).
+
+Reported-by: Stefan Sterz <s.sterz@proxmox.com>
+Closes: https://lkml.kernel.org/r/b9915c9c-4cf6-051a-2d91-44cc6380f455%40proxmox.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/svm/svm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
+index 99832814341c..e8bb2bfd1ba1 100644
+--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
+@@ -4985,6 +4985,7 @@ static __init void svm_set_cpu_caps(void)
+ 	if (nested) {
+ 		kvm_cpu_cap_set(X86_FEATURE_SVM);
+ 		kvm_cpu_cap_set(X86_FEATURE_VMCBCLEAN);
+		kvm_cpu_cap_set(X86_FEATURE_FLUSHBYASID);
+ 
+ 		if (nrips)
+ 			kvm_cpu_cap_set(X86_FEATURE_NRIPS);
@@ -1,65 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Felix Wilhelm <fwilhelm@google.com>
-Date: Mon, 11 Jun 2018 09:43:44 +0200
-Subject: [PATCH] kvm: nVMX: Enforce cpl=0 for VMX instructions
-
-VMX instructions executed inside a L1 VM will always trigger a VM exit
-even when executed with cpl 3. This means we must perform the
-privilege check in software.
-
-Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks")
-Cc: stable@vger.kernel.org
-Signed-off-by: Felix Wilhelm <fwilhelm@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/vmx.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index 54980817194a..b2d75b59b6e5 100644
--- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -7180,6 +7180,12 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
- 		return 1;
- 	}
- 
-+	/* CPL=0 must be checked manually. */
-+	if (vmx_get_cpl(vcpu)) {
-+		kvm_queue_exception(vcpu, UD_VECTOR);
-+		return 1;
-+	}
-+
- 	if (vmx->nested.vmxon) {
- 		nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
- 		return kvm_skip_emulated_instruction(vcpu);
-@@ -7239,6 +7245,11 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
-  */
- static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
- {
-+	if (vmx_get_cpl(vcpu)) {
-+		kvm_queue_exception(vcpu, UD_VECTOR);
-+		return 0;
-+	}
-+
- 	if (!to_vmx(vcpu)->nested.vmxon) {
- 		kvm_queue_exception(vcpu, UD_VECTOR);
- 		return 0;
-@@ -7577,7 +7588,7 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
- 		if (get_vmx_mem_address(vcpu, exit_qualification,
- 				vmx_instruction_info, true, &gva))
- 			return 1;
-		/* _system ok, as hardware has verified cpl=0 */
-+		/* _system ok, nested_vmx_check_permission has verified cpl=0 */
- 		kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
- 			     &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
- 	}
-@@ -7720,7 +7731,7 @@ static int handle_vmptrst(struct kvm_vcpu *vcpu)
- 	if (get_vmx_mem_address(vcpu, exit_qualification,
- 			vmx_instruction_info, true, &vmcs_gva))
- 		return 1;
-	/* ok to use *_system, as hardware has verified cpl=0 */
-+	/* *_system ok, nested_vmx_check_permission has verified cpl=0 */
- 	if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
- 				 (void *)&to_vmx(vcpu)->nested.current_vmptr,
- 				 sizeof(u64), &e)) {
@@ -1,30 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 19 Jan 2018 11:12:37 +0100
-Subject: [PATCH] net: sched: em_nbyte: don't add the data offset twice
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-'ptr' is shifted by the offset and then validated,
-the memcmp should not add it a second time.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- net/sched/em_nbyte.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/sched/em_nbyte.c b/net/sched/em_nbyte.c
-index df3110d69585..07c10bac06a0 100644
--- a/net/sched/em_nbyte.c
-+++ b/net/sched/em_nbyte.c
-@@ -51,7 +51,7 @@ static int em_nbyte_match(struct sk_buff *skb, struct tcf_ematch *em,
- 	if (!tcf_valid_offset(skb, ptr, nbyte->hdr.len))
- 		return 0;
- 
-	return !memcmp(ptr + nbyte->hdr.off, nbyte->pattern, nbyte->hdr.len);
-+	return !memcmp(ptr, nbyte->pattern, nbyte->hdr.len);
- }
- 
- static struct tcf_ematch_ops em_nbyte_ops = {
@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Mon, 6 Nov 2023 10:17:02 +0100
+Subject: [PATCH] revert "memfd: improve userspace warnings for missing
+ exec-related flags".
+
+This warning is telling userspace developers to pass MFD_EXEC and
+MFD_NOEXEC_SEAL to memfd_create().  Commit 434ed3350f57 ("memfd: improve
+userspace warnings for missing exec-related flags") made the warning more
+frequent and visible in the hope that this would accelerate the fixing of
+errant userspace.
+
+But the overall effect is to generate far too much dmesg noise.
+
+Fixes: 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags")
+Reported-by: Damian Tometzki <dtometzki@fedoraproject.org>
+Closes: https://lkml.kernel.org/r/ZPFzCSIgZ4QuHsSC@fedora.fritz.box
+Cc: Aleksa Sarai <cyphar@cyphar.com>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Daniel Verkamp <dverkamp@chromium.org>
+Cc: Jeff Xu <jeffxu@google.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ (cherry picked from commit 2562d67b1bdf91c7395b0225d60fdeb26b4bc5a0)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ mm/memfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/memfd.c b/mm/memfd.c
+index 2dba2cb6f0d0..1c077e98e116 100644
+--- a/mm/memfd.c
+++ b/mm/memfd.c
+@@ -282,7 +282,7 @@ static int check_sysctl_memfd_noexec(unsigned int *flags)
+ 	}
+ 
+ 	if (!(*flags & MFD_NOEXEC_SEAL) && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) {
+-		pr_err_ratelimited(
+		pr_warn_once(
+ 			"%s[%d]: memfd_create() requires MFD_NOEXEC_SEAL with vm.memfd_noexec=%d\n",
+ 			current->comm, task_pid_nr(current), sysctl);
+ 		return -EACCES;
@@ -0,0 +1,146 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Fri, 27 Oct 2023 16:40:47 -0400
+Subject: [PATCH] drm/amd: Fix UBSAN array-index-out-of-bounds for Powerplay
+ headers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For pptable structs that use flexible array sizes, use flexible arrays.
+
+Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2039926
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry-picked from commit 49afe91370b86566857a3c2c39612cf098110885)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ .../drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h |  4 ++--
+ .../amd/pm/powerplay/hwmgr/vega10_pptable.h   | 24 +++++++++----------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h
+index e0e40b054c08..5ec564dbf339 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h
+@@ -367,7 +367,7 @@ typedef struct _ATOM_Tonga_VCE_State_Record {
+ typedef struct _ATOM_Tonga_VCE_State_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;
+-	ATOM_Tonga_VCE_State_Record entries[1];
+	ATOM_Tonga_VCE_State_Record entries[];
+ } ATOM_Tonga_VCE_State_Table;
+ 
+ typedef struct _ATOM_Tonga_PowerTune_Table {
+@@ -482,7 +482,7 @@ typedef struct _ATOM_Tonga_Hard_Limit_Record {
+ typedef struct _ATOM_Tonga_Hard_Limit_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;
+-	ATOM_Tonga_Hard_Limit_Record entries[1];
+	ATOM_Tonga_Hard_Limit_Record entries[];
+ } ATOM_Tonga_Hard_Limit_Table;
+ 
+ typedef struct _ATOM_Tonga_GPIO_Table {
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_pptable.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_pptable.h
+index 9c479bd9a786..a372abcd01be 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_pptable.h
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_pptable.h
+@@ -129,7 +129,7 @@ typedef struct _ATOM_Vega10_State {
+ typedef struct _ATOM_Vega10_State_Array {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                         /* Number of entries. */
+-	ATOM_Vega10_State states[1];                             /* Dynamically allocate entries. */
+	ATOM_Vega10_State states[];                             /* Dynamically allocate entries. */
+ } ATOM_Vega10_State_Array;
+ 
+ typedef struct _ATOM_Vega10_CLK_Dependency_Record {
+@@ -169,37 +169,37 @@ typedef struct _ATOM_Vega10_GFXCLK_Dependency_Table {
+ typedef struct _ATOM_Vega10_MCLK_Dependency_Table {
+     UCHAR ucRevId;
+     UCHAR ucNumEntries;                                         /* Number of entries. */
+-    ATOM_Vega10_MCLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+    ATOM_Vega10_MCLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_MCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_SOCCLK_Dependency_Table {
+     UCHAR ucRevId;
+     UCHAR ucNumEntries;                                         /* Number of entries. */
+-    ATOM_Vega10_CLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+    ATOM_Vega10_CLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_SOCCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_DCEFCLK_Dependency_Table {
+     UCHAR ucRevId;
+     UCHAR ucNumEntries;                                         /* Number of entries. */
+-    ATOM_Vega10_CLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+    ATOM_Vega10_CLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_DCEFCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_PIXCLK_Dependency_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                         /* Number of entries. */
+-	ATOM_Vega10_CLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+	ATOM_Vega10_CLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_PIXCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_DISPCLK_Dependency_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                         /* Number of entries.*/
+-	ATOM_Vega10_CLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+	ATOM_Vega10_CLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_DISPCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_PHYCLK_Dependency_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                         /* Number of entries. */
+-	ATOM_Vega10_CLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+	ATOM_Vega10_CLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_PHYCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_MM_Dependency_Record {
+@@ -213,7 +213,7 @@ typedef struct _ATOM_Vega10_MM_Dependency_Record {
+ typedef struct _ATOM_Vega10_MM_Dependency_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                         /* Number of entries */
+-	ATOM_Vega10_MM_Dependency_Record entries[1];             /* Dynamically allocate entries */
+	ATOM_Vega10_MM_Dependency_Record entries[];             /* Dynamically allocate entries */
+ } ATOM_Vega10_MM_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_PCIE_Record {
+@@ -225,7 +225,7 @@ typedef struct _ATOM_Vega10_PCIE_Record {
+ typedef struct _ATOM_Vega10_PCIE_Table {
+ 	UCHAR  ucRevId;
+ 	UCHAR  ucNumEntries;                                        /* Number of entries */
+-	ATOM_Vega10_PCIE_Record entries[1];                      /* Dynamically allocate entries. */
+	ATOM_Vega10_PCIE_Record entries[];                      /* Dynamically allocate entries. */
+ } ATOM_Vega10_PCIE_Table;
+ 
+ typedef struct _ATOM_Vega10_Voltage_Lookup_Record {
+@@ -235,7 +235,7 @@ typedef struct _ATOM_Vega10_Voltage_Lookup_Record {
+ typedef struct _ATOM_Vega10_Voltage_Lookup_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                          /* Number of entries */
+-	ATOM_Vega10_Voltage_Lookup_Record entries[1];             /* Dynamically allocate entries */
+	ATOM_Vega10_Voltage_Lookup_Record entries[];             /* Dynamically allocate entries */
+ } ATOM_Vega10_Voltage_Lookup_Table;
+ 
+ typedef struct _ATOM_Vega10_Fan_Table {
+@@ -329,7 +329,7 @@ typedef struct _ATOM_Vega10_VCE_State_Table
+ {
+     UCHAR ucRevId;
+     UCHAR ucNumEntries;
+-    ATOM_Vega10_VCE_State_Record entries[1];
+    ATOM_Vega10_VCE_State_Record entries[];
+ } ATOM_Vega10_VCE_State_Table;
+ 
+ typedef struct _ATOM_Vega10_PowerTune_Table {
+@@ -432,7 +432,7 @@ typedef struct _ATOM_Vega10_Hard_Limit_Table
+ {
+     UCHAR ucRevId;
+     UCHAR ucNumEntries;
+-    ATOM_Vega10_Hard_Limit_Record entries[1];
+    ATOM_Vega10_Hard_Limit_Record entries[];
+ } ATOM_Vega10_Hard_Limit_Table;
+ 
+ typedef struct _Vega10_PPTable_Generic_SubTable_Header
@@ -1,31 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 19 Jan 2018 11:12:38 +0100
-Subject: [PATCH] net: sched: fix TCF_LAYER_LINK case in tcf_get_base_ptr
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-TCF_LAYER_LINK and TCF_LAYER_NETWORK returned the same pointer as
-skb->data points to the network header.
-Use skb_mac_header instead.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- include/net/pkt_cls.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h
-index 537d0a0ad4c4..4450961b1554 100644
--- a/include/net/pkt_cls.h
-+++ b/include/net/pkt_cls.h
-@@ -395,7 +395,7 @@ static inline unsigned char * tcf_get_base_ptr(struct sk_buff *skb, int layer)
- {
- 	switch (layer) {
- 		case TCF_LAYER_LINK:
-			return skb->data;
-+			return skb_mac_header(skb);
- 		case TCF_LAYER_NETWORK:
- 			return skb_network_header(skb);
- 		case TCF_LAYER_TRANSPORT:
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Andrew Honig <ahonig@google.com>
-Date: Wed, 10 Jan 2018 10:12:03 -0800
-Subject: [PATCH] KVM: x86: Add memory barrier on vmcs field lookup
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 75f139aaf896d6fdeec2e468ddfa4b2fe469bf40 upstream.
-
-This adds a memory barrier when performing a lookup into
-the vmcs_field_to_offset_table.  This is related to
-CVE-2017-5753.
-
-Signed-off-by: Andrew Honig <ahonig@google.com>
-Reviewed-by: Jim Mattson <jmattson@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- arch/x86/kvm/vmx.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
-index b2d75b59b6e5..a393186d14b1 100644
--- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -883,8 +883,16 @@ static inline short vmcs_field_to_offset(unsigned long field)
- {
- 	BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
- 
-	if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) ||
-	    vmcs_field_to_offset_table[field] == 0)
-+	if (field >= ARRAY_SIZE(vmcs_field_to_offset_table))
-+		return -ENOENT;
-+
-+	/*
-+	 * FIXME: Mitigation for CVE-2017-5753.  To be replaced with a
-+	 * generic mechanism.
-+	 */
-+	asm("lfence");
-+
-+	if (vmcs_field_to_offset_table[field] == 0)
- 		return -ENOENT;
- 
- 	return vmcs_field_to_offset_table[field];
@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Date: Fri, 15 Dec 2023 16:49:50 +0530
+Subject: [PATCH] ext4: fallback to complex scan if aligned scan doesn't work
+
+Currently in case the goal length is a multiple of stripe size we use
+ext4_mb_scan_aligned() to find the stripe size aligned physical blocks.
+In case we are not able to find any, we again go back to calling
+ext4_mb_choose_next_group() to search for a different suitable block
+group. However, since the linear search always begins from the start,
+most of the times we end up with the same BG and the cycle continues.
+
+With large fliesystems, the CPU can be stuck in this loop for hours
+which can slow down the whole system. Hence, until we figure out a
+better way to continue the search (rather than starting from beginning)
+in ext4_mb_choose_next_group(), lets just fallback to
+ext4_mb_complex_scan_group() in case aligned scan fails, as it is much
+more likely to find the needed blocks.
+
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+---
+ fs/ext4/mballoc.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 2690d47a9ea2..9ff8ea02f79d 100644
+--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
+@@ -2894,14 +2894,19 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac)
+ 			ac->ac_groups_scanned++;
+ 			if (cr == CR_POWER2_ALIGNED)
+ 				ext4_mb_simple_scan_group(ac, &e4b);
+-			else if ((cr == CR_GOAL_LEN_FAST ||
+-				 cr == CR_BEST_AVAIL_LEN) &&
+-				 sbi->s_stripe &&
+-				 !(ac->ac_g_ex.fe_len %
+-				 EXT4_B2C(sbi, sbi->s_stripe)))
+-				ext4_mb_scan_aligned(ac, &e4b);
+-			else
+-				ext4_mb_complex_scan_group(ac, &e4b);
+			else {
+				bool is_stripe_aligned = sbi->s_stripe &&
+					!(ac->ac_g_ex.fe_len %
+					  EXT4_B2C(sbi, sbi->s_stripe));
+
+				if ((cr == CR_GOAL_LEN_FAST ||
+				     cr == CR_BEST_AVAIL_LEN) &&
+				    is_stripe_aligned)
+					ext4_mb_scan_aligned(ac, &e4b);
+
+				if (ac->ac_status == AC_STATUS_CONTINUE)
+					ext4_mb_complex_scan_group(ac, &e4b);
+			}
+ 
+ 			ext4_unlock_group(sb, group);
+ 			ext4_mb_unload_buddy(&e4b);
@@ -1,34 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
-Date: Mon, 16 Oct 2017 12:40:29 -0500
-Subject: [PATCH] EDAC, sb_edac: Fix missing break in switch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add missing break statement in order to prevent the code from falling
-through.
-
-Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
-Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
-Cc: linux-edac <linux-edac@vger.kernel.org>
-Link: http://lkml.kernel.org/r/20171016174029.GA19757@embeddedor.com
-Signed-off-by: Borislav Petkov <bp@suse.de>
-(cherry picked from commit a8e9b186f153a44690ad0363a56716e7077ad28c)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- drivers/edac/sb_edac.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c
-index 5c3e707ff3fc..59af590b660c 100644
--- a/drivers/edac/sb_edac.c
-+++ b/drivers/edac/sb_edac.c
-@@ -2454,6 +2454,7 @@ static int ibridge_mci_bind_devs(struct mem_ctl_info *mci,
- 		case PCI_DEVICE_ID_INTEL_IBRIDGE_IMC_HA0_TA:
- 		case PCI_DEVICE_ID_INTEL_IBRIDGE_IMC_HA1_TA:
- 			pvt->pci_ta = pdev;
-+			break;
- 		case PCI_DEVICE_ID_INTEL_IBRIDGE_IMC_HA0_RAS:
- 		case PCI_DEVICE_ID_INTEL_IBRIDGE_IMC_HA1_RAS:
- 			pvt->pci_ras = pdev;
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stoiko Ivanov <s.ivanov@proxmox.com>
+Date: Wed, 3 Apr 2024 10:29:59 +0200
+Subject: [PATCH] Revert "cifs: fix flushing folio regression for 6.1 backport"
+
+This reverts commit 2dc07a11e269bfbe5589e99b60cdbae0118be979.
+---
+ fs/smb/client/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c
+index 55a6d0296ec82..82313b2534631 100644
+--- a/fs/smb/client/cifsfs.c
+++ b/fs/smb/client/cifsfs.c
+@@ -1245,7 +1245,7 @@ static int cifs_flush_folio(struct inode *inode, loff_t pos, loff_t *_fstart, lo
+ 	int rc = 0;
+ 
+ 	folio = filemap_get_folio(inode->i_mapping, index);
+-	if (!folio)
+	if (IS_ERR(folio))
+ 		return 0;
+ 
+ 	size = folio_size(folio);
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stoiko Ivanov <s.ivanov@proxmox.com>
+Date: Thu, 4 Apr 2024 11:41:15 +0200
+Subject: [PATCH] Revert "thermal: trip: Drop lockdep assertion from
+ thermal_zone_trip_id()"
+
+This reverts commit c723c4fca6d2db3815623ff4dc0ea51667b56b89.
+---
+ drivers/thermal/thermal_trip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/thermal/thermal_trip.c b/drivers/thermal/thermal_trip.c
+index 68bea8706c597..1d4fe63e09f77 100644
+--- a/drivers/thermal/thermal_trip.c
+++ b/drivers/thermal/thermal_trip.c
+@@ -201,6 +201,8 @@ int thermal_zone_trip_id(struct thermal_zone_device *tz,
+ {
+ 	int i;
+ 
+	lockdep_assert_held(&tz->lock);
+
+ 	for (i = 0; i < tz->num_trips; i++) {
+ 		if (&tz->trips[i] == trip)
+ 			return i;
@@ -0,0 +1,343 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stoiko Ivanov <s.ivanov@proxmox.com>
+Date: Thu, 4 Apr 2024 11:41:17 +0200
+Subject: [PATCH] Revert "thermal: core: Store trip pointer in struct
+ thermal_instance"
+
+This reverts commit 643b451957369f28b7770af387d14d4e4712074b.
+---
+ drivers/thermal/gov_bang_bang.c       | 23 +++++++++++++++--------
+ drivers/thermal/gov_fair_share.c      |  5 ++---
+ drivers/thermal/gov_power_allocator.c | 11 +++--------
+ drivers/thermal/gov_step_wise.c       | 16 +++++++++-------
+ drivers/thermal/thermal_core.c        | 15 +++++----------
+ drivers/thermal/thermal_core.h        |  4 +---
+ drivers/thermal/thermal_helpers.c     |  5 +----
+ drivers/thermal/thermal_sysfs.c       |  3 +--
+ drivers/thermal/thermal_trip.c        | 15 ---------------
+ 9 files changed, 37 insertions(+), 60 deletions(-)
+
+diff --git a/drivers/thermal/gov_bang_bang.c b/drivers/thermal/gov_bang_bang.c
+index 49cdfaa3a9279..1b121066521ff 100644
+--- a/drivers/thermal/gov_bang_bang.c
+++ b/drivers/thermal/gov_bang_bang.c
+@@ -13,21 +13,28 @@
+ 
+ #include "thermal_core.h"
+ 
+-static int thermal_zone_trip_update(struct thermal_zone_device *tz, int trip_index)
+static int thermal_zone_trip_update(struct thermal_zone_device *tz, int trip_id)
+ {
+-	const struct thermal_trip *trip = &tz->trips[trip_index];
+	struct thermal_trip trip;
+ 	struct thermal_instance *instance;
+	int ret;
+
+	ret = __thermal_zone_get_trip(tz, trip_id, &trip);
+	if (ret) {
+		pr_warn_once("Failed to retrieve trip point %d\n", trip_id);
+		return ret;
+	}
+ 
+-	if (!trip->hysteresis)
+	if (!trip.hysteresis)
+ 		dev_info_once(&tz->device,
+ 			      "Zero hysteresis value for thermal zone %s\n", tz->type);
+ 
+ 	dev_dbg(&tz->device, "Trip%d[temp=%d]:temp=%d:hyst=%d\n",
+-				trip_index, trip->temperature, tz->temperature,
+-				trip->hysteresis);
+				trip_id, trip.temperature, tz->temperature,
+				trip.hysteresis);
+ 
+ 	list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+-		if (instance->trip != trip)
+		if (instance->trip != trip_id)
+ 			continue;
+ 
+ 		/* in case fan is in initial state, switch the fan off */
+@@ -45,10 +52,10 @@ static int thermal_zone_trip_update(struct thermal_zone_device *tz, int trip_ind
+ 		 * enable fan when temperature exceeds trip_temp and disable
+ 		 * the fan in case it falls below trip_temp minus hysteresis
+ 		 */
+-		if (instance->target == 0 && tz->temperature >= trip->temperature)
+		if (instance->target == 0 && tz->temperature >= trip.temperature)
+ 			instance->target = 1;
+ 		else if (instance->target == 1 &&
+-			 tz->temperature <= trip->temperature - trip->hysteresis)
+			 tz->temperature <= trip.temperature - trip.hysteresis)
+ 			instance->target = 0;
+ 
+ 		dev_dbg(&instance->cdev->device, "target=%d\n",
+diff --git a/drivers/thermal/gov_fair_share.c b/drivers/thermal/gov_fair_share.c
+index 2abeb8979f500..03c2daeb6ee8b 100644
+--- a/drivers/thermal/gov_fair_share.c
+++ b/drivers/thermal/gov_fair_share.c
+@@ -49,7 +49,7 @@ static long get_target_state(struct thermal_zone_device *tz,
+ /**
+  * fair_share_throttle - throttles devices associated with the given zone
+  * @tz: thermal_zone_device
+- * @trip_index: trip point index
+ * @trip: trip point index
+  *
+  * Throttling Logic: This uses three parameters to calculate the new
+  * throttle state of the cooling devices associated with the given zone.
+@@ -65,9 +65,8 @@ static long get_target_state(struct thermal_zone_device *tz,
+  *	(Heavily assumes the trip points are in ascending order)
+  * new_state of cooling device = P3 * P2 * P1
+  */
+-static int fair_share_throttle(struct thermal_zone_device *tz, int trip_index)
+static int fair_share_throttle(struct thermal_zone_device *tz, int trip)
+ {
+-	const struct thermal_trip *trip = &tz->trips[trip_index];
+ 	struct thermal_instance *instance;
+ 	int total_weight = 0;
+ 	int total_instance = 0;
+diff --git a/drivers/thermal/gov_power_allocator.c b/drivers/thermal/gov_power_allocator.c
+index fc969642f70b7..fb311339bd08f 100644
+--- a/drivers/thermal/gov_power_allocator.c
+++ b/drivers/thermal/gov_power_allocator.c
+@@ -90,14 +90,12 @@ static u32 estimate_sustainable_power(struct thermal_zone_device *tz)
+ 	u32 sustainable_power = 0;
+ 	struct thermal_instance *instance;
+ 	struct power_allocator_params *params = tz->governor_data;
+-	const struct thermal_trip *trip_max_desired_temperature =
+-			&tz->trips[params->trip_max_desired_temperature];
+ 
+ 	list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+ 		struct thermal_cooling_device *cdev = instance->cdev;
+ 		u32 min_power;
+ 
+-		if (instance->trip != trip_max_desired_temperature)
+		if (instance->trip != params->trip_max_desired_temperature)
+ 			continue;
+ 
+ 		if (!cdev_is_power_actor(cdev))
+@@ -385,13 +383,12 @@ static int allocate_power(struct thermal_zone_device *tz,
+ {
+ 	struct thermal_instance *instance;
+ 	struct power_allocator_params *params = tz->governor_data;
+-	const struct thermal_trip *trip_max_desired_temperature =
+-			&tz->trips[params->trip_max_desired_temperature];
+ 	u32 *req_power, *max_power, *granted_power, *extra_actor_power;
+ 	u32 *weighted_req_power;
+ 	u32 total_req_power, max_allocatable_power, total_weighted_req_power;
+ 	u32 total_granted_power, power_range;
+ 	int i, num_actors, total_weight, ret = 0;
+	int trip_max_desired_temperature = params->trip_max_desired_temperature;
+ 
+ 	num_actors = 0;
+ 	total_weight = 0;
+@@ -567,14 +564,12 @@ static void allow_maximum_power(struct thermal_zone_device *tz, bool update)
+ {
+ 	struct thermal_instance *instance;
+ 	struct power_allocator_params *params = tz->governor_data;
+-	const struct thermal_trip *trip_max_desired_temperature =
+-			&tz->trips[params->trip_max_desired_temperature];
+ 	u32 req_power;
+ 
+ 	list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+ 		struct thermal_cooling_device *cdev = instance->cdev;
+ 
+-		if ((instance->trip != trip_max_desired_temperature) ||
+		if ((instance->trip != params->trip_max_desired_temperature) ||
+ 		    (!cdev_is_power_actor(instance->cdev)))
+ 			continue;
+ 
+diff --git a/drivers/thermal/gov_step_wise.c b/drivers/thermal/gov_step_wise.c
+index 849dc1ec8d27c..1050fb4d94c2d 100644
+--- a/drivers/thermal/gov_step_wise.c
+++ b/drivers/thermal/gov_step_wise.c
+@@ -81,24 +81,26 @@ static void update_passive_instance(struct thermal_zone_device *tz,
+ 
+ static void thermal_zone_trip_update(struct thermal_zone_device *tz, int trip_id)
+ {
+-	const struct thermal_trip *trip = &tz->trips[trip_id];
+ 	enum thermal_trend trend;
+ 	struct thermal_instance *instance;
+	struct thermal_trip trip;
+ 	bool throttle = false;
+ 	int old_target;
+ 
+	__thermal_zone_get_trip(tz, trip_id, &trip);
+
+ 	trend = get_tz_trend(tz, trip_id);
+ 
+-	if (tz->temperature >= trip->temperature) {
+	if (tz->temperature >= trip.temperature) {
+ 		throttle = true;
+-		trace_thermal_zone_trip(tz, trip_id, trip->type);
+		trace_thermal_zone_trip(tz, trip_id, trip.type);
+ 	}
+ 
+ 	dev_dbg(&tz->device, "Trip%d[type=%d,temp=%d]:trend=%d,throttle=%d\n",
+-		trip_id, trip->type, trip->temperature, trend, throttle);
+				trip_id, trip.type, trip.temperature, trend, throttle);
+ 
+ 	list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+-		if (instance->trip != trip)
+		if (instance->trip != trip_id)
+ 			continue;
+ 
+ 		old_target = instance->target;
+@@ -112,11 +114,11 @@ static void thermal_zone_trip_update(struct thermal_zone_device *tz, int trip_id
+ 		/* Activate a passive thermal instance */
+ 		if (old_target == THERMAL_NO_TARGET &&
+ 			instance->target != THERMAL_NO_TARGET)
+-			update_passive_instance(tz, trip->type, 1);
+			update_passive_instance(tz, trip.type, 1);
+ 		/* Deactivate a passive thermal instance */
+ 		else if (old_target != THERMAL_NO_TARGET &&
+ 			instance->target == THERMAL_NO_TARGET)
+-			update_passive_instance(tz, trip->type, -1);
+			update_passive_instance(tz, trip.type, -1);
+ 
+ 		instance->initialized = true;
+ 		mutex_lock(&instance->cdev->lock);
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index c066c09555667..69cff5fc32156 100644
+--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
+@@ -582,7 +582,7 @@ struct thermal_zone_device *thermal_zone_get_by_id(int id)
+ /**
+  * thermal_zone_bind_cooling_device() - bind a cooling device to a thermal zone
+  * @tz:		pointer to struct thermal_zone_device
+- * @trip_index:	indicates which trip point the cooling devices is
+ * @trip:	indicates which trip point the cooling devices is
+  *		associated with in this thermal zone.
+  * @cdev:	pointer to struct thermal_cooling_device
+  * @upper:	the Maximum cooling state for this trip point.
+@@ -602,7 +602,7 @@ struct thermal_zone_device *thermal_zone_get_by_id(int id)
+  * Return: 0 on success, the proper error value otherwise.
+  */
+ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz,
+-				     int trip_index,
+				     int trip,
+ 				     struct thermal_cooling_device *cdev,
+ 				     unsigned long upper, unsigned long lower,
+ 				     unsigned int weight)
+@@ -611,15 +611,12 @@ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz,
+ 	struct thermal_instance *pos;
+ 	struct thermal_zone_device *pos1;
+ 	struct thermal_cooling_device *pos2;
+-	const struct thermal_trip *trip;
+ 	bool upper_no_limit;
+ 	int result;
+ 
+-	if (trip_index >= tz->num_trips || trip_index < 0)
+	if (trip >= tz->num_trips || trip < 0)
+ 		return -EINVAL;
+ 
+-	trip = &tz->trips[trip_index];
+-
+ 	list_for_each_entry(pos1, &thermal_tz_list, node) {
+ 		if (pos1 == tz)
+ 			break;
+@@ -724,7 +721,7 @@ EXPORT_SYMBOL_GPL(thermal_zone_bind_cooling_device);
+  * thermal_zone_unbind_cooling_device() - unbind a cooling device from a
+  *					  thermal zone.
+  * @tz:		pointer to a struct thermal_zone_device.
+- * @trip_index:	indicates which trip point the cooling devices is
+ * @trip:	indicates which trip point the cooling devices is
+  *		associated with in this thermal zone.
+  * @cdev:	pointer to a struct thermal_cooling_device.
+  *
+@@ -735,15 +732,13 @@ EXPORT_SYMBOL_GPL(thermal_zone_bind_cooling_device);
+  * Return: 0 on success, the proper error value otherwise.
+  */
+ int thermal_zone_unbind_cooling_device(struct thermal_zone_device *tz,
+-				       int trip_index,
+				       int trip,
+ 				       struct thermal_cooling_device *cdev)
+ {
+ 	struct thermal_instance *pos, *next;
+-	const struct thermal_trip *trip;
+ 
+ 	mutex_lock(&tz->lock);
+ 	mutex_lock(&cdev->lock);
+-	trip = &tz->trips[trip_index];
+ 	list_for_each_entry_safe(pos, next, &tz->thermal_instances, tz_node) {
+ 		if (pos->tz == tz && pos->trip == trip && pos->cdev == cdev) {
+ 			list_del(&pos->tz_node);
+diff --git a/drivers/thermal/thermal_core.h b/drivers/thermal/thermal_core.h
+index a33b389bbcfe8..17c1bbed734d3 100644
+--- a/drivers/thermal/thermal_core.h
+++ b/drivers/thermal/thermal_core.h
+@@ -91,7 +91,7 @@ struct thermal_instance {
+ 	char name[THERMAL_NAME_LENGTH];
+ 	struct thermal_zone_device *tz;
+ 	struct thermal_cooling_device *cdev;
+-	const struct thermal_trip *trip;
+	int trip;
+ 	bool initialized;
+ 	unsigned long upper;	/* Highest cooling state for this trip point */
+ 	unsigned long lower;	/* Lowest cooling state for this trip point */
+@@ -123,8 +123,6 @@ void __thermal_zone_device_update(struct thermal_zone_device *tz,
+ void __thermal_zone_set_trips(struct thermal_zone_device *tz);
+ int __thermal_zone_get_trip(struct thermal_zone_device *tz, int trip_id,
+ 			    struct thermal_trip *trip);
+-int thermal_zone_trip_id(struct thermal_zone_device *tz,
+-			 const struct thermal_trip *trip);
+ int __thermal_zone_get_temp(struct thermal_zone_device *tz, int *temp);
+ 
+ /* sysfs I/F */
+diff --git a/drivers/thermal/thermal_helpers.c b/drivers/thermal/thermal_helpers.c
+index 421ed301541e1..cfba0965a22da 100644
+--- a/drivers/thermal/thermal_helpers.c
+++ b/drivers/thermal/thermal_helpers.c
+@@ -41,17 +41,14 @@ int get_tz_trend(struct thermal_zone_device *tz, int trip)
+ 
+ struct thermal_instance *
+ get_thermal_instance(struct thermal_zone_device *tz,
+-		     struct thermal_cooling_device *cdev, int trip_index)
+		     struct thermal_cooling_device *cdev, int trip)
+ {
+ 	struct thermal_instance *pos = NULL;
+ 	struct thermal_instance *target_instance = NULL;
+-	const struct thermal_trip *trip;
+ 
+ 	mutex_lock(&tz->lock);
+ 	mutex_lock(&cdev->lock);
+ 
+-	trip = &tz->trips[trip_index];
+-
+ 	list_for_each_entry(pos, &tz->thermal_instances, tz_node) {
+ 		if (pos->tz == tz && pos->trip == trip && pos->cdev == cdev) {
+ 			target_instance = pos;
+diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c
+index eef40d4f30639..4e6a97db894e9 100644
+--- a/drivers/thermal/thermal_sysfs.c
+++ b/drivers/thermal/thermal_sysfs.c
+@@ -943,8 +943,7 @@ trip_point_show(struct device *dev, struct device_attribute *attr, char *buf)
+ 	instance =
+ 	    container_of(attr, struct thermal_instance, attr);
+ 
+-	return sprintf(buf, "%d\n",
+-		       thermal_zone_trip_id(instance->tz, instance->trip));
+	return sprintf(buf, "%d\n", instance->trip);
+ }
+ 
+ ssize_t
+diff --git a/drivers/thermal/thermal_trip.c b/drivers/thermal/thermal_trip.c
+index 1d4fe63e09f77..21736e02fa360 100644
+--- a/drivers/thermal/thermal_trip.c
+++ b/drivers/thermal/thermal_trip.c
+@@ -195,18 +195,3 @@ int thermal_zone_set_trip(struct thermal_zone_device *tz, int trip_id,
+ 
+ 	return 0;
+ }
+-
+-int thermal_zone_trip_id(struct thermal_zone_device *tz,
+-			 const struct thermal_trip *trip)
+-{
+-	int i;
+-
+-	lockdep_assert_held(&tz->lock);
+-
+-	for (i = 0; i < tz->num_trips; i++) {
+-		if (&tz->trips[i] == trip)
+-			return i;
+-	}
+-
+-	return -ENODATA;
+-}
@@ -1,49 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Omar Sandoval <osandov@fb.com>
-Date: Tue, 5 Dec 2017 23:15:31 -0800
-Subject: [PATCH] sched/wait: Fix add_wait_queue() behavioral change
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The following cleanup commit:
-
-  50816c48997a ("sched/wait: Standardize internal naming of wait-queue entries")
-
-... unintentionally changed the behavior of add_wait_queue() from
-inserting the wait entry at the head of the wait queue to the tail
-of the wait queue.
-
-Beyond a negative performance impact this change in behavior
-theoretically also breaks wait queues which mix exclusive and
-non-exclusive waiters, as non-exclusive waiters will not be
-woken up if they are queued behind enough exclusive waiters.
-
-Signed-off-by: Omar Sandoval <osandov@fb.com>
-Reviewed-by: Jens Axboe <axboe@kernel.dk>
-Acked-by: Peter Zijlstra <peterz@infradead.org>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: kernel-team@fb.com
-Fixes: ("sched/wait: Standardize internal naming of wait-queue entries")
-Link: http://lkml.kernel.org/r/a16c8ccffd39bd08fdaa45a5192294c784b803a7.1512544324.git.osandov@fb.com
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-(cherry picked from commit c6b9d9a33029014446bd9ed84c1688f6d3d4eab9)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- kernel/sched/wait.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/sched/wait.c b/kernel/sched/wait.c
-index d6afed6d0752..c09ebe92a40a 100644
--- a/kernel/sched/wait.c
-+++ b/kernel/sched/wait.c
-@@ -27,7 +27,7 @@ void add_wait_queue(struct wait_queue_head *wq_head, struct wait_queue_entry *wq
- 
- 	wq_entry->flags &= ~WQ_FLAG_EXCLUSIVE;
- 	spin_lock_irqsave(&wq_head->lock, flags);
-	__add_wait_queue_entry_tail(wq_head, wq_entry);
-+	__add_wait_queue(wq_head, wq_entry);
- 	spin_unlock_irqrestore(&wq_head->lock, flags);
- }
- EXPORT_SYMBOL(add_wait_queue);
@@ -1,161 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Andi Kleen <ak@linux.intel.com>
-Date: Thu, 25 Jan 2018 15:50:28 -0800
-Subject: [PATCH] module/retpoline: Warn about missing retpoline in module
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There's a risk that a kernel which has full retpoline mitigations becomes
-vulnerable when a module gets loaded that hasn't been compiled with the
-right compiler or the right option.
-
-To enable detection of that mismatch at module load time, add a module info
-string "retpoline" at build time when the module was compiled with
-retpoline support. This only covers compiled C source, but assembler source
-or prebuilt object files are not checked.
-
-If a retpoline enabled kernel detects a non retpoline protected module at
-load time, print a warning and report it in the sysfs vulnerability file.
-
-[ tglx: Massaged changelog ]
-
-Signed-off-by: Andi Kleen <ak@linux.intel.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: David Woodhouse <dwmw2@infradead.org>
-Cc: gregkh@linuxfoundation.org
-Cc: torvalds@linux-foundation.org
-Cc: jeyu@kernel.org
-Cc: arjan@linux.intel.com
-Link: https://lkml.kernel.org/r/20180125235028.31211-1-andi@firstfloor.org
-(backported from commit caf7501a1b4ec964190f31f9c3f163de252273b8)
-Conflicts:
-	arch/x86/kernel/cpu/bugs.c
-context changes
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- arch/x86/kernel/cpu/bugs.c | 18 +++++++++++++++++-
- include/linux/module.h     |  9 +++++++++
- kernel/module.c            | 11 +++++++++++
- scripts/mod/modpost.c      |  9 +++++++++
- 4 files changed, 46 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 7e5db5aa37f3..b5bcdf7e94d7 100644
--- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -11,6 +11,7 @@
- #include <linux/utsname.h>
- #include <linux/cpu.h>
- #include <linux/smp.h>
-+#include <linux/module.h>
- #include <linux/nospec.h>
- #include <linux/prctl.h>
- 
-@@ -131,6 +132,19 @@ static const char *spectre_v2_strings[] = {
- 
- static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
- 	SPECTRE_V2_NONE;
-+static bool spectre_v2_bad_module;
-+
-+#ifdef RETPOLINE
-+bool retpoline_module_ok(bool has_retpoline)
-+{
-+	if (spectre_v2_enabled == SPECTRE_V2_NONE || has_retpoline)
-+		return true;
-+
-+	pr_err("System may be vunerable to spectre v2\n");
-+	spectre_v2_bad_module = true;
-+	return false;
-+}
-+#endif
- 
- void
- x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
-@@ -627,7 +641,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
- 			return sprintf(buf, "Mitigation: OSB (observable speculation barrier, Intel v6)\n");
- 
- 	case X86_BUG_SPECTRE_V2:
-		return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled], ibpb_inuse ? ", IBPB (Intel v4)" : "");
-+		return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
-+		               ibpb_inuse ? ",IBPB (Intel v4)" : "",
-+		               spectre_v2_bad_module ? " - vulnerable module loaded" : "");
- 
- 	case X86_BUG_SPEC_STORE_BYPASS:
- 		return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
-diff --git a/include/linux/module.h b/include/linux/module.h
-index e7bdd549e527..c4fdf7661f82 100644
--- a/include/linux/module.h
-+++ b/include/linux/module.h
-@@ -794,6 +794,15 @@ static inline void module_bug_finalize(const Elf_Ehdr *hdr,
- static inline void module_bug_cleanup(struct module *mod) {}
- #endif	/* CONFIG_GENERIC_BUG */
- 
-+#ifdef RETPOLINE
-+extern bool retpoline_module_ok(bool has_retpoline);
-+#else
-+static inline bool retpoline_module_ok(bool has_retpoline)
-+{
-+	return true;
-+}
-+#endif
-+
- #ifdef CONFIG_MODULE_SIG
- static inline bool module_sig_ok(struct module *module)
- {
-diff --git a/kernel/module.c b/kernel/module.c
-index 41b97a191a72..1c3fd6f767b4 100644
--- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -2855,6 +2855,15 @@ static int check_modinfo_livepatch(struct module *mod, struct load_info *info)
- }
- #endif /* CONFIG_LIVEPATCH */
- 
-+static void check_modinfo_retpoline(struct module *mod, struct load_info *info)
-+{
-+	if (retpoline_module_ok(get_modinfo(info, "retpoline")))
-+		return;
-+
-+	pr_warn("%s: loading module not compiled with retpoline compiler.\n",
-+		mod->name);
-+}
-+
- /* Sets info->hdr and info->len. */
- static int copy_module_from_user(const void __user *umod, unsigned long len,
- 				  struct load_info *info)
-@@ -3021,6 +3030,8 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
- 		add_taint_module(mod, TAINT_OOT_MODULE, LOCKDEP_STILL_OK);
- 	}
- 
-+	check_modinfo_retpoline(mod, info);
-+
- 	if (get_modinfo(info, "staging")) {
- 		add_taint_module(mod, TAINT_CRAP, LOCKDEP_STILL_OK);
- 		pr_warn("%s: module is from the staging directory, the quality "
-diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
-index 48397feb08fb..cc91f81ac33e 100644
--- a/scripts/mod/modpost.c
-+++ b/scripts/mod/modpost.c
-@@ -2147,6 +2147,14 @@ static void add_intree_flag(struct buffer *b, int is_intree)
- 		buf_printf(b, "\nMODULE_INFO(intree, \"Y\");\n");
- }
- 
-+/* Cannot check for assembler */
-+static void add_retpoline(struct buffer *b)
-+{
-+	buf_printf(b, "\n#ifdef RETPOLINE\n");
-+	buf_printf(b, "MODULE_INFO(retpoline, \"Y\");\n");
-+	buf_printf(b, "#endif\n");
-+}
-+
- static void add_staging_flag(struct buffer *b, const char *name)
- {
- 	static const char *staging_dir = "drivers/staging";
-@@ -2492,6 +2500,7 @@ int main(int argc, char **argv)
- 
- 		add_header(&buf, mod);
- 		add_intree_flag(&buf, !external_module);
-+		add_retpoline(&buf);
- 		add_staging_flag(&buf, mod->name);
- 		err |= add_versions(&buf, mod);
- 		add_depends(&buf, mod, modules);
@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Date: Wed, 3 Apr 2024 15:21:58 +0200
+Subject: [PATCH] net: usb: ax88179_178a: avoid the interface always configured
+ as random address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+After the commit d2689b6a86b9 ("net: usb: ax88179_178a: avoid two
+consecutive device resets"), reset is not executed from bind operation and
+mac address is not read from the device registers or the devicetree at that
+moment. Since the check to configure if the assigned mac address is random
+or not for the interface, happens after the bind operation from
+usbnet_probe, the interface keeps configured as random address, although the
+address is correctly read and set during open operation (the only reset
+now).
+
+In order to keep only one reset for the device and to avoid the interface
+always configured as random address, after reset, configure correctly the
+suitable field from the driver, if the mac address is read successfully from
+the device registers or the devicetree. Take into account if a locally
+administered address (random) was previously stored.
+
+cc: stable@vger.kernel.org # 6.6+
+Fixes: d2689b6a86b9 ("net: usb: ax88179_178a: avoid two consecutive device resets")
+Reported-by: Dave Stevenson  <dave.stevenson@raspberrypi.com>
+Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240403132158.344838-1-jtornosm@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 2e91bb99b9d4f756e92e83c4453f894dda220f09)
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ drivers/net/usb/ax88179_178a.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index d837c1887416..e0e9b4c53cb0 100644
+--- a/drivers/net/usb/ax88179_178a.c
+++ b/drivers/net/usb/ax88179_178a.c
+@@ -1273,6 +1273,8 @@ static void ax88179_get_mac_addr(struct usbnet *dev)
+ 
+ 	if (is_valid_ether_addr(mac)) {
+ 		eth_hw_addr_set(dev->net, mac);
+		if (!is_local_ether_addr(mac))
+			dev->net->addr_assign_type = NET_ADDR_PERM;
+ 	} else {
+ 		netdev_info(dev->net, "invalid MAC address, using random\n");
+ 		eth_hw_addr_random(dev->net);
@@ -1,124 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Dan Streetman <ddstreet@ieee.org>
-Date: Thu, 18 Jan 2018 16:14:26 -0500
-Subject: [PATCH] net: tcp: close sock if net namespace is exiting
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When a tcp socket is closed, if it detects that its net namespace is
-exiting, close immediately and do not wait for FIN sequence.
-
-For normal sockets, a reference is taken to their net namespace, so it will
-never exit while the socket is open.  However, kernel sockets do not take a
-reference to their net namespace, so it may begin exiting while the kernel
-socket is still open.  In this case if the kernel socket is a tcp socket,
-it will stay open trying to complete its close sequence.  The sock's dst(s)
-hold a reference to their interface, which are all transferred to the
-namespace's loopback interface when the real interfaces are taken down.
-When the namespace tries to take down its loopback interface, it hangs
-waiting for all references to the loopback interface to release, which
-results in messages like:
-
-unregister_netdevice: waiting for lo to become free. Usage count = 1
-
-These messages continue until the socket finally times out and closes.
-Since the net namespace cleanup holds the net_mutex while calling its
-registered pernet callbacks, any new net namespace initialization is
-blocked until the current net namespace finishes exiting.
-
-After this change, the tcp socket notices the exiting net namespace, and
-closes immediately, releasing its dst(s) and their reference to the
-loopback interface, which lets the net namespace continue exiting.
-
-Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1711407
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=97811
-Signed-off-by: Dan Streetman <ddstreet@canonical.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- include/net/net_namespace.h | 10 ++++++++++
- net/ipv4/tcp.c              |  3 +++
- net/ipv4/tcp_timer.c        | 15 +++++++++++++++
- 3 files changed, 28 insertions(+)
-
-diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
-index 1c401bd4c2e0..a5d023fa78db 100644
--- a/include/net/net_namespace.h
-+++ b/include/net/net_namespace.h
-@@ -221,6 +221,11 @@ int net_eq(const struct net *net1, const struct net *net2)
- 	return net1 == net2;
- }
- 
-+static inline int check_net(const struct net *net)
-+{
-+	return atomic_read(&net->count) != 0;
-+}
-+
- void net_drop_ns(void *);
- 
- #else
-@@ -245,6 +250,11 @@ int net_eq(const struct net *net1, const struct net *net2)
- 	return 1;
- }
- 
-+static inline int check_net(const struct net *net)
-+{
-+	return 1;
-+}
-+
- #define net_drop_ns NULL
- #endif
- 
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index a3e91b552edc..fd2a086da910 100644
--- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -2258,6 +2258,9 @@ void tcp_close(struct sock *sk, long timeout)
- 			tcp_send_active_reset(sk, GFP_ATOMIC);
- 			__NET_INC_STATS(sock_net(sk),
- 					LINUX_MIB_TCPABORTONMEMORY);
-+		} else if (!check_net(sock_net(sk))) {
-+			/* Not possible to send reset; just close */
-+			tcp_set_state(sk, TCP_CLOSE);
- 		}
- 	}
- 
-diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
-index e906014890b6..ec1e5de41653 100644
--- a/net/ipv4/tcp_timer.c
-+++ b/net/ipv4/tcp_timer.c
-@@ -50,11 +50,19 @@ static void tcp_write_err(struct sock *sk)
-  *  to prevent DoS attacks. It is called when a retransmission timeout
-  *  or zero probe timeout occurs on orphaned socket.
-  *
-+ *  Also close if our net namespace is exiting; in that case there is no
-+ *  hope of ever communicating again since all netns interfaces are already
-+ *  down (or about to be down), and we need to release our dst references,
-+ *  which have been moved to the netns loopback interface, so the namespace
-+ *  can finish exiting.  This condition is only possible if we are a kernel
-+ *  socket, as those do not hold references to the namespace.
-+ *
-  *  Criteria is still not confirmed experimentally and may change.
-  *  We kill the socket, if:
-  *  1. If number of orphaned sockets exceeds an administratively configured
-  *     limit.
-  *  2. If we have strong memory pressure.
-+ *  3. If our net namespace is exiting.
-  */
- static int tcp_out_of_resources(struct sock *sk, bool do_reset)
- {
-@@ -83,6 +91,13 @@ static int tcp_out_of_resources(struct sock *sk, bool do_reset)
- 		__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPABORTONMEMORY);
- 		return 1;
- 	}
-+
-+	if (!check_net(sock_net(sk))) {
-+		/* Not possible to send reset; just close */
-+		tcp_done(sk);
-+		return 1;
-+	}
-+
- 	return 0;
- }
- 
@@ -0,0 +1,83 @@
+From fe4261ef5f99878f60290709d10d44bba326f95f Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Sun, 24 Mar 2024 20:51:35 +0100
+Subject: [PATCH] x86/CPU/AMD: Improve the erratum 1386 workaround
+
+Disable XSAVES only on machines which haven't loaded the microcode
+revision containing the erratum fix.
+
+This will come in handy when running archaic OSes as guests. OSes whose
+brilliant programmers thought that CPUID is overrated and one should not
+query it but use features directly, ala shoot first, ask questions
+later... but only if you're alive after the shooting.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+[ FG: port to 6.5 ]
+Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
+Tested-by: "Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/r/20240324200525.GBZgCHhYFsBj12PrKv@fat_crate.local
+---
+ arch/x86/include/asm/cpu_device_id.h |  8 ++++++++
+ arch/x86/kernel/cpu/amd.c            | 11 +++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/arch/x86/include/asm/cpu_device_id.h b/arch/x86/include/asm/cpu_device_id.h
+index eb8fcede9e3b..bf4e065cf1e2 100644
+--- a/arch/x86/include/asm/cpu_device_id.h
+++ b/arch/x86/include/asm/cpu_device_id.h
+@@ -190,6 +190,14 @@ struct x86_cpu_desc {
+ 	.x86_microcode_rev	= (revision),			\
+ }
+ 
+#define AMD_CPU_DESC(fam, model, stepping, revision) {		\
+	.x86_family		= (fam),			\
+	.x86_vendor		= X86_VENDOR_AMD,		\
+	.x86_model		= (model),			\
+	.x86_stepping		= (stepping),			\
+	.x86_microcode_rev	= (revision),			\
+}
+
+ extern const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match);
+ extern bool x86_cpu_has_min_microcode_rev(const struct x86_cpu_desc *table);
+ 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 9390074ddb25..8201271f6505 100644
+--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
+@@ -13,6 +13,7 @@
+ #include <asm/apic.h>
+ #include <asm/cacheinfo.h>
+ #include <asm/cpu.h>
+#include <asm/cpu_device_id.h>
+ #include <asm/spec-ctrl.h>
+ #include <asm/smp.h>
+ #include <asm/numa.h>
+@@ -945,6 +946,11 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
+ 	clear_rdrand_cpuid_bit(c);
+ }
+ 
+static const struct x86_cpu_desc erratum_1386_microcode[] = {
+	AMD_CPU_DESC(0x17,  0x1, 0x2, 0x0800126e),
+	AMD_CPU_DESC(0x17, 0x31, 0x0, 0x08301052),
+};
+
+ void init_spectral_chicken(struct cpuinfo_x86 *c)
+ {
+ #ifdef CONFIG_CPU_UNRET_ENTRY
+@@ -972,7 +978,12 @@ void init_spectral_chicken(struct cpuinfo_x86 *c)
+ 	 *
+ 	 * Affected parts all have no supervisor XSAVE states, meaning that
+ 	 * the XSAVEC instruction (which works fine) is equivalent.
+	 * Clear the feature flag only on microcode revisions which
+	 * don't have the fix.
+ 	 */
+	if (x86_cpu_has_min_microcode_rev(erratum_1386_microcode))
+		return;
+
+ 	clear_cpu_cap(c, X86_FEATURE_XSAVES);
+ }
+ 
+-- 
+2.39.2
+
@@ -1,86 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Tommi Rantala <tommi.t.rantala@nokia.com>
-Date: Mon, 5 Feb 2018 21:48:14 +0200
-Subject: [PATCH] sctp: fix dst refcnt leak in sctp_v4_get_dst
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fix dst reference count leak in sctp_v4_get_dst() introduced in commit
-410f03831 ("sctp: add routing output fallback"):
-
-When walking the address_list, successive ip_route_output_key() calls
-may return the same rt->dst with the reference incremented on each call.
-
-The code would not decrement the dst refcount when the dst pointer was
-identical from the previous iteration, causing the dst refcnt leak.
-
-Testcase:
-  ip netns add TEST
-  ip netns exec TEST ip link set lo up
-  ip link add dummy0 type dummy
-  ip link add dummy1 type dummy
-  ip link add dummy2 type dummy
-  ip link set dev dummy0 netns TEST
-  ip link set dev dummy1 netns TEST
-  ip link set dev dummy2 netns TEST
-  ip netns exec TEST ip addr add 192.168.1.1/24 dev dummy0
-  ip netns exec TEST ip link set dummy0 up
-  ip netns exec TEST ip addr add 192.168.1.2/24 dev dummy1
-  ip netns exec TEST ip link set dummy1 up
-  ip netns exec TEST ip addr add 192.168.1.3/24 dev dummy2
-  ip netns exec TEST ip link set dummy2 up
-  ip netns exec TEST sctp_test -H 192.168.1.2 -P 20002 -h 192.168.1.1 -p 20000 -s -B 192.168.1.3
-  ip netns del TEST
-
-In 4.4 and 4.9 kernels this results to:
-  [  354.179591] unregister_netdevice: waiting for lo to become free. Usage count = 1
-  [  364.419674] unregister_netdevice: waiting for lo to become free. Usage count = 1
-  [  374.663664] unregister_netdevice: waiting for lo to become free. Usage count = 1
-  [  384.903717] unregister_netdevice: waiting for lo to become free. Usage count = 1
-  [  395.143724] unregister_netdevice: waiting for lo to become free. Usage count = 1
-  [  405.383645] unregister_netdevice: waiting for lo to become free. Usage count = 1
-  ...
-
-Fixes: 410f03831 ("sctp: add routing output fallback")
-Fixes: 0ca50d12f ("sctp: fix src address selection if using secondary addresses")
-Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
-Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
-Acked-by: Neil Horman <nhorman@tuxdriver.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- net/sctp/protocol.c | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
-index 989a900383b5..e1a3ae4f3cab 100644
--- a/net/sctp/protocol.c
-+++ b/net/sctp/protocol.c
-@@ -514,22 +514,20 @@ static void sctp_v4_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
- 		if (IS_ERR(rt))
- 			continue;
- 
-		if (!dst)
-			dst = &rt->dst;
-
- 		/* Ensure the src address belongs to the output
- 		 * interface.
- 		 */
- 		odev = __ip_dev_find(sock_net(sk), laddr->a.v4.sin_addr.s_addr,
- 				     false);
- 		if (!odev || odev->ifindex != fl4->flowi4_oif) {
-			if (&rt->dst != dst)
-+			if (!dst)
-+				dst = &rt->dst;
-+			else
- 				dst_release(&rt->dst);
- 			continue;
- 		}
- 
-		if (dst != &rt->dst)
-			dst_release(dst);
-+		dst_release(dst);
- 		dst = &rt->dst;
- 		break;
- 	}
@@ -1,57 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Alexey Kodanev <alexey.kodanev@oracle.com>
-Date: Mon, 5 Feb 2018 15:10:35 +0300
-Subject: [PATCH] sctp: fix dst refcnt leak in sctp_v6_get_dst()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When going through the bind address list in sctp_v6_get_dst() and
-the previously found address is better ('matchlen > bmatchlen'),
-the code continues to the next iteration without releasing currently
-held destination.
-
-Fix it by releasing 'bdst' before continue to the next iteration, and
-instead of introducing one more '!IS_ERR(bdst)' check for dst_release(),
-move the already existed one right after ip6_dst_lookup_flow(), i.e. we
-shouldn't proceed further if we get an error for the route lookup.
-
-Fixes: dbc2b5e9a09e ("sctp: fix src address selection if using secondary addresses for ipv6")
-Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
-Acked-by: Neil Horman <nhorman@tuxdriver.com>
-Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- net/sctp/ipv6.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
-index edb462b0b73b..e626d72868fe 100644
--- a/net/sctp/ipv6.c
-+++ b/net/sctp/ipv6.c
-@@ -326,8 +326,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
- 		final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
- 		bdst = ip6_dst_lookup_flow(sk, fl6, final_p);
- 
-		if (!IS_ERR(bdst) &&
-		    ipv6_chk_addr(dev_net(bdst->dev),
-+		if (IS_ERR(bdst))
-+			continue;
-+
-+		if (ipv6_chk_addr(dev_net(bdst->dev),
- 				  &laddr->a.v6.sin6_addr, bdst->dev, 1)) {
- 			if (!IS_ERR_OR_NULL(dst))
- 				dst_release(dst);
-@@ -336,8 +338,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
- 		}
- 
- 		bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
-		if (matchlen > bmatchlen)
-+		if (matchlen > bmatchlen) {
-+			dst_release(bdst);
- 			continue;
-+		}
- 
- 		if (!IS_ERR_OR_NULL(dst))
- 			dst_release(dst);
@@ -1,43 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Vasily Averin <vvs@virtuozzo.com>
-Date: Thu, 2 Nov 2017 13:03:42 +0300
-Subject: [PATCH] lockd: lost rollback of set_grace_period() in
- lockd_down_net()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit efda760fe95ea ("lockd: fix lockd shutdown race") is incorrect,
-it removes lockd_manager and disarm grace_period_end for init_net only.
-
-If nfsd was started from another net namespace lockd_up_net() calls
-set_grace_period() that adds lockd_manager into per-netns list
-and queues grace_period_end delayed work.
-
-These action should be reverted in lockd_down_net().
-Otherwise it can lead to double list_add on after restart nfsd in netns,
-and to use-after-free if non-disarmed delayed work will be executed after netns destroy.
-
-Fixes: efda760fe95e ("lockd: fix lockd shutdown race")
-Cc: stable@vger.kernel.org
-Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
-Signed-off-by: J. Bruce Fields <bfields@redhat.com>
-(cherry picked from commit 3a2b19d1ee5633f76ae8a88da7bc039a5d1732aa)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- fs/lockd/svc.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c
-index 726b6cecf430..fa8f6effcf00 100644
--- a/fs/lockd/svc.c
-+++ b/fs/lockd/svc.c
-@@ -274,6 +274,8 @@ static void lockd_down_net(struct svc_serv *serv, struct net *net)
- 	if (ln->nlmsvc_users) {
- 		if (--ln->nlmsvc_users == 0) {
- 			nlm_shutdown_hosts_net(net);
-+			cancel_delayed_work_sync(&ln->grace_period_end);
-+			locks_end_grace(&ln->lockd_manager);
- 			svc_shutdown_net(serv, net);
- 			dprintk("lockd_down_net: per-net data destroyed; net=%p\n", net);
- 		}
@@ -1,58 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Changwei Ge <ge.changwei@h3c.com>
-Date: Wed, 31 Jan 2018 16:15:02 -0800
-Subject: [PATCH] ocfs2: make metadata estimation accurate and clear
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Current code assume that ::w_unwritten_list always has only one item on.
-This is not right and hard to get understood.  So improve how to count
-unwritten item.
-
-Link: http://lkml.kernel.org/r/1515479070-32653-1-git-send-email-ge.changwei@h3c.com
-Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
-Reported-by: John Lightsey <john@nixnuts.net>
-Tested-by: John Lightsey <john@nixnuts.net>
-Cc: Mark Fasheh <mfasheh@versity.com>
-Cc: Joseph Qi <jiangqi903@gmail.com>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Changwei Ge <ge.changwei@h3c.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-(cherry picked from commit 63de8bd9328bf2a778fc277503da163ae3defa3c)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- fs/ocfs2/aops.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
-index 88a31e9340a0..77ec9b495027 100644
--- a/fs/ocfs2/aops.c
-+++ b/fs/ocfs2/aops.c
-@@ -784,6 +784,7 @@ struct ocfs2_write_ctxt {
- 	struct ocfs2_cached_dealloc_ctxt w_dealloc;
- 
- 	struct list_head		w_unwritten_list;
-+	unsigned int			w_unwritten_count;
- };
- 
- void ocfs2_unlock_and_free_pages(struct page **pages, int num_pages)
-@@ -1373,6 +1374,7 @@ static int ocfs2_unwritten_check(struct inode *inode,
- 	desc->c_clear_unwritten = 0;
- 	list_add_tail(&new->ue_ip_node, &oi->ip_unwritten_list);
- 	list_add_tail(&new->ue_node, &wc->w_unwritten_list);
-+	wc->w_unwritten_count++;
- 	new = NULL;
- unlock:
- 	spin_unlock(&oi->ip_lock);
-@@ -2246,7 +2248,7 @@ static int ocfs2_dio_get_block(struct inode *inode, sector_t iblock,
- 		ue->ue_phys = desc->c_phys;
- 
- 		list_splice_tail_init(&wc->w_unwritten_list, &dwc->dw_zero_list);
-		dwc->dw_zero_count++;
-+		dwc->dw_zero_count += wc->w_unwritten_count;
- 	}
- 
- 	ret = ocfs2_write_end_nolock(inode->i_mapping, pos, len, len, wc);
@@ -1,367 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Changwei Ge <ge.changwei@h3c.com>
-Date: Wed, 31 Jan 2018 16:15:06 -0800
-Subject: [PATCH] ocfs2: try to reuse extent block in dealloc without
- meta_alloc
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A crash issue was reported by John Lightsey with a call trace as follows:
-
-  ocfs2_split_extent+0x1ad3/0x1b40 [ocfs2]
-  ocfs2_change_extent_flag+0x33a/0x470 [ocfs2]
-  ocfs2_mark_extent_written+0x172/0x220 [ocfs2]
-  ocfs2_dio_end_io+0x62d/0x910 [ocfs2]
-  dio_complete+0x19a/0x1a0
-  do_blockdev_direct_IO+0x19dd/0x1eb0
-  __blockdev_direct_IO+0x43/0x50
-  ocfs2_direct_IO+0x8f/0xa0 [ocfs2]
-  generic_file_direct_write+0xb2/0x170
-  __generic_file_write_iter+0xc3/0x1b0
-  ocfs2_file_write_iter+0x4bb/0xca0 [ocfs2]
-  __vfs_write+0xae/0xf0
-  vfs_write+0xb8/0x1b0
-  SyS_write+0x4f/0xb0
-  system_call_fastpath+0x16/0x75
-
-The BUG code told that extent tree wants to grow but no metadata was
-reserved ahead of time.  From my investigation into this issue, the root
-cause it that although enough metadata is not reserved, there should be
-enough for following use.  Rightmost extent is merged into its left one
-due to a certain times of marking extent written.  Because during
-marking extent written, we got many physically continuous extents.  At
-last, an empty extent showed up and the rightmost path is removed from
-extent tree.
-
-Add a new mechanism to reuse extent block cached in dealloc which were
-just unlinked from extent tree to solve this crash issue.
-
-Criteria is that during marking extents *written*, if extent rotation
-and merging results in unlinking extent with growing extent tree later
-without any metadata reserved ahead of time, try to reuse those extents
-in dealloc in which deleted extents are cached.
-
-Also, this patch addresses the issue John reported that ::dw_zero_count
-is not calculated properly.
-
-After applying this patch, the issue John reported was gone.  Thanks for
-the reproducer provided by John.  And this patch has passed
-ocfs2-test(29 cases) suite running by New H3C Group.
-
-[ge.changwei@h3c.com: fix static checker warnning]
-  Link: http://lkml.kernel.org/r/63ADC13FD55D6546B7DECE290D39E373F29196AE@H3CMLB12-EX.srv.huawei-3com.com
-[akpm@linux-foundation.org: brelse(NULL) is legal]
-Link: http://lkml.kernel.org/r/1515479070-32653-2-git-send-email-ge.changwei@h3c.com
-Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
-Reported-by: John Lightsey <john@nixnuts.net>
-Tested-by: John Lightsey <john@nixnuts.net>
-Cc: Joel Becker <jlbec@evilplan.org>
-Cc: Joseph Qi <jiangqi903@gmail.com>
-Cc: Junxiao Bi <junxiao.bi@oracle.com>
-Cc: Dan Carpenter <dan.carpenter@oracle.com>
-Cc: Mark Fasheh <mfasheh@versity.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-(cherry picked from commit 71a36944042b7d9dd71f6a5d1c5ea1c2353b5d42)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- fs/ocfs2/alloc.c | 206 ++++++++++++++++++++++++++++++++++++++++++++++++++++---
- fs/ocfs2/alloc.h |   1 +
- fs/ocfs2/aops.c  |   6 ++
- 3 files changed, 203 insertions(+), 10 deletions(-)
-
-diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
-index 386aecce881d..9b5e7d8ba710 100644
--- a/fs/ocfs2/alloc.c
-+++ b/fs/ocfs2/alloc.c
-@@ -165,6 +165,13 @@ static int ocfs2_dinode_insert_check(struct ocfs2_extent_tree *et,
- 				     struct ocfs2_extent_rec *rec);
- static int ocfs2_dinode_sanity_check(struct ocfs2_extent_tree *et);
- static void ocfs2_dinode_fill_root_el(struct ocfs2_extent_tree *et);
-+
-+static int ocfs2_reuse_blk_from_dealloc(handle_t *handle,
-+					struct ocfs2_extent_tree *et,
-+					struct buffer_head **new_eb_bh,
-+					int blk_wanted, int *blk_given);
-+static int ocfs2_is_dealloc_empty(struct ocfs2_extent_tree *et);
-+
- static const struct ocfs2_extent_tree_operations ocfs2_dinode_et_ops = {
- 	.eo_set_last_eb_blk	= ocfs2_dinode_set_last_eb_blk,
- 	.eo_get_last_eb_blk	= ocfs2_dinode_get_last_eb_blk,
-@@ -448,6 +455,7 @@ static void __ocfs2_init_extent_tree(struct ocfs2_extent_tree *et,
- 	if (!obj)
- 		obj = (void *)bh->b_data;
- 	et->et_object = obj;
-+	et->et_dealloc = NULL;
- 
- 	et->et_ops->eo_fill_root_el(et);
- 	if (!et->et_ops->eo_fill_max_leaf_clusters)
-@@ -1159,7 +1167,7 @@ static int ocfs2_add_branch(handle_t *handle,
- 			    struct buffer_head **last_eb_bh,
- 			    struct ocfs2_alloc_context *meta_ac)
- {
-	int status, new_blocks, i;
-+	int status, new_blocks, i, block_given = 0;
- 	u64 next_blkno, new_last_eb_blk;
- 	struct buffer_head *bh;
- 	struct buffer_head **new_eb_bhs = NULL;
-@@ -1214,11 +1222,31 @@ static int ocfs2_add_branch(handle_t *handle,
- 		goto bail;
- 	}
- 
-	status = ocfs2_create_new_meta_bhs(handle, et, new_blocks,
-					   meta_ac, new_eb_bhs);
-	if (status < 0) {
-		mlog_errno(status);
-		goto bail;
-+	/* Firstyly, try to reuse dealloc since we have already estimated how
-+	 * many extent blocks we may use.
-+	 */
-+	if (!ocfs2_is_dealloc_empty(et)) {
-+		status = ocfs2_reuse_blk_from_dealloc(handle, et,
-+						      new_eb_bhs, new_blocks,
-+						      &block_given);
-+		if (status < 0) {
-+			mlog_errno(status);
-+			goto bail;
-+		}
-+	}
-+
-+	BUG_ON(block_given > new_blocks);
-+
-+	if (block_given < new_blocks) {
-+		BUG_ON(!meta_ac);
-+		status = ocfs2_create_new_meta_bhs(handle, et,
-+						   new_blocks - block_given,
-+						   meta_ac,
-+						   &new_eb_bhs[block_given]);
-+		if (status < 0) {
-+			mlog_errno(status);
-+			goto bail;
-+		}
- 	}
- 
- 	/* Note: new_eb_bhs[new_blocks - 1] is the guy which will be
-@@ -1341,15 +1369,25 @@ static int ocfs2_shift_tree_depth(handle_t *handle,
- 				  struct ocfs2_alloc_context *meta_ac,
- 				  struct buffer_head **ret_new_eb_bh)
- {
-	int status, i;
-+	int status, i, block_given = 0;
- 	u32 new_clusters;
- 	struct buffer_head *new_eb_bh = NULL;
- 	struct ocfs2_extent_block *eb;
- 	struct ocfs2_extent_list  *root_el;
- 	struct ocfs2_extent_list  *eb_el;
- 
-	status = ocfs2_create_new_meta_bhs(handle, et, 1, meta_ac,
-					   &new_eb_bh);
-+	if (!ocfs2_is_dealloc_empty(et)) {
-+		status = ocfs2_reuse_blk_from_dealloc(handle, et,
-+						      &new_eb_bh, 1,
-+						      &block_given);
-+	} else if (meta_ac) {
-+		status = ocfs2_create_new_meta_bhs(handle, et, 1, meta_ac,
-+						   &new_eb_bh);
-+
-+	} else {
-+		BUG();
-+	}
-+
- 	if (status < 0) {
- 		mlog_errno(status);
- 		goto bail;
-@@ -1512,7 +1550,7 @@ static int ocfs2_grow_tree(handle_t *handle, struct ocfs2_extent_tree *et,
- 	int depth = le16_to_cpu(el->l_tree_depth);
- 	struct buffer_head *bh = NULL;
- 
-	BUG_ON(meta_ac == NULL);
-+	BUG_ON(meta_ac == NULL && ocfs2_is_dealloc_empty(et));
- 
- 	shift = ocfs2_find_branch_target(et, &bh);
- 	if (shift < 0) {
-@@ -6593,6 +6631,154 @@ ocfs2_find_per_slot_free_list(int type,
- 	return fl;
- }
- 
-+static struct ocfs2_per_slot_free_list *
-+ocfs2_find_preferred_free_list(int type,
-+			       int preferred_slot,
-+			       int *real_slot,
-+			       struct ocfs2_cached_dealloc_ctxt *ctxt)
-+{
-+	struct ocfs2_per_slot_free_list *fl = ctxt->c_first_suballocator;
-+
-+	while (fl) {
-+		if (fl->f_inode_type == type && fl->f_slot == preferred_slot) {
-+			*real_slot = fl->f_slot;
-+			return fl;
-+		}
-+
-+		fl = fl->f_next_suballocator;
-+	}
-+
-+	/* If we can't find any free list matching preferred slot, just use
-+	 * the first one.
-+	 */
-+	fl = ctxt->c_first_suballocator;
-+	*real_slot = fl->f_slot;
-+
-+	return fl;
-+}
-+
-+/* Return Value 1 indicates empty */
-+static int ocfs2_is_dealloc_empty(struct ocfs2_extent_tree *et)
-+{
-+	struct ocfs2_per_slot_free_list *fl = NULL;
-+
-+	if (!et->et_dealloc)
-+		return 1;
-+
-+	fl = et->et_dealloc->c_first_suballocator;
-+	if (!fl)
-+		return 1;
-+
-+	if (!fl->f_first)
-+		return 1;
-+
-+	return 0;
-+}
-+
-+/* If extent was deleted from tree due to extent rotation and merging, and
-+ * no metadata is reserved ahead of time. Try to reuse some extents
-+ * just deleted. This is only used to reuse extent blocks.
-+ * It is supposed to find enough extent blocks in dealloc if our estimation
-+ * on metadata is accurate.
-+ */
-+static int ocfs2_reuse_blk_from_dealloc(handle_t *handle,
-+					struct ocfs2_extent_tree *et,
-+					struct buffer_head **new_eb_bh,
-+					int blk_wanted, int *blk_given)
-+{
-+	int i, status = 0, real_slot;
-+	struct ocfs2_cached_dealloc_ctxt *dealloc;
-+	struct ocfs2_per_slot_free_list *fl;
-+	struct ocfs2_cached_block_free *bf;
-+	struct ocfs2_extent_block *eb;
-+	struct ocfs2_super *osb =
-+		OCFS2_SB(ocfs2_metadata_cache_get_super(et->et_ci));
-+
-+	*blk_given = 0;
-+
-+	/* If extent tree doesn't have a dealloc, this is not faulty. Just
-+	 * tell upper caller dealloc can't provide any block and it should
-+	 * ask for alloc to claim more space.
-+	 */
-+	dealloc = et->et_dealloc;
-+	if (!dealloc)
-+		goto bail;
-+
-+	for (i = 0; i < blk_wanted; i++) {
-+		/* Prefer to use local slot */
-+		fl = ocfs2_find_preferred_free_list(EXTENT_ALLOC_SYSTEM_INODE,
-+						    osb->slot_num, &real_slot,
-+						    dealloc);
-+		/* If no more block can be reused, we should claim more
-+		 * from alloc. Just return here normally.
-+		 */
-+		if (!fl) {
-+			status = 0;
-+			break;
-+		}
-+
-+		bf = fl->f_first;
-+		fl->f_first = bf->free_next;
-+
-+		new_eb_bh[i] = sb_getblk(osb->sb, bf->free_blk);
-+		if (new_eb_bh[i] == NULL) {
-+			status = -ENOMEM;
-+			mlog_errno(status);
-+			goto bail;
-+		}
-+
-+		mlog(0, "Reusing block(%llu) from "
-+		     "dealloc(local slot:%d, real slot:%d)\n",
-+		     bf->free_blk, osb->slot_num, real_slot);
-+
-+		ocfs2_set_new_buffer_uptodate(et->et_ci, new_eb_bh[i]);
-+
-+		status = ocfs2_journal_access_eb(handle, et->et_ci,
-+						 new_eb_bh[i],
-+						 OCFS2_JOURNAL_ACCESS_CREATE);
-+		if (status < 0) {
-+			mlog_errno(status);
-+			goto bail;
-+		}
-+
-+		memset(new_eb_bh[i]->b_data, 0, osb->sb->s_blocksize);
-+		eb = (struct ocfs2_extent_block *) new_eb_bh[i]->b_data;
-+
-+		/* We can't guarantee that buffer head is still cached, so
-+		 * polutlate the extent block again.
-+		 */
-+		strcpy(eb->h_signature, OCFS2_EXTENT_BLOCK_SIGNATURE);
-+		eb->h_blkno = cpu_to_le64(bf->free_blk);
-+		eb->h_fs_generation = cpu_to_le32(osb->fs_generation);
-+		eb->h_suballoc_slot = cpu_to_le16(real_slot);
-+		eb->h_suballoc_loc = cpu_to_le64(bf->free_bg);
-+		eb->h_suballoc_bit = cpu_to_le16(bf->free_bit);
-+		eb->h_list.l_count =
-+			cpu_to_le16(ocfs2_extent_recs_per_eb(osb->sb));
-+
-+		/* We'll also be dirtied by the caller, so
-+		 * this isn't absolutely necessary.
-+		 */
-+		ocfs2_journal_dirty(handle, new_eb_bh[i]);
-+
-+		if (!fl->f_first) {
-+			dealloc->c_first_suballocator = fl->f_next_suballocator;
-+			kfree(fl);
-+		}
-+		kfree(bf);
-+	}
-+
-+	*blk_given = i;
-+
-+bail:
-+	if (unlikely(status < 0)) {
-+		for (i = 0; i < blk_wanted; i++)
-+			brelse(new_eb_bh[i]);
-+	}
-+
-+	return status;
-+}
-+
- int ocfs2_cache_block_dealloc(struct ocfs2_cached_dealloc_ctxt *ctxt,
- 			      int type, int slot, u64 suballoc,
- 			      u64 blkno, unsigned int bit)
-diff --git a/fs/ocfs2/alloc.h b/fs/ocfs2/alloc.h
-index 4a5152ec88a3..571692171dd1 100644
--- a/fs/ocfs2/alloc.h
-+++ b/fs/ocfs2/alloc.h
-@@ -61,6 +61,7 @@ struct ocfs2_extent_tree {
- 	ocfs2_journal_access_func		et_root_journal_access;
- 	void					*et_object;
- 	unsigned int				et_max_leaf_clusters;
-+	struct ocfs2_cached_dealloc_ctxt	*et_dealloc;
- };
- 
- /*
-diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
-index 77ec9b495027..2ff02dda97d8 100644
--- a/fs/ocfs2/aops.c
-+++ b/fs/ocfs2/aops.c
-@@ -2322,6 +2322,12 @@ static int ocfs2_dio_end_io_write(struct inode *inode,
- 
- 	ocfs2_init_dinode_extent_tree(&et, INODE_CACHE(inode), di_bh);
- 
-+	/* Attach dealloc with extent tree in case that we may reuse extents
-+	 * which are already unlinked from current extent tree due to extent
-+	 * rotation and merging.
-+	 */
-+	et.et_dealloc = &dealloc;
-+
- 	ret = ocfs2_lock_allocators(inode, &et, 0, dwc->dw_zero_count*2,
- 				    &data_ac, &meta_ac);
- 	if (ret) {
@@ -1,100 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
-Date: Fri, 23 Mar 2018 09:19:21 +0100
-Subject: [PATCH] mm/shmem: do not wait for lock_page() in
- shmem_unused_huge_shrink()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-shmem_unused_huge_shrink() gets called from reclaim path.  Waiting for
-page lock may lead to deadlock there.
-
-There was a bug report that may be attributed to this:
-
-http://lkml.kernel.org/r/alpine.LRH.2.11.1801242349220.30642@mail.ewheeler.net
-
-Replace lock_page() with trylock_page() and skip the page if we failed to
-lock it.  We will get to the page on the next scan.
-
-We can test for the PageTransHuge() outside the page lock as we only need
-protection against splitting the page under us.  Holding pin oni the page
-is enough for this.
-
-Link: http://lkml.kernel.org/r/20180316210830.43738-1-kirill.shutemov@linux.intel.com
-Fixes: 779750d20b93 ("shmem: split huge pages beyond i_size under memory pressure")
-Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-Reported-by: Eric Wheeler <linux-mm@lists.ewheeler.net>
-Acked-by: Michal Hocko <mhocko@suse.com>
-Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
-Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Cc: Hugh Dickins <hughd@google.com>
-Cc: <stable@vger.kernel.org>	[4.8+]
-Signed-off-by: Andrew Morton <>
-(cherry-picked from https://git.kernel.org/pub/scm/linux/kernel/git/mhocko/mm.git/commit/?h=since-4.15&id=73eccc61c701ee7b4223aea2079542a712feeea7)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- mm/shmem.c | 31 ++++++++++++++++++++-----------
- 1 file changed, 20 insertions(+), 11 deletions(-)
-
-diff --git a/mm/shmem.c b/mm/shmem.c
-index 859e4c224b80..2aae929eb90b 100644
--- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -483,36 +483,45 @@ static unsigned long shmem_unused_huge_shrink(struct shmem_sb_info *sbinfo,
- 		info = list_entry(pos, struct shmem_inode_info, shrinklist);
- 		inode = &info->vfs_inode;
- 
-		if (nr_to_split && split >= nr_to_split) {
-			iput(inode);
-			continue;
-		}
-+		if (nr_to_split && split >= nr_to_split)
-+			goto leave;
- 
-		page = find_lock_page(inode->i_mapping,
-+		page = find_get_page(inode->i_mapping,
- 				(inode->i_size & HPAGE_PMD_MASK) >> PAGE_SHIFT);
- 		if (!page)
- 			goto drop;
- 
-+		/* No huge page at the end of the file: nothing to split */
- 		if (!PageTransHuge(page)) {
-			unlock_page(page);
- 			put_page(page);
- 			goto drop;
- 		}
- 
-+		/*
-+		 * Leave the inode on the list if we failed to lock
-+		 * the page at this time.
-+		 *
-+		 * Waiting for the lock may lead to deadlock in the
-+		 * reclaim path.
-+		 */
-+		if (!trylock_page(page)) {
-+			put_page(page);
-+			goto leave;
-+		}
-+
- 		ret = split_huge_page(page);
- 		unlock_page(page);
- 		put_page(page);
- 
-		if (ret) {
-			/* split failed: leave it on the list */
-			iput(inode);
-			continue;
-		}
-+		/* If split failed leave the inode on the list */
-+		if (ret)
-+			goto leave;
- 
- 		split++;
- drop:
- 		list_del_init(&info->shrinklist);
- 		removed++;
-+leave:
- 		iput(inode);
- 	}
- 
@@ -1,43 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
-Date: Thu, 15 Mar 2018 18:07:47 +0300
-Subject: [PATCH] mm/thp: Do not wait for lock_page() in deferred_split_scan()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-deferred_split_scan() gets called from reclaim path. Waiting for page
-lock may lead to deadlock there.
-
-Replace lock_page() with trylock_page() and skip the page if we failed
-to lock it. We will get to the page on the next scan.
-
-Fixes: 9a982250f773 ("thp: introduce deferred_split_huge_page()")
-
-Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-Acked-by: Michal Hocko <mhocko@suse.com>
-(cherry-picked from https://patchwork.kernel.org/patch/10284703/)
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- mm/huge_memory.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/mm/huge_memory.c b/mm/huge_memory.c
-index 8b887db33383..5c4093e0be8d 100644
--- a/mm/huge_memory.c
-+++ b/mm/huge_memory.c
-@@ -2621,11 +2621,13 @@ static unsigned long deferred_split_scan(struct shrinker *shrink,
- 
- 	list_for_each_safe(pos, next, &list) {
- 		page = list_entry((void *)pos, struct page, mapping);
-		lock_page(page);
-+		if (!trylock_page(page))
-+			goto next;
- 		/* split_huge_page() removes page from list on success */
- 		if (!split_huge_page(page))
- 			split++;
- 		unlock_page(page);
-+next:
- 		put_page(page);
- 	}
- 
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
-Date: Mon, 9 Apr 2018 09:33:25 +0200
-Subject: [PATCH] Revert Ubuntu RETPOLINE checks in kernel Makefile
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-these break builds outside of Ubuntu's packaging.
-
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- scripts/Makefile.build | 8 --------
- 1 file changed, 8 deletions(-)
-
-diff --git a/scripts/Makefile.build b/scripts/Makefile.build
-index d74c3f9f1fa8..436005392047 100644
--- a/scripts/Makefile.build
-+++ b/scripts/Makefile.build
-@@ -282,18 +282,11 @@ objtool_dep = $(objtool_obj)					\
- 	      $(wildcard include/config/orc/unwinder.h		\
- 			 include/config/stack/validation.h)
- 
-ifdef CONFIG_RETPOLINE
-cmd_ubuntu_retpoline = $(CONFIG_SHELL) $(srctree)/scripts/ubuntu-retpoline-extract-one $(@) $(<) "$(filter -m16 %code16gcc.h,$(a_flags))";
-else
-cmd_ubuntu_retpoline =
-endif
-
- define rule_cc_o_c
- 	$(call echo-cmd,checksrc) $(cmd_checksrc)			  \
- 	$(call cmd_and_fixdep,cc_o_c)					  \
- 	$(cmd_modversions_c)						  \
- 	$(call echo-cmd,objtool) $(cmd_objtool)				  \
-	$(call echo-cmd,ubuntu-retpoline) $(cmd_ubuntu_retpoline)	  \
- 	$(call echo-cmd,record_mcount) $(cmd_record_mcount)
- endef
- 
-@@ -301,7 +294,6 @@ define rule_as_o_S
- 	$(call cmd_and_fixdep,as_o_S)					  \
- 	$(cmd_modversions_S)						  \
- 	$(call echo-cmd,objtool) $(cmd_objtool)
-	$(call echo-cmd,ubuntu-retpoline) $(cmd_ubuntu_retpoline)
- endef
- 
- # List module undefined symbols (or empty line if not enabled)
@@ -1,92 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Mon, 9 Apr 2018 14:56:29 +0200
-Subject: [PATCH] net: fix deadlock while clearing neighbor proxy table
-
-When coming from ndisc_netdev_event() in net/ipv6/ndisc.c,
-neigh_ifdown() is called with &nd_tbl, locking this while
-clearing the proxy neighbor entries when eg. deleting an
-interface. Calling the table's pndisc_destructor() with the
-lock still held, however, can cause a deadlock: When a
-multicast listener is available an IGMP packet of type
-ICMPV6_MGM_REDUCTION may be sent out. When reaching
-ip6_finish_output2(), if no neighbor entry for the target
-address is found, __neigh_create() is called with &nd_tbl,
-which it'll want to lock.
-
-Move the elements into their own list, then unlock the table
-and perform the destruction.
-
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289
-Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
- net/core/neighbour.c | 28 ++++++++++++++++++----------
- 1 file changed, 18 insertions(+), 10 deletions(-)
-
-diff --git a/net/core/neighbour.c b/net/core/neighbour.c
-index d0713627deb6..3b495739bf65 100644
--- a/net/core/neighbour.c
-+++ b/net/core/neighbour.c
-@@ -55,7 +55,8 @@ static void neigh_timer_handler(unsigned long arg);
- static void __neigh_notify(struct neighbour *n, int type, int flags,
- 			   u32 pid);
- static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid);
-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev);
-+static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
-+				    struct net_device *dev);
- 
- #ifdef CONFIG_PROC_FS
- static const struct file_operations neigh_stat_seq_fops;
-@@ -291,8 +292,7 @@ int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
- {
- 	write_lock_bh(&tbl->lock);
- 	neigh_flush_dev(tbl, dev);
-	pneigh_ifdown(tbl, dev);
-	write_unlock_bh(&tbl->lock);
-+	pneigh_ifdown_and_unlock(tbl, dev);
- 
- 	del_timer_sync(&tbl->proxy_timer);
- 	pneigh_queue_purge(&tbl->proxy_queue);
-@@ -681,9 +681,10 @@ int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *pkey,
- 	return -ENOENT;
- }
- 
-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
-+static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
-+				    struct net_device *dev)
- {
-	struct pneigh_entry *n, **np;
-+	struct pneigh_entry *n, **np, *freelist = NULL;
- 	u32 h;
- 
- 	for (h = 0; h <= PNEIGH_HASHMASK; h++) {
-@@ -691,16 +692,23 @@ static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
- 		while ((n = *np) != NULL) {
- 			if (!dev || n->dev == dev) {
- 				*np = n->next;
-				if (tbl->pdestructor)
-					tbl->pdestructor(n);
-				if (n->dev)
-					dev_put(n->dev);
-				kfree(n);
-+				n->next = freelist;
-+				freelist = n;
- 				continue;
- 			}
- 			np = &n->next;
- 		}
- 	}
-+	write_unlock_bh(&tbl->lock);
-+	while ((n = freelist)) {
-+		freelist = n->next;
-+		n->next = NULL;
-+		if (tbl->pdestructor)
-+			tbl->pdestructor(n);
-+		if (n->dev)
-+			dev_put(n->dev);
-+		kfree(n);
-+	}
- 	return -ENOENT;
- }
-