diff --git a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch index a6b4391..56da886 100644 --- a/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch +++ b/patches/kernel/0003-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch @@ -54,10 +54,10 @@ Signed-off-by: Fabian Grünbichler 2 files changed, 111 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 1bbfe73fcd6c..073e3023b515 100644 +index ce24cb1e8f46..0cc1d4200c24 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -2935,6 +2935,15 @@ +@@ -2938,6 +2938,15 @@ nomsi [MSI] If the PCI_MSI kernel config parameter is enabled, this kernel boot option can be used to disable the use of MSI interrupts system-wide. diff --git a/patches/kernel/0009-KVM-SVM-obey-guest-PAT.patch b/patches/kernel/0009-KVM-SVM-obey-guest-PAT.patch index cc64a62..38f2062 100644 --- a/patches/kernel/0009-KVM-SVM-obey-guest-PAT.patch +++ b/patches/kernel/0009-KVM-SVM-obey-guest-PAT.patch @@ -34,7 +34,7 @@ Signed-off-by: Fabian Grünbichler 1 file changed, 7 insertions(+) diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index a8c911fcd73f..e9d0f80fd83a 100644 +index 6b1744499a90..5c37c1a1a949 100644 --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -3650,6 +3650,13 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) diff --git a/patches/kernel/0012-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch b/patches/kernel/0012-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch index d69b9a6..d6c117f 100644 --- a/patches/kernel/0012-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch +++ b/patches/kernel/0012-KVM-x86-Add-memory-barrier-on-vmcs-field-lookup.patch @@ -22,7 +22,7 @@ 
Signed-off-by: Fabian Grünbichler 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index 6704e716efdc..5b5413c23395 100644 +index 0510bc11beb2..c79de3ac9d49 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -883,8 +883,16 @@ static inline short vmcs_field_to_offset(unsigned long field) diff --git a/patches/kernel/0015-module-retpoline-Warn-about-missing-retpoline-in-mod.patch b/patches/kernel/0015-module-retpoline-Warn-about-missing-retpoline-in-mod.patch index ace11c2..484f700 100644 --- a/patches/kernel/0015-module-retpoline-Warn-about-missing-retpoline-in-mod.patch +++ b/patches/kernel/0015-module-retpoline-Warn-about-missing-retpoline-in-mod.patch @@ -34,14 +34,14 @@ Conflicts: context changes Signed-off-by: Fabian Grünbichler --- - arch/x86/kernel/cpu/bugs.c | 19 +++++++++++++++++-- + arch/x86/kernel/cpu/bugs.c | 18 +++++++++++++++++- include/linux/module.h | 9 +++++++++ kernel/module.c | 11 +++++++++++ scripts/mod/modpost.c | 9 +++++++++ - 4 files changed, 46 insertions(+), 2 deletions(-) + 4 files changed, 46 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index d5bafcdb4891..e623bd731a74 100644 +index 2443b9580e94..e0b6aa62b253 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -11,6 +11,7 @@ @@ -49,13 +49,13 @@ index d5bafcdb4891..e623bd731a74 100644 #include #include +#include + #include + #include - #include - #include -@@ -93,6 +94,19 @@ static const char *spectre_v2_strings[] = { - #define pr_fmt(fmt) "Spectre V2 mitigation: " fmt +@@ -130,6 +131,19 @@ static const char *spectre_v2_strings[] = { - static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE; + static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init = + SPECTRE_V2_NONE; +static bool spectre_v2_bad_module; + +#ifdef RETPOLINE 
@@ -70,19 +70,19 @@ index d5bafcdb4891..e623bd731a74 100644 +} +#endif - static void __init spec2_print_if_insecure(const char *reason) + void x86_spec_ctrl_set(u64 val) { -@@ -299,7 +313,8 @@ ssize_t cpu_show_spectre_v2(struct device *dev, - if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2)) - return sprintf(buf, "Not affected\n"); +@@ -615,7 +629,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr + return sprintf(buf, "Mitigation: OSB (observable speculation barrier, Intel v6)\n"); -- return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled], -- ibpb_inuse ? ", IBPB (Intel v4)" : ""); -+ return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], -+ ibpb_inuse ? ", IBPB (Intel v4)" : "", -+ spectre_v2_bad_module ? " - vulnerable module loaded" : ""); - } - #endif + case X86_BUG_SPECTRE_V2: +- return sprintf(buf, "%s%s\n", spectre_v2_strings[spectre_v2_enabled], ibpb_inuse ? ", IBPB (Intel v4)" : ""); ++ return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], ++ ibpb_inuse ? ",IBPB (Intel v4)" : "", ++ spectre_v2_bad_module ? " - vulnerable module loaded" : ""); + + case X86_BUG_SPEC_STORE_BYPASS: + return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); diff --git a/include/linux/module.h b/include/linux/module.h index e7bdd549e527..c4fdf7661f82 100644 --- a/include/linux/module.h
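Review bot: In the refreshed `X86_BUG_SPECTRE_V2` case of `cpu_show_common()`, the IBPB suffix changes from `", IBPB (Intel v4)"` to `",IBPB (Intel v4)"`, losing the space after the comma. The line this patch removes from the new base still has the space, so the change appears to come from the rebase rather than from upstream. This string is the content of the spectre_v2 vulnerabilities sysfs attribute, which audit and monitoring scripts often match literally to confirm mitigation state, so a silent format change can lead to a host being misreported. Unless the new spelling is intentional, keep `ibpb_inuse ? ", IBPB (Intel v4)" : "",` and change only the format string and the added `spectre_v2_bad_module` argument. The enclosing function starts and ends outside this hunk.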