cherry-pick improved erratum 1386 workaround

The original fix disabled the xsaves feature for zen1/2. The issue has since been fixed in the cpus microcode and this patch keeps the feature enabled if the microcode version is recent enough to contain the fix. The patch had to be altered slightly to apply cleanly on 6.5, but no changes content-wise. Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
config: disable CONFIG_N_GSM
2024-04-17 16:51:43 +02:00 · 2024-04-17 11:56:34 +02:00 · 2024-04-15 09:37:08 +02:00 · 2024-04-05 14:02:41 +02:00 · 2024-04-05 13:04:13 +02:00 · 2024-04-05 12:21:20 +02:00
56 changed files with 32968 additions and 26740 deletions
@@ -1,6 +1,6 @@
 [submodule "submodules/zfsonlinux"]
 	path = submodules/zfsonlinux
 	url = ../zfsonlinux
-[submodule "submodules/ubuntu-hirsute"]
-	path = submodules/ubuntu-hirsute
-	url = ../mirror_ubuntu-hirsute-kernel
+[submodule "submodules/ubuntu-kernel"]
+	path = submodules/ubuntu-kernel
+	url = ../mirror_ubuntu-kernels
@@ -1,110 +1,134 @@
-# also bump pve-kernel-meta if either of MAJ.MIN, PATCHLEVEL or KREL change
-KERNEL_MAJ=5
-KERNEL_MIN=11
-KERNEL_PATCHLEVEL=22
-# increment KREL if the ABI changes (abicheck target in debian/rules)
-# rebuild packages with new KREL and run 'make abiupdate'
-KREL=4
+include /usr/share/dpkg/pkg-info.mk

-PKGREL=9
+# also bump proxmox-kernel-meta if the default MAJ.MIN version changes!
+KERNEL_MAJ=6
+KERNEL_MIN=5
+KERNEL_PATCHLEVEL=13
+# increment KREL for every published package release!
+# rebuild packages with new KREL and run 'make abiupdate'
+KREL=5

 KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
 KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)

-EXTRAVERSION=-${KREL}-pve
-KVNAME=${KERNEL_VER}${EXTRAVERSION}
-PACKAGE=pve-kernel-${KVNAME}
-HDRPACKAGE=pve-headers-${KVNAME}
+EXTRAVERSION=-$(KREL)-pve
+KVNAME=$(KERNEL_VER)$(EXTRAVERSION)
+PACKAGE=proxmox-kernel-$(KVNAME)
+HDRPACKAGE=proxmox-headers-$(KVNAME)

 ARCH=$(shell dpkg-architecture -qDEB_BUILD_ARCH)

 # amd64/x86_64/x86 share the arch subdirectory in the kernel, 'x86' so we need
 # a mapping
 KERNEL_ARCH=x86
-ifneq (${ARCH}, amd64)
-KERNEL_ARCH=${ARCH}
+ifneq ($(ARCH), amd64)
+KERNEL_ARCH=$(ARCH)
 endif

-GITVERSION:=$(shell git rev-parse HEAD)
-
 SKIPABI=0

-BUILD_DIR=build
+BUILD_DIR=proxmox-kernel-$(KERNEL_VER)

-KERNEL_SRC=ubuntu-hirsute
+KERNEL_SRC=ubuntu-kernel
 KERNEL_SRC_SUBMODULE=submodules/$(KERNEL_SRC)
-KERNEL_CFG_ORG=config-${KERNEL_VER}.org
+KERNEL_CFG_ORG=config-$(KERNEL_VER).org

 ZFSONLINUX_SUBMODULE=submodules/zfsonlinux
 ZFSDIR=pkg-zfs

 MODULES=modules
-MODULE_DIRS=${ZFSDIR}
+MODULE_DIRS=$(ZFSDIR)

 # exported to debian/rules via debian/rules.d/dirs.mk
 DIRS=KERNEL_SRC ZFSDIR MODULES

-DST_DEB=${PACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-HDR_DEB=${HDRPACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-USR_HDR_DEB=pve-kernel-libc-dev_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-LINUX_TOOLS_DBG_DEB=linux-tools-$(KERNEL_MAJMIN)-dbgsym_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
+DSC=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL).dsc
+DST_DEB=$(PACKAGE)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+SIGNED_TEMPLATE_DEB=$(PACKAGE)-signed-template_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+META_DEB=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_all.deb
+HDR_DEB=$(HDRPACKAGE)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+META_HDR_DEB=proxmox-headers-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_all.deb
+USR_HDR_DEB=proxmox-kernel-libc-dev_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+LINUX_TOOLS_DBG_DEB=linux-tools-$(KERNEL_MAJMIN)-dbgsym_$(KERNEL_VER)-$(KREL)_$(ARCH).deb

-DEBS=${DST_DEB} ${HDR_DEB} ${USR_HDR_DEB} ${LINUX_TOOLS_DEB} ${LINUX_TOOLS_DBG_DEB}
+DEBS=$(DST_DEB) $(META_DEB) $(HDR_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(LINUX_TOOLS_DBG_DEB) $(SIGNED_TEMPLATE_DEB) # $(USR_HDR_DEB)

 all: deb
-deb: ${DEBS}
+deb: $(DEBS)

-${LINUX_TOOLS_DEB} ${HDR_DEB}: ${DST_DEB}
-${DST_DEB}: ${BUILD_DIR}.prepared
-	cd ${BUILD_DIR}; dpkg-buildpackage --jobs=auto -b -uc -us
-	lintian ${DST_DEB}
-	#lintian ${HDR_DEB}
-	lintian ${LINUX_TOOLS_DEB}
+$(META_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(HDR_DEB): $(DST_DEB)
+$(DST_DEB): $(BUILD_DIR).prepared
+	cd $(BUILD_DIR); dpkg-buildpackage --jobs=auto -b -uc -us
+	lintian $(DST_DEB)
+	#lintian $(HDR_DEB)
+	lintian $(LINUX_TOOLS_DEB)

-${BUILD_DIR}.prepared: $(addsuffix .prepared,${KERNEL_SRC} ${MODULES} debian)
-	cp -a fwlist-previous ${BUILD_DIR}/
-	cp -a abi-prev-* ${BUILD_DIR}/
-	cp -a abi-blacklist ${BUILD_DIR}/
+dsc:
+	$(MAKE) $(DSC)
+	lintian $(DSC)
+
+$(DSC): $(BUILD_DIR).prepared
+	cd $(BUILD_DIR); dpkg-buildpackage -S -uc -us -d
+
+sbuild: $(DSC)
+	sbuild $(DSC)
+
+$(BUILD_DIR).prepared: $(addsuffix .prepared,$(KERNEL_SRC) $(MODULES) debian)
+	cp -a fwlist-previous $(BUILD_DIR)/
+	cp -a abi-prev-* $(BUILD_DIR)/
+	cp -a abi-blacklist $(BUILD_DIR)/
 	touch $@

+.PHONY: build-dir-fresh
+build-dir-fresh:
+	$(MAKE) clean
+	$(MAKE) $(BUILD_DIR).prepared
+	echo "created build-directory: $(BUILD_DIR).prepared/"
+
 debian.prepared: debian
-	rm -rf ${BUILD_DIR}/debian
-	mkdir -p ${BUILD_DIR}
-	cp -a debian ${BUILD_DIR}/debian
-	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout ${GITVERSION}" > ${BUILD_DIR}/debian/SOURCE
-	@$(foreach dir, ${DIRS},echo "${dir}=${${dir}}" >> ${BUILD_DIR}/debian/rules.d/env.mk;)
-	echo "KVNAME=${KVNAME}" >> ${BUILD_DIR}/debian/rules.d/env.mk
-	echo "KERNEL_MAJMIN=${KERNEL_MAJMIN}" >> ${BUILD_DIR}/debian/rules.d/env.mk
-	cd ${BUILD_DIR}; debian/rules debian/control
+	rm -rf $(BUILD_DIR)/debian
+	mkdir -p $(BUILD_DIR)
+	cp -a debian $(BUILD_DIR)/debian
+	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout $(shell git rev-parse HEAD)" \
+	    >$(BUILD_DIR)/debian/SOURCE
+	@$(foreach dir, $(DIRS),echo "$(dir)=$($(dir))" >> $(BUILD_DIR)/debian/rules.d/env.mk;)
+	echo "KVNAME=$(KVNAME)" >> $(BUILD_DIR)/debian/rules.d/env.mk
+	echo "KERNEL_MAJMIN=$(KERNEL_MAJMIN)" >> $(BUILD_DIR)/debian/rules.d/env.mk
+	cd $(BUILD_DIR); debian/rules debian/control
 	touch $@

-${KERNEL_SRC}.prepared: ${KERNEL_SRC_SUBMODULE} | submodule
-	rm -rf ${BUILD_DIR}/${KERNEL_SRC} $@
-	mkdir -p ${BUILD_DIR}
-	cp -a ${KERNEL_SRC_SUBMODULE} ${BUILD_DIR}/${KERNEL_SRC}
+$(KERNEL_SRC).prepared: $(KERNEL_SRC_SUBMODULE) | submodule
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC) $@
+	mkdir -p $(BUILD_DIR)
+	cp -a $(KERNEL_SRC_SUBMODULE) $(BUILD_DIR)/$(KERNEL_SRC)
 # TODO: split for archs, track and diff in our repository?
-	cat ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/config.common.ubuntu ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/${ARCH}/config.common.${ARCH} ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/${ARCH}/config.flavour.generic > ${KERNEL_CFG_ORG}
-	cp ${KERNEL_CFG_ORG} ${BUILD_DIR}/${KERNEL_SRC}/.config
-	sed -i ${BUILD_DIR}/${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
-	rm -rf ${BUILD_DIR}/${KERNEL_SRC}/debian ${BUILD_DIR}/${KERNEL_SRC}/debian.master
-	set -e; cd ${BUILD_DIR}/${KERNEL_SRC}; for patch in ../../patches/kernel/*.patch; do echo "applying patch '$$patch'" && patch -p1 < $${patch}; done
+	cd $(BUILD_DIR)/$(KERNEL_SRC); python3 debian/scripts/misc/annotations --arch amd64 --export >../../$(KERNEL_CFG_ORG)
+	cp $(KERNEL_CFG_ORG) $(BUILD_DIR)/$(KERNEL_SRC)/.config
+	sed -i $(BUILD_DIR)/$(KERNEL_SRC)/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=$(EXTRAVERSION)/'
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC)/debian $(BUILD_DIR)/$(KERNEL_SRC)/debian.master
+	set -e; cd $(BUILD_DIR)/$(KERNEL_SRC); \
+	  for patch in ../../patches/kernel/*.patch; do \
+	    echo "applying patch '$$patch'"; \
+	    patch --batch -p1 < "$${patch}"; \
+	  done
 	touch $@

-${MODULES}.prepared: $(addsuffix .prepared,${MODULE_DIRS})
+$(MODULES).prepared: $(addsuffix .prepared,$(MODULE_DIRS))
 	touch $@

-${ZFSDIR}.prepared: ${ZFSONLINUX_SUBMODULE}
-	rm -rf ${BUILD_DIR}/${MODULES}/${ZFSDIR} ${BUILD_DIR}/${MODULES}/tmp $@
-	mkdir -p ${BUILD_DIR}/${MODULES}/tmp
-	cp -a ${ZFSONLINUX_SUBMODULE}/* ${BUILD_DIR}/${MODULES}/tmp
-	cd ${BUILD_DIR}/${MODULES}/tmp; make kernel
-	rm -rf ${BUILD_DIR}/${MODULES}/tmp
-	touch ${ZFSDIR}.prepared
+$(ZFSDIR).prepared: $(ZFSONLINUX_SUBMODULE)
+	rm -rf $(BUILD_DIR)/$(MODULES)/$(ZFSDIR) $(BUILD_DIR)/$(MODULES)/tmp $@
+	mkdir -p $(BUILD_DIR)/$(MODULES)/tmp
+	cp -a $(ZFSONLINUX_SUBMODULE)/* $(BUILD_DIR)/$(MODULES)/tmp
+	cd $(BUILD_DIR)/$(MODULES)/tmp; make kernel
+	rm -rf $(BUILD_DIR)/$(MODULES)/tmp
+	touch $(ZFSDIR).prepared

 .PHONY: upload
-upload: ${DEBS}
-	tar cf - ${DEBS}|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg,pbs --dist bullseye --arch ${ARCH}
+upload: UPLOAD_DIST ?= $(DEB_DISTRIBUTION)
+upload: $(DEBS)
+	tar cf - $(DEBS)|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg,pbs --dist $(UPLOAD_DIST) --arch $(ARCH)

 .PHONY: distclean
 distclean: clean
@@ -114,18 +138,18 @@ distclean: clean
 .PHONY: update_modules
 update_modules: submodule
 	git submodule foreach 'git pull --ff-only origin master'
-	cd ${ZFSONLINUX_SUBMODULE}; git pull --ff-only origin master
+	cd $(ZFSONLINUX_SUBMODULE); git pull --ff-only origin master

 # make sure submodules were initialized
 .PHONY: submodule
 submodule:
-	test -f "${KERNEL_SRC_SUBMODULE}/README" || git submodule update --init ${KERNEL_SRC_SUBMODULE}
-	test -f "${ZFSONLINUX_SUBMODULE}/Makefile" || git submodule update --init --recursive ${ZFSONLINUX_SUBMODULE}
+	test -f "$(KERNEL_SRC_SUBMODULE)/README" || git submodule update --init $(KERNEL_SRC_SUBMODULE)
+	test -f "$(ZFSONLINUX_SUBMODULE)/Makefile" || git submodule update --init --recursive $(ZFSONLINUX_SUBMODULE)

 # call after ABI bump with header deb in working directory
 .PHONY: abiupdate
-abiupdate: abi-prev-${KVNAME}
-abi-prev-${KVNAME}: abi-tmp-${KVNAME}
+abiupdate: abi-prev-$(KVNAME)
+abi-prev-$(KVNAME): abi-tmp-$(KVNAME)
 ifneq ($(strip $(shell git status --untracked-files=no --porcelain -z)),)
 	@echo "working directory unclean, aborting!"
 	@false
@@ -133,15 +157,15 @@ else
 	git rm "abi-prev-*"
 	mv $< $@
 	git add $@
-	git commit -s -m "update ABI file for ${KVNAME}" -m "(generated with debian/scripts/abi-generate)"
-	@echo "update abi-prev-${KVNAME} committed!"
+	git commit -s -m "update ABI file for $(KVNAME)" -m "(generated with debian/scripts/abi-generate)"
+	@echo "update abi-prev-$(KVNAME) committed!"
 endif

-abi-tmp-${KVNAME}:
-	@ test -e ${HDR_DEB} || (echo "need ${HDR_DEB} to extract ABI data!" && false)
-	debian/scripts/abi-generate ${HDR_DEB} $@ ${KVNAME} 1
+abi-tmp-$(KVNAME):
+	@ test -e $(HDR_DEB) || (echo "need $(HDR_DEB) to extract ABI data!" && false)
+	debian/scripts/abi-generate $(HDR_DEB) $@ $(KVNAME) 1

 .PHONY: clean
 clean:
-	rm -rf *~ build *.prepared ${KERNEL_CFG_ORG}
-	rm -f *.deb *.changes *.buildinfo
+	rm -rf *~ proxmox-kernel-[0-9]*/ *.prepared $(KERNEL_CFG_ORG)
+	rm -f *.deb *.dsc *.changes *.buildinfo *.build proxmox-kernel*.tar.*
@@ -1,13 +1,17 @@
 KERNEL SOURCE:
 ==============

-We currently use the Ubuntu kernel sources, available from:
+We currently use the Ubuntu kernel sources, available from our mirror:

- http://kernel.ubuntu.com/git/ubuntu/ubuntu-hirsute.git/
+ https://git.proxmox.com/?p=mirror_ubuntu-kernels.git;a=summary

 Ubuntu will maintain those kernels till:

 https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
+ or
+ https://pve.proxmox.com/pve-docs/chapter-pve-faq.html#faq-support-table
+
+ whatever happens to be earlier.


 Additional/Updated Modules:
@@ -20,6 +24,67 @@ Additional/Updated Modules:
  For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ


+BUILD
+=====
+
+As this is packaging for the Linux kernel with some extra integrations, like
+ZFS, this repo cannot be handled like a plain Linux kernel git repository.
+
+The actual Linux kernel source lives in a git submodule.
+
+For a build you should init the submodules and then handle it like most our
+Debian packaging builds. If unsure you can follow this:
+
+Installing Build-Dependencies
+-----------------------------
+
+You can either just check the package metadata template `debian/control.in`
+and install the packages listed in the `Build-Depends` section manually
+(replace `debhelper-compat` with just `debhelper`) or use a more automated way
+described below:
+
+ # install base build-dependencies and helpers
+ apt update
+ apt install devscripts
+
+ # create build-directory so that we got final packaging control files from the
+ # .in templates generated
+ make build-dir-fresh
+
+ # install build-dependencies (replace BUILD-DIR with actual one)
+ mk-build-deps -ir BUILD-DIR/debian/control
+
+
+Package Build
+-------------
+
+ # start the actual build
+ make deb
+
+For simple KConfig modifications you can adapt the list in `debian/rules` file.
+For quick code changes to the actual kernel code you can do them directly in
+the submodule/ubuntu-kernels directory, then re-create the build-directory, e.g.:
+
+ make clean
+ # now build again, explicitly creating the build-dir isn't required anymore
+ # after one has the build-dependencies already installed.
+ make deb
+
+
+Modify-Build-Test Cycles
+------------------------
+
+Ideally you avoid the need for doing a full package build and just directly
+build linux from the ubuntu-kernels or the mainline (stable) repo with copying
+over a build-config of a proxmox-kernel to that as .config and then using the
+`make olddefconfig` target.
+
+If you need full package builds you can try to make changes inside the
+BUILD-DIR directly and then continue build from there, e.g., using
+`dpkg-buildpackage -b -uc -us --no-pre-clean`. Depending on what stage you want
+to continue build you might need to touch, or remove some *.prepared files.
+Just check `debian/rules` for how kernel build progress is tracked by make.
+
 SUBMODULE
 =========

@@ -31,7 +96,7 @@ get applied with the `patch` tool. From a git point-of-view, the copied
 directory remains clean even with extra patches applied since it does not
 contain a .git directory, but a reference to the (still pristine) submodule:

-$ cat build/ubuntu-hirsute/.git
+$ cat build/ubuntu-kernel/.git

 If you mistakenly cloned the upstream repo as "normal" clone (not via the
 submodule mechanics) this means that you have a real .git directory with its
@@ -56,18 +121,30 @@ top level meta package, depends on current default kernel series meta package.

 git clone git://git.proxmox.com/git/proxmox-ve.git

-pve-kernel-meta
---------------
+proxmox-default-kernel
+----------------------

-depends on latest kernel and header package within a certain kernel series,
-e.g., pve-kernel-4.15 / pve-headers-4.15
+Depends on default kernel and header meta package, e.g., proxmox-kernel-6.2 /
+proxmox-headers-6.2.

 git clone git://git.proxmox.com/git/pve-kernel-meta.git

+proxmox-kernel-X.Y
+------------------
+
+Depends on the latest kernel (or header, in case of proxmox-headers-X.Y)
+package within a certain series.
+
+e.g., proxmox-kernel-6.2 depends on proxmox-kernel-6.2.16-6-pve
+
+NOTE: Since Proxmox VE 8, based on Debian 12 Bookworm, the kernel ABI is bumped
+with every version bump due to module signing. Since then the meta package was
+pulled into the kernel repo, before that it lived in pve-kernel-meta.git.
+
 pve-firmware
 ------------

-contains the firmware for all released PVE kernels.
+Contains the firmware for all released PVE kernels.

 git clone git://git.proxmox.com/git/pve-firmware.git

@@ -95,18 +172,18 @@ Watchdog blacklist

 By default, all watchdog modules are black-listed because it is totally undefined
 which device is actually used for /dev/watchdog.
-We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf
+We ship this list in /lib/modprobe.d/blacklist_proxmox-kernel-<VERSION>.conf
 The user typically edit /etc/modules to enable a specific watchdog device.

 Debug kernel and modules
 ------------------------

 In order to build a -dbgsym package containing an unstripped copy of the kernel
-image and modules, enable the 'pkg.pve-kernel.debug' build profile (e.g. by
-exporting DEB_BUILD_PROFILES='pkg.pve-kernel.debug'). The resulting package can
+image and modules, enable the 'pkg.proxmox-kernel.debug' build profile (e.g. by
+exporting DEB_BUILD_PROFILES='pkg.proxmox-kernel.debug'). The resulting package can
 be used together with 'crash'/'kdump-tools' to debug kernel crashes.

-Note: the -dbgsym package is only valid for the pve-kernel packages produced by
+Note: the -dbgsym package is only valid for the proxmox-kernel packages produced by
 the same build. A kernel/module from a different build will likely not match,
 even if both builds are of the same kernel and package version.

@@ -138,45 +215,34 @@ NOTE: For the exact and current list see debian/rules (PVE_CONFIG_OPTS)
 	 CONFIG_BLK_DEV_RBD=m

 - enable IBM JFS file system as module
-
-  enable it as requested by users (bug #64)
+  requested by users (bug #64)

 - enable apple HFS and HFSPLUS as module
-
-  enable it as requested by users
+  requested by users

 - enable CONFIG_BCACHE=m (requested by user)

 - enable CONFIG_BRIDGE=y
-
-  Else we get warnings on boot, that
-  net.bridge.bridge-nf-call-iptables is an unknown key
+  to avoid warnings on boot, e.g. that net.bridge.bridge-nf-call-iptables is an unknown key

 - enable CONFIG_DEFAULT_SECURITY_APPARMOR
-
  We need this for lxc

 - set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
-
  because if not set, it can give some dynamic memory or cpu frequencies 
  change, and vms can crash (mainly windows guest).
-
  see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273

 - use 'deadline' as default scheduler
-
-  This is the suggested setting for KVM. We also measure bad fsync
-  performance with ext4 and cfq.
+  This is the suggested setting for KVM. We also measure bad fsync performance with ext4 and cfq.

 - disable CONFIG_INPUT_EVBUG
-
-  Module evbug is not blacklisted on debian, so we simply disable it
-  to avoid key-event logs (which is a big security problem)
+  Module evbug is not blacklisted on debian, so we simply disable it to avoid
+  key-event logs (which is a big security problem)

 - enable CONFIG_MODVERSIONS (needed for ABI tracking)

 - switch default UNWINDER to FRAME_POINTER
-
  the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS

 - enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGbjCCBFagAwIBAgIUTVo8veNlt0qzt14J+H2mhEB2SNUwDQYJKoZIhvcNAQEL
+BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
+ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
+BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
+eG1veC5jb20wHhcNMjMwMzA2MTM1MTM0WhcNMzMwMzAzMTM1MTM0WjCBkzELMAkG
+A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
+VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEXMBUGA1UEAwwOU2Vj
+dXJlIEJvb3QgQ0ExITAfBgkqhkiG9w0BCQEWEm9mZmljZUBwcm94bW94LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ59mP8gRLqsA6P53ejy0wMk
+0qLlICtDkPXsJoi4QRHjlPErxXv5zsZ4WqSG2bQ8EW95FAf8EOF6ge+G17neYt1w
+DmlvHzLBfqTJj5EBRgVjdWOjX3AkS/elOyzHdq4rKOteUSpQlMP4ub2cAUdy/8rp
+ouTbduttNv8mymAO89/kbXCEmKFiRS+av+hykFFyXH/KTRa2QnvLVadMEkmtA+vm
+yQhYWCTD8hdisa1o3dKM0Z2l8LyzfIOsVXcwHHB7AhtR4tbLR9Tz2p/m9Gz//vj
+82dBaChh6kxIMZ8kACP28dA561R2P6ZcjzLSJ0Tq5e4tiW9SNEzuTYKTRvFeQoQh
+4usDdSF3ifXDuimShpv8Yaf4fntyIaUfnm6H5tvNr9b9Rw6ZL200LV5VugQ1EpfE
+F0+c3LQfurwT7svISgXSY62Fe/TiHFANOVXM5j3/Dr2ktKyce7BUGN4ewpWPvP99
+io+rdd4bTReuDh8j0nhsSdYKfvuOmvQpgL8Smzno54/hdpuO6cv+slCr1ApDexl8
+gAPPwCZRsH7aPc92g+YPzDm3k77RqkCXPA19KKQLYKvL7a+H3rnqgO81CdGFPHOz
+I5UruKLLeDGAWR0bo0JqDMEL8/oPh9IvGo8lFcTros0NEof6A7p8SGmxM2NodTo9
+spDVs84xDPlp4yX4u8A9AgMBAAGjgbcwgbQwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFLXxsR5I
+LbWGkynLl1qjUgX4cs16MB8GA1UdIwQYMBaAFLXxsR5ILbWGkynLl1qjUgX4cs16
+MB0GA1UdEQQWMBSBEm9mZmljZUBwcm94bW94LmNvbTAdBgNVHRIEFjAUgRJvZmZp
+Y2VAcHJveG1veC5jb20wDQYJKoZIhvcNAQELBQADggIBAAUGWTt792ibVtE9yKgq
+9YtmybKGWjDHdMKl5AcnxLD60z7cEgcUBpEXaUbTzic5rz7fYhUM29LZkF8NIA2a
+rzrF0w+J1zZZKG2VvTWmdgynNNKQ/iTRbhgSZ94hEWOwumlEW4O6HwUN+VYFx8wf
+jvyWc1K6cdCc70IeC5POjYTlXKPoDq8ysPMLhxm7dsk7DDWcR0siMbYqGLLK5cJB
+lZE+9Q3Nj/q4m3odjK1ILrDGKqWWJgxopE21e903Ej+TNw+TduXygHqwVloEXUi4
+clmMMwCfhEBI9Vuy0+QSLxvrHKbwYpWd59RBQEsUubi8sT8Oh7njgmEd/Pf9uD7U
+1Rd9I+1MkNOZXyoyvaJQl9NZ9RpyG+ZbeQoFcL2CeCy0jJQQSilI5k4RtiDrGn6R
+GxlRL/FTvGWBkQGNwvoeFwD6i7zYainf1Z7f1Dh83MxKarxpAwX61K+rHpvAvjN/
+Hd4dslj5C+p188FnGaqiFlFAgVcF//F+yZFGYu1sTIQJ5f0C3LiFLeQYi3SPTf0L
+wk78eHgo6x1cIOM3/Ct4mflHBxnrfOJ9YdEAn2MklpDT5dif+9+zpN1myCQn4HoW
+OgoWIacSuvuFczHTQf2IX4ZEEE5SZwE31f7E0cqjgXmwbz1a81UMZHzvr71rDeWi
+oRgE3Pe1htzpOmw5Ygvjtn8k
+-----END CERTIFICATE-----
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGbzCCBFegAwIBAgIUakjebPHbd0vTEj9dEa3OF+gioGMwDQYJKoZIhvcNAQEL
+BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
+ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
+BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
+eG1veC5jb20wHhcNMjMwMzA2MTQwNTI1WhcNMjcwNDE0MTQwNTI1WjCBmjELMAkG
+A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
+VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEeMBwGA1UEAwwVU2Vj
+dXJlIEJvb3QgU2lnbiAyMDIzMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJveG1v
+eC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJGReH5i3aihb/
+frdbzzNueHBt7DC9W2/GXYf0wfl8izCXz2SYM/UIZavbpzF2uhgxli3Dj4M0FyR2
+oTKRseWyy+YMiwuhQcqCw0KRS6uOUiGjOtPHsEqDFO6DP8d1gNjYkF0jzY/CNf0N
+5Sc+w8jknQJgZ9G1RGcC2ihZATx2pgG9nYA30Op8qHyhcF2KrUmh8wpXky21u0Ja
+0/whsNFNSfQrvosgUroxLd2TvBdcBJu3SXt0B15jfY4Qssjmwgfs/oU8YGaAYnIp
+PLJRqzho/kpDA3PH2lsgxv5BJHQgDuODLj3Q3dx09C71Qdb3FlQ6z9hIdFUoPrvC
+kUpZ5lEwGUyvFZtJJQvGm/1BpDj1G7P8lqODyfkJ4c77XoH7M9z945HmxrfAyjP7
+9Jk8NXA9bSy+ygPHPHlTLEc10HKvk/SRg/sGGUveTr9C6rObfP8EmvXogpS46xSn
+W9s2vFSVFyOBvLpdIhU91McBFinvQaqY0r2XTNrsU3Zp5YG3z6hh6BOLCpD/pixc
+BQyfT8wGeI59dobVSSrWqt+1vNxO02I5t7Mlam687Ix1e3C/nk7+i44WMcmB8n+x
+Dq/v/L+UJlQ75u2dsaAiYUrGcsHQWAZ34oIAfec9qCgG+OLTwobwXXiOlaWiO51n
+0xCQ4ePK+vZuDxRHaXL7hOxFCe3iKwIDAQABo4GxMIGuMB0GA1UdDgQWBBRr/2t+
+Hu0KTVTbNhd31p7aJH15IjAfBgNVHSMEGDAWgBS18bEeSC21hpMpy5dao1IF+HLN
+ejAdBgNVHREEFjAUgRJvZmZpY2VAcHJveG1veC5jb20wHQYDVR0SBBYwFIESb2Zm
+aWNlQHByb3htb3guY29tMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwMwCwYDVR0PBAQDAgbAMA0GCSqGSIb3DQEBCwUAA4ICAQBYmLgWPJSK/pP/CkZE
+iYttW1Vd0Wm4DeZVSyUh2c9AI+A+IT5otEXjCflU8sYU4vm0eEtNwhmGdVf8oZe4
+tS/2eFawDAqEQ8xMsinbMJoqvcYx9uEZPiOOo3GS2YjfUy03Q3BAOV3rMFOjP4y+
+dfYF3IWnKQxvUV0wapRyDbT62plKt4UCtBagUPcm838YRD6ax+4yK/5sojMQM1IW
+2yGgEz8jeCyPI19Ots2RBZTJU2BZ1QqRPLybvLfsENtKgKqOE14BEp6WqtYBaj89
+QZD4tbP9Mqcmnj8AfG89pb1Fj6tq0MLZsboF6i0J7uuQ6CKkb5ksQhLODLMwAZi1
+1EAgWk5btwj6ZvoOHFOjAXGJ13tmUeYt/Zipyy/ie+5LSEdFevQ+zmZzsglfX3QK
+6skoBpHs3kLcuPsoe8uhCvn/b22lHkFdYYkIwIUQFPJgdvBzD8LYHnD8P60UdsQO
+vSSt9qzsq04DCEjwhmNJUeddL9ESGNL8vgpB9GvNjFEq6QMncELkdXDoAeqGFolE
+/dj+8sVq+34plRsvD1GDDx70UWk0ZtQlvhqDJ0kxeT+yYASrwLoujK44SLq8cMJr
+JYxDoxFOy5MSw+EzEXTP9LLkYNdPv/nzPbEz3lEctczyOgBWr22272Kdv3QCHBdP
+v4+vFbHnrXmu8cC9T45r2aX3rQ==
+-----END CERTIFICATE-----
@@ -1,3 +1,638 @@
+proxmox-kernel-6.5 (6.5.13-5) bookworm; urgency=medium
+
+  * revert a backport to avoid breaking copying files within a CIFS mount
+
+  * revert a backport for the thermal subsystem that causes early boot failure
+    for some hardware using the step-wise-throttle governor
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Apr 2024 13:03:12 +0200
+
+proxmox-kernel-6.5 (6.5.13-4) bookworm; urgency=medium
+
+  * update sources to Ubuntu-6.5.0-32.32 based on stable-tree backports of up
+    to v6.1.77, v6.6.16
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 29 Mar 2024 15:28:57 +0100
+
+proxmox-kernel-6.5 (6.5.13-3) bookworm; urgency=medium
+
+  * updated sources to Ubuntu-6.5.0-27.28 to fix a regression in the tracing &
+    debugging related eventfs, potentially breaking bpftrace.
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 20 Mar 2024 11:45:08 +0100
+
+proxmox-kernel-6.5 (6.5.13-2) bookworm; urgency=medium
+
+  * update sources to Ubuntu-6.5.0-27.27 based on stable-tree backports of
+    v6.1.74, v6.6.13
+
+  * update ZFS to 2.2.3
+
+  * Revert "cherry-pick scheduler fix to avoid temporary VM freezes on NUMA
+    hosts" as user feedback did not show real improvement.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 11 Mar 2024 14:36:05 +0100
+
+proxmox-kernel-6.5 (6.5.13-1) bookworm; urgency=medium
+
+  * update sources to Ubuntu-6.5.0-20.20 based on v6.5.13 and some newer
+    stable-tree backports
+
+  * backport scheduler fix to avoid temporary VM freezes on NUMA hosts
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 05 Feb 2024 14:50:54 +0100
+
+proxmox-kernel-6.5 (6.5.11-8) bookworm; urgency=medium
+
+  * fix #5077: cherry-pick revert for aacraid resets
+
+  * fix #5158: cherry-pick ext4 fix for high-CPU flush
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 30 Jan 2024 13:27:34 +0100
+
+proxmox-kernel-6.5 (6.5.11-7) bookworm; urgency=medium
+
+  * update ZFS to 2.2.2 to make it easier for users to ensure we're not
+    affected by any recently uncovered data integrity issues (which got
+    already patched out earlier via backports).
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 05 Dec 2023 10:44:02 +0100
+
+proxmox-kernel-6.5 (6.5.11-6) bookworm; urgency=medium
+
+  * cherry-pick ZFS fix for (rare) dirty dnode data corruption bug
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 29 Nov 2023 09:32:26 +0100
+
+proxmox-kernel-6.5 (6.5.11-5) bookworm; urgency=medium
+
+  * properly set CONFIG_VFIO_VIRQFD as a boolean
+
+  * cherry-pick fix for RCU stall issue after VM live migration
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Nov 2023 20:52:25 +0100
+
+proxmox-kernel-6.5 (6.5.11-4) bookworm; urgency=medium
+
+  * add signed kernel variant for secure boot
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Nov 2023 11:19:53 +0100
+
+proxmox-kernel-6.5 (6.5.11-3) bookworm; urgency=medium
+
+  * ZFS: pick bug-fixes staged for 2.2.1:
+    - add a tunable to disable BRT support and disable it by default
+    - fix block cloning between unencrypted and encrypted datasets
+    - disable block cloning by default
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 17 Nov 2023 17:34:32 +0100
+
+proxmox-kernel-6.5 (6.5.11-2) bookworm; urgency=medium
+
+  * rebase on Ubuntu-6.5.0-14.14 to include a fix for viewing ast/bmc remote
+    consoles
+
+  * backport flexible-array-member fixes for the amdgpu module to avoid UBSAN
+    warnings.
+
+  * disable UBSAN bounds checking again completely, to many false-positives
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Nov 2023 18:19:51 +0100
+
+proxmox-kernel-6.5 (6.5.11-1) bookworm; urgency=medium
+
+  * update to v6.5.11 upstream stable release
+
+  * revert "memfd: improve userspace warnings for missing exec-related flags",
+    producing to much log noise without any benefit
+
+  * Revert "UBUNTU: SAUCE: ceph: make sure all the files successfully put
+    before unmounting"
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 08 Nov 2023 15:40:29 +0100
+
+proxmox-kernel-6.5 (6.5.3-1) bookworm; urgency=medium
+
+  * disable UBSAN bounds checking to avoid false-positive oopses due to the
+    ZFS module using an older style for declaring flexible array member.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 23 Oct 2023 10:03:52 +0200
+
+proxmox-kernel-6.5 (6.5.3-1~1) bookworm; urgency=medium
+
+  * update kernel to 6.5 based Ubuntu 23.10 Mantic release
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 13 Oct 2023 15:28:11 +0200
+
+proxmox-kernel-6.2 (6.2.16-19) bookworm; urgency=medium
+
+  * backport exposing FLUSHBYASID when running nested VMs on AMD CPUs to fix
+    nesting of some hyper-visors like VMware Workstation.
+
+  * backport constraining guest-supported xfeatures only at KVM_GET_XSAVE{2}
+    to further improve compatibility for guests w.r.t. live-migration, or live
+    snapshot rollback, to hosts with less (FPU) xfeatures supported.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 24 Oct 2023 14:07:51 +0200
+
+proxmox-kernel-6.2 (6.2.16-18) bookworm; urgency=medium
+
+  * backport fix for AMD erratum #1485 on Zen4-based CPUs to avoid triggering
+    undefined instruction exceptions when disabling all, or certain security
+    mitigations, like using the "mitigations=off" kernel command line
+    parameter
+
+  * backport ZFS fix to avoid crashes and hangs if used on modern Intel HW
+    like the Xeon Scalable 4th Gen "Sapphire Rapids" CPUs due to a HW bug as
+    per Intel SPR erratum SPR4
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Oct 2023 17:05:18 +0200
+
+proxmox-kernel-6.2 (6.2.16-16) bookworm; urgency=medium
+
+  * update sources to Ubuntu-6.2.0-36.36
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Oct 2023 07:42:21 +0200
+
+proxmox-kernel-6.2 (6.2.16-15) bookworm; urgency=medium
+
+  * fix thunderbolt ring-interrupt not being masked on suspend
+
+  * cherry-pick fix to avoid potentially offlining one CPU thread on some EPYC
+    CPUs with a new amd64-microcode package (still in unstable).
+
+  * update ZFS to 2.1.13
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Sep 2023 15:53:58 +0200
+
+proxmox-kernel-6.2 (6.2.16-14) bookworm; urgency=medium
+
+  * cherry-pick fix for setting X86_FEATURE_OSXSAVE feature improving
+    performance of some code that tries to live-detect available CPU features,
+    like, e.g., ZFS.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 19 Sep 2023 10:17:16 +0200
+
+proxmox-kernel-6.2 (6.2.16-13) bookworm; urgency=medium
+
+  * fix #4707: add override parameter for RMRR relaxation
+
+  * backport thunderbolt-net fixes for IPv6 and connection re-establishment
+    after a node got rebooted
+
+  * update sources to Ubuntu-6.2.0-34.34
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Sep 2023 15:31:57 +0200
+
+proxmox-kernel-6.2 (6.2.16-12) bookworm; urgency=medium
+
+  * cherry-pick fix for KVM vCPU page-fault loop.
+    Due to too small and signed type used for an memory related sequence
+    counter there was a chance that for long-lived VMs KVM would effectively
+    hang vCPUs due to always thinking page faults are stale, which results in
+    KVM refusing to "fix" faults.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Sep 2023 15:21:22 +0200
+
+proxmox-kernel-6.2 (6.2.16-11) bookworm; urgency=medium
+
+  * cherry-pick fix to surpress faulty segfault logging. While harmless, such
+    logs can look scary and might let people follow them like a red herring.
+
+  * update sources to Ubuntu-6.2.0-32.32
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 31 Aug 2023 11:56:15 +0200
+
+proxmox-kernel-6.2 (6.2.16-10) bookworm; urgency=medium
+
+  * disable CONFIG_GDS_FORCE_MITIGATION again
+    when not having installed a new-enough intel-microcode, this disables AVX
+    instructions which breaks a lot of software
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Aug 2023 13:42:38 +0200
+
+proxmox-kernel-6.2 (6.2.16-9) bookworm; urgency=medium
+
+  * add fixes for downfall
+
+  * enable mitigation config option CONFIG_GDS_FORCE_MITIGATION
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 16 Aug 2023 10:07:11 +0200
+
+proxmox-kernel-6.2 (6.2.16-8) bookworm; urgency=medium
+
+  * sign modules and set trust anchor/lockdown to allow manual secure boot
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 02 Aug 2023 14:17:00 +0200
+
+proxmox-kernel-6.2 (6.2.16-7) bookworm; urgency=medium
+
+  * change `pve-` prefix to `proxmox-`
+
+  * merge proxmox-kernel-meta packaging into main kernel repository
+
+  * bump ABI to 6.2.16-6
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 01 Aug 2023 13:23:46 +0200
+
+pve-kernel (6.2.16-6) bookworm; urgency=medium
+
+  * fix #4833: backport fix for recovering potential NX huge pages
+
+  * fix #4770: backport "nvme: don't reject probe due to duplicate IDs"
+
+  * backport Zenbleed stop-gap workaround for CVE-2023-20593, the actual fix
+    is the amd64-microcode update.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Jul 2023 17:33:45 +0200
+
+pve-kernel (6.2.16-5) bookworm; urgency=medium
+
+  * kvm: xsave set: mask-out PKRU bit in xfeatures if vCPU has no support to
+    improve live-migrations & snapshot-rollback of VMs running on modern Intel
+    CPUs (Skylake-Server or Tiger Lake Desktop), if configured with a
+    restricted vCPU type (e.g., qemu64) and if the migration source is from
+    our 5.15 based kernel (default in Proxmox VE 7.4) to the 6.2 (and future
+    newer) of Proxmox VE 8.0 as target.
+    This copes with the fallout of a fix, that while itself improved migration
+    compatibility for clusters with different host-CPU models, caused another
+    issue on the transition between the older "broken" and newer "fixed"
+    kernels for homogeneous clusters, i.e., those with the same PVE host-CPU
+    model.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 14 Jul 2023 19:53:39 +0200
+
+pve-kernel (6.2.16-4) bookworm; urgency=medium
+
+  * backport fixes for StackRot (CVE-2023-3269)
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 07 Jul 2023 06:22:28 +0200
+
+pve-kernel (6.2.16-3) bookworm; urgency=medium
+
+  * update to Ubuntu-6.2.0-25.25
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 17 Jun 2023 07:58:57 +0200
+
+pve-kernel (6.2.16-2) bookworm; urgency=medium
+
+  * update ZFS to 2.1.12
+
+  * bump ABI to 6.2.16-2
+
+  * backport "net/sched: flower: fix possible OOB write in fl_set_geneve_opt()"
+
+  * backport re-adding mdev_set_iommu_device() kABI for support of SRIOV based
+    Nvidia vGPU
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 13 Jun 2023 15:30:53 +0200
+
+pve-kernel (6.2.16-1) bookworm; urgency=medium
+
+  * update to Ubuntu-6.2.0-23.23 and pull in stable fixes up to v6.2.16
+
+  * build for Debian 12 Bookworm based releases
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 20 May 2023 19:23:34 +0200
+
+pve-kernel (6.2.11-2) bullseye; urgency=medium
+
+  * backport "netfilter: nf_tables: deactivate anonymous set from preparation
+    phase"
+
+  * bump ABI to 6.2.11-2
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 10 May 2023 11:13:34 +0200
+
+pve-kernel (6.2.11-1) bullseye; urgency=medium
+
+  * update kernel to Proxmox-6.2.11-1
+
+  * update ZFS to 2.1.11
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 20 Apr 2023 11:59:36 +0200
+
+pve-kernel (6.2.9-1) bullseye; urgency=medium
+
+  * update to Ubuntu-6.2.0-19.19 and cherry-pick patches up to 6.2.9
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 31 Mar 2023 12:48:33 +0200
+
+pve-kernel (6.2.6-1) bullseye; urgency=medium
+
+  * update to Ubuntu-6.2.0-17.17 based on 6.2.6
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Mar 2023 18:08:23 +0100
+
+pve-kernel (6.2.2-1) bullseye; urgency=medium
+
+  * update to Ubuntu-6.2.0-1.1
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 13 Mar 2023 17:57:00 +0100
+
+pve-kernel (6.1.15-1) bullseye; urgency=medium
+
+  * update to Proxmox-6.1.15-1
+
+  * backport patch to fix issue with large IO requests
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 08 Mar 2023 09:53:18 +0100
+
+pve-kernel (6.1.14-1) bullseye; urgency=medium
+
+  * update to Proxmox-6.1.14-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Feb 2023 18:09:47 +0100
+
+pve-kernel (6.1.10-1) bullseye; urgency=medium
+
+  * update to Proxmox-6.1.10-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 07 Feb 2023 14:10:10 +0100
+
+pve-kernel (6.1.6-1) bullseye; urgency=medium
+
+  * update ZFS to 2.1.9
+
+  * update to Ubuntu-6.1.0-14.14 based on upstream 6.1.6
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 28 Jan 2023 15:05:09 +0100
+
+pve-kernel (6.1.2-1) bullseye; urgency=medium
+
+  * backport ZFS compat fixes for Linux 6.1 w.r.t. a OTMPFILE open syscall
+
+  * update to Ubuntu-6.1.0-12.12
+
+  * backport a few newer fixes-of-fixes from 6.1.4
+
+  * bump ABI to 6.1.2-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 07 Jan 2023 14:56:01 +0100
+
+pve-kernel (6.1.0-1) bullseye; urgency=medium
+
+  * update to Ubuntu-6.1.0-1.1 based on upstram v6.1
+
+  * update ZFS to 2.1.7
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 13 Dec 2022 15:08:53 +0100
+
+pve-kernel (5.19.17-1) bullseye; urgency=medium
+
+  * update to Ubuntu-5.19.0-24.25
+
+  * bump ABI to 5.19.17-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 14 Nov 2022 20:25:12 +0100
+
+pve-kernel (5.19.7-2) bullseye; urgency=medium
+
+  * update ZFS to 2.1.6
+
+  * update to Ubuntu-5.19.0-19.19
+
+  * bump ABI to 5.19.7-2
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Oct 2022 17:18:40 +0200
+
+pve-kernel (5.19.7-1) bullseye; urgency=medium
+
+  * update to 5.19.7 based on Ubuntu-5.19.0-16.16
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 06 Sep 2022 07:54:58 +0200
+
+pve-kernel (5.19.0-1) bullseye; urgency=medium
+
+  * update to 5.19.0 based from Ubuntu-5.19.0-14.14
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Aug 2022 09:18:39 +0200
+
+pve-kernel (5.19.0-1~rc8+2) bullseye; urgency=medium
+
+  * backport smm fixes
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 27 Jul 2022 11:27:10 +0200
+
+pve-kernel (5.19.0-1~rc8+1) bullseye; urgency=medium
+
+  * update to 5.19.0-rc8 based from Ubuntu-5.19.0-11.11
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jul 2022 11:47:30 +0200
+
+pve-kernel (5.15.53-1) bullseye; urgency=medium
+
+  * update to Ubuntu-5.15.0-48.54
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 26 Aug 2022 16:53:52 +0200
+
+pve-kernel (5.15.39-4) bullseye; urgency=medium
+
+  * update "SMM emulation and interrupt shadow fixes" to v3
+
+  * bump ABI to 5.15.35-4
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Aug 2022 15:11:15 +0200
+
+pve-kernel (5.15.39-3) bullseye; urgency=medium
+
+  * backport "SMM emulation and interrupt shadow fixes"
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 27 Jul 2022 13:45:39 +0200
+
+pve-kernel (5.15.39-2) bullseye; urgency=medium
+
+  * update to Ubuntu-5.15.0-45.48
+
+  * update ZFS to 2.1.5
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 20 Jul 2022 17:22:19 +0200
+
+pve-kernel (5.15.39-1) bullseye; urgency=medium
+
+  * update to Ubuntu-5.15.0-41.44
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 22 Jun 2022 17:22:00 +0200
+
+pve-kernel (5.15.35-6) bullseye; urgency=medium
+
+  * update to Ubuntu-5.15.0-40.43
+
+  * bump ABI to 5.15.35-3
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 17 Jun 2022 13:42:35 +0200
+
+pve-kernel (5.15.35-5) bullseye; urgency=medium
+
+  * backport netfilter nf_table sanitiation fixes
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 08 Jun 2022 15:02:51 +0200
+
+pve-kernel (5.15.35-4) bullseye; urgency=medium
+
+  * update to Ubuntu-5.15.0-36.37
+
+  * fix #4083: backport "EDAC/amd64: Add PCI device IDs for family 19h
+    model 50h"
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 02 Jun 2022 13:48:41 +0200
+
+pve-kernel (5.15.35-3) bullseye; urgency=medium
+
+  * fix #4039: backport aquantia atlantic NIC fixes
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 11 May 2022 07:57:51 +0200
+
+pve-kernel (5.15.35-2) bullseye; urgency=medium
+
+  * cherry pick "NFSv4.1 provide mount option to toggle trunking discovery"
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 05 May 2022 13:54:35 +0200
+
+pve-kernel (5.15.35-1) bullseye; urgency=medium
+
+  * update to Ubuntu-5.15.0-29.30
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 04 May 2022 12:32:49 +0200
+
+pve-kernel (5.15.30-3) bullseye; urgency=medium
+
+  * backport "io_uring: fix race between timeout flush and removal"
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 22 Apr 2022 18:08:27 +0200
+
+pve-kernel (5.15.30-2) bullseye; urgency=medium
+
+  * update sources to Ubuntu-5.15.0-27.28
+
+  * bump ABI to 5.15.30-2
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 22 Apr 2022 11:15:56 +0200
+
+pve-kernel (5.15.30-1) bullseye; urgency=medium
+
+  * update sources to Ubuntu-5.15.0-24.24 based on 5.15.30
+
+  * update ZFS to 2.1.4
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Mar 2022 10:36:02 +0200
+
+pve-kernel (5.15.27-1) bullseye; urgency=medium
+
+  * update sources to Ubuntu-5.15.0-23.23 based on 5.15.27
+
+  * update ZFS to 2.1.3
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 12 Mar 2022 15:16:17 +0100
+
+pve-kernel (5.15.19-3) bullseye; urgency=medium
+
+  * backport "lib/iov_iter: initialize "flags" in new pipe_buffer"
+    fixing CVE-2022-0847 "dirty pipe"
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 07 Mar 2022 16:23:02 +0100
+
+pve-kernel (5.15.19-2) bullseye; urgency=medium
+
+  * backport fbdev memory region release improvements
+
+  * ensure 'simpledrm' module gets build, allowing it to take over any system
+    VGA/VBE/EFI framebuffer directly
+
+  * bump ABI to 5.15.19-2
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Feb 2022 11:19:02 +0100
+
+pve-kernel (5.15.19-1) bullseye; urgency=medium
+
+  * update sources to Ubuntu-5.15.0-20.20 based on 5.15.19
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 04 Feb 2022 06:09:14 +0100
+
+pve-kernel (5.15.17-1) bullseye; urgency=medium
+
+  * update sources to Ubuntu-5.15.0-19.19 based on 5.15.17
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 31 Jan 2022 09:41:30 +0100
+
+pve-kernel (5.15.12-3) bullseye; urgency=medium
+
+  * backport "vfs: fs_context: fix up param length parsing in
+    legacy_parse_param"
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 20 Jan 2022 16:36:44 +0100
+
+pve-kernel (5.15.12-2) bullseye; urgency=medium
+
+  * update sources to Ubuntu-5.15.0-16.16 based on 5.15.12
+
+  * update ZFS to 2.1.2
+
+  * ZFS: cherry-pick lock-inversion patch for zvol_open
+
+  * cherry-pick "blk-cgroup: always terminate io.stat lines"
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 11 Jan 2022 16:43:18 +0100
+
+pve-kernel (5.15.7-1) bullseye; urgency=medium
+
+  * update to Ubuntu-5.15.0-14.14
+
+  * bump ABI to 5.15.7-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Dec 2021 16:42:34 +0100
+
+pve-kernel (5.15.5-1) bullseye; urgency=medium
+
+  * update to upcomming Ubuntu 22.04, Jammy Jellyfish kernel
+
+  * bump ABI to 5.15.5-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Nov 2021 18:49:57 +0100
+
+pve-kernel (5.13.19-4) bullseye; urgency=medium
+
+  * update sources to Ubuntu-5.13.0-23.23
+
+  * bump ABI to 5.13.19-2
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Nov 2021 12:10:09 +0100
+
+pve-kernel (5.13.19-3) bullseye; urgency=medium
+
+  * backport two io-wq fixes relevant for io_uring
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Nov 2021 13:31:19 +0100
+
+pve-kernel (5.13.19-2) bullseye; urgency=medium
+
+  * re-enable retrying to get a blockdev on ERESTARTSYS to work around
+    ZFS still depending on that
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 09 Nov 2021 12:59:38 +0100
+
+pve-kernel (5.13.19-1) bullseye; urgency=medium
+
+  * update sources to Ubuntu-5.13.0-22.22
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 06 Nov 2021 13:08:30 +0100
+
+pve-kernel (5.13.18-1) bullseye; urgency=medium
+
+  * update sources to Ubuntu-5.13.0-21.21
+
+  * bump ABI to 5.13.18-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 19 Oct 2021 13:42:26 +0200
+
+pve-kernel (5.13.14-1) bullseye; urgency=medium
+
+  * update kernel-base to Ubuntu 21.10 Impish kernel
+
+  * update ZFS to 2.1.1
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 28 Sep 2021 06:16:44 +0200
+
 pve-kernel (5.11.22-9) bullseye; urgency=medium

  * backport "blk-mq: fix kernel panic during iterating over flush
@@ -1 +0,0 @@
-10
@@ -1,4 +1,4 @@
-Source: pve-kernel
+Source: proxmox-kernel-@KVMAJMIN@
 Section: devel
 Priority: optional
 Maintainer: Proxmox Support Team <support@proxmox.com>
@@ -7,7 +7,7 @@ Build-Depends: asciidoc-base,
               bc,
               bison,
               cpio,
-               debhelper (>= 10~),
+               debhelper-compat (= 13),
               dh-python,
               dwarves,
               file,
@@ -25,15 +25,15 @@ Build-Depends: asciidoc-base,
               libtool,
               lintian,
               lz4,
-               perl-modules,
+               python3-dev,
               python3-minimal,
               rsync,
-               sed,
               sphinx-common,
-               tar,
               xmlto,
-               zlib1g-dev
-Build-Conflicts: pve-headers-@KVNAME@
+               zlib1g-dev,
+               zstd,
+Build-Conflicts: proxmox-headers-@KVNAME@,
+Standards-Version: 4.6.2
 Vcs-Git: git://git.proxmox.com/git/pve-kernel
 Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git

@@ -41,52 +41,84 @@ Package: linux-tools-@KVMAJMIN@
 Architecture: any
 Section: devel
 Priority: optional
-Depends: linux-base, ${misc:Depends}, ${shlibs:Depends}
+Depends: linux-base, ${misc:Depends}, ${shlibs:Depends},
 Description: Linux kernel version specific tools for version @KVMAJMIN@
 This package provides the architecture dependent parts for kernel
 version locked tools (such as perf and x86_energy_perf_policy)

-Package: pve-headers-@KVNAME@
+Package: proxmox-headers-@KVNAME@
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-headers
-Depends: coreutils | fileutils (>= 4.0)
-Description: The Proxmox PVE Kernel Headers
+Provides: linux-headers-@KVNAME@-amd64, pve-headers-@KVNAME@
+Depends: ${misc:Depends},
+Description: Proxmox Kernel Headers
 This package contains the linux kernel headers

-Package: pve-kernel-@KVNAME@
+Package: proxmox-kernel-@KVNAME@
 Section: admin
 Priority: optional
 Architecture: any
-Provides: linux-image
-Suggests: pve-firmware
-Depends: busybox, initramfs-tools
-Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64
-Description: The Proxmox PVE Kernel Image
+Provides: linux-image-@KVNAME@-amd64, pve-kernel-@KVNAME@
+Suggests: pve-firmware,
+Depends: busybox, initramfs-tools | linux-initramfs-tool, ${misc:Depends},
+Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64,
+Description: Proxmox Kernel Image
 This package contains the linux kernel and initial ramdisk used for booting

-Package: pve-kernel-@KVNAME@-dbgsym
+Package: proxmox-kernel-@KVNAME@-dbgsym
 Architecture: any
-Provides: linux-debug
+Provides: linux-debug, pve-kernel-@KVNAME@-dbgsym
 Section: devel
 Priority: optional
-Build-Profiles: <pkg.pve-kernel.debug>
-Description: The Proxmox PVE Kernel debug image
+Build-Profiles: <pkg.proxmox-kernel.debug>
+Depends: ${misc:Depends},
+Description: Proxmox Kernel debug image
 This package provides the kernel debug image for version @KVNAME@. The debug
 kernel image contained in this package is NOT meant to boot from - it is
 uncompressed, and unstripped, and suitable for use with crash/kdump-tools/..
- to analyze kernel crashes. This package also contains the pve-kernel modules
+ to analyze kernel crashes. This package also contains the proxmox-kernel modules
 in their unstripped version.

-Package: pve-kernel-libc-dev
+Package: proxmox-kernel-@KVNAME@-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed kernel package
+ This package is used to control code signing by the Proxmox signing
+ service.
+
+Package: proxmox-kernel-libc-dev
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-libc-dev (=${binary:Version})
-Conflicts: linux-libc-dev
-Replaces: linux-libc-dev
-Depends: ${misc:Depends}
+Provides: linux-libc-dev (=${binary:Version}), pve-kernel-libc-dev
+Conflicts: linux-libc-dev,
+Replaces: linux-libc-dev, pve-kernel-libc-dev
+Breaks: pve-kernel-libc-dev
+Depends: ${misc:Depends},
 Description: Linux support headers for userspace development
 This package provides userspaces headers from the Linux kernel.  These headers
 are used by the installed headers for GNU libc and other system libraries.
+
+Package: proxmox-headers-@KVMAJMIN@
+Architecture: all
+Section: admin
+Provides: linux-headers-amd64, linux-headers-generic, pve-headers-@KVMAJMIN@
+Replaces: pve-headers-@KVMAJMIN@
+Priority: optional
+Depends: proxmox-headers-@KVNAME@, ${misc:Depends},
+Description: Latest Proxmox Kernel Headers
+ This is a metapackage which will install the kernel headers
+ for the latest available proxmox kernel from the @KVMAJMIN@
+ series.
+
+Package: proxmox-kernel-@KVMAJMIN@
+Architecture: all
+Section: admin
+Provides: linux-image-amd64, linux-image-generic, wireguard-modules (=1.0.0), pve-kernel-@KVMAJMIN@
+Replaces: pve-kernel-@KVMAJMIN@
+Priority: optional
+Depends: pve-firmware, proxmox-kernel-@KVNAME@-signed | proxmox-kernel-@KVNAME@, ${misc:Depends},
+Description: Latest Proxmox Kernel Image
+ This is a metapackage which will install the latest available
+ proxmox kernel from the @KVMAJMIN@ series.
@@ -1,11 +1,8 @@
 This is a prepackaged version of the Linux kernel binary image.

-This package was put together by Proxmox Server
-Solutions GmbH <support@proxmox.com>.
-
-We use the RHEL7 kernel sources, available from:
-
-ftp://ftp.redhat.com/redhat/rhel/
+For the packaging and all files in the debian/ folder consider:
+ Copyright (C) 2007-2022 Proxmox Server Solutions GmbH
+ Licensed under the AGPL-3.0-or-later

 Linux is copyrighted by Linus Torvalds and others.

@@ -0,0 +1,17 @@
+#! /bin/sh
+
+# Abort if any command returns an error value 
+set -e
+
+case "$1" in
+  configure)
+    # setup kernel links for installation CD (rescue boot)
+    mkdir -p /boot/pve
+    ln -sf /boot/vmlinuz-@@KVNAME@@ /boot/pve/vmlinuz-@@KVMAJMIN@@
+    ln -sf /boot/initrd.img-@@KVNAME@@ /boot/pve/initrd.img-@@KVMAJMIN@@
+    ;;
+esac
+
+#DEBHELPER#
+
+exit 0
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+# Abort if any command returns an error value
+set -e
+
+case "$1" in
+    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+        # remove kernel symlinks
+        rm -f /boot/pve/vmlinuz-@@KVNAME@@
+        rm -f /boot/pve/initrd.img-@@KVNAME@@
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#
@@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 # Ignore all invocations except when called on to configure.
 exit 0 unless $ARGV[0] =~ /configure/;
@@ -16,10 +17,9 @@ system("depmod $version");

 if (-d "/etc/kernel/postinst.d") {
  print STDERR "Examining /etc/kernel/postinst.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " .
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/postinst.d") &&
-            die "Failed to process /etc/kernel/postinst.d";
+  system(
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/postinst.d"
+  ) && die "Failed to process /etc/kernel/postinst.d";
 }

 exit 0
@@ -0,0 +1,46 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+# Ignore all 'upgrade' invocations .
+exit 0 if $ARGV[0] =~ /upgrade/;
+
+my $imagedir = "/boot";
+
+my $version = "@@KVNAME@@";
+
+if (-d "/etc/kernel/postrm.d") {
+  print STDERR "Examining /etc/kernel/postrm.d.\n";
+  system (
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/postrm.d"
+  ) && die "Failed to process /etc/kernel/postrm.d";
+}
+
+unlink "$imagedir/initrd.img-$version";
+unlink "$imagedir/initrd.img-$version.bak";
+unlink "/var/lib/initramfs-tools/$version";
+
+# Ignore all invocations except when called on to purge.
+exit 0 unless $ARGV[0] =~ /purge/;
+
+my @files_to_remove = qw{
+    modules.dep modules.isapnpmap modules.pcimap
+    modules.usbmap modules.parportmap
+    modules.generic_string modules.ieee1394map
+    modules.ieee1394map modules.pnpbiosmap
+    modules.alias modules.ccwmap modules.inputmap
+    modules.symbols modules.ofmap
+    modules.seriomap modules.*.bin
+    modules.softdep modules.devname
+};
+
+foreach my $extra_file (@files_to_remove) {
+    for (glob("/lib/modules/$version/$extra_file")) {
+	unlink;
+    }
+}
+
+system ("rmdir", "/lib/modules/$version") if -d "/lib/modules/$version";
+
+exit 0
@@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 # Ignore all invocations uxcept when called on to remove
 exit 0 unless ($ARGV[0] && $ARGV[0] =~ /remove/) ;
@@ -14,10 +15,9 @@ my $version = "@@KVNAME@@";

 if (-d "/etc/kernel/prerm.d") {
  print STDERR "Examining /etc/kernel/prerm.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " . 
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/prerm.d") &&
-	  die "Failed to process /etc/kernel/prerm.d";
+  system(
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/prerm.d"
+  ) && die "Failed to process /etc/kernel/prerm.d";
 }

 exit 0
@@ -1,46 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-
-# Ignore all 'upgrade' invocations .
-exit 0 if $ARGV[0] =~ /upgrade/;
-
-my $imagedir = "/boot";
-
-my $version = "@@KVNAME@@";
-
-if (-d "/etc/kernel/postrm.d") {
-  print STDERR "Examining /etc/kernel/postrm.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " .
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/postrm.d") &&
-            die "Failed to process /etc/kernel/postrm.d";
-}
-
-unlink "$imagedir/initrd.img-$version";
-unlink "$imagedir/initrd.img-$version.bak";
-unlink "/var/lib/initramfs-tools/$version";
-
-# Ignore all invocations except when called on to purge.
-exit 0 unless $ARGV[0] =~ /purge/;
-
-my @files_to_remove = qw{
-                         modules.dep modules.isapnpmap modules.pcimap
-                         modules.usbmap modules.parportmap
-                         modules.generic_string modules.ieee1394map
-                         modules.ieee1394map modules.pnpbiosmap
-                         modules.alias modules.ccwmap modules.inputmap
-                         modules.symbols modules.ofmap
-                         modules.seriomap modules.*.bin
-			 modules.softdep modules.devname
-                       };
-
-foreach my $extra_file (@files_to_remove) {
-    for (glob("/lib/modules/$version/$extra_file")) {
-	unlink;
-    }
-}
-
-system ("rmdir", "/lib/modules/$version") if -d "/lib/modules/$version";
-
-exit 0
@@ -9,19 +9,25 @@ BUILD_DIR=$(shell pwd)

 include /usr/share/dpkg/default.mk
 include debian/rules.d/env.mk
-include debian/rules.d/${DEB_BUILD_ARCH}.mk
+include debian/rules.d/$(DEB_BUILD_ARCH).mk
+
+MAKEFLAGS += $(subst parallel=,-j,$(filter parallel=%,${DEB_BUILD_OPTIONS}))

 CHANGELOG_DATE:=$(shell dpkg-parsechangelog -SDate)
+CHANGELOG_DATE_UTC_ISO := $(shell date -u -d '$(CHANGELOG_DATE)' +%Y-%m-%dT%H:%MZ)

-PVE_KERNEL_PKG=pve-kernel-${KVNAME}
-PVE_DEBUG_KERNEL_PKG=pve-kernel-${KVNAME}-dbgsym
-PVE_HEADER_PKG=pve-headers-${KVNAME}
-PVE_USR_HEADER_PKG=pve-kernel-libc-dev
-LINUX_TOOLS_PKG=linux-tools-${KERNEL_MAJMIN}
-KERNEL_SRC_COPY=${KERNEL_SRC}_tmp
+PMX_KERNEL_PKG=proxmox-kernel-$(KVNAME)
+PMX_KERNEL_SERIES_PKG=proxmox-kernel-$(KERNEL_MAJMIN)
+PMX_DEBUG_KERNEL_PKG=proxmox-kernel-$(KVNAME)-dbgsym
+PMX_HEADER_PKG=proxmox-headers-$(KVNAME)
+PMX_USR_HEADER_PKG=proxmox-kernel-libc-dev
+PMX_KERNEL_SIGNING_TEMPLATE_PKG=proxmox-kernel-${KVNAME}-signed-template
+PMX_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')
+LINUX_TOOLS_PKG=linux-tools-$(KERNEL_MAJMIN)
+KERNEL_SRC_COPY=$(KERNEL_SRC)_tmp

 # TODO: split for archs, move to files?
-PVE_CONFIG_OPTS= \
+PMX_CONFIG_OPTS= \
 -m INTEL_MEI_WDT \
 -d CONFIG_SND_PCM_OSS \
 -e CONFIG_TRANSPARENT_HUGEPAGE_MADVISE \
@@ -29,6 +35,7 @@ PVE_CONFIG_OPTS= \
 -m CONFIG_CEPH_FS \
 -m CONFIG_BLK_DEV_NBD \
 -m CONFIG_BLK_DEV_RBD \
+-m CONFIG_BLK_DEV_UBLK \
 -d CONFIG_SND_PCSP \
 -m CONFIG_BCACHE \
 -m CONFIG_JFS_FS \
@@ -47,12 +54,20 @@ PVE_CONFIG_OPTS= \
 -d CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND \
 -d CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL \
 -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
-d CONFIG_MODULE_SIG \
+-e CONFIG_SYSFB_SIMPLEFB \
+-e CONFIG_DRM_SIMPLEDRM \
+-e CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG_ALL \
+-e CONFIG_MODULE_SIG_FORMAT \
+--set-str CONFIG_MODULE_SIG_HASH sha512 \
+--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
+-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
+-e CONFIG_MODULE_SIG_SHA512 \
 -d CONFIG_MEMCG_DISABLED \
 -e CONFIG_MEMCG_SWAP_ENABLED \
 -e CONFIG_HYPERV \
 -m CONFIG_VFIO_IOMMU_TYPE1 \
-m CONFIG_VFIO_VIRQFD \
+-e CONFIG_VFIO_VIRQFD \
 -m CONFIG_VFIO \
 -m CONFIG_VFIO_PCI \
 -m CONFIG_USB_XHCI_HCD \
@@ -70,29 +85,51 @@ PVE_CONFIG_OPTS= \
 -d CONFIG_DEFAULT_CFQ \
 -e CONFIG_DEFAULT_DEADLINE \
 -e CONFIG_MODVERSIONS \
+-e CONFIG_ZSTD_COMPRESS \
 -d CONFIG_DEFAULT_SECURITY_DAC \
 -e CONFIG_DEFAULT_SECURITY_APPARMOR \
 --set-str CONFIG_DEFAULT_SECURITY apparmor \
+-e CONFIG_MODULE_ALLOW_BTF_MISMATCH \
 -d CONFIG_UNWINDER_ORC \
 -d CONFIG_UNWINDER_GUESS \
 -e CONFIG_UNWINDER_FRAME_POINTER \
 --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
 --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
-d CONFIG_SECURITY_LOCKDOWN_LSM \
-d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
--set-str CONFIG_LSM yama,integrity,apparmor \
-e CONFIG_PAGE_TABLE_ISOLATION
+-e CONFIG_SECURITY_LOCKDOWN_LSM \
+-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
+--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
+-e CONFIG_PAGE_TABLE_ISOLATION \
+-e CONFIG_ARCH_HAS_CPU_FINALIZE_INIT \
+-d CONFIG_GDS_FORCE_MITIGATION \
+-d CONFIG_WQ_CPU_INTENSIVE_REPORT \
+-d CONFIG_N_GSM \
+-d UBSAN_BOUNDS \

 debian/control: $(wildcard debian/*.in)
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.prerm.in > debian/${PVE_KERNEL_PKG}.prerm
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postrm.in > debian/${PVE_KERNEL_PKG}.postrm
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postinst.in > debian/${PVE_KERNEL_PKG}.postinst
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-headers.postinst.in > debian/${PVE_HEADER_PKG}.postinst
-	chmod +x debian/${PVE_KERNEL_PKG}.prerm
-	chmod +x debian/${PVE_KERNEL_PKG}.postrm
-	chmod +x debian/${PVE_KERNEL_PKG}.postinst
-	chmod +x debian/${PVE_HEADER_PKG}.postinst
-	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/${KERNEL_MAJMIN}/g' < debian/control.in > debian/control
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.prerm.in > debian/$(PMX_KERNEL_PKG).prerm
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postrm.in > debian/$(PMX_KERNEL_PKG).postrm
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postinst.in > debian/$(PMX_KERNEL_PKG).postinst
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-headers.postinst.in > debian/$(PMX_HEADER_PKG).postinst
+	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postrm.in > debian/$(PMX_KERNEL_SERIES_PKG).postrm
+	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postinst.in > debian/$(PMX_KERNEL_SERIES_PKG).postinst
+	chmod +x debian/$(PMX_KERNEL_PKG).prerm
+	chmod +x debian/$(PMX_KERNEL_PKG).postrm
+	chmod +x debian/$(PMX_KERNEL_PKG).postinst
+	chmod +x debian/$(PMX_KERNEL_SERIES_PKG).postrm
+	chmod +x debian/$(PMX_KERNEL_SERIES_PKG).postinst
+	chmod +x debian/$(PMX_HEADER_PKG).postinst
+	sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control
+
+	# signing-template
+	sed -e '1 s/proxmox-kernel/proxmox-kernel-signed/' -e '1 s/${DEB_VERSION}/${PMX_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog
+	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control
+	sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json
+	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.prerm.in > debian/signing-template/prerm
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postrm.in > debian/signing-template/postrm
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postinst.in > debian/signing-template/postinst
+	rm debian/signing-template/*.in
+	cp debian/SOURCE debian/signing-template/

 build: .compile_mark .tools_compile_mark .modules_compile_mark

@@ -106,7 +143,7 @@ install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_in

 binary: install
 	debian/rules fwcheck abicheck
-	dh_strip -N${PVE_HEADER_PKG} -N${PVE_USR_HEADER_PKG}
+	dh_strip -N$(PMX_HEADER_PKG) -N$(PMX_USR_HEADER_PKG)
 	dh_makeshlibs
 	dh_shlibdeps
 	dh_installdeb
@@ -115,82 +152,106 @@ binary: install
 	dh_builddeb

 .config_mark:
-	cd ${KERNEL_SRC}; scripts/config ${PVE_CONFIG_OPTS}
-	${MAKE} -C ${KERNEL_SRC} oldconfig
+	cd $(KERNEL_SRC); scripts/config $(PMX_CONFIG_OPTS)
+	$(MAKE) -C $(KERNEL_SRC) olddefconfig
 	# copy to allow building in parallel to kernel/module compilation without interference
-	rm -rf ${KERNEL_SRC_COPY}
-	cp -ar ${KERNEL_SRC} ${KERNEL_SRC_COPY}
+	rm -rf $(KERNEL_SRC_COPY)
+	cp -ar $(KERNEL_SRC) $(KERNEL_SRC_COPY)
 	touch $@

 .compile_mark: .config_mark
-	${MAKE} -C ${KERNEL_SRC} KBUILD_BUILD_VERSION_TIMESTAMP="PVE ${DEB_VERSION} (${CHANGELOG_DATE})"
+	$(MAKE) -C $(KERNEL_SRC) KBUILD_BUILD_VERSION_TIMESTAMP="PMX $(DEB_VERSION) ($(CHANGELOG_DATE_UTC_ISO))"
 	touch $@

 .install_mark: .compile_mark .modules_compile_mark
-	rm -rf debian/${PVE_KERNEL_PKG}
-	mkdir -p debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}
-	mkdir debian/${PVE_KERNEL_PKG}/boot
-	install -m 644 ${KERNEL_SRC}/.config debian/${PVE_KERNEL_PKG}/boot/config-${KVNAME}
-	install -m 644 ${KERNEL_SRC}/System.map debian/${PVE_KERNEL_PKG}/boot/System.map-${KVNAME}
-	install -m 644 ${KERNEL_SRC}/${KERNEL_IMAGE_PATH} debian/${PVE_KERNEL_PKG}/boot/${KERNEL_INSTALL_FILE}-${KVNAME}
-	${MAKE} -C ${KERNEL_SRC} INSTALL_MOD_PATH=${BUILD_DIR}/debian/${PVE_KERNEL_PKG}/ modules_install
+	rm -rf debian/$(PMX_KERNEL_PKG)
+	mkdir -p debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)
+	mkdir debian/$(PMX_KERNEL_PKG)/boot
+	install -m 644 $(KERNEL_SRC)/.config debian/$(PMX_KERNEL_PKG)/boot/config-$(KVNAME)
+	install -m 644 $(KERNEL_SRC)/System.map debian/$(PMX_KERNEL_PKG)/boot/System.map-$(KVNAME)
+	install -m 644 $(KERNEL_SRC)/$(KERNEL_IMAGE_PATH) debian/$(PMX_KERNEL_PKG)/boot/$(KERNEL_INSTALL_FILE)-$(KVNAME)
+	$(MAKE) -C $(KERNEL_SRC) INSTALL_MOD_PATH=$(BUILD_DIR)/debian/$(PMX_KERNEL_PKG)/ modules_install
 	# install zfs drivers
-	install -d -m 0755 debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 $(addprefix ${MODULES}/,zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko icp.ko zlua.ko spl.ko zzstd.ko) debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -d -m 0755 debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
+	install -m 644 $(MODULES)/zfs.ko $(MODULES)/spl.ko debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
 	# remove firmware
-	rm -rf debian/${PVE_KERNEL_PKG}/lib/firmware
+	rm -rf debian/$(PMX_KERNEL_PKG)/lib/firmware

-ifeq ($(filter pkg.pve-kernel.debug,$(DEB_BUILD_PROFILES)),)
-	echo "'pkg.pve-kernel.debug' build profile disabled, skipping -dbgsym creation"
+ifeq ($(filter pkg.proxmox-kernel.debug,$(DEB_BUILD_PROFILES)),)
+	echo "'pkg.proxmox-kernel.debug' build profile disabled, skipping -dbgsym creation"
 else
-	echo "'pkg.pve-kernel.debug' build profile enabled, creating -dbgsym contents"
-	mkdir -p debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}
-	mkdir debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/boot
-	install -m 644 ${KERNEL_SRC}/vmlinux debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/boot/vmlinux-${KVNAME}
-	cp -r debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME} debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/
-	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/source
-	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/build
-	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/modules.*
+	echo "'pkg.proxmox-kernel.debug' build profile enabled, creating -dbgsym contents"
+	mkdir -p debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)
+	mkdir debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot
+	install -m 644 $(KERNEL_SRC)/vmlinux debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot/vmlinux-$(KVNAME)
+	cp -r debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/source
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/build
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/modules.*
 endif

 	# strip debug info
-	find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+	find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+
+	# sign modules using ephemeral, embedded key
+	if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
+		find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
+			./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
+		done; \
+		rm ./ubuntu-kernel/certs/signing_key.pem ; \
+	fi
 	# finalize
-	/sbin/depmod -b debian/${PVE_KERNEL_PKG}/ ${KVNAME}
+	/sbin/depmod -b debian/$(PMX_KERNEL_PKG)/ $(KVNAME)
 	# Autogenerate blacklist for watchdog devices (see README)
-	install -m 0755 -d debian/${PVE_KERNEL_PKG}/lib/modprobe.d
-	ls debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
+	install -m 0755 -d debian/$(PMX_KERNEL_PKG)/lib/modprobe.d
+	ls debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
 	echo ipmi_watchdog.ko >> watchdog-blacklist.tmp
-	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/${PVE_KERNEL_PKG}/lib/modprobe.d/blacklist_${PVE_KERNEL_PKG}.conf
-	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/source
-	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/build
+	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/$(PMX_KERNEL_PKG)/lib/modprobe.d/blacklist_$(PMX_KERNEL_PKG).conf
+	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/source
+	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/build
+
+	# copy signing template contents
+	rm -rf debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}
+	mkdir -p debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+	cp -R debian/copyright \
+		debian/signing-template/rules \
+		debian/signing-template/control \
+		debian/signing-template/source \
+		debian/signing-template/changelog \
+		debian/signing-template/prerm \
+		debian/signing-template/postrm \
+		debian/signing-template/postinst \
+		debian/signing-template/SOURCE \
+		debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+	cp debian/signing-template/files.json debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/
+
 	touch $@

 .tools_compile_mark: .compile_mark
-	${MAKE} -C ${KERNEL_SRC}/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
+	$(MAKE) -C $(KERNEL_SRC)/tools/perf prefix=/usr NO_LIBTRACEEVENT=1 HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
 	echo "checking GPL-2 only perf binary for library linkage with incompatible licenses.."
-	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibbfd'
-	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibcrypto'
-	${MAKE} -C ${KERNEL_SRC}/tools/perf man
+	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibbfd'
+	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibcrypto'
+	$(MAKE) -C $(KERNEL_SRC)/tools/perf NO_LIBTRACEEVENT=1 man
 	touch $@

 .tools_install_mark: .tools_compile_mark
-	rm -rf debian/${LINUX_TOOLS_PKG}
-	mkdir -p debian/${LINUX_TOOLS_PKG}/usr/bin
-	mkdir -p debian/${LINUX_TOOLS_PKG}/usr/share/man/man1
-	install -m 755 ${BUILD_DIR}/${KERNEL_SRC}/tools/perf/perf debian/${LINUX_TOOLS_PKG}/usr/bin/perf_$(KERNEL_MAJMIN)
-	for i in ${BUILD_DIR}/${KERNEL_SRC}/tools/perf/Documentation/*.1; do \
+	rm -rf debian/$(LINUX_TOOLS_PKG)
+	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/bin
+	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1
+	install -m 755 $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/perf debian/$(LINUX_TOOLS_PKG)/usr/bin/perf_$(KERNEL_MAJMIN)
+	for i in $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/Documentation/*.1; do \
 	    fname="$${i##*/}"; manname="$${fname%.1}"; \
-	    install -m644 "$$i" "debian/${LINUX_TOOLS_PKG}/usr/share/man/man1/$${manname}_$(KERNEL_MAJMIN).1"; \
+	    install -m644 "$$i" "debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1/$${manname}_$(KERNEL_MAJMIN).1"; \
 	done
 	touch $@

 .headers_prepare_mark: .config_mark
-	rm -rf debian/${PVE_HEADER_PKG}
-	mkdir -p debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	install -m 0644 ${KERNEL_SRC}/.config debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	make -C ${KERNEL_SRC_COPY} mrproper
-	cd ${KERNEL_SRC_COPY}; find . -path './debian/*' -prune \
+	rm -rf debian/$(PMX_HEADER_PKG)
+	mkdir -p debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	install -m 0644 $(KERNEL_SRC)/.config debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	make -C $(KERNEL_SRC_COPY) mrproper
+	cd $(KERNEL_SRC_COPY); find . -path './debian/*' -prune \
 	    -o -path './include/*' -prune \
 	    -o -path './Documentation' -prune \
 	    -o -path './scripts' -prune \
@@ -202,41 +263,40 @@ endif
 	        -o -name '*.sh' \
 	        -o -name '*.pl' \
 	    \) \
-	    -print | cpio -pd --preserve-modification-time ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	cd ${KERNEL_SRC_COPY}; \
+	    -print | cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	cd $(KERNEL_SRC_COPY); \
 	    ( \
-	        find arch/${KERNEL_HEADER_ARCH} -name include -type d -print | \
+	        find arch/$(KERNEL_HEADER_ARCH) -name include -type d -print | \
 	        xargs -n1 -i: find : -type f \
 	    ) | \
-	    cpio -pd --preserve-modification-time ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	    cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
 	touch $@

 .headers_compile_mark: .headers_prepare_mark
 	# set output to subdir of source to reduce number of hardcoded paths in output files
-	rm -rf ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}
-	mkdir -p ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}
-	cp ${KERNEL_SRC}/.config ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}/.config
-	${MAKE} -C ${KERNEL_SRC_COPY} O=${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG} -j1 syncconfig modules_prepare prepare scripts
-	cd ${KERNEL_SRC_COPY}; cp -a include scripts ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	find ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG} -name \*.o.ur-\* -o -name '*.cmd' | xargs rm -f
-	rsync --ignore-existing -r -v -a $(addprefix ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}/,arch include kernel scripts tools) ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/
-	rm -rf ${BUILD_DIR}/${KERNEL_SRC_COPY}
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
+	mkdir -p $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
+	cp $(KERNEL_SRC)/.config $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/.config
+	$(MAKE) -C $(KERNEL_SRC_COPY) O=$(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -j1 syncconfig modules_prepare prepare scripts
+	cd $(KERNEL_SRC_COPY); cp -a include scripts $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	find $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -name \*.o.ur-\* -o -name '*.cmd' | xargs rm -f
+	rsync --ignore-existing -r -v -a $(addprefix $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/,arch include kernel scripts tools) $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)
 	touch $@

 .headers_install_mark: .compile_mark .modules_compile_mark .headers_compile_mark
-	cp ${KERNEL_SRC}/include/generated/compile.h debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/include/generated/compile.h
-	install -m 0644 ${KERNEL_SRC}/Module.symvers debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	mkdir -p debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}
-	ln -sf /usr/src/linux-headers-${KVNAME} debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}/build
+	cp $(KERNEL_SRC)/include/generated/compile.h debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/include/generated/compile.h
+	install -m 0644 $(KERNEL_SRC)/Module.symvers debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	mkdir -p debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)
+	ln -sf /usr/src/linux-headers-$(KVNAME) debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)/build
 	touch $@

-.usr_headers_install_mark: PKG_DIR = debian/${PVE_USR_HEADER_PKG}
-.usr_headers_install_mark: OUT_DIR = ${PKG_DIR}/usr
+.usr_headers_install_mark: PKG_DIR = debian/$(PMX_USR_HEADER_PKG)
+.usr_headers_install_mark: OUT_DIR = $(PKG_DIR)/usr
 .usr_headers_install_mark: .config_mark
-	rm -rf '${PKG_DIR}'
-	mkdir -p  '${PKG_DIR}'
-	$(MAKE) -C ${KERNEL_SRC} headers_check ARCH=$(KERNEL_HEADER_ARCH)
-	$(MAKE) -C ${KERNEL_SRC} headers_install ARCH=$(KERNEL_HEADER_ARCH) INSTALL_HDR_PATH='$(CURDIR)'/$(OUT_DIR)
+	rm -rf '$(PKG_DIR)'
+	mkdir -p  '$(PKG_DIR)'
+	$(MAKE) -C $(KERNEL_SRC) headers_install ARCH=$(KERNEL_HEADER_ARCH) INSTALL_HDR_PATH='$(CURDIR)'/$(OUT_DIR)
 	rm -rf $(OUT_DIR)/include/drm $(OUT_DIR)/include/scsi
 	find $(OUT_DIR)/include \( -name .install -o -name ..install.cmd \) -execdir rm {} +

@@ -247,43 +307,36 @@ endif
 		mv $(OUT_DIR)/include/arch $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
 	touch $@

-.modules_compile_mark: ${MODULES}/zfs.ko
+.modules_compile_mark: $(MODULES)/zfs.ko
 	touch $@

-${MODULES}/zfs.ko: .compile_mark
-	cd ${MODULES}/${ZFSDIR}; ./autogen.sh
-	cd ${MODULES}/${ZFSDIR}; ./configure --with-config=kernel --with-linux=${BUILD_DIR}/${KERNEL_SRC} --with-linux-obj=${BUILD_DIR}/${KERNEL_SRC}
-	${MAKE} -C ${MODULES}/${ZFSDIR}
-	cp ${MODULES}/${ZFSDIR}/module/avl/zavl.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/nvpair/znvpair.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/unicode/zunicode.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/zcommon/zcommon.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/icp/icp.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/zfs/zfs.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/lua/zlua.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/spl/spl.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/zstd/zzstd.ko ${MODULES}/
+$(MODULES)/zfs.ko: .compile_mark
+	cd $(MODULES)/$(ZFSDIR); ./autogen.sh
+	cd $(MODULES)/$(ZFSDIR); ./configure --with-config=kernel --with-linux=$(BUILD_DIR)/$(KERNEL_SRC) --with-linux-obj=$(BUILD_DIR)/$(KERNEL_SRC)
+	$(MAKE) -C $(MODULES)/$(ZFSDIR)
+	cp $(MODULES)/$(ZFSDIR)/module/zfs.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/spl.ko $(MODULES)/

-fwlist-${KVNAME}: .compile_mark .modules_compile_mark
-	debian/scripts/find-firmware.pl debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME} >fwlist.tmp
+fwlist-$(KVNAME): .compile_mark .modules_compile_mark
+	debian/scripts/find-firmware.pl debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) >fwlist.tmp
 	mv fwlist.tmp $@

 .PHONY: fwcheck
-fwcheck: fwlist-${KVNAME} fwlist-previous
+fwcheck: fwlist-$(KVNAME) fwlist-previous
 	@echo "checking fwlist for changes since last built firmware package.."
-	@echo "if this check fails, add fwlist-${KVNAME} to the pve-firmware repository and upload a new firmware package together with the ${KVNAME} kernel"
+	@echo "if this check fails, add fwlist-$(KVNAME) to the pve-firmware repository and upload a new firmware package together with the $(KVNAME) kernel"
 	sort fwlist-previous | uniq > fwlist-previous.sorted
-	sort fwlist-${KVNAME} | uniq > fwlist-${KVNAME}.sorted
-	diff -up -N fwlist-previous.sorted fwlist-${KVNAME}.sorted > fwlist.diff
-	rm fwlist.diff fwlist-previous.sorted fwlist-${KVNAME}.sorted
+	sort fwlist-$(KVNAME) | uniq > fwlist-$(KVNAME).sorted
+	diff -up -N fwlist-previous.sorted fwlist-$(KVNAME).sorted > fwlist.diff
+	rm fwlist.diff fwlist-previous.sorted fwlist-$(KVNAME).sorted
 	@echo "done, no need to rebuild pve-firmware"


-abi-${KVNAME}: .compile_mark
-	debian/scripts/abi-generate debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/Module.symvers abi-${KVNAME} ${KVNAME}
+abi-$(KVNAME): .compile_mark
+	debian/scripts/abi-generate debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/Module.symvers abi-$(KVNAME) $(KVNAME)

 .PHONY: abicheck
-abicheck: debian/scripts/abi-check abi-${KVNAME} abi-prev-* abi-blacklist
-	debian/scripts/abi-check abi-${KVNAME} abi-prev-* ${SKIPABI}
+abicheck: debian/scripts/abi-check abi-$(KVNAME) abi-prev-* abi-blacklist
+	debian/scripts/abi-check abi-$(KVNAME) abi-prev-* $(SKIPABI)

 .PHONY: clean
@@ -1,12 +1,14 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl
+
+use strict;
+use warnings;

 my $abinew = shift;
 my $abiold = shift;
 my $skipabi = shift;

 # to catch multiple abi-prev-* files being passed in
-die "invalid value for skipabi parameter\n"
-	if (defined($skipabi) && $skipabi !~ /^[01]$/);
+die "invalid value '$skipabi' for skipabi parameter\n" if defined($skipabi) && $skipabi !~ /^[01]$/;

 $abinew =~ /abi-(.*)/;
 my $abistr = $1;
@@ -23,30 +25,30 @@ my $count;
 print "II: Checking ABI...\n";

 if ($skipabi) {
-	print "WW: Explicitly asked to ignore ABI, running in no-fail mode\n";
-	$fail_exit = 0;
-	$abiskip = 1;
-	$EE = "WW:";
+    print "WW: Explicitly asked to ignore ABI, running in no-fail mode\n";
+    $fail_exit = 0;
+    $abiskip = 1;
+    $EE = "WW:";
 }

 if ($prev_abistr ne $abistr) {
-	print "II: Different ABI's, running in no-fail mode\n";
-	$fail_exit = 0;
-	$EE = "WW:";
+    print "II: Different ABI's, running in no-fail mode\n";
+    $fail_exit = 0;
+    $EE = "WW:";
 }

 if (not -f "$abinew" or not -f "$abiold") {
-	print "EE: Previous or current ABI file missing!\n";
-	print "    $abinew\n" if not -f "$abinew";
-	print "    $abiold\n" if not -f "$abiold";
+    print "EE: Previous or current ABI file missing!\n";
+    print "    $abinew\n" if not -f "$abinew";
+    print "    $abiold\n" if not -f "$abiold";

-	# Exit if the ABI files are missing, but return status based on whether
-	# skip ABI was indicated.
-	if ("$abiskip" eq "1") {
-		exit(0);
-	} else {
-		exit(1);
-	}
+    # Exit if the ABI files are missing, but return status based on whether
+    # skip ABI was indicated.
+    if ("$abiskip" eq "1") {
+	exit(0);
+    } else {
+	exit(1);
+    }
 }

 my %symbols;
@@ -58,101 +60,97 @@ my %module_syms;
 my $ignore = 0;
 print "    Reading symbols/modules to ignore...";

-for $file ("abi-blacklist") {
-	if (-f $file) {
-		open(IGNORE, "< $file") or
-			die "Could not open $file";
-		while (<IGNORE>) {
-			chomp;
-			if ($_ =~ m/M: (.*)/) {
-				$modules_ignore{$1} = 1;
-			} else {
-				$symbols_ignore{$_} = 1;
-			}
-			$ignore++;
-		}
-		close(IGNORE);
+for my $file ("abi-blacklist") {
+    next if !-f $file;
+    open(my $IGNORE_FH, '<', $file) or die "Could not open $file - $!";
+
+    while (<$IGNORE_FH>) {
+	chomp;
+	if ($_ =~ m/M: (.*)/) {
+	    $modules_ignore{$1} = 1;
+	} else {
+	    $symbols_ignore{$_} = 1;
 	}
+	$ignore++;
+    }
+    close($IGNORE_FH);
 }
 print "read $ignore symbols/modules.\n";

 sub is_ignored($$) {
-	my ($mod, $sym) = @_;
+    my ($mod, $sym) = @_;

-	die "Missing module name in is_ignored()" if not defined($mod);
-	die "Missing symbol name in is_ignored()" if not defined($sym);
+    die "Missing module name in is_ignored()" if not defined($mod);
+    die "Missing symbol name in is_ignored()" if not defined($sym);

-	if (defined($symbols_ignore{$sym}) or defined($modules_ignore{$mod})) {
-		return 1;
-	}
-	return 0;
+    if (defined($symbols_ignore{$sym}) or defined($modules_ignore{$mod})) {
+	return 1;
+    }
+    return 0;
 }

 # Read new syms first
 print "    Reading new symbols ($abistr)...";
 $count = 0;
-open(NEW, "< $abinew") or
-	die "Could not open $abinew";
-while (<NEW>) {
-	chomp;
-	m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
-	$symbols{$4}{'type'} = $1;
-	$symbols{$4}{'loc'} = $2;
-	$symbols{$4}{'hash'} = $3;
-	$module_syms{$2} = 0;
-	$count++;
+open(my $NEW_FH, '<', $abinew) or die "Could not open $abinew - $!";
+while (<$NEW_FH>) {
+    chomp;
+    m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
+    $symbols{$4}{'type'} = $1;
+    $symbols{$4}{'loc'} = $2;
+    $symbols{$4}{'hash'} = $3;
+    $module_syms{$2} = 0;
+    $count++;
 }
-close(NEW);
+close($NEW_FH);
 print "read $count symbols.\n";

 # Now the old symbols, checking for missing ones
 print "    Reading old symbols...";
 $count = 0;
-open(OLD, "< $abiold") or
-	die "Could not open $abiold";
-while (<OLD>) {
-	chomp;
-	m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
-	$symbols{$4}{'old_type'} = $1;
-	$symbols{$4}{'old_loc'} = $2;
-	$symbols{$4}{'old_hash'} = $3;
-	$count++;
+open(my $OLD_FH, '<', $abiold) or die "Could not open $abiold - $!";
+while (<$OLD_FH>) {
+    chomp;
+    m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
+    $symbols{$4}{'old_type'} = $1;
+    $symbols{$4}{'old_loc'} = $2;
+    $symbols{$4}{'old_hash'} = $3;
+    $count++;
 }
-close(OLD);
+close($OLD_FH);

 print "read $count symbols.\n";

 print "II: Checking for missing symbols in new ABI...";
 $count = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'type'})) {
-		print "\n" if not $count;
-		printf("    MISS : %s%s\n", $sym,
-			is_ignored($symbols{$sym}{'old_loc'}, $sym) ? " (ignored)" : "");
-		$count++ if !is_ignored($symbols{$sym}{'old_loc'}, $sym);
-	}
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'type'})) {
+	print "\n" if not $count;
+	printf("    MISS : %s%s\n", $sym, is_ignored($symbols{$sym}{'old_loc'}, $sym) ? " (ignored)" : "");
+	$count++ if !is_ignored($symbols{$sym}{'old_loc'}, $sym);
+    }
 }
 print "    " if $count;
 print "found $count missing symbols\n";
 if ($count) {
-	print "$EE Symbols gone missing (what did you do!?!)\n";
-	$errors++;
+    print "$EE Symbols gone missing (what did you do!?!)\n";
+    $errors++;
 }


 print "II: Checking for new symbols in new ABI...";
 $count = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'old_type'})) {
-		print "\n" if not $count;
-		print "    NEW : $sym\n";
-		$count++;
-	}
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'old_type'})) {
+	print "\n" if not $count;
+	print "    NEW : $sym\n";
+	$count++;
+    }
 }
 print "    " if $count;
 print "found $count new symbols\n";
 if ($count) {
-	print "WW: Found new symbols. Not recommended unless ABI was bumped\n";
+    print "WW: Found new symbols. Not recommended unless ABI was bumped\n";
 }

 print "II: Checking for changes to ABI...\n";
@@ -160,37 +158,34 @@ $count = 0;
 my $moved = 0;
 my $changed_type = 0;
 my $changed_hash = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'old_type'}) or
-	    !defined($symbols{$sym}{'type'})) {
-		next;
-	}
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'old_type'}) or !defined($symbols{$sym}{'type'})) {
+	next;
+    }

-	# Changes in location don't hurt us, but log it anyway
-	if ($symbols{$sym}{'loc'} ne $symbols{$sym}{'old_loc'}) {
-		printf("    MOVE : %-40s : %s => %s\n", $sym, $symbols{$sym}{'old_loc'},
-			$symbols{$sym}{'loc'});
-		$moved++;
-	}
+    # Changes in location don't hurt us, but log it anyway
+    if ($symbols{$sym}{'loc'} ne $symbols{$sym}{'old_loc'}) {
+	printf("    MOVE : %-40s : %s => %s\n", $sym, $symbols{$sym}{'old_loc'}, $symbols{$sym}{'loc'});
+	$moved++;
+    }

-	# Changes to export type are only bad if new type isn't
-	# EXPORT_SYMBOL. Changing things to GPL are bad.
-	if ($symbols{$sym}{'type'} ne $symbols{$sym}{'old_type'}) {
-		printf("    TYPE : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_type'}.
-			$symbols{$sym}{'type'}, is_ignored($symbols{$sym}{'loc'}, $sym)
-			? " (ignored)" : "");
-		$changed_type++ if $symbols{$sym}{'type'} ne "EXPORT_SYMBOL"
-			and !is_ignored($symbols{$sym}{'loc'}, $sym);
-	}
+    # Changes to export type are only bad if new type isn't
+    # EXPORT_SYMBOL. Changing things to GPL are bad.
+    if ($symbols{$sym}{'type'} ne $symbols{$sym}{'old_type'}) {
+	printf("    TYPE : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_type'}.
+	    $symbols{$sym}{'type'}, is_ignored($symbols{$sym}{'loc'}, $sym)
+	    ? " (ignored)" : "");
+	$changed_type++ if $symbols{$sym}{'type'} ne "EXPORT_SYMBOL" and !is_ignored($symbols{$sym}{'loc'}, $sym);
+    }

-	# Changes to the hash are always bad
-	if ($symbols{$sym}{'hash'} ne $symbols{$sym}{'old_hash'}) {
-		printf("    HASH : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_hash'},
-			$symbols{$sym}{'hash'}, is_ignored($symbols{$sym}{'loc'}, $sym)
-			? " (ignored)" : "");
-		$changed_hash++ if !is_ignored($symbols{$sym}{'loc'}, $sym);
-		$module_syms{$symbols{$sym}{'loc'}}++;
-	}
+    # Changes to the hash are always bad
+    if ($symbols{$sym}{'hash'} ne $symbols{$sym}{'old_hash'}) {
+	printf("    HASH : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_hash'},
+	    $symbols{$sym}{'hash'}, is_ignored($symbols{$sym}{'loc'}, $sym)
+	    ? " (ignored)" : "");
+	$changed_hash++ if !is_ignored($symbols{$sym}{'loc'}, $sym);
+	$module_syms{$symbols{$sym}{'loc'}}++;
+    }
 }

 print "WW: $moved symbols changed location\n" if $moved;
@@ -199,17 +194,17 @@ print "$EE $changed_hash symbols changed hash and weren't ignored\n" if $changed

 $errors++ if $changed_hash or $changed_type;
 if ($changed_hash) {
-	print "II: Module hash change summary...\n";
-	foreach $mod (sort { $module_syms{$b} <=> $module_syms{$a} } keys %module_syms) {
-		next if ! $module_syms{$mod};
-		printf("    %-40s: %d\n", $mod, $module_syms{$mod});
-	}
+    print "II: Module hash change summary...\n";
+    for my $mod (sort { $module_syms{$b} <=> $module_syms{$a} } keys %module_syms) {
+	next if ! $module_syms{$mod};
+	printf("    %-40s: %d\n", $mod, $module_syms{$mod});
+    }
 }

 print "II: Done\n";

 if ($errors) {
-	exit($fail_exit);
+    exit($fail_exit);
 } else {
-	exit(0);
+    exit(0);
 }
@@ -1,8 +1,11 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

-use PVE::Tools;
+use strict;
+use warnings;

-use IO::File;
+use PVE::Tools ();
+
+use IO::File ();

 sub usage {
    die "USAGE: $0 INFILE OUTFILE [ABI INFILE-IS-DEB]\n";
@@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 my $dir = shift;

@@ -8,25 +9,25 @@ die "no directory to scan" if !$dir;

 die "no such directory" if ! -d $dir;

-die "strange directory name: $dir" if $dir !~ m|^(.*/)?(\d+.\d+.\d+\-\d+\-pve)(/+)?$|;
+warn "\n\nNOTE: strange directory name: $dir\n\n" if $dir !~ m|^(.*/)?(\d+.\d+.\d+\-\d+\-pve)(/+)?$|;

 my $apiver = $2;

-open(TMP, "find '$dir' -name '*.ko'|");
-while (defined(my $fn = <TMP>)) {
+open(my $FIND_KO_FH, "find '$dir' -name '*.ko'|");
+while (defined(my $fn = <$FIND_KO_FH>)) {
    chomp $fn;
    my $relfn = $fn;
    $relfn =~ s|^$dir/*||;

    my $cmd = "/sbin/modinfo -F firmware '$fn'";
-    open(MOD, "$cmd|");
-    while (defined(my $fw = <MOD>)) {
+    open(my $MOD_FH, "$cmd|");
+    while (defined(my $fw = <$MOD_FH>)) {
 	chomp $fw;
 	print "$fw $relfn\n";
    }
-    close(MOD);
+    close($MOD_FH);

 }
-close TMP;
+close($FIND_KO_FH);

 exit 0;
@@ -0,0 +1,25 @@
+Source: proxmox-kernel-signed-@KVMAJMIN@
+Section: kernel
+Priority: optional
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Standards-Version: 4.2.0
+Build-Depends: debhelper-compat (= 12), dh-exec, python3:any, rsync, sbsigntool, proxmox-kernel-@KVNAME@ (= @UNSIGNED_VERSION@)
+Rules-Requires-Root: no
+Vcs-Git: git://git.proxmox.com/git/pve-kernel
+Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
+
+Package: proxmox-kernel-@KVNAME@-signed
+Section: admin
+Priority: optional
+Architecture: any
+Provides: linux-image-@KVNAME@-amd64, proxmox-kernel-@KVNAME@
+Depends: ${unsigned:Depends}, ${misc:Depends}
+Recommends: ${unsigned:Recommends}
+Suggests: ${unsigned:Suggests}
+Breaks: ${unsigned:Breaks}
+Conflicts: proxmox-kernel-@KVNAME@
+Replaces: proxmox-kernel-@KVNAME@
+Description: ${unsigned:DescriptionShort} (signed)
+ ${unsigned:DescriptionLong}
+ .
+ This package contains the kernel image signed by the Proxmox Secure Boot CA.
@@ -0,0 +1,13 @@
+{
+	"packages": {
+		"proxmox-kernel-@KVNAME@": {
+			"trusted_certs": [],
+			"files": [
+				{
+					"sig_type": "efi",
+					"file": "boot/vmlinuz-@KVNAME@"
+				}
+			]
+		}
+	}
+}
@@ -0,0 +1,58 @@
+#!/usr/bin/make -f
+
+SHELL := bash -e
+
+export DH_OPTIONS
+
+include /usr/share/dpkg/architecture.mk
+
+KERNEL_VERSION=@KVNAME@
+IMAGE_PACKAGE_NAME=proxmox-kernel-$(KERNEL_VERSION)
+PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed
+PACKAGE_VERSION=@PKG_VERSION@
+PACKAGE_DIR=debian/$(PACKAGE_NAME)
+SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME}
+
+build: build-arch build-indep
+build-arch:
+build-indep:
+
+clean:
+	dh_testdir
+	dh_clean
+
+binary: binary-arch binary-indep
+binary-arch:
+	dh_testdir
+	mkdir -p $(PACKAGE_DIR)/boot
+	rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/
+	if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+		sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+			$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+	else \
+		echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \
+		false; \
+	fi
+	mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+	rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
+	mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/
+	cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/
+	dh_install
+	dh_installchangelogs
+	dh_installdocs -A debian/copyright debian/SOURCE
+	dh_lintian
+	dh_compress
+	dh_fixperms
+	dh_installdeb
+	# Copy most package relations and description from unsigned package
+	for field in Depends Suggests Recommends Breaks; do \
+		echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
+	done
+	echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
+	echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
+	dh_gencontrol -- -v$(PACKAGE_VERSION)
+	dh_md5sums
+	dh_builddeb
+binary-indep:
+
+.PHONY: build build-arch build-indep clean binary binary-arch binary-indep
@@ -0,0 +1 @@
+3.0 (native)
@@ -0,0 +1,2 @@
+debian-control-has-dbgsym-package (in section for proxmox-kernel-*-pve-dbgsym) Package [debian/control:*]
+license-problem-gfdl-invariants invariant part is: with the :ref:`invariant sections <fdl-invariant>` being list their titles, with the :ref:`front-cover texts <fdl-cover-texts>` being list, and with the :ref:`back-cover texts <fdl-cover-texts>` being list [ubuntu-kernel/Documentation/userspace-api/media/fdl-appendix.rst]
@@ -17,28 +17,19 @@ $KBUILD_BUILD_TIMESTAMP.
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- scripts/mkcompile_h | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
+ init/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)

-diff --git a/scripts/mkcompile_h b/scripts/mkcompile_h
-index 4ae735039daf..5a1abe7b4169 100755
--- a/scripts/mkcompile_h
-+++ b/scripts/mkcompile_h
-@@ -24,10 +24,14 @@ else
- 	VERSION=$KBUILD_BUILD_VERSION
- fi
+diff --git a/init/Makefile b/init/Makefile
+index cbac576c57d6..479b1253fcbe 100644
+--- a/init/Makefile
+++ b/init/Makefile
+@@ -29,7 +29,7 @@ preempt-flag-$(CONFIG_PREEMPT_DYNAMIC)	:= PREEMPT_DYNAMIC
+ preempt-flag-$(CONFIG_PREEMPT_RT)	:= PREEMPT_RT
 
-if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
-	TIMESTAMP=`date`
-+if [ -z "$KBUILD_BUILD_VERSION_TIMESTAMP" ]; then
-+	if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
-+		TIMESTAMP=`date`
-+	else
-+		TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
-+	fi
- else
-	TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
-+	TIMESTAMP=$KBUILD_BUILD_VERSION_TIMESTAMP
- fi
- if test -z "$KBUILD_BUILD_USER"; then
- 	LINUX_COMPILE_BY=$(whoami | sed 's/\\/\\\\/')
+ build-version = $(or $(KBUILD_BUILD_VERSION), $(build-version-auto))
+-build-timestamp = $(or $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+build-timestamp = $(or $(KBUILD_BUILD_VERSION_TIMESTAMP), $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+ 
+ # Maximum length of UTS_VERSION is 64 chars
+ filechk_uts_version = \
@@ -19,7 +19,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 1 insertion(+), 4 deletions(-)

 diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
-index ba55851fe132..82675e1ecfb8 100644
+index 75204d36d7f9..1fb5ff73ec1e 100644
 --- a/net/bridge/br_stp_if.c
 +++ b/net/bridge/br_stp_if.c
@@ -265,10 +265,7 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
@@ -55,10 +55,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2 files changed, 111 insertions(+)

 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index ee85be64b680..a38a8e44422e 100644
+index 90ddf08e8409..eedfabda597f 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -3653,6 +3653,15 @@
+@@ -4285,6 +4285,15 @@
 				Also, it enforces the PCI Local Bus spec
 				rule that those bits should be 0 in system reset
 				events (useful for kexec/kdump cases).
@@ -75,10 +75,10 @@ index ee85be64b680..a38a8e44422e 100644
 				Safety option to keep boot IRQs enabled. This
 				should never be necessary.
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index f32e521ade1e..4f3558d0c00a 100644
+index c7a5718e5729..901f55b9ac64 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
-@@ -192,6 +192,106 @@ static int __init pci_apply_final_quirks(void)
+@@ -287,6 +287,106 @@ static int __init pci_apply_final_quirks(void)
 }
 fs_initcall_sync(pci_apply_final_quirks);
 
@@ -185,8 +185,8 @@ index f32e521ade1e..4f3558d0c00a 100644
 /*
  * Decoding should be disabled for a PCI device during BAR sizing to avoid
  * conflict. But doing so may cause problems on host bridge and perhaps other
-@@ -4857,6 +4957,8 @@ static const struct pci_dev_acs_enabled {
- 	{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
+@@ -5091,6 +5191,8 @@ static const struct pci_dev_acs_enabled {
+ 	{ PCI_VENDOR_ID_CAVIUM, 0xA060, pci_quirk_mf_endpoint_acs },
 	/* APM X-Gene */
 	{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
 +	/* Enable overrides for missing ACS capabilities */
@@ -13,10 +13,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 14e6c73a6031..c191c9e50735 100644
+index 5bbb5612b207..691ce10e7647 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
-@@ -77,7 +77,7 @@ module_param(halt_poll_ns, uint, 0644);
+@@ -82,7 +82,7 @@ module_param(halt_poll_ns, uint, 0644);
 EXPORT_SYMBOL_GPL(halt_poll_ns);
 
 /* Default doubles per-vcpu halt_poll_ns. */
@@ -1,24 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Date: Wed, 7 Oct 2020 17:18:28 +0200
-Subject: [PATCH] net: core: downgrade unregister_netdevice refcount leak from
- emergency to error
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- net/core/dev.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/core/dev.c b/net/core/dev.c
-index b91b76890cbc..cb7ffc3e848b 100644
--- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -10365,7 +10365,7 @@ static void netdev_wait_allrefs(struct net_device *dev)
- 		refcnt = netdev_refcnt_read(dev);
- 
- 		if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) {
-			pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
-+			pr_err("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
- 				 dev->name, refcnt);
- 			warning_time = jiffies;
- 		}
@@ -1,68 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 2 Jul 2021 14:07:36 +0200
-Subject: [PATCH] net: bridge: sync fdb to new unicast-filtering ports
-
-Since commit 2796d0c648c9 ("bridge: Automatically manage
-port promiscuous mode.")
-bridges with `vlan_filtering 1` and only 1 auto-port don't
-set IFF_PROMISC for unicast-filtering-capable ports.
-
-Normally on port changes `br_manage_promisc` is called to
-update the promisc flags and unicast filters if necessary,
-but it cannot distinguish between *new* ports and ones
-losing their promisc flag, and new ports end up not
-receiving the MAC address list.
-
-Fix this by calling `br_fdb_sync_static` in `br_add_if`
-after the port promisc flags are updated and the unicast
-filter was supposed to have been filled.
-
-Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.")
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
- net/bridge/br_if.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
-index f7d2f472ae24..6e4a32354a13 100644
--- a/net/bridge/br_if.c
-+++ b/net/bridge/br_if.c
-@@ -562,7 +562,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
- 	struct net_bridge_port *p;
- 	int err = 0;
- 	unsigned br_hr, dev_hr;
-	bool changed_addr;
-+	bool changed_addr, fdb_synced = false;
- 
- 	/* Don't allow bridging non-ethernet like devices. */
- 	if ((dev->flags & IFF_LOOPBACK) ||
-@@ -652,6 +652,19 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
- 	list_add_rcu(&p->list, &br->port_list);
- 
- 	nbp_update_port_count(br);
-+	if (!br_promisc_port(p) && (p->dev->priv_flags & IFF_UNICAST_FLT)) {
-+		/* When updating the port count we also update all ports'
-+		 * promiscuous mode.
-+		 * A port leaving promiscuous mode normally gets the bridge's
-+		 * fdb synced to the unicast filter (if supported), however,
-+		 * `br_port_clear_promisc` does not distinguish between
-+		 * non-promiscuous ports and *new* ports, so we need to
-+		 * sync explicitly here.
-+		 */
-+		fdb_synced = br_fdb_sync_static(br, p) == 0;
-+		if (!fdb_synced)
-+			netdev_err(dev, "failed to sync bridge static fdb addresses to this port\n");
-+	}
- 
- 	netdev_update_features(br->dev);
- 
-@@ -701,6 +714,8 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
- 	return 0;
- 
- err7:
-+	if (fdb_synced)
-+		br_fdb_unsync_static(br, p);
- 	list_del_rcu(&p->list);
- 	br_fdb_delete_by_port(br, p, 0, 1);
- 	nbp_update_port_count(br);
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Wed, 7 Oct 2020 17:18:28 +0200
+Subject: [PATCH] net: core: downgrade unregister_netdevice refcount leak from
+ emergency to error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 4811937f572d..8850f9be9044 100644
+--- a/net/core/dev.c
+++ b/net/core/dev.c
+@@ -10355,7 +10355,7 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list)
+ 		if (time_after(jiffies, warning_time +
+ 			       READ_ONCE(netdev_unregister_timeout_secs) * HZ)) {
+ 			list_for_each_entry(dev, list, todo_list) {
+-				pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+				pr_err("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+ 					 dev->name, netdev_refcnt_read(dev));
+ 				ref_tracker_dir_print(&dev->refcnt_tracker, 10);
+ 			}
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Tue, 10 Jan 2023 08:52:40 +0100
+Subject: [PATCH] Revert "fortify: Do not cast to "unsigned char""
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit 106b7a61c488d2022f44e3531ce33461c7c0685f.
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ include/linux/fortify-string.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
+index da51a83b2829..9d9e7822eddf 100644
+--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
+@@ -18,7 +18,7 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
+ 
+ #define __compiletime_strlen(p)					\
+ ({								\
+-	char *__p = (char *)(p);				\
+	unsigned char *__p = (unsigned char *)(p);		\
+ 	size_t __ret = SIZE_MAX;				\
+ 	const size_t __p_size = __member_size(p);		\
+ 	if (__p_size != SIZE_MAX &&				\
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Fabian Ebner <f.ebner@proxmox.com>
-Date: Wed, 28 Jul 2021 08:55:31 +0200
-Subject: [PATCH] io_uring: don't block level reissue off completion path
-
-Some setups, like SCSI, can throw spurious -EAGAIN off the softirq
-completion path. Normally we expect this to happen inline as part
-of submission, but apparently SCSI has a weird corner case where it
-can happen as part of normal completions.
-
-This should be solved by having the -EAGAIN bubble back up the stack
-as part of submission, but previous attempts at this failed and we're
-not just quite there yet. Instead we currently use REQ_F_REISSUE to
-handle this case.
-
-For now, catch it in io_rw_should_reissue() and prevent a reissue
-from a bogus path.
-
-Upstream mail:
-https://lore.kernel.org/io-uring/20210727165811.284510-3-axboe@kernel.dk/T/#u
-
-Originally-by: Jens Axboe <axboe@kernel.dk>
-[backport]
-Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
---
- fs/io_uring.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/fs/io_uring.c b/fs/io_uring.c
-index a0d42aea3aa1..ce5cf51a5667 100644
--- a/fs/io_uring.c
-+++ b/fs/io_uring.c
-@@ -2731,6 +2731,13 @@ static bool io_rw_reissue(struct io_kiocb *req, long res)
- 	if (percpu_ref_is_dying(&req->ctx->refs))
- 		return false;
- 
-+	/*
-+	 * Play it safe and assume not safe to re-import and reissue if we're
-+	 * not in the original thread group (or in task context).
-+	 */
-+	if (!same_thread_group(req->task, current) || !in_task())
-+		return false;
-+
- 	lockdep_assert_held(&req->ctx->uring_lock);
- 
- 	ret = io_sq_thread_acquire_mm_files(req->ctx, req);
@@ -1,102 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
-Date: Mon, 2 Aug 2021 10:22:30 +0200
-Subject: [PATCH] Revert "PCI: Coalesce host bridge contiguous apertures"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit c2ff8072deba40887560dc73dd2e558ec539ea09.
-
-was reverted upstream because of reports similar to
-
-Link: https://bugzilla.proxmox.com/show_bug.cgi?id=3552
-Link: https://lore.kernel.org/r/20210709231529.GA3270116@roeck-us.net
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- drivers/pci/probe.c | 49 ++++-----------------------------------------
- 1 file changed, 4 insertions(+), 45 deletions(-)
-
-diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index 04664d4fe4be..be51670572fa 100644
--- a/drivers/pci/probe.c
-+++ b/drivers/pci/probe.c
-@@ -19,7 +19,6 @@
- #include <linux/hypervisor.h>
- #include <linux/irqdomain.h>
- #include <linux/pm_runtime.h>
-#include <linux/list_sort.h>
- #include "pci.h"
- 
- #define CARDBUS_LATENCY_TIMER	176	/* secondary latency timer */
-@@ -875,30 +874,14 @@ static void pci_set_bus_msi_domain(struct pci_bus *bus)
- 	dev_set_msi_domain(&bus->dev, d);
- }
- 
-static int res_cmp(void *priv, struct list_head *a, struct list_head *b)
-{
-	struct resource_entry *entry1, *entry2;
-
-	entry1 = container_of(a, struct resource_entry, node);
-	entry2 = container_of(b, struct resource_entry, node);
-
-	if (entry1->res->flags != entry2->res->flags)
-		return entry1->res->flags > entry2->res->flags;
-
-	if (entry1->offset != entry2->offset)
-		return entry1->offset > entry2->offset;
-
-	return entry1->res->start > entry2->res->start;
-}
-
- static int pci_register_host_bridge(struct pci_host_bridge *bridge)
- {
- 	struct device *parent = bridge->dev.parent;
-	struct resource_entry *window, *next, *n;
-+	struct resource_entry *window, *n;
- 	struct pci_bus *bus, *b;
-	resource_size_t offset, next_offset;
-+	resource_size_t offset;
- 	LIST_HEAD(resources);
-	struct resource *res, *next_res;
-+	struct resource *res;
- 	char addr[64], *fmt;
- 	const char *name;
- 	int err;
-@@ -976,35 +959,11 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
- 	if (nr_node_ids > 1 && pcibus_to_node(bus) == NUMA_NO_NODE)
- 		dev_warn(&bus->dev, "Unknown NUMA node; performance will be reduced\n");
- 
-	/* Sort and coalesce contiguous windows */
-	list_sort(NULL, &resources, res_cmp);
-	resource_list_for_each_entry_safe(window, n, &resources) {
-		if (list_is_last(&window->node, &resources))
-			break;
-
-		next = list_next_entry(window, node);
-		offset = window->offset;
-		res = window->res;
-		next_offset = next->offset;
-		next_res = next->res;
-
-		if (res->flags != next_res->flags || offset != next_offset)
-			continue;
-
-		if (res->end + 1 == next_res->start) {
-			next_res->start = res->start;
-			res->flags = res->start = res->end = 0;
-		}
-	}
-
- 	/* Add initial resources to the bus */
- 	resource_list_for_each_entry_safe(window, n, &resources) {
-+		list_move_tail(&window->node, &bridge->windows);
- 		offset = window->offset;
- 		res = window->res;
-		if (!res->end)
-			continue;
-
-		list_move_tail(&window->node, &bridge->windows);
- 
- 		if (res->flags & IORESOURCE_BUS)
- 			pci_bus_insert_busn_res(bus, bus->number, res->end);
@@ -0,0 +1,133 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Fri, 14 Jul 2023 18:10:32 +0200
+Subject: [PATCH] kvm: xsave set: mask-out PKRU bit in xfeatures if vCPU has no
+ support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes live-migrations & snapshot-rollback of VMs with a restricted
+CPU type (e.g., qemu64) from our 5.15 based kernel (default Proxmox
+VE 7.4) to the 6.2 (and future newer) of Proxmox VE 8.0.
+
+Previous to ad856280ddea ("x86/kvm/fpu: Limit guest user_xfeatures to
+supported bits of XCR0") the PKRU bit of the host could leak into the
+state from the guest, which caused trouble when migrating between
+hosts with different CPUs, i.e., where the source supported it but
+the target did not, causing a general protection fault when the guest
+tried to use a pkru related instruction after the migration.
+
+But the fix, while welcome, caused a temporary out-of-sync state when
+migrating such a VM from a kernel without the fix to a kernel with
+the fix, as it threw of KVM when the CPUID of the guest and most of
+the state doesn't report XSAVE and thus any xfeatures, but PKRU and
+the related state is set as enabled, causing the vCPU to spin at 100%
+without any progress forever.
+
+The fix could be at two sites, either in QEMU or in the kernel, I
+choose the kernel as we have all the info there for a targeted
+heuristic so that we don't have to adapt QEMU and qemu-server, the
+latter even on both sides.
+
+Still, a short summary of the possible fixes and short drawbacks:
+* on QEMU-side either
+  - clear the PKRU state in the migration saved state would be rather
+    complicated to implement as the vCPU is initialised way before we
+    have the saved xfeature state available to check what we'd need
+    to do, plus the user-space only gets a memory blob from ioctl
+    KVM_GET_XSAVE2 that it passes to KVM_SET_XSAVE ioctl, there are
+    no ABI guarantees, and while the struct seem stable for 5.15 to
+    6.5-rc1, that doesn't has to be for future kernels, so off the
+    table.
+  - enforce that the CPUID reports PKU support even if it normally
+    wouldn't. While this works (tested by hard-coding it as POC) it
+    is a) not really nice and b) needs some interaction from
+    qemu-server to enable this flag as otherwise we have no good info
+    to decide when it's OK to do this, which means we need to adapt
+    both PVE 7 and 8's qemu-server and also pve-qemu, workable but
+    not optimal
+
+* on Kernel/KVM-side we can hook into the set XSAVE ioctl specific to
+  the KVM subsystem, which already reduces chance of regression for
+  all other places. There we have access to the union/struct
+  definitions of the saved state and thus can savely cast to that.
+  We also got access to the vCPU's CPUID capabilities, meaning we can
+  check if the XCR0 (first XSAVE Control Register) reports
+  that it support the PKRU feature, and if it does *NOT* but the
+  saved xfeatures register from XSAVE *DOES* report it, we can safely
+  assume that this combination is due to an migration from an older,
+  leaky kernel – and clear the bit in the xfeature register before
+  restoring it to the guest vCPU KVM state, avoiding the confusing
+  situation that made the vCPU spin at 100%.
+  This should be safe to do, as the guest vCPU CPUID never reported
+  support for the PKRU feature, and it's also a relatively niche and
+  newish feature.
+
+If it gains us something we can drop this patch a bit in the future
+Proxmox VE 9 major release, but we should ensure that VMs that where
+started before PVE 8 cannot be directly live-migrated to the release
+that includes that change; so we should rather only drop it if the
+maintenance burden is high.
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/cpuid.c |  6 ++++++
+ arch/x86/kvm/cpuid.h |  2 ++
+ arch/x86/kvm/x86.c   | 13 +++++++++++++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index 7bdc66abfc92..e2b67975869c 100644
+--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
+@@ -249,6 +249,12 @@ static u64 cpuid_get_supported_xcr0(struct kvm_cpuid_entry2 *entries, int nent)
+ 	return (best->eax | ((u64)best->edx << 32)) & kvm_caps.supported_xcr0;
+ }
+ 
+bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu) {
+	u64 guest_supported_xcr0 = cpuid_get_supported_xcr0(
+	    vcpu->arch.cpuid_entries, vcpu->arch.cpuid_nent);
+	return (guest_supported_xcr0 & XFEATURE_MASK_PKRU) != 0;
+}
+
+ static void __kvm_update_cpuid_runtime(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *entries,
+ 				       int nent)
+ {
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
+index b1658c0de847..12a02851ff57 100644
+--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
+@@ -32,6 +32,8 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+ bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx,
+ 	       u32 *ecx, u32 *edx, bool exact_only);
+ 
+bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu);
+
+ u32 xstate_required_size(u64 xstate_bv, bool compacted);
+ 
+ int cpuid_query_maxphyaddr(struct kvm_vcpu *vcpu);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index a5c8a01f7e7e..632d2d18041a 100644
+--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
+@@ -5426,6 +5426,19 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
+ 	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
+ 		return 0;
+ 
+	if (!vcpu_supports_xsave_pkru(vcpu)) {
+		void *buf = guest_xsave->region;
+		union fpregs_state *ustate = buf;
+		if (ustate->xsave.header.xfeatures & XFEATURE_MASK_PKRU) {
+			printk(
+				KERN_NOTICE "clearing PKRU xfeature bit as vCPU from PID %d"
+				" reports no PKRU support - migration from fpu-leaky kernel?",
+				current->pid
+			);
+			ustate->xsave.header.xfeatures &= ~XFEATURE_MASK_PKRU;
+		}
+	}
+
+ 	return fpu_copy_uabi_to_guest_fpstate(&vcpu->arch.guest_fpu,
+ 					      guest_xsave->region,
+ 					      kvm_caps.supported_xcr0,
@@ -1,111 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Date: Tue, 13 Jul 2021 20:50:07 +0800
-Subject: [PATCH] PCI: Reinstate "PCI: Coalesce host bridge contiguous
- apertures"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Built-in graphics on HP EliteDesk 805 G6 doesn't work because graphics
-can't get the BAR it needs:
-  pci_bus 0000:00: root bus resource [mem 0x10020200000-0x100303fffff window]
-  pci_bus 0000:00: root bus resource [mem 0x10030400000-0x100401fffff window]
-
-  pci 0000:00:08.1:   bridge window [mem 0xd2000000-0xd23fffff]
-  pci 0000:00:08.1:   bridge window [mem 0x10030000000-0x100401fffff 64bit pref]
-  pci 0000:00:08.1: can't claim BAR 15 [mem 0x10030000000-0x100401fffff 64bit pref]: no compatible bridge window
-  pci 0000:00:08.1: [mem 0x10030000000-0x100401fffff 64bit pref] clipped to [mem 0x10030000000-0x100303fffff 64bit pref]
-  pci 0000:00:08.1:   bridge window [mem 0x10030000000-0x100303fffff 64bit pref]
-  pci 0000:07:00.0: can't claim BAR 0 [mem 0x10030000000-0x1003fffffff 64bit pref]: no compatible bridge window
-  pci 0000:07:00.0: can't claim BAR 2 [mem 0x10040000000-0x100401fffff 64bit pref]: no compatible bridge window
-
-However, the root bus has two contiguous apertures that can contain the
-child resource requested.
-
-Coalesce contiguous apertures so we can allocate from the entire contiguous
-region.
-
-This is the second take of commit 65db04053efe ("PCI: Coalesce host
-bridge contiguous apertures"). The original approach sorts the apertures
-by address, but that makes NVMe stop working on QEMU ppc:sam460ex:
-  PCI host bridge to bus 0002:00
-  pci_bus 0002:00: root bus resource [io  0x0000-0xffff]
-  pci_bus 0002:00: root bus resource [mem 0xd80000000-0xdffffffff] (bus address [0x80000000-0xffffffff])
-  pci_bus 0002:00: root bus resource [mem 0xc0ee00000-0xc0eefffff] (bus address [0x00000000-0x000fffff])
-
-After the offending commit:
-  PCI host bridge to bus 0002:00
-  pci_bus 0002:00: root bus resource [io  0x0000-0xffff]
-  pci_bus 0002:00: root bus resource [mem 0xc0ee00000-0xc0eefffff] (bus address [0x00000000-0x000fffff])
-  pci_bus 0002:00: root bus resource [mem 0xd80000000-0xdffffffff] (bus address [0x80000000-0xffffffff])
-
-Since the apertures on HP EliteDesk 805 G6 are already in ascending
-order, doing a precautious sorting is not necessary.
-
-Remove the sorting part to avoid the regression on ppc:sam460ex.
-
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212013
-Cc: Guenter Roeck <linux@roeck-us.net>
-Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
-Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
- drivers/pci/probe.c | 31 +++++++++++++++++++++++++++----
- 1 file changed, 27 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index be51670572fa..133f5d2b189d 100644
--- a/drivers/pci/probe.c
-+++ b/drivers/pci/probe.c
-@@ -877,11 +877,11 @@ static void pci_set_bus_msi_domain(struct pci_bus *bus)
- static int pci_register_host_bridge(struct pci_host_bridge *bridge)
- {
- 	struct device *parent = bridge->dev.parent;
-	struct resource_entry *window, *n;
-+	struct resource_entry *window, *next, *n;
- 	struct pci_bus *bus, *b;
-	resource_size_t offset;
-+	resource_size_t offset, next_offset;
- 	LIST_HEAD(resources);
-	struct resource *res;
-+	struct resource *res, *next_res;
- 	char addr[64], *fmt;
- 	const char *name;
- 	int err;
-@@ -959,11 +959,34 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
- 	if (nr_node_ids > 1 && pcibus_to_node(bus) == NUMA_NO_NODE)
- 		dev_warn(&bus->dev, "Unknown NUMA node; performance will be reduced\n");
- 
-+	/* Coalesce contiguous windows */
-+	resource_list_for_each_entry_safe(window, n, &resources) {
-+		if (list_is_last(&window->node, &resources))
-+			break;
-+
-+		next = list_next_entry(window, node);
-+		offset = window->offset;
-+		res = window->res;
-+		next_offset = next->offset;
-+		next_res = next->res;
-+
-+		if (res->flags != next_res->flags || offset != next_offset)
-+			continue;
-+
-+		if (res->end + 1 == next_res->start) {
-+			next_res->start = res->start;
-+			res->flags = res->start = res->end = 0;
-+		}
-+	}
-+
- 	/* Add initial resources to the bus */
- 	resource_list_for_each_entry_safe(window, n, &resources) {
-		list_move_tail(&window->node, &bridge->windows);
- 		offset = window->offset;
- 		res = window->res;
-+		if (!res->end)
-+			continue;
-+
-+		list_move_tail(&window->node, &bridge->windows);
- 
- 		if (res->flags & IORESOURCE_BUS)
- 			pci_bus_insert_busn_res(bus, bus->number, res->end);
@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: kiler129 <grzegorz@noflash.pl>
+Date: Mon, 18 Sep 2023 15:19:26 +0200
+Subject: [PATCH] allow opt-in to allow pass-through on broken hardware..
+
+adapted from https://github.com/kiler129/relax-intel-rmrr , licensed under MIT or GPL 2.0+
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ drivers/iommu/intel/iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index 8faccfdfe500..2b9ef40799a5 100644
+--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
+@@ -298,6 +298,7 @@ static int dmar_map_gfx = 1;
+ static int dmar_map_ipu = 1;
+ static int intel_iommu_superpage = 1;
+ static int iommu_identity_mapping;
+static int intel_relaxable_rmrr = 0;
+ static int iommu_skip_te_disable;
+ 
+ #define IDENTMAP_GFX		2
+@@ -359,6 +360,9 @@ static int __init intel_iommu_setup(char *str)
+ 		} else if (!strncmp(str, "tboot_noforce", 13)) {
+ 			pr_info("Intel-IOMMU: not forcing on after tboot. This could expose security risk for tboot\n");
+ 			intel_iommu_tboot_noforce = 1;
+		} else if (!strncmp(str, "relax_rmrr", 10)) {
+			pr_info("Intel-IOMMU: assuming all RMRRs are relaxable. This can lead to instability or data loss\n");
+			intel_relaxable_rmrr = 1;
+ 		} else {
+ 			pr_notice("Unknown option - '%s'\n", str);
+ 		}
+@@ -2506,7 +2510,7 @@ static bool device_rmrr_is_relaxable(struct device *dev)
+ 		return false;
+ 
+ 	pdev = to_pci_dev(dev);
+-	if (IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
+	if (intel_relaxable_rmrr || IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
+ 		return true;
+ 	else
+ 		return false;
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 18 Oct 2023 12:41:04 -0700
+Subject: [PATCH] KVM: nSVM: Advertise support for flush-by-ASID
+
+Advertise support for FLUSHBYASID when nested SVM is enabled, as KVM can
+always emulate flushing TLB entries for a vmcb12 ASID, e.g. by running L2
+with a new, fresh ASID in vmcb02.  Some modern hypervisors, e.g. VMWare
+Workstation 17, require FLUSHBYASID support and will refuse to run if it's
+not present.
+
+Punt on proper support, as "Honor L1's request to flush an ASID on nested
+VMRUN" is one of the TODO items in the (incomplete) list of issues that
+need to be addressed in order for KVM to NOT do a full TLB flush on every
+nested SVM transition (see nested_svm_transition_tlb_flush()).
+
+Reported-by: Stefan Sterz <s.sterz@proxmox.com>
+Closes: https://lkml.kernel.org/r/b9915c9c-4cf6-051a-2d91-44cc6380f455%40proxmox.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/svm/svm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
+index 99832814341c..e8bb2bfd1ba1 100644
+--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
+@@ -4985,6 +4985,7 @@ static __init void svm_set_cpu_caps(void)
+ 	if (nested) {
+ 		kvm_cpu_cap_set(X86_FEATURE_SVM);
+ 		kvm_cpu_cap_set(X86_FEATURE_VMCBCLEAN);
+		kvm_cpu_cap_set(X86_FEATURE_FLUSHBYASID);
+ 
+ 		if (nrips)
+ 			kvm_cpu_cap_set(X86_FEATURE_NRIPS);
@@ -1,75 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Ming Lei <ming.lei@redhat.com>
-Date: Fri, 10 Sep 2021 14:30:15 +0200
-Subject: [PATCH] blk-mq: fix kernel panic during iterating over flush request
-
-commit c2da19ed50554ce52ecbad3655c98371fe58599f upstream.
-
-For fixing use-after-free during iterating over requests, we grabbed
-request's refcount before calling ->fn in commit 2e315dc07df0 ("blk-mq:
-grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter").
-Turns out this way may cause kernel panic when iterating over one flush
-request:
-
-1) old flush request's tag is just released, and this tag is reused by
-one new request, but ->rqs[] isn't updated yet
-
-2) the flush request can be re-used for submitting one new flush command,
-so blk_rq_init() is called at the same time
-
-3) meantime blk_mq_queue_tag_busy_iter() is called, and old flush request
-is retrieved from ->rqs[tag]; when blk_mq_put_rq_ref() is called,
-flush_rq->end_io may not be updated yet, so NULL pointer dereference
-is triggered in blk_mq_put_rq_ref().
-
-Fix the issue by calling refcount_set(&flush_rq->ref, 1) after
-flush_rq->end_io is set. So far the only other caller of blk_rq_init() is
-scsi_ioctl_reset() in which the request doesn't enter block IO stack and
-the request reference count isn't used, so the change is safe.
-
-Fixes: 2e315dc07df0 ("blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter")
-Reported-by: "Blank-Burian, Markus, Dr." <blankburian@uni-muenster.de>
-Tested-by: "Blank-Burian, Markus, Dr." <blankburian@uni-muenster.de>
-Signed-off-by: Ming Lei <ming.lei@redhat.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
-Reviewed-by: John Garry <john.garry@huawei.com>
-Link: https://lore.kernel.org/r/20210811142624.618598-1-ming.lei@redhat.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Cc: Yi Zhang <yi.zhang@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- block/blk-core.c  | 1 -
- block/blk-flush.c | 8 ++++++++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/block/blk-core.c b/block/blk-core.c
-index 7663a9b94b80..debdf9b0bf30 100644
--- a/block/blk-core.c
-+++ b/block/blk-core.c
-@@ -121,7 +121,6 @@ void blk_rq_init(struct request_queue *q, struct request *rq)
- 	rq->internal_tag = BLK_MQ_NO_TAG;
- 	rq->start_time_ns = ktime_get_ns();
- 	rq->part = NULL;
-	refcount_set(&rq->ref, 1);
- 	blk_crypto_rq_set_defaults(rq);
- }
- EXPORT_SYMBOL(blk_rq_init);
-diff --git a/block/blk-flush.c b/block/blk-flush.c
-index e89d007dbf6a..8b11ab3b3762 100644
--- a/block/blk-flush.c
-+++ b/block/blk-flush.c
-@@ -329,6 +329,14 @@ static void blk_kick_flush(struct request_queue *q, struct blk_flush_queue *fq,
- 	flush_rq->rq_flags |= RQF_FLUSH_SEQ;
- 	flush_rq->rq_disk = first_rq->rq_disk;
- 	flush_rq->end_io = flush_end_io;
-+	/*
-+	 * Order WRITE ->end_io and WRITE rq->ref, and its pair is the one
-+	 * implied in refcount_inc_not_zero() called from
-+	 * blk_mq_find_and_get_req(), which orders WRITE/READ flush_rq->ref
-+	 * and READ flush_rq->end_io
-+	 */
-+	smp_wmb();
-+	refcount_set(&flush_rq->ref, 1);
- 
- 	blk_flush_queue_rq(flush_rq, false);
- }
@@ -1,91 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Ming Lei <ming.lei@redhat.com>
-Date: Fri, 10 Sep 2021 14:30:16 +0200
-Subject: [PATCH] blk-mq: fix is_flush_rq
-
-commit a9ed27a764156929efe714033edb3e9023c5f321 upstream.
-
-is_flush_rq() is called from bt_iter()/bt_tags_iter(), and runs the
-following check:
-
-	hctx->fq->flush_rq == req
-
-but the passed hctx from bt_iter()/bt_tags_iter() may be NULL because:
-
-1) memory re-order in blk_mq_rq_ctx_init():
-
-	rq->mq_hctx = data->hctx;
-	...
-	refcount_set(&rq->ref, 1);
-
-OR
-
-2) tag re-use and ->rqs[] isn't updated with new request.
-
-Fix the issue by re-writing is_flush_rq() as:
-
-	return rq->end_io == flush_end_io;
-
-which turns out simpler to follow and immune to data race since we have
-ordered WRITE rq->end_io and refcount_set(&rq->ref, 1).
-
-Fixes: 2e315dc07df0 ("blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter")
-Cc: "Blank-Burian, Markus, Dr." <blankburian@uni-muenster.de>
-Cc: Yufen Yu <yuyufen@huawei.com>
-Signed-off-by: Ming Lei <ming.lei@redhat.com>
-Link: https://lore.kernel.org/r/20210818010925.607383-1-ming.lei@redhat.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Cc: Yi Zhang <yi.zhang@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- block/blk-flush.c | 5 +++++
- block/blk-mq.c    | 2 +-
- block/blk.h       | 6 +-----
- 3 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/block/blk-flush.c b/block/blk-flush.c
-index 8b11ab3b3762..705ee6c99020 100644
--- a/block/blk-flush.c
-+++ b/block/blk-flush.c
-@@ -262,6 +262,11 @@ static void flush_end_io(struct request *flush_rq, blk_status_t error)
- 	spin_unlock_irqrestore(&fq->mq_flush_lock, flags);
- }
- 
-+bool is_flush_rq(struct request *rq)
-+{
-+	return rq->end_io == flush_end_io;
-+}
-+
- /**
-  * blk_kick_flush - consider issuing flush request
-  * @q: request_queue being kicked
-diff --git a/block/blk-mq.c b/block/blk-mq.c
-index cb619ec8aaf2..601e40204d06 100644
--- a/block/blk-mq.c
-+++ b/block/blk-mq.c
-@@ -937,7 +937,7 @@ static bool blk_mq_req_expired(struct request *rq, unsigned long *next)
- 
- void blk_mq_put_rq_ref(struct request *rq)
- {
-	if (is_flush_rq(rq, rq->mq_hctx))
-+	if (is_flush_rq(rq))
- 		rq->end_io(rq, 0);
- 	else if (refcount_dec_and_test(&rq->ref))
- 		__blk_mq_free_request(rq);
-diff --git a/block/blk.h b/block/blk.h
-index 7550364c326c..4a4ffd992790 100644
--- a/block/blk.h
-+++ b/block/blk.h
-@@ -43,11 +43,7 @@ static inline void __blk_get_queue(struct request_queue *q)
- 	kobject_get(&q->kobj);
- }
- 
-static inline bool
-is_flush_rq(struct request *req, struct blk_mq_hw_ctx *hctx)
-{
-	return hctx->fq->flush_rq == req;
-}
-+bool is_flush_rq(struct request *req);
- 
- struct blk_flush_queue *blk_alloc_flush_queue(int node, int cmd_size,
- 					      gfp_t flags);
@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Mon, 6 Nov 2023 10:17:02 +0100
+Subject: [PATCH] revert "memfd: improve userspace warnings for missing
+ exec-related flags".
+
+This warning is telling userspace developers to pass MFD_EXEC and
+MFD_NOEXEC_SEAL to memfd_create().  Commit 434ed3350f57 ("memfd: improve
+userspace warnings for missing exec-related flags") made the warning more
+frequent and visible in the hope that this would accelerate the fixing of
+errant userspace.
+
+But the overall effect is to generate far too much dmesg noise.
+
+Fixes: 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags")
+Reported-by: Damian Tometzki <dtometzki@fedoraproject.org>
+Closes: https://lkml.kernel.org/r/ZPFzCSIgZ4QuHsSC@fedora.fritz.box
+Cc: Aleksa Sarai <cyphar@cyphar.com>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Daniel Verkamp <dverkamp@chromium.org>
+Cc: Jeff Xu <jeffxu@google.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ (cherry picked from commit 2562d67b1bdf91c7395b0225d60fdeb26b4bc5a0)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ mm/memfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/memfd.c b/mm/memfd.c
+index 2dba2cb6f0d0..1c077e98e116 100644
+--- a/mm/memfd.c
+++ b/mm/memfd.c
+@@ -282,7 +282,7 @@ static int check_sysctl_memfd_noexec(unsigned int *flags)
+ 	}
+ 
+ 	if (!(*flags & MFD_NOEXEC_SEAL) && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) {
+-		pr_err_ratelimited(
+		pr_warn_once(
+ 			"%s[%d]: memfd_create() requires MFD_NOEXEC_SEAL with vm.memfd_noexec=%d\n",
+ 			current->comm, task_pid_nr(current), sysctl);
+ 		return -EACCES;
@@ -0,0 +1,146 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Fri, 27 Oct 2023 16:40:47 -0400
+Subject: [PATCH] drm/amd: Fix UBSAN array-index-out-of-bounds for Powerplay
+ headers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For pptable structs that use flexible array sizes, use flexible arrays.
+
+Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2039926
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry-picked from commit 49afe91370b86566857a3c2c39612cf098110885)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ .../drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h |  4 ++--
+ .../amd/pm/powerplay/hwmgr/vega10_pptable.h   | 24 +++++++++----------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h
+index e0e40b054c08..5ec564dbf339 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h
+@@ -367,7 +367,7 @@ typedef struct _ATOM_Tonga_VCE_State_Record {
+ typedef struct _ATOM_Tonga_VCE_State_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;
+-	ATOM_Tonga_VCE_State_Record entries[1];
+	ATOM_Tonga_VCE_State_Record entries[];
+ } ATOM_Tonga_VCE_State_Table;
+ 
+ typedef struct _ATOM_Tonga_PowerTune_Table {
+@@ -482,7 +482,7 @@ typedef struct _ATOM_Tonga_Hard_Limit_Record {
+ typedef struct _ATOM_Tonga_Hard_Limit_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;
+-	ATOM_Tonga_Hard_Limit_Record entries[1];
+	ATOM_Tonga_Hard_Limit_Record entries[];
+ } ATOM_Tonga_Hard_Limit_Table;
+ 
+ typedef struct _ATOM_Tonga_GPIO_Table {
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_pptable.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_pptable.h
+index 9c479bd9a786..a372abcd01be 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_pptable.h
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_pptable.h
+@@ -129,7 +129,7 @@ typedef struct _ATOM_Vega10_State {
+ typedef struct _ATOM_Vega10_State_Array {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                         /* Number of entries. */
+-	ATOM_Vega10_State states[1];                             /* Dynamically allocate entries. */
+	ATOM_Vega10_State states[];                             /* Dynamically allocate entries. */
+ } ATOM_Vega10_State_Array;
+ 
+ typedef struct _ATOM_Vega10_CLK_Dependency_Record {
+@@ -169,37 +169,37 @@ typedef struct _ATOM_Vega10_GFXCLK_Dependency_Table {
+ typedef struct _ATOM_Vega10_MCLK_Dependency_Table {
+     UCHAR ucRevId;
+     UCHAR ucNumEntries;                                         /* Number of entries. */
+-    ATOM_Vega10_MCLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+    ATOM_Vega10_MCLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_MCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_SOCCLK_Dependency_Table {
+     UCHAR ucRevId;
+     UCHAR ucNumEntries;                                         /* Number of entries. */
+-    ATOM_Vega10_CLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+    ATOM_Vega10_CLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_SOCCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_DCEFCLK_Dependency_Table {
+     UCHAR ucRevId;
+     UCHAR ucNumEntries;                                         /* Number of entries. */
+-    ATOM_Vega10_CLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+    ATOM_Vega10_CLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_DCEFCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_PIXCLK_Dependency_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                         /* Number of entries. */
+-	ATOM_Vega10_CLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+	ATOM_Vega10_CLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_PIXCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_DISPCLK_Dependency_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                         /* Number of entries.*/
+-	ATOM_Vega10_CLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+	ATOM_Vega10_CLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_DISPCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_PHYCLK_Dependency_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                         /* Number of entries. */
+-	ATOM_Vega10_CLK_Dependency_Record entries[1];            /* Dynamically allocate entries. */
+	ATOM_Vega10_CLK_Dependency_Record entries[];            /* Dynamically allocate entries. */
+ } ATOM_Vega10_PHYCLK_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_MM_Dependency_Record {
+@@ -213,7 +213,7 @@ typedef struct _ATOM_Vega10_MM_Dependency_Record {
+ typedef struct _ATOM_Vega10_MM_Dependency_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                         /* Number of entries */
+-	ATOM_Vega10_MM_Dependency_Record entries[1];             /* Dynamically allocate entries */
+	ATOM_Vega10_MM_Dependency_Record entries[];             /* Dynamically allocate entries */
+ } ATOM_Vega10_MM_Dependency_Table;
+ 
+ typedef struct _ATOM_Vega10_PCIE_Record {
+@@ -225,7 +225,7 @@ typedef struct _ATOM_Vega10_PCIE_Record {
+ typedef struct _ATOM_Vega10_PCIE_Table {
+ 	UCHAR  ucRevId;
+ 	UCHAR  ucNumEntries;                                        /* Number of entries */
+-	ATOM_Vega10_PCIE_Record entries[1];                      /* Dynamically allocate entries. */
+	ATOM_Vega10_PCIE_Record entries[];                      /* Dynamically allocate entries. */
+ } ATOM_Vega10_PCIE_Table;
+ 
+ typedef struct _ATOM_Vega10_Voltage_Lookup_Record {
+@@ -235,7 +235,7 @@ typedef struct _ATOM_Vega10_Voltage_Lookup_Record {
+ typedef struct _ATOM_Vega10_Voltage_Lookup_Table {
+ 	UCHAR ucRevId;
+ 	UCHAR ucNumEntries;                                          /* Number of entries */
+-	ATOM_Vega10_Voltage_Lookup_Record entries[1];             /* Dynamically allocate entries */
+	ATOM_Vega10_Voltage_Lookup_Record entries[];             /* Dynamically allocate entries */
+ } ATOM_Vega10_Voltage_Lookup_Table;
+ 
+ typedef struct _ATOM_Vega10_Fan_Table {
+@@ -329,7 +329,7 @@ typedef struct _ATOM_Vega10_VCE_State_Table
+ {
+     UCHAR ucRevId;
+     UCHAR ucNumEntries;
+-    ATOM_Vega10_VCE_State_Record entries[1];
+    ATOM_Vega10_VCE_State_Record entries[];
+ } ATOM_Vega10_VCE_State_Table;
+ 
+ typedef struct _ATOM_Vega10_PowerTune_Table {
+@@ -432,7 +432,7 @@ typedef struct _ATOM_Vega10_Hard_Limit_Table
+ {
+     UCHAR ucRevId;
+     UCHAR ucNumEntries;
+-    ATOM_Vega10_Hard_Limit_Record entries[1];
+    ATOM_Vega10_Hard_Limit_Record entries[];
+ } ATOM_Vega10_Hard_Limit_Table;
+ 
+ typedef struct _Vega10_PPTable_Generic_SubTable_Header
@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Date: Fri, 15 Dec 2023 16:49:50 +0530
+Subject: [PATCH] ext4: fallback to complex scan if aligned scan doesn't work
+
+Currently in case the goal length is a multiple of stripe size we use
+ext4_mb_scan_aligned() to find the stripe size aligned physical blocks.
+In case we are not able to find any, we again go back to calling
+ext4_mb_choose_next_group() to search for a different suitable block
+group. However, since the linear search always begins from the start,
+most of the times we end up with the same BG and the cycle continues.
+
+With large fliesystems, the CPU can be stuck in this loop for hours
+which can slow down the whole system. Hence, until we figure out a
+better way to continue the search (rather than starting from beginning)
+in ext4_mb_choose_next_group(), lets just fallback to
+ext4_mb_complex_scan_group() in case aligned scan fails, as it is much
+more likely to find the needed blocks.
+
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+---
+ fs/ext4/mballoc.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 2690d47a9ea2..9ff8ea02f79d 100644
+--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
+@@ -2894,14 +2894,19 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac)
+ 			ac->ac_groups_scanned++;
+ 			if (cr == CR_POWER2_ALIGNED)
+ 				ext4_mb_simple_scan_group(ac, &e4b);
+-			else if ((cr == CR_GOAL_LEN_FAST ||
+-				 cr == CR_BEST_AVAIL_LEN) &&
+-				 sbi->s_stripe &&
+-				 !(ac->ac_g_ex.fe_len %
+-				 EXT4_B2C(sbi, sbi->s_stripe)))
+-				ext4_mb_scan_aligned(ac, &e4b);
+-			else
+-				ext4_mb_complex_scan_group(ac, &e4b);
+			else {
+				bool is_stripe_aligned = sbi->s_stripe &&
+					!(ac->ac_g_ex.fe_len %
+					  EXT4_B2C(sbi, sbi->s_stripe));
+
+				if ((cr == CR_GOAL_LEN_FAST ||
+				     cr == CR_BEST_AVAIL_LEN) &&
+				    is_stripe_aligned)
+					ext4_mb_scan_aligned(ac, &e4b);
+
+				if (ac->ac_status == AC_STATUS_CONTINUE)
+					ext4_mb_complex_scan_group(ac, &e4b);
+			}
+ 
+ 			ext4_unlock_group(sb, group);
+ 			ext4_mb_unload_buddy(&e4b);
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stoiko Ivanov <s.ivanov@proxmox.com>
+Date: Wed, 3 Apr 2024 10:29:59 +0200
+Subject: [PATCH] Revert "cifs: fix flushing folio regression for 6.1 backport"
+
+This reverts commit 2dc07a11e269bfbe5589e99b60cdbae0118be979.
+---
+ fs/smb/client/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c
+index 55a6d0296ec82..82313b2534631 100644
+--- a/fs/smb/client/cifsfs.c
+++ b/fs/smb/client/cifsfs.c
+@@ -1245,7 +1245,7 @@ static int cifs_flush_folio(struct inode *inode, loff_t pos, loff_t *_fstart, lo
+ 	int rc = 0;
+ 
+ 	folio = filemap_get_folio(inode->i_mapping, index);
+-	if (!folio)
+	if (IS_ERR(folio))
+ 		return 0;
+ 
+ 	size = folio_size(folio);
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stoiko Ivanov <s.ivanov@proxmox.com>
+Date: Thu, 4 Apr 2024 11:41:15 +0200
+Subject: [PATCH] Revert "thermal: trip: Drop lockdep assertion from
+ thermal_zone_trip_id()"
+
+This reverts commit c723c4fca6d2db3815623ff4dc0ea51667b56b89.
+---
+ drivers/thermal/thermal_trip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/thermal/thermal_trip.c b/drivers/thermal/thermal_trip.c
+index 68bea8706c597..1d4fe63e09f77 100644
+--- a/drivers/thermal/thermal_trip.c
+++ b/drivers/thermal/thermal_trip.c
+@@ -201,6 +201,8 @@ int thermal_zone_trip_id(struct thermal_zone_device *tz,
+ {
+ 	int i;
+ 
+	lockdep_assert_held(&tz->lock);
+
+ 	for (i = 0; i < tz->num_trips; i++) {
+ 		if (&tz->trips[i] == trip)
+ 			return i;
@@ -0,0 +1,343 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stoiko Ivanov <s.ivanov@proxmox.com>
+Date: Thu, 4 Apr 2024 11:41:17 +0200
+Subject: [PATCH] Revert "thermal: core: Store trip pointer in struct
+ thermal_instance"
+
+This reverts commit 643b451957369f28b7770af387d14d4e4712074b.
+---
+ drivers/thermal/gov_bang_bang.c       | 23 +++++++++++++++--------
+ drivers/thermal/gov_fair_share.c      |  5 ++---
+ drivers/thermal/gov_power_allocator.c | 11 +++--------
+ drivers/thermal/gov_step_wise.c       | 16 +++++++++-------
+ drivers/thermal/thermal_core.c        | 15 +++++----------
+ drivers/thermal/thermal_core.h        |  4 +---
+ drivers/thermal/thermal_helpers.c     |  5 +----
+ drivers/thermal/thermal_sysfs.c       |  3 +--
+ drivers/thermal/thermal_trip.c        | 15 ---------------
+ 9 files changed, 37 insertions(+), 60 deletions(-)
+
+diff --git a/drivers/thermal/gov_bang_bang.c b/drivers/thermal/gov_bang_bang.c
+index 49cdfaa3a9279..1b121066521ff 100644
+--- a/drivers/thermal/gov_bang_bang.c
+++ b/drivers/thermal/gov_bang_bang.c
+@@ -13,21 +13,28 @@
+ 
+ #include "thermal_core.h"
+ 
+-static int thermal_zone_trip_update(struct thermal_zone_device *tz, int trip_index)
+static int thermal_zone_trip_update(struct thermal_zone_device *tz, int trip_id)
+ {
+-	const struct thermal_trip *trip = &tz->trips[trip_index];
+	struct thermal_trip trip;
+ 	struct thermal_instance *instance;
+	int ret;
+
+	ret = __thermal_zone_get_trip(tz, trip_id, &trip);
+	if (ret) {
+		pr_warn_once("Failed to retrieve trip point %d\n", trip_id);
+		return ret;
+	}
+ 
+-	if (!trip->hysteresis)
+	if (!trip.hysteresis)
+ 		dev_info_once(&tz->device,
+ 			      "Zero hysteresis value for thermal zone %s\n", tz->type);
+ 
+ 	dev_dbg(&tz->device, "Trip%d[temp=%d]:temp=%d:hyst=%d\n",
+-				trip_index, trip->temperature, tz->temperature,
+-				trip->hysteresis);
+				trip_id, trip.temperature, tz->temperature,
+				trip.hysteresis);
+ 
+ 	list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+-		if (instance->trip != trip)
+		if (instance->trip != trip_id)
+ 			continue;
+ 
+ 		/* in case fan is in initial state, switch the fan off */
+@@ -45,10 +52,10 @@ static int thermal_zone_trip_update(struct thermal_zone_device *tz, int trip_ind
+ 		 * enable fan when temperature exceeds trip_temp and disable
+ 		 * the fan in case it falls below trip_temp minus hysteresis
+ 		 */
+-		if (instance->target == 0 && tz->temperature >= trip->temperature)
+		if (instance->target == 0 && tz->temperature >= trip.temperature)
+ 			instance->target = 1;
+ 		else if (instance->target == 1 &&
+-			 tz->temperature <= trip->temperature - trip->hysteresis)
+			 tz->temperature <= trip.temperature - trip.hysteresis)
+ 			instance->target = 0;
+ 
+ 		dev_dbg(&instance->cdev->device, "target=%d\n",
+diff --git a/drivers/thermal/gov_fair_share.c b/drivers/thermal/gov_fair_share.c
+index 2abeb8979f500..03c2daeb6ee8b 100644
+--- a/drivers/thermal/gov_fair_share.c
+++ b/drivers/thermal/gov_fair_share.c
+@@ -49,7 +49,7 @@ static long get_target_state(struct thermal_zone_device *tz,
+ /**
+  * fair_share_throttle - throttles devices associated with the given zone
+  * @tz: thermal_zone_device
+- * @trip_index: trip point index
+ * @trip: trip point index
+  *
+  * Throttling Logic: This uses three parameters to calculate the new
+  * throttle state of the cooling devices associated with the given zone.
+@@ -65,9 +65,8 @@ static long get_target_state(struct thermal_zone_device *tz,
+  *	(Heavily assumes the trip points are in ascending order)
+  * new_state of cooling device = P3 * P2 * P1
+  */
+-static int fair_share_throttle(struct thermal_zone_device *tz, int trip_index)
+static int fair_share_throttle(struct thermal_zone_device *tz, int trip)
+ {
+-	const struct thermal_trip *trip = &tz->trips[trip_index];
+ 	struct thermal_instance *instance;
+ 	int total_weight = 0;
+ 	int total_instance = 0;
+diff --git a/drivers/thermal/gov_power_allocator.c b/drivers/thermal/gov_power_allocator.c
+index fc969642f70b7..fb311339bd08f 100644
+--- a/drivers/thermal/gov_power_allocator.c
+++ b/drivers/thermal/gov_power_allocator.c
+@@ -90,14 +90,12 @@ static u32 estimate_sustainable_power(struct thermal_zone_device *tz)
+ 	u32 sustainable_power = 0;
+ 	struct thermal_instance *instance;
+ 	struct power_allocator_params *params = tz->governor_data;
+-	const struct thermal_trip *trip_max_desired_temperature =
+-			&tz->trips[params->trip_max_desired_temperature];
+ 
+ 	list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+ 		struct thermal_cooling_device *cdev = instance->cdev;
+ 		u32 min_power;
+ 
+-		if (instance->trip != trip_max_desired_temperature)
+		if (instance->trip != params->trip_max_desired_temperature)
+ 			continue;
+ 
+ 		if (!cdev_is_power_actor(cdev))
+@@ -385,13 +383,12 @@ static int allocate_power(struct thermal_zone_device *tz,
+ {
+ 	struct thermal_instance *instance;
+ 	struct power_allocator_params *params = tz->governor_data;
+-	const struct thermal_trip *trip_max_desired_temperature =
+-			&tz->trips[params->trip_max_desired_temperature];
+ 	u32 *req_power, *max_power, *granted_power, *extra_actor_power;
+ 	u32 *weighted_req_power;
+ 	u32 total_req_power, max_allocatable_power, total_weighted_req_power;
+ 	u32 total_granted_power, power_range;
+ 	int i, num_actors, total_weight, ret = 0;
+	int trip_max_desired_temperature = params->trip_max_desired_temperature;
+ 
+ 	num_actors = 0;
+ 	total_weight = 0;
+@@ -567,14 +564,12 @@ static void allow_maximum_power(struct thermal_zone_device *tz, bool update)
+ {
+ 	struct thermal_instance *instance;
+ 	struct power_allocator_params *params = tz->governor_data;
+-	const struct thermal_trip *trip_max_desired_temperature =
+-			&tz->trips[params->trip_max_desired_temperature];
+ 	u32 req_power;
+ 
+ 	list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+ 		struct thermal_cooling_device *cdev = instance->cdev;
+ 
+-		if ((instance->trip != trip_max_desired_temperature) ||
+		if ((instance->trip != params->trip_max_desired_temperature) ||
+ 		    (!cdev_is_power_actor(instance->cdev)))
+ 			continue;
+ 
+diff --git a/drivers/thermal/gov_step_wise.c b/drivers/thermal/gov_step_wise.c
+index 849dc1ec8d27c..1050fb4d94c2d 100644
+--- a/drivers/thermal/gov_step_wise.c
+++ b/drivers/thermal/gov_step_wise.c
+@@ -81,24 +81,26 @@ static void update_passive_instance(struct thermal_zone_device *tz,
+ 
+ static void thermal_zone_trip_update(struct thermal_zone_device *tz, int trip_id)
+ {
+-	const struct thermal_trip *trip = &tz->trips[trip_id];
+ 	enum thermal_trend trend;
+ 	struct thermal_instance *instance;
+	struct thermal_trip trip;
+ 	bool throttle = false;
+ 	int old_target;
+ 
+	__thermal_zone_get_trip(tz, trip_id, &trip);
+
+ 	trend = get_tz_trend(tz, trip_id);
+ 
+-	if (tz->temperature >= trip->temperature) {
+	if (tz->temperature >= trip.temperature) {
+ 		throttle = true;
+-		trace_thermal_zone_trip(tz, trip_id, trip->type);
+		trace_thermal_zone_trip(tz, trip_id, trip.type);
+ 	}
+ 
+ 	dev_dbg(&tz->device, "Trip%d[type=%d,temp=%d]:trend=%d,throttle=%d\n",
+-		trip_id, trip->type, trip->temperature, trend, throttle);
+				trip_id, trip.type, trip.temperature, trend, throttle);
+ 
+ 	list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
+-		if (instance->trip != trip)
+		if (instance->trip != trip_id)
+ 			continue;
+ 
+ 		old_target = instance->target;
+@@ -112,11 +114,11 @@ static void thermal_zone_trip_update(struct thermal_zone_device *tz, int trip_id
+ 		/* Activate a passive thermal instance */
+ 		if (old_target == THERMAL_NO_TARGET &&
+ 			instance->target != THERMAL_NO_TARGET)
+-			update_passive_instance(tz, trip->type, 1);
+			update_passive_instance(tz, trip.type, 1);
+ 		/* Deactivate a passive thermal instance */
+ 		else if (old_target != THERMAL_NO_TARGET &&
+ 			instance->target == THERMAL_NO_TARGET)
+-			update_passive_instance(tz, trip->type, -1);
+			update_passive_instance(tz, trip.type, -1);
+ 
+ 		instance->initialized = true;
+ 		mutex_lock(&instance->cdev->lock);
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index c066c09555667..69cff5fc32156 100644
+--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
+@@ -582,7 +582,7 @@ struct thermal_zone_device *thermal_zone_get_by_id(int id)
+ /**
+  * thermal_zone_bind_cooling_device() - bind a cooling device to a thermal zone
+  * @tz:		pointer to struct thermal_zone_device
+- * @trip_index:	indicates which trip point the cooling devices is
+ * @trip:	indicates which trip point the cooling devices is
+  *		associated with in this thermal zone.
+  * @cdev:	pointer to struct thermal_cooling_device
+  * @upper:	the Maximum cooling state for this trip point.
+@@ -602,7 +602,7 @@ struct thermal_zone_device *thermal_zone_get_by_id(int id)
+  * Return: 0 on success, the proper error value otherwise.
+  */
+ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz,
+-				     int trip_index,
+				     int trip,
+ 				     struct thermal_cooling_device *cdev,
+ 				     unsigned long upper, unsigned long lower,
+ 				     unsigned int weight)
+@@ -611,15 +611,12 @@ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz,
+ 	struct thermal_instance *pos;
+ 	struct thermal_zone_device *pos1;
+ 	struct thermal_cooling_device *pos2;
+-	const struct thermal_trip *trip;
+ 	bool upper_no_limit;
+ 	int result;
+ 
+-	if (trip_index >= tz->num_trips || trip_index < 0)
+	if (trip >= tz->num_trips || trip < 0)
+ 		return -EINVAL;
+ 
+-	trip = &tz->trips[trip_index];
+-
+ 	list_for_each_entry(pos1, &thermal_tz_list, node) {
+ 		if (pos1 == tz)
+ 			break;
+@@ -724,7 +721,7 @@ EXPORT_SYMBOL_GPL(thermal_zone_bind_cooling_device);
+  * thermal_zone_unbind_cooling_device() - unbind a cooling device from a
+  *					  thermal zone.
+  * @tz:		pointer to a struct thermal_zone_device.
+- * @trip_index:	indicates which trip point the cooling devices is
+ * @trip:	indicates which trip point the cooling devices is
+  *		associated with in this thermal zone.
+  * @cdev:	pointer to a struct thermal_cooling_device.
+  *
+@@ -735,15 +732,13 @@ EXPORT_SYMBOL_GPL(thermal_zone_bind_cooling_device);
+  * Return: 0 on success, the proper error value otherwise.
+  */
+ int thermal_zone_unbind_cooling_device(struct thermal_zone_device *tz,
+-				       int trip_index,
+				       int trip,
+ 				       struct thermal_cooling_device *cdev)
+ {
+ 	struct thermal_instance *pos, *next;
+-	const struct thermal_trip *trip;
+ 
+ 	mutex_lock(&tz->lock);
+ 	mutex_lock(&cdev->lock);
+-	trip = &tz->trips[trip_index];
+ 	list_for_each_entry_safe(pos, next, &tz->thermal_instances, tz_node) {
+ 		if (pos->tz == tz && pos->trip == trip && pos->cdev == cdev) {
+ 			list_del(&pos->tz_node);
+diff --git a/drivers/thermal/thermal_core.h b/drivers/thermal/thermal_core.h
+index a33b389bbcfe8..17c1bbed734d3 100644
+--- a/drivers/thermal/thermal_core.h
+++ b/drivers/thermal/thermal_core.h
+@@ -91,7 +91,7 @@ struct thermal_instance {
+ 	char name[THERMAL_NAME_LENGTH];
+ 	struct thermal_zone_device *tz;
+ 	struct thermal_cooling_device *cdev;
+-	const struct thermal_trip *trip;
+	int trip;
+ 	bool initialized;
+ 	unsigned long upper;	/* Highest cooling state for this trip point */
+ 	unsigned long lower;	/* Lowest cooling state for this trip point */
+@@ -123,8 +123,6 @@ void __thermal_zone_device_update(struct thermal_zone_device *tz,
+ void __thermal_zone_set_trips(struct thermal_zone_device *tz);
+ int __thermal_zone_get_trip(struct thermal_zone_device *tz, int trip_id,
+ 			    struct thermal_trip *trip);
+-int thermal_zone_trip_id(struct thermal_zone_device *tz,
+-			 const struct thermal_trip *trip);
+ int __thermal_zone_get_temp(struct thermal_zone_device *tz, int *temp);
+ 
+ /* sysfs I/F */
+diff --git a/drivers/thermal/thermal_helpers.c b/drivers/thermal/thermal_helpers.c
+index 421ed301541e1..cfba0965a22da 100644
+--- a/drivers/thermal/thermal_helpers.c
+++ b/drivers/thermal/thermal_helpers.c
+@@ -41,17 +41,14 @@ int get_tz_trend(struct thermal_zone_device *tz, int trip)
+ 
+ struct thermal_instance *
+ get_thermal_instance(struct thermal_zone_device *tz,
+-		     struct thermal_cooling_device *cdev, int trip_index)
+		     struct thermal_cooling_device *cdev, int trip)
+ {
+ 	struct thermal_instance *pos = NULL;
+ 	struct thermal_instance *target_instance = NULL;
+-	const struct thermal_trip *trip;
+ 
+ 	mutex_lock(&tz->lock);
+ 	mutex_lock(&cdev->lock);
+ 
+-	trip = &tz->trips[trip_index];
+-
+ 	list_for_each_entry(pos, &tz->thermal_instances, tz_node) {
+ 		if (pos->tz == tz && pos->trip == trip && pos->cdev == cdev) {
+ 			target_instance = pos;
+diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c
+index eef40d4f30639..4e6a97db894e9 100644
+--- a/drivers/thermal/thermal_sysfs.c
+++ b/drivers/thermal/thermal_sysfs.c
+@@ -943,8 +943,7 @@ trip_point_show(struct device *dev, struct device_attribute *attr, char *buf)
+ 	instance =
+ 	    container_of(attr, struct thermal_instance, attr);
+ 
+-	return sprintf(buf, "%d\n",
+-		       thermal_zone_trip_id(instance->tz, instance->trip));
+	return sprintf(buf, "%d\n", instance->trip);
+ }
+ 
+ ssize_t
+diff --git a/drivers/thermal/thermal_trip.c b/drivers/thermal/thermal_trip.c
+index 1d4fe63e09f77..21736e02fa360 100644
+--- a/drivers/thermal/thermal_trip.c
+++ b/drivers/thermal/thermal_trip.c
+@@ -195,18 +195,3 @@ int thermal_zone_set_trip(struct thermal_zone_device *tz, int trip_id,
+ 
+ 	return 0;
+ }
+-
+-int thermal_zone_trip_id(struct thermal_zone_device *tz,
+-			 const struct thermal_trip *trip)
+-{
+-	int i;
+-
+-	lockdep_assert_held(&tz->lock);
+-
+-	for (i = 0; i < tz->num_trips; i++) {
+-		if (&tz->trips[i] == trip)
+-			return i;
+-	}
+-
+-	return -ENODATA;
+-}
@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Date: Wed, 3 Apr 2024 15:21:58 +0200
+Subject: [PATCH] net: usb: ax88179_178a: avoid the interface always configured
+ as random address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+After the commit d2689b6a86b9 ("net: usb: ax88179_178a: avoid two
+consecutive device resets"), reset is not executed from bind operation and
+mac address is not read from the device registers or the devicetree at that
+moment. Since the check to configure if the assigned mac address is random
+or not for the interface, happens after the bind operation from
+usbnet_probe, the interface keeps configured as random address, although the
+address is correctly read and set during open operation (the only reset
+now).
+
+In order to keep only one reset for the device and to avoid the interface
+always configured as random address, after reset, configure correctly the
+suitable field from the driver, if the mac address is read successfully from
+the device registers or the devicetree. Take into account if a locally
+administered address (random) was previously stored.
+
+cc: stable@vger.kernel.org # 6.6+
+Fixes: d2689b6a86b9 ("net: usb: ax88179_178a: avoid two consecutive device resets")
+Reported-by: Dave Stevenson  <dave.stevenson@raspberrypi.com>
+Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240403132158.344838-1-jtornosm@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 2e91bb99b9d4f756e92e83c4453f894dda220f09)
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ drivers/net/usb/ax88179_178a.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index d837c1887416..e0e9b4c53cb0 100644
+--- a/drivers/net/usb/ax88179_178a.c
+++ b/drivers/net/usb/ax88179_178a.c
+@@ -1273,6 +1273,8 @@ static void ax88179_get_mac_addr(struct usbnet *dev)
+ 
+ 	if (is_valid_ether_addr(mac)) {
+ 		eth_hw_addr_set(dev->net, mac);
+		if (!is_local_ether_addr(mac))
+			dev->net->addr_assign_type = NET_ADDR_PERM;
+ 	} else {
+ 		netdev_info(dev->net, "invalid MAC address, using random\n");
+ 		eth_hw_addr_random(dev->net);
@@ -0,0 +1,83 @@
+From fe4261ef5f99878f60290709d10d44bba326f95f Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Sun, 24 Mar 2024 20:51:35 +0100
+Subject: [PATCH] x86/CPU/AMD: Improve the erratum 1386 workaround
+
+Disable XSAVES only on machines which haven't loaded the microcode
+revision containing the erratum fix.
+
+This will come in handy when running archaic OSes as guests. OSes whose
+brilliant programmers thought that CPUID is overrated and one should not
+query it but use features directly, ala shoot first, ask questions
+later... but only if you're alive after the shooting.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+[ FG: port to 6.5 ]
+Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
+Tested-by: "Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/r/20240324200525.GBZgCHhYFsBj12PrKv@fat_crate.local
+---
+ arch/x86/include/asm/cpu_device_id.h |  8 ++++++++
+ arch/x86/kernel/cpu/amd.c            | 11 +++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/arch/x86/include/asm/cpu_device_id.h b/arch/x86/include/asm/cpu_device_id.h
+index eb8fcede9e3b..bf4e065cf1e2 100644
+--- a/arch/x86/include/asm/cpu_device_id.h
+++ b/arch/x86/include/asm/cpu_device_id.h
+@@ -190,6 +190,14 @@ struct x86_cpu_desc {
+ 	.x86_microcode_rev	= (revision),			\
+ }
+ 
+#define AMD_CPU_DESC(fam, model, stepping, revision) {		\
+	.x86_family		= (fam),			\
+	.x86_vendor		= X86_VENDOR_AMD,		\
+	.x86_model		= (model),			\
+	.x86_stepping		= (stepping),			\
+	.x86_microcode_rev	= (revision),			\
+}
+
+ extern const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match);
+ extern bool x86_cpu_has_min_microcode_rev(const struct x86_cpu_desc *table);
+ 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 9390074ddb25..8201271f6505 100644
+--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
+@@ -13,6 +13,7 @@
+ #include <asm/apic.h>
+ #include <asm/cacheinfo.h>
+ #include <asm/cpu.h>
+#include <asm/cpu_device_id.h>
+ #include <asm/spec-ctrl.h>
+ #include <asm/smp.h>
+ #include <asm/numa.h>
+@@ -945,6 +946,11 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
+ 	clear_rdrand_cpuid_bit(c);
+ }
+ 
+static const struct x86_cpu_desc erratum_1386_microcode[] = {
+	AMD_CPU_DESC(0x17,  0x1, 0x2, 0x0800126e),
+	AMD_CPU_DESC(0x17, 0x31, 0x0, 0x08301052),
+};
+
+ void init_spectral_chicken(struct cpuinfo_x86 *c)
+ {
+ #ifdef CONFIG_CPU_UNRET_ENTRY
+@@ -972,7 +978,12 @@ void init_spectral_chicken(struct cpuinfo_x86 *c)
+ 	 *
+ 	 * Affected parts all have no supervisor XSAVE states, meaning that
+ 	 * the XSAVEC instruction (which works fine) is equivalent.
+	 * Clear the feature flag only on microcode revisions which
+	 * don't have the fix.
+ 	 */
+	if (x86_cpu_has_min_microcode_rev(erratum_1386_microcode))
+		return;
+
+ 	clear_cpu_cap(c, X86_FEATURE_XSAVES);
+ }
+ 
+-- 
+2.39.2
+