bump version to 6.2.16-20

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
update ZFS to 2.1.14
2023-12-01 14:17:55 +01:00 · 2023-12-01 14:16:42 +01:00 · 2023-12-01 12:47:24 +01:00 · 2023-12-01 12:47:24 +01:00 · 2023-10-24 14:08:10 +02:00 · 2023-10-21 15:16:56 +02:00
67 changed files with 31369 additions and 29759 deletions
@@ -1,6 +1,6 @@
 [submodule "submodules/zfsonlinux"]
 	path = submodules/zfsonlinux
 	url = ../zfsonlinux
-[submodule "submodules/ubuntu-jammy"]
-	path = submodules/ubuntu-jammy
-	url = ../mirror_ubuntu-jammy-kernel
+[submodule "submodules/ubuntu-kernel"]
+	path = submodules/ubuntu-kernel
+	url = ../mirror_ubuntu-kernels
@@ -1,110 +1,133 @@
-# also bump pve-kernel-meta if either of MAJ.MIN, PATCHLEVEL or KREL change
-KERNEL_MAJ=5
-KERNEL_MIN=15
-KERNEL_PATCHLEVEL=53
-# increment KREL if the ABI changes (abicheck target in debian/rules)
-# rebuild packages with new KREL and run 'make abiupdate'
-KREL=1
+include /usr/share/dpkg/pkg-info.mk

-PKGREL=1
+# also bump proxmox-kernel-meta if the default MAJ.MIN version changes!
+KERNEL_MAJ=6
+KERNEL_MIN=2
+KERNEL_PATCHLEVEL=16
+# increment KREL for every published package release!
+# rebuild packages with new KREL and run 'make abiupdate'
+KREL=20

 KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
 KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)

-EXTRAVERSION=-${KREL}-pve
-KVNAME=${KERNEL_VER}${EXTRAVERSION}
-PACKAGE=pve-kernel-${KVNAME}
-HDRPACKAGE=pve-headers-${KVNAME}
+EXTRAVERSION=-$(KREL)-pve
+KVNAME=$(KERNEL_VER)$(EXTRAVERSION)
+PACKAGE=proxmox-kernel-$(KVNAME)
+HDRPACKAGE=proxmox-headers-$(KVNAME)

 ARCH=$(shell dpkg-architecture -qDEB_BUILD_ARCH)

 # amd64/x86_64/x86 share the arch subdirectory in the kernel, 'x86' so we need
 # a mapping
 KERNEL_ARCH=x86
-ifneq (${ARCH}, amd64)
-KERNEL_ARCH=${ARCH}
+ifneq ($(ARCH), amd64)
+KERNEL_ARCH=$(ARCH)
 endif

-GITVERSION:=$(shell git rev-parse HEAD)
-
 SKIPABI=0

-BUILD_DIR=build
+BUILD_DIR=proxmox-kernel-$(KERNEL_VER)

-KERNEL_SRC=ubuntu-jammy
+KERNEL_SRC=ubuntu-kernel
 KERNEL_SRC_SUBMODULE=submodules/$(KERNEL_SRC)
-KERNEL_CFG_ORG=config-${KERNEL_VER}.org
+KERNEL_CFG_ORG=config-$(KERNEL_VER).org

 ZFSONLINUX_SUBMODULE=submodules/zfsonlinux
 ZFSDIR=pkg-zfs

 MODULES=modules
-MODULE_DIRS=${ZFSDIR}
+MODULE_DIRS=$(ZFSDIR)

 # exported to debian/rules via debian/rules.d/dirs.mk
 DIRS=KERNEL_SRC ZFSDIR MODULES

-DST_DEB=${PACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-HDR_DEB=${HDRPACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-USR_HDR_DEB=pve-kernel-libc-dev_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-LINUX_TOOLS_DBG_DEB=linux-tools-$(KERNEL_MAJMIN)-dbgsym_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
+DSC=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL).dsc
+DST_DEB=$(PACKAGE)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+META_DEB=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_all.deb
+HDR_DEB=$(HDRPACKAGE)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+META_HDR_DEB=proxmox-headers-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_all.deb
+USR_HDR_DEB=proxmox-kernel-libc-dev_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(KREL)_$(ARCH).deb
+LINUX_TOOLS_DBG_DEB=linux-tools-$(KERNEL_MAJMIN)-dbgsym_$(KERNEL_VER)-$(KREL)_$(ARCH).deb

-DEBS=${DST_DEB} ${HDR_DEB} ${USR_HDR_DEB} ${LINUX_TOOLS_DEB} ${LINUX_TOOLS_DBG_DEB}
+DEBS=$(DST_DEB) $(META_DEB) $(HDR_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(LINUX_TOOLS_DBG_DEB) # $(USR_HDR_DEB)

 all: deb
-deb: ${DEBS}
+deb: $(DEBS)

-${LINUX_TOOLS_DEB} ${HDR_DEB}: ${DST_DEB}
-${DST_DEB}: ${BUILD_DIR}.prepared
-	cd ${BUILD_DIR}; dpkg-buildpackage --jobs=auto -b -uc -us
-	lintian ${DST_DEB}
-	#lintian ${HDR_DEB}
-	lintian ${LINUX_TOOLS_DEB}
+$(META_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(HDR_DEB): $(DST_DEB)
+$(DST_DEB): $(BUILD_DIR).prepared
+	cd $(BUILD_DIR); dpkg-buildpackage --jobs=auto -b -uc -us
+	lintian $(DST_DEB)
+	#lintian $(HDR_DEB)
+	lintian $(LINUX_TOOLS_DEB)

-${BUILD_DIR}.prepared: $(addsuffix .prepared,${KERNEL_SRC} ${MODULES} debian)
-	cp -a fwlist-previous ${BUILD_DIR}/
-	cp -a abi-prev-* ${BUILD_DIR}/
-	cp -a abi-blacklist ${BUILD_DIR}/
+dsc:
+	$(MAKE) $(DSC)
+	lintian $(DSC)
+
+$(DSC): $(BUILD_DIR).prepared
+	cd $(BUILD_DIR); dpkg-buildpackage -S -uc -us -d
+
+sbuild: $(DSC)
+	sbuild $(DSC)
+
+$(BUILD_DIR).prepared: $(addsuffix .prepared,$(KERNEL_SRC) $(MODULES) debian)
+	cp -a fwlist-previous $(BUILD_DIR)/
+	cp -a abi-prev-* $(BUILD_DIR)/
+	cp -a abi-blacklist $(BUILD_DIR)/
 	touch $@

+.PHONY: build-dir-fresh
+build-dir-fresh:
+	$(MAKE) clean
+	$(MAKE) $(BUILD_DIR).prepared
+	echo "created build-directory: $(BUILD_DIR).prepared/"
+
 debian.prepared: debian
-	rm -rf ${BUILD_DIR}/debian
-	mkdir -p ${BUILD_DIR}
-	cp -a debian ${BUILD_DIR}/debian
-	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout ${GITVERSION}" > ${BUILD_DIR}/debian/SOURCE
-	@$(foreach dir, ${DIRS},echo "${dir}=${${dir}}" >> ${BUILD_DIR}/debian/rules.d/env.mk;)
-	echo "KVNAME=${KVNAME}" >> ${BUILD_DIR}/debian/rules.d/env.mk
-	echo "KERNEL_MAJMIN=${KERNEL_MAJMIN}" >> ${BUILD_DIR}/debian/rules.d/env.mk
-	cd ${BUILD_DIR}; debian/rules debian/control
+	rm -rf $(BUILD_DIR)/debian
+	mkdir -p $(BUILD_DIR)
+	cp -a debian $(BUILD_DIR)/debian
+	echo "git clone git://git.proxmox.com/git/pve-kernel.git\\ngit checkout $(shell git rev-parse HEAD)" \
+	    >$(BUILD_DIR)/debian/SOURCE
+	@$(foreach dir, $(DIRS),echo "$(dir)=$($(dir))" >> $(BUILD_DIR)/debian/rules.d/env.mk;)
+	echo "KVNAME=$(KVNAME)" >> $(BUILD_DIR)/debian/rules.d/env.mk
+	echo "KERNEL_MAJMIN=$(KERNEL_MAJMIN)" >> $(BUILD_DIR)/debian/rules.d/env.mk
+	cd $(BUILD_DIR); debian/rules debian/control
 	touch $@

-${KERNEL_SRC}.prepared: ${KERNEL_SRC_SUBMODULE} | submodule
-	rm -rf ${BUILD_DIR}/${KERNEL_SRC} $@
-	mkdir -p ${BUILD_DIR}
-	cp -a ${KERNEL_SRC_SUBMODULE} ${BUILD_DIR}/${KERNEL_SRC}
+$(KERNEL_SRC).prepared: $(KERNEL_SRC_SUBMODULE) | submodule
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC) $@
+	mkdir -p $(BUILD_DIR)
+	cp -a $(KERNEL_SRC_SUBMODULE) $(BUILD_DIR)/$(KERNEL_SRC)
 # TODO: split for archs, track and diff in our repository?
-	cat ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/config.common.ubuntu ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/${ARCH}/config.common.${ARCH} ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/${ARCH}/config.flavour.generic > ${KERNEL_CFG_ORG}
-	cp ${KERNEL_CFG_ORG} ${BUILD_DIR}/${KERNEL_SRC}/.config
-	sed -i ${BUILD_DIR}/${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
-	rm -rf ${BUILD_DIR}/${KERNEL_SRC}/debian ${BUILD_DIR}/${KERNEL_SRC}/debian.master
-	set -e; cd ${BUILD_DIR}/${KERNEL_SRC}; for patch in ../../patches/kernel/*.patch; do echo "applying patch '$$patch'" && patch -p1 < $${patch}; done
+	cd $(BUILD_DIR)/$(KERNEL_SRC); python3 debian/scripts/misc/annotations --arch amd64 --export >../../$(KERNEL_CFG_ORG)
+	cp $(KERNEL_CFG_ORG) $(BUILD_DIR)/$(KERNEL_SRC)/.config
+	sed -i $(BUILD_DIR)/$(KERNEL_SRC)/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=$(EXTRAVERSION)/'
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC)/debian $(BUILD_DIR)/$(KERNEL_SRC)/debian.master
+	set -e; cd $(BUILD_DIR)/$(KERNEL_SRC); \
+	  for patch in ../../patches/kernel/*.patch; do \
+	    echo "applying patch '$$patch'"; \
+	    patch --batch -p1 < "$${patch}"; \
+	  done
 	touch $@

-${MODULES}.prepared: $(addsuffix .prepared,${MODULE_DIRS})
+$(MODULES).prepared: $(addsuffix .prepared,$(MODULE_DIRS))
 	touch $@

-${ZFSDIR}.prepared: ${ZFSONLINUX_SUBMODULE}
-	rm -rf ${BUILD_DIR}/${MODULES}/${ZFSDIR} ${BUILD_DIR}/${MODULES}/tmp $@
-	mkdir -p ${BUILD_DIR}/${MODULES}/tmp
-	cp -a ${ZFSONLINUX_SUBMODULE}/* ${BUILD_DIR}/${MODULES}/tmp
-	cd ${BUILD_DIR}/${MODULES}/tmp; make kernel
-	rm -rf ${BUILD_DIR}/${MODULES}/tmp
-	touch ${ZFSDIR}.prepared
+$(ZFSDIR).prepared: $(ZFSONLINUX_SUBMODULE)
+	rm -rf $(BUILD_DIR)/$(MODULES)/$(ZFSDIR) $(BUILD_DIR)/$(MODULES)/tmp $@
+	mkdir -p $(BUILD_DIR)/$(MODULES)/tmp
+	cp -a $(ZFSONLINUX_SUBMODULE)/* $(BUILD_DIR)/$(MODULES)/tmp
+	cd $(BUILD_DIR)/$(MODULES)/tmp; make kernel
+	rm -rf $(BUILD_DIR)/$(MODULES)/tmp
+	touch $(ZFSDIR).prepared

 .PHONY: upload
-upload: ${DEBS}
-	tar cf - ${DEBS}|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg,pbs --dist bullseye --arch ${ARCH}
+upload: UPLOAD_DIST ?= $(DEB_DISTRIBUTION)
+upload: $(DEBS)
+	tar cf - $(DEBS)|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg,pbs --dist $(UPLOAD_DIST) --arch $(ARCH)

 .PHONY: distclean
 distclean: clean
@@ -114,18 +137,18 @@ distclean: clean
 .PHONY: update_modules
 update_modules: submodule
 	git submodule foreach 'git pull --ff-only origin master'
-	cd ${ZFSONLINUX_SUBMODULE}; git pull --ff-only origin master
+	cd $(ZFSONLINUX_SUBMODULE); git pull --ff-only origin master

 # make sure submodules were initialized
 .PHONY: submodule
 submodule:
-	test -f "${KERNEL_SRC_SUBMODULE}/README" || git submodule update --init ${KERNEL_SRC_SUBMODULE}
-	test -f "${ZFSONLINUX_SUBMODULE}/Makefile" || git submodule update --init --recursive ${ZFSONLINUX_SUBMODULE}
+	test -f "$(KERNEL_SRC_SUBMODULE)/README" || git submodule update --init $(KERNEL_SRC_SUBMODULE)
+	test -f "$(ZFSONLINUX_SUBMODULE)/Makefile" || git submodule update --init --recursive $(ZFSONLINUX_SUBMODULE)

 # call after ABI bump with header deb in working directory
 .PHONY: abiupdate
-abiupdate: abi-prev-${KVNAME}
-abi-prev-${KVNAME}: abi-tmp-${KVNAME}
+abiupdate: abi-prev-$(KVNAME)
+abi-prev-$(KVNAME): abi-tmp-$(KVNAME)
 ifneq ($(strip $(shell git status --untracked-files=no --porcelain -z)),)
 	@echo "working directory unclean, aborting!"
 	@false
@@ -133,15 +156,15 @@ else
 	git rm "abi-prev-*"
 	mv $< $@
 	git add $@
-	git commit -s -m "update ABI file for ${KVNAME}" -m "(generated with debian/scripts/abi-generate)"
-	@echo "update abi-prev-${KVNAME} committed!"
+	git commit -s -m "update ABI file for $(KVNAME)" -m "(generated with debian/scripts/abi-generate)"
+	@echo "update abi-prev-$(KVNAME) committed!"
 endif

-abi-tmp-${KVNAME}:
-	@ test -e ${HDR_DEB} || (echo "need ${HDR_DEB} to extract ABI data!" && false)
-	debian/scripts/abi-generate ${HDR_DEB} $@ ${KVNAME} 1
+abi-tmp-$(KVNAME):
+	@ test -e $(HDR_DEB) || (echo "need $(HDR_DEB) to extract ABI data!" && false)
+	debian/scripts/abi-generate $(HDR_DEB) $@ $(KVNAME) 1

 .PHONY: clean
 clean:
-	rm -rf *~ build *.prepared ${KERNEL_CFG_ORG}
-	rm -f *.deb *.changes *.buildinfo
+	rm -rf *~ proxmox-kernel-[0-9]*/ *.prepared $(KERNEL_CFG_ORG)
+	rm -f *.deb *.dsc *.changes *.buildinfo *.build proxmox-kernel*.tar.*
@@ -1,9 +1,9 @@
 KERNEL SOURCE:
 ==============

-We currently use the Ubuntu kernel sources, available from:
+We currently use the Ubuntu kernel sources, available from our mirror:

- http://kernel.ubuntu.com/git/ubuntu/ubuntu-jammy.git/
+ https://git.proxmox.com/?p=mirror_ubuntu-kernels.git;a=summary

 Ubuntu will maintain those kernels till:

@@ -24,6 +24,67 @@ Additional/Updated Modules:
  For licensing questions, see: http://open-zfs.org/wiki/Talk:FAQ


+BUILD
+=====
+
+As this is packaging for the Linux kernel with some extra integrations, like
+ZFS, this repo cannot be handled like a plain Linux kernel git repository.
+
+The actual Linux kernel source lives in a git submodule.
+
+For a build you should init the submodules and then handle it like most our
+Debian packaging builds. If unsure you can follow this:
+
+Installing Build-Dependencies
+-----------------------------
+
+You can either just check the package metadata template `debian/control.in`
+and install the packages listed in the `Build-Depends` section manually
+(replace `debhelper-compat` with just `debhelper`) or use a more automated way
+described below:
+
+ # install base build-dependencies and helpers
+ apt update
+ apt install devscripts
+
+ # create build-directory so that we got final packaging control files from the
+ # .in templates generated
+ make build-dir-fresh
+
+ # install build-dependencies (replace BUILD-DIR with actual one)
+ mk-build-deps -ir BUILD-DIR/debian/control
+
+
+Package Build
+-------------
+
+ # start the actual build
+ make deb
+
+For simple KConfig modifications you can adapt the list in `debian/rules` file.
+For quick code changes to the actual kernel code you can do them directly in
+the submodule/ubuntu-kernels directory, then re-create the build-directory, e.g.:
+
+ make clean
+ # now build again, explicitly creating the build-dir isn't required anymore
+ # after one has the build-dependencies already installed.
+ make deb
+
+
+Modify-Build-Test Cycles
+------------------------
+
+Ideally you avoid the need for doing a full package build and just directly
+build linux from the ubuntu-kernels or the mainline (stable) repo with copying
+over a build-config of a proxmox-kernel to that as .config and then using the
+`make olddefconfig` target.
+
+If you need full package builds you can try to make changes inside the
+BUILD-DIR directly and then continue build from there, e.g., using
+`dpkg-buildpackage -b -uc -us --no-pre-clean`. Depending on what stage you want
+to continue build you might need to touch, or remove some *.prepared files.
+Just check `debian/rules` for how kernel build progress is tracked by make.
+
 SUBMODULE
 =========

@@ -35,7 +96,7 @@ get applied with the `patch` tool. From a git point-of-view, the copied
 directory remains clean even with extra patches applied since it does not
 contain a .git directory, but a reference to the (still pristine) submodule:

-$ cat build/ubuntu-jammy/.git
+$ cat build/ubuntu-kernel/.git

 If you mistakenly cloned the upstream repo as "normal" clone (not via the
 submodule mechanics) this means that you have a real .git directory with its
@@ -60,18 +121,30 @@ top level meta package, depends on current default kernel series meta package.

 git clone git://git.proxmox.com/git/proxmox-ve.git

-pve-kernel-meta
---------------
+proxmox-default-kernel
+----------------------

-depends on latest kernel and header package within a certain kernel series,
-e.g., pve-kernel-5.15 / pve-headers-5.15
+Depends on default kernel and header meta package, e.g., proxmox-kernel-6.2 /
+proxmox-headers-6.2.

 git clone git://git.proxmox.com/git/pve-kernel-meta.git

+proxmox-kernel-X.Y
+------------------
+
+Depends on the latest kernel (or header, in case of proxmox-headers-X.Y)
+package within a certain series.
+
+e.g., proxmox-kernel-6.2 depends on proxmox-kernel-6.2.16-6-pve
+
+NOTE: Since Proxmox VE 8, based on Debian 12 Bookworm, the kernel ABI is bumped
+with every version bump due to module signing. Since then the meta package was
+pulled into the kernel repo, before that it lived in pve-kernel-meta.git.
+
 pve-firmware
 ------------

-contains the firmware for all released PVE kernels.
+Contains the firmware for all released PVE kernels.

 git clone git://git.proxmox.com/git/pve-firmware.git

@@ -99,18 +172,18 @@ Watchdog blacklist

 By default, all watchdog modules are black-listed because it is totally undefined
 which device is actually used for /dev/watchdog.
-We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf
+We ship this list in /lib/modprobe.d/blacklist_proxmox-kernel-<VERSION>.conf
 The user typically edit /etc/modules to enable a specific watchdog device.

 Debug kernel and modules
 ------------------------

 In order to build a -dbgsym package containing an unstripped copy of the kernel
-image and modules, enable the 'pkg.pve-kernel.debug' build profile (e.g. by
-exporting DEB_BUILD_PROFILES='pkg.pve-kernel.debug'). The resulting package can
+image and modules, enable the 'pkg.proxmox-kernel.debug' build profile (e.g. by
+exporting DEB_BUILD_PROFILES='pkg.proxmox-kernel.debug'). The resulting package can
 be used together with 'crash'/'kdump-tools' to debug kernel crashes.

-Note: the -dbgsym package is only valid for the pve-kernel packages produced by
+Note: the -dbgsym package is only valid for the proxmox-kernel packages produced by
 the same build. A kernel/module from a different build will likely not match,
 even if both builds are of the same kernel and package version.

@@ -1,3 +1,307 @@
+proxmox-kernel-6.2 (6.2.16-20) bookworm; urgency=medium
+
+  * update sources to Ubuntu-6.2.0-39.40
+
+  * update ZFS to 2.1.14
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Dec 2023 14:17:27 +0100
+
+proxmox-kernel-6.2 (6.2.16-19) bookworm; urgency=medium
+
+  * backport exposing FLUSHBYASID when running nested VMs on AMD CPUs to fix
+    nesting of some hyper-visors like VMware Workstation.
+
+  * backport constraining guest-supported xfeatures only at KVM_GET_XSAVE{2}
+    to further improve compatibility for guests w.r.t. live-migration, or live
+    snapshot rollback, to hosts with less (FPU) xfeatures supported.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 24 Oct 2023 14:07:51 +0200
+
+proxmox-kernel-6.2 (6.2.16-18) bookworm; urgency=medium
+
+  * backport fix for AMD erratum #1485 on Zen4-based CPUs to avoid triggering
+    undefined instruction exceptions when disabling all, or certain security
+    mitigations, like using the "mitigations=off" kernel command line
+    parameter
+
+  * backport ZFS fix to avoid crashes and hangs if used on modern Intel HW
+    like the Xeon Scalable 4th Gen "Sapphire Rapids" CPUs due to a HW bug as
+    per Intel SPR erratum SPR4
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Oct 2023 17:05:18 +0200
+
+proxmox-kernel-6.2 (6.2.16-16) bookworm; urgency=medium
+
+  * update sources to Ubuntu-6.2.0-36.36
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Oct 2023 07:42:21 +0200
+
+proxmox-kernel-6.2 (6.2.16-15) bookworm; urgency=medium
+
+  * fix thunderbolt ring-interrupt not being masked on suspend
+
+  * cherry-pick fix to avoid potentially offlining one CPU thread on some EPYC
+    CPUs with a new amd64-microcode package (still in unstable).
+
+  * update ZFS to 2.1.13
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Sep 2023 15:53:58 +0200
+
+proxmox-kernel-6.2 (6.2.16-14) bookworm; urgency=medium
+
+  * cherry-pick fix for setting X86_FEATURE_OSXSAVE feature improving
+    performance of some code that tries to live-detect available CPU features,
+    like, e.g., ZFS.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 19 Sep 2023 10:17:16 +0200
+
+proxmox-kernel-6.2 (6.2.16-13) bookworm; urgency=medium
+
+  * fix #4707: add override parameter for RMRR relaxation
+
+  * backport thunderbolt-net fixes for IPv6 and connection re-establishment
+    after a node got rebooted
+
+  * update sources to Ubuntu-6.2.0-34.34
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Sep 2023 15:31:57 +0200
+
+proxmox-kernel-6.2 (6.2.16-12) bookworm; urgency=medium
+
+  * cherry-pick fix for KVM vCPU page-fault loop.
+    Due to too small and signed type used for an memory related sequence
+    counter there was a chance that for long-lived VMs KVM would effectively
+    hang vCPUs due to always thinking page faults are stale, which results in
+    KVM refusing to "fix" faults.
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Sep 2023 15:21:22 +0200
+
+proxmox-kernel-6.2 (6.2.16-11) bookworm; urgency=medium
+
+  * cherry-pick fix to surpress faulty segfault logging. While harmless, such
+    logs can look scary and might let people follow them like a red herring.
+
+  * update sources to Ubuntu-6.2.0-32.32
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 31 Aug 2023 11:56:15 +0200
+
+proxmox-kernel-6.2 (6.2.16-10) bookworm; urgency=medium
+
+  * disable CONFIG_GDS_FORCE_MITIGATION again
+    when not having installed a new-enough intel-microcode, this disables AVX
+    instructions which breaks a lot of software
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Aug 2023 13:42:38 +0200
+
+proxmox-kernel-6.2 (6.2.16-9) bookworm; urgency=medium
+
+  * add fixes for downfall
+
+  * enable mitigation config option CONFIG_GDS_FORCE_MITIGATION
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 16 Aug 2023 10:07:11 +0200
+
+proxmox-kernel-6.2 (6.2.16-8) bookworm; urgency=medium
+
+  * sign modules and set trust anchor/lockdown to allow manual secure boot
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 02 Aug 2023 14:17:00 +0200
+
+proxmox-kernel-6.2 (6.2.16-7) bookworm; urgency=medium
+
+  * change `pve-` prefix to `proxmox-`
+
+  * merge proxmox-kernel-meta packaging into main kernel repository
+
+  * bump ABI to 6.2.16-6
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 01 Aug 2023 13:23:46 +0200
+
+pve-kernel (6.2.16-6) bookworm; urgency=medium
+
+  * fix #4833: backport fix for recovering potential NX huge pages
+
+  * fix #4770: backport "nvme: don't reject probe due to duplicate IDs"
+
+  * backport Zenbleed stop-gap workaround for CVE-2023-20593, the actual fix
+    is the amd64-microcode update.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Jul 2023 17:33:45 +0200
+
+pve-kernel (6.2.16-5) bookworm; urgency=medium
+
+  * kvm: xsave set: mask-out PKRU bit in xfeatures if vCPU has no support to
+    improve live-migrations & snapshot-rollback of VMs running on modern Intel
+    CPUs (Skylake-Server or Tiger Lake Desktop), if configured with a
+    restricted vCPU type (e.g., qemu64) and if the migration source is from
+    our 5.15 based kernel (default in Proxmox VE 7.4) to the 6.2 (and future
+    newer) of Proxmox VE 8.0 as target.
+    This copes with the fallout of a fix, that while itself improved migration
+    compatibility for clusters with different host-CPU models, caused another
+    issue on the transition between the older "broken" and newer "fixed"
+    kernels for homogeneous clusters, i.e., those with the same PVE host-CPU
+    model.
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 14 Jul 2023 19:53:39 +0200
+
+pve-kernel (6.2.16-4) bookworm; urgency=medium
+
+  * backport fixes for StackRot (CVE-2023-3269)
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 07 Jul 2023 06:22:28 +0200
+
+pve-kernel (6.2.16-3) bookworm; urgency=medium
+
+  * update to Ubuntu-6.2.0-25.25
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 17 Jun 2023 07:58:57 +0200
+
+pve-kernel (6.2.16-2) bookworm; urgency=medium
+
+  * update ZFS to 2.1.12
+
+  * bump ABI to 6.2.16-2
+
+  * backport "net/sched: flower: fix possible OOB write in fl_set_geneve_opt()"
+
+  * backport re-adding mdev_set_iommu_device() kABI for support of SRIOV based
+    Nvidia vGPU
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 13 Jun 2023 15:30:53 +0200
+
+pve-kernel (6.2.16-1) bookworm; urgency=medium
+
+  * update to Ubuntu-6.2.0-23.23 and pull in stable fixes up to v6.2.16
+
+  * build for Debian 12 Bookworm based releases
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 20 May 2023 19:23:34 +0200
+
+pve-kernel (6.2.11-2) bullseye; urgency=medium
+
+  * backport "netfilter: nf_tables: deactivate anonymous set from preparation
+    phase"
+
+  * bump ABI to 6.2.11-2
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 10 May 2023 11:13:34 +0200
+
+pve-kernel (6.2.11-1) bullseye; urgency=medium
+
+  * update kernel to Proxmox-6.2.11-1
+
+  * update ZFS to 2.1.11
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 20 Apr 2023 11:59:36 +0200
+
+pve-kernel (6.2.9-1) bullseye; urgency=medium
+
+  * update to Ubuntu-6.2.0-19.19 and cherry-pick patches up to 6.2.9
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 31 Mar 2023 12:48:33 +0200
+
+pve-kernel (6.2.6-1) bullseye; urgency=medium
+
+  * update to Ubuntu-6.2.0-17.17 based on 6.2.6
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Mar 2023 18:08:23 +0100
+
+pve-kernel (6.2.2-1) bullseye; urgency=medium
+
+  * update to Ubuntu-6.2.0-1.1
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 13 Mar 2023 17:57:00 +0100
+
+pve-kernel (6.1.15-1) bullseye; urgency=medium
+
+  * update to Proxmox-6.1.15-1
+
+  * backport patch to fix issue with large IO requests
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 08 Mar 2023 09:53:18 +0100
+
+pve-kernel (6.1.14-1) bullseye; urgency=medium
+
+  * update to Proxmox-6.1.14-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Feb 2023 18:09:47 +0100
+
+pve-kernel (6.1.10-1) bullseye; urgency=medium
+
+  * update to Proxmox-6.1.10-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 07 Feb 2023 14:10:10 +0100
+
+pve-kernel (6.1.6-1) bullseye; urgency=medium
+
+  * update ZFS to 2.1.9
+
+  * update to Ubuntu-6.1.0-14.14 based on upstream 6.1.6
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 28 Jan 2023 15:05:09 +0100
+
+pve-kernel (6.1.2-1) bullseye; urgency=medium
+
+  * backport ZFS compat fixes for Linux 6.1 w.r.t. a OTMPFILE open syscall
+
+  * update to Ubuntu-6.1.0-12.12
+
+  * backport a few newer fixes-of-fixes from 6.1.4
+
+  * bump ABI to 6.1.2-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Sat, 07 Jan 2023 14:56:01 +0100
+
+pve-kernel (6.1.0-1) bullseye; urgency=medium
+
+  * update to Ubuntu-6.1.0-1.1 based on upstram v6.1
+
+  * update ZFS to 2.1.7
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 13 Dec 2022 15:08:53 +0100
+
+pve-kernel (5.19.17-1) bullseye; urgency=medium
+
+  * update to Ubuntu-5.19.0-24.25
+
+  * bump ABI to 5.19.17-1
+
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 14 Nov 2022 20:25:12 +0100
+
+pve-kernel (5.19.7-2) bullseye; urgency=medium
+
+  * update ZFS to 2.1.6
+
+  * update to Ubuntu-5.19.0-19.19
+
+  * bump ABI to 5.19.7-2
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Oct 2022 17:18:40 +0200
+
+pve-kernel (5.19.7-1) bullseye; urgency=medium
+
+  * update to 5.19.7 based on Ubuntu-5.19.0-16.16
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 06 Sep 2022 07:54:58 +0200
+
+pve-kernel (5.19.0-1) bullseye; urgency=medium
+
+  * update to 5.19.0 based from Ubuntu-5.19.0-14.14
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Aug 2022 09:18:39 +0200
+
+pve-kernel (5.19.0-1~rc8+2) bullseye; urgency=medium
+
+  * backport smm fixes
+
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 27 Jul 2022 11:27:10 +0200
+
+pve-kernel (5.19.0-1~rc8+1) bullseye; urgency=medium
+
+  * update to 5.19.0-rc8 based from Ubuntu-5.19.0-11.11
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jul 2022 11:47:30 +0200
+
 pve-kernel (5.15.53-1) bullseye; urgency=medium

  * update to Ubuntu-5.15.0-48.54
@@ -1 +0,0 @@
-10
@@ -1,4 +1,4 @@
-Source: pve-kernel
+Source: proxmox-kernel-@KVMAJMIN@
 Section: devel
 Priority: optional
 Maintainer: Proxmox Support Team <support@proxmox.com>
@@ -7,7 +7,7 @@ Build-Depends: asciidoc-base,
               bc,
               bison,
               cpio,
-               debhelper (>= 10~),
+               debhelper-compat (= 13),
               dh-python,
               dwarves,
               file,
@@ -25,16 +25,14 @@ Build-Depends: asciidoc-base,
               libtool,
               lintian,
               lz4,
-               perl-modules,
               python3-minimal,
               rsync,
-               sed,
               sphinx-common,
-               tar,
               xmlto,
               zlib1g-dev,
               zstd,
-Build-Conflicts: pve-headers-@KVNAME@
+Build-Conflicts: proxmox-headers-@KVNAME@,
+Standards-Version: 4.6.2
 Vcs-Git: git://git.proxmox.com/git/pve-kernel
 Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git

@@ -42,52 +40,77 @@ Package: linux-tools-@KVMAJMIN@
 Architecture: any
 Section: devel
 Priority: optional
-Depends: linux-base, ${misc:Depends}, ${shlibs:Depends}
+Depends: linux-base, ${misc:Depends}, ${shlibs:Depends},
 Description: Linux kernel version specific tools for version @KVMAJMIN@
 This package provides the architecture dependent parts for kernel
 version locked tools (such as perf and x86_energy_perf_policy)

-Package: pve-headers-@KVNAME@
+Package: proxmox-headers-@KVNAME@
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-headers-@KVNAME@-amd64
-Depends: coreutils | fileutils (>= 4.0)
+Provides: linux-headers-@KVNAME@-amd64, pve-headers-@KVNAME@
+Depends: ${misc:Depends},
 Description: Proxmox Kernel Headers
 This package contains the linux kernel headers

-Package: pve-kernel-@KVNAME@
+Package: proxmox-kernel-@KVNAME@
 Section: admin
 Priority: optional
 Architecture: any
-Provides: linux-image-@KVNAME@-amd64
-Suggests: pve-firmware
-Depends: busybox, initramfs-tools
-Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64
+Provides: linux-image-@KVNAME@-amd64, pve-kernel-@KVNAME@
+Suggests: pve-firmware,
+Depends: busybox, initramfs-tools | linux-initramfs-tool, ${misc:Depends},
+Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64,
 Description: Proxmox Kernel Image
 This package contains the linux kernel and initial ramdisk used for booting

-Package: pve-kernel-@KVNAME@-dbgsym
+Package: proxmox-kernel-@KVNAME@-dbgsym
 Architecture: any
-Provides: linux-debug
+Provides: linux-debug, pve-kernel-@KVNAME@-dbgsym
 Section: devel
 Priority: optional
-Build-Profiles: <pkg.pve-kernel.debug>
+Build-Profiles: <pkg.proxmox-kernel.debug>
+Depends: ${misc:Depends},
 Description: Proxmox Kernel debug image
 This package provides the kernel debug image for version @KVNAME@. The debug
 kernel image contained in this package is NOT meant to boot from - it is
 uncompressed, and unstripped, and suitable for use with crash/kdump-tools/..
- to analyze kernel crashes. This package also contains the pve-kernel modules
+ to analyze kernel crashes. This package also contains the proxmox-kernel modules
 in their unstripped version.

-Package: pve-kernel-libc-dev
+Package: proxmox-kernel-libc-dev
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-libc-dev (=${binary:Version})
-Conflicts: linux-libc-dev
-Replaces: linux-libc-dev
-Depends: ${misc:Depends}
+Provides: linux-libc-dev (=${binary:Version}), pve-kernel-libc-dev
+Conflicts: linux-libc-dev,
+Replaces: linux-libc-dev, pve-kernel-libc-dev
+Breaks: pve-kernel-libc-dev
+Depends: ${misc:Depends},
 Description: Linux support headers for userspace development
 This package provides userspaces headers from the Linux kernel.  These headers
 are used by the installed headers for GNU libc and other system libraries.
+
+Package: proxmox-headers-@KVMAJMIN@
+Architecture: all
+Section: admin
+Provides: linux-headers-amd64, linux-headers-generic, pve-headers-@KVMAJMIN@
+Replaces: pve-headers-@KVMAJMIN@
+Priority: optional
+Depends: proxmox-headers-@KVNAME@, ${misc:Depends},
+Description: Latest Proxmox Kernel Headers
+ This is a metapackage which will install the kernel headers
+ for the latest available proxmox kernel from the @KVMAJMIN@
+ series.
+
+Package: proxmox-kernel-@KVMAJMIN@
+Architecture: all
+Section: admin
+Provides: linux-image-amd64, linux-image-generic, wireguard-modules (=1.0.0), pve-kernel-@KVMAJMIN@
+Replaces: pve-kernel-@KVMAJMIN@
+Priority: optional
+Depends: pve-firmware, proxmox-kernel-@KVNAME@, ${misc:Depends},
+Description: Latest Proxmox Kernel Image
+ This is a metapackage which will install the latest available
+ proxmox kernel from the @KVMAJMIN@ series.
@@ -0,0 +1,17 @@
+#! /bin/sh
+
+# Abort if any command returns an error value 
+set -e
+
+case "$1" in
+  configure)
+    # setup kernel links for installation CD (rescue boot)
+    mkdir -p /boot/pve
+    ln -sf /boot/vmlinuz-@@KVNAME@@ /boot/pve/vmlinuz-@@KVMAJMIN@@
+    ln -sf /boot/initrd.img-@@KVNAME@@ /boot/pve/initrd.img-@@KVMAJMIN@@
+    ;;
+esac
+
+#DEBHELPER#
+
+exit 0
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+# Abort if any command returns an error value
+set -e
+
+case "$1" in
+    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+        # remove kernel symlinks
+        rm -f /boot/pve/vmlinuz-@@KVNAME@@
+        rm -f /boot/pve/initrd.img-@@KVNAME@@
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#
@@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 # Ignore all invocations except when called on to configure.
 exit 0 unless $ARGV[0] =~ /configure/;
@@ -16,10 +17,9 @@ system("depmod $version");

 if (-d "/etc/kernel/postinst.d") {
  print STDERR "Examining /etc/kernel/postinst.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " .
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/postinst.d") &&
-            die "Failed to process /etc/kernel/postinst.d";
+  system(
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/postinst.d"
+  ) && die "Failed to process /etc/kernel/postinst.d";
 }

 exit 0
@@ -0,0 +1,46 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+# Ignore all 'upgrade' invocations .
+exit 0 if $ARGV[0] =~ /upgrade/;
+
+my $imagedir = "/boot";
+
+my $version = "@@KVNAME@@";
+
+if (-d "/etc/kernel/postrm.d") {
+  print STDERR "Examining /etc/kernel/postrm.d.\n";
+  system (
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/postrm.d"
+  ) && die "Failed to process /etc/kernel/postrm.d";
+}
+
+unlink "$imagedir/initrd.img-$version";
+unlink "$imagedir/initrd.img-$version.bak";
+unlink "/var/lib/initramfs-tools/$version";
+
+# Ignore all invocations except when called on to purge.
+exit 0 unless $ARGV[0] =~ /purge/;
+
+my @files_to_remove = qw{
+    modules.dep modules.isapnpmap modules.pcimap
+    modules.usbmap modules.parportmap
+    modules.generic_string modules.ieee1394map
+    modules.ieee1394map modules.pnpbiosmap
+    modules.alias modules.ccwmap modules.inputmap
+    modules.symbols modules.ofmap
+    modules.seriomap modules.*.bin
+    modules.softdep modules.devname
+};
+
+foreach my $extra_file (@files_to_remove) {
+    for (glob("/lib/modules/$version/$extra_file")) {
+	unlink;
+    }
+}
+
+system ("rmdir", "/lib/modules/$version") if -d "/lib/modules/$version";
+
+exit 0
@@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 # Ignore all invocations uxcept when called on to remove
 exit 0 unless ($ARGV[0] && $ARGV[0] =~ /remove/) ;
@@ -14,10 +15,9 @@ my $version = "@@KVNAME@@";

 if (-d "/etc/kernel/prerm.d") {
  print STDERR "Examining /etc/kernel/prerm.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " . 
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/prerm.d") &&
-	  die "Failed to process /etc/kernel/prerm.d";
+  system(
+      "run-parts --verbose --exit-on-error --arg=$version --arg=$imagedir/vmlinuz-$version /etc/kernel/prerm.d"
+  ) && die "Failed to process /etc/kernel/prerm.d";
 }

 exit 0
@@ -1,46 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-
-# Ignore all 'upgrade' invocations .
-exit 0 if $ARGV[0] =~ /upgrade/;
-
-my $imagedir = "/boot";
-
-my $version = "@@KVNAME@@";
-
-if (-d "/etc/kernel/postrm.d") {
-  print STDERR "Examining /etc/kernel/postrm.d.\n";
-  system ("run-parts --verbose --exit-on-error --arg=$version " .
-          "--arg=$imagedir/vmlinuz-$version " .
-          "/etc/kernel/postrm.d") &&
-            die "Failed to process /etc/kernel/postrm.d";
-}
-
-unlink "$imagedir/initrd.img-$version";
-unlink "$imagedir/initrd.img-$version.bak";
-unlink "/var/lib/initramfs-tools/$version";
-
-# Ignore all invocations except when called on to purge.
-exit 0 unless $ARGV[0] =~ /purge/;
-
-my @files_to_remove = qw{
-                         modules.dep modules.isapnpmap modules.pcimap
-                         modules.usbmap modules.parportmap
-                         modules.generic_string modules.ieee1394map
-                         modules.ieee1394map modules.pnpbiosmap
-                         modules.alias modules.ccwmap modules.inputmap
-                         modules.symbols modules.ofmap
-                         modules.seriomap modules.*.bin
-			 modules.softdep modules.devname
-                       };
-
-foreach my $extra_file (@files_to_remove) {
-    for (glob("/lib/modules/$version/$extra_file")) {
-	unlink;
-    }
-}
-
-system ("rmdir", "/lib/modules/$version") if -d "/lib/modules/$version";
-
-exit 0
@@ -9,19 +9,23 @@ BUILD_DIR=$(shell pwd)

 include /usr/share/dpkg/default.mk
 include debian/rules.d/env.mk
-include debian/rules.d/${DEB_BUILD_ARCH}.mk
+include debian/rules.d/$(DEB_BUILD_ARCH).mk
+
+MAKEFLAGS += $(subst parallel=,-j,$(filter parallel=%,${DEB_BUILD_OPTIONS}))

 CHANGELOG_DATE:=$(shell dpkg-parsechangelog -SDate)
+CHANGELOG_DATE_UTC_ISO := $(shell date -u -d '$(CHANGELOG_DATE)' +%Y-%m-%dT%H:%MZ)

-PVE_KERNEL_PKG=pve-kernel-${KVNAME}
-PVE_DEBUG_KERNEL_PKG=pve-kernel-${KVNAME}-dbgsym
-PVE_HEADER_PKG=pve-headers-${KVNAME}
-PVE_USR_HEADER_PKG=pve-kernel-libc-dev
-LINUX_TOOLS_PKG=linux-tools-${KERNEL_MAJMIN}
-KERNEL_SRC_COPY=${KERNEL_SRC}_tmp
+PMX_KERNEL_PKG=proxmox-kernel-$(KVNAME)
+PMX_KERNEL_SERIES_PKG=proxmox-kernel-$(KERNEL_MAJMIN)
+PMX_DEBUG_KERNEL_PKG=proxmox-kernel-$(KVNAME)-dbgsym
+PMX_HEADER_PKG=proxmox-headers-$(KVNAME)
+PMX_USR_HEADER_PKG=proxmox-kernel-libc-dev
+LINUX_TOOLS_PKG=linux-tools-$(KERNEL_MAJMIN)
+KERNEL_SRC_COPY=$(KERNEL_SRC)_tmp

 # TODO: split for archs, move to files?
-PVE_CONFIG_OPTS= \
+PMX_CONFIG_OPTS= \
 -m INTEL_MEI_WDT \
 -d CONFIG_SND_PCM_OSS \
 -e CONFIG_TRANSPARENT_HUGEPAGE_MADVISE \
@@ -29,6 +33,7 @@ PVE_CONFIG_OPTS= \
 -m CONFIG_CEPH_FS \
 -m CONFIG_BLK_DEV_NBD \
 -m CONFIG_BLK_DEV_RBD \
+-m CONFIG_BLK_DEV_UBLK \
 -d CONFIG_SND_PCSP \
 -m CONFIG_BCACHE \
 -m CONFIG_JFS_FS \
@@ -49,7 +54,13 @@ PVE_CONFIG_OPTS= \
 -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
 -e CONFIG_SYSFB_SIMPLEFB \
 -e CONFIG_DRM_SIMPLEDRM \
-d CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG_ALL \
+-e CONFIG_MODULE_SIG_FORMAT \
+--set-str CONFIG_MODULE_SIG_HASH sha512 \
+--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
+-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
+-e CONFIG_MODULE_SIG_SHA512 \
 -d CONFIG_MEMCG_DISABLED \
 -e CONFIG_MEMCG_SWAP_ENABLED \
 -e CONFIG_HYPERV \
@@ -72,29 +83,37 @@ PVE_CONFIG_OPTS= \
 -d CONFIG_DEFAULT_CFQ \
 -e CONFIG_DEFAULT_DEADLINE \
 -e CONFIG_MODVERSIONS \
+-e CONFIG_ZSTD_COMPRESS \
 -d CONFIG_DEFAULT_SECURITY_DAC \
 -e CONFIG_DEFAULT_SECURITY_APPARMOR \
 --set-str CONFIG_DEFAULT_SECURITY apparmor \
+-e CONFIG_MODULE_ALLOW_BTF_MISMATCH \
 -d CONFIG_UNWINDER_ORC \
 -d CONFIG_UNWINDER_GUESS \
 -e CONFIG_UNWINDER_FRAME_POINTER \
 --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
 --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
-d CONFIG_SECURITY_LOCKDOWN_LSM \
-d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
--set-str CONFIG_LSM yama,integrity,apparmor \
-e CONFIG_PAGE_TABLE_ISOLATION
+-e CONFIG_SECURITY_LOCKDOWN_LSM \
+-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
+--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
+-e CONFIG_PAGE_TABLE_ISOLATION \
+-e CONFIG_ARCH_HAS_CPU_FINALIZE_INIT \
+-d CONFIG_GDS_FORCE_MITIGATION

 debian/control: $(wildcard debian/*.in)
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.prerm.in > debian/${PVE_KERNEL_PKG}.prerm
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postrm.in > debian/${PVE_KERNEL_PKG}.postrm
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postinst.in > debian/${PVE_KERNEL_PKG}.postinst
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-headers.postinst.in > debian/${PVE_HEADER_PKG}.postinst
-	chmod +x debian/${PVE_KERNEL_PKG}.prerm
-	chmod +x debian/${PVE_KERNEL_PKG}.postrm
-	chmod +x debian/${PVE_KERNEL_PKG}.postinst
-	chmod +x debian/${PVE_HEADER_PKG}.postinst
-	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/${KERNEL_MAJMIN}/g' < debian/control.in > debian/control
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.prerm.in > debian/$(PMX_KERNEL_PKG).prerm
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postrm.in > debian/$(PMX_KERNEL_PKG).postrm
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postinst.in > debian/$(PMX_KERNEL_PKG).postinst
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-headers.postinst.in > debian/$(PMX_HEADER_PKG).postinst
+	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postrm.in > debian/$(PMX_KERNEL_SERIES_PKG).postrm
+	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postinst.in > debian/$(PMX_KERNEL_SERIES_PKG).postinst
+	chmod +x debian/$(PMX_KERNEL_PKG).prerm
+	chmod +x debian/$(PMX_KERNEL_PKG).postrm
+	chmod +x debian/$(PMX_KERNEL_PKG).postinst
+	chmod +x debian/$(PMX_KERNEL_SERIES_PKG).postrm
+	chmod +x debian/$(PMX_KERNEL_SERIES_PKG).postinst
+	chmod +x debian/$(PMX_HEADER_PKG).postinst
+	sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control

 build: .compile_mark .tools_compile_mark .modules_compile_mark

@@ -108,7 +127,7 @@ install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_in

 binary: install
 	debian/rules fwcheck abicheck
-	dh_strip -N${PVE_HEADER_PKG} -N${PVE_USR_HEADER_PKG}
+	dh_strip -N$(PMX_HEADER_PKG) -N$(PMX_USR_HEADER_PKG)
 	dh_makeshlibs
 	dh_shlibdeps
 	dh_installdeb
@@ -117,82 +136,90 @@ binary: install
 	dh_builddeb

 .config_mark:
-	cd ${KERNEL_SRC}; scripts/config ${PVE_CONFIG_OPTS}
-	${MAKE} -C ${KERNEL_SRC} oldconfig
+	cd $(KERNEL_SRC); scripts/config $(PMX_CONFIG_OPTS)
+	$(MAKE) -C $(KERNEL_SRC) oldconfig
 	# copy to allow building in parallel to kernel/module compilation without interference
-	rm -rf ${KERNEL_SRC_COPY}
-	cp -ar ${KERNEL_SRC} ${KERNEL_SRC_COPY}
+	rm -rf $(KERNEL_SRC_COPY)
+	cp -ar $(KERNEL_SRC) $(KERNEL_SRC_COPY)
 	touch $@

 .compile_mark: .config_mark
-	${MAKE} -C ${KERNEL_SRC} KBUILD_BUILD_VERSION_TIMESTAMP="PVE ${DEB_VERSION} (${CHANGELOG_DATE})"
+	$(MAKE) -C $(KERNEL_SRC) KBUILD_BUILD_VERSION_TIMESTAMP="PMX $(DEB_VERSION) ($(CHANGELOG_DATE_UTC_ISO))"
 	touch $@

 .install_mark: .compile_mark .modules_compile_mark
-	rm -rf debian/${PVE_KERNEL_PKG}
-	mkdir -p debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}
-	mkdir debian/${PVE_KERNEL_PKG}/boot
-	install -m 644 ${KERNEL_SRC}/.config debian/${PVE_KERNEL_PKG}/boot/config-${KVNAME}
-	install -m 644 ${KERNEL_SRC}/System.map debian/${PVE_KERNEL_PKG}/boot/System.map-${KVNAME}
-	install -m 644 ${KERNEL_SRC}/${KERNEL_IMAGE_PATH} debian/${PVE_KERNEL_PKG}/boot/${KERNEL_INSTALL_FILE}-${KVNAME}
-	${MAKE} -C ${KERNEL_SRC} INSTALL_MOD_PATH=${BUILD_DIR}/debian/${PVE_KERNEL_PKG}/ modules_install
+	rm -rf debian/$(PMX_KERNEL_PKG)
+	mkdir -p debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)
+	mkdir debian/$(PMX_KERNEL_PKG)/boot
+	install -m 644 $(KERNEL_SRC)/.config debian/$(PMX_KERNEL_PKG)/boot/config-$(KVNAME)
+	install -m 644 $(KERNEL_SRC)/System.map debian/$(PMX_KERNEL_PKG)/boot/System.map-$(KVNAME)
+	install -m 644 $(KERNEL_SRC)/$(KERNEL_IMAGE_PATH) debian/$(PMX_KERNEL_PKG)/boot/$(KERNEL_INSTALL_FILE)-$(KVNAME)
+	$(MAKE) -C $(KERNEL_SRC) INSTALL_MOD_PATH=$(BUILD_DIR)/debian/$(PMX_KERNEL_PKG)/ modules_install
 	# install zfs drivers
-	install -d -m 0755 debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 $(addprefix ${MODULES}/,zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko icp.ko zlua.ko spl.ko zzstd.ko) debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -d -m 0755 debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
+	install -m 644 $(addprefix $(MODULES)/,zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko icp.ko zlua.ko spl.ko zzstd.ko) debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
 	# remove firmware
-	rm -rf debian/${PVE_KERNEL_PKG}/lib/firmware
+	rm -rf debian/$(PMX_KERNEL_PKG)/lib/firmware

-ifeq ($(filter pkg.pve-kernel.debug,$(DEB_BUILD_PROFILES)),)
-	echo "'pkg.pve-kernel.debug' build profile disabled, skipping -dbgsym creation"
+ifeq ($(filter pkg.proxmox-kernel.debug,$(DEB_BUILD_PROFILES)),)
+	echo "'pkg.proxmox-kernel.debug' build profile disabled, skipping -dbgsym creation"
 else
-	echo "'pkg.pve-kernel.debug' build profile enabled, creating -dbgsym contents"
-	mkdir -p debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}
-	mkdir debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/boot
-	install -m 644 ${KERNEL_SRC}/vmlinux debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/boot/vmlinux-${KVNAME}
-	cp -r debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME} debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/
-	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/source
-	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/build
-	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/modules.*
+	echo "'pkg.proxmox-kernel.debug' build profile enabled, creating -dbgsym contents"
+	mkdir -p debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)
+	mkdir debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot
+	install -m 644 $(KERNEL_SRC)/vmlinux debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot/vmlinux-$(KVNAME)
+	cp -r debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/source
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/build
+	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/modules.*
 endif

 	# strip debug info
-	find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+	find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+
+	# sign modules using ephemeral, embedded key
+	if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
+		find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
+			./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
+		done; \
+		rm ./ubuntu-kernel/certs/signing_key.pem ; \
+	fi
 	# finalize
-	/sbin/depmod -b debian/${PVE_KERNEL_PKG}/ ${KVNAME}
+	/sbin/depmod -b debian/$(PMX_KERNEL_PKG)/ $(KVNAME)
 	# Autogenerate blacklist for watchdog devices (see README)
-	install -m 0755 -d debian/${PVE_KERNEL_PKG}/lib/modprobe.d
-	ls debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
+	install -m 0755 -d debian/$(PMX_KERNEL_PKG)/lib/modprobe.d
+	ls debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
 	echo ipmi_watchdog.ko >> watchdog-blacklist.tmp
-	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/${PVE_KERNEL_PKG}/lib/modprobe.d/blacklist_${PVE_KERNEL_PKG}.conf
-	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/source
-	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/build
+	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/$(PMX_KERNEL_PKG)/lib/modprobe.d/blacklist_$(PMX_KERNEL_PKG).conf
+	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/source
+	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/build
 	touch $@

 .tools_compile_mark: .compile_mark
-	${MAKE} -C ${KERNEL_SRC}/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
+	$(MAKE) -C $(KERNEL_SRC)/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
 	echo "checking GPL-2 only perf binary for library linkage with incompatible licenses.."
-	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibbfd'
-	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibcrypto'
-	${MAKE} -C ${KERNEL_SRC}/tools/perf man
+	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibbfd'
+	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibcrypto'
+	$(MAKE) -C $(KERNEL_SRC)/tools/perf man
 	touch $@

 .tools_install_mark: .tools_compile_mark
-	rm -rf debian/${LINUX_TOOLS_PKG}
-	mkdir -p debian/${LINUX_TOOLS_PKG}/usr/bin
-	mkdir -p debian/${LINUX_TOOLS_PKG}/usr/share/man/man1
-	install -m 755 ${BUILD_DIR}/${KERNEL_SRC}/tools/perf/perf debian/${LINUX_TOOLS_PKG}/usr/bin/perf_$(KERNEL_MAJMIN)
-	for i in ${BUILD_DIR}/${KERNEL_SRC}/tools/perf/Documentation/*.1; do \
+	rm -rf debian/$(LINUX_TOOLS_PKG)
+	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/bin
+	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1
+	install -m 755 $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/perf debian/$(LINUX_TOOLS_PKG)/usr/bin/perf_$(KERNEL_MAJMIN)
+	for i in $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/Documentation/*.1; do \
 	    fname="$${i##*/}"; manname="$${fname%.1}"; \
-	    install -m644 "$$i" "debian/${LINUX_TOOLS_PKG}/usr/share/man/man1/$${manname}_$(KERNEL_MAJMIN).1"; \
+	    install -m644 "$$i" "debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1/$${manname}_$(KERNEL_MAJMIN).1"; \
 	done
 	touch $@

 .headers_prepare_mark: .config_mark
-	rm -rf debian/${PVE_HEADER_PKG}
-	mkdir -p debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	install -m 0644 ${KERNEL_SRC}/.config debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	make -C ${KERNEL_SRC_COPY} mrproper
-	cd ${KERNEL_SRC_COPY}; find . -path './debian/*' -prune \
+	rm -rf debian/$(PMX_HEADER_PKG)
+	mkdir -p debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	install -m 0644 $(KERNEL_SRC)/.config debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	make -C $(KERNEL_SRC_COPY) mrproper
+	cd $(KERNEL_SRC_COPY); find . -path './debian/*' -prune \
 	    -o -path './include/*' -prune \
 	    -o -path './Documentation' -prune \
 	    -o -path './scripts' -prune \
@@ -204,40 +231,40 @@ endif
 	        -o -name '*.sh' \
 	        -o -name '*.pl' \
 	    \) \
-	    -print | cpio -pd --preserve-modification-time ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	cd ${KERNEL_SRC_COPY}; \
+	    -print | cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	cd $(KERNEL_SRC_COPY); \
 	    ( \
-	        find arch/${KERNEL_HEADER_ARCH} -name include -type d -print | \
+	        find arch/$(KERNEL_HEADER_ARCH) -name include -type d -print | \
 	        xargs -n1 -i: find : -type f \
 	    ) | \
-	    cpio -pd --preserve-modification-time ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	    cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
 	touch $@

 .headers_compile_mark: .headers_prepare_mark
 	# set output to subdir of source to reduce number of hardcoded paths in output files
-	rm -rf ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}
-	mkdir -p ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}
-	cp ${KERNEL_SRC}/.config ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}/.config
-	${MAKE} -C ${KERNEL_SRC_COPY} O=${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG} -j1 syncconfig modules_prepare prepare scripts
-	cd ${KERNEL_SRC_COPY}; cp -a include scripts ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	find ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG} -name \*.o.ur-\* -o -name '*.cmd' | xargs rm -f
-	rsync --ignore-existing -r -v -a $(addprefix ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}/,arch include kernel scripts tools) ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/
-	rm -rf ${BUILD_DIR}/${KERNEL_SRC_COPY}
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
+	mkdir -p $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
+	cp $(KERNEL_SRC)/.config $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/.config
+	$(MAKE) -C $(KERNEL_SRC_COPY) O=$(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -j1 syncconfig modules_prepare prepare scripts
+	cd $(KERNEL_SRC_COPY); cp -a include scripts $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	find $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -name \*.o.ur-\* -o -name '*.cmd' | xargs rm -f
+	rsync --ignore-existing -r -v -a $(addprefix $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/,arch include kernel scripts tools) $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/
+	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)
 	touch $@

 .headers_install_mark: .compile_mark .modules_compile_mark .headers_compile_mark
-	cp ${KERNEL_SRC}/include/generated/compile.h debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/include/generated/compile.h
-	install -m 0644 ${KERNEL_SRC}/Module.symvers debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	mkdir -p debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}
-	ln -sf /usr/src/linux-headers-${KVNAME} debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}/build
+	cp $(KERNEL_SRC)/include/generated/compile.h debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/include/generated/compile.h
+	install -m 0644 $(KERNEL_SRC)/Module.symvers debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
+	mkdir -p debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)
+	ln -sf /usr/src/linux-headers-$(KVNAME) debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)/build
 	touch $@

-.usr_headers_install_mark: PKG_DIR = debian/${PVE_USR_HEADER_PKG}
-.usr_headers_install_mark: OUT_DIR = ${PKG_DIR}/usr
+.usr_headers_install_mark: PKG_DIR = debian/$(PMX_USR_HEADER_PKG)
+.usr_headers_install_mark: OUT_DIR = $(PKG_DIR)/usr
 .usr_headers_install_mark: .config_mark
-	rm -rf '${PKG_DIR}'
-	mkdir -p  '${PKG_DIR}'
-	$(MAKE) -C ${KERNEL_SRC} headers_install ARCH=$(KERNEL_HEADER_ARCH) INSTALL_HDR_PATH='$(CURDIR)'/$(OUT_DIR)
+	rm -rf '$(PKG_DIR)'
+	mkdir -p  '$(PKG_DIR)'
+	$(MAKE) -C $(KERNEL_SRC) headers_install ARCH=$(KERNEL_HEADER_ARCH) INSTALL_HDR_PATH='$(CURDIR)'/$(OUT_DIR)
 	rm -rf $(OUT_DIR)/include/drm $(OUT_DIR)/include/scsi
 	find $(OUT_DIR)/include \( -name .install -o -name ..install.cmd \) -execdir rm {} +

@@ -248,43 +275,43 @@ endif
 		mv $(OUT_DIR)/include/arch $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
 	touch $@

-.modules_compile_mark: ${MODULES}/zfs.ko
+.modules_compile_mark: $(MODULES)/zfs.ko
 	touch $@

-${MODULES}/zfs.ko: .compile_mark
-	cd ${MODULES}/${ZFSDIR}; ./autogen.sh
-	cd ${MODULES}/${ZFSDIR}; ./configure --with-config=kernel --with-linux=${BUILD_DIR}/${KERNEL_SRC} --with-linux-obj=${BUILD_DIR}/${KERNEL_SRC}
-	${MAKE} -C ${MODULES}/${ZFSDIR}
-	cp ${MODULES}/${ZFSDIR}/module/avl/zavl.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/nvpair/znvpair.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/unicode/zunicode.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/zcommon/zcommon.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/icp/icp.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/zfs/zfs.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/lua/zlua.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/spl/spl.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/zstd/zzstd.ko ${MODULES}/
+$(MODULES)/zfs.ko: .compile_mark
+	cd $(MODULES)/$(ZFSDIR); ./autogen.sh
+	cd $(MODULES)/$(ZFSDIR); ./configure --with-config=kernel --with-linux=$(BUILD_DIR)/$(KERNEL_SRC) --with-linux-obj=$(BUILD_DIR)/$(KERNEL_SRC)
+	$(MAKE) -C $(MODULES)/$(ZFSDIR)
+	cp $(MODULES)/$(ZFSDIR)/module/avl/zavl.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/nvpair/znvpair.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/unicode/zunicode.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/zcommon/zcommon.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/icp/icp.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/zfs/zfs.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/lua/zlua.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/spl/spl.ko $(MODULES)/
+	cp $(MODULES)/$(ZFSDIR)/module/zstd/zzstd.ko $(MODULES)/

-fwlist-${KVNAME}: .compile_mark .modules_compile_mark
-	debian/scripts/find-firmware.pl debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME} >fwlist.tmp
+fwlist-$(KVNAME): .compile_mark .modules_compile_mark
+	debian/scripts/find-firmware.pl debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) >fwlist.tmp
 	mv fwlist.tmp $@

 .PHONY: fwcheck
-fwcheck: fwlist-${KVNAME} fwlist-previous
+fwcheck: fwlist-$(KVNAME) fwlist-previous
 	@echo "checking fwlist for changes since last built firmware package.."
-	@echo "if this check fails, add fwlist-${KVNAME} to the pve-firmware repository and upload a new firmware package together with the ${KVNAME} kernel"
+	@echo "if this check fails, add fwlist-$(KVNAME) to the pve-firmware repository and upload a new firmware package together with the $(KVNAME) kernel"
 	sort fwlist-previous | uniq > fwlist-previous.sorted
-	sort fwlist-${KVNAME} | uniq > fwlist-${KVNAME}.sorted
-	diff -up -N fwlist-previous.sorted fwlist-${KVNAME}.sorted > fwlist.diff
-	rm fwlist.diff fwlist-previous.sorted fwlist-${KVNAME}.sorted
+	sort fwlist-$(KVNAME) | uniq > fwlist-$(KVNAME).sorted
+	diff -up -N fwlist-previous.sorted fwlist-$(KVNAME).sorted > fwlist.diff
+	rm fwlist.diff fwlist-previous.sorted fwlist-$(KVNAME).sorted
 	@echo "done, no need to rebuild pve-firmware"


-abi-${KVNAME}: .compile_mark
-	debian/scripts/abi-generate debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/Module.symvers abi-${KVNAME} ${KVNAME}
+abi-$(KVNAME): .compile_mark
+	debian/scripts/abi-generate debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/Module.symvers abi-$(KVNAME) $(KVNAME)

 .PHONY: abicheck
-abicheck: debian/scripts/abi-check abi-${KVNAME} abi-prev-* abi-blacklist
-	debian/scripts/abi-check abi-${KVNAME} abi-prev-* ${SKIPABI}
+abicheck: debian/scripts/abi-check abi-$(KVNAME) abi-prev-* abi-blacklist
+	debian/scripts/abi-check abi-$(KVNAME) abi-prev-* $(SKIPABI)

 .PHONY: clean
@@ -1,4 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl
+
+use strict;
+use warnings;

 my $abinew = shift;
 my $abiold = shift;
@@ -22,30 +25,30 @@ my $count;
 print "II: Checking ABI...\n";

 if ($skipabi) {
-	print "WW: Explicitly asked to ignore ABI, running in no-fail mode\n";
-	$fail_exit = 0;
-	$abiskip = 1;
-	$EE = "WW:";
+    print "WW: Explicitly asked to ignore ABI, running in no-fail mode\n";
+    $fail_exit = 0;
+    $abiskip = 1;
+    $EE = "WW:";
 }

 if ($prev_abistr ne $abistr) {
-	print "II: Different ABI's, running in no-fail mode\n";
-	$fail_exit = 0;
-	$EE = "WW:";
+    print "II: Different ABI's, running in no-fail mode\n";
+    $fail_exit = 0;
+    $EE = "WW:";
 }

 if (not -f "$abinew" or not -f "$abiold") {
-	print "EE: Previous or current ABI file missing!\n";
-	print "    $abinew\n" if not -f "$abinew";
-	print "    $abiold\n" if not -f "$abiold";
+    print "EE: Previous or current ABI file missing!\n";
+    print "    $abinew\n" if not -f "$abinew";
+    print "    $abiold\n" if not -f "$abiold";

-	# Exit if the ABI files are missing, but return status based on whether
-	# skip ABI was indicated.
-	if ("$abiskip" eq "1") {
-		exit(0);
-	} else {
-		exit(1);
-	}
+    # Exit if the ABI files are missing, but return status based on whether
+    # skip ABI was indicated.
+    if ("$abiskip" eq "1") {
+	exit(0);
+    } else {
+	exit(1);
+    }
 }

 my %symbols;
@@ -57,101 +60,97 @@ my %module_syms;
 my $ignore = 0;
 print "    Reading symbols/modules to ignore...";

-for $file ("abi-blacklist") {
-	if (-f $file) {
-		open(IGNORE, "< $file") or
-			die "Could not open $file";
-		while (<IGNORE>) {
-			chomp;
-			if ($_ =~ m/M: (.*)/) {
-				$modules_ignore{$1} = 1;
-			} else {
-				$symbols_ignore{$_} = 1;
-			}
-			$ignore++;
-		}
-		close(IGNORE);
+for my $file ("abi-blacklist") {
+    next if !-f $file;
+    open(my $IGNORE_FH, '<', $file) or die "Could not open $file - $!";
+
+    while (<$IGNORE_FH>) {
+	chomp;
+	if ($_ =~ m/M: (.*)/) {
+	    $modules_ignore{$1} = 1;
+	} else {
+	    $symbols_ignore{$_} = 1;
 	}
+	$ignore++;
+    }
+    close($IGNORE_FH);
 }
 print "read $ignore symbols/modules.\n";

 sub is_ignored($$) {
-	my ($mod, $sym) = @_;
+    my ($mod, $sym) = @_;

-	die "Missing module name in is_ignored()" if not defined($mod);
-	die "Missing symbol name in is_ignored()" if not defined($sym);
+    die "Missing module name in is_ignored()" if not defined($mod);
+    die "Missing symbol name in is_ignored()" if not defined($sym);

-	if (defined($symbols_ignore{$sym}) or defined($modules_ignore{$mod})) {
-		return 1;
-	}
-	return 0;
+    if (defined($symbols_ignore{$sym}) or defined($modules_ignore{$mod})) {
+	return 1;
+    }
+    return 0;
 }

 # Read new syms first
 print "    Reading new symbols ($abistr)...";
 $count = 0;
-open(NEW, "< $abinew") or
-	die "Could not open $abinew";
-while (<NEW>) {
-	chomp;
-	m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
-	$symbols{$4}{'type'} = $1;
-	$symbols{$4}{'loc'} = $2;
-	$symbols{$4}{'hash'} = $3;
-	$module_syms{$2} = 0;
-	$count++;
+open(my $NEW_FH, '<', $abinew) or die "Could not open $abinew - $!";
+while (<$NEW_FH>) {
+    chomp;
+    m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
+    $symbols{$4}{'type'} = $1;
+    $symbols{$4}{'loc'} = $2;
+    $symbols{$4}{'hash'} = $3;
+    $module_syms{$2} = 0;
+    $count++;
 }
-close(NEW);
+close($NEW_FH);
 print "read $count symbols.\n";

 # Now the old symbols, checking for missing ones
 print "    Reading old symbols...";
 $count = 0;
-open(OLD, "< $abiold") or
-	die "Could not open $abiold";
-while (<OLD>) {
-	chomp;
-	m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
-	$symbols{$4}{'old_type'} = $1;
-	$symbols{$4}{'old_loc'} = $2;
-	$symbols{$4}{'old_hash'} = $3;
-	$count++;
+open(my $OLD_FH, '<', $abiold) or die "Could not open $abiold - $!";
+while (<$OLD_FH>) {
+    chomp;
+    m/^(\S+)\s(.+)\s(0x[0-9a-f]+)\s(.+)$/;
+    $symbols{$4}{'old_type'} = $1;
+    $symbols{$4}{'old_loc'} = $2;
+    $symbols{$4}{'old_hash'} = $3;
+    $count++;
 }
-close(OLD);
+close($OLD_FH);

 print "read $count symbols.\n";

 print "II: Checking for missing symbols in new ABI...";
 $count = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'type'})) {
-		print "\n" if not $count;
-		printf("    MISS : %s%s\n", $sym,
-			is_ignored($symbols{$sym}{'old_loc'}, $sym) ? " (ignored)" : "");
-		$count++ if !is_ignored($symbols{$sym}{'old_loc'}, $sym);
-	}
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'type'})) {
+	print "\n" if not $count;
+	printf("    MISS : %s%s\n", $sym, is_ignored($symbols{$sym}{'old_loc'}, $sym) ? " (ignored)" : "");
+	$count++ if !is_ignored($symbols{$sym}{'old_loc'}, $sym);
+    }
 }
 print "    " if $count;
 print "found $count missing symbols\n";
 if ($count) {
-	print "$EE Symbols gone missing (what did you do!?!)\n";
-	$errors++;
+    print "$EE Symbols gone missing (what did you do!?!)\n";
+    $errors++;
 }


 print "II: Checking for new symbols in new ABI...";
 $count = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'old_type'})) {
-		print "\n" if not $count;
-		print "    NEW : $sym\n";
-		$count++;
-	}
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'old_type'})) {
+	print "\n" if not $count;
+	print "    NEW : $sym\n";
+	$count++;
+    }
 }
 print "    " if $count;
 print "found $count new symbols\n";
 if ($count) {
-	print "WW: Found new symbols. Not recommended unless ABI was bumped\n";
+    print "WW: Found new symbols. Not recommended unless ABI was bumped\n";
 }

 print "II: Checking for changes to ABI...\n";
@@ -159,37 +158,34 @@ $count = 0;
 my $moved = 0;
 my $changed_type = 0;
 my $changed_hash = 0;
-foreach $sym (keys(%symbols)) {
-	if (!defined($symbols{$sym}{'old_type'}) or
-	    !defined($symbols{$sym}{'type'})) {
-		next;
-	}
+for my $sym (keys(%symbols)) {
+    if (!defined($symbols{$sym}{'old_type'}) or !defined($symbols{$sym}{'type'})) {
+	next;
+    }

-	# Changes in location don't hurt us, but log it anyway
-	if ($symbols{$sym}{'loc'} ne $symbols{$sym}{'old_loc'}) {
-		printf("    MOVE : %-40s : %s => %s\n", $sym, $symbols{$sym}{'old_loc'},
-			$symbols{$sym}{'loc'});
-		$moved++;
-	}
+    # Changes in location don't hurt us, but log it anyway
+    if ($symbols{$sym}{'loc'} ne $symbols{$sym}{'old_loc'}) {
+	printf("    MOVE : %-40s : %s => %s\n", $sym, $symbols{$sym}{'old_loc'}, $symbols{$sym}{'loc'});
+	$moved++;
+    }

-	# Changes to export type are only bad if new type isn't
-	# EXPORT_SYMBOL. Changing things to GPL are bad.
-	if ($symbols{$sym}{'type'} ne $symbols{$sym}{'old_type'}) {
-		printf("    TYPE : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_type'}.
-			$symbols{$sym}{'type'}, is_ignored($symbols{$sym}{'loc'}, $sym)
-			? " (ignored)" : "");
-		$changed_type++ if $symbols{$sym}{'type'} ne "EXPORT_SYMBOL"
-			and !is_ignored($symbols{$sym}{'loc'}, $sym);
-	}
+    # Changes to export type are only bad if new type isn't
+    # EXPORT_SYMBOL. Changing things to GPL are bad.
+    if ($symbols{$sym}{'type'} ne $symbols{$sym}{'old_type'}) {
+	printf("    TYPE : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_type'}.
+	    $symbols{$sym}{'type'}, is_ignored($symbols{$sym}{'loc'}, $sym)
+	    ? " (ignored)" : "");
+	$changed_type++ if $symbols{$sym}{'type'} ne "EXPORT_SYMBOL" and !is_ignored($symbols{$sym}{'loc'}, $sym);
+    }

-	# Changes to the hash are always bad
-	if ($symbols{$sym}{'hash'} ne $symbols{$sym}{'old_hash'}) {
-		printf("    HASH : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_hash'},
-			$symbols{$sym}{'hash'}, is_ignored($symbols{$sym}{'loc'}, $sym)
-			? " (ignored)" : "");
-		$changed_hash++ if !is_ignored($symbols{$sym}{'loc'}, $sym);
-		$module_syms{$symbols{$sym}{'loc'}}++;
-	}
+    # Changes to the hash are always bad
+    if ($symbols{$sym}{'hash'} ne $symbols{$sym}{'old_hash'}) {
+	printf("    HASH : %-40s : %s => %s%s\n", $sym, $symbols{$sym}{'old_hash'},
+	    $symbols{$sym}{'hash'}, is_ignored($symbols{$sym}{'loc'}, $sym)
+	    ? " (ignored)" : "");
+	$changed_hash++ if !is_ignored($symbols{$sym}{'loc'}, $sym);
+	$module_syms{$symbols{$sym}{'loc'}}++;
+    }
 }

 print "WW: $moved symbols changed location\n" if $moved;
@@ -198,17 +194,17 @@ print "$EE $changed_hash symbols changed hash and weren't ignored\n" if $changed

 $errors++ if $changed_hash or $changed_type;
 if ($changed_hash) {
-	print "II: Module hash change summary...\n";
-	foreach $mod (sort { $module_syms{$b} <=> $module_syms{$a} } keys %module_syms) {
-		next if ! $module_syms{$mod};
-		printf("    %-40s: %d\n", $mod, $module_syms{$mod});
-	}
+    print "II: Module hash change summary...\n";
+    for my $mod (sort { $module_syms{$b} <=> $module_syms{$a} } keys %module_syms) {
+	next if ! $module_syms{$mod};
+	printf("    %-40s: %d\n", $mod, $module_syms{$mod});
+    }
 }

 print "II: Done\n";

 if ($errors) {
-	exit($fail_exit);
+    exit($fail_exit);
 } else {
-	exit(0);
+    exit(0);
 }
@@ -1,8 +1,11 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

-use PVE::Tools;
+use strict;
+use warnings;

-use IO::File;
+use PVE::Tools ();
+
+use IO::File ();

 sub usage {
    die "USAGE: $0 INFILE OUTFILE [ABI INFILE-IS-DEB]\n";
@@ -1,6 +1,7 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl

 use strict;
+use warnings;

 my $dir = shift;

@@ -12,21 +13,21 @@ warn "\n\nNOTE: strange directory name: $dir\n\n" if $dir !~ m|^(.*/)?(\d+.\d+.\

 my $apiver = $2;

-open(TMP, "find '$dir' -name '*.ko'|");
-while (defined(my $fn = <TMP>)) {
+open(my $FIND_KO_FH, "find '$dir' -name '*.ko'|");
+while (defined(my $fn = <$FIND_KO_FH>)) {
    chomp $fn;
    my $relfn = $fn;
    $relfn =~ s|^$dir/*||;

    my $cmd = "/sbin/modinfo -F firmware '$fn'";
-    open(MOD, "$cmd|");
-    while (defined(my $fw = <MOD>)) {
+    open(my $MOD_FH, "$cmd|");
+    while (defined(my $fw = <$MOD_FH>)) {
 	chomp $fw;
 	print "$fw $relfn\n";
    }
-    close(MOD);
+    close($MOD_FH);

 }
-close TMP;
+close($FIND_KO_FH);

 exit 0;
@@ -0,0 +1,2 @@
+proxmox-kernel-6.2 source: debian-control-has-dbgsym-package (in section for proxmox-kernel-*-pve-dbgsym) Package [debian/control:*]
+proxmox-kernel-6.2 source: license-problem-gfdl-invariants invariant part is: with the :ref:`invariant sections <fdl-invariant>` being list their titles, with the :ref:`front-cover texts <fdl-cover-texts>` being list, and with the :ref:`back-cover texts <fdl-cover-texts>` being list [ubuntu-kernel/Documentation/userspace-api/media/fdl-appendix.rst]
@@ -17,28 +17,19 @@ $KBUILD_BUILD_TIMESTAMP.
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- scripts/mkcompile_h | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
+ init/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)

-diff --git a/scripts/mkcompile_h b/scripts/mkcompile_h
-index 6a2a04d92f42..6c9430ee1a09 100755
--- a/scripts/mkcompile_h
-+++ b/scripts/mkcompile_h
-@@ -22,10 +22,14 @@ else
- 	VERSION=$KBUILD_BUILD_VERSION
- fi
+diff --git a/init/Makefile b/init/Makefile
+index ec557ada3c12..72095034f338 100644
+--- a/init/Makefile
+++ b/init/Makefile
+@@ -29,7 +29,7 @@ preempt-flag-$(CONFIG_PREEMPT_DYNAMIC)	:= PREEMPT_DYNAMIC
+ preempt-flag-$(CONFIG_PREEMPT_RT)	:= PREEMPT_RT
 
-if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
-	TIMESTAMP=`date`
-+if [ -z "$KBUILD_BUILD_VERSION_TIMESTAMP" ]; then
-+	if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
-+		TIMESTAMP=`date`
-+	else
-+		TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
-+	fi
- else
-	TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
-+	TIMESTAMP=$KBUILD_BUILD_VERSION_TIMESTAMP
- fi
- if test -z "$KBUILD_BUILD_USER"; then
- 	LINUX_COMPILE_BY=$(whoami | sed 's/\\/\\\\/')
+ build-version = $(or $(KBUILD_BUILD_VERSION), $(build-version-auto))
+-build-timestamp = $(or $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+build-timestamp = $(or $(KBUILD_BUILD_VERSION_TIMESTAMP), $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+ 
+ # Maximum length of UTS_VERSION is 64 chars
+ filechk_uts_version = \
@@ -19,7 +19,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 1 insertion(+), 4 deletions(-)

 diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
-index ba55851fe132..82675e1ecfb8 100644
+index 75204d36d7f9..1fb5ff73ec1e 100644
 --- a/net/bridge/br_stp_if.c
 +++ b/net/bridge/br_stp_if.c
@@ -265,10 +265,7 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
@@ -55,10 +55,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 2 files changed, 111 insertions(+)

 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index efb9e8b66652..b2331a9c08dd 100644
+index 5d47f23514d0..f06df077504b 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -3943,6 +3943,15 @@
+@@ -4210,6 +4210,15 @@
 				Also, it enforces the PCI Local Bus spec
 				rule that those bits should be 0 in system reset
 				events (useful for kexec/kdump cases).
@@ -75,10 +75,10 @@ index efb9e8b66652..b2331a9c08dd 100644
 				Safety option to keep boot IRQs enabled. This
 				should never be necessary.
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 1c566b0cbee9..d49c54c579bb 100644
+index 592e1c4ae697..aebf6f412203 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
-@@ -193,6 +193,106 @@ static int __init pci_apply_final_quirks(void)
+@@ -194,6 +194,106 @@ static int __init pci_apply_final_quirks(void)
 }
 fs_initcall_sync(pci_apply_final_quirks);
 
@@ -185,7 +185,7 @@ index 1c566b0cbee9..d49c54c579bb 100644
 /*
  * Decoding should be disabled for a PCI device during BAR sizing to avoid
  * conflict. But doing so may cause problems on host bridge and perhaps other
-@@ -4927,6 +5027,8 @@ static const struct pci_dev_acs_enabled {
+@@ -4974,6 +5074,8 @@ static const struct pci_dev_acs_enabled {
 	{ PCI_VENDOR_ID_CAVIUM, 0xA060, pci_quirk_mf_endpoint_acs },
 	/* APM X-Gene */
 	{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
@@ -13,7 +13,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index fefdf3a6dae3..b1f35bc88be5 100644
+index 73fad57408f7..99ae3e468ce6 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
@@ -79,7 +79,7 @@ module_param(halt_poll_ns, uint, 0644);
@@ -1,24 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Date: Wed, 7 Oct 2020 17:18:28 +0200
-Subject: [PATCH] net: core: downgrade unregister_netdevice refcount leak from
- emergency to error
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- net/core/dev.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/core/dev.c b/net/core/dev.c
-index 6111506a4105..564801ce82ba 100644
--- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -10528,7 +10528,7 @@ static void netdev_wait_allrefs(struct net_device *dev)
- 		if (refcnt != 1 &&
- 		    time_after(jiffies, warning_time +
- 			       netdev_unregister_timeout_secs * HZ)) {
-			pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
-+			pr_err("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
- 				 dev->name, refcnt);
- 			warning_time = jiffies;
- 		}
@@ -1,104 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Date: Mon, 27 Sep 2021 11:28:39 +0200
-Subject: [PATCH] Revert "PCI: Coalesce host bridge contiguous apertures"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit ab20e43b20b60f5cc8e2ea3763ffa388158469ac.
-
-was reverted upstream because of reports similar to
-
-Link: https://bugzilla.proxmox.com/show_bug.cgi?id=3552
-Link: https://lore.kernel.org/r/20210709231529.GA3270116@roeck-us.net
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- drivers/pci/probe.c | 50 ++++-----------------------------------------
- 1 file changed, 4 insertions(+), 46 deletions(-)
-
-diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index 4f26c222f5f2..c0abe906b84e 100644
--- a/drivers/pci/probe.c
-+++ b/drivers/pci/probe.c
-@@ -20,7 +20,6 @@
- #include <linux/irqdomain.h>
- #include <linux/pm_runtime.h>
- #include <linux/bitfield.h>
-#include <linux/list_sort.h>
- #include "pci.h"
- 
- #define CARDBUS_LATENCY_TIMER	176	/* secondary latency timer */
-@@ -881,31 +880,14 @@ static void pci_set_bus_msi_domain(struct pci_bus *bus)
- 	dev_set_msi_domain(&bus->dev, d);
- }
- 
-static int res_cmp(void *priv, const struct list_head *a,
-		   const struct list_head *b)
-{
-	struct resource_entry *entry1, *entry2;
-
-	entry1 = container_of(a, struct resource_entry, node);
-	entry2 = container_of(b, struct resource_entry, node);
-
-	if (entry1->res->flags != entry2->res->flags)
-		return entry1->res->flags > entry2->res->flags;
-
-	if (entry1->offset != entry2->offset)
-		return entry1->offset > entry2->offset;
-
-	return entry1->res->start > entry2->res->start;
-}
-
- static int pci_register_host_bridge(struct pci_host_bridge *bridge)
- {
- 	struct device *parent = bridge->dev.parent;
-	struct resource_entry *window, *next, *n;
-+	struct resource_entry *window, *n;
- 	struct pci_bus *bus, *b;
-	resource_size_t offset, next_offset;
-+	resource_size_t offset;
- 	LIST_HEAD(resources);
-	struct resource *res, *next_res;
-+	struct resource *res;
- 	char addr[64], *fmt;
- 	const char *name;
- 	int err;
-@@ -988,35 +970,11 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
- 	if (nr_node_ids > 1 && pcibus_to_node(bus) == NUMA_NO_NODE)
- 		dev_warn(&bus->dev, "Unknown NUMA node; performance will be reduced\n");
- 
-	/* Sort and coalesce contiguous windows */
-	list_sort(NULL, &resources, res_cmp);
-	resource_list_for_each_entry_safe(window, n, &resources) {
-		if (list_is_last(&window->node, &resources))
-			break;
-
-		next = list_next_entry(window, node);
-		offset = window->offset;
-		res = window->res;
-		next_offset = next->offset;
-		next_res = next->res;
-
-		if (res->flags != next_res->flags || offset != next_offset)
-			continue;
-
-		if (res->end + 1 == next_res->start) {
-			next_res->start = res->start;
-			res->flags = res->start = res->end = 0;
-		}
-	}
-
- 	/* Add initial resources to the bus */
- 	resource_list_for_each_entry_safe(window, n, &resources) {
-+		list_move_tail(&window->node, &bridge->windows);
- 		offset = window->offset;
- 		res = window->res;
-		if (!res->end)
-			continue;
-
-		list_move_tail(&window->node, &bridge->windows);
- 
- 		if (res->flags & IORESOURCE_BUS)
- 			pci_bus_insert_busn_res(bus, bus->number, res->end);
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Wed, 7 Oct 2020 17:18:28 +0200
+Subject: [PATCH] net: core: downgrade unregister_netdevice refcount leak from
+ emergency to error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 555bbe774734..de2e0d0185fc 100644
+--- a/net/core/dev.c
+++ b/net/core/dev.c
+@@ -10262,7 +10262,7 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list)
+ 		if (time_after(jiffies, warning_time +
+ 			       READ_ONCE(netdev_unregister_timeout_secs) * HZ)) {
+ 			list_for_each_entry(dev, list, todo_list) {
+-				pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+				pr_err("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+ 					 dev->name, netdev_refcnt_read(dev));
+ 				ref_tracker_dir_print(&dev->refcnt_tracker, 10);
+ 			}
@@ -1,112 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Date: Tue, 13 Jul 2021 20:50:07 +0800
-Subject: [PATCH] PCI: Reinstate "PCI: Coalesce host bridge contiguous
- apertures"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Built-in graphics on HP EliteDesk 805 G6 doesn't work because graphics
-can't get the BAR it needs:
-  pci_bus 0000:00: root bus resource [mem 0x10020200000-0x100303fffff window]
-  pci_bus 0000:00: root bus resource [mem 0x10030400000-0x100401fffff window]
-
-  pci 0000:00:08.1:   bridge window [mem 0xd2000000-0xd23fffff]
-  pci 0000:00:08.1:   bridge window [mem 0x10030000000-0x100401fffff 64bit pref]
-  pci 0000:00:08.1: can't claim BAR 15 [mem 0x10030000000-0x100401fffff 64bit pref]: no compatible bridge window
-  pci 0000:00:08.1: [mem 0x10030000000-0x100401fffff 64bit pref] clipped to [mem 0x10030000000-0x100303fffff 64bit pref]
-  pci 0000:00:08.1:   bridge window [mem 0x10030000000-0x100303fffff 64bit pref]
-  pci 0000:07:00.0: can't claim BAR 0 [mem 0x10030000000-0x1003fffffff 64bit pref]: no compatible bridge window
-  pci 0000:07:00.0: can't claim BAR 2 [mem 0x10040000000-0x100401fffff 64bit pref]: no compatible bridge window
-
-However, the root bus has two contiguous apertures that can contain the
-child resource requested.
-
-Coalesce contiguous apertures so we can allocate from the entire contiguous
-region.
-
-This is the second take of commit 65db04053efe ("PCI: Coalesce host
-bridge contiguous apertures"). The original approach sorts the apertures
-by address, but that makes NVMe stop working on QEMU ppc:sam460ex:
-  PCI host bridge to bus 0002:00
-  pci_bus 0002:00: root bus resource [io  0x0000-0xffff]
-  pci_bus 0002:00: root bus resource [mem 0xd80000000-0xdffffffff] (bus address [0x80000000-0xffffffff])
-  pci_bus 0002:00: root bus resource [mem 0xc0ee00000-0xc0eefffff] (bus address [0x00000000-0x000fffff])
-
-After the offending commit:
-  PCI host bridge to bus 0002:00
-  pci_bus 0002:00: root bus resource [io  0x0000-0xffff]
-  pci_bus 0002:00: root bus resource [mem 0xc0ee00000-0xc0eefffff] (bus address [0x00000000-0x000fffff])
-  pci_bus 0002:00: root bus resource [mem 0xd80000000-0xdffffffff] (bus address [0x80000000-0xffffffff])
-
-Since the apertures on HP EliteDesk 805 G6 are already in ascending
-order, doing a precautious sorting is not necessary.
-
-Remove the sorting part to avoid the regression on ppc:sam460ex.
-
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212013
-Cc: Guenter Roeck <linux@roeck-us.net>
-Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
-Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- drivers/pci/probe.c | 31 +++++++++++++++++++++++++++----
- 1 file changed, 27 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
-index c0abe906b84e..8b7c58dec9e4 100644
--- a/drivers/pci/probe.c
-+++ b/drivers/pci/probe.c
-@@ -883,11 +883,11 @@ static void pci_set_bus_msi_domain(struct pci_bus *bus)
- static int pci_register_host_bridge(struct pci_host_bridge *bridge)
- {
- 	struct device *parent = bridge->dev.parent;
-	struct resource_entry *window, *n;
-+	struct resource_entry *window, *next, *n;
- 	struct pci_bus *bus, *b;
-	resource_size_t offset;
-+	resource_size_t offset, next_offset;
- 	LIST_HEAD(resources);
-	struct resource *res;
-+	struct resource *res, *next_res;
- 	char addr[64], *fmt;
- 	const char *name;
- 	int err;
-@@ -970,11 +970,34 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
- 	if (nr_node_ids > 1 && pcibus_to_node(bus) == NUMA_NO_NODE)
- 		dev_warn(&bus->dev, "Unknown NUMA node; performance will be reduced\n");
- 
-+	/* Coalesce contiguous windows */
-+	resource_list_for_each_entry_safe(window, n, &resources) {
-+		if (list_is_last(&window->node, &resources))
-+			break;
-+
-+		next = list_next_entry(window, node);
-+		offset = window->offset;
-+		res = window->res;
-+		next_offset = next->offset;
-+		next_res = next->res;
-+
-+		if (res->flags != next_res->flags || offset != next_offset)
-+			continue;
-+
-+		if (res->end + 1 == next_res->start) {
-+			next_res->start = res->start;
-+			res->flags = res->start = res->end = 0;
-+		}
-+	}
-+
- 	/* Add initial resources to the bus */
- 	resource_list_for_each_entry_safe(window, n, &resources) {
-		list_move_tail(&window->node, &bridge->windows);
- 		offset = window->offset;
- 		res = window->res;
-+		if (!res->end)
-+			continue;
-+
-+		list_move_tail(&window->node, &bridge->windows);
- 
- 		if (res->flags & IORESOURCE_BUS)
- 			pci_bus_insert_busn_res(bus, bus->number, res->end);
@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Tue, 10 Jan 2023 08:52:40 +0100
+Subject: [PATCH] Revert "fortify: Do not cast to "unsigned char""
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit 106b7a61c488d2022f44e3531ce33461c7c0685f.
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ include/linux/fortify-string.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
+index 7cad8bb031e9..acc24887db3e 100644
+--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
+@@ -18,7 +18,7 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
+ 
+ #define __compiletime_strlen(p)					\
+ ({								\
+-	char *__p = (char *)(p);				\
+	unsigned char *__p = (unsigned char *)(p);		\
+ 	size_t __ret = SIZE_MAX;				\
+ 	size_t __p_size = __member_size(p);			\
+ 	if (__p_size != SIZE_MAX &&				\
@@ -1,28 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
-Date: Thu, 14 Sep 2017 11:09:58 +0200
-Subject: [PATCH] do not generate split BTF type info per default
-
-This reverts commit a8ed1a0607cfa5478ff6009539f44790c4d0956d.
-
-It breaks ZFS sometimes:
-https://github.com/openzfs/zfs/issues/12301#issuecomment-873303739
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- lib/Kconfig.debug | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
-index ead81fad883c..9d76f3c39735 100644
--- a/lib/Kconfig.debug
-+++ b/lib/Kconfig.debug
-@@ -325,7 +325,7 @@ config PAHOLE_HAS_SPLIT_BTF
- 	def_bool PAHOLE_VERSION >= 119
- 
- config DEBUG_INFO_BTF_MODULES
-	def_bool y
-+	def_bool n
- 	depends on DEBUG_INFO_BTF && MODULES && PAHOLE_HAS_SPLIT_BTF
- 	help
- 	  Generate compact split BTF type information for kernel modules.
@@ -0,0 +1,133 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Fri, 14 Jul 2023 18:10:32 +0200
+Subject: [PATCH] kvm: xsave set: mask-out PKRU bit in xfeatures if vCPU has no
+ support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes live-migrations & snapshot-rollback of VMs with a restricted
+CPU type (e.g., qemu64) from our 5.15 based kernel (default Proxmox
+VE 7.4) to the 6.2 (and future newer) of Proxmox VE 8.0.
+
+Previous to ad856280ddea ("x86/kvm/fpu: Limit guest user_xfeatures to
+supported bits of XCR0") the PKRU bit of the host could leak into the
+state from the guest, which caused trouble when migrating between
+hosts with different CPUs, i.e., where the source supported it but
+the target did not, causing a general protection fault when the guest
+tried to use a pkru related instruction after the migration.
+
+But the fix, while welcome, caused a temporary out-of-sync state when
+migrating such a VM from a kernel without the fix to a kernel with
+the fix, as it threw of KVM when the CPUID of the guest and most of
+the state doesn't report XSAVE and thus any xfeatures, but PKRU and
+the related state is set as enabled, causing the vCPU to spin at 100%
+without any progress forever.
+
+The fix could be at two sites, either in QEMU or in the kernel, I
+choose the kernel as we have all the info there for a targeted
+heuristic so that we don't have to adapt QEMU and qemu-server, the
+latter even on both sides.
+
+Still, a short summary of the possible fixes and short drawbacks:
+* on QEMU-side either
+  - clear the PKRU state in the migration saved state would be rather
+    complicated to implement as the vCPU is initialised way before we
+    have the saved xfeature state available to check what we'd need
+    to do, plus the user-space only gets a memory blob from ioctl
+    KVM_GET_XSAVE2 that it passes to KVM_SET_XSAVE ioctl, there are
+    no ABI guarantees, and while the struct seem stable for 5.15 to
+    6.5-rc1, that doesn't has to be for future kernels, so off the
+    table.
+  - enforce that the CPUID reports PKU support even if it normally
+    wouldn't. While this works (tested by hard-coding it as POC) it
+    is a) not really nice and b) needs some interaction from
+    qemu-server to enable this flag as otherwise we have no good info
+    to decide when it's OK to do this, which means we need to adapt
+    both PVE 7 and 8's qemu-server and also pve-qemu, workable but
+    not optimal
+
+* on Kernel/KVM-side we can hook into the set XSAVE ioctl specific to
+  the KVM subsystem, which already reduces chance of regression for
+  all other places. There we have access to the union/struct
+  definitions of the saved state and thus can savely cast to that.
+  We also got access to the vCPU's CPUID capabilities, meaning we can
+  check if the XCR0 (first XSAVE Control Register) reports
+  that it support the PKRU feature, and if it does *NOT* but the
+  saved xfeatures register from XSAVE *DOES* report it, we can safely
+  assume that this combination is due to an migration from an older,
+  leaky kernel – and clear the bit in the xfeature register before
+  restoring it to the guest vCPU KVM state, avoiding the confusing
+  situation that made the vCPU spin at 100%.
+  This should be safe to do, as the guest vCPU CPUID never reported
+  support for the PKRU feature, and it's also a relatively niche and
+  newish feature.
+
+If it gains us something we can drop this patch a bit in the future
+Proxmox VE 9 major release, but we should ensure that VMs that where
+started before PVE 8 cannot be directly live-migrated to the release
+that includes that change; so we should rather only drop it if the
+maintenance burden is high.
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/cpuid.c |  6 ++++++
+ arch/x86/kvm/cpuid.h |  2 ++
+ arch/x86/kvm/x86.c   | 13 +++++++++++++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index 7ccdf991d18e..61aefeb3fdbc 100644
+--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
+@@ -251,6 +251,12 @@ static u64 cpuid_get_supported_xcr0(struct kvm_cpuid_entry2 *entries, int nent)
+ 	return (best->eax | ((u64)best->edx << 32)) & kvm_caps.supported_xcr0;
+ }
+ 
+bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu) {
+	u64 guest_supported_xcr0 = cpuid_get_supported_xcr0(
+	    vcpu->arch.cpuid_entries, vcpu->arch.cpuid_nent);
+	return (guest_supported_xcr0 & XFEATURE_MASK_PKRU) != 0;
+}
+
+ static void __kvm_update_cpuid_runtime(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *entries,
+ 				       int nent)
+ {
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
+index b1658c0de847..12a02851ff57 100644
+--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
+@@ -32,6 +32,8 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+ bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx,
+ 	       u32 *ecx, u32 *edx, bool exact_only);
+ 
+bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu);
+
+ u32 xstate_required_size(u64 xstate_bv, bool compacted);
+ 
+ int cpuid_query_maxphyaddr(struct kvm_vcpu *vcpu);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index ee603f4edce1..ff92ff41d5ce 100644
+--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
+@@ -5342,6 +5342,19 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
+ 	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
+ 		return 0;
+ 
+	if (!vcpu_supports_xsave_pkru(vcpu)) {
+		void *buf = guest_xsave->region;
+		union fpregs_state *ustate = buf;
+		if (ustate->xsave.header.xfeatures & XFEATURE_MASK_PKRU) {
+			printk(
+				KERN_NOTICE "clearing PKRU xfeature bit as vCPU from PID %d"
+				" reports no PKRU support - migration from fpu-leaky kernel?",
+				current->pid
+			);
+			ustate->xsave.header.xfeatures &= ~XFEATURE_MASK_PKRU;
+		}
+	}
+
+ 	return fpu_copy_uabi_to_guest_fpstate(&vcpu->arch.guest_fpu,
+ 					      guest_xsave->region,
+ 					      kvm_caps.supported_xcr0,
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: kiler129 <grzegorz@noflash.pl>
+Date: Mon, 18 Sep 2023 15:19:26 +0200
+Subject: [PATCH] allow opt-in to allow pass-through on broken hardware..
+
+adapted from https://github.com/kiler129/relax-intel-rmrr , licensed under MIT or GPL 2.0+
+---
+ drivers/iommu/intel/iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index 1c5ba4dbfe78..887667218e3b 100644
+--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
+@@ -297,6 +297,7 @@ static int dmar_map_gfx = 1;
+ static int dmar_map_ipu = 1;
+ static int intel_iommu_superpage = 1;
+ static int iommu_identity_mapping;
+static int intel_relaxable_rmrr = 0;
+ static int iommu_skip_te_disable;
+ 
+ #define IDENTMAP_GFX		2
+@@ -358,6 +359,9 @@ static int __init intel_iommu_setup(char *str)
+ 		} else if (!strncmp(str, "tboot_noforce", 13)) {
+ 			pr_info("Intel-IOMMU: not forcing on after tboot. This could expose security risk for tboot\n");
+ 			intel_iommu_tboot_noforce = 1;
+		} else if (!strncmp(str, "relax_rmrr", 10)) {
+			pr_info("Intel-IOMMU: assuming all RMRRs are relaxable. This can lead to instability or data loss\n");
+			intel_relaxable_rmrr = 1;
+ 		} else {
+ 			pr_notice("Unknown option - '%s'\n", str);
+ 		}
+@@ -2538,7 +2542,7 @@ static bool device_rmrr_is_relaxable(struct device *dev)
+ 		return false;
+ 
+ 	pdev = to_pci_dev(dev);
+-	if (IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
+	if (intel_relaxable_rmrr || IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
+ 		return true;
+ 	else
+ 		return false;
@@ -1,147 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Tue, 11 Jan 2022 09:31:59 +0100
-Subject: [PATCH] blk-cgroup: always terminate io.stat lines
-
-With the removal of seq_get_buf in blkcg_print_one_stat, we
-cannot make adding the newline conditional on there being
-relevant stats because the name was already written out
-unconditionally.
-Otherwise we may end up with multiple device names in one
-line which is confusing and doesn't follow the nested-keyed
-file format.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Fixes: 252c651a4c85 ("blk-cgroup: stop using seq_get_buf")
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- block/blk-cgroup.c         | 9 ++-------
- block/blk-iocost.c         | 5 ++---
- block/blk-iolatency.c      | 8 +++-----
- include/linux/blk-cgroup.h | 2 +-
- 4 files changed, 8 insertions(+), 16 deletions(-)
-
-diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
-index ce5858dadca5..aa43ed94deb6 100644
--- a/block/blk-cgroup.c
-+++ b/block/blk-cgroup.c
-@@ -887,7 +887,6 @@ static void blkcg_print_one_stat(struct blkcg_gq *blkg, struct seq_file *s)
- {
- 	struct blkg_iostat_set *bis = &blkg->iostat;
- 	u64 rbytes, wbytes, rios, wios, dbytes, dios;
-	bool has_stats = false;
- 	const char *dname;
- 	unsigned seq;
- 	int i;
-@@ -913,14 +912,12 @@ static void blkcg_print_one_stat(struct blkcg_gq *blkg, struct seq_file *s)
- 	} while (u64_stats_fetch_retry(&bis->sync, seq));
- 
- 	if (rbytes || wbytes || rios || wios) {
-		has_stats = true;
- 		seq_printf(s, "rbytes=%llu wbytes=%llu rios=%llu wios=%llu dbytes=%llu dios=%llu",
- 			rbytes, wbytes, rios, wios,
- 			dbytes, dios);
- 	}
- 
- 	if (blkcg_debug_stats && atomic_read(&blkg->use_delay)) {
-		has_stats = true;
- 		seq_printf(s, " use_delay=%d delay_nsec=%llu",
- 			atomic_read(&blkg->use_delay),
- 			atomic64_read(&blkg->delay_nsec));
-@@ -932,12 +929,10 @@ static void blkcg_print_one_stat(struct blkcg_gq *blkg, struct seq_file *s)
- 		if (!blkg->pd[i] || !pol->pd_stat_fn)
- 			continue;
- 
-		if (pol->pd_stat_fn(blkg->pd[i], s))
-			has_stats = true;
-+		pol->pd_stat_fn(blkg->pd[i], s);
- 	}
- 
-	if (has_stats)
-		seq_printf(s, "\n");
-+	seq_puts(s, "\n");
- }
- 
- static int blkcg_print_stat(struct seq_file *sf, void *v)
-diff --git a/block/blk-iocost.c b/block/blk-iocost.c
-index 10851493940c..21db328c0bcc 100644
--- a/block/blk-iocost.c
-+++ b/block/blk-iocost.c
-@@ -3005,13 +3005,13 @@ static void ioc_pd_free(struct blkg_policy_data *pd)
- 	kfree(iocg);
- }
- 
-static bool ioc_pd_stat(struct blkg_policy_data *pd, struct seq_file *s)
-+static void ioc_pd_stat(struct blkg_policy_data *pd, struct seq_file *s)
- {
- 	struct ioc_gq *iocg = pd_to_iocg(pd);
- 	struct ioc *ioc = iocg->ioc;
- 
- 	if (!ioc->enabled)
-		return false;
-+		return;
- 
- 	if (iocg->level == 0) {
- 		unsigned vp10k = DIV64_U64_ROUND_CLOSEST(
-@@ -3027,7 +3027,6 @@ static bool ioc_pd_stat(struct blkg_policy_data *pd, struct seq_file *s)
- 			iocg->last_stat.wait_us,
- 			iocg->last_stat.indebt_us,
- 			iocg->last_stat.indelay_us);
-	return true;
- }
- 
- static u64 ioc_weight_prfill(struct seq_file *sf, struct blkg_policy_data *pd,
-diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
-index ce3847499d85..0bac2c9ebb4a 100644
--- a/block/blk-iolatency.c
-+++ b/block/blk-iolatency.c
-@@ -902,7 +902,7 @@ static int iolatency_print_limit(struct seq_file *sf, void *v)
- 	return 0;
- }
- 
-static bool iolatency_ssd_stat(struct iolatency_grp *iolat, struct seq_file *s)
-+static void iolatency_ssd_stat(struct iolatency_grp *iolat, struct seq_file *s)
- {
- 	struct latency_stat stat;
- 	int cpu;
-@@ -925,17 +925,16 @@ static bool iolatency_ssd_stat(struct iolatency_grp *iolat, struct seq_file *s)
- 			(unsigned long long)stat.ps.missed,
- 			(unsigned long long)stat.ps.total,
- 			iolat->rq_depth.max_depth);
-	return true;
- }
- 
-static bool iolatency_pd_stat(struct blkg_policy_data *pd, struct seq_file *s)
-+static void iolatency_pd_stat(struct blkg_policy_data *pd, struct seq_file *s)
- {
- 	struct iolatency_grp *iolat = pd_to_lat(pd);
- 	unsigned long long avg_lat;
- 	unsigned long long cur_win;
- 
- 	if (!blkcg_debug_stats)
-		return false;
-+		return;
- 
- 	if (iolat->ssd)
- 		return iolatency_ssd_stat(iolat, s);
-@@ -948,7 +947,6 @@ static bool iolatency_pd_stat(struct blkg_policy_data *pd, struct seq_file *s)
- 	else
- 		seq_printf(s, " depth=%u avg_lat=%llu win=%llu",
- 			iolat->rq_depth.max_depth, avg_lat, cur_win);
-	return true;
- }
- 
- static struct blkg_policy_data *iolatency_pd_alloc(gfp_t gfp,
-diff --git a/include/linux/blk-cgroup.h b/include/linux/blk-cgroup.h
-index bc5c04d711bb..618359e3beca 100644
--- a/include/linux/blk-cgroup.h
-+++ b/include/linux/blk-cgroup.h
-@@ -153,7 +153,7 @@ typedef void (blkcg_pol_online_pd_fn)(struct blkg_policy_data *pd);
- typedef void (blkcg_pol_offline_pd_fn)(struct blkg_policy_data *pd);
- typedef void (blkcg_pol_free_pd_fn)(struct blkg_policy_data *pd);
- typedef void (blkcg_pol_reset_pd_stats_fn)(struct blkg_policy_data *pd);
-typedef bool (blkcg_pol_stat_pd_fn)(struct blkg_policy_data *pd,
-+typedef void (blkcg_pol_stat_pd_fn)(struct blkg_policy_data *pd,
- 				struct seq_file *s);
- 
- struct blkcg_policy {
@@ -1,34 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Javier Martinez Canillas <javierm@redhat.com>
-Date: Tue, 25 Jan 2022 10:12:19 +0100
-Subject: [PATCH] drivers/firmware: Don't mark as busy the simple-framebuffer
- IO resource
-
-The sysfb_create_simplefb() function requests a IO memory resource for the
-simple-framebuffer platform device, but it also marks it as busy which can
-lead to drivers requesting the same memory resource to fail.
-
-Let's drop the IORESOURCE_BUSY flag and let drivers to request it as busy
-instead.
-
-Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
-Reviewed-by: Zack Rusin <zackr@vmware.com>
-Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- drivers/firmware/sysfb_simplefb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/firmware/sysfb_simplefb.c b/drivers/firmware/sysfb_simplefb.c
-index 757cc8b9f3de..bda8712bfd8c 100644
--- a/drivers/firmware/sysfb_simplefb.c
-+++ b/drivers/firmware/sysfb_simplefb.c
-@@ -99,7 +99,7 @@ __init int sysfb_create_simplefb(const struct screen_info *si,
- 
- 	/* setup IORESOURCE_MEM as framebuffer memory */
- 	memset(&res, 0, sizeof(res));
-	res.flags = IORESOURCE_MEM | IORESOURCE_BUSY;
-+	res.flags = IORESOURCE_MEM;
- 	res.name = simplefb_resname;
- 	res.start = base;
- 	res.end = res.start + length - 1;
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 13 Sep 2023 08:26:47 +0300
+Subject: [PATCH] net: thunderbolt: Fix TCPv6 GSO checksum calculation
+
+Alex reported that running ssh over IPv6 does not work with
+Thunderbolt/USB4 networking driver. The reason for that is that driver
+should call skb_is_gso() before calling skb_is_gso_v6(), and it should
+not return false after calculates the checksum successfully. This probably
+was a copy paste error from the original driver where it was done properly.
+
+Reported-by: Alex Balcanquall <alex@alexbal.com>
+Fixes: e69b6c02b4c3 ("net: Add support for networking over Thunderbolt cable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ drivers/net/thunderbolt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
+index 990484776f2d..0c554a7a5ce4 100644
+--- a/drivers/net/thunderbolt.c
+++ b/drivers/net/thunderbolt.c
+@@ -1005,12 +1005,11 @@ static bool tbnet_xmit_csum_and_map(struct tbnet *net, struct sk_buff *skb,
+ 		*tucso = ~csum_tcpudp_magic(ip_hdr(skb)->saddr,
+ 					    ip_hdr(skb)->daddr, 0,
+ 					    ip_hdr(skb)->protocol, 0);
+-	} else if (skb_is_gso_v6(skb)) {
+	} else if (skb_is_gso(skb) && skb_is_gso_v6(skb)) {
+ 		tucso = dest + ((void *)&(tcp_hdr(skb)->check) - data);
+ 		*tucso = ~csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
+ 					  &ipv6_hdr(skb)->daddr, 0,
+ 					  IPPROTO_TCP, 0);
+-		return false;
+ 	} else if (protocol == htons(ETH_P_IPV6)) {
+ 		tucso = dest + skb_checksum_start_offset(skb) + skb->csum_offset;
+ 		*tucso = ~csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
@@ -1,63 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Zimmermann <tzimmermann@suse.de>
-Date: Tue, 25 Jan 2022 10:12:20 +0100
-Subject: [PATCH] drm/simpledrm: Request memory region in driver
-
-Requesting the framebuffer memory in simpledrm marks the memory
-range as busy. This used to be done by the firmware sysfb code,
-but the driver is the correct place.
-
-v2:
-	* use I/O memory if request_mem_region() fails (Jocelyn)
-
-Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
-Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
-Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- drivers/gpu/drm/tiny/simpledrm.c | 22 +++++++++++++++++-----
- 1 file changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/gpu/drm/tiny/simpledrm.c b/drivers/gpu/drm/tiny/simpledrm.c
-index 3e3f9ba1e885..806fdc3237b3 100644
--- a/drivers/gpu/drm/tiny/simpledrm.c
-+++ b/drivers/gpu/drm/tiny/simpledrm.c
-@@ -525,21 +525,33 @@ static int simpledrm_device_init_mm(struct simpledrm_device *sdev)
- {
- 	struct drm_device *dev = &sdev->dev;
- 	struct platform_device *pdev = sdev->pdev;
-	struct resource *mem;
-+	struct resource *res, *mem;
- 	void __iomem *screen_base;
- 	int ret;
- 
-	mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-	if (!mem)
-+	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-+	if (!res)
- 		return -EINVAL;
- 
-	ret = devm_aperture_acquire_from_firmware(dev, mem->start, resource_size(mem));
-+	ret = devm_aperture_acquire_from_firmware(dev, res->start, resource_size(res));
- 	if (ret) {
- 		drm_err(dev, "could not acquire memory range %pr: error %d\n",
-			mem, ret);
-+			res, ret);
- 		return ret;
- 	}
- 
-+	mem = devm_request_mem_region(&pdev->dev, res->start, resource_size(res),
-+				      sdev->dev.driver->name);
-+	if (!mem) {
-+		/*
-+		 * We cannot make this fatal. Sometimes this comes from magic
-+		 * spaces our resource handlers simply don't know about. Use
-+		 * the I/O-memory resource as-is and try to map that instead.
-+		 */
-+		drm_warn(dev, "could not acquire memory region %pr\n", res);
-+		mem = res;
-+	}
-+
- 	screen_base = devm_ioremap_wc(&pdev->dev, mem->start,
- 				      resource_size(mem));
- 	if (!screen_base)
@@ -0,0 +1,134 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Thu, 7 Sep 2023 16:02:30 +0300
+Subject: [PATCH] thunderbolt: Restart XDomain discovery handshake after
+ failure
+
+Alex reported that after rebooting the other host the peer-to-peer link
+does not come up anymore. The reason for this is that the host that was
+not rebooted tries to send the UUID request only 10 times according to
+the USB4 Inter-Domain spec and gives up if it does not get reply. Then
+when the other side is actually ready it cannot get the link established
+anymore. The USB4 Inter-Domain spec requires that the discovery protocol
+is restarted in that case so implement this now.
+
+Reported-by: Alex Balcanquall <alex@alexbal.com>
+Fixes: 8e1de7042596 ("thunderbolt: Add support for XDomain lane bonding")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ drivers/thunderbolt/xdomain.c | 58 +++++++++++++++++++++++++----------
+ 1 file changed, 41 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c
+index 3c51e47dd86b..0b17a4d4e9b9 100644
+--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
+@@ -704,6 +704,27 @@ static void update_property_block(struct tb_xdomain *xd)
+ 	mutex_unlock(&xdomain_lock);
+ }
+ 
+static void start_handshake(struct tb_xdomain *xd)
+{
+	xd->state = XDOMAIN_STATE_INIT;
+	queue_delayed_work(xd->tb->wq, &xd->state_work,
+			   msecs_to_jiffies(XDOMAIN_SHORT_TIMEOUT));
+}
+
+/* Can be called from state_work */
+static void __stop_handshake(struct tb_xdomain *xd)
+{
+	cancel_delayed_work_sync(&xd->properties_changed_work);
+	xd->properties_changed_retries = 0;
+	xd->state_retries = 0;
+}
+
+static void stop_handshake(struct tb_xdomain *xd)
+{
+	cancel_delayed_work_sync(&xd->state_work);
+	__stop_handshake(xd);
+}
+
+ static void tb_xdp_handle_request(struct work_struct *work)
+ {
+ 	struct xdomain_request_work *xw = container_of(work, typeof(*xw), work);
+@@ -766,6 +787,15 @@ static void tb_xdp_handle_request(struct work_struct *work)
+ 	case UUID_REQUEST:
+ 		tb_dbg(tb, "%llx: received XDomain UUID request\n", route);
+ 		ret = tb_xdp_uuid_response(ctl, route, sequence, uuid);
+		/*
+		 * If we've stopped the discovery with an error such as
+		 * timing out, we will restart the handshake now that we
+		 * received UUID request from the remote host.
+		 */
+		if (!ret && xd && xd->state == XDOMAIN_STATE_ERROR) {
+			dev_dbg(&xd->dev, "restarting handshake\n");
+			start_handshake(xd);
+		}
+ 		break;
+ 
+ 	case LINK_STATE_STATUS_REQUEST:
+@@ -1522,6 +1552,13 @@ static void tb_xdomain_queue_properties_changed(struct tb_xdomain *xd)
+ 			   msecs_to_jiffies(XDOMAIN_SHORT_TIMEOUT));
+ }
+ 
+static void tb_xdomain_failed(struct tb_xdomain *xd)
+{
+	xd->state = XDOMAIN_STATE_ERROR;
+	queue_delayed_work(xd->tb->wq, &xd->state_work,
+			   msecs_to_jiffies(XDOMAIN_DEFAULT_TIMEOUT));
+}
+
+ static void tb_xdomain_state_work(struct work_struct *work)
+ {
+ 	struct tb_xdomain *xd = container_of(work, typeof(*xd), state_work.work);
+@@ -1548,7 +1585,7 @@ static void tb_xdomain_state_work(struct work_struct *work)
+ 		if (ret) {
+ 			if (ret == -EAGAIN)
+ 				goto retry_state;
+-			xd->state = XDOMAIN_STATE_ERROR;
+			tb_xdomain_failed(xd);
+ 		} else {
+ 			tb_xdomain_queue_properties_changed(xd);
+ 			if (xd->bonding_possible)
+@@ -1613,7 +1650,7 @@ static void tb_xdomain_state_work(struct work_struct *work)
+ 		if (ret) {
+ 			if (ret == -EAGAIN)
+ 				goto retry_state;
+-			xd->state = XDOMAIN_STATE_ERROR;
+			tb_xdomain_failed(xd);
+ 		} else {
+ 			xd->state = XDOMAIN_STATE_ENUMERATED;
+ 		}
+@@ -1624,6 +1661,8 @@ static void tb_xdomain_state_work(struct work_struct *work)
+ 		break;
+ 
+ 	case XDOMAIN_STATE_ERROR:
+		dev_dbg(&xd->dev, "discovery failed, stopping handshake\n");
+		__stop_handshake(xd);
+ 		break;
+ 
+ 	default:
+@@ -1793,21 +1832,6 @@ static void tb_xdomain_release(struct device *dev)
+ 	kfree(xd);
+ }
+ 
+-static void start_handshake(struct tb_xdomain *xd)
+-{
+-	xd->state = XDOMAIN_STATE_INIT;
+-	queue_delayed_work(xd->tb->wq, &xd->state_work,
+-			   msecs_to_jiffies(XDOMAIN_SHORT_TIMEOUT));
+-}
+-
+-static void stop_handshake(struct tb_xdomain *xd)
+-{
+-	cancel_delayed_work_sync(&xd->properties_changed_work);
+-	cancel_delayed_work_sync(&xd->state_work);
+-	xd->properties_changed_retries = 0;
+-	xd->state_retries = 0;
+-}
+-
+ static int __maybe_unused tb_xdomain_suspend(struct device *dev)
+ {
+ 	stop_handshake(tb_to_xdomain(dev));
@@ -1,148 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Zimmermann <tzimmermann@suse.de>
-Date: Tue, 25 Jan 2022 10:12:21 +0100
-Subject: [PATCH] fbdev/simplefb: Request memory region in driver
-
-Requesting the framebuffer memory in simpledrm marks the memory
-range as busy. This used to be done by the firmware sysfb code,
-but the driver is the correct place.
-
-v2:
-	* store memory region in struct for later cleanup (Javier)
-
-Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
-Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- drivers/video/fbdev/simplefb.c | 65 +++++++++++++++++++++++-----------
- 1 file changed, 45 insertions(+), 20 deletions(-)
-
-diff --git a/drivers/video/fbdev/simplefb.c b/drivers/video/fbdev/simplefb.c
-index a2e3a4690025..8acfb12abfee 100644
--- a/drivers/video/fbdev/simplefb.c
-+++ b/drivers/video/fbdev/simplefb.c
-@@ -66,7 +66,21 @@ static int simplefb_setcolreg(u_int regno, u_int red, u_int green, u_int blue,
- 	return 0;
- }
- 
-struct simplefb_par;
-+struct simplefb_par {
-+	u32 palette[PSEUDO_PALETTE_SIZE];
-+	struct resource *mem;
-+#if defined CONFIG_OF && defined CONFIG_COMMON_CLK
-+	bool clks_enabled;
-+	unsigned int clk_count;
-+	struct clk **clks;
-+#endif
-+#if defined CONFIG_OF && defined CONFIG_REGULATOR
-+	bool regulators_enabled;
-+	u32 regulator_count;
-+	struct regulator **regulators;
-+#endif
-+};
-+
- static void simplefb_clocks_destroy(struct simplefb_par *par);
- static void simplefb_regulators_destroy(struct simplefb_par *par);
- 
-@@ -76,12 +90,18 @@ static void simplefb_regulators_destroy(struct simplefb_par *par);
-  */
- static void simplefb_destroy(struct fb_info *info)
- {
-+	struct simplefb_par *par = info->par;
-+	struct resource *mem = par->mem;
-+
- 	simplefb_regulators_destroy(info->par);
- 	simplefb_clocks_destroy(info->par);
- 	if (info->screen_base)
- 		iounmap(info->screen_base);
- 
- 	framebuffer_release(info);
-+
-+	if (mem)
-+		release_mem_region(mem->start, resource_size(mem));
- }
- 
- static const struct fb_ops simplefb_ops = {
-@@ -175,20 +195,6 @@ static int simplefb_parse_pd(struct platform_device *pdev,
- 	return 0;
- }
- 
-struct simplefb_par {
-	u32 palette[PSEUDO_PALETTE_SIZE];
-#if defined CONFIG_OF && defined CONFIG_COMMON_CLK
-	bool clks_enabled;
-	unsigned int clk_count;
-	struct clk **clks;
-#endif
-#if defined CONFIG_OF && defined CONFIG_REGULATOR
-	bool regulators_enabled;
-	u32 regulator_count;
-	struct regulator **regulators;
-#endif
-};
-
- #if defined CONFIG_OF && defined CONFIG_COMMON_CLK
- /*
-  * Clock handling code.
-@@ -411,7 +417,7 @@ static int simplefb_probe(struct platform_device *pdev)
- 	struct simplefb_params params;
- 	struct fb_info *info;
- 	struct simplefb_par *par;
-	struct resource *mem;
-+	struct resource *res, *mem;
- 
- 	/*
- 	 * Generic drivers must not be registered if a framebuffer exists.
-@@ -436,15 +442,28 @@ static int simplefb_probe(struct platform_device *pdev)
- 	if (ret)
- 		return ret;
- 
-	mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-	if (!mem) {
-+	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-+	if (!res) {
- 		dev_err(&pdev->dev, "No memory resource\n");
- 		return -EINVAL;
- 	}
- 
-+	mem = request_mem_region(res->start, resource_size(res), "simplefb");
-+	if (!mem) {
-+		/*
-+		 * We cannot make this fatal. Sometimes this comes from magic
-+		 * spaces our resource handlers simply don't know about. Use
-+		 * the I/O-memory resource as-is and try to map that instead.
-+		 */
-+		dev_warn(&pdev->dev, "simplefb: cannot reserve video memory at %pR\n", res);
-+		mem = res;
-+	}
-+
- 	info = framebuffer_alloc(sizeof(struct simplefb_par), &pdev->dev);
-	if (!info)
-		return -ENOMEM;
-+	if (!info) {
-+		ret = -ENOMEM;
-+		goto error_release_mem_region;
-+	}
- 	platform_set_drvdata(pdev, info);
- 
- 	par = info->par;
-@@ -501,6 +520,9 @@ static int simplefb_probe(struct platform_device *pdev)
- 			     info->var.xres, info->var.yres,
- 			     info->var.bits_per_pixel, info->fix.line_length);
- 
-+	if (mem != res)
-+		par->mem = mem; /* release in clean-up handler */
-+
- 	ret = register_framebuffer(info);
- 	if (ret < 0) {
- 		dev_err(&pdev->dev, "Unable to register simplefb: %d\n", ret);
-@@ -519,6 +541,9 @@ static int simplefb_probe(struct platform_device *pdev)
- 	iounmap(info->screen_base);
- error_fb_release:
- 	framebuffer_release(info);
-+error_release_mem_region:
-+	if (mem != res)
-+		release_mem_region(mem->start, resource_size(mem));
- 	return ret;
- }
- 
@@ -0,0 +1,72 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Sat, 7 Oct 2023 12:57:02 +0200
+Subject: [PATCH] x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix erratum #1485 on Zen4 parts where running with STIBP disabled can
+cause an #UD exception. The performance impact of the fix is negligible.
+
+Reported-by: René Rebe <rene@exactcode.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Tested-by: René Rebe <rene@exactcode.de>
+Cc: <stable@kernel.org>
+Link: https://lore.kernel.org/r/D99589F4-BC5D-430B-87B2-72C20370CF57@exactcode.com
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/include/asm/msr-index.h | 9 +++++++--
+ arch/x86/kernel/cpu/amd.c        | 8 ++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
+index ebbf80d8b8bd..a79b10e57757 100644
+--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
+@@ -630,12 +630,17 @@
+ /* AMD Last Branch Record MSRs */
+ #define MSR_AMD64_LBR_SELECT			0xc000010e
+ 
+-/* Fam 17h MSRs */
+-#define MSR_F17H_IRPERF			0xc00000e9
+/* Zen4 */
+#define MSR_ZEN4_BP_CFG			0xc001102e
+#define MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT 5
+ 
+/* Zen 2 */
+ #define MSR_ZEN2_SPECTRAL_CHICKEN	0xc00110e3
+ #define MSR_ZEN2_SPECTRAL_CHICKEN_BIT	BIT_ULL(1)
+ 
+/* Fam 17h MSRs */
+#define MSR_F17H_IRPERF			0xc00000e9
+
+ /* Fam 16h MSRs */
+ #define MSR_F16H_L2I_PERF_CTL		0xc0010230
+ #define MSR_F16H_L2I_PERF_CTR		0xc0010231
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index a608a2b78073..154e9c0c16bd 100644
+--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
+@@ -80,6 +80,10 @@ static const int amd_div0[] =
+ 	AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x00, 0x0, 0x2f, 0xf),
+ 			   AMD_MODEL_RANGE(0x17, 0x50, 0x0, 0x5f, 0xf));
+ 
+static const int amd_erratum_1485[] =
+	AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x19, 0x10, 0x0, 0x1f, 0xf),
+			   AMD_MODEL_RANGE(0x19, 0x60, 0x0, 0xaf, 0xf));
+
+ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
+ {
+ 	int osvw_id = *erratum++;
+@@ -1125,6 +1129,10 @@ static void init_amd(struct cpuinfo_x86 *c)
+ 		pr_notice_once("AMD Zen1 DIV0 bug detected. Disable SMT for full protection.\n");
+ 		setup_force_cpu_bug(X86_BUG_DIV0);
+ 	}
+
+	if (!cpu_has(c, X86_FEATURE_HYPERVISOR) &&
+	     cpu_has_amd_erratum(c, amd_erratum_1485))
+		msr_set_bit(MSR_ZEN4_BP_CFG, MSR_ZEN4_BP_CFG_SHARED_BTB_FIX_BIT);
+ }
+ 
+ #ifdef CONFIG_X86_32
@@ -1,81 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Olga Kornievskaia <kolga@netapp.com>
-Date: Wed, 16 Mar 2022 18:24:26 -0400
-Subject: [PATCH] NFSv4.1 provide mount option to toggle trunking discovery
-
-Introduce a new mount option -- trunkdiscovery,notrunkdiscovery -- to
-toggle whether or not the client will engage in actively discovery
-of trunking locations.
-
-v2 make notrunkdiscovery default
-
-Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
-Fixes: 1976b2b31462 ("NFSv4.1 query for fs_location attr on a new file system")
-Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
-(cherry picked from commit a43bf604446414103b7535f38e739b65601c4fb2)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- fs/nfs/client.c           | 3 ++-
- fs/nfs/fs_context.c       | 8 ++++++++
- include/linux/nfs_fs_sb.h | 1 +
- 3 files changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/fs/nfs/client.c b/fs/nfs/client.c
-index 090b16890e3d..f303e96ce165 100644
--- a/fs/nfs/client.c
-+++ b/fs/nfs/client.c
-@@ -861,7 +861,8 @@ int nfs_probe_fsinfo(struct nfs_server *server, struct nfs_fh *mntfh, struct nfs
- 	}
- 
- 	if (clp->rpc_ops->discover_trunking != NULL &&
-			(server->caps & NFS_CAP_FS_LOCATIONS)) {
-+			(server->caps & NFS_CAP_FS_LOCATIONS &&
-+			 (server->flags & NFS_MOUNT_TRUNK_DISCOVERY))) {
- 		error = clp->rpc_ops->discover_trunking(server, mntfh);
- 		if (error < 0)
- 			return error;
-diff --git a/fs/nfs/fs_context.c b/fs/nfs/fs_context.c
-index fb3cad38b149..0166370f088e 100644
--- a/fs/nfs/fs_context.c
-+++ b/fs/nfs/fs_context.c
-@@ -79,6 +79,7 @@ enum nfs_param {
- 	Opt_source,
- 	Opt_tcp,
- 	Opt_timeo,
-+	Opt_trunkdiscovery,
- 	Opt_udp,
- 	Opt_v,
- 	Opt_vers,
-@@ -179,6 +180,7 @@ static const struct fs_parameter_spec nfs_fs_parameters[] = {
- 	fsparam_string("source",	Opt_source),
- 	fsparam_flag  ("tcp",		Opt_tcp),
- 	fsparam_u32   ("timeo",		Opt_timeo),
-+	fsparam_flag_no("trunkdiscovery", Opt_trunkdiscovery),
- 	fsparam_flag  ("udp",		Opt_udp),
- 	fsparam_flag  ("v2",		Opt_v),
- 	fsparam_flag  ("v3",		Opt_v),
-@@ -528,6 +530,12 @@ static int nfs_fs_context_parse_param(struct fs_context *fc,
- 		else
- 			ctx->flags &= ~NFS_MOUNT_NOCTO;
- 		break;
-+	case Opt_trunkdiscovery:
-+		if (result.negated)
-+			ctx->flags &= ~NFS_MOUNT_TRUNK_DISCOVERY;
-+		else
-+			ctx->flags |= NFS_MOUNT_TRUNK_DISCOVERY;
-+		break;
- 	case Opt_ac:
- 		if (result.negated)
- 			ctx->flags |= NFS_MOUNT_NOAC;
-diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
-index da9ef0ab9b4b..5336e494703b 100644
--- a/include/linux/nfs_fs_sb.h
-+++ b/include/linux/nfs_fs_sb.h
-@@ -156,6 +156,7 @@ struct nfs_server {
- #define NFS_MOUNT_SOFTREVAL		0x800000
- #define NFS_MOUNT_WRITE_EAGER		0x01000000
- #define NFS_MOUNT_WRITE_WAIT		0x02000000
-+#define NFS_MOUNT_TRUNK_DISCOVERY	0x04000000
- 
- 	unsigned int		fattr_valid;	/* Valid attributes */
- 	unsigned int		caps;		/* server capabilities */
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stefan Sterz <s.sterz@proxmox.com>
+Date: Wed, 18 Oct 2023 10:45:45 +0200
+Subject: [PATCH] Revert "nSVM: Check for reserved encodings of TLB_CONTROL in
+ nested VMCB"
+
+This reverts commit 174a921b6975ef959dd82ee9e8844067a62e3ec1.
+
+Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
+---
+ arch/x86/kvm/svm/nested.c | 15 ---------------
+ 1 file changed, 15 deletions(-)
+
+diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
+index add65dd59756..61a6c0235519 100644
+--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
+@@ -242,18 +242,6 @@ static bool nested_svm_check_bitmap_pa(struct kvm_vcpu *vcpu, u64 pa, u32 size)
+ 	    kvm_vcpu_is_legal_gpa(vcpu, addr + size - 1);
+ }
+ 
+-static bool nested_svm_check_tlb_ctl(struct kvm_vcpu *vcpu, u8 tlb_ctl)
+-{
+-	/* Nested FLUSHBYASID is not supported yet.  */
+-	switch(tlb_ctl) {
+-		case TLB_CONTROL_DO_NOTHING:
+-		case TLB_CONTROL_FLUSH_ALL_ASID:
+-			return true;
+-		default:
+-			return false;
+-	}
+-}
+-
+ static bool __nested_vmcb_check_controls(struct kvm_vcpu *vcpu,
+ 					 struct vmcb_ctrl_area_cached *control)
+ {
+@@ -273,9 +261,6 @@ static bool __nested_vmcb_check_controls(struct kvm_vcpu *vcpu,
+ 					   IOPM_SIZE)))
+ 		return false;
+ 
+-	if (CC(!nested_svm_check_tlb_ctl(vcpu, control->tlb_ctl)))
+-		return false;
+-
+ 	return true;
+ }
+ 
@@ -1,69 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Marc Bevand <m@zorinaq.com>
-Date: Tue, 21 Dec 2021 15:31:12 -0800
-Subject: [PATCH] EDAC/amd64: Add PCI device IDs for family 19h model 50h
-
-Add the new family 19h model 50h PCI IDs (device 18h functions 0 and 6)
-to support Ryzen 5000 APUs ("Cezanne").
-
-Signed-off-by: Marc Bevand <m@zorinaq.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- drivers/edac/amd64_edac.c | 15 +++++++++++++++
- drivers/edac/amd64_edac.h |  3 +++
- 2 files changed, 18 insertions(+)
-
-diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c
-index c6c58f01067f..f8ef2edf8abf 100644
--- a/drivers/edac/amd64_edac.c
-+++ b/drivers/edac/amd64_edac.c
-@@ -2660,6 +2660,16 @@ static struct amd64_family_type family_types[] = {
- 			.dbam_to_cs		= f17_addr_mask_to_cs_size,
- 		}
- 	},
-+	[F19_M50H_CPUS] = {
-+		.ctl_name = "F19h_M50h",
-+		.f0_id = PCI_DEVICE_ID_AMD_19H_M50H_DF_F0,
-+		.f6_id = PCI_DEVICE_ID_AMD_19H_M50H_DF_F6,
-+		.max_mcs = 2,
-+		.ops = {
-+			.early_channel_count	= f17_early_channel_count,
-+			.dbam_to_cs		= f17_addr_mask_to_cs_size,
-+		}
-+	},
- };
- 
- /*
-@@ -3706,6 +3716,11 @@ static struct amd64_family_type *per_family_init(struct amd64_pvt *pvt)
- 			pvt->ops = &family_types[F17_M70H_CPUS].ops;
- 			fam_type->ctl_name = "F19h_M20h";
- 			break;
-+		} else if (pvt->model >= 0x50 && pvt->model <= 0x5f) {
-+			fam_type = &family_types[F19_M50H_CPUS];
-+			pvt->ops = &family_types[F19_M50H_CPUS].ops;
-+			fam_type->ctl_name = "F19h_M50h";
-+			break;
- 		} else if (pvt->model >= 0xa0 && pvt->model <= 0xaf) {
- 			fam_type = &family_types[F19_M10H_CPUS];
- 			pvt->ops = &family_types[F19_M10H_CPUS].ops;
-diff --git a/drivers/edac/amd64_edac.h b/drivers/edac/amd64_edac.h
-index 650cab401e21..352bda9803f6 100644
--- a/drivers/edac/amd64_edac.h
-+++ b/drivers/edac/amd64_edac.h
-@@ -128,6 +128,8 @@
- #define PCI_DEVICE_ID_AMD_19H_DF_F6	0x1656
- #define PCI_DEVICE_ID_AMD_19H_M10H_DF_F0 0x14ad
- #define PCI_DEVICE_ID_AMD_19H_M10H_DF_F6 0x14b3
-+#define PCI_DEVICE_ID_AMD_19H_M50H_DF_F0 0x166a
-+#define PCI_DEVICE_ID_AMD_19H_M50H_DF_F6 0x1670
- 
- /*
-  * Function 1 - Address Map
-@@ -301,6 +303,7 @@ enum amd_families {
- 	F17_M70H_CPUS,
- 	F19_CPUS,
- 	F19_M10H_CPUS,
-+	F19_M50H_CPUS,
- 	NUM_FAMILIES,
- };
- 
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 18 Oct 2023 12:41:04 -0700
+Subject: [PATCH] KVM: nSVM: Advertise support for flush-by-ASID
+
+Advertise support for FLUSHBYASID when nested SVM is enabled, as KVM can
+always emulate flushing TLB entries for a vmcb12 ASID, e.g. by running L2
+with a new, fresh ASID in vmcb02.  Some modern hypervisors, e.g. VMWare
+Workstation 17, require FLUSHBYASID support and will refuse to run if it's
+not present.
+
+Punt on proper support, as "Honor L1's request to flush an ASID on nested
+VMRUN" is one of the TODO items in the (incomplete) list of issues that
+need to be addressed in order for KVM to NOT do a full TLB flush on every
+nested SVM transition (see nested_svm_transition_tlb_flush()).
+
+Reported-by: Stefan Sterz <s.sterz@proxmox.com>
+Closes: https://lkml.kernel.org/r/b9915c9c-4cf6-051a-2d91-44cc6380f455%40proxmox.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
+---
+ arch/x86/kvm/svm/svm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
+index cf31babfbbb9..99a7e93b2edf 100644
+--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
+@@ -4920,6 +4920,7 @@ static __init void svm_set_cpu_caps(void)
+ 	if (nested) {
+ 		kvm_cpu_cap_set(X86_FEATURE_SVM);
+ 		kvm_cpu_cap_set(X86_FEATURE_VMCBCLEAN);
+		kvm_cpu_cap_set(X86_FEATURE_FLUSHBYASID);
+ 
+ 		if (nrips)
+ 			kvm_cpu_cap_set(X86_FEATURE_NRIPS);
@@ -1,53 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:49:59 +0300
-Subject: [PATCH] bug: introduce ASSERT_STRUCT_OFFSET
-
-ASSERT_STRUCT_OFFSET allows to assert during the build of
-the kernel that a field in a struct have an expected offset.
-
-KVM used to have such macro, but there is almost nothing KVM specific
-in it so move it to build_bug.h, so that it can be used in other
-places in KVM.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/vmx/vmcs12.h | 5 ++---
- include/linux/build_bug.h | 9 +++++++++
- 2 files changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx/vmcs12.h b/arch/x86/kvm/vmx/vmcs12.h
-index 2a45f026ee11..ba8617964982 100644
--- a/arch/x86/kvm/vmx/vmcs12.h
-+++ b/arch/x86/kvm/vmx/vmcs12.h
-@@ -208,9 +208,8 @@ struct __packed vmcs12 {
- /*
-  * For save/restore compatibility, the vmcs12 field offsets must not change.
-  */
-#define CHECK_OFFSET(field, loc)				\
-	BUILD_BUG_ON_MSG(offsetof(struct vmcs12, field) != (loc),	\
-		"Offset of " #field " in struct vmcs12 has changed.")
-+#define CHECK_OFFSET(field, loc) \
-+	ASSERT_STRUCT_OFFSET(struct vmcs12, field, loc)
- 
- static inline void vmx_check_vmcs12_offsets(void)
- {
-diff --git a/include/linux/build_bug.h b/include/linux/build_bug.h
-index e3a0be2c90ad..3aa3640f8c18 100644
--- a/include/linux/build_bug.h
-+++ b/include/linux/build_bug.h
-@@ -77,4 +77,13 @@
- #define static_assert(expr, ...) __static_assert(expr, ##__VA_ARGS__, #expr)
- #define __static_assert(expr, msg, ...) _Static_assert(expr, msg)
- 
-+
-+/*
-+ * Compile time check that field has an expected offset
-+ */
-+#define ASSERT_STRUCT_OFFSET(type, field, expected_offset)	\
-+	BUILD_BUG_ON_MSG(offsetof(type, field) != (expected_offset),	\
-+		"Offset of " #field " in " #type " has changed.")
-+
-+
- #endif	/* _LINUX_BUILD_BUG_H */
@@ -0,0 +1,164 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 27 Sep 2023 17:19:52 -0700
+Subject: [PATCH] x86/fpu: Allow caller to constrain xfeatures when copying to
+ uabi buffer
+
+Plumb an xfeatures mask into __copy_xstate_to_uabi_buf() so that KVM can
+constrain which xfeatures are saved into the userspace buffer without
+having to modify the user_xfeatures field in KVM's guest_fpu state.
+
+KVM's ABI for KVM_GET_XSAVE{2} is that features that are not exposed to
+guest must not show up in the effective xstate_bv field of the buffer.
+Saving only the guest-supported xfeatures allows userspace to load the
+saved state on a different host with a fewer xfeatures, so long as the
+target host supports the xfeatures that are exposed to the guest.
+
+KVM currently sets user_xfeatures directly to restrict KVM_GET_XSAVE{2} to
+the set of guest-supported xfeatures, but doing so broke KVM's historical
+ABI for KVM_SET_XSAVE, which allows userspace to load any xfeatures that
+are supported by the *host*.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20230928001956.924301-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 18164f66e6c59fda15c198b371fa008431efdb22)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/include/asm/fpu/api.h |  3 ++-
+ arch/x86/kernel/fpu/core.c     |  5 +++--
+ arch/x86/kernel/fpu/xstate.c   |  7 +++++--
+ arch/x86/kernel/fpu/xstate.h   |  3 ++-
+ arch/x86/kvm/x86.c             | 21 +++++++++------------
+ 5 files changed, 21 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h
+index b475d9a582b8..e829fa4c6788 100644
+--- a/arch/x86/include/asm/fpu/api.h
+++ b/arch/x86/include/asm/fpu/api.h
+@@ -148,7 +148,8 @@ static inline void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 xfd) {
+ static inline void fpu_sync_guest_vmexit_xfd_state(void) { }
+ #endif
+ 
+-extern void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *buf, unsigned int size, u32 pkru);
+extern void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *buf,
+					   unsigned int size, u64 xfeatures, u32 pkru);
+ extern int fpu_copy_uabi_to_guest_fpstate(struct fpu_guest *gfpu, const void *buf, u64 xcr0, u32 *vpkru);
+ 
+ static inline void fpstate_set_confidential(struct fpu_guest *gfpu)
+diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
+index a083f9ac9e4f..1d190761d00f 100644
+--- a/arch/x86/kernel/fpu/core.c
+++ b/arch/x86/kernel/fpu/core.c
+@@ -369,14 +369,15 @@ int fpu_swap_kvm_fpstate(struct fpu_guest *guest_fpu, bool enter_guest)
+ EXPORT_SYMBOL_GPL(fpu_swap_kvm_fpstate);
+ 
+ void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *buf,
+-				    unsigned int size, u32 pkru)
+				    unsigned int size, u64 xfeatures, u32 pkru)
+ {
+ 	struct fpstate *kstate = gfpu->fpstate;
+ 	union fpregs_state *ustate = buf;
+ 	struct membuf mb = { .p = buf, .left = size };
+ 
+ 	if (cpu_feature_enabled(X86_FEATURE_XSAVE)) {
+-		__copy_xstate_to_uabi_buf(mb, kstate, pkru, XSTATE_COPY_XSAVE);
+		__copy_xstate_to_uabi_buf(mb, kstate, xfeatures, pkru,
+					  XSTATE_COPY_XSAVE);
+ 	} else {
+ 		memcpy(&ustate->fxsave, &kstate->regs.fxsave,
+ 		       sizeof(ustate->fxsave));
+diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
+index 1afbc4866b10..463ec0cd0dab 100644
+--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
+@@ -1053,6 +1053,7 @@ static void copy_feature(bool from_xstate, struct membuf *to, void *xstate,
+  * __copy_xstate_to_uabi_buf - Copy kernel saved xstate to a UABI buffer
+  * @to:		membuf descriptor
+  * @fpstate:	The fpstate buffer from which to copy
+ * @xfeatures:	The mask of xfeatures to save (XSAVE mode only)
+  * @pkru_val:	The PKRU value to store in the PKRU component
+  * @copy_mode:	The requested copy mode
+  *
+@@ -1063,7 +1064,8 @@ static void copy_feature(bool from_xstate, struct membuf *to, void *xstate,
+  * It supports partial copy but @to.pos always starts from zero.
+  */
+ void __copy_xstate_to_uabi_buf(struct membuf to, struct fpstate *fpstate,
+-			       u32 pkru_val, enum xstate_copy_mode copy_mode)
+			       u64 xfeatures, u32 pkru_val,
+			       enum xstate_copy_mode copy_mode)
+ {
+ 	const unsigned int off_mxcsr = offsetof(struct fxregs_state, mxcsr);
+ 	struct xregs_state *xinit = &init_fpstate.regs.xsave;
+@@ -1087,7 +1089,7 @@ void __copy_xstate_to_uabi_buf(struct membuf to, struct fpstate *fpstate,
+ 		break;
+ 
+ 	case XSTATE_COPY_XSAVE:
+-		header.xfeatures &= fpstate->user_xfeatures;
+		header.xfeatures &= fpstate->user_xfeatures & xfeatures;
+ 		break;
+ 	}
+ 
+@@ -1189,6 +1191,7 @@ void copy_xstate_to_uabi_buf(struct membuf to, struct task_struct *tsk,
+ 			     enum xstate_copy_mode copy_mode)
+ {
+ 	__copy_xstate_to_uabi_buf(to, tsk->thread.fpu.fpstate,
+				  tsk->thread.fpu.fpstate->user_xfeatures,
+ 				  tsk->thread.pkru, copy_mode);
+ }
+ 
+diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h
+index a4ecb04d8d64..3518fb26d06b 100644
+--- a/arch/x86/kernel/fpu/xstate.h
+++ b/arch/x86/kernel/fpu/xstate.h
+@@ -43,7 +43,8 @@ enum xstate_copy_mode {
+ 
+ struct membuf;
+ extern void __copy_xstate_to_uabi_buf(struct membuf to, struct fpstate *fpstate,
+-				      u32 pkru_val, enum xstate_copy_mode copy_mode);
+				      u64 xfeatures, u32 pkru_val,
+				      enum xstate_copy_mode copy_mode);
+ extern void copy_xstate_to_uabi_buf(struct membuf to, struct task_struct *tsk,
+ 				    enum xstate_copy_mode mode);
+ extern int copy_uabi_from_kernel_to_xstate(struct fpstate *fpstate, const void *kbuf, u32 *pkru);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index ff92ff41d5ce..a43a950d04cb 100644
+--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
+@@ -5314,26 +5314,23 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
+ 	return 0;
+ }
+ 
+-static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
+-					 struct kvm_xsave *guest_xsave)
+
+static void kvm_vcpu_ioctl_x86_get_xsave2(struct kvm_vcpu *vcpu,
+					  u8 *state, unsigned int size)
+ {
+ 	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
+ 		return;
+ 
+-	fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu,
+-				       guest_xsave->region,
+-				       sizeof(guest_xsave->region),
+	fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu, state, size,
+				       vcpu->arch.guest_fpu.fpstate->user_xfeatures,
+ 				       vcpu->arch.pkru);
+ }
+ 
+-static void kvm_vcpu_ioctl_x86_get_xsave2(struct kvm_vcpu *vcpu,
+-					  u8 *state, unsigned int size)
+static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
+					 struct kvm_xsave *guest_xsave)
+ {
+-	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
+-		return;
+-
+-	fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu,
+-				       state, size, vcpu->arch.pkru);
+	return kvm_vcpu_ioctl_x86_get_xsave2(vcpu, (void *)guest_xsave->region,
+					     sizeof(guest_xsave->region));
+ }
+ 
+ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
@@ -0,0 +1,119 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 27 Sep 2023 17:19:53 -0700
+Subject: [PATCH] KVM: x86: Constrain guest-supported xfeatures only at
+ KVM_GET_XSAVE{2}
+
+Mask off xfeatures that aren't exposed to the guest only when saving guest
+state via KVM_GET_XSAVE{2} instead of modifying user_xfeatures directly.
+Preserving the maximal set of xfeatures in user_xfeatures restores KVM's
+ABI for KVM_SET_XSAVE, which prior to commit ad856280ddea ("x86/kvm/fpu:
+Limit guest user_xfeatures to supported bits of XCR0") allowed userspace
+to load xfeatures that are supported by the host, irrespective of what
+xfeatures are exposed to the guest.
+
+There is no known use case where userspace *intentionally* loads xfeatures
+that aren't exposed to the guest, but the bug fixed by commit ad856280ddea
+was specifically that KVM_GET_SAVE{2} would save xfeatures that weren't
+exposed to the guest, e.g. would lead to userspace unintentionally loading
+guest-unsupported xfeatures when live migrating a VM.
+
+Restricting KVM_SET_XSAVE to guest-supported xfeatures is especially
+problematic for QEMU-based setups, as QEMU has a bug where instead of
+terminating the VM if KVM_SET_XSAVE fails, QEMU instead simply stops
+loading guest state, i.e. resumes the guest after live migration with
+incomplete guest state, and ultimately results in guest data corruption.
+
+Note, letting userspace restore all host-supported xfeatures does not fix
+setups where a VM is migrated from a host *without* commit ad856280ddea,
+to a target with a subset of host-supported xfeatures.  However there is
+no way to safely address that scenario, e.g. KVM could silently drop the
+unsupported features, but that would be a clear violation of KVM's ABI and
+so would require userspace to opt-in, at which point userspace could
+simply be updated to sanitize the to-be-loaded XSAVE state.
+
+Reported-by: Tyler Stachecki <stachecki.tyler@gmail.com>
+Closes: https://lore.kernel.org/all/20230914010003.358162-1-tstachecki@bloomberg.net
+Fixes: ad856280ddea ("x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0")
+Cc: stable@vger.kernel.org
+Cc: Leonardo Bras <leobras@redhat.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Message-Id: <20230928001956.924301-3-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 8647c52e9504c99752a39f1d44f6268f82c40a5c)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kernel/fpu/xstate.c |  5 +----
+ arch/x86/kvm/cpuid.c         |  8 --------
+ arch/x86/kvm/x86.c           | 18 ++++++++++++++++--
+ 3 files changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
+index 463ec0cd0dab..ebe698f8af73 100644
+--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
+@@ -1543,10 +1543,7 @@ static int fpstate_realloc(u64 xfeatures, unsigned int ksize,
+ 		fpregs_restore_userregs();
+ 
+ 	newfps->xfeatures = curfps->xfeatures | xfeatures;
+-
+-	if (!guest_fpu)
+-		newfps->user_xfeatures = curfps->user_xfeatures | xfeatures;
+-
+	newfps->user_xfeatures = curfps->user_xfeatures | xfeatures;
+ 	newfps->xfd = curfps->xfd & ~xfeatures;
+ 
+ 	/* Do the final updates within the locked region */
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index 61aefeb3fdbc..e5393ee652ba 100644
+--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
+@@ -350,14 +350,6 @@ static void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu)
+ 	vcpu->arch.guest_supported_xcr0 =
+ 		cpuid_get_supported_xcr0(vcpu->arch.cpuid_entries, vcpu->arch.cpuid_nent);
+ 
+-	/*
+-	 * FP+SSE can always be saved/restored via KVM_{G,S}ET_XSAVE, even if
+-	 * XSAVE/XCRO are not exposed to the guest, and even if XSAVE isn't
+-	 * supported by the host.
+-	 */
+-	vcpu->arch.guest_fpu.fpstate->user_xfeatures = vcpu->arch.guest_supported_xcr0 |
+-						       XFEATURE_MASK_FPSSE;
+-
+ 	kvm_update_pv_runtime(vcpu);
+ 
+ 	vcpu->arch.maxphyaddr = cpuid_query_maxphyaddr(vcpu);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index a43a950d04cb..a4a44adf7c72 100644
+--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
+@@ -5318,12 +5318,26 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
+ static void kvm_vcpu_ioctl_x86_get_xsave2(struct kvm_vcpu *vcpu,
+ 					  u8 *state, unsigned int size)
+ {
+	/*
+	 * Only copy state for features that are enabled for the guest.  The
+	 * state itself isn't problematic, but setting bits in the header for
+	 * features that are supported in *this* host but not exposed to the
+	 * guest can result in KVM_SET_XSAVE failing when live migrating to a
+	 * compatible host without the features that are NOT exposed to the
+	 * guest.
+	 *
+	 * FP+SSE can always be saved/restored via KVM_{G,S}ET_XSAVE, even if
+	 * XSAVE/XCRO are not exposed to the guest, and even if XSAVE isn't
+	 * supported by the host.
+	 */
+	u64 supported_xcr0 = vcpu->arch.guest_supported_xcr0 |
+			     XFEATURE_MASK_FPSSE;
+
+ 	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
+ 		return;
+ 
+ 	fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu, state, size,
+-				       vcpu->arch.guest_fpu.fpstate->user_xfeatures,
+-				       vcpu->arch.pkru);
+				       supported_xcr0, vcpu->arch.pkru);
+ }
+ 
+ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
@@ -1,31 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:00 +0300
-Subject: [PATCH] KVM: x86: emulator: em_sysexit should update ctxt->mode
-
-This is one of the instructions that can change the
-processor mode.
-
-Note that this is likely a benign bug, because the only problematic
-mode change is from 32 bit to 64 bit which can lead to truncation of RIP,
-and it is not possible to do with sysexit,
-since sysexit running in 32 bit mode will be limited to 32 bit version.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/emulate.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 318a78379ca6..35b12692739c 100644
--- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2862,6 +2862,7 @@ static int em_sysexit(struct x86_emulate_ctxt *ctxt)
- 	ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
- 
- 	ctxt->_eip = rdx;
-+	ctxt->mode = usermode;
- 	*reg_write(ctxt, VCPU_REGS_RSP) = rcx;
- 
- 	return X86EMUL_CONTINUE;
@@ -1,158 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:01 +0300
-Subject: [PATCH] KVM: x86: emulator: introduce emulator_recalc_and_set_mode
-
-Some instructions update the cpu execution mode, which needs
-to update the emulation mode.
-
-Extract this code, and make assign_eip_far use it.
-
-assign_eip_far now reads CS, instead of getting it via a parameter,
-which is ok, because callers always assign CS to the
-same value before calling it.
-
-No functional change is intended.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/emulate.c | 85 ++++++++++++++++++++++++++++--------------
- 1 file changed, 57 insertions(+), 28 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 35b12692739c..6a597d68d456 100644
--- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -795,8 +795,7 @@ static int linearize(struct x86_emulate_ctxt *ctxt,
- 			   ctxt->mode, linear);
- }
- 
-static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
-			     enum x86emul_mode mode)
-+static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst)
- {
- 	ulong linear;
- 	int rc;
-@@ -806,41 +805,71 @@ static inline int assign_eip(struct x86_emulate_ctxt *ctxt, ulong dst,
- 
- 	if (ctxt->op_bytes != sizeof(unsigned long))
- 		addr.ea = dst & ((1UL << (ctxt->op_bytes << 3)) - 1);
-	rc = __linearize(ctxt, addr, &max_size, 1, false, true, mode, &linear);
-+	rc = __linearize(ctxt, addr, &max_size, 1, false, true, ctxt->mode, &linear);
- 	if (rc == X86EMUL_CONTINUE)
- 		ctxt->_eip = addr.ea;
- 	return rc;
- }
- 
-+static inline int emulator_recalc_and_set_mode(struct x86_emulate_ctxt *ctxt)
-+{
-+	u64 efer;
-+	struct desc_struct cs;
-+	u16 selector;
-+	u32 base3;
-+
-+	ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
-+
-+	if (!ctxt->ops->get_cr(ctxt, 0) & X86_CR0_PE) {
-+		/* Real mode. cpu must not have long mode active */
-+		if (efer & EFER_LMA)
-+			return X86EMUL_UNHANDLEABLE;
-+		ctxt->mode = X86EMUL_MODE_REAL;
-+		return X86EMUL_CONTINUE;
-+	}
-+
-+	if (ctxt->eflags & X86_EFLAGS_VM) {
-+		/* Protected/VM86 mode. cpu must not have long mode active */
-+		if (efer & EFER_LMA)
-+			return X86EMUL_UNHANDLEABLE;
-+		ctxt->mode = X86EMUL_MODE_VM86;
-+		return X86EMUL_CONTINUE;
-+	}
-+
-+	if (!ctxt->ops->get_segment(ctxt, &selector, &cs, &base3, VCPU_SREG_CS))
-+		return X86EMUL_UNHANDLEABLE;
-+
-+	if (efer & EFER_LMA) {
-+		if (cs.l) {
-+			/* Proper long mode */
-+			ctxt->mode = X86EMUL_MODE_PROT64;
-+		} else if (cs.d) {
-+			/* 32 bit compatibility mode*/
-+			ctxt->mode = X86EMUL_MODE_PROT32;
-+		} else {
-+			ctxt->mode = X86EMUL_MODE_PROT16;
-+		}
-+	} else {
-+		/* Legacy 32 bit / 16 bit mode */
-+		ctxt->mode = cs.d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
-+	}
-+
-+	return X86EMUL_CONTINUE;
-+}
-+
- static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
- {
-	return assign_eip(ctxt, dst, ctxt->mode);
-+	return assign_eip(ctxt, dst);
- }
- 
-static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
-			  const struct desc_struct *cs_desc)
-+static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst)
- {
-	enum x86emul_mode mode = ctxt->mode;
-	int rc;
-+	int rc = emulator_recalc_and_set_mode(ctxt);
- 
-#ifdef CONFIG_X86_64
-	if (ctxt->mode >= X86EMUL_MODE_PROT16) {
-		if (cs_desc->l) {
-			u64 efer = 0;
-+	if (rc != X86EMUL_CONTINUE)
-+		return rc;
- 
-			ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
-			if (efer & EFER_LMA)
-				mode = X86EMUL_MODE_PROT64;
-		} else
-			mode = X86EMUL_MODE_PROT32; /* temporary value */
-	}
-#endif
-	if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
-		mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
-	rc = assign_eip(ctxt, dst, mode);
-	if (rc == X86EMUL_CONTINUE)
-		ctxt->mode = mode;
-	return rc;
-+	return assign_eip(ctxt, dst);
- }
- 
- static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
-@@ -2154,7 +2183,7 @@ static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
- 	if (rc != X86EMUL_CONTINUE)
- 		return rc;
- 
-	rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
-+	rc = assign_eip_far(ctxt, ctxt->src.val);
- 	/* Error handling is not implemented. */
- 	if (rc != X86EMUL_CONTINUE)
- 		return X86EMUL_UNHANDLEABLE;
-@@ -2235,7 +2264,7 @@ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
- 				       &new_desc);
- 	if (rc != X86EMUL_CONTINUE)
- 		return rc;
-	rc = assign_eip_far(ctxt, eip, &new_desc);
-+	rc = assign_eip_far(ctxt, eip);
- 	/* Error handling is not implemented. */
- 	if (rc != X86EMUL_CONTINUE)
- 		return X86EMUL_UNHANDLEABLE;
-@@ -3459,7 +3488,7 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt)
- 	if (rc != X86EMUL_CONTINUE)
- 		return rc;
- 
-	rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
-+	rc = assign_eip_far(ctxt, ctxt->src.val);
- 	if (rc != X86EMUL_CONTINUE)
- 		goto fail;
- 
@@ -1,34 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:02 +0300
-Subject: [PATCH] KVM: x86: emulator: update the emulation mode after rsm
-
-This ensures that RIP will be correctly written back,
-because the RSM instruction can switch the CPU mode from
-32 bit (or less) to 64 bit.
-
-This fixes a guest crash in case the #SMI is received
-while the guest runs a code from an address > 32 bit.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/emulate.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 6a597d68d456..49697d589f87 100644
--- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2639,6 +2639,11 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt)
- 	if (ret != X86EMUL_CONTINUE)
- 		goto emulate_shutdown;
- 
-+
-+	ret = emulator_recalc_and_set_mode(ctxt);
-+	if (ret != X86EMUL_CONTINUE)
-+		goto emulate_shutdown;
-+
- 	/*
- 	 * Note, the ctxt->ops callbacks are responsible for handling side
- 	 * effects when writing MSRs and CRs, e.g. MMU context resets, CPUID
@@ -1,49 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:03 +0300
-Subject: [PATCH] KVM: x86: emulator: update the emulation mode after CR0 write
-
-CR0.PE toggles real/protected mode, thus its update
-should update the emulation mode.
-
-This is likely a benign bug because there is no writeback
-of state, other than the RIP increment, and when toggling
-CR0.PE, the CPU has to execute code from a very low memory address.
-
-Also CR0.PG toggle when EFER.LMA is set, toggles the long mode.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/emulate.c | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 49697d589f87..89f035fc52e7 100644
--- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -3635,11 +3635,23 @@ static int em_movbe(struct x86_emulate_ctxt *ctxt)
- 
- static int em_cr_write(struct x86_emulate_ctxt *ctxt)
- {
-	if (ctxt->ops->set_cr(ctxt, ctxt->modrm_reg, ctxt->src.val))
-+	int cr_num = ctxt->modrm_reg;
-+	int r;
-+
-+	if (ctxt->ops->set_cr(ctxt, cr_num, ctxt->src.val))
- 		return emulate_gp(ctxt, 0);
- 
- 	/* Disable writeback. */
- 	ctxt->dst.type = OP_NONE;
-+
-+	if (cr_num == 0) {
-+		/* CR0 write might have updated CR0.PE and/or CR0.PG
-+		 * which can affect the cpu execution mode */
-+		r = emulator_recalc_and_set_mode(ctxt);
-+		if (r != X86EMUL_CONTINUE)
-+			return r;
-+	}
-+
- 	return X86EMUL_CONTINUE;
- }
- 
@@ -1,280 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:05 +0300
-Subject: [PATCH] KVM: x86: emulator/smm: add structs for KVM's smram layout
-
-Those structs will be used to read/write the smram state image.
-
-Also document the differences between KVM's SMRAM layout and SMRAM
-layout that is used by real Intel/AMD cpus.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/emulate.c     |   6 +
- arch/x86/kvm/kvm_emulate.h | 218 +++++++++++++++++++++++++++++++++++++
- arch/x86/kvm/x86.c         |   1 +
- 3 files changed, 225 insertions(+)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 89f035fc52e7..bfaf5d24bf1e 100644
--- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -5825,3 +5825,9 @@ bool emulator_can_use_gpa(struct x86_emulate_ctxt *ctxt)
- 
- 	return true;
- }
-+
-+void  __init kvm_emulator_init(void)
-+{
-+	__check_smram32_offsets();
-+	__check_smram64_offsets();
-+}
-diff --git a/arch/x86/kvm/kvm_emulate.h b/arch/x86/kvm/kvm_emulate.h
-index fb09cd22cb7f..0b2bbcce321a 100644
--- a/arch/x86/kvm/kvm_emulate.h
-+++ b/arch/x86/kvm/kvm_emulate.h
-@@ -13,6 +13,7 @@
- #define _ASM_X86_KVM_X86_EMULATE_H
- 
- #include <asm/desc_defs.h>
-+#include <linux/build_bug.h>
- #include "fpu.h"
- 
- struct x86_emulate_ctxt;
-@@ -482,6 +483,223 @@ enum x86_intercept {
- 	nr_x86_intercepts
- };
- 
-+
-+/* 32 bit KVM's emulated SMM layout. Loosely based on Intel's layout */
-+
-+struct kvm_smm_seg_state_32 {
-+	u32 flags;
-+	u32 limit;
-+	u32 base;
-+} __packed;
-+
-+struct kvm_smram_state_32 {
-+	u32 reserved1[62];
-+	u32 smbase;
-+	u32 smm_revision;
-+	u32 reserved2[5];
-+	u32 cr4; /* CR4 is not present in Intel/AMD SMRAM image */
-+	u32 reserved3[5];
-+
-+	/*
-+	 * Segment state is not present/documented in the Intel/AMD SMRAM image
-+	 * Instead this area on Intel/AMD contains IO/HLT restart flags.
-+	 */
-+	struct kvm_smm_seg_state_32 ds;
-+	struct kvm_smm_seg_state_32 fs;
-+	struct kvm_smm_seg_state_32 gs;
-+	struct kvm_smm_seg_state_32 idtr; /* IDTR has only base and limit */
-+	struct kvm_smm_seg_state_32 tr;
-+	u32 reserved;
-+	struct kvm_smm_seg_state_32 gdtr; /* GDTR has only base and limit */
-+	struct kvm_smm_seg_state_32 ldtr;
-+	struct kvm_smm_seg_state_32 es;
-+	struct kvm_smm_seg_state_32 cs;
-+	struct kvm_smm_seg_state_32 ss;
-+
-+	u32 es_sel;
-+	u32 cs_sel;
-+	u32 ss_sel;
-+	u32 ds_sel;
-+	u32 fs_sel;
-+	u32 gs_sel;
-+	u32 ldtr_sel;
-+	u32 tr_sel;
-+
-+	u32 dr7;
-+	u32 dr6;
-+	u32 gprs[8]; /* GPRS in the "natural" X86 order (EAX/ECX/EDX.../EDI) */
-+	u32 eip;
-+	u32 eflags;
-+	u32 cr3;
-+	u32 cr0;
-+} __packed;
-+
-+
-+static inline void __check_smram32_offsets(void)
-+{
-+#define __CHECK_SMRAM32_OFFSET(field, offset) \
-+	ASSERT_STRUCT_OFFSET(struct kvm_smram_state_32, field, offset - 0xFE00)
-+
-+	__CHECK_SMRAM32_OFFSET(reserved1,	0xFE00);
-+	__CHECK_SMRAM32_OFFSET(smbase,		0xFEF8);
-+	__CHECK_SMRAM32_OFFSET(smm_revision,	0xFEFC);
-+	__CHECK_SMRAM32_OFFSET(reserved2,	0xFF00);
-+	__CHECK_SMRAM32_OFFSET(cr4,		0xFF14);
-+	__CHECK_SMRAM32_OFFSET(reserved3,	0xFF18);
-+	__CHECK_SMRAM32_OFFSET(ds,		0xFF2C);
-+	__CHECK_SMRAM32_OFFSET(fs,		0xFF38);
-+	__CHECK_SMRAM32_OFFSET(gs,		0xFF44);
-+	__CHECK_SMRAM32_OFFSET(idtr,		0xFF50);
-+	__CHECK_SMRAM32_OFFSET(tr,		0xFF5C);
-+	__CHECK_SMRAM32_OFFSET(gdtr,		0xFF6C);
-+	__CHECK_SMRAM32_OFFSET(ldtr,		0xFF78);
-+	__CHECK_SMRAM32_OFFSET(es,		0xFF84);
-+	__CHECK_SMRAM32_OFFSET(cs,		0xFF90);
-+	__CHECK_SMRAM32_OFFSET(ss,		0xFF9C);
-+	__CHECK_SMRAM32_OFFSET(es_sel,		0xFFA8);
-+	__CHECK_SMRAM32_OFFSET(cs_sel,		0xFFAC);
-+	__CHECK_SMRAM32_OFFSET(ss_sel,		0xFFB0);
-+	__CHECK_SMRAM32_OFFSET(ds_sel,		0xFFB4);
-+	__CHECK_SMRAM32_OFFSET(fs_sel,		0xFFB8);
-+	__CHECK_SMRAM32_OFFSET(gs_sel,		0xFFBC);
-+	__CHECK_SMRAM32_OFFSET(ldtr_sel,	0xFFC0);
-+	__CHECK_SMRAM32_OFFSET(tr_sel,		0xFFC4);
-+	__CHECK_SMRAM32_OFFSET(dr7,		0xFFC8);
-+	__CHECK_SMRAM32_OFFSET(dr6,		0xFFCC);
-+	__CHECK_SMRAM32_OFFSET(gprs,		0xFFD0);
-+	__CHECK_SMRAM32_OFFSET(eip,		0xFFF0);
-+	__CHECK_SMRAM32_OFFSET(eflags,		0xFFF4);
-+	__CHECK_SMRAM32_OFFSET(cr3,		0xFFF8);
-+	__CHECK_SMRAM32_OFFSET(cr0,		0xFFFC);
-+#undef __CHECK_SMRAM32_OFFSET
-+}
-+
-+
-+/* 64 bit KVM's emulated SMM layout. Based on AMD64 layout */
-+
-+struct kvm_smm_seg_state_64 {
-+	u16 selector;
-+	u16 attributes;
-+	u32 limit;
-+	u64 base;
-+};
-+
-+struct kvm_smram_state_64 {
-+
-+	struct kvm_smm_seg_state_64 es;
-+	struct kvm_smm_seg_state_64 cs;
-+	struct kvm_smm_seg_state_64 ss;
-+	struct kvm_smm_seg_state_64 ds;
-+	struct kvm_smm_seg_state_64 fs;
-+	struct kvm_smm_seg_state_64 gs;
-+	struct kvm_smm_seg_state_64 gdtr; /* GDTR has only base and limit*/
-+	struct kvm_smm_seg_state_64 ldtr;
-+	struct kvm_smm_seg_state_64 idtr; /* IDTR has only base and limit*/
-+	struct kvm_smm_seg_state_64 tr;
-+
-+	/* I/O restart and auto halt restart are not implemented by KVM */
-+	u64 io_restart_rip;
-+	u64 io_restart_rcx;
-+	u64 io_restart_rsi;
-+	u64 io_restart_rdi;
-+	u32 io_restart_dword;
-+	u32 reserved1;
-+	u8 io_inst_restart;
-+	u8 auto_hlt_restart;
-+	u8 reserved2[6];
-+
-+	u64 efer;
-+
-+	/*
-+	 * Two fields below are implemented on AMD only, to store
-+	 * SVM guest vmcb address if the #SMI was received while in the guest mode.
-+	 */
-+	u64 svm_guest_flag;
-+	u64 svm_guest_vmcb_gpa;
-+	u64 svm_guest_virtual_int; /* unknown purpose, not implemented */
-+
-+	u32 reserved3[3];
-+	u32 smm_revison;
-+	u32 smbase;
-+	u32 reserved4[5];
-+
-+	/* ssp and svm_* fields below are not implemented by KVM */
-+	u64 ssp;
-+	u64 svm_guest_pat;
-+	u64 svm_host_efer;
-+	u64 svm_host_cr4;
-+	u64 svm_host_cr3;
-+	u64 svm_host_cr0;
-+
-+	u64 cr4;
-+	u64 cr3;
-+	u64 cr0;
-+	u64 dr7;
-+	u64 dr6;
-+	u64 rflags;
-+	u64 rip;
-+	u64 gprs[16]; /* GPRS in a reversed "natural" X86 order (R15/R14/../RCX/RAX.) */
-+};
-+
-+
-+static inline void __check_smram64_offsets(void)
-+{
-+#define __CHECK_SMRAM64_OFFSET(field, offset) \
-+	ASSERT_STRUCT_OFFSET(struct kvm_smram_state_64, field, offset - 0xFE00)
-+
-+	__CHECK_SMRAM64_OFFSET(es,			0xFE00);
-+	__CHECK_SMRAM64_OFFSET(cs,			0xFE10);
-+	__CHECK_SMRAM64_OFFSET(ss,			0xFE20);
-+	__CHECK_SMRAM64_OFFSET(ds,			0xFE30);
-+	__CHECK_SMRAM64_OFFSET(fs,			0xFE40);
-+	__CHECK_SMRAM64_OFFSET(gs,			0xFE50);
-+	__CHECK_SMRAM64_OFFSET(gdtr,			0xFE60);
-+	__CHECK_SMRAM64_OFFSET(ldtr,			0xFE70);
-+	__CHECK_SMRAM64_OFFSET(idtr,			0xFE80);
-+	__CHECK_SMRAM64_OFFSET(tr,			0xFE90);
-+	__CHECK_SMRAM64_OFFSET(io_restart_rip,		0xFEA0);
-+	__CHECK_SMRAM64_OFFSET(io_restart_rcx,		0xFEA8);
-+	__CHECK_SMRAM64_OFFSET(io_restart_rsi,		0xFEB0);
-+	__CHECK_SMRAM64_OFFSET(io_restart_rdi,		0xFEB8);
-+	__CHECK_SMRAM64_OFFSET(io_restart_dword,	0xFEC0);
-+	__CHECK_SMRAM64_OFFSET(reserved1,		0xFEC4);
-+	__CHECK_SMRAM64_OFFSET(io_inst_restart,		0xFEC8);
-+	__CHECK_SMRAM64_OFFSET(auto_hlt_restart,	0xFEC9);
-+	__CHECK_SMRAM64_OFFSET(reserved2,		0xFECA);
-+	__CHECK_SMRAM64_OFFSET(efer,			0xFED0);
-+	__CHECK_SMRAM64_OFFSET(svm_guest_flag,		0xFED8);
-+	__CHECK_SMRAM64_OFFSET(svm_guest_vmcb_gpa,	0xFEE0);
-+	__CHECK_SMRAM64_OFFSET(svm_guest_virtual_int,	0xFEE8);
-+	__CHECK_SMRAM64_OFFSET(reserved3,		0xFEF0);
-+	__CHECK_SMRAM64_OFFSET(smm_revison,		0xFEFC);
-+	__CHECK_SMRAM64_OFFSET(smbase,			0xFF00);
-+	__CHECK_SMRAM64_OFFSET(reserved4,		0xFF04);
-+	__CHECK_SMRAM64_OFFSET(ssp,			0xFF18);
-+	__CHECK_SMRAM64_OFFSET(svm_guest_pat,		0xFF20);
-+	__CHECK_SMRAM64_OFFSET(svm_host_efer,		0xFF28);
-+	__CHECK_SMRAM64_OFFSET(svm_host_cr4,		0xFF30);
-+	__CHECK_SMRAM64_OFFSET(svm_host_cr3,		0xFF38);
-+	__CHECK_SMRAM64_OFFSET(svm_host_cr0,		0xFF40);
-+	__CHECK_SMRAM64_OFFSET(cr4,			0xFF48);
-+	__CHECK_SMRAM64_OFFSET(cr3,			0xFF50);
-+	__CHECK_SMRAM64_OFFSET(cr0,			0xFF58);
-+	__CHECK_SMRAM64_OFFSET(dr7,			0xFF60);
-+	__CHECK_SMRAM64_OFFSET(dr6,			0xFF68);
-+	__CHECK_SMRAM64_OFFSET(rflags,			0xFF70);
-+	__CHECK_SMRAM64_OFFSET(rip,			0xFF78);
-+	__CHECK_SMRAM64_OFFSET(gprs,			0xFF80);
-+#undef __CHECK_SMRAM64_OFFSET
-+}
-+
-+union kvm_smram {
-+	struct kvm_smram_state_64 smram64;
-+	struct kvm_smram_state_32 smram32;
-+	u8 bytes[512];
-+};
-+
-+void  __init kvm_emulator_init(void);
-+
-+
- /* Host execution mode. */
- #if defined(CONFIG_X86_32)
- #define X86EMUL_MODE_HOST X86EMUL_MODE_PROT32
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 604716996c5d..673262228f3e 100644
--- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -12449,6 +12449,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_vmgexit_msr_protocol_exit);
- static int __init kvm_x86_init(void)
- {
- 	kvm_mmu_x86_module_init();
-+	kvm_emulator_init();
- 	return 0;
- }
- module_init(kvm_x86_init);
@@ -1,214 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:06 +0300
-Subject: [PATCH] KVM: x86: emulator/smm: use smram structs in the common code
-
-Switch from using a raw array to 'union kvm_smram'.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/include/asm/kvm_host.h |  5 +++--
- arch/x86/kvm/emulate.c          | 12 +++++++-----
- arch/x86/kvm/kvm_emulate.h      |  3 ++-
- arch/x86/kvm/svm/svm.c          |  8 ++++++--
- arch/x86/kvm/vmx/vmx.c          |  4 ++--
- arch/x86/kvm/x86.c              | 16 ++++++++--------
- 6 files changed, 28 insertions(+), 20 deletions(-)
-
-diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index 867febee8fc3..fb48dd8773e1 100644
--- a/arch/x86/include/asm/kvm_host.h
-+++ b/arch/x86/include/asm/kvm_host.h
-@@ -200,6 +200,7 @@ typedef enum exit_fastpath_completion fastpath_t;
- 
- struct x86_emulate_ctxt;
- struct x86_exception;
-+union kvm_smram;
- enum x86_intercept;
- enum x86_intercept_stage;
- 
-@@ -1463,8 +1464,8 @@ struct kvm_x86_ops {
- 	void (*setup_mce)(struct kvm_vcpu *vcpu);
- 
- 	int (*smi_allowed)(struct kvm_vcpu *vcpu, bool for_injection);
-	int (*enter_smm)(struct kvm_vcpu *vcpu, char *smstate);
-	int (*leave_smm)(struct kvm_vcpu *vcpu, const char *smstate);
-+	int (*enter_smm)(struct kvm_vcpu *vcpu, union kvm_smram *smram);
-+	int (*leave_smm)(struct kvm_vcpu *vcpu, const union kvm_smram *smram);
- 	void (*enable_smi_window)(struct kvm_vcpu *vcpu);
- 
- 	int (*mem_enc_op)(struct kvm *kvm, void __user *argp);
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index bfaf5d24bf1e..730c3e2662d6 100644
--- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2567,16 +2567,18 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt,
- static int em_rsm(struct x86_emulate_ctxt *ctxt)
- {
- 	unsigned long cr0, cr4, efer;
-	char buf[512];
-+	const union kvm_smram smram;
- 	u64 smbase;
- 	int ret;
- 
-+	BUILD_BUG_ON(sizeof(smram) != 512);
-+
- 	if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_MASK) == 0)
- 		return emulate_ud(ctxt);
- 
- 	smbase = ctxt->ops->get_smbase(ctxt);
- 
-	ret = ctxt->ops->read_phys(ctxt, smbase + 0xfe00, buf, sizeof(buf));
-+	ret = ctxt->ops->read_phys(ctxt, smbase + 0xfe00, (void *)&smram, sizeof(smram));
- 	if (ret != X86EMUL_CONTINUE)
- 		return X86EMUL_UNHANDLEABLE;
- 
-@@ -2626,15 +2628,15 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt)
- 	 * state (e.g. enter guest mode) before loading state from the SMM
- 	 * state-save area.
- 	 */
-	if (ctxt->ops->leave_smm(ctxt, buf))
-+	if (ctxt->ops->leave_smm(ctxt, &smram))
- 		goto emulate_shutdown;
- 
- #ifdef CONFIG_X86_64
- 	if (emulator_has_longmode(ctxt))
-		ret = rsm_load_state_64(ctxt, buf);
-+		ret = rsm_load_state_64(ctxt, (const char *)&smram);
- 	else
- #endif
-		ret = rsm_load_state_32(ctxt, buf);
-+		ret = rsm_load_state_32(ctxt, (const char *)&smram);
- 
- 	if (ret != X86EMUL_CONTINUE)
- 		goto emulate_shutdown;
-diff --git a/arch/x86/kvm/kvm_emulate.h b/arch/x86/kvm/kvm_emulate.h
-index 0b2bbcce321a..3b37b3e17379 100644
--- a/arch/x86/kvm/kvm_emulate.h
-+++ b/arch/x86/kvm/kvm_emulate.h
-@@ -19,6 +19,7 @@
- struct x86_emulate_ctxt;
- enum x86_intercept;
- enum x86_intercept_stage;
-+union kvm_smram;
- 
- struct x86_exception {
- 	u8 vector;
-@@ -233,7 +234,7 @@ struct x86_emulate_ops {
- 
- 	unsigned (*get_hflags)(struct x86_emulate_ctxt *ctxt);
- 	void (*exiting_smm)(struct x86_emulate_ctxt *ctxt);
-	int (*leave_smm)(struct x86_emulate_ctxt *ctxt, const char *smstate);
-+	int (*leave_smm)(struct x86_emulate_ctxt *ctxt, const union kvm_smram *smram);
- 	void (*triple_fault)(struct x86_emulate_ctxt *ctxt);
- 	int (*set_xcr)(struct x86_emulate_ctxt *ctxt, u32 index, u64 xcr);
- };
-diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
-index 21f747eacc9a..d903120811b9 100644
--- a/arch/x86/kvm/svm/svm.c
-+++ b/arch/x86/kvm/svm/svm.c
-@@ -4302,12 +4302,14 @@ static int svm_smi_allowed(struct kvm_vcpu *vcpu, bool for_injection)
- 	return !svm_smi_blocked(vcpu);
- }
- 
-static int svm_enter_smm(struct kvm_vcpu *vcpu, char *smstate)
-+static int svm_enter_smm(struct kvm_vcpu *vcpu, union kvm_smram *smram)
- {
- 	struct vcpu_svm *svm = to_svm(vcpu);
- 	struct kvm_host_map map_save;
- 	int ret;
- 
-+	char *smstate = (char *)smram;
-+
- 	if (!is_guest_mode(vcpu))
- 		return 0;
- 
-@@ -4349,7 +4351,7 @@ static int svm_enter_smm(struct kvm_vcpu *vcpu, char *smstate)
- 	return 0;
- }
- 
-static int svm_leave_smm(struct kvm_vcpu *vcpu, const char *smstate)
-+static int svm_leave_smm(struct kvm_vcpu *vcpu, const union kvm_smram *smram)
- {
- 	struct vcpu_svm *svm = to_svm(vcpu);
- 	struct kvm_host_map map, map_save;
-@@ -4357,6 +4359,8 @@ static int svm_leave_smm(struct kvm_vcpu *vcpu, const char *smstate)
- 	struct vmcb *vmcb12;
- 	int ret;
- 
-+	const char *smstate = (const char *)smram;
-+
- 	if (!guest_cpuid_has(vcpu, X86_FEATURE_LM))
- 		return 0;
- 
-diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
-index 417176817d80..a45a43bcc844 100644
--- a/arch/x86/kvm/vmx/vmx.c
-+++ b/arch/x86/kvm/vmx/vmx.c
-@@ -7594,7 +7594,7 @@ static int vmx_smi_allowed(struct kvm_vcpu *vcpu, bool for_injection)
- 	return !is_smm(vcpu);
- }
- 
-static int vmx_enter_smm(struct kvm_vcpu *vcpu, char *smstate)
-+static int vmx_enter_smm(struct kvm_vcpu *vcpu, union kvm_smram *smram)
- {
- 	struct vcpu_vmx *vmx = to_vmx(vcpu);
- 
-@@ -7608,7 +7608,7 @@ static int vmx_enter_smm(struct kvm_vcpu *vcpu, char *smstate)
- 	return 0;
- }
- 
-static int vmx_leave_smm(struct kvm_vcpu *vcpu, const char *smstate)
-+static int vmx_leave_smm(struct kvm_vcpu *vcpu, const union kvm_smram *smram)
- {
- 	struct vcpu_vmx *vmx = to_vmx(vcpu);
- 	int ret;
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 673262228f3e..37edf00584f8 100644
--- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -7312,9 +7312,9 @@ static void emulator_exiting_smm(struct x86_emulate_ctxt *ctxt)
- }
- 
- static int emulator_leave_smm(struct x86_emulate_ctxt *ctxt,
-				  const char *smstate)
-+			      const union kvm_smram *smram)
- {
-	return static_call(kvm_x86_leave_smm)(emul_to_vcpu(ctxt), smstate);
-+	return static_call(kvm_x86_leave_smm)(emul_to_vcpu(ctxt), smram);
- }
- 
- static void emulator_triple_fault(struct x86_emulate_ctxt *ctxt)
-@@ -9171,25 +9171,25 @@ static void enter_smm(struct kvm_vcpu *vcpu)
- 	struct kvm_segment cs, ds;
- 	struct desc_ptr dt;
- 	unsigned long cr0;
-	char buf[512];
-+	union kvm_smram smram;
- 
-	memset(buf, 0, 512);
-+	memset(smram.bytes, 0, sizeof(smram.bytes));
- #ifdef CONFIG_X86_64
- 	if (guest_cpuid_has(vcpu, X86_FEATURE_LM))
-		enter_smm_save_state_64(vcpu, buf);
-+		enter_smm_save_state_64(vcpu, (char *)&smram);
- 	else
- #endif
-		enter_smm_save_state_32(vcpu, buf);
-+		enter_smm_save_state_32(vcpu, (char *)&smram);
- 
- 	/*
- 	 * Give enter_smm() a chance to make ISA-specific changes to the vCPU
- 	 * state (e.g. leave guest mode) after we've saved the state into the
- 	 * SMM state-save area.
- 	 */
-	static_call(kvm_x86_enter_smm)(vcpu, buf);
-+	static_call(kvm_x86_enter_smm)(vcpu, &smram);
- 
- 	kvm_smm_changed(vcpu, true);
-	kvm_vcpu_write_guest(vcpu, vcpu->arch.smbase + 0xfe00, buf, sizeof(buf));
-+	kvm_vcpu_write_guest(vcpu, vcpu->arch.smbase + 0xfe00, &smram, sizeof(smram));
- 
- 	if (static_call(kvm_x86_get_nmi_mask)(vcpu))
- 		vcpu->arch.hflags |= HF_SMM_INSIDE_NMI_MASK;
@@ -1,268 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:07 +0300
-Subject: [PATCH] KVM: x86: emulator/smm: use smram struct for 32 bit smram
- load/restore
-
-Use kvm_smram_state_32 struct to save/restore 32 bit SMM state
-(used when X86_FEATURE_LM is not present in the guest CPUID).
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/emulate.c | 81 +++++++++++++++---------------------------
- arch/x86/kvm/x86.c     | 75 +++++++++++++++++---------------------
- 2 files changed, 60 insertions(+), 96 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 730c3e2662d6..ad5d2ab9ab84 100644
--- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2344,25 +2344,17 @@ static void rsm_set_desc_flags(struct desc_struct *desc, u32 flags)
- 	desc->type = (flags >>  8) & 15;
- }
- 
-static int rsm_load_seg_32(struct x86_emulate_ctxt *ctxt, const char *smstate,
-+static void rsm_load_seg_32(struct x86_emulate_ctxt *ctxt,
-+			   const struct kvm_smm_seg_state_32 *state,
-+			   u16 selector,
- 			   int n)
- {
- 	struct desc_struct desc;
-	int offset;
-	u16 selector;
-
-	selector = GET_SMSTATE(u32, smstate, 0x7fa8 + n * 4);
-
-	if (n < 3)
-		offset = 0x7f84 + n * 12;
-	else
-		offset = 0x7f2c + (n - 3) * 12;
- 
-	set_desc_base(&desc,      GET_SMSTATE(u32, smstate, offset + 8));
-	set_desc_limit(&desc,     GET_SMSTATE(u32, smstate, offset + 4));
-	rsm_set_desc_flags(&desc, GET_SMSTATE(u32, smstate, offset));
-+	set_desc_base(&desc,      state->base);
-+	set_desc_limit(&desc,     state->limit);
-+	rsm_set_desc_flags(&desc, state->flags);
- 	ctxt->ops->set_segment(ctxt, selector, &desc, 0, n);
-	return X86EMUL_CONTINUE;
- }
- 
- #ifdef CONFIG_X86_64
-@@ -2433,63 +2425,46 @@ static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
- }
- 
- static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt,
-			     const char *smstate)
-+			     const struct kvm_smram_state_32 *smstate)
- {
-	struct desc_struct desc;
- 	struct desc_ptr dt;
-	u16 selector;
-	u32 val, cr0, cr3, cr4;
- 	int i;
- 
-	cr0 =                      GET_SMSTATE(u32, smstate, 0x7ffc);
-	cr3 =                      GET_SMSTATE(u32, smstate, 0x7ff8);
-	ctxt->eflags =             GET_SMSTATE(u32, smstate, 0x7ff4) | X86_EFLAGS_FIXED;
-	ctxt->_eip =               GET_SMSTATE(u32, smstate, 0x7ff0);
-+	ctxt->eflags =  smstate->eflags | X86_EFLAGS_FIXED;
-+	ctxt->_eip =  smstate->eip;
- 
- 	for (i = 0; i < 8; i++)
-		*reg_write(ctxt, i) = GET_SMSTATE(u32, smstate, 0x7fd0 + i * 4);
-
-	val = GET_SMSTATE(u32, smstate, 0x7fcc);
-+		*reg_write(ctxt, i) = smstate->gprs[i];
- 
-	if (ctxt->ops->set_dr(ctxt, 6, val))
-+	if (ctxt->ops->set_dr(ctxt, 6, smstate->dr6))
- 		return X86EMUL_UNHANDLEABLE;
-
-	val = GET_SMSTATE(u32, smstate, 0x7fc8);
-
-	if (ctxt->ops->set_dr(ctxt, 7, val))
-+	if (ctxt->ops->set_dr(ctxt, 7, smstate->dr7))
- 		return X86EMUL_UNHANDLEABLE;
- 
-	selector =                 GET_SMSTATE(u32, smstate, 0x7fc4);
-	set_desc_base(&desc,       GET_SMSTATE(u32, smstate, 0x7f64));
-	set_desc_limit(&desc,      GET_SMSTATE(u32, smstate, 0x7f60));
-	rsm_set_desc_flags(&desc,  GET_SMSTATE(u32, smstate, 0x7f5c));
-	ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_TR);
-+	rsm_load_seg_32(ctxt, &smstate->tr, smstate->tr_sel, VCPU_SREG_TR);
-+	rsm_load_seg_32(ctxt, &smstate->ldtr, smstate->ldtr_sel, VCPU_SREG_LDTR);
- 
-	selector =                 GET_SMSTATE(u32, smstate, 0x7fc0);
-	set_desc_base(&desc,       GET_SMSTATE(u32, smstate, 0x7f80));
-	set_desc_limit(&desc,      GET_SMSTATE(u32, smstate, 0x7f7c));
-	rsm_set_desc_flags(&desc,  GET_SMSTATE(u32, smstate, 0x7f78));
-	ctxt->ops->set_segment(ctxt, selector, &desc, 0, VCPU_SREG_LDTR);
- 
-	dt.address =               GET_SMSTATE(u32, smstate, 0x7f74);
-	dt.size =                  GET_SMSTATE(u32, smstate, 0x7f70);
-+	dt.address =               smstate->gdtr.base;
-+	dt.size =                  smstate->gdtr.limit;
- 	ctxt->ops->set_gdt(ctxt, &dt);
- 
-	dt.address =               GET_SMSTATE(u32, smstate, 0x7f58);
-	dt.size =                  GET_SMSTATE(u32, smstate, 0x7f54);
-+	dt.address =               smstate->idtr.base;
-+	dt.size =                  smstate->idtr.limit;
- 	ctxt->ops->set_idt(ctxt, &dt);
- 
-	for (i = 0; i < 6; i++) {
-		int r = rsm_load_seg_32(ctxt, smstate, i);
-		if (r != X86EMUL_CONTINUE)
-			return r;
-	}
-+	rsm_load_seg_32(ctxt, &smstate->es, smstate->es_sel, VCPU_SREG_ES);
-+	rsm_load_seg_32(ctxt, &smstate->cs, smstate->cs_sel, VCPU_SREG_CS);
-+	rsm_load_seg_32(ctxt, &smstate->ss, smstate->ss_sel, VCPU_SREG_SS);
- 
-	cr4 = GET_SMSTATE(u32, smstate, 0x7f14);
-+	rsm_load_seg_32(ctxt, &smstate->ds, smstate->ds_sel, VCPU_SREG_DS);
-+	rsm_load_seg_32(ctxt, &smstate->fs, smstate->fs_sel, VCPU_SREG_FS);
-+	rsm_load_seg_32(ctxt, &smstate->gs, smstate->gs_sel, VCPU_SREG_GS);
- 
-	ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smstate, 0x7ef8));
-+	ctxt->ops->set_smbase(ctxt, smstate->smbase);
- 
-	return rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
-+	return rsm_enter_protected_mode(ctxt, smstate->cr0,
-+					smstate->cr3, smstate->cr4);
- }
- 
- #ifdef CONFIG_X86_64
-@@ -2636,7 +2611,7 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt)
- 		ret = rsm_load_state_64(ctxt, (const char *)&smram);
- 	else
- #endif
-		ret = rsm_load_state_32(ctxt, (const char *)&smram);
-+		ret = rsm_load_state_32(ctxt, &smram.smram32);
- 
- 	if (ret != X86EMUL_CONTINUE)
- 		goto emulate_shutdown;
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 37edf00584f8..11e62b1f1764 100644
--- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -9025,22 +9025,18 @@ static u32 enter_smm_get_segment_flags(struct kvm_segment *seg)
- 	return flags;
- }
- 
-static void enter_smm_save_seg_32(struct kvm_vcpu *vcpu, char *buf, int n)
-+static void enter_smm_save_seg_32(struct kvm_vcpu *vcpu,
-+					 struct kvm_smm_seg_state_32 *state,
-+					 u32 *selector,
-+					 int n)
- {
- 	struct kvm_segment seg;
-	int offset;
- 
- 	kvm_get_segment(vcpu, &seg, n);
-	put_smstate(u32, buf, 0x7fa8 + n * 4, seg.selector);
-
-	if (n < 3)
-		offset = 0x7f84 + n * 12;
-	else
-		offset = 0x7f2c + (n - 3) * 12;
-
-	put_smstate(u32, buf, offset + 8, seg.base);
-	put_smstate(u32, buf, offset + 4, seg.limit);
-	put_smstate(u32, buf, offset, enter_smm_get_segment_flags(&seg));
-+	*selector = seg.selector;
-+	state->base = seg.base;
-+	state->limit = seg.limit;
-+	state->flags = enter_smm_get_segment_flags(&seg);
- }
- 
- #ifdef CONFIG_X86_64
-@@ -9061,54 +9057,47 @@ static void enter_smm_save_seg_64(struct kvm_vcpu *vcpu, char *buf, int n)
- }
- #endif
- 
-static void enter_smm_save_state_32(struct kvm_vcpu *vcpu, char *buf)
-+static void enter_smm_save_state_32(struct kvm_vcpu *vcpu, struct kvm_smram_state_32 *smram)
- {
- 	struct desc_ptr dt;
-	struct kvm_segment seg;
- 	unsigned long val;
- 	int i;
- 
-	put_smstate(u32, buf, 0x7ffc, kvm_read_cr0(vcpu));
-	put_smstate(u32, buf, 0x7ff8, kvm_read_cr3(vcpu));
-	put_smstate(u32, buf, 0x7ff4, kvm_get_rflags(vcpu));
-	put_smstate(u32, buf, 0x7ff0, kvm_rip_read(vcpu));
-+	smram->cr0     = kvm_read_cr0(vcpu);
-+	smram->cr3     = kvm_read_cr3(vcpu);
-+	smram->eflags  = kvm_get_rflags(vcpu);
-+	smram->eip     = kvm_rip_read(vcpu);
- 
- 	for (i = 0; i < 8; i++)
-		put_smstate(u32, buf, 0x7fd0 + i * 4, kvm_register_read_raw(vcpu, i));
-+		smram->gprs[i] = kvm_register_read_raw(vcpu, i);
- 
- 	kvm_get_dr(vcpu, 6, &val);
-	put_smstate(u32, buf, 0x7fcc, (u32)val);
-+	smram->dr6     = (u32)val;
- 	kvm_get_dr(vcpu, 7, &val);
-	put_smstate(u32, buf, 0x7fc8, (u32)val);
-+	smram->dr7     = (u32)val;
- 
-	kvm_get_segment(vcpu, &seg, VCPU_SREG_TR);
-	put_smstate(u32, buf, 0x7fc4, seg.selector);
-	put_smstate(u32, buf, 0x7f64, seg.base);
-	put_smstate(u32, buf, 0x7f60, seg.limit);
-	put_smstate(u32, buf, 0x7f5c, enter_smm_get_segment_flags(&seg));
-
-	kvm_get_segment(vcpu, &seg, VCPU_SREG_LDTR);
-	put_smstate(u32, buf, 0x7fc0, seg.selector);
-	put_smstate(u32, buf, 0x7f80, seg.base);
-	put_smstate(u32, buf, 0x7f7c, seg.limit);
-	put_smstate(u32, buf, 0x7f78, enter_smm_get_segment_flags(&seg));
-+	enter_smm_save_seg_32(vcpu, &smram->tr, &smram->tr_sel, VCPU_SREG_TR);
-+	enter_smm_save_seg_32(vcpu, &smram->ldtr, &smram->ldtr_sel, VCPU_SREG_LDTR);
- 
- 	static_call(kvm_x86_get_gdt)(vcpu, &dt);
-	put_smstate(u32, buf, 0x7f74, dt.address);
-	put_smstate(u32, buf, 0x7f70, dt.size);
-+	smram->gdtr.base = dt.address;
-+	smram->gdtr.limit = dt.size;
- 
- 	static_call(kvm_x86_get_idt)(vcpu, &dt);
-	put_smstate(u32, buf, 0x7f58, dt.address);
-	put_smstate(u32, buf, 0x7f54, dt.size);
-+	smram->idtr.base = dt.address;
-+	smram->idtr.limit = dt.size;
- 
-	for (i = 0; i < 6; i++)
-		enter_smm_save_seg_32(vcpu, buf, i);
-+	enter_smm_save_seg_32(vcpu, &smram->es, &smram->es_sel, VCPU_SREG_ES);
-+	enter_smm_save_seg_32(vcpu, &smram->cs, &smram->cs_sel, VCPU_SREG_CS);
-+	enter_smm_save_seg_32(vcpu, &smram->ss, &smram->ss_sel, VCPU_SREG_SS);
- 
-	put_smstate(u32, buf, 0x7f14, kvm_read_cr4(vcpu));
-+	enter_smm_save_seg_32(vcpu, &smram->ds, &smram->ds_sel, VCPU_SREG_DS);
-+	enter_smm_save_seg_32(vcpu, &smram->fs, &smram->fs_sel, VCPU_SREG_FS);
-+	enter_smm_save_seg_32(vcpu, &smram->gs, &smram->gs_sel, VCPU_SREG_GS);
- 
-	/* revision id */
-	put_smstate(u32, buf, 0x7efc, 0x00020000);
-	put_smstate(u32, buf, 0x7ef8, vcpu->arch.smbase);
-+	smram->cr4 = kvm_read_cr4(vcpu);
-+	smram->smm_revision = 0x00020000;
-+	smram->smbase = vcpu->arch.smbase;
- }
- 
- #ifdef CONFIG_X86_64
-@@ -9179,7 +9168,7 @@ static void enter_smm(struct kvm_vcpu *vcpu)
- 		enter_smm_save_state_64(vcpu, (char *)&smram);
- 	else
- #endif
-		enter_smm_save_state_32(vcpu, (char *)&smram);
-+		enter_smm_save_state_32(vcpu, &smram.smram32);
- 
- 	/*
- 	 * Give enter_smm() a chance to make ISA-specific changes to the vCPU
@@ -1,279 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:08 +0300
-Subject: [PATCH] KVM: x86: emulator/smm: use smram struct for 64 bit smram
- load/restore
-
-Use kvm_smram_state_64 struct to save/restore the 64 bit SMM state
-(used when X86_FEATURE_LM is present in the guest CPUID,
-regardless of 32-bitness of the guest).
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/emulate.c | 88 ++++++++++++++----------------------------
- arch/x86/kvm/x86.c     | 75 ++++++++++++++++-------------------
- 2 files changed, 62 insertions(+), 101 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index ad5d2ab9ab84..4eb35a0a33a5 100644
--- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2358,24 +2358,16 @@ static void rsm_load_seg_32(struct x86_emulate_ctxt *ctxt,
- }
- 
- #ifdef CONFIG_X86_64
-static int rsm_load_seg_64(struct x86_emulate_ctxt *ctxt, const char *smstate,
-			   int n)
-+static void rsm_load_seg_64(struct x86_emulate_ctxt *ctxt,
-+			    const struct kvm_smm_seg_state_64 *state,
-+			    int n)
- {
- 	struct desc_struct desc;
-	int offset;
-	u16 selector;
-	u32 base3;
-
-	offset = 0x7e00 + n * 16;
-
-	selector =                GET_SMSTATE(u16, smstate, offset);
-	rsm_set_desc_flags(&desc, GET_SMSTATE(u16, smstate, offset + 2) << 8);
-	set_desc_limit(&desc,     GET_SMSTATE(u32, smstate, offset + 4));
-	set_desc_base(&desc,      GET_SMSTATE(u32, smstate, offset + 8));
-	base3 =                   GET_SMSTATE(u32, smstate, offset + 12);
- 
-	ctxt->ops->set_segment(ctxt, selector, &desc, base3, n);
-	return X86EMUL_CONTINUE;
-+	rsm_set_desc_flags(&desc, state->attributes << 8);
-+	set_desc_limit(&desc,     state->limit);
-+	set_desc_base(&desc,      (u32)state->base);
-+	ctxt->ops->set_segment(ctxt, state->selector, &desc, state->base >> 32, n);
- }
- #endif
- 
-@@ -2469,71 +2461,49 @@ static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt,
- 
- #ifdef CONFIG_X86_64
- static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt,
-			     const char *smstate)
-+			     const struct kvm_smram_state_64 *smstate)
- {
-	struct desc_struct desc;
- 	struct desc_ptr dt;
-	u64 val, cr0, cr3, cr4;
-	u32 base3;
-	u16 selector;
- 	int i, r;
- 
- 	for (i = 0; i < 16; i++)
-		*reg_write(ctxt, i) = GET_SMSTATE(u64, smstate, 0x7ff8 - i * 8);
-+		*reg_write(ctxt, i) = smstate->gprs[15 - i];
- 
-	ctxt->_eip   = GET_SMSTATE(u64, smstate, 0x7f78);
-	ctxt->eflags = GET_SMSTATE(u32, smstate, 0x7f70) | X86_EFLAGS_FIXED;
-+	ctxt->_eip   = smstate->rip;
-+	ctxt->eflags = smstate->rflags | X86_EFLAGS_FIXED;
- 
-	val = GET_SMSTATE(u64, smstate, 0x7f68);
-
-	if (ctxt->ops->set_dr(ctxt, 6, val))
-+	if (ctxt->ops->set_dr(ctxt, 6, smstate->dr6))
- 		return X86EMUL_UNHANDLEABLE;
-
-	val = GET_SMSTATE(u64, smstate, 0x7f60);
-
-	if (ctxt->ops->set_dr(ctxt, 7, val))
-+	if (ctxt->ops->set_dr(ctxt, 7, smstate->dr7))
- 		return X86EMUL_UNHANDLEABLE;
- 
-	cr0 =                       GET_SMSTATE(u64, smstate, 0x7f58);
-	cr3 =                       GET_SMSTATE(u64, smstate, 0x7f50);
-	cr4 =                       GET_SMSTATE(u64, smstate, 0x7f48);
-	ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smstate, 0x7f00));
-	val =                       GET_SMSTATE(u64, smstate, 0x7ed0);
-+	ctxt->ops->set_smbase(ctxt, smstate->smbase);
- 
-	if (ctxt->ops->set_msr(ctxt, MSR_EFER, val & ~EFER_LMA))
-+	if (ctxt->ops->set_msr(ctxt, MSR_EFER, smstate->efer & ~EFER_LMA))
- 		return X86EMUL_UNHANDLEABLE;
- 
-	selector =                  GET_SMSTATE(u32, smstate, 0x7e90);
-	rsm_set_desc_flags(&desc,   GET_SMSTATE(u32, smstate, 0x7e92) << 8);
-	set_desc_limit(&desc,       GET_SMSTATE(u32, smstate, 0x7e94));
-	set_desc_base(&desc,        GET_SMSTATE(u32, smstate, 0x7e98));
-	base3 =                     GET_SMSTATE(u32, smstate, 0x7e9c);
-	ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_TR);
-+	rsm_load_seg_64(ctxt, &smstate->tr, VCPU_SREG_TR);
- 
-	dt.size =                   GET_SMSTATE(u32, smstate, 0x7e84);
-	dt.address =                GET_SMSTATE(u64, smstate, 0x7e88);
-+	dt.size =                   smstate->idtr.limit;
-+	dt.address =                smstate->idtr.base;
- 	ctxt->ops->set_idt(ctxt, &dt);
- 
-	selector =                  GET_SMSTATE(u32, smstate, 0x7e70);
-	rsm_set_desc_flags(&desc,   GET_SMSTATE(u32, smstate, 0x7e72) << 8);
-	set_desc_limit(&desc,       GET_SMSTATE(u32, smstate, 0x7e74));
-	set_desc_base(&desc,        GET_SMSTATE(u32, smstate, 0x7e78));
-	base3 =                     GET_SMSTATE(u32, smstate, 0x7e7c);
-	ctxt->ops->set_segment(ctxt, selector, &desc, base3, VCPU_SREG_LDTR);
-+	rsm_load_seg_64(ctxt, &smstate->ldtr, VCPU_SREG_LDTR);
- 
-	dt.size =                   GET_SMSTATE(u32, smstate, 0x7e64);
-	dt.address =                GET_SMSTATE(u64, smstate, 0x7e68);
-+	dt.size =                   smstate->gdtr.limit;
-+	dt.address =                smstate->gdtr.base;
- 	ctxt->ops->set_gdt(ctxt, &dt);
- 
-	r = rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
-+	r = rsm_enter_protected_mode(ctxt, smstate->cr0, smstate->cr3, smstate->cr4);
- 	if (r != X86EMUL_CONTINUE)
- 		return r;
- 
-	for (i = 0; i < 6; i++) {
-		r = rsm_load_seg_64(ctxt, smstate, i);
-		if (r != X86EMUL_CONTINUE)
-			return r;
-	}
-+	rsm_load_seg_64(ctxt, &smstate->es, VCPU_SREG_ES);
-+	rsm_load_seg_64(ctxt, &smstate->cs, VCPU_SREG_CS);
-+	rsm_load_seg_64(ctxt, &smstate->ss, VCPU_SREG_SS);
-+	rsm_load_seg_64(ctxt, &smstate->ds, VCPU_SREG_DS);
-+	rsm_load_seg_64(ctxt, &smstate->fs, VCPU_SREG_FS);
-+	rsm_load_seg_64(ctxt, &smstate->gs, VCPU_SREG_GS);
- 
- 	return X86EMUL_CONTINUE;
- }
-@@ -2608,7 +2578,7 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt)
- 
- #ifdef CONFIG_X86_64
- 	if (emulator_has_longmode(ctxt))
-		ret = rsm_load_state_64(ctxt, (const char *)&smram);
-+		ret = rsm_load_state_64(ctxt, &smram.smram64);
- 	else
- #endif
- 		ret = rsm_load_state_32(ctxt, &smram.smram32);
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 11e62b1f1764..5c4be3873c0d 100644
--- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -9040,20 +9040,17 @@ static void enter_smm_save_seg_32(struct kvm_vcpu *vcpu,
- }
- 
- #ifdef CONFIG_X86_64
-static void enter_smm_save_seg_64(struct kvm_vcpu *vcpu, char *buf, int n)
-+static void enter_smm_save_seg_64(struct kvm_vcpu *vcpu,
-+				  struct kvm_smm_seg_state_64 *state,
-+				  int n)
- {
- 	struct kvm_segment seg;
-	int offset;
-	u16 flags;
- 
- 	kvm_get_segment(vcpu, &seg, n);
-	offset = 0x7e00 + n * 16;
-
-	flags = enter_smm_get_segment_flags(&seg) >> 8;
-	put_smstate(u16, buf, offset, seg.selector);
-	put_smstate(u16, buf, offset + 2, flags);
-	put_smstate(u32, buf, offset + 4, seg.limit);
-	put_smstate(u64, buf, offset + 8, seg.base);
-+	state->selector = seg.selector;
-+	state->attributes = enter_smm_get_segment_flags(&seg) >> 8;
-+	state->limit = seg.limit;
-+	state->base = seg.base;
- }
- #endif
- 
-@@ -9101,57 +9098,51 @@ static void enter_smm_save_state_32(struct kvm_vcpu *vcpu, struct kvm_smram_stat
- }
- 
- #ifdef CONFIG_X86_64
-static void enter_smm_save_state_64(struct kvm_vcpu *vcpu, char *buf)
-+static void enter_smm_save_state_64(struct kvm_vcpu *vcpu, struct kvm_smram_state_64 *smram)
- {
- 	struct desc_ptr dt;
-	struct kvm_segment seg;
- 	unsigned long val;
- 	int i;
- 
- 	for (i = 0; i < 16; i++)
-		put_smstate(u64, buf, 0x7ff8 - i * 8, kvm_register_read_raw(vcpu, i));
-+		smram->gprs[15 - i] = kvm_register_read_raw(vcpu, i);
-+
-+	smram->rip    = kvm_rip_read(vcpu);
-+	smram->rflags = kvm_get_rflags(vcpu);
- 
-	put_smstate(u64, buf, 0x7f78, kvm_rip_read(vcpu));
-	put_smstate(u32, buf, 0x7f70, kvm_get_rflags(vcpu));
- 
- 	kvm_get_dr(vcpu, 6, &val);
-	put_smstate(u64, buf, 0x7f68, val);
-+	smram->dr6 = val;
- 	kvm_get_dr(vcpu, 7, &val);
-	put_smstate(u64, buf, 0x7f60, val);
-
-	put_smstate(u64, buf, 0x7f58, kvm_read_cr0(vcpu));
-	put_smstate(u64, buf, 0x7f50, kvm_read_cr3(vcpu));
-	put_smstate(u64, buf, 0x7f48, kvm_read_cr4(vcpu));
-+	smram->dr7 = val;
- 
-	put_smstate(u32, buf, 0x7f00, vcpu->arch.smbase);
-+	smram->cr0 = kvm_read_cr0(vcpu);
-+	smram->cr3 = kvm_read_cr3(vcpu);
-+	smram->cr4 = kvm_read_cr4(vcpu);
- 
-	/* revision id */
-	put_smstate(u32, buf, 0x7efc, 0x00020064);
-+	smram->smbase = vcpu->arch.smbase;
-+	smram->smm_revison = 0x00020064;
- 
-	put_smstate(u64, buf, 0x7ed0, vcpu->arch.efer);
-+	smram->efer = vcpu->arch.efer;
- 
-	kvm_get_segment(vcpu, &seg, VCPU_SREG_TR);
-	put_smstate(u16, buf, 0x7e90, seg.selector);
-	put_smstate(u16, buf, 0x7e92, enter_smm_get_segment_flags(&seg) >> 8);
-	put_smstate(u32, buf, 0x7e94, seg.limit);
-	put_smstate(u64, buf, 0x7e98, seg.base);
-+	enter_smm_save_seg_64(vcpu, &smram->tr, VCPU_SREG_TR);
- 
- 	static_call(kvm_x86_get_idt)(vcpu, &dt);
-	put_smstate(u32, buf, 0x7e84, dt.size);
-	put_smstate(u64, buf, 0x7e88, dt.address);
-+	smram->idtr.limit = dt.size;
-+	smram->idtr.base = dt.address;
- 
-	kvm_get_segment(vcpu, &seg, VCPU_SREG_LDTR);
-	put_smstate(u16, buf, 0x7e70, seg.selector);
-	put_smstate(u16, buf, 0x7e72, enter_smm_get_segment_flags(&seg) >> 8);
-	put_smstate(u32, buf, 0x7e74, seg.limit);
-	put_smstate(u64, buf, 0x7e78, seg.base);
-+	enter_smm_save_seg_64(vcpu, &smram->ldtr, VCPU_SREG_LDTR);
- 
- 	static_call(kvm_x86_get_gdt)(vcpu, &dt);
-	put_smstate(u32, buf, 0x7e64, dt.size);
-	put_smstate(u64, buf, 0x7e68, dt.address);
-+	smram->gdtr.limit = dt.size;
-+	smram->gdtr.base = dt.address;
- 
-	for (i = 0; i < 6; i++)
-		enter_smm_save_seg_64(vcpu, buf, i);
-+	enter_smm_save_seg_64(vcpu, &smram->es, VCPU_SREG_ES);
-+	enter_smm_save_seg_64(vcpu, &smram->cs, VCPU_SREG_CS);
-+	enter_smm_save_seg_64(vcpu, &smram->ss, VCPU_SREG_SS);
-+	enter_smm_save_seg_64(vcpu, &smram->ds, VCPU_SREG_DS);
-+	enter_smm_save_seg_64(vcpu, &smram->fs, VCPU_SREG_FS);
-+	enter_smm_save_seg_64(vcpu, &smram->gs, VCPU_SREG_GS);
- }
- #endif
- 
-@@ -9165,7 +9156,7 @@ static void enter_smm(struct kvm_vcpu *vcpu)
- 	memset(smram.bytes, 0, sizeof(smram.bytes));
- #ifdef CONFIG_X86_64
- 	if (guest_cpuid_has(vcpu, X86_FEATURE_LM))
-		enter_smm_save_state_64(vcpu, (char *)&smram);
-+		enter_smm_save_state_64(vcpu, &smram.smram64);
- 	else
- #endif
- 		enter_smm_save_state_32(vcpu, &smram.smram32);
@@ -1,98 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:09 +0300
-Subject: [PATCH] KVM: x86: SVM: use smram structs
-
-This removes the last user of put_smstate/GET_SMSTATE so
-remove these functions as well.
-
-Also add a sanity check that we don't attempt to enter the SMM
-on non long mode capable guest CPU with a running nested guest.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/include/asm/kvm_host.h |  6 ------
- arch/x86/kvm/svm/svm.c          | 21 ++++++---------------
- 2 files changed, 6 insertions(+), 21 deletions(-)
-
-diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
-index fb48dd8773e1..0362d3fba42a 100644
--- a/arch/x86/include/asm/kvm_host.h
-+++ b/arch/x86/include/asm/kvm_host.h
-@@ -1932,12 +1932,6 @@ static inline int kvm_cpu_get_apicid(int mps_cpu)
- #endif
- }
- 
-#define put_smstate(type, buf, offset, val)                      \
-	*(type *)((buf) + (offset) - 0x7e00) = val
-
-#define GET_SMSTATE(type, buf, offset)		\
-	(*(type *)((buf) + (offset) - 0x7e00))
-
- int kvm_cpu_dirty_log_size(void);
- 
- int alloc_all_memslots_rmaps(struct kvm *kvm);
-diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
-index d903120811b9..742497b1d4c3 100644
--- a/arch/x86/kvm/svm/svm.c
-+++ b/arch/x86/kvm/svm/svm.c
-@@ -4308,15 +4308,11 @@ static int svm_enter_smm(struct kvm_vcpu *vcpu, union kvm_smram *smram)
- 	struct kvm_host_map map_save;
- 	int ret;
- 
-	char *smstate = (char *)smram;
-
- 	if (!is_guest_mode(vcpu))
- 		return 0;
- 
-	/* FED8h - SVM Guest */
-	put_smstate(u64, smstate, 0x7ed8, 1);
-	/* FEE0h - SVM Guest VMCB Physical Address */
-	put_smstate(u64, smstate, 0x7ee0, svm->nested.vmcb12_gpa);
-+	smram->smram64.svm_guest_flag = 1;
-+	smram->smram64.svm_guest_vmcb_gpa = svm->nested.vmcb12_gpa;
- 
- 	svm->vmcb->save.rax = vcpu->arch.regs[VCPU_REGS_RAX];
- 	svm->vmcb->save.rsp = vcpu->arch.regs[VCPU_REGS_RSP];
-@@ -4355,28 +4351,23 @@ static int svm_leave_smm(struct kvm_vcpu *vcpu, const union kvm_smram *smram)
- {
- 	struct vcpu_svm *svm = to_svm(vcpu);
- 	struct kvm_host_map map, map_save;
-	u64 saved_efer, vmcb12_gpa;
- 	struct vmcb *vmcb12;
- 	int ret;
- 
-	const char *smstate = (const char *)smram;
-
- 	if (!guest_cpuid_has(vcpu, X86_FEATURE_LM))
- 		return 0;
- 
- 	/* Non-zero if SMI arrived while vCPU was in guest mode. */
-	if (!GET_SMSTATE(u64, smstate, 0x7ed8))
-+	if (!smram->smram64.svm_guest_flag)
- 		return 0;
- 
- 	if (!guest_cpuid_has(vcpu, X86_FEATURE_SVM))
- 		return 1;
- 
-	saved_efer = GET_SMSTATE(u64, smstate, 0x7ed0);
-	if (!(saved_efer & EFER_SVME))
-+	if (!(smram->smram64.efer & EFER_SVME))
- 		return 1;
- 
-	vmcb12_gpa = GET_SMSTATE(u64, smstate, 0x7ee0);
-	if (kvm_vcpu_map(vcpu, gpa_to_gfn(vmcb12_gpa), &map) == -EINVAL)
-+	if (kvm_vcpu_map(vcpu, gpa_to_gfn(smram->smram64.svm_guest_vmcb_gpa), &map) == -EINVAL)
- 		return 1;
- 
- 	ret = 1;
-@@ -4401,7 +4392,7 @@ static int svm_leave_smm(struct kvm_vcpu *vcpu, const union kvm_smram *smram)
- 
- 	vmcb12 = map.hva;
- 	nested_load_control_from_vmcb12(svm, &vmcb12->control);
-	ret = enter_svm_guest_mode(vcpu, vmcb12_gpa, vmcb12, false);
-+	ret = enter_svm_guest_mode(vcpu, smram->smram64.svm_guest_vmcb_gpa, vmcb12, false);
- 
- 	if (ret)
- 		goto unmap_save;
@@ -1,40 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:10 +0300
-Subject: [PATCH] KVM: x86: SVM: don't save SVM state to SMRAM when VM is not
- long mode capable
-
-When the guest CPUID doesn't have support for long mode, 32 bit SMRAM
-layout is used and it has no support for preserving EFER and/or SVM
-state.
-
-Note that this isn't relevant to running 32 bit guests on VM which is
-long mode capable - such VM can still run 32 bit guests in compatibility
-mode.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/svm/svm.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
-index 742497b1d4c3..938b9b24f0ee 100644
--- a/arch/x86/kvm/svm/svm.c
-+++ b/arch/x86/kvm/svm/svm.c
-@@ -4311,6 +4311,15 @@ static int svm_enter_smm(struct kvm_vcpu *vcpu, union kvm_smram *smram)
- 	if (!is_guest_mode(vcpu))
- 		return 0;
- 
-+	/*
-+	 * 32 bit SMRAM format doesn't preserve EFER and SVM state.
-+	 * SVM should not be enabled by the userspace without marking
-+	 * the CPU as at least long mode capable.
-+	 */
-+
-+	if (!guest_cpuid_has(vcpu, X86_FEATURE_LM))
-+		return 1;
-+
- 	smram->smram64.svm_guest_flag = 1;
- 	smram->smram64.svm_guest_vmcb_gpa = svm->nested.vmcb12_gpa;
- 
@@ -1,180 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Wed, 3 Aug 2022 18:50:11 +0300
-Subject: [PATCH] KVM: x86: emulator/smm: preserve interrupt shadow in SMRAM
-
-When #SMI is asserted, the CPU can be in interrupt shadow
-due to sti or mov ss.
-
-It is not mandatory in  Intel/AMD prm to have the #SMI
-blocked during the shadow, and on top of
-that, since neither SVM nor VMX has true support for SMI
-window, waiting for one instruction would mean single stepping
-the guest.
-
-Instead, allow #SMI in this case, but both reset the interrupt
-window and stash its value in SMRAM to restore it on exit
-from SMM.
-
-This fixes rare failures seen mostly on windows guests on VMX,
-when #SMI falls on the sti instruction which mainfest in
-VM entry failure due to EFLAGS.IF not being set, but STI interrupt
-window still being set in the VMCS.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/emulate.c     | 17 ++++++++++++++---
- arch/x86/kvm/kvm_emulate.h | 10 ++++++----
- arch/x86/kvm/x86.c         | 12 ++++++++++++
- 3 files changed, 32 insertions(+), 7 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 4eb35a0a33a5..3e6ea2951e2b 100644
--- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -2420,7 +2420,7 @@ static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt,
- 			     const struct kvm_smram_state_32 *smstate)
- {
- 	struct desc_ptr dt;
-	int i;
-+	int i, r;
- 
- 	ctxt->eflags =  smstate->eflags | X86_EFLAGS_FIXED;
- 	ctxt->_eip =  smstate->eip;
-@@ -2455,8 +2455,16 @@ static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt,
- 
- 	ctxt->ops->set_smbase(ctxt, smstate->smbase);
- 
-	return rsm_enter_protected_mode(ctxt, smstate->cr0,
-					smstate->cr3, smstate->cr4);
-+	r = rsm_enter_protected_mode(ctxt, smstate->cr0,
-+				     smstate->cr3, smstate->cr4);
-+
-+	if (r != X86EMUL_CONTINUE)
-+		return r;
-+
-+	ctxt->ops->set_int_shadow(ctxt, 0);
-+	ctxt->interruptibility = (u8)smstate->int_shadow;
-+
-+	return X86EMUL_CONTINUE;
- }
- 
- #ifdef CONFIG_X86_64
-@@ -2505,6 +2513,9 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt,
- 	rsm_load_seg_64(ctxt, &smstate->fs, VCPU_SREG_FS);
- 	rsm_load_seg_64(ctxt, &smstate->gs, VCPU_SREG_GS);
- 
-+	ctxt->ops->set_int_shadow(ctxt, 0);
-+	ctxt->interruptibility = (u8)smstate->int_shadow;
-+
- 	return X86EMUL_CONTINUE;
- }
- #endif
-diff --git a/arch/x86/kvm/kvm_emulate.h b/arch/x86/kvm/kvm_emulate.h
-index 3b37b3e17379..a64c190abf28 100644
--- a/arch/x86/kvm/kvm_emulate.h
-+++ b/arch/x86/kvm/kvm_emulate.h
-@@ -231,6 +231,7 @@ struct x86_emulate_ops {
- 	bool (*guest_has_rdpid)(struct x86_emulate_ctxt *ctxt);
- 
- 	void (*set_nmi_mask)(struct x86_emulate_ctxt *ctxt, bool masked);
-+	void (*set_int_shadow)(struct x86_emulate_ctxt *ctxt, u8 shadow);
- 
- 	unsigned (*get_hflags)(struct x86_emulate_ctxt *ctxt);
- 	void (*exiting_smm)(struct x86_emulate_ctxt *ctxt);
-@@ -497,7 +498,8 @@ struct kvm_smram_state_32 {
- 	u32 reserved1[62];
- 	u32 smbase;
- 	u32 smm_revision;
-	u32 reserved2[5];
-+	u32 reserved2[4];
-+	u32 int_shadow; /* KVM extension */
- 	u32 cr4; /* CR4 is not present in Intel/AMD SMRAM image */
- 	u32 reserved3[5];
- 
-@@ -545,6 +547,7 @@ static inline void __check_smram32_offsets(void)
- 	__CHECK_SMRAM32_OFFSET(smbase,		0xFEF8);
- 	__CHECK_SMRAM32_OFFSET(smm_revision,	0xFEFC);
- 	__CHECK_SMRAM32_OFFSET(reserved2,	0xFF00);
-+	__CHECK_SMRAM32_OFFSET(int_shadow,	0xFF10);
- 	__CHECK_SMRAM32_OFFSET(cr4,		0xFF14);
- 	__CHECK_SMRAM32_OFFSET(reserved3,	0xFF18);
- 	__CHECK_SMRAM32_OFFSET(ds,		0xFF2C);
-@@ -604,7 +607,7 @@ struct kvm_smram_state_64 {
- 	u64 io_restart_rsi;
- 	u64 io_restart_rdi;
- 	u32 io_restart_dword;
-	u32 reserved1;
-+	u32 int_shadow;
- 	u8 io_inst_restart;
- 	u8 auto_hlt_restart;
- 	u8 reserved2[6];
-@@ -642,7 +645,6 @@ struct kvm_smram_state_64 {
- 	u64 gprs[16]; /* GPRS in a reversed "natural" X86 order (R15/R14/../RCX/RAX.) */
- };
- 
-
- static inline void __check_smram64_offsets(void)
- {
- #define __CHECK_SMRAM64_OFFSET(field, offset) \
-@@ -663,7 +665,7 @@ static inline void __check_smram64_offsets(void)
- 	__CHECK_SMRAM64_OFFSET(io_restart_rsi,		0xFEB0);
- 	__CHECK_SMRAM64_OFFSET(io_restart_rdi,		0xFEB8);
- 	__CHECK_SMRAM64_OFFSET(io_restart_dword,	0xFEC0);
-	__CHECK_SMRAM64_OFFSET(reserved1,		0xFEC4);
-+	__CHECK_SMRAM64_OFFSET(int_shadow,		0xFEC4);
- 	__CHECK_SMRAM64_OFFSET(io_inst_restart,		0xFEC8);
- 	__CHECK_SMRAM64_OFFSET(auto_hlt_restart,	0xFEC9);
- 	__CHECK_SMRAM64_OFFSET(reserved2,		0xFECA);
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 5c4be3873c0d..461c9d815d6c 100644
--- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -7299,6 +7299,11 @@ static void emulator_set_nmi_mask(struct x86_emulate_ctxt *ctxt, bool masked)
- 	static_call(kvm_x86_set_nmi_mask)(emul_to_vcpu(ctxt), masked);
- }
- 
-+static void emulator_set_int_shadow(struct x86_emulate_ctxt *ctxt, u8 shadow)
-+{
-+	 static_call(kvm_x86_set_interrupt_shadow)(emul_to_vcpu(ctxt), shadow);
-+}
-+
- static unsigned emulator_get_hflags(struct x86_emulate_ctxt *ctxt)
- {
- 	return emul_to_vcpu(ctxt)->arch.hflags;
-@@ -7368,6 +7373,7 @@ static const struct x86_emulate_ops emulate_ops = {
- 	.guest_has_fxsr      = emulator_guest_has_fxsr,
- 	.guest_has_rdpid     = emulator_guest_has_rdpid,
- 	.set_nmi_mask        = emulator_set_nmi_mask,
-+	.set_int_shadow      = emulator_set_int_shadow,
- 	.get_hflags          = emulator_get_hflags,
- 	.exiting_smm         = emulator_exiting_smm,
- 	.leave_smm           = emulator_leave_smm,
-@@ -9095,6 +9101,8 @@ static void enter_smm_save_state_32(struct kvm_vcpu *vcpu, struct kvm_smram_stat
- 	smram->cr4 = kvm_read_cr4(vcpu);
- 	smram->smm_revision = 0x00020000;
- 	smram->smbase = vcpu->arch.smbase;
-+
-+	smram->int_shadow = static_call(kvm_x86_get_interrupt_shadow)(vcpu);
- }
- 
- #ifdef CONFIG_X86_64
-@@ -9143,6 +9151,8 @@ static void enter_smm_save_state_64(struct kvm_vcpu *vcpu, struct kvm_smram_stat
- 	enter_smm_save_seg_64(vcpu, &smram->ds, VCPU_SREG_DS);
- 	enter_smm_save_seg_64(vcpu, &smram->fs, VCPU_SREG_FS);
- 	enter_smm_save_seg_64(vcpu, &smram->gs, VCPU_SREG_GS);
-+
-+	smram->int_shadow = static_call(kvm_x86_get_interrupt_shadow)(vcpu);
- }
- #endif
- 
-@@ -9179,6 +9189,8 @@ static void enter_smm(struct kvm_vcpu *vcpu)
- 	kvm_set_rflags(vcpu, X86_EFLAGS_FIXED);
- 	kvm_rip_write(vcpu, 0x8000);
- 
-+	static_call(kvm_x86_set_interrupt_shadow)(vcpu, 0);
-+
- 	cr0 = vcpu->arch.cr0 & ~(X86_CR0_PE | X86_CR0_EM | X86_CR0_TS | X86_CR0_PG);
- 	static_call(kvm_x86_set_cr0)(vcpu, cr0);
- 	vcpu->arch.cr0 = cr0;
@@ -1,37 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Maher Sanalla <msanalla@nvidia.com>
-Date: Sun, 24 Jul 2022 11:28:21 +0300
-Subject: [PATCH] net/mlx5: Adjust log_max_qp to be 18 at most
-
-[ Upstream commit a6e9085d791f8306084fd5bc44dd3fdd4e1ac27b ]
-
-The cited commit limited log_max_qp to be 17 due to FW capabilities.
-Recently, it turned out that there are old FW versions that supported
-more than 17, so the cited commit caused a degradation.
-
-Thus, set the maximum log_max_qp back to 18 as it was before the
-cited commit.
-
-Fixes: 7f839965b2d7 ("net/mlx5: Update log_max_qp value to be 17 at most")
-Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
-Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
-Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
-index 4ed740994279..5a6606c843ed 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
-@@ -516,7 +516,7 @@ static int handle_hca_cap(struct mlx5_core_dev *dev, void *set_ctx)
- 
- 	/* Check log_max_qp from HCA caps to set in current profile */
- 	if (prof->log_max_qp == LOG_MAX_SUPPORTED_QPS) {
-		prof->log_max_qp = min_t(u8, 17, MLX5_CAP_GEN_MAX(dev, log_max_qp));
-+		prof->log_max_qp = min_t(u8, 18, MLX5_CAP_GEN_MAX(dev, log_max_qp));
- 	} else if (MLX5_CAP_GEN_MAX(dev, log_max_qp) < prof->log_max_qp) {
- 		mlx5_core_warn(dev, "log_max_qp value in current profile is %d, changing it to HCA capability limit (%d)\n",
- 			       prof->log_max_qp,
@@ -1,60 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 4 Aug 2022 15:28:32 +0200
-Subject: [PATCH] KVM: x86: revalidate steal time cache if MSR value changes
-
-commit 901d3765fa804ce42812f1d5b1f3de2dfbb26723 upstream.
-
-Commit 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time
-/ preempted status", 2021-11-11) open coded the previous call to
-kvm_map_gfn, but in doing so it dropped the comparison between the cached
-guest physical address and the one in the MSR.  This cause an incorrect
-cache hit if the guest modifies the steal time address while the memslots
-remain the same.  This can happen with kexec, in which case the steal
-time data is written at the address used by the old kernel instead of
-the old one.
-
-While at it, rename the variable from gfn to gpa since it is a plain
-physical address and not a right-shifted one.
-
-Reported-by: Dave Young <ruyang@redhat.com>
-Reported-by: Xiaoying Yan  <yiyan@redhat.com>
-Analyzed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Cc: stable@vger.kernel.org
-Fixes: 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time / preempted status")
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/x86.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 461c9d815d6c..b46677baf396 100644
--- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -3236,6 +3236,7 @@ static void record_steal_time(struct kvm_vcpu *vcpu)
- 	struct gfn_to_hva_cache *ghc = &vcpu->arch.st.cache;
- 	struct kvm_steal_time __user *st;
- 	struct kvm_memslots *slots;
-+	gpa_t gpa = vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS;
- 	u64 steal;
- 	u32 version;
- 
-@@ -3253,13 +3254,12 @@ static void record_steal_time(struct kvm_vcpu *vcpu)
- 	slots = kvm_memslots(vcpu->kvm);
- 
- 	if (unlikely(slots->generation != ghc->generation ||
-+		     gpa != ghc->gpa ||
- 		     kvm_is_error_hva(ghc->hva) || !ghc->memslot)) {
-		gfn_t gfn = vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS;
-
- 		/* We rely on the fact that it fits in a single page. */
- 		BUILD_BUG_ON((sizeof(*st) - 1) & KVM_STEAL_VALID_BITS);
- 
-		if (kvm_gfn_to_hva_cache_init(vcpu->kvm, ghc, gfn, sizeof(*st)) ||
-+		if (kvm_gfn_to_hva_cache_init(vcpu->kvm, ghc, gpa, sizeof(*st)) ||
- 		    kvm_is_error_hva(ghc->hva) || !ghc->memslot)
- 			return;
- 	}
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 4 Aug 2022 15:28:32 +0200
-Subject: [PATCH] KVM: x86: do not report preemption if the steal time cache is
- stale
-
-commit c3c28d24d910a746b02f496d190e0e8c6560224b upstream.
-
-Commit 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time
-/ preempted status", 2021-11-11) open coded the previous call to
-kvm_map_gfn, but in doing so it dropped the comparison between the cached
-guest physical address and the one in the MSR.  This cause an incorrect
-cache hit if the guest modifies the steal time address while the memslots
-remain the same.  This can happen with kexec, in which case the preempted
-bit is written at the address used by the old kernel instead of
-the old one.
-
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Cc: stable@vger.kernel.org
-Fixes: 7e2175ebd695 ("KVM: x86: Fix recording of guest steal time / preempted status")
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- arch/x86/kvm/x86.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index b46677baf396..48aaff0ce3b9 100644
--- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -4370,6 +4370,7 @@ static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu)
- 	struct kvm_steal_time __user *st;
- 	struct kvm_memslots *slots;
- 	static const u8 preempted = KVM_VCPU_PREEMPTED;
-+	gpa_t gpa = vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS;
- 
- 	if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
- 		return;
-@@ -4384,6 +4385,7 @@ static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu)
- 	slots = kvm_memslots(vcpu->kvm);
- 
- 	if (unlikely(slots->generation != ghc->generation ||
-+		     gpa != ghc->gpa ||
- 		     kvm_is_error_hva(ghc->hva) || !ghc->memslot))
- 		return;
- 
@@ -1,70 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nilesh Javali <njavali@marvell.com>
-Date: Tue, 12 Jul 2022 22:20:36 -0700
-Subject: [PATCH] scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover"
-
-commit 5bc7b01c513a4a9b4cfe306e8d1720cfcfd3b8a3 upstream.
-
-This fixes the regression of NVMe discovery failure during driver load
-time.
-
-This reverts commit 6a45c8e137d4e2c72eecf1ac7cf64f2fdfcead99.
-
-Link: https://lore.kernel.org/r/20220713052045.10683-2-njavali@marvell.com
-Cc: stable@vger.kernel.org
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- drivers/scsi/qla2xxx/qla_init.c | 5 ++---
- drivers/scsi/qla2xxx/qla_nvme.c | 5 -----
- 2 files changed, 2 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
-index af8df5a800c6..7caf573af58e 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
-+++ b/drivers/scsi/qla2xxx/qla_init.c
-@@ -5749,8 +5749,6 @@ qla2x00_reg_remote_port(scsi_qla_host_t *vha, fc_port_t *fcport)
- 	if (atomic_read(&fcport->state) == FCS_ONLINE)
- 		return;
- 
-	qla2x00_set_fcport_state(fcport, FCS_ONLINE);
-
- 	rport_ids.node_name = wwn_to_u64(fcport->node_name);
- 	rport_ids.port_name = wwn_to_u64(fcport->port_name);
- 	rport_ids.port_id = fcport->d_id.b.domain << 16 |
-@@ -5858,7 +5856,6 @@ qla2x00_update_fcport(scsi_qla_host_t *vha, fc_port_t *fcport)
- 		qla2x00_reg_remote_port(vha, fcport);
- 		break;
- 	case MODE_TARGET:
-		qla2x00_set_fcport_state(fcport, FCS_ONLINE);
- 		if (!vha->vha_tgt.qla_tgt->tgt_stop &&
- 			!vha->vha_tgt.qla_tgt->tgt_stopped)
- 			qlt_fc_port_added(vha, fcport);
-@@ -5873,6 +5870,8 @@ qla2x00_update_fcport(scsi_qla_host_t *vha, fc_port_t *fcport)
- 		break;
- 	}
- 
-+	qla2x00_set_fcport_state(fcport, FCS_ONLINE);
-+
- 	if (IS_IIDMA_CAPABLE(vha->hw) && vha->hw->flags.gpsc_supported) {
- 		if (fcport->id_changed) {
- 			fcport->id_changed = 0;
-diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
-index 42b29f4fd937..e63272487788 100644
--- a/drivers/scsi/qla2xxx/qla_nvme.c
-+++ b/drivers/scsi/qla2xxx/qla_nvme.c
-@@ -35,11 +35,6 @@ int qla_nvme_register_remote(struct scsi_qla_host *vha, struct fc_port *fcport)
- 		(fcport->nvme_flag & NVME_FLAG_REGISTERED))
- 		return 0;
- 
-	if (atomic_read(&fcport->state) == FCS_ONLINE)
-		return 0;
-
-	qla2x00_set_fcport_state(fcport, FCS_ONLINE);
-
- 	fcport->nvme_flag &= ~NVME_FLAG_RESETTING;
- 
- 	memset(&req, 0, sizeof(struct nvme_fc_port_info));
@@ -1,30 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Andreas Gruenbacher <agruenba@redhat.com>
-Date: Thu, 17 Mar 2022 14:47:24 +0100
-Subject: [PATCH] gfs2: Fix gfs2_file_buffered_write endless loop workaround
-
-[ Upstream commit 46f3e0421ccb5474b5c006b0089b9dfd42534bb6 ]
-
-Since commit 554c577cee95b, gfs2_file_buffered_write() can accidentally
-return a truncated iov_iter, which might confuse callers.  Fix that.
-
-Fixes: 554c577cee95b ("gfs2: Prevent endless loops in gfs2_file_buffered_write")
-Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
- fs/gfs2/file.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c
-index 60390f9dc31f..e93185d804e0 100644
--- a/fs/gfs2/file.c
-+++ b/fs/gfs2/file.c
-@@ -1086,6 +1086,7 @@ static ssize_t gfs2_file_buffered_write(struct kiocb *iocb,
- 	gfs2_holder_uninit(gh);
- 	if (statfs_gh)
- 		kfree(statfs_gh);
-+	from->count = orig_count - read;
- 	return read ? read : ret;
- }
-