update ABI file for 5.0.21-5-pve

(generated with debian/scripts/abi-generate)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

.gitmodules

@@ -1,6 +1,6 @@
 [submodule "submodules/zfsonlinux"]
 	path = submodules/zfsonlinux
 	url = ../zfsonlinux
-[submodule "submodules/ubuntu-kernel"]
-	path = submodules/ubuntu-kernel
-	url = ../mirror_ubuntu-kernels
+[submodule "submodules/ubuntu-disco"]
+	path = submodules/ubuntu-disco
+	url = ../mirror_ubuntu-disco-kernel

Makefile

@@ -1,12 +1,12 @@
 # also bump pve-kernel-meta if either of MAJ.MIN, PATCHLEVEL or KREL change
-KERNEL_MAJ=6
-KERNEL_MIN=2
-KERNEL_PATCHLEVEL=6
+KERNEL_MAJ=5
+KERNEL_MIN=0
+KERNEL_PATCHLEVEL=21
 # increment KREL if the ABI changes (abicheck target in debian/rules)
 # rebuild packages with new KREL and run 'make abiupdate'
-KREL=2
+KREL=5
 
-PKGREL=2~secureboot1
+PKGREL=10
 
 KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
 KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)
@@ -31,7 +31,7 @@ SKIPABI=0
 
 BUILD_DIR=build
 
-KERNEL_SRC=ubuntu-kernel
+KERNEL_SRC=ubuntu-disco
 KERNEL_SRC_SUBMODULE=submodules/$(KERNEL_SRC)
 KERNEL_CFG_ORG=config-${KERNEL_VER}.org
 
@@ -46,11 +46,9 @@ DIRS=KERNEL_SRC ZFSDIR MODULES
 
 DST_DEB=${PACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
 HDR_DEB=${HDRPACKAGE}_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-USR_HDR_DEB=pve-kernel-libc-dev_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
 LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
-LINUX_TOOLS_DBG_DEB=linux-tools-$(KERNEL_MAJMIN)-dbgsym_${KERNEL_VER}-${PKGREL}_${ARCH}.deb
 
-DEBS=${DST_DEB} ${HDR_DEB} ${LINUX_TOOLS_DEB} ${LINUX_TOOLS_DBG_DEB} # ${USR_HDR_DEB}
+DEBS=${DST_DEB} ${HDR_DEB} ${LINUX_TOOLS_DEB}
 
 all: deb
 deb: ${DEBS}
@@ -84,7 +82,7 @@ ${KERNEL_SRC}.prepared: ${KERNEL_SRC_SUBMODULE} | submodule
 	mkdir -p ${BUILD_DIR}
 	cp -a ${KERNEL_SRC_SUBMODULE} ${BUILD_DIR}/${KERNEL_SRC}
 # TODO: split for archs, track and diff in our repository?
-	cd ${BUILD_DIR}/${KERNEL_SRC}; python3 debian/scripts/misc/annotations --arch amd64 --export >../../${KERNEL_CFG_ORG}
+	cat ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/config.common.ubuntu ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/${ARCH}/config.common.${ARCH} ${BUILD_DIR}/${KERNEL_SRC}/debian.master/config/${ARCH}/config.flavour.generic > ${KERNEL_CFG_ORG}
 	cp ${KERNEL_CFG_ORG} ${BUILD_DIR}/${KERNEL_SRC}/.config
 	sed -i ${BUILD_DIR}/${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
 	rm -rf ${BUILD_DIR}/${KERNEL_SRC}/debian ${BUILD_DIR}/${KERNEL_SRC}/debian.master
@@ -104,7 +102,7 @@ ${ZFSDIR}.prepared: ${ZFSONLINUX_SUBMODULE}
 
 .PHONY: upload
 upload: ${DEBS}
-	tar cf - ${DEBS}|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg,pbs --dist bullseye --arch ${ARCH}
+	tar cf - ${DEBS}|ssh -X repoman@repo.proxmox.com -- upload --product pve,pmg --dist buster --arch ${ARCH}
 
 .PHONY: distclean
 distclean: clean

README

@@ -1,17 +1,13 @@
 KERNEL SOURCE:
 ==============
 
-We currently use the Ubuntu kernel sources, available from our mirror:
+We currently use the Ubuntu kernel sources, available from:
 
- https://git.proxmox.com/?p=mirror_ubuntu-kernels.git;a=summary
+ http://kernel.ubuntu.com/git/ubuntu/ubuntu-disco.git/
 
 Ubuntu will maintain those kernels till:
 
  https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
- or
- https://pve.proxmox.com/pve-docs/chapter-pve-faq.html#faq-support-table
-
- whatever happens to be earlier.
 
 
 Additional/Updated Modules:
@@ -35,7 +31,7 @@ get applied with the `patch` tool. From a git point-of-view, the copied
 directory remains clean even with extra patches applied since it does not
 contain a .git directory, but a reference to the (still pristine) submodule:
 
-$ cat build/ubuntu-kernel/.git
+$ cat build/ubuntu-bionic/.git
 
 If you mistakenly cloned the upstream repo as "normal" clone (not via the
 submodule mechanics) this means that you have a real .git directory with its
@@ -63,15 +59,15 @@ git clone git://git.proxmox.com/git/proxmox-ve.git
 pve-kernel-meta
 ---------------
 
-Depends on latest kernel and header package within a certain kernel series,
-e.g., pve-kernel-5.15 / pve-headers-5.15
+depends on latest kernel and header package within a certain kernel series,
+e.g., pve-kernel-4.15 / pve-headers-4.15
 
 git clone git://git.proxmox.com/git/pve-kernel-meta.git
 
 pve-firmware
 ------------
 
-Contains the firmware for all released PVE kernels.
+contains the firmware for all released PVE kernels.
 
 git clone git://git.proxmox.com/git/pve-firmware.git
 
@@ -102,18 +98,6 @@ which device is actually used for /dev/watchdog.
 We ship this list in /lib/modprobe.d/blacklist_pve-kernel-<VERSION>.conf
 The user typically edit /etc/modules to enable a specific watchdog device.
 
-Debug kernel and modules
-------------------------
-
-In order to build a -dbgsym package containing an unstripped copy of the kernel
-image and modules, enable the 'pkg.pve-kernel.debug' build profile (e.g. by
-exporting DEB_BUILD_PROFILES='pkg.pve-kernel.debug'). The resulting package can
-be used together with 'crash'/'kdump-tools' to debug kernel crashes.
-
-Note: the -dbgsym package is only valid for the pve-kernel packages produced by
-the same build. A kernel/module from a different build will likely not match,
-even if both builds are of the same kernel and package version.
-
 Additional information
 ----------------------
 
@@ -137,39 +121,55 @@ NOTE: For the exact and current list see debian/rules (PVE_CONFIG_OPTS)
   	 CONFIG_BLK_DEV_SR=y
   	 CONFIG_BLK_DEV_DM=y
 
+- add workaround for Debian bug #807000 (see
+  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807000)
+
+  	 CONFIG_BLK_DEV_NVME=y
+
 - compile NBD and RBD modules
 	 CONFIG_BLK_DEV_NBD=m
 	 CONFIG_BLK_DEV_RBD=m
 
 - enable IBM JFS file system as module
-  requested by users (bug #64)
+
+  enable it as requested by users (bug #64)
 
 - enable apple HFS and HFSPLUS as module
-  requested by users
+
+  enable it as requested by users
 
 - enable CONFIG_BCACHE=m (requested by user)
 
 - enable CONFIG_BRIDGE=y
-  to avoid warnings on boot, e.g. that net.bridge.bridge-nf-call-iptables is an unknown key
+
+  Else we get warnings on boot, that
+  net.bridge.bridge-nf-call-iptables is an unknown key
 
 - enable CONFIG_DEFAULT_SECURITY_APPARMOR
+
   We need this for lxc
 
 - set CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y
+
   because if not set, it can give some dynamic memory or cpu frequencies 
   change, and vms can crash (mainly windows guest).
+
   see http://forum.proxmox.com/threads/18238-Windows-7-x64-VMs-crashing-randomly-during-process-termination?p=93273#post93273
 
 - use 'deadline' as default scheduler
-  This is the suggested setting for KVM. We also measure bad fsync performance with ext4 and cfq.
+
+  This is the suggested setting for KVM. We also measure bad fsync
+  performance with ext4 and cfq.
 
 - disable CONFIG_INPUT_EVBUG
-  Module evbug is not blacklisted on debian, so we simply disable it to avoid
-  key-event logs (which is a big security problem)
+
+  Module evbug is not blacklisted on debian, so we simply disable it
+  to avoid key-event logs (which is a big security problem)
 
 - enable CONFIG_MODVERSIONS (needed for ABI tracking)
 
 - switch default UNWINDER to FRAME_POINTER
+
   the recently introduced ORC_UNWINDER is not 100% stable yet, especially in combination with ZFS
 
 - enable CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)

debian/certs/proxmox-uefi-ca.pem

@@ -1,37 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIGbjCCBFagAwIBAgIUTVo8veNlt0qzt14J+H2mhEB2SNUwDQYJKoZIhvcNAQEL
-BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
-ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
-BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
-eG1veC5jb20wHhcNMjMwMzA2MTM1MTM0WhcNMzMwMzAzMTM1MTM0WjCBkzELMAkG
-A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
-VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEXMBUGA1UEAwwOU2Vj
-dXJlIEJvb3QgQ0ExITAfBgkqhkiG9w0BCQEWEm9mZmljZUBwcm94bW94LmNvbTCC
-AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ59mP8gRLqsA6P53ejy0wMk
-0qLlICtDkPXsJoi4QRHjlPErxXv5zsZ4WqSG2bQ8EW95FAf8EOF6ge+G17neYt1w
-DmlvHzLBfqTJj5EBRgVjdWOjX3AkS/elOyzHdq4rKOteUSpQlMP4ub2cAUdy/8rp
-ouTbduttNv8mymAO89/kbXCEmKFiRS+av+hykFFyXH/KTRa2QnvLVadMEkmtA+vm
-+yQhYWCTD8hdisa1o3dKM0Z2l8LyzfIOsVXcwHHB7AhtR4tbLR9Tz2p/m9Gz//vj
-82dBaChh6kxIMZ8kACP28dA561R2P6ZcjzLSJ0Tq5e4tiW9SNEzuTYKTRvFeQoQh
-4usDdSF3ifXDuimShpv8Yaf4fntyIaUfnm6H5tvNr9b9Rw6ZL200LV5VugQ1EpfE
-F0+c3LQfurwT7svISgXSY62Fe/TiHFANOVXM5j3/Dr2ktKyce7BUGN4ewpWPvP99
-io+rdd4bTReuDh8j0nhsSdYKfvuOmvQpgL8Smzno54/hdpuO6cv+slCr1ApDexl8
-gAPPwCZRsH7aPc92g+YPzDm3k77RqkCXPA19KKQLYKvL7a+H3rnqgO81CdGFPHOz
-I5UruKLLeDGAWR0bo0JqDMEL8/oPh9IvGo8lFcTros0NEof6A7p8SGmxM2NodTo9
-spDVs84xDPlp4yX4u8A9AgMBAAGjgbcwgbQwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFLXxsR5I
-LbWGkynLl1qjUgX4cs16MB8GA1UdIwQYMBaAFLXxsR5ILbWGkynLl1qjUgX4cs16
-MB0GA1UdEQQWMBSBEm9mZmljZUBwcm94bW94LmNvbTAdBgNVHRIEFjAUgRJvZmZp
-Y2VAcHJveG1veC5jb20wDQYJKoZIhvcNAQELBQADggIBAAUGWTt792ibVtE9yKgq
-9YtmybKGWjDHdMKl5AcnxLD60z7cEgcUBpEXaUbTzic5rz7fYhUM29LZkF8NIA2a
-rzrF0w+J1zZZKG2VvTWmdgynNNKQ/iTRbhgSZ94hEWOwumlEW4O6HwUN+VYFx8wf
-jvyWc1K6cdCc70IeC5POjYTlXKPoDq8ysPMLhxm7dsk7DDWcR0siMbYqGLLK5cJB
-lZE+9Q3Nj/q4m3odjK1ILrDGKqWWJgxopE21e903Ej+TNw+TduXygHqwVloEXUi4
-clmMMwCfhEBI9Vuy0+QSLxvrHKbwYpWd59RBQEsUubi8sT8Oh7njgmEd/Pf9uD7U
-1Rd9I+1MkNOZXyoyvaJQl9NZ9RpyG+ZbeQoFcL2CeCy0jJQQSilI5k4RtiDrGn6R
-GxlRL/FTvGWBkQGNwvoeFwD6i7zYainf1Z7f1Dh83MxKarxpAwX61K+rHpvAvjN/
-Hd4dslj5C+p188FnGaqiFlFAgVcF//F+yZFGYu1sTIQJ5f0C3LiFLeQYi3SPTf0L
-wk78eHgo6x1cIOM3/Ct4mflHBxnrfOJ9YdEAn2MklpDT5dif+9+zpN1myCQn4HoW
-OgoWIacSuvuFczHTQf2IX4ZEEE5SZwE31f7E0cqjgXmwbz1a81UMZHzvr71rDeWi
-oRgE3Pe1htzpOmw5Ygvjtn8k
------END CERTIFICATE-----

debian/certs/proxmox-uefi-signer-2023.pem

@@ -1,37 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIGbzCCBFegAwIBAgIUakjebPHbd0vTEj9dEa3OF+gioGMwDQYJKoZIhvcNAQEL
-BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
-ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
-BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
-eG1veC5jb20wHhcNMjMwMzA2MTQwNTI1WhcNMjcwNDE0MTQwNTI1WjCBmjELMAkG
-A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
-VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEeMBwGA1UEAwwVU2Vj
-dXJlIEJvb3QgU2lnbiAyMDIzMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJveG1v
-eC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJGReH5i3aihb/
-frdbzzNueHBt7DC9W2/GXYf0wfl8izCXz2SYM/UIZavbpzF2uhgxli3Dj4M0FyR2
-oTKRseWyy+YMiwuhQcqCw0KRS6uOUiGjOtPHsEqDFO6DP8d1gNjYkF0jzY/CNf0N
-5Sc+w8jknQJgZ9G1RGcC2ihZATx2pgG9nYA30Op8qHyhcF2KrUmh8wpXky21u0Ja
-0/whsNFNSfQrvosgUroxLd2TvBdcBJu3SXt0B15jfY4Qssjmwgfs/oU8YGaAYnIp
-PLJRqzho/kpDA3PH2lsgxv5BJHQgDuODLj3Q3dx09C71Qdb3FlQ6z9hIdFUoPrvC
-kUpZ5lEwGUyvFZtJJQvGm/1BpDj1G7P8lqODyfkJ4c77XoH7M9z945HmxrfAyjP7
-9Jk8NXA9bSy+ygPHPHlTLEc10HKvk/SRg/sGGUveTr9C6rObfP8EmvXogpS46xSn
-W9s2vFSVFyOBvLpdIhU91McBFinvQaqY0r2XTNrsU3Zp5YG3z6hh6BOLCpD/pixc
-BQyfT8wGeI59dobVSSrWqt+1vNxO02I5t7Mlam687Ix1e3C/nk7+i44WMcmB8n+x
-Dq/v/L+UJlQ75u2dsaAiYUrGcsHQWAZ34oIAfec9qCgG+OLTwobwXXiOlaWiO51n
-0xCQ4ePK+vZuDxRHaXL7hOxFCe3iKwIDAQABo4GxMIGuMB0GA1UdDgQWBBRr/2t+
-Hu0KTVTbNhd31p7aJH15IjAfBgNVHSMEGDAWgBS18bEeSC21hpMpy5dao1IF+HLN
-ejAdBgNVHREEFjAUgRJvZmZpY2VAcHJveG1veC5jb20wHQYDVR0SBBYwFIESb2Zm
-aWNlQHByb3htb3guY29tMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
-AwMwCwYDVR0PBAQDAgbAMA0GCSqGSIb3DQEBCwUAA4ICAQBYmLgWPJSK/pP/CkZE
-iYttW1Vd0Wm4DeZVSyUh2c9AI+A+IT5otEXjCflU8sYU4vm0eEtNwhmGdVf8oZe4
-tS/2eFawDAqEQ8xMsinbMJoqvcYx9uEZPiOOo3GS2YjfUy03Q3BAOV3rMFOjP4y+
-dfYF3IWnKQxvUV0wapRyDbT62plKt4UCtBagUPcm838YRD6ax+4yK/5sojMQM1IW
-2yGgEz8jeCyPI19Ots2RBZTJU2BZ1QqRPLybvLfsENtKgKqOE14BEp6WqtYBaj89
-QZD4tbP9Mqcmnj8AfG89pb1Fj6tq0MLZsboF6i0J7uuQ6CKkb5ksQhLODLMwAZi1
-1EAgWk5btwj6ZvoOHFOjAXGJ13tmUeYt/Zipyy/ie+5LSEdFevQ+zmZzsglfX3QK
-6skoBpHs3kLcuPsoe8uhCvn/b22lHkFdYYkIwIUQFPJgdvBzD8LYHnD8P60UdsQO
-vSSt9qzsq04DCEjwhmNJUeddL9ESGNL8vgpB9GvNjFEq6QMncELkdXDoAeqGFolE
-/dj+8sVq+34plRsvD1GDDx70UWk0ZtQlvhqDJ0kxeT+yYASrwLoujK44SLq8cMJr
-JYxDoxFOy5MSw+EzEXTP9LLkYNdPv/nzPbEz3lEctczyOgBWr22272Kdv3QCHBdP
-v4+vFbHnrXmu8cC9T45r2aX3rQ==
------END CERTIFICATE-----

debian/changelog

@@ -1,648 +1,28 @@
-pve-kernel (6.2.6-2~secureboot1) bullseye; urgency=medium
+pve-kernel (5.0.21-10) pve pmg; urgency=medium
 
-  * test build with lockdown, trusted key and module signing
+  * update to Ubuntu-5.0.0-35.38
 
- -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Mar 2023 14:56:01 +0100
+  * bump ABI to 5.0.21-5
 
-pve-kernel (6.2.6-1) bullseye; urgency=medium
+  * avoid bouds error message about PC Speaker module being already registered
 
-  * update to Ubuntu-6.2.0-17.17 based on 6.2.6
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 13 Nov 2019 08:27:10 +0100
 
- -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Mar 2023 18:08:23 +0100
+pve-kernel (5.0.21-9) pve pmg; urgency=medium
 
-pve-kernel (6.2.2-1) bullseye; urgency=medium
+  * fix #2458: fix issues with Linux KVM guest on old Intel CPUs
 
-  * update to Ubuntu-6.2.0-1.1
+ -- Proxmox Support Team <support@proxmox.com>  Mon, 11 Nov 2019 14:12:37 +0100
 
- -- Proxmox Support Team <support@proxmox.com>  Mon, 13 Mar 2023 17:57:00 +0100
+pve-kernel (5.0.21-8) pve pmg; urgency=medium
 
-pve-kernel (6.1.15-1) bullseye; urgency=medium
+  * update to Ubuntu-5.0.0-33.35
 
-  * update to Proxmox-6.1.15-1
+  * bump ABI to 5.0.21-4
 
-  * backport patch to fix issue with large IO requests
+  * update ZFS FPU/SIMD implementation to upstream proposal
 
- -- Proxmox Support Team <support@proxmox.com>  Wed, 08 Mar 2023 09:53:18 +0100
-
-pve-kernel (6.1.14-1) bullseye; urgency=medium
-
-  * update to Proxmox-6.1.14-1
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Feb 2023 18:09:47 +0100
-
-pve-kernel (6.1.10-1) bullseye; urgency=medium
-
-  * update to Proxmox-6.1.10-1
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 07 Feb 2023 14:10:10 +0100
-
-pve-kernel (6.1.6-1) bullseye; urgency=medium
-
-  * update ZFS to 2.1.9
-
-  * update to Ubuntu-6.1.0-14.14 based on upstream 6.1.6
-
- -- Proxmox Support Team <support@proxmox.com>  Sat, 28 Jan 2023 15:05:09 +0100
-
-pve-kernel (6.1.2-1) bullseye; urgency=medium
-
-  * backport ZFS compat fixes for Linux 6.1 w.r.t. a OTMPFILE open syscall
-
-  * update to Ubuntu-6.1.0-12.12
-
-  * backport a few newer fixes-of-fixes from 6.1.4
-
-  * bump ABI to 6.1.2-1
-
- -- Proxmox Support Team <support@proxmox.com>  Sat, 07 Jan 2023 14:56:01 +0100
-
-pve-kernel (6.1.0-1) bullseye; urgency=medium
-
-  * update to Ubuntu-6.1.0-1.1 based on upstram v6.1
-
-  * update ZFS to 2.1.7
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 13 Dec 2022 15:08:53 +0100
-
-pve-kernel (5.19.17-1) bullseye; urgency=medium
-
-  * update to Ubuntu-5.19.0-24.25
-
-  * bump ABI to 5.19.17-1
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 14 Nov 2022 20:25:12 +0100
-
-pve-kernel (5.19.7-2) bullseye; urgency=medium
-
-  * update ZFS to 2.1.6
-
-  * update to Ubuntu-5.19.0-19.19
-
-  * bump ABI to 5.19.7-2
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Oct 2022 17:18:40 +0200
-
-pve-kernel (5.19.7-1) bullseye; urgency=medium
-
-  * update to 5.19.7 based on Ubuntu-5.19.0-16.16
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 06 Sep 2022 07:54:58 +0200
-
-pve-kernel (5.19.0-1) bullseye; urgency=medium
-
-  * update to 5.19.0 based from Ubuntu-5.19.0-14.14
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Aug 2022 09:18:39 +0200
-
-pve-kernel (5.19.0-1~rc8+2) bullseye; urgency=medium
-
-  * backport smm fixes
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 27 Jul 2022 11:27:10 +0200
-
-pve-kernel (5.19.0-1~rc8+1) bullseye; urgency=medium
-
-  * update to 5.19.0-rc8 based from Ubuntu-5.19.0-11.11
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jul 2022 11:47:30 +0200
-
-pve-kernel (5.15.53-1) bullseye; urgency=medium
-
-  * update to Ubuntu-5.15.0-48.54
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 26 Aug 2022 16:53:52 +0200
-
-pve-kernel (5.15.39-4) bullseye; urgency=medium
-
-  * update "SMM emulation and interrupt shadow fixes" to v3
-
-  * bump ABI to 5.15.35-4
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Aug 2022 15:11:15 +0200
-
-pve-kernel (5.15.39-3) bullseye; urgency=medium
-
-  * backport "SMM emulation and interrupt shadow fixes"
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 27 Jul 2022 13:45:39 +0200
-
-pve-kernel (5.15.39-2) bullseye; urgency=medium
-
-  * update to Ubuntu-5.15.0-45.48
-
-  * update ZFS to 2.1.5
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 20 Jul 2022 17:22:19 +0200
-
-pve-kernel (5.15.39-1) bullseye; urgency=medium
-
-  * update to Ubuntu-5.15.0-41.44
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 22 Jun 2022 17:22:00 +0200
-
-pve-kernel (5.15.35-6) bullseye; urgency=medium
-
-  * update to Ubuntu-5.15.0-40.43
-
-  * bump ABI to 5.15.35-3
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 17 Jun 2022 13:42:35 +0200
-
-pve-kernel (5.15.35-5) bullseye; urgency=medium
-
-  * backport netfilter nf_table sanitiation fixes
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 08 Jun 2022 15:02:51 +0200
-
-pve-kernel (5.15.35-4) bullseye; urgency=medium
-
-  * update to Ubuntu-5.15.0-36.37
-
-  * fix #4083: backport "EDAC/amd64: Add PCI device IDs for family 19h
-    model 50h"
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 02 Jun 2022 13:48:41 +0200
-
-pve-kernel (5.15.35-3) bullseye; urgency=medium
-
-  * fix #4039: backport aquantia atlantic NIC fixes
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 11 May 2022 07:57:51 +0200
-
-pve-kernel (5.15.35-2) bullseye; urgency=medium
-
-  * cherry pick "NFSv4.1 provide mount option to toggle trunking discovery"
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 05 May 2022 13:54:35 +0200
-
-pve-kernel (5.15.35-1) bullseye; urgency=medium
-
-  * update to Ubuntu-5.15.0-29.30
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 04 May 2022 12:32:49 +0200
-
-pve-kernel (5.15.30-3) bullseye; urgency=medium
-
-  * backport "io_uring: fix race between timeout flush and removal"
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 22 Apr 2022 18:08:27 +0200
-
-pve-kernel (5.15.30-2) bullseye; urgency=medium
-
-  * update sources to Ubuntu-5.15.0-27.28
-
-  * bump ABI to 5.15.30-2
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 22 Apr 2022 11:15:56 +0200
-
-pve-kernel (5.15.30-1) bullseye; urgency=medium
-
-  * update sources to Ubuntu-5.15.0-24.24 based on 5.15.30
-
-  * update ZFS to 2.1.4
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Mar 2022 10:36:02 +0200
-
-pve-kernel (5.15.27-1) bullseye; urgency=medium
-
-  * update sources to Ubuntu-5.15.0-23.23 based on 5.15.27
-
-  * update ZFS to 2.1.3
-
- -- Proxmox Support Team <support@proxmox.com>  Sat, 12 Mar 2022 15:16:17 +0100
-
-pve-kernel (5.15.19-3) bullseye; urgency=medium
-
-  * backport "lib/iov_iter: initialize "flags" in new pipe_buffer"
-    fixing CVE-2022-0847 "dirty pipe"
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 07 Mar 2022 16:23:02 +0100
-
-pve-kernel (5.15.19-2) bullseye; urgency=medium
-
-  * backport fbdev memory region release improvements
-
-  * ensure 'simpledrm' module gets build, allowing it to take over any system
-    VGA/VBE/EFI framebuffer directly
-
-  * bump ABI to 5.15.19-2
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Feb 2022 11:19:02 +0100
-
-pve-kernel (5.15.19-1) bullseye; urgency=medium
-
-  * update sources to Ubuntu-5.15.0-20.20 based on 5.15.19
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 04 Feb 2022 06:09:14 +0100
-
-pve-kernel (5.15.17-1) bullseye; urgency=medium
-
-  * update sources to Ubuntu-5.15.0-19.19 based on 5.15.17
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 31 Jan 2022 09:41:30 +0100
-
-pve-kernel (5.15.12-3) bullseye; urgency=medium
-
-  * backport "vfs: fs_context: fix up param length parsing in
-    legacy_parse_param"
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 20 Jan 2022 16:36:44 +0100
-
-pve-kernel (5.15.12-2) bullseye; urgency=medium
-
-  * update sources to Ubuntu-5.15.0-16.16 based on 5.15.12
-
-  * update ZFS to 2.1.2
-
-  * ZFS: cherry-pick lock-inversion patch for zvol_open
-
-  * cherry-pick "blk-cgroup: always terminate io.stat lines"
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 11 Jan 2022 16:43:18 +0100
-
-pve-kernel (5.15.7-1) bullseye; urgency=medium
-
-  * update to Ubuntu-5.15.0-14.14
-
-  * bump ABI to 5.15.7-1
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Dec 2021 16:42:34 +0100
-
-pve-kernel (5.15.5-1) bullseye; urgency=medium
-
-  * update to upcomming Ubuntu 22.04, Jammy Jellyfish kernel
-
-  * bump ABI to 5.15.5-1
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Nov 2021 18:49:57 +0100
-
-pve-kernel (5.13.19-4) bullseye; urgency=medium
-
-  * update sources to Ubuntu-5.13.0-23.23
-
-  * bump ABI to 5.13.19-2
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Nov 2021 12:10:09 +0100
-
-pve-kernel (5.13.19-3) bullseye; urgency=medium
-
-  * backport two io-wq fixes relevant for io_uring
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Nov 2021 13:31:19 +0100
-
-pve-kernel (5.13.19-2) bullseye; urgency=medium
-
-  * re-enable retrying to get a blockdev on ERESTARTSYS to work around
-    ZFS still depending on that
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 09 Nov 2021 12:59:38 +0100
-
-pve-kernel (5.13.19-1) bullseye; urgency=medium
-
-  * update sources to Ubuntu-5.13.0-22.22
-
- -- Proxmox Support Team <support@proxmox.com>  Sat, 06 Nov 2021 13:08:30 +0100
-
-pve-kernel (5.13.18-1) bullseye; urgency=medium
-
-  * update sources to Ubuntu-5.13.0-21.21
-
-  * bump ABI to 5.13.18-1
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 19 Oct 2021 13:42:26 +0200
-
-pve-kernel (5.13.14-1) bullseye; urgency=medium
-
-  * update kernel-base to Ubuntu 21.10 Impish kernel
-
-  * update ZFS to 2.1.1
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 28 Sep 2021 06:16:44 +0200
-
-pve-kernel (5.11.22-9) bullseye; urgency=medium
-
-  * backport "blk-mq: fix kernel panic during iterating over flush
-    request"
-
-  * d/rules: kconfig: enable SQUASHFS_DECOMP_MULTI_PERCPU to speed up
-    decompression of mounted squashfs images
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 22 Sep 2021 10:11:11 +0200
-
-pve-kernel (5.11.22-8) bullseye; urgency=medium
-
-  * update to Ubuntu-5.11.0-34.36
-
-  * fix #3552: cherry-pick PCI probe fixes
-
-  * build nvme as a module again to satisfy some inflexible (mellanox) modules
-    insisting in being able to load the nvme-core module as dependency
-
-  * bump ABI to 5.11.22-4
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Aug 2021 11:51:34 +0200
-
-pve-kernel (5.11.22-7) bullseye; urgency=medium
-
-  * cherry-pick fixes for CVE-2021-3656 and CVE-2021-3653
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 18 Aug 2021 15:06:12 +0200
-
-pve-kernel (5.11.22-6) bullseye; urgency=medium
-
-  * io_uring: don't block level reissue off completion path
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 28 Jul 2021 10:51:12 +0200
-
-pve-kernel (5.11.22-5) bullseye; urgency=medium
-
-  * import Ubuntu-5.11.0-26.28
-
-  * pull in upstream stable releases from v5.10.44, v5.12.11
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 21 Jul 2021 18:25:44 +0200
-
-pve-kernel (5.11.22-4) bullseye; urgency=medium
-
-  * fix CVE-2021-33909: seq_file: disallow extremely large seq buffer
-    allocations
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 20 Jul 2021 21:40:02 +0200
-
-pve-kernel (5.11.22-3) bullseye; urgency=medium
-
-  * update ZFS to 2.0.5
-
-  * pull in upstream stable releases from v5.10.43, v5.12.10
-
-  * ensure 'performance' is the default frequency CPU governor again, as
-    schedutil seems to cause still some issues in with a few VM workloads
-
- -- Proxmox Support Team <support@proxmox.com>  Sun, 11 Jul 2021 13:45:15 +0200
-
-pve-kernel (5.11.22-2) bullseye; urgency=medium
-
-  * net: bridge: sync fdb to new unicast-filtering ports
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 02 Jul 2021 16:22:45 +0200
-
-pve-kernel (5.11.22-1) bullseye; urgency=medium
-
-  * update sources to stable release 5.11.22 with Ubuntu-5.11.0-23.24
-
-  * pve-kernel-libc-dev: add version to Provides dependency field for
-    linux-libc-dev to satisfy versioned dependencies from other packages
-
-  * build perf with python3
-
-  * fixes #3465: keep unstripped kernel and module files, allowing one to use
-    kdump-tools
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 23 Jun 2021 08:53:17 +0200
-
-pve-kernel (5.11.21-1) bullseye; urgency=medium
-
-  * update sources to stable release 5.11.21 with Ubuntu-5.11.0-19.20
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 01 Jun 2021 16:38:57 +0200
-
-pve-kernel (5.11.17-1) bullseye; urgency=medium
-
-  * update sources to stable release 5.11.17 with Ubuntu-5.11.0-18.19
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 12 May 2021 12:45:37 +0200
-
-pve-kernel (5.11.12-1) bullseye; urgency=medium
-
-  * update sources to Ubuntu-5.11.0-14.15
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 09 Apr 2021 10:31:19 +0200
-
-pve-kernel (5.11.7-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.11.0-12.13
-
-  * update ZFS to 2.0.4
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Mar 2021 14:07:05 +0100
-
-pve-kernel (5.11.0-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.11.0-11.12
-
-  * update ZFS to 2.0.3
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Mar 2021 13:36:01 +0100
-
-pve-kernel (5.10.6-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.10.0-12.13
-
-  * update ZFS to 2.0.1
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 14 Jan 2021 14:27:01 +0100
-
-pve-kernel (5.4.78-2) pve pmg; urgency=medium
-
-  * revert commit 552b270b5784dc3 "scsi: be2iscsi: Fix a theoretical leak in
-    beiscsi_create_eqs()" to avoid hangs and kernel oopses on module load
-
-  * cherry-pick patch to allow unprivileged whiteout device creation
-
-  * bump ABI to 5.4.78-2
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Dec 2020 14:26:17 +0100
-
-pve-kernel (5.4.78-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.4.0-57.63
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 30 Nov 2020 10:57:47 +0100
-
-pve-kernel (5.4.73-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.4.0-55.61
-
-  * update ZFS to 0.8.5
-
-  * downgrade unregister_netdev waiting to become free error from emergency to
-    error log
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 16 Nov 2020 10:52:16 +0100
-
-pve-kernel (5.4.65-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.4.0-49.53
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Sep 2020 15:40:22 +0200
-
-pve-kernel (5.4.60-2) pve pmg; urgency=medium
-
-  * improve guards against a packet offset calculation overflow for certain raw
-    packet sockets
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 04 Sep 2020 10:24:50 +0200
-
-pve-kernel (5.4.60-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.4.0-46.50
-
-  * bump ABI to 5.4.60-1
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 31 Aug 2020 10:36:22 +0200
-
-pve-kernel (5.4.55-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.4.0-43.47
-
-  * bump ABI to 5.4.55-1
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2020 10:26:27 +0200
-
-pve-kernel (5.4.44-2) pve pmg; urgency=medium
-
-  * fix #2814: config: disable lockdown
-
-  * backport: cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
-
-  * bump ABI to 5.4.44-2
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 01 Jul 2020 16:37:57 +0200
-
-pve-kernel (5.4.44-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.4.0-38.42
-
-  * bump ABI to 5.4.44-1
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jun 2020 08:18:46 +0200
-
-pve-kernel (5.4.41-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.4.0-32.36
-
-  * update ZFS to 0.8.4
-
-  * Revert "scsi: lpfc: Fix broken Credit Recovery after driver load" as a
-    workaround for some LP Fibre Channel SCSI boxes.
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 15 May 2020 15:06:08 +0200
-
-pve-kernel (5.4.34-2) pve pmg; urgency=medium
-
-  * backport fix for overlayfs
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 07 May 2020 10:02:02 +0200
-
-pve-kernel (5.4.34-1) pve pmg; urgency=medium
-
-  * update to Ubuntu-5.4.0-30.34
-
-  * bump ABI to 5.4.34-1
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 06 May 2020 10:16:59 +0200
-
-pve-kernel (5.4.30-1) pve pmg; urgency=medium
-
-  * update to Ubuntu-5.4.0-24.28
-
-  * bump ABI to 5.4.30-1
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 10 Apr 2020 09:12:42 +0200
-
-pve-kernel (5.4.27-1) pve pmg; urgency=medium
-
-  * update to Ubuntu-5.4.0-19.23
-
-  * bump ABI to 5.4.27-1
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 23 Mar 2020 15:02:22 +0100
-
-pve-kernel (5.4.24-1) pve pmg; urgency=medium
-
-  * update to Ubuntu-5.4.0-18.22
-
-  * bump ABI to 5.4.24-1
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Mar 2020 12:59:46 +0100
-
-pve-kernel (5.4.22-1) pve pmg; urgency=medium
-
-  * Initial Ubuntu Focal Kernel build, based on 5.4
-
-  * update sources to Ubuntu-5.4.0-17.21
-
-  * bump ABI to 5.4.22-1
-
- -- Proxmox Support Team <support@proxmox.com>  Mon, 02 Mar 2020 15:49:45 +0100
-
-pve-kernel (5.3.18-2) pve pmg; urgency=medium
-
-  * bump ABI to 5.3.18-2
-
-  * update to Ubuntu-5.3.0-41.33
-
- -- Proxmox Support Team <support@proxmox.com>  Sat, 15 Feb 2020 15:11:52 +0100
-
-pve-kernel (5.3.18-1) pve pmg; urgency=medium
-
-  * bump ABI to 5.3.18-1
-
-  * update sources to Ubuntu-5.3.0-40.32
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 05 Feb 2020 11:49:10 +0100
-
-pve-kernel (5.3.13-3) pve pmg; urgency=medium
-
-  * backport fixes for information leak within a KVM guest
-
-  * bump ABI to 5.3.13-3
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 31 Jan 2020 08:17:11 +0100
-
-pve-kernel (5.3.13-2) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.3.0-29.31
-
-  * update ZFS to 0.8.3
-
- -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Jan 2020 09:49:36 +0100
-
-pve-kernel (5.3.13-1) pve pmg; urgency=medium
-
-  * bump ABI to 5.3.13-1
-
-  * update sources to Ubuntu-5.3.0-25.27
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 05 Dec 2019 07:18:14 +0100
-
-pve-kernel (5.3.10-1) pve pmg; urgency=medium
-
-  * bump ABI to 5.3.10-1
-
-  * update sources to Ubuntu-5.3.0-24.26
-
- -- Proxmox Support Team <support@proxmox.com>  Thu, 14 Nov 2019 10:43:13 +0100
-
-pve-kernel (5.3.7-1) pve pmg; urgency=medium
-
-  * update sources to Ubuntu-5.3.0-20.21
-
-  * bump ABI to 5.3.7-1
-
-  * update ZFS submodule to include FPU/SIMD fixes
-
- -- Proxmox Support Team <support@proxmox.com>  Wed, 23 Oct 2019 19:00:21 +0200
-
-pve-kernel (5.3.1-1) pve pmg; urgency=medium
-
-  * Initial Ubuntu Eoan Kernel build, based on 5.3
-
-  * update sources to Ubuntu-5.3.0-16.17
-
-  * bump ABI to 5.3.0-1
-
- -- Proxmox Support Team <support@proxmox.com>  Tue, 01 Oct 2019 18:57:21 +0200
+ -- Proxmox Support Team <support@proxmox.com>  Wed, 23 Oct 2019 17:49:13 +0200
 
 pve-kernel (5.0.21-7) pve pmg; urgency=medium
 

debian/control.in

@@ -9,7 +9,6 @@ Build-Depends: asciidoc-base,
                cpio,
                debhelper (>= 10~),
                dh-python,
-               dwarves,
                file,
                flex,
                gcc (>= 8.3.0-6),
@@ -24,17 +23,15 @@ Build-Depends: asciidoc-base,
                libssl-dev,
                libtool,
                lintian,
-               lz4,
                perl-modules,
-               python3-minimal,
+               python-minimal,
                rsync,
                sed,
                sphinx-common,
                tar,
                xmlto,
                zlib1g-dev,
-               zstd,
-Build-Conflicts: pve-headers-@KVNAME@
+Build-Conflicts: pve-headers-@KVNAME@,
 Vcs-Git: git://git.proxmox.com/git/pve-kernel
 Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
 
@@ -42,7 +39,9 @@ Package: linux-tools-@KVMAJMIN@
 Architecture: any
 Section: devel
 Priority: optional
-Depends: linux-base, ${misc:Depends}, ${shlibs:Depends}
+Depends: linux-base,
+         ${misc:Depends},
+         ${shlibs:Depends},
 Description: Linux kernel version specific tools for version @KVMAJMIN@
  This package provides the architecture dependent parts for kernel
  version locked tools (such as perf and x86_energy_perf_policy)
@@ -51,50 +50,21 @@ Package: pve-headers-@KVNAME@
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-headers-@KVNAME@-amd64
-Depends: coreutils | fileutils (>= 4.0)
-Description: Proxmox Kernel Headers
+Provides: linux-headers,
+          linux-headers-2.6,
+Depends: coreutils | fileutils (>= 4.0),
+Description: The Proxmox PVE Kernel Headers
  This package contains the linux kernel headers
 
 Package: pve-kernel-@KVNAME@
 Section: admin
 Priority: optional
 Architecture: any
-Provides: linux-image-@KVNAME@-amd64
-Suggests: pve-firmware
-Depends: busybox, initramfs-tools | linux-initramfs-tool
-Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64
-Description: Proxmox Kernel Image
+Provides: linux-image,
+          linux-image-2.6,
+Suggests: pve-firmware,
+Depends: busybox,
+         initramfs-tools,
+Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64,
+Description: The Proxmox PVE Kernel Image
  This package contains the linux kernel and initial ramdisk used for booting
-
-Package: pve-kernel-@KVNAME@-dbgsym
-Architecture: any
-Provides: linux-debug
-Section: devel
-Priority: optional
-Build-Profiles: <pkg.pve-kernel.debug>
-Description: Proxmox Kernel debug image
- This package provides the kernel debug image for version @KVNAME@. The debug
- kernel image contained in this package is NOT meant to boot from - it is
- uncompressed, and unstripped, and suitable for use with crash/kdump-tools/..
- to analyze kernel crashes. This package also contains the pve-kernel modules
- in their unstripped version.
-
-Package: pve-kernel-@KVNAME@-signed-template
-Architecture: amd64
-Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
-Description: Template for signed kernel package
- This package is used to control code signing by the Proxmox signing
- service.
-
-Package: pve-kernel-libc-dev
-Section: devel
-Priority: optional
-Architecture: any
-Provides: linux-libc-dev (=${binary:Version})
-Conflicts: linux-libc-dev
-Replaces: linux-libc-dev
-Depends: ${misc:Depends}
-Description: Linux support headers for userspace development
- This package provides userspaces headers from the Linux kernel.  These headers
- are used by the installed headers for GNU libc and other system libraries.

debian/copyright

@@ -1,8 +1,11 @@
 This is a prepackaged version of the Linux kernel binary image.
 
-For the packaging and all files in the debian/ folder consider:
- Copyright (C) 2007-2022 Proxmox Server Solutions GmbH
- Licensed under the AGPL-3.0-or-later
+This package was put together by Proxmox Server
+Solutions GmbH <support@proxmox.com>.
+
+We use the RHEL7 kernel sources, available from:
+
+ftp://ftp.redhat.com/redhat/rhel/
 
 Linux is copyrighted by Linus Torvalds and others.
 

debian/rules

@@ -12,14 +12,9 @@ include debian/rules.d/env.mk
 include debian/rules.d/${DEB_BUILD_ARCH}.mk
 
 CHANGELOG_DATE:=$(shell dpkg-parsechangelog -SDate)
-CHANGELOG_DATE_UTC_ISO := $(shell date -u -d '$(CHANGELOG_DATE)' +%Y-%m-%dT%H:%MZ)
 
 PVE_KERNEL_PKG=pve-kernel-${KVNAME}
-PVE_DEBUG_KERNEL_PKG=pve-kernel-${KVNAME}-dbgsym
 PVE_HEADER_PKG=pve-headers-${KVNAME}
-PVE_USR_HEADER_PKG=pve-kernel-libc-dev
-PVE_KERNEL_SIGNING_TEMPLATE_PKG=pve-kernel-${KVNAME}-signed-template
-PVE_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')
 LINUX_TOOLS_PKG=linux-tools-${KERNEL_MAJMIN}
 KERNEL_SRC_COPY=${KERNEL_SRC}_tmp
 
@@ -32,69 +27,35 @@ PVE_CONFIG_OPTS= \
 -m CONFIG_CEPH_FS \
 -m CONFIG_BLK_DEV_NBD \
 -m CONFIG_BLK_DEV_RBD \
--m CONFIG_BLK_DEV_UBLK \
 -d CONFIG_SND_PCSP \
 -m CONFIG_BCACHE \
 -m CONFIG_JFS_FS \
 -m CONFIG_HFS_FS \
 -m CONFIG_HFSPLUS_FS \
--e CIFS_SMB_DIRECT \
--e CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU \
 -e CONFIG_BRIDGE \
 -e CONFIG_BRIDGE_NETFILTER \
 -e CONFIG_BLK_DEV_SD \
 -e CONFIG_BLK_DEV_SR \
 -e CONFIG_BLK_DEV_DM \
--m CONFIG_BLK_DEV_NVME \
+-e CONFIG_BLK_DEV_NVME \
 -e CONFIG_NLS_ISO8859_1 \
 -d CONFIG_INPUT_EVBUG \
 -d CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND \
--d CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL \
 -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
--e CONFIG_SYSFB_SIMPLEFB \
--e CONFIG_DRM_SIMPLEDRM \
--e CONFIG_MODULE_SIG \
--e CONFIG_MODULE_SIG_ALL \
--e CONFIG_MODULE_SIG_FORMAT \
---set-str CONFIG_MODULE_SIG_HASH sha512 \
---set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
--e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
--e CONFIG_MODULE_SIG_SHA512 \
+-d CONFIG_MODULE_SIG \
 -d CONFIG_MEMCG_DISABLED \
 -e CONFIG_MEMCG_SWAP_ENABLED \
 -e CONFIG_HYPERV \
--m CONFIG_VFIO_IOMMU_TYPE1 \
--m CONFIG_VFIO_VIRQFD \
--m CONFIG_VFIO \
--m CONFIG_VFIO_PCI \
--m CONFIG_USB_XHCI_HCD \
--m CONFIG_USB_XHCI_PCI \
--m CONFIG_USB_EHCI_HCD \
--m CONFIG_USB_EHCI_PCI \
--m CONFIG_USB_EHCI_HCD_PLATFORM \
--m CONFIG_USB_OHCI_HCD \
--m CONFIG_USB_OHCI_HCD_PCI \
--m CONFIG_USB_OHCI_HCD_PLATFORM \
--d CONFIG_USB_OHCI_HCD_SSB \
--m CONFIG_USB_UHCI_HCD \
--d CONFIG_USB_SL811_HCD_ISO \
 -e CONFIG_MEMCG_KMEM \
 -d CONFIG_DEFAULT_CFQ \
 -e CONFIG_DEFAULT_DEADLINE \
 -e CONFIG_MODVERSIONS \
--e CONFIG_ZSTD_COMPRESS \
 -d CONFIG_DEFAULT_SECURITY_DAC \
 -e CONFIG_DEFAULT_SECURITY_APPARMOR \
 --set-str CONFIG_DEFAULT_SECURITY apparmor \
--e CONFIG_MODULE_ALLOW_BTF_MISMATCH \
 -d CONFIG_UNWINDER_ORC \
 -d CONFIG_UNWINDER_GUESS \
 -e CONFIG_UNWINDER_FRAME_POINTER \
---set-str CONFIG_SYSTEM_TRUSTED_KEYS "../debian/certs/combined.pem"\
---set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
--e CONFIG_SECURITY_LOCKDOWN_LSM \
--e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
---set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
 -e CONFIG_PAGE_TABLE_ISOLATION
 
 debian/control: $(wildcard debian/*.in)
@@ -108,23 +69,9 @@ debian/control: $(wildcard debian/*.in)
 	chmod +x debian/${PVE_HEADER_PKG}.postinst
 	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/${KERNEL_MAJMIN}/g' < debian/control.in > debian/control
 
-	# combine trusted certificates
-	cat debian/certs/*.pem > debian/certs/combined.pem
-
-	# signing-template
-	sed -e '1 s/pve-kernel/pve-kernel-signed/' -e '1 s/${DEB_VERSION}/${PVE_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog
-	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control
-	sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json
-	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.prerm.in > debian/signing-template/prerm
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postrm.in > debian/signing-template/postrm
-	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postinst.in > debian/signing-template/postinst
-	rm debian/signing-template/*.in
-	cp debian/SOURCE debian/signing-template/
-
 build: .compile_mark .tools_compile_mark .modules_compile_mark
 
-install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
+install: .install_mark .tools_install_mark .headers_install_mark
 	dh_installdocs -A debian/copyright debian/SOURCE
 	dh_installchangelogs
 	dh_installman
@@ -134,7 +81,7 @@ install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_in
 
 binary: install
 	debian/rules fwcheck abicheck
-	dh_strip -N${PVE_HEADER_PKG} -N${PVE_USR_HEADER_PKG}
+	dh_strip -N${PVE_HEADER_PKG}
 	dh_makeshlibs
 	dh_shlibdeps
 	dh_installdeb
@@ -145,13 +92,10 @@ binary: install
 .config_mark:
 	cd ${KERNEL_SRC}; scripts/config ${PVE_CONFIG_OPTS}
 	${MAKE} -C ${KERNEL_SRC} oldconfig
-	# copy to allow building in parallel to kernel/module compilation without interference
-	rm -rf ${KERNEL_SRC_COPY}
-	cp -ar ${KERNEL_SRC} ${KERNEL_SRC_COPY}
 	touch $@
 
 .compile_mark: .config_mark
-	${MAKE} -C ${KERNEL_SRC} KBUILD_BUILD_VERSION_TIMESTAMP="PVE ${DEB_VERSION} (${CHANGELOG_DATE_UTC_ISO})"
+	${MAKE} -C ${KERNEL_SRC} KBUILD_BUILD_VERSION_TIMESTAMP="PVE ${DEB_VERSION} (${CHANGELOG_DATE})"
 	touch $@
 
 .install_mark: .compile_mark .modules_compile_mark
@@ -164,33 +108,11 @@ binary: install
 	${MAKE} -C ${KERNEL_SRC} INSTALL_MOD_PATH=${BUILD_DIR}/debian/${PVE_KERNEL_PKG}/ modules_install
 	# install zfs drivers
 	install -d -m 0755 debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 $(addprefix ${MODULES}/,zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko icp.ko zlua.ko spl.ko zzstd.ko) debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 $(addprefix ${MODULES}/,zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko icp.ko zlua.ko spl.ko) debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
 	# remove firmware
 	rm -rf debian/${PVE_KERNEL_PKG}/lib/firmware
-
-ifeq ($(filter pkg.pve-kernel.debug,$(DEB_BUILD_PROFILES)),)
-	echo "'pkg.pve-kernel.debug' build profile disabled, skipping -dbgsym creation"
-else
-	echo "'pkg.pve-kernel.debug' build profile enabled, creating -dbgsym contents"
-	mkdir -p debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}
-	mkdir debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/boot
-	install -m 644 ${KERNEL_SRC}/vmlinux debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/boot/vmlinux-${KVNAME}
-	cp -r debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME} debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/
-	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/source
-	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/build
-	rm -f debian/${PVE_DEBUG_KERNEL_PKG}/usr/lib/debug/lib/modules/${KVNAME}/modules.*
-endif
-
 	# strip debug info
 	find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
-
-	# sign modules using ephemeral, embedded key
-	if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
-		find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do \
-			./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
-		done; \
-		rm ./ubuntu-kernel/certs/signing_key.pem ; \
-	fi
 	# finalize
 	/sbin/depmod -b debian/${PVE_KERNEL_PKG}/ ${KVNAME}
 	# Autogenerate blacklist for watchdog devices (see README)
@@ -200,26 +122,10 @@ endif
 	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/${PVE_KERNEL_PKG}/lib/modprobe.d/blacklist_${PVE_KERNEL_PKG}.conf
 	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/source
 	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/build
-
-	# copy signing template contents
-	rm -rf debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}
-	mkdir -p debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
-	cp -R debian/copyright \
-		debian/signing-template/rules \
-		debian/signing-template/control \
-		debian/signing-template/source \
-		debian/signing-template/changelog \
-		debian/signing-template/prerm \
-		debian/signing-template/postrm \
-		debian/signing-template/postinst \
-		debian/signing-template/SOURCE \
-		debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
-	cp debian/signing-template/files.json debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/
-
 	touch $@
 
 .tools_compile_mark: .compile_mark
-	${MAKE} -C ${KERNEL_SRC}/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
+	${MAKE} -C ${KERNEL_SRC}/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python2.7
 	echo "checking GPL-2 only perf binary for library linkage with incompatible licenses.."
 	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibbfd'
 	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibcrypto'
@@ -241,6 +147,9 @@ endif
 	rm -rf debian/${PVE_HEADER_PKG}
 	mkdir -p debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
 	install -m 0644 ${KERNEL_SRC}/.config debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	# copy to allow building in parallel to kernel/module compilation without interference
+	rm -rf ${KERNEL_SRC_COPY}
+	cp -ar ${KERNEL_SRC} ${KERNEL_SRC_COPY}
 	make -C ${KERNEL_SRC_COPY} mrproper
 	cd ${KERNEL_SRC_COPY}; find . -path './debian/*' -prune \
 	    -o -path './include/*' -prune \
@@ -255,6 +164,7 @@ endif
 	        -o -name '*.pl' \
 	    \) \
 	    -print | cpio -pd --preserve-modification-time ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	cd ${KERNEL_SRC_COPY}; cp -a include scripts ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
 	cd ${KERNEL_SRC_COPY}; \
 	    ( \
 	        find arch/${KERNEL_HEADER_ARCH} -name include -type d -print | \
@@ -268,9 +178,8 @@ endif
 	rm -rf ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}
 	mkdir -p ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}
 	cp ${KERNEL_SRC}/.config ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}/.config
-	${MAKE} -C ${KERNEL_SRC_COPY} O=${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG} -j1 syncconfig modules_prepare prepare scripts
-	cd ${KERNEL_SRC_COPY}; cp -a include scripts ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
-	find ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG} -name \*.o.ur-\* -o -name '*.cmd' | xargs rm -f
+	${MAKE} -C ${KERNEL_SRC_COPY} O=${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG} -j1 syncconfig prepare scripts
+	find ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG} -name \*.o.ur-\* | xargs rm -f
 	rsync --ignore-existing -r -v -a $(addprefix ${BUILD_DIR}/${KERNEL_SRC_COPY}/${PVE_HEADER_PKG}/,arch include kernel scripts tools) ${BUILD_DIR}/debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}/
 	rm -rf ${BUILD_DIR}/${KERNEL_SRC_COPY}
 	touch $@
@@ -282,22 +191,6 @@ endif
 	ln -sf /usr/src/linux-headers-${KVNAME} debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}/build
 	touch $@
 
-.usr_headers_install_mark: PKG_DIR = debian/${PVE_USR_HEADER_PKG}
-.usr_headers_install_mark: OUT_DIR = ${PKG_DIR}/usr
-.usr_headers_install_mark: .config_mark
-	rm -rf '${PKG_DIR}'
-	mkdir -p  '${PKG_DIR}'
-	$(MAKE) -C ${KERNEL_SRC} headers_install ARCH=$(KERNEL_HEADER_ARCH) INSTALL_HDR_PATH='$(CURDIR)'/$(OUT_DIR)
-	rm -rf $(OUT_DIR)/include/drm $(OUT_DIR)/include/scsi
-	find $(OUT_DIR)/include \( -name .install -o -name ..install.cmd \) -execdir rm {} +
-
-# Move include/asm to arch-specific directory
-	mkdir -p $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)
-	mv $(OUT_DIR)/include/asm $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
-	test ! -d $(OUT_DIR)/include/arch || \
-		mv $(OUT_DIR)/include/arch $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
-	touch $@
-
 .modules_compile_mark: ${MODULES}/zfs.ko
 	touch $@
 
@@ -313,7 +206,6 @@ ${MODULES}/zfs.ko: .compile_mark
 	cp ${MODULES}/${ZFSDIR}/module/zfs/zfs.ko ${MODULES}/
 	cp ${MODULES}/${ZFSDIR}/module/lua/zlua.ko ${MODULES}/
 	cp ${MODULES}/${ZFSDIR}/module/spl/spl.ko ${MODULES}/
-	cp ${MODULES}/${ZFSDIR}/module/zstd/zzstd.ko ${MODULES}/
 
 fwlist-${KVNAME}: .compile_mark .modules_compile_mark
 	debian/scripts/find-firmware.pl debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME} >fwlist.tmp

debian/scripts/abi-check

@@ -5,7 +5,8 @@ my $abiold = shift;
 my $skipabi = shift;
 
 # to catch multiple abi-prev-* files being passed in
-die "invalid value '$skipabi' for skipabi parameter\n" if defined($skipabi) && $skipabi !~ /^[01]$/;
+die "invalid value for skipabi parameter\n"
+	if (defined($skipabi) && $skipabi !~ /^[01]$/);
 
 $abinew =~ /abi-(.*)/;
 my $abistr = $1;

debian/scripts/export-patchqueue

@@ -6,7 +6,7 @@ top=$(pwd)
 
 if [ "$#" -ne 3 ]; then
     echo "USAGE: $0 repo patchdir ref"
-    printf "\t exports patches from 'repo' to 'patchdir' based on 'ref'\n"
+    echo "\t exports patches from 'repo' to 'patchdir' based on 'ref'"
     exit 1
 fi
 
@@ -26,9 +26,10 @@ git format-patch \
     --zero-commit \
     --no-signature \
     --diff-algorithm=myers \
-    --output-directory="${top}/${kernel_patchdir}" \
+    --output-dir \
+    "${top}/${kernel_patchdir}" \
     "${base_ref}.."
 
-git checkout "${base_ref}"
+git checkout ${base_ref}
 
 cd "${top}"

debian/scripts/find-firmware.pl

@@ -8,7 +8,7 @@ die "no directory to scan" if !$dir;
 
 die "no such directory" if ! -d $dir;
 
-warn "\n\nNOTE: strange directory name: $dir\n\n" if $dir !~ m|^(.*/)?(\d+.\d+.\d+\-\d+\-pve)(/+)?$|;
+die "strange directory name" if $dir !~ m|^(.*/)?(5.0.\d+\-\d+\-pve)(/+)?$|;
 
 my $apiver = $2;
 

debian/signing-template/control.in

@@ -1,25 +0,0 @@
-Source: pve-kernel-signed
-Section: kernel
-Priority: optional
-Maintainer: Proxmox Support Team <support@proxmox.com>
-Standards-Version: 4.2.0
-Build-Depends: debhelper-compat (= 12), dh-exec, python3:any, rsync, sbsigntool, pve-kernel-@KVNAME@ (= @UNSIGNED_VERSION@)
-Rules-Requires-Root: no
-Vcs-Git: git://git.proxmox.com/git/pve-kernel
-Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
-
-Package: pve-kernel-@KVNAME@-signed
-Section: admin
-Priority: optional
-Architecture: any
-Provides: linux-image-@KVNAME@-amd64, pve-kernel-@KVNAME@
-Depends: ${unsigned:Depends}, ${misc:Depends}
-Recommends: ${unsigned:Recommends}
-Suggests: ${unsigned:Suggests}
-Breaks: ${unsigned:Breaks}
-Conflicts: pve-kernel-@KVNAME@
-Replaces: pve-kernel-@KVNAME@
-Description: ${unsigned:DescriptionShort} (signed)
- ${unsigned:DescriptionLong}
- .
- This package contains the kernel image signed by the Proxmox Secure Boot CA.

debian/signing-template/files.json.in

@@ -1,13 +0,0 @@
-{
-	"packages": {
-		"pve-kernel-@KVNAME@": {
-			"trusted_certs": [],
-			"files": [
-				{
-					"sig_type": "efi",
-					"file": "boot/vmlinuz-@KVNAME@"
-				}
-			]
-		}
-	}
-}

debian/signing-template/rules.in

@@ -1,58 +0,0 @@
-#!/usr/bin/make -f
-
-SHELL := bash -e
-
-export DH_OPTIONS
-
-include /usr/share/dpkg/architecture.mk
-
-KERNEL_VERSION=@KVNAME@
-IMAGE_PACKAGE_NAME=pve-kernel-$(KERNEL_VERSION)
-PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed
-PACKAGE_VERSION=@PKG_VERSION@
-PACKAGE_DIR=debian/$(PACKAGE_NAME)
-SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME}
-
-build: build-arch build-indep
-build-arch:
-build-indep:
-
-clean:
-	dh_testdir
-	dh_clean
-
-binary: binary-arch binary-indep
-binary-arch:
-	dh_testdir
-	mkdir -p $(PACKAGE_DIR)/boot
-	rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/
-	if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
-		sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
-			$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
-	else \
-		echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \
-		false; \
-	fi
-	mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
-	rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
-	mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/
-	cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/
-	dh_install
-	dh_installchangelogs
-	dh_installdocs -A debian/copyright debian/SOURCE
-	dh_lintian
-	dh_compress
-	dh_fixperms
-	dh_installdeb
-	# Copy most package relations and description from unsigned package
-	for field in Depends Suggests Recommends Breaks; do \
-		echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
-	done
-	echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
-	echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
-	dh_gencontrol -- -v$(PACKAGE_VERSION)
-	dh_md5sums
-	dh_builddeb
-binary-indep:
-
-.PHONY: build build-arch build-indep clean binary binary-arch binary-indep

debian/signing-template/source/format

@@ -1 +0,0 @@
-3.0 (native)

patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch

@@ -17,19 +17,28 @@ $KBUILD_BUILD_TIMESTAMP.
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- init/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ scripts/mkcompile_h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
 
-diff --git a/init/Makefile b/init/Makefile
-index 26de459006c4..3157d9c79901 100644
---- a/init/Makefile
-+++ b/init/Makefile
-@@ -29,7 +29,7 @@ preempt-flag-$(CONFIG_PREEMPT_DYNAMIC)	:= PREEMPT_DYNAMIC
- preempt-flag-$(CONFIG_PREEMPT_RT)	:= PREEMPT_RT
+diff --git a/scripts/mkcompile_h b/scripts/mkcompile_h
+index 87f1fc9801d7..4ef868f1f244 100755
+--- a/scripts/mkcompile_h
++++ b/scripts/mkcompile_h
+@@ -33,10 +33,14 @@ else
+ 	VERSION=$KBUILD_BUILD_VERSION
+ fi
  
- build-version = $(or $(KBUILD_BUILD_VERSION), $(build-version-auto))
--build-timestamp = $(or $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
-+build-timestamp = $(or $(KBUILD_BUILD_VERSION_TIMESTAMP), $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
- 
- # Maximum length of UTS_VERSION is 64 chars
- filechk_uts_version = \
+-if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
+-	TIMESTAMP=`date`
++if [ -z "$KBUILD_BUILD_VERSION_TIMESTAMP" ]; then
++	if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
++		TIMESTAMP=`date`
++	else
++		TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
++	fi
+ else
+-	TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
++	TIMESTAMP=$KBUILD_BUILD_VERSION_TIMESTAMP
+ fi
+ if test -z "$KBUILD_BUILD_USER"; then
+ 	LINUX_COMPILE_BY=$(whoami | sed 's/\\/\\\\/')

patches/kernel/0002-bridge-keep-MAC-of-first-assigned-port.patch

@@ -19,10 +19,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 4 deletions(-)
 
 diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
-index 75204d36d7f9..1fb5ff73ec1e 100644
+index 808e2b914015..b0ad54384826 100644
 --- a/net/bridge/br_stp_if.c
 +++ b/net/bridge/br_stp_if.c
-@@ -265,10 +265,7 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
+@@ -259,10 +259,7 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
  		return false;
  
  	list_for_each_entry(p, &br->port_list, list) {

patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch

@@ -55,10 +55,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 111 insertions(+)
 
 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index 2e77ecc12692..eae6fdc4c683 100644
+index 988d3f3ad29d..cd1a1bddb997 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
-@@ -4188,6 +4188,15 @@
+@@ -3312,6 +3312,15 @@
  				Also, it enforces the PCI Local Bus spec
  				rule that those bits should be 0 in system reset
  				events (useful for kexec/kdump cases).
@@ -75,7 +75,7 @@ index 2e77ecc12692..eae6fdc4c683 100644
  				Safety option to keep boot IRQs enabled. This
  				should never be necessary.
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 267e6002e29f..fac76ca1d16a 100644
+index e2479ccedc91..4981d0ec7960 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
 @@ -194,6 +194,106 @@ static int __init pci_apply_final_quirks(void)
@@ -185,8 +185,8 @@ index 267e6002e29f..fac76ca1d16a 100644
  /*
   * Decoding should be disabled for a PCI device during BAR sizing to avoid
   * conflict. But doing so may cause problems on host bridge and perhaps other
-@@ -4959,6 +5059,8 @@ static const struct pci_dev_acs_enabled {
- 	{ PCI_VENDOR_ID_CAVIUM, 0xA060, pci_quirk_mf_endpoint_acs },
+@@ -4564,6 +4664,8 @@ static const struct pci_dev_acs_enabled {
+ 	{ PCI_VENDOR_ID_CAVIUM, PCI_ANY_ID, pci_quirk_cavium_acs },
  	/* APM X-Gene */
  	{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
 +	/* Enable overrides for missing ACS capabilities */

patches/kernel/0004-kvm-disable-default-dynamic-halt-polling-growth.patch

@@ -13,10 +13,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 07aae60288f9..949b7204cf52 100644
+index 6f50cf5b9ef5..a3d541f23204 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
-@@ -79,7 +79,7 @@ module_param(halt_poll_ns, uint, 0644);
+@@ -78,7 +78,7 @@ module_param(halt_poll_ns, uint, 0644);
  EXPORT_SYMBOL_GPL(halt_poll_ns);
  
  /* Default doubles per-vcpu halt_poll_ns. */

patches/kernel/0005-Revert-KVM-VMX-enable-nested-virtualization-by-defau.patch

@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Fri, 7 Jun 2019 21:16:42 +0200
+Subject: [PATCH] Revert "KVM: VMX: enable nested virtualization by default"
+
+This reverts commit 1e58e5e59148916fa43444a406335a990783fb78
+
+As we're not yet there, and this effectively breaks live migration
+for all VMs using host or +vmx which did not manually enabled nesting
+
+Those which already enabled nesting manually have already breakage,
+but that was something to expect. The situation will get better in
+the future (probably post qemu 4.1).
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/vmx/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index 2bb8fa904b9f..835edf9b2954 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -106,7 +106,7 @@ module_param(enable_apicv, bool, S_IRUGO);
+  * VMX and be a hypervisor for its own guests. If nested=0, guests may not
+  * use VMX instructions.
+  */
+-static bool __read_mostly nested = 1;
++static bool __read_mostly nested = 0;
+ module_param(nested, bool, S_IRUGO);
+ 
+ static u64 __read_mostly host_xss;

patches/kernel/0006-net-core-downgrade-unregister_netdevice-refcount-lea.patch

@@ -1,28 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Date: Wed, 7 Oct 2020 17:18:28 +0200
-Subject: [PATCH] net: core: downgrade unregister_netdevice refcount leak from
- emergency to error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
- net/core/dev.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/core/dev.c b/net/core/dev.c
-index fce980d531bd..5079a3851798 100644
---- a/net/core/dev.c
-+++ b/net/core/dev.c
-@@ -10257,7 +10257,7 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list)
- 		if (time_after(jiffies, warning_time +
- 			       READ_ONCE(netdev_unregister_timeout_secs) * HZ)) {
- 			list_for_each_entry(dev, list, todo_list) {
--				pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
-+				pr_err("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
- 					 dev->name, netdev_refcnt_read(dev));
- 				ref_tracker_dir_print(&dev->refcnt_tracker, 10);
- 			}

patches/kernel/0006-rbd-don-t-assert-on-writes-to-snapshots.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Fri, 3 May 2019 17:27:03 +0200
+Subject: [PATCH] rbd: don't assert on writes to snapshots
+
+The check added in commit 721c7fc701c7 ("block: fail op_is_write()
+requests to read-only partitions") was lifted in commit a32e236eb93e
+("Partially revert "block: fail op_is_write() requests to read-only
+partitions"").  Basic things like user triggered writes and discards
+are still caught, but internal kernel users can submit anything.  In
+particular, ext4 will attempt to write to the superblock if it detects
+errors in the filesystem, even if the filesystem is mounted read-only
+on a read-only partition.
+
+The assert is overkill regardless.
+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ drivers/block/rbd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
+index 1e92b61d0bd5..339cdd4062bb 100644
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -3664,8 +3664,12 @@ static void rbd_queue_workfn(struct work_struct *work)
+ 		goto err_rq;
+ 	}
+ 
+-	rbd_assert(op_type == OBJ_OP_READ ||
+-		   rbd_dev->spec->snap_id == CEPH_NOSNAP);
++	if (op_type != OBJ_OP_READ && rbd_dev->spec->snap_id != CEPH_NOSNAP) {
++		rbd_warn(rbd_dev, "%s on read-only snapshot",
++			 obj_op_name(op_type));
++		result = -EIO;
++		goto err;
++	}
+ 
+ 	/*
+ 	 * Quit early if the mapped snapshot no longer exists.  It's

patches/kernel/0007-Revert-RDMA-irdma-Report-the-correct-link-speed.patch

@@ -1,72 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Date: Sat, 7 Jan 2023 13:48:41 +0100
-Subject: [PATCH] Revert "RDMA/irdma: Report the correct link speed"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-seem to cause a regression with some NICs:
-https://lore.kernel.org/netdev/CAK8fFZ6A_Gphw_3-QMGKEFQk=sfCw1Qmq0TVZK3rtAi7vb621A@mail.gmail.com/
-
-This reverts commit e8553504e366c8a47d1f6156c30d6eb9778cda13.
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
- drivers/infiniband/hw/irdma/verbs.c | 35 ++++++++++++++++++++++++++---
- 1 file changed, 32 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
-index f6973ea55eda..132fe91bb799 100644
---- a/drivers/infiniband/hw/irdma/verbs.c
-+++ b/drivers/infiniband/hw/irdma/verbs.c
-@@ -63,6 +63,36 @@ static int irdma_query_device(struct ib_device *ibdev,
- 	return 0;
- }
- 
-+/**
-+ * irdma_get_eth_speed_and_width - Get IB port speed and width from netdev speed
-+ * @link_speed: netdev phy link speed
-+ * @active_speed: IB port speed
-+ * @active_width: IB port width
-+ */
-+static void irdma_get_eth_speed_and_width(u32 link_speed, u16 *active_speed,
-+					  u8 *active_width)
-+{
-+	if (link_speed <= SPEED_1000) {
-+		*active_width = IB_WIDTH_1X;
-+		*active_speed = IB_SPEED_SDR;
-+	} else if (link_speed <= SPEED_10000) {
-+		*active_width = IB_WIDTH_1X;
-+		*active_speed = IB_SPEED_FDR10;
-+	} else if (link_speed <= SPEED_20000) {
-+		*active_width = IB_WIDTH_4X;
-+		*active_speed = IB_SPEED_DDR;
-+	} else if (link_speed <= SPEED_25000) {
-+		*active_width = IB_WIDTH_1X;
-+		*active_speed = IB_SPEED_EDR;
-+	} else if (link_speed <= SPEED_40000) {
-+		*active_width = IB_WIDTH_4X;
-+		*active_speed = IB_SPEED_FDR10;
-+	} else {
-+		*active_width = IB_WIDTH_4X;
-+		*active_speed = IB_SPEED_EDR;
-+	}
-+}
-+
- /**
-  * irdma_query_port - get port attributes
-  * @ibdev: device pointer from stack
-@@ -90,9 +120,8 @@ static int irdma_query_port(struct ib_device *ibdev, u32 port,
- 		props->state = IB_PORT_DOWN;
- 		props->phys_state = IB_PORT_PHYS_STATE_DISABLED;
- 	}
--
--	ib_get_eth_speed(ibdev, port, &props->active_speed,
--			 &props->active_width);
-+	irdma_get_eth_speed_and_width(SPEED_100000, &props->active_speed,
-+				      &props->active_width);
- 
- 	if (rdma_protocol_roce(ibdev, 1)) {
- 		props->gid_tbl_len = 32;

patches/kernel/0007-x86-fpu-backport-copy_kernel_to_XYZ_err-helpers.patch

@@ -0,0 +1,103 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Wed, 3 Apr 2019 18:41:50 +0200
+Subject: [PATCH] x86/fpu: backport copy_kernel_to_XYZ_err helpers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+partial cherry-pick from upstream 5.2 "86/fpu: Restore from kernel
+memory on the 64-bit path too"
+commit 926b21f37b072ae4c117052de45a975c6d468fec
+Author: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+Namely, only backport the added helpers, none of the semantic changes.
+
+relevant parts of the original commit message:
+> In order to avoid that mess, copy the FPU state from userland, validate
+> it and then load it. The copy_kernel_…() helpers are basically just
+> like the old helpers except that they operate on kernel memory and the
+> fault handler just sets the error value and the caller handles it.
+
+Link: https://lkml.kernel.org/r/20190403164156.19645-22-bigeasy@linutronix.de
+(partial cherry picked from commit 926b21f37b072ae4c117052de45a975c6d468fec)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/include/asm/fpu/internal.h | 43 +++++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
+index fa2c93cb42a2..f3193ab0a2fb 100644
+--- a/arch/x86/include/asm/fpu/internal.h
++++ b/arch/x86/include/asm/fpu/internal.h
+@@ -122,6 +122,21 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu);
+ 	err;								\
+ })
+ 
++#define kernel_insn_err(insn, output, input...)				\
++({									\
++	int err;							\
++	asm volatile("1:" #insn "\n\t"					\
++		     "2:\n"						\
++		     ".section .fixup,\"ax\"\n"				\
++		     "3:  movl $-1,%[err]\n"				\
++		     "    jmp  2b\n"					\
++		     ".previous\n"					\
++		     _ASM_EXTABLE(1b, 3b)				\
++		     : [err] "=r" (err), output				\
++		     : "0"(0), input);					\
++	err;								\
++})
++
+ #define kernel_insn(insn, output, input...)				\
+ 	asm volatile("1:" #insn "\n\t"					\
+ 		     "2:\n"						\
+@@ -158,6 +173,14 @@ static inline void copy_kernel_to_fxregs(struct fxregs_state *fx)
+ 	}
+ }
+ 
++static inline int copy_kernel_to_fxregs_err(struct fxregs_state *fx)
++{
++	if (IS_ENABLED(CONFIG_X86_32))
++		return kernel_insn_err(fxrstor %[fx], "=m" (*fx), [fx] "m" (*fx));
++	else
++		return kernel_insn_err(fxrstorq %[fx], "=m" (*fx), [fx] "m" (*fx));
++}
++
+ static inline int copy_user_to_fxregs(struct fxregs_state __user *fx)
+ {
+ 	if (IS_ENABLED(CONFIG_X86_32))
+@@ -175,6 +198,11 @@ static inline void copy_kernel_to_fregs(struct fregs_state *fx)
+ 	kernel_insn(frstor %[fx], "=m" (*fx), [fx] "m" (*fx));
+ }
+ 
++static inline int copy_kernel_to_fregs_err(struct fregs_state *fx)
++{
++	return kernel_insn_err(frstor %[fx], "=m" (*fx), [fx] "m" (*fx));
++}
++
+ static inline int copy_user_to_fregs(struct fregs_state __user *fx)
+ {
+ 	return user_insn(frstor %[fx], "=m" (*fx), [fx] "m" (*fx));
+@@ -400,6 +428,21 @@ static inline int copy_user_to_xregs(struct xregs_state __user *buf, u64 mask)
+ 	return err;
+ }
+ 
++/*
++ * Restore xstate from kernel space xsave area, return an error code instead of
++ * an exception.
++ */
++static inline int copy_kernel_to_xregs_err(struct xregs_state *xstate, u64 mask)
++{
++	u32 lmask = mask;
++	u32 hmask = mask >> 32;
++	int err;
++
++	XSTATE_OP(XRSTOR, xstate, lmask, hmask, err);
++
++	return err;
++}
++
+ /*
+  * These must be called with preempt disabled. Returns
+  * 'true' if the FPU state is still intact and we can

patches/kernel/0008-KVM-x86-introduce-is_pae_paging.patch

@@ -0,0 +1,105 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 6 Jun 2019 18:52:44 +0200
+Subject: [PATCH] KVM: x86: introduce is_pae_paging
+
+Checking for 32-bit PAE is quite common around code that fiddles with
+the PDPTRs.  Add a function to compress all checks into a single
+invocation.
+
+Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit bf03d4f9334728bf7c8ffc7de787df48abd6340e)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/vmx/nested.c | 3 +--
+ arch/x86/kvm/vmx/vmx.c    | 4 ++--
+ arch/x86/kvm/x86.c        | 8 ++++----
+ arch/x86/kvm/x86.h        | 5 +++++
+ 4 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index d7c52e748966..7bb5801b5e11 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -944,8 +944,7 @@ static int nested_vmx_load_cr3(struct kvm_vcpu *vcpu, unsigned long cr3, bool ne
+ 		 * If PAE paging and EPT are both on, CR3 is not used by the CPU and
+ 		 * must not be dereferenced.
+ 		 */
+-		if (!is_long_mode(vcpu) && is_pae(vcpu) && is_paging(vcpu) &&
+-		    !nested_ept) {
++		if (is_pae_paging(vcpu) && !nested_ept) {
+ 			if (!load_pdptrs(vcpu, vcpu->arch.walk_mmu, cr3)) {
+ 				*entry_failure_code = ENTRY_FAIL_PDPTE;
+ 				return 1;
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index 835edf9b2954..86c5ab3728ac 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -2729,7 +2729,7 @@ static void ept_load_pdptrs(struct kvm_vcpu *vcpu)
+ 		      (unsigned long *)&vcpu->arch.regs_dirty))
+ 		return;
+ 
+-	if (is_paging(vcpu) && is_pae(vcpu) && !is_long_mode(vcpu)) {
++	if (is_pae_paging(vcpu)) {
+ 		vmcs_write64(GUEST_PDPTR0, mmu->pdptrs[0]);
+ 		vmcs_write64(GUEST_PDPTR1, mmu->pdptrs[1]);
+ 		vmcs_write64(GUEST_PDPTR2, mmu->pdptrs[2]);
+@@ -2741,7 +2741,7 @@ void ept_save_pdptrs(struct kvm_vcpu *vcpu)
+ {
+ 	struct kvm_mmu *mmu = vcpu->arch.walk_mmu;
+ 
+-	if (is_paging(vcpu) && is_pae(vcpu) && !is_long_mode(vcpu)) {
++	if (is_pae_paging(vcpu)) {
+ 		mmu->pdptrs[0] = vmcs_read64(GUEST_PDPTR0);
+ 		mmu->pdptrs[1] = vmcs_read64(GUEST_PDPTR1);
+ 		mmu->pdptrs[2] = vmcs_read64(GUEST_PDPTR2);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index eed14def2a6b..c69f12af5c01 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -725,7 +725,7 @@ bool pdptrs_changed(struct kvm_vcpu *vcpu)
+ 	gfn_t gfn;
+ 	int r;
+ 
+-	if (is_long_mode(vcpu) || !is_pae(vcpu) || !is_paging(vcpu))
++	if (!is_pae_paging(vcpu))
+ 		return false;
+ 
+ 	if (!test_bit(VCPU_EXREG_PDPTR,
+@@ -968,8 +968,8 @@ int kvm_set_cr3(struct kvm_vcpu *vcpu, unsigned long cr3)
+ 	if (is_long_mode(vcpu) &&
+ 	    (cr3 & rsvd_bits(cpuid_maxphyaddr(vcpu), 63)))
+ 		return 1;
+-	else if (is_pae(vcpu) && is_paging(vcpu) &&
+-		   !load_pdptrs(vcpu, vcpu->arch.walk_mmu, cr3))
++	else if (is_pae_paging(vcpu) &&
++		 !load_pdptrs(vcpu, vcpu->arch.walk_mmu, cr3))
+ 		return 1;
+ 
+ 	kvm_mmu_new_cr3(vcpu, cr3, skip_tlb_flush);
+@@ -8590,7 +8590,7 @@ static int __set_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
+ 		kvm_update_cpuid(vcpu);
+ 
+ 	idx = srcu_read_lock(&vcpu->kvm->srcu);
+-	if (!is_long_mode(vcpu) && is_pae(vcpu) && is_paging(vcpu)) {
++	if (is_pae_paging(vcpu)) {
+ 		load_pdptrs(vcpu, vcpu->arch.walk_mmu, kvm_read_cr3(vcpu));
+ 		mmu_reset_needed = 1;
+ 	}
+diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
+index 7e89ed889707..03de3f3c830c 100644
+--- a/arch/x86/kvm/x86.h
++++ b/arch/x86/kvm/x86.h
+@@ -139,6 +139,11 @@ static inline int is_paging(struct kvm_vcpu *vcpu)
+ 	return likely(kvm_read_cr0_bits(vcpu, X86_CR0_PG));
+ }
+ 
++static inline bool is_pae_paging(struct kvm_vcpu *vcpu)
++{
++	return !is_long_mode(vcpu) && is_pae(vcpu) && is_paging(vcpu);
++}
++
+ static inline u32 bit(int bitno)
+ {
+ 	return 1 << (bitno & 31);

patches/kernel/0008-Revert-fortify-Do-not-cast-to-unsigned-char.patch

@@ -1,29 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Date: Tue, 10 Jan 2023 08:52:40 +0100
-Subject: [PATCH] Revert "fortify: Do not cast to "unsigned char""
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit 106b7a61c488d2022f44e3531ce33461c7c0685f.
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
-Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
----
- include/linux/fortify-string.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
-index 7cad8bb031e9..acc24887db3e 100644
---- a/include/linux/fortify-string.h
-+++ b/include/linux/fortify-string.h
-@@ -18,7 +18,7 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
- 
- #define __compiletime_strlen(p)					\
- ({								\
--	char *__p = (char *)(p);				\
-+	unsigned char *__p = (unsigned char *)(p);		\
- 	size_t __ret = SIZE_MAX;				\
- 	size_t __p_size = __member_size(p);			\
- 	if (__p_size != SIZE_MAX &&				\