forgejo: add test build

* Update to zfs 2.1.12

.forgejo/workflows/release-build.yml

@@ -0,0 +1,55 @@
+name: Kernel Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release-build:
+    name: Build
+    runs-on: aarch64
+    container:
+      image: debian:bookworm
+    steps:
+    - name: Setup build environment
+      run: | 
+        cat /etc/os-release
+        cp /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list.d/debian-src.sources
+        sed 's/Types: deb/Types: deb-src/' -i /etc/apt/sources.list.d/debian-src.sources
+        apt-get update
+        apt-get install -y devscripts debhelper equivs git nodejs sudo
+        sudo hostname host.docker.internal
+    - name: Checkout Sources
+      uses: actions/checkout@v4
+      with:
+          path: pve-kernel-thunderx
+    - name: Checkout submodules
+      run: git -C pve-kernel-thunderx submodule update --init --depth 16 --jobs 3
+    - name: Build Kernel
+      run: |
+        cd pve-kernel-thunderx
+        debian/rules debian/control
+        sudo mk-build-deps --tool 'apt-get --no-install-recommends --yes' --install debian/control
+        debuild --no-lintian -ePVE* --jobs=auto -b -uc -us
+    - name: Upload Artifacts
+      uses: actions/upload-artifact@v3
+      with:
+        name: debs
+        path: "*.deb"
+  release-deploy:
+    needs: [release-build]
+    runs-on: aarch64
+    container:
+      image: alpine:latest
+    steps:
+      - name: Setting up environment
+        run: apk add nodejs curl findutils
+      - name: Package download
+        uses: actions/download-artifact@v3
+      - name: Package deployment
+        run: |
+          find -name '*.deb' > deb.list
+          while read file; do
+            curl --user ${{ vars.FORGE_REPO_USER }}:${{ secrets.FORGE_REPO_PRIVKEY }} --upload-file "$file" https://ayakael.net/api/packages/forge/debian/pool/bookworm/main/upload
+          done < deb.list

.forgejo/workflows/test-build.yml

@@ -0,0 +1,38 @@
+name: Kernel Test
+
+on:
+  pull_request:
+    types: [ assigned, opened, synchronize, reopened ]
+
+jobs:
+  test-build:
+    name: Build
+    runs-on: aarch64
+    container:
+      image: debian:bookworm
+    steps:
+    - name: Setup build environment
+      run: | 
+        cat /etc/os-release
+        cp /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list.d/debian-src.sources
+        sed 's/Types: deb/Types: deb-src/' -i /etc/apt/sources.list.d/debian-src.sources
+        apt-get update
+        apt-get install -y devscripts debhelper equivs git nodejs sudo
+        sudo hostname host.docker.internal
+    - name: Checkout Sources
+      uses: actions/checkout@v4
+      with:
+          path: pve-kernel-thunderx
+    - name: Checkout submodules
+      run: git -C pve-kernel-thunderx submodule update --init --depth 16 --jobs 3
+    - name: Build Kernel
+      run: |
+        cd pve-kernel-thunderx
+        debian/rules debian/control
+        sudo mk-build-deps --tool 'apt-get --no-install-recommends --yes' --install debian/control
+        debuild --no-lintian -ePVE* --jobs=auto -b -uc -us
+    - name: Upload Artifacts
+      uses: actions/upload-artifact@v3
+      with:
+        name: debs
+        path: "*.deb"

.github/FUNDING.yml

@@ -1 +0,0 @@
-custom: https://www.buymeacoffee.com/fabianishere

.github/workflows/release.yml

@@ -1,87 +0,0 @@
-name: Kernel Release
-
-on:
-  pull_request:
-    types: [closed]
-    branches:
-      - v*
-      - flavor/*/v*
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build (${{ matrix.debian }})
-    runs-on: [self-hosted, '${{ matrix.debian }}']
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}
-    strategy:
-      matrix:
-        debian: [bullseye]
-        include:
-          - build_profile: 'generic'
-            build_cc: gcc
-            build_cflags: ''
-    steps:
-    - name: Clean Workspace
-      run: rm -rf *.deb *.ddeb *.build *.buildinfo *.changes
-    - name: Checkout Sources
-      uses: actions/checkout@v3
-      with:
-          submodules: recursive
-          path: pve-edge-kernel
-    - name: Clean Repository
-      run: git -C pve-edge-kernel submodule foreach git clean -ffdx
-    - name: Build Kernel
-      run: |
-        cd pve-edge-kernel
-        debian/rules debian/control
-        if [ "$PVE_BUILD_PROFILE" != "generic" ]; then
-        	debchange -l +$PVE_BUILD_PROFILE -D edge --force-distribution -U -M "Specialization for $PVE_BUILD_PROFILE"
-        fi
-        debuild --no-lintian -e PVE* -e CCACHE_DIR=/var/cache/ccache --prepend-path=/usr/lib/ccache --jobs=auto -b -uc -us
-      env:
-          PVE_BUILD_PROFILE: ${{ matrix.build_profile }}
-          PVE_KERNEL_CC: ${{ matrix.build_cc }}
-          PVE_KERNEL_CFLAGS: ${{ matrix.build_cflags }}
-          PVE_ZFS_CC: ${{ matrix.build_cc }}
-    - name: Upload Artifacts
-      uses: actions/upload-artifact@v3
-      with:
-        name: ${{ matrix.debian }}-${{ matrix.build_profile }}
-        path: "*.deb"
-  publish:
-    name: Publish
-    runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}
-    needs: build
-    steps:
-    - name: Checkout Sources
-      uses: actions/checkout@v3
-    - name: Download Artifacts
-      uses: actions/download-artifact@v3
-      with:
-          path: artifacts
-    - name: Delete Debug Symbols
-      run: rm -f artifacts/*/*dbgsym*.deb
-    - name: Format Release Name
-      id: format_release
-      run: |
-        echo "release=$(scripts/version.sh)" >> $GITHUB_OUTPUT
-        changelog=$(dpkg-parsechangelog -c 1 -l debian/changelog)
-        echo "changelog<<EOF\n$changelog\nEOF" >> $GITHUB_OUTPUT
-    - name: Create Release
-      uses: ncipollo/release-action@v1
-      with:
-        commit: ${{ github.sha }}
-        tag: v${{ steps.format_release.outputs.release }}
-        body: ${{ steps.format_release.outputs.changelog }}
-        token: ${{ secrets.PAT }}
-        artifacts: "artifacts/bullseye-generic/pve-headers-*.deb,artifacts/bullseye-generic/pve-kernel-*.deb,artifacts/bullseye-generic/linux-tools-*.deb"
-    - name: Release to CloudSmith
-      run: |
-        pip install --upgrade cloudsmith-cli
-        find artifacts/bullseye-generic \
-             -name '*.deb' \
-             -not -name "*dbgsym*" \
-             -exec cloudsmith push deb pve-edge/kernel/debian/bullseye {} --republish \;
-      env:
-        CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

.github/workflows/update.yml

@@ -1,62 +0,0 @@
-name: Kernel Update
-
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Tag of the Linux Kernel to update to'
-        required: true
-      version:
-        description: 'Custom version number'
-        required: false
-      release:
-        description: 'Custom release number'
-        required: false
-
-jobs:
-  update:
-    name: Update
-    runs-on: [ubuntu-latest]
-    steps:
-    - name: Checkout Sources
-      uses: actions/checkout@v3
-      with:
-          submodules: recursive
-    - name: Setup System Dependencies
-      run: sudo apt update && sudo apt install devscripts
-    - name: Update Kernel
-      id: update
-      run: |
-        TAG=${{ github.event.inputs.tag }}
-        VERSION=${{ github.event.inputs.version }}
-        RELEASE=${{ github.event.inputs.release }}
-        VERSION_OPT=${VERSION:+-v ${VERSION}}
-        RELEASE_OPT=${RELEASE:+-r ${RELEASE}}
-        ./scripts/update.sh -t ${{ github.event.inputs.tag }} $VERSION_OPT $RELEASE_OPT
-        echo "version=$(scripts/version.sh -L)" >> $GITHUB_OUTPUT
-        echo "full=$(scripts/version.sh)" >> $GITHUB_OUTPUT
-        changelog=$(dpkg-parsechangelog -c 1 -l debian/changelog)
-        echo "changelog<<EOF\n$changelog\nEOF" >> $GITHUB_OUTPUT
-        echo "branch=${GITHUB_REF##*/}" >> $GITHUB_OUTPUT
-    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v4
-      with:
-        token: ${{ secrets.PAT }} # Custom token needed to recursively trigger workflows
-        author: Fabian Mastenbroek <mail.fabianm@gmail.com>
-        commit-message: |
-          Add Linux ${{ steps.update.outputs.version }}
-
-          This change updates the kernel to Linux ${{ steps.update.outputs.version }}.
-        branch: staging/v${{ steps.update.outputs.full }}
-        branch-suffix: short-commit-hash
-        delete-branch: true
-        title: "Add Linux ${{ steps.update.outputs.version }}"
-        body: |
-          Automated pull request to update the kernel to Linux ${{ steps.update.outputs.version }}.
-
-          **Changelog:**
-          ```
-          ${{ steps.update.outputs.changelog }}
-          ```
-        labels: |
-          release

.github/workflows/watch.yml

@@ -1,47 +0,0 @@
-name: Kernel Watch
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 12 * * *' # Every day
-
-jobs:
-  check:
-    name: Check for new Release
-    runs-on: [ubuntu-latest]
-    strategy:
-      matrix:
-        branch: ['v6.0.x']
-    steps:
-    - name: Checkout Sources
-      uses: actions/checkout@v3
-      with:
-        ref: ${{ matrix.branch }}
-        submodules: recursive
-    - name: Setup System Dependencies
-      run: sudo apt install jq curl
-    - name: Check for Release
-      id: check
-      run: |
-        NEW=$(scripts/check.sh ${{ matrix.branch }})
-        if [[ -z $NEW ]]; then
-            echo "No new release found"
-            exit 0
-        fi
-        echo "Found new Linux kernel version $NEW"
-        STAGING=$(git ls-remote --heads origin "staging/v$NEW*")
-        if [[ $STAGING ]]; then
-            echo "Existing staging update found"
-            exit 0
-        fi
-        echo "No staging update found: triggering update"
-        echo "version=$NEW" >> $GITHUB_OUTPUT
-    - name: Trigger Update
-      if: ${{ steps.check.outputs.version }}
-      uses: benc-uk/workflow-dispatch@v1
-      with:
-        workflow: Kernel Update
-        token: ${{ secrets.PAT }} # Custom token needed to recursively trigger workflows
-        inputs: '{ "tag": "v${{ steps.check.outputs.version }}" }'
-        ref: ${{ matrix.branch }}
-

.gitmodules

@@ -3,4 +3,4 @@
 	url = https://github.com/openzfs/zfs.git
 [submodule "linux"]
 	path = linux
-	url = git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
+	url = https://git.proxmox.com/git/mirror_ubuntu-kernels.git

README.md

@@ -1,41 +1,20 @@
-# Proxmox Edge kernels
-Custom Linux kernels for Proxmox VE 7 arm64
+# Proxmox Thunderx kernels
+Custom Linux kernels for Proxmox VE arm64 ThunderX (CN88xx) system based on Ubuntu linux
 
 #### Available Versions
-1. Linux 6.0
-
-Older builds are still available at the [Releases](https://github.com/fabianishere/pve-edge-kernel/releases) page.
+1. Linux 5.15 -> branch:v5.15
+2. Linux 6.5 -> branch:v6.5
+3. Linux 6.8 -> master
 
 ## Installation
-[![Hosted By: Cloudsmith](https://img.shields.io/badge/OSS%20hosting%20by-cloudsmith-blue?logo=cloudsmith&style=flat-square)](https://cloudsmith.com)
-
-First, set up our Debian repository on your Proxmox installation: 
-1. **Add the repository's GPG key:**  
-   ```bash
-   curl -1sLf 'https://dl.cloudsmith.io/public/pve-edge/kernel/gpg.8EC01CCF309B98E7.key' | gpg --dearmor -o /usr/share/keyrings/pve-edge-kernel.gpg
-   ```
-2. **Set up the `pve-edge-kernel` repository:**  
-   ```bash
-   echo "deb [signed-by=/usr/share/keyrings/pve-edge-kernel.gpg] https://dl.cloudsmith.io/public/pve-edge/kernel/deb/debian bullseye main" > /etc/apt/sources.list.d/pve-edge-kernel.list
-   ```
-3. **Install a kernel package:**  
-   ```bash
-   apt update
-   apt install pve-kernel-6.0-edge
-   ```
-
-Package repository hosting is graciously provided by  [Cloudsmith](https://cloudsmith.com).
-Cloudsmith is the only fully hosted, cloud-native, universal package management solution, that
-enables your organization to create, store and share packages in any format, to any place, with total
-confidence.
-
-### Manual
-Alternatively, you may manually install the kernels. Select from the [Releases](https://github.com/fabianishere/pve-edge-kernel/releases)
-page the kernel version you want to install and download the appropriate Debian package.
-Then, you can install the package as follows:
+add arm64 kernel repo.
 
 ```sh
-apt install ./pve-kernel-VERSION_amd64.deb
+curl https://ayakael.net/api/packages/forge/debian/repository.key -o /etc/apt/keyrings/forgejo-forge.asc
+echo "deb [signed-by=/etc/apt/keyrings/forgejo-forge.asc] https://ayakael.net/api/packages/forge/debian bookworm main" | tee -a /etc/apt/sources.list.d/forgejo.list
+apt update
+apt search pve-kernel
+apt install pve-kernel-xxxx
 ```
 
 ## Building manually
@@ -52,12 +31,12 @@ apt install devscripts debhelper equivs git
 #### Obtaining the source
 Obtain the source code as follows:
 ```bash
-git clone https://github.com/fabianishere/pve-edge-kernel
-cd pve-edge-kernel
+git https://ayakael.net/forge/pve-kernel-thunderx
+cd pve-kernel-thunderx
 ```
-Then, select the branch of your likings (e.g. `v6.0.x`) and update the submodules:
+Then, select the branch of your likings (e.g. `v5.15`) and update the submodules:
 ```bash
-git checkout v6.0.x
+git checkout master
 git submodule update --init --depth=1 --recursive linux
 git submodule update --init --recursive
 ```
@@ -98,14 +77,14 @@ to remove all packages from a particular kernel release, use the following
 command:
 
 ```bash
-apt remove pve-kernel-6.0*edge pve-headers-6.0*edge
+apt remove pve-kernel-6.8* pve-headers-6.8*
 ```
 
 ## Contributing
 Questions, suggestions and contributions are welcome and appreciated!
 You can contribute in various meaningful ways:
 
-* Report a bug through [Github issues](https://github.com/fabianishere/pve-edge-kernel/issues).
+* Report a bug by email <dev@ayakael.net>
 * Propose new patches and flavors for the project.
 * Contribute improvements to the documentation.
 * Provide feedback about how we can improve the project.

autobuild.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+sudo apt install devscripts  rsync -y
+#git submodule update --init --depth=1
+rm build -rf
+mkdir build && rsync -ra * build/
+cd build
+debian/rules debian/control
+yes | sudo mk-build-deps --install --remove
+dpkg-buildpackage -b -us -uc

debian/changelog

@@ -1,13 +1,74 @@
+pve-kernel (6.8.12-1) generic; urgency=medium
+
+  * Update to Ubuntu Linux 6.8.0-45.45
+  * Update to zfs 2.2.6
+
+ -- ayakael <dev@ayakael.net> Mon, 7 Oct 2024 08:03:00 +0800
+
+pve-kernel (6.5.3) generic; urgency=medium
+
+  * Update to Ubuntu Linux 6.5.3
+
+ -- ayakael <dev@ayakael.net>  Sun, 19 Nov 2023 21:35:31 +0800
+
+pve-kernel (6.5.11) generic; urgency=medium
+
+  * Update to Linux 6.5.11
+
+ -- jiangcuo <jiangcuo@bingsin.com>  Sun, 19 Nov 2023 21:35:31 +0800
+
+pve-kernel (6.1.62) generic; urgency=medium
+
+  * Update to Linux 6.1.62
+
+ -- jiangcuo <jiangcuo@bingsin.com>  Sun, 19 Nov 2023 03:52:02 +0000
+
+pve-kernel (6.1.60) generic; urgency=medium
+
+  * Update to Linux 6.1.60
+  * Update to zfs 2.2.0
+
+ -- jiangcuo <jiangcuo@bingsin.com>  Tue, 31 Oct 2023 10:58:30 +0800
+
+pve-kernel (6.1.51) generic; urgency=medium
+
+  * Update to Linux 6.1.51
+
+ -- jiangcuo <jiangcuo@bingsin.com>  Sat, 02 Sep 2023 21:56:34 +0800
+
+pve-kernel (6.1.42) generic; urgency=medium
+
+  * Update to Linux 6.1.42  
+  * Update to zfs 2.1.12 
+
+ -- jiangcuo <jiangcuo@bingsin.com>  Thu, 27 Jul 2023 15:23:29 +0000
+
+pve-kernel (6.1.24) generic; urgency=medium
+
+  * Update to Linux 6.1.24
+  * Delete PSCI checker
+
+ -- Jiangcuo <jiangcuo@bingsin.com>  Wed, 17 Apr 2023 16:15:18 +0800
+
+pve-kernel (6.1.21) generic; urgency=medium
+
+  * Update to Linux 6.1.21
+
+ -- Jiangcuo <jiangcuo@bingsin.com>  Wed, 29 Mar 2023 18:55:28 +0800
+
+pve-kernel (6.1.20) generic; urgency=medium
+
+  * Update to Linux 6.1.20
+  * delete CONFIG_ARM_SMMU_DISABLE_BYPASS_BY_DEFAULT=y
+  * builtin br_netfilter
+  * Update to ZFS 2.1.9
+  * ready for proxmox ve 7.4-1
+
+ -- Jiangcuo <jiangcuo@bingsin.com>  Tue, 28 Mar 2023 23:49:28 +0800
+
 pve-kernel (6.1.19) generic; urgency=medium
 
   * Update to Linux 6.1.19   
   * Update to ZFS 2.1.9
 
  -- Jiangcuo <jiangcuo@bingsin.com>  Tue, 14 Mar 2023 23:49:28 +0800
-
-pve-kernel (5.11.0) bcm95880; urgency=medium
-
-  * Update to Linux 5.11-rc3
-  * Update to ZFS 2.1.9
-
- -- Jiangcuo <jiangcuo@bingsin.com>  Tue, 14 Mar 2023 11:00:00 +0000

debian/patches/pve/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 12 May 2015 19:29:22 +0100
+Subject: [PATCH] Make mkcompile_h accept an alternate timestamp string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We want to include the Debian version in the utsname::version string
+instead of a full timestamp string.  However, we still need to provide
+a standard timestamp string for gen_initramfs_list.sh to make the
+kernel image reproducible.
+
+Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
+$KBUILD_BUILD_TIMESTAMP.
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ init/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Makefile b/init/Makefile
+index cbac576c57d6..479b1253fcbe 100644
+--- a/init/Makefile
++++ b/init/Makefile
+@@ -29,7 +29,7 @@ preempt-flag-$(CONFIG_PREEMPT_DYNAMIC)	:= PREEMPT_DYNAMIC
+ preempt-flag-$(CONFIG_PREEMPT_RT)	:= PREEMPT_RT
+ 
+ build-version = $(or $(KBUILD_BUILD_VERSION), $(build-version-auto))
+-build-timestamp = $(or $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
++build-timestamp = $(or $(KBUILD_BUILD_VERSION_TIMESTAMP), $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+ 
+ # Maximum length of UTS_VERSION is 64 chars
+ filechk_uts_version = \

debian/patches/pve/0004-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch

@@ -0,0 +1,196 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mark Weiman <mark.weiman@markzz.com>
+Date: Wed, 7 Feb 2018 16:04:03 -0500
+Subject: [PATCH] pci: Enable overrides for missing ACS capabilities (4.15)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This an updated version of Alex Williamson's patch from:
+https://lkml.org/lkml/2013/5/30/513
+
+Original commit message follows:
+PCIe ACS (Access Control Services) is the PCIe 2.0+ feature that
+allows us to control whether transactions are allowed to be redirected
+in various subnodes of a PCIe topology.  For instance, if two
+endpoints are below a root port or downsteam switch port, the
+downstream port may optionally redirect transactions between the
+devices, bypassing upstream devices.  The same can happen internally
+on multifunction devices.  The transaction may never be visible to the
+upstream devices.
+
+One upstream device that we particularly care about is the IOMMU.  If
+a redirection occurs in the topology below the IOMMU, then the IOMMU
+cannot provide isolation between devices.  This is why the PCIe spec
+encourages topologies to include ACS support.  Without it, we have to
+assume peer-to-peer DMA within a hierarchy can bypass IOMMU isolation.
+
+Unfortunately, far too many topologies do not support ACS to make this
+a steadfast requirement.  Even the latest chipsets from Intel are only
+sporadically supporting ACS.  We have trouble getting interconnect
+vendors to include the PCIe spec required PCIe capability, let alone
+suggested features.
+
+Therefore, we need to add some flexibility.  The pcie_acs_override=
+boot option lets users opt-in specific devices or sets of devices to
+assume ACS support.  The "downstream" option assumes full ACS support
+on root ports and downstream switch ports.  The "multifunction"
+option assumes the subset of ACS features available on multifunction
+endpoints and upstream switch ports are supported.  The "id:nnnn:nnnn"
+option enables ACS support on devices matching the provided vendor
+and device IDs, allowing more strategic ACS overrides.  These options
+may be combined in any order.  A maximum of 16 id specific overrides
+are available.  It's suggested to use the most limited set of options
+necessary to avoid completely disabling ACS across the topology.
+Note to hardware vendors, we have facilities to permanently quirk
+specific devices which enforce isolation but not provide an ACS
+capability.  Please contact me to have your devices added and save
+your customers the hassle of this boot option.
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ .../admin-guide/kernel-parameters.txt         |   9 ++
+ drivers/pci/quirks.c                          | 102 ++++++++++++++++++
+ 2 files changed, 111 insertions(+)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index e58f3bbb7643..d574123d82bd 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -4403,6 +4403,15 @@
+ 				Also, it enforces the PCI Local Bus spec
+ 				rule that those bits should be 0 in system reset
+ 				events (useful for kexec/kdump cases).
++		pci_acs_override =
++				[PCIE] Override missing PCIe ACS support for:
++				downstream
++					All downstream ports - full ACS capabilities
++				multifunction
++					Add multifunction devices - multifunction ACS subset
++				id:nnnn:nnnn
++					Specific device - full ACS capabilities
++					Specified as vid:did (vendor/device ID) in hex
+ 		noioapicquirk	[APIC] Disable all boot interrupt quirks.
+ 				Safety option to keep boot IRQs enabled. This
+ 				should never be necessary.
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index ce469d84ebae..4f163ef55e7b 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -287,6 +287,106 @@ static int __init pci_apply_final_quirks(void)
+ }
+ fs_initcall_sync(pci_apply_final_quirks);
+ 
++static bool acs_on_downstream;
++static bool acs_on_multifunction;
++
++#define NUM_ACS_IDS 16
++struct acs_on_id {
++	unsigned short vendor;
++	unsigned short device;
++};
++static struct acs_on_id acs_on_ids[NUM_ACS_IDS];
++static u8 max_acs_id;
++
++static __init int pcie_acs_override_setup(char *p)
++{
++	if (!p)
++		return -EINVAL;
++
++	while (*p) {
++		if (!strncmp(p, "downstream", 10))
++			acs_on_downstream = true;
++		if (!strncmp(p, "multifunction", 13))
++			acs_on_multifunction = true;
++		if (!strncmp(p, "id:", 3)) {
++			char opt[5];
++			int ret;
++			long val;
++
++			if (max_acs_id >= NUM_ACS_IDS - 1) {
++				pr_warn("Out of PCIe ACS override slots (%d)\n",
++						NUM_ACS_IDS);
++				goto next;
++			}
++
++			p += 3;
++			snprintf(opt, 5, "%s", p);
++			ret = kstrtol(opt, 16, &val);
++			if (ret) {
++				pr_warn("PCIe ACS ID parse error %d\n", ret);
++				goto next;
++			}
++			acs_on_ids[max_acs_id].vendor = val;
++			p += strcspn(p, ":");
++			if (*p != ':') {
++				pr_warn("PCIe ACS invalid ID\n");
++				goto next;
++			}
++
++			p++;
++			snprintf(opt, 5, "%s", p);
++			ret = kstrtol(opt, 16, &val);
++			if (ret) {
++				pr_warn("PCIe ACS ID parse error %d\n", ret);
++				goto next;
++			}
++			acs_on_ids[max_acs_id].device = val;
++			max_acs_id++;
++		}
++next:
++		p += strcspn(p, ",");
++		if (*p == ',')
++			p++;
++	}
++
++	if (acs_on_downstream || acs_on_multifunction || max_acs_id)
++		pr_warn("Warning: PCIe ACS overrides enabled; This may allow non-IOMMU protected peer-to-peer DMA\n");
++
++	return 0;
++}
++early_param("pcie_acs_override", pcie_acs_override_setup);
++
++static int pcie_acs_overrides(struct pci_dev *dev, u16 acs_flags)
++{
++	int i;
++
++	/* Never override ACS for legacy devices or devices with ACS caps */
++	if (!pci_is_pcie(dev) ||
++		pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ACS))
++			return -ENOTTY;
++
++	for (i = 0; i < max_acs_id; i++)
++		if (acs_on_ids[i].vendor == dev->vendor &&
++			acs_on_ids[i].device == dev->device)
++				return 1;
++
++	switch (pci_pcie_type(dev)) {
++		case PCI_EXP_TYPE_DOWNSTREAM:
++		case PCI_EXP_TYPE_ROOT_PORT:
++			if (acs_on_downstream)
++				return 1;
++			break;
++		case PCI_EXP_TYPE_ENDPOINT:
++		case PCI_EXP_TYPE_UPSTREAM:
++		case PCI_EXP_TYPE_LEG_END:
++		case PCI_EXP_TYPE_RC_END:
++			if (acs_on_multifunction && dev->multifunction)
++				return 1;
++	}
++
++	return -ENOTTY;
++}
++
+ /*
+  * Decoding should be disabled for a PCI device during BAR sizing to avoid
+  * conflict. But doing so may cause problems on host bridge and perhaps other
+@@ -5100,6 +5200,8 @@ static const struct pci_dev_acs_enabled {
+ 	{ PCI_VENDOR_ID_CAVIUM, 0xA060, pci_quirk_mf_endpoint_acs },
+ 	/* APM X-Gene */
+ 	{ PCI_VENDOR_ID_AMCC, 0xE004, pci_quirk_xgene_acs },
++	/* Enable overrides for missing ACS capabilities */
++	{ PCI_ANY_ID, PCI_ANY_ID, pcie_acs_overrides },
+ 	/* Ampere Computing */
+ 	{ PCI_VENDOR_ID_AMPERE, 0xE005, pci_quirk_xgene_acs },
+ 	{ PCI_VENDOR_ID_AMPERE, 0xE006, pci_quirk_xgene_acs },

debian/patches/pve/0005-kvm-disable-default-dynamic-halt-polling-growth.patch

@@ -13,10 +13,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index fab4d3790578..adae153354c2 100644
+index 6a56de7ff82e..96bd40a73e0e 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
-@@ -79,7 +79,7 @@ module_param(halt_poll_ns, uint, 0644);
+@@ -82,7 +82,7 @@ module_param(halt_poll_ns, uint, 0644);
  EXPORT_SYMBOL_GPL(halt_poll_ns);
  
  /* Default doubles per-vcpu halt_poll_ns. */

debian/patches/pve/0006-net-core-downgrade-unregister_netdevice-refcount-lea.patch

@@ -3,17 +3,21 @@ From: Thomas Lamprecht <t.lamprecht@proxmox.com>
 Date: Wed, 7 Oct 2020 17:18:28 +0200
 Subject: [PATCH] net: core: downgrade unregister_netdevice refcount leak from
  emergency to error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
 
 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 ---
  net/core/dev.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/net/core/dev.c b/net/core/dev.c
-index 3be256051e99..e79b1695a4cb 100644
+index a32811aebde5..15078ab81ec8 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
-@@ -10273,7 +10273,7 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list)
+@@ -10471,7 +10471,7 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list)
  		if (time_after(jiffies, warning_time +
  			       READ_ONCE(netdev_unregister_timeout_secs) * HZ)) {
  			list_for_each_entry(dev, list, todo_list) {

debian/patches/pve/0007-Revert-fortify-Do-not-cast-to-unsigned-char.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Tue, 10 Jan 2023 08:52:40 +0100
+Subject: [PATCH] Revert "fortify: Do not cast to "unsigned char""
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit 106b7a61c488d2022f44e3531ce33461c7c0685f.
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ include/linux/fortify-string.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
+index e99dbc052575..9e9cdb198b82 100644
+--- a/include/linux/fortify-string.h
++++ b/include/linux/fortify-string.h
+@@ -18,7 +18,7 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
+ 
+ #define __compiletime_strlen(p)					\
+ ({								\
+-	char *__p = (char *)(p);				\
++	unsigned char *__p = (unsigned char *)(p);		\
+ 	size_t __ret = SIZE_MAX;				\
+ 	const size_t __p_size = __member_size(p);		\
+ 	if (__p_size != SIZE_MAX &&				\

debian/patches/pve/0008-kvm-xsave-set-mask-out-PKRU-bit-in-xfeatures-if-vCPU.patch

@@ -0,0 +1,133 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Fri, 14 Jul 2023 18:10:32 +0200
+Subject: [PATCH] kvm: xsave set: mask-out PKRU bit in xfeatures if vCPU has no
+ support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes live-migrations & snapshot-rollback of VMs with a restricted
+CPU type (e.g., qemu64) from our 5.15 based kernel (default Proxmox
+VE 7.4) to the 6.2 (and future newer) of Proxmox VE 8.0.
+
+Previous to ad856280ddea ("x86/kvm/fpu: Limit guest user_xfeatures to
+supported bits of XCR0") the PKRU bit of the host could leak into the
+state from the guest, which caused trouble when migrating between
+hosts with different CPUs, i.e., where the source supported it but
+the target did not, causing a general protection fault when the guest
+tried to use a pkru related instruction after the migration.
+
+But the fix, while welcome, caused a temporary out-of-sync state when
+migrating such a VM from a kernel without the fix to a kernel with
+the fix, as it threw of KVM when the CPUID of the guest and most of
+the state doesn't report XSAVE and thus any xfeatures, but PKRU and
+the related state is set as enabled, causing the vCPU to spin at 100%
+without any progress forever.
+
+The fix could be at two sites, either in QEMU or in the kernel, I
+choose the kernel as we have all the info there for a targeted
+heuristic so that we don't have to adapt QEMU and qemu-server, the
+latter even on both sides.
+
+Still, a short summary of the possible fixes and short drawbacks:
+* on QEMU-side either
+  - clear the PKRU state in the migration saved state would be rather
+    complicated to implement as the vCPU is initialised way before we
+    have the saved xfeature state available to check what we'd need
+    to do, plus the user-space only gets a memory blob from ioctl
+    KVM_GET_XSAVE2 that it passes to KVM_SET_XSAVE ioctl, there are
+    no ABI guarantees, and while the struct seem stable for 5.15 to
+    6.5-rc1, that doesn't has to be for future kernels, so off the
+    table.
+  - enforce that the CPUID reports PKU support even if it normally
+    wouldn't. While this works (tested by hard-coding it as POC) it
+    is a) not really nice and b) needs some interaction from
+    qemu-server to enable this flag as otherwise we have no good info
+    to decide when it's OK to do this, which means we need to adapt
+    both PVE 7 and 8's qemu-server and also pve-qemu, workable but
+    not optimal
+
+* on Kernel/KVM-side we can hook into the set XSAVE ioctl specific to
+  the KVM subsystem, which already reduces chance of regression for
+  all other places. There we have access to the union/struct
+  definitions of the saved state and thus can savely cast to that.
+  We also got access to the vCPU's CPUID capabilities, meaning we can
+  check if the XCR0 (first XSAVE Control Register) reports
+  that it support the PKRU feature, and if it does *NOT* but the
+  saved xfeatures register from XSAVE *DOES* report it, we can safely
+  assume that this combination is due to an migration from an older,
+  leaky kernel – and clear the bit in the xfeature register before
+  restoring it to the guest vCPU KVM state, avoiding the confusing
+  situation that made the vCPU spin at 100%.
+  This should be safe to do, as the guest vCPU CPUID never reported
+  support for the PKRU feature, and it's also a relatively niche and
+  newish feature.
+
+If it gains us something we can drop this patch a bit in the future
+Proxmox VE 9 major release, but we should ensure that VMs that where
+started before PVE 8 cannot be directly live-migrated to the release
+that includes that change; so we should rather only drop it if the
+maintenance burden is high.
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/cpuid.c |  6 ++++++
+ arch/x86/kvm/cpuid.h |  2 ++
+ arch/x86/kvm/x86.c   | 13 +++++++++++++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index ce1499732cb8..d68c04bde5ed 100644
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -262,6 +262,12 @@ static u64 cpuid_get_supported_xcr0(struct kvm_cpuid_entry2 *entries, int nent)
+ 	return (best->eax | ((u64)best->edx << 32)) & kvm_caps.supported_xcr0;
+ }
+ 
++bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu) {
++	u64 guest_supported_xcr0 = cpuid_get_supported_xcr0(
++	    vcpu->arch.cpuid_entries, vcpu->arch.cpuid_nent);
++	return (guest_supported_xcr0 & XFEATURE_MASK_PKRU) != 0;
++}
++
+ static void __kvm_update_cpuid_runtime(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *entries,
+ 				       int nent)
+ {
+diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
+index 23dbb9eb277c..07da153802e4 100644
+--- a/arch/x86/kvm/cpuid.h
++++ b/arch/x86/kvm/cpuid.h
+@@ -32,6 +32,8 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
+ bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx,
+ 	       u32 *ecx, u32 *edx, bool exact_only);
+ 
++bool vcpu_supports_xsave_pkru(struct kvm_vcpu *vcpu);
++
+ u32 xstate_required_size(u64 xstate_bv, bool compacted);
+ 
+ int cpuid_query_maxphyaddr(struct kvm_vcpu *vcpu);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 3750a0c688b7..706348cbde7c 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5580,6 +5580,19 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
+ 	if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
+ 		return 0;
+ 
++	if (!vcpu_supports_xsave_pkru(vcpu)) {
++		void *buf = guest_xsave->region;
++		union fpregs_state *ustate = buf;
++		if (ustate->xsave.header.xfeatures & XFEATURE_MASK_PKRU) {
++			printk(
++				KERN_NOTICE "clearing PKRU xfeature bit as vCPU from PID %d"
++				" reports no PKRU support - migration from fpu-leaky kernel?",
++				current->pid
++			);
++			ustate->xsave.header.xfeatures &= ~XFEATURE_MASK_PKRU;
++		}
++	}
++
+ 	return fpu_copy_uabi_to_guest_fpstate(&vcpu->arch.guest_fpu,
+ 					      guest_xsave->region,
+ 					      kvm_caps.supported_xcr0,

debian/patches/pve/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch

@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: kiler129 <grzegorz@noflash.pl>
+Date: Mon, 18 Sep 2023 15:19:26 +0200
+Subject: [PATCH] allow opt-in to allow pass-through on broken hardware..
+
+adapted from https://github.com/kiler129/relax-intel-rmrr , licensed under MIT or GPL 2.0+
+
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ drivers/iommu/intel/iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
+index c4c6240d14f9..5e037a9ea6a6 100644
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -234,6 +234,7 @@ static int dmar_map_gfx = 1;
+ static int dmar_map_ipu = 1;
+ static int intel_iommu_superpage = 1;
+ static int iommu_identity_mapping;
++static int intel_relaxable_rmrr = 0;
+ static int iommu_skip_te_disable;
+ 
+ #define IDENTMAP_GFX		2
+@@ -296,6 +297,9 @@ static int __init intel_iommu_setup(char *str)
+ 		} else if (!strncmp(str, "tboot_noforce", 13)) {
+ 			pr_info("Intel-IOMMU: not forcing on after tboot. This could expose security risk for tboot\n");
+ 			intel_iommu_tboot_noforce = 1;
++		} else if (!strncmp(str, "relax_rmrr", 10)) {
++			pr_info("Intel-IOMMU: assuming all RMRRs are relaxable. This can lead to instability or data loss\n");
++			intel_relaxable_rmrr = 1;
+ 		} else {
+ 			pr_notice("Unknown option - '%s'\n", str);
+ 		}
+@@ -2470,7 +2474,7 @@ static bool device_rmrr_is_relaxable(struct device *dev)
+ 		return false;
+ 
+ 	pdev = to_pci_dev(dev);
+-	if (IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
++	if (intel_relaxable_rmrr || IS_USB_DEVICE(pdev) || IS_GFX_DEVICE(pdev))
+ 		return true;
+ 	else
+ 		return false;

debian/patches/pve/0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch

@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 18 Oct 2023 12:41:04 -0700
+Subject: [PATCH] KVM: nSVM: Advertise support for flush-by-ASID
+
+Advertise support for FLUSHBYASID when nested SVM is enabled, as KVM can
+always emulate flushing TLB entries for a vmcb12 ASID, e.g. by running L2
+with a new, fresh ASID in vmcb02.  Some modern hypervisors, e.g. VMWare
+Workstation 17, require FLUSHBYASID support and will refuse to run if it's
+not present.
+
+Punt on proper support, as "Honor L1's request to flush an ASID on nested
+VMRUN" is one of the TODO items in the (incomplete) list of issues that
+need to be addressed in order for KVM to NOT do a full TLB flush on every
+nested SVM transition (see nested_svm_transition_tlb_flush()).
+
+Reported-by: Stefan Sterz <s.sterz@proxmox.com>
+Closes: https://lkml.kernel.org/r/b9915c9c-4cf6-051a-2d91-44cc6380f455%40proxmox.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ arch/x86/kvm/svm/svm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
+index cf86607bc696..e2c080780d9a 100644
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -5102,6 +5102,7 @@ static __init void svm_set_cpu_caps(void)
+ 	if (nested) {
+ 		kvm_cpu_cap_set(X86_FEATURE_SVM);
+ 		kvm_cpu_cap_set(X86_FEATURE_VMCBCLEAN);
++		kvm_cpu_cap_set(X86_FEATURE_FLUSHBYASID);
+ 
+ 		/*
+ 		 * KVM currently flushes TLBs on *every* nested SVM transition,

debian/patches/pve/0011-revert-memfd-improve-userspace-warnings-for-missing-.patch

@@ -0,0 +1,44 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thomas Lamprecht <t.lamprecht@proxmox.com>
+Date: Mon, 6 Nov 2023 10:17:02 +0100
+Subject: [PATCH] revert "memfd: improve userspace warnings for missing
+ exec-related flags".
+
+This warning is telling userspace developers to pass MFD_EXEC and
+MFD_NOEXEC_SEAL to memfd_create().  Commit 434ed3350f57 ("memfd: improve
+userspace warnings for missing exec-related flags") made the warning more
+frequent and visible in the hope that this would accelerate the fixing of
+errant userspace.
+
+But the overall effect is to generate far too much dmesg noise.
+
+Fixes: 434ed3350f57 ("memfd: improve userspace warnings for missing exec-related flags")
+Reported-by: Damian Tometzki <dtometzki@fedoraproject.org>
+Closes: https://lkml.kernel.org/r/ZPFzCSIgZ4QuHsSC@fedora.fritz.box
+Cc: Aleksa Sarai <cyphar@cyphar.com>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Daniel Verkamp <dverkamp@chromium.org>
+Cc: Jeff Xu <jeffxu@google.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ (cherry picked from commit 2562d67b1bdf91c7395b0225d60fdeb26b4bc5a0)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ mm/memfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/memfd.c b/mm/memfd.c
+index d3a1ba4208c9..6a9de5d9105e 100644
+--- a/mm/memfd.c
++++ b/mm/memfd.c
+@@ -282,7 +282,7 @@ static int check_sysctl_memfd_noexec(unsigned int *flags)
+ 	}
+ 
+ 	if (!(*flags & MFD_NOEXEC_SEAL) && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) {
+-		pr_err_ratelimited(
++		pr_warn_once(
+ 			"%s[%d]: memfd_create() requires MFD_NOEXEC_SEAL with vm.memfd_noexec=%d\n",
+ 			current->comm, task_pid_nr(current), sysctl);
+ 		return -EACCES;

debian/patches/pve/0012-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 10 Apr 2024 13:21:59 +0200
+Subject: [PATCH] apparmor: expect msg_namelen=0 for recvmsg calls
+
+When coming from sys_recvmsg, msg->msg_namelen is explicitly set to
+zero early on. (see ____sys_recvmsg in net/socket.c)
+We still end up in 'map_addr' where the assumption is that addr !=
+NULL means addrlen has a valid size.
+
+This is likely not a final fix, it was suggested by jjohansen on irc
+to get things going until this is resolved properly.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ security/apparmor/af_inet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/apparmor/af_inet.c b/security/apparmor/af_inet.c
+index 57b710054a76..35f905d9b960 100644
+--- a/security/apparmor/af_inet.c
++++ b/security/apparmor/af_inet.c
+@@ -766,7 +766,7 @@ int aa_inet_msg_perm(const char *op, u32 request, struct socket *sock,
+ 	/* do we need early bailout for !family ... */
+ 	return sk_has_perm2(sock->sk, op, request, profile, ad,
+ 			    map_sock_addr(sock, ADDR_LOCAL, &laddr, &ad),
+-			    map_addr(msg->msg_name, msg->msg_namelen, 0,
++			    map_addr(msg->msg_namelen == 0 ? NULL : msg->msg_name, msg->msg_namelen, 0,
+ 				     ADDR_REMOTE, &raddr, &ad),
+ 			    profile_remote_perm(profile, sock->sk, request,
+ 						&raddr, &laddr.maddr, &ad));

debian/patches/pve/0013-x86-CPU-AMD-Improve-the-erratum-1386-workaround.patch

@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Sun, 24 Mar 2024 20:51:35 +0100
+Subject: [PATCH] x86/CPU/AMD: Improve the erratum 1386 workaround
+
+Disable XSAVES only on machines which haven't loaded the microcode
+revision containing the erratum fix.
+
+This will come in handy when running archaic OSes as guests. OSes whose
+brilliant programmers thought that CPUID is overrated and one should not
+query it but use features directly, ala shoot first, ask questions
+later... but only if you're alive after the shooting.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Tested-by: "Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/r/20240324200525.GBZgCHhYFsBj12PrKv@fat_crate.local
+---
+ arch/x86/include/asm/cpu_device_id.h |  8 ++++++++
+ arch/x86/kernel/cpu/amd.c            | 12 ++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/arch/x86/include/asm/cpu_device_id.h b/arch/x86/include/asm/cpu_device_id.h
+index e8e3dbe7f173..b6325ee30871 100644
+--- a/arch/x86/include/asm/cpu_device_id.h
++++ b/arch/x86/include/asm/cpu_device_id.h
+@@ -288,6 +288,14 @@ struct x86_cpu_desc {
+ 	.x86_microcode_rev	= (revision),			\
+ }
+ 
++#define AMD_CPU_DESC(fam, model, stepping, revision) {		\
++	.x86_family		= (fam),			\
++	.x86_vendor		= X86_VENDOR_AMD,		\
++	.x86_model		= (model),			\
++	.x86_stepping		= (stepping),			\
++	.x86_microcode_rev	= (revision),			\
++}
++
+ extern const struct x86_cpu_id *x86_match_cpu(const struct x86_cpu_id *match);
+ extern bool x86_cpu_has_min_microcode_rev(const struct x86_cpu_desc *table);
+ 
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 0838ea579eb0..ca6096dcc5c6 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -13,6 +13,7 @@
+ #include <asm/apic.h>
+ #include <asm/cacheinfo.h>
+ #include <asm/cpu.h>
++#include <asm/cpu_device_id.h>
+ #include <asm/spec-ctrl.h>
+ #include <asm/smp.h>
+ #include <asm/numa.h>
+@@ -925,6 +926,11 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
+ 	clear_rdrand_cpuid_bit(c);
+ }
+ 
++static const struct x86_cpu_desc erratum_1386_microcode[] = {
++	AMD_CPU_DESC(0x17,  0x1, 0x2, 0x0800126e),
++	AMD_CPU_DESC(0x17, 0x31, 0x0, 0x08301052),
++};
++
+ static void fix_erratum_1386(struct cpuinfo_x86 *c)
+ {
+ 	/*
+@@ -934,7 +940,13 @@ static void fix_erratum_1386(struct cpuinfo_x86 *c)
+ 	 *
+ 	 * Affected parts all have no supervisor XSAVE states, meaning that
+ 	 * the XSAVEC instruction (which works fine) is equivalent.
++	 *
++	 * Clear the feature flag only on microcode revisions which
++	 * don't have the fix.
+ 	 */
++	if (x86_cpu_has_min_microcode_rev(erratum_1386_microcode))
++		return;
++
+ 	clear_cpu_cap(c, X86_FEATURE_XSAVES);
+ }
+ 

debian/patches/pve/0014-cifs-fix-pagecache-leak-when-do-writepages.patch

@@ -0,0 +1,108 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yang Erkun <yangerkun@huawei.com>
+Date: Tue, 25 Jun 2024 11:43:32 +0800
+Subject: [PATCH] cifs: fix pagecache leak when do writepages
+
+After commit f3dc1bdb6b0b("cifs: Fix writeback data corruption"), the
+writepages for cifs will find all folio needed writepage with two phase.
+The first folio will be found in cifs_writepages_begin, and the latter
+various folios will be found in cifs_extend_writeback.
+
+All those will first get folio, and for normal case, once we set page
+writeback and after do really write, we should put the reference, folio
+found in cifs_extend_writeback do this with folio_batch_release. But the
+folio found in cifs_writepages_begin never get the chance do it. And
+every writepages call, we will leak a folio(found this problem while do
+xfstests over cifs, the latter show that we will leak about 600M+ every
+we run generic/074).
+
+echo 3 > /proc/sys/vm/drop_caches ; cat /proc/meminfo | grep file
+Active(file):      34092 kB
+Inactive(file):   176192 kB
+./check generic/074 (smb v1)
+...
+generic/074 50s ...  53s
+Ran: generic/074
+Passed all 1 tests
+
+echo 3 > /proc/sys/vm/drop_caches ; cat /proc/meminfo | grep file
+Active(file):      35036 kB
+Inactive(file):   854708 kB
+
+Besides, the exist path seem never handle this folio correctly, fix it too
+with this patch.
+
+The problem does not exist in mainline since writepages path for cifs
+has changed to netfs(3ee1a1fc3981 ("cifs: Cut over to using netfslib")).
+It's had to backport all related change, so try fix this problem with this
+single patch.
+
+Fixes: f3dc1bdb6b0b ("cifs: Fix writeback data corruption")
+Cc: stable@kernel.org # v6.6+
+Signed-off-by: Yang Erkun <yangerkun@huawei.com>
+(picked from https://lore.kernel.org/linux-cifs/20240625034332.750312-1-yangerkun@huawei.com/)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ fs/smb/client/file.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
+index af5c476db6e6..8aee0f520300 100644
+--- a/fs/smb/client/file.c
++++ b/fs/smb/client/file.c
+@@ -2845,17 +2845,21 @@ static ssize_t cifs_write_back_from_locked_folio(struct address_space *mapping,
+ 	rc = cifs_get_writable_file(CIFS_I(inode), FIND_WR_ANY, &cfile);
+ 	if (rc) {
+ 		cifs_dbg(VFS, "No writable handle in writepages rc=%d\n", rc);
++		folio_unlock(folio);
+ 		goto err_xid;
+ 	}
+ 
+ 	rc = server->ops->wait_mtu_credits(server, cifs_sb->ctx->wsize,
+ 					   &wsize, credits);
+-	if (rc != 0)
++	if (rc != 0) {
++		folio_unlock(folio);
+ 		goto err_close;
++	}
+ 
+ 	wdata = cifs_writedata_alloc(cifs_writev_complete);
+ 	if (!wdata) {
+ 		rc = -ENOMEM;
++		folio_unlock(folio);
+ 		goto err_uncredit;
+ 	}
+ 
+@@ -3002,17 +3006,22 @@ static ssize_t cifs_writepages_begin(struct address_space *mapping,
+ lock_again:
+ 	if (wbc->sync_mode != WB_SYNC_NONE) {
+ 		ret = folio_lock_killable(folio);
+-		if (ret < 0)
++		if (ret < 0) {
++			folio_put(folio);
+ 			return ret;
++		}
+ 	} else {
+-		if (!folio_trylock(folio))
++		if (!folio_trylock(folio)) {
++			folio_put(folio);
+ 			goto search_again;
++		}
+ 	}
+ 
+ 	if (folio->mapping != mapping ||
+ 	    !folio_test_dirty(folio)) {
+ 		start += folio_size(folio);
+ 		folio_unlock(folio);
++		folio_put(folio);
+ 		goto search_again;
+ 	}
+ 
+@@ -3042,6 +3051,7 @@ static ssize_t cifs_writepages_begin(struct address_space *mapping,
+ out:
+ 	if (ret > 0)
+ 		*_start = start + ret;
++	folio_put(folio);
+ 	return ret;
+ }
+ 

debian/patches/pve/0015-drm-amdgpu-pm-Don-t-use-OD-table-on-Arcturus.patch

@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ma Jun <Jun.Ma2@amd.com>
+Date: Tue, 19 Mar 2024 11:02:29 +0800
+Subject: [PATCH] drm/amdgpu/pm: Don't use OD table on Arcturus
+
+OD is not supported on Arcturus, so the OD table
+should not be used.
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit bc55c344b06f7e6f99eb92d393ff0a84c1532514)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ .../gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 33 +++----------------
+ 1 file changed, 5 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
+index 40ba7227cca5..0c2d04f978ac 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
+@@ -1283,11 +1283,8 @@ static int arcturus_get_power_limit(struct smu_context *smu,
+ 					uint32_t *max_power_limit,
+ 					uint32_t *min_power_limit)
+ {
+-	struct smu_11_0_powerplay_table *powerplay_table =
+-		(struct smu_11_0_powerplay_table *)smu->smu_table.power_play_table;
+-	struct smu_11_0_overdrive_table *od_settings = smu->od_settings;
+ 	PPTable_t *pptable = smu->smu_table.driver_pptable;
+-	uint32_t power_limit, od_percent_upper = 0, od_percent_lower = 0;
++	uint32_t power_limit;
+ 
+ 	if (smu_v11_0_get_current_power_limit(smu, &power_limit)) {
+ 		/* the last hope to figure out the ppt limit */
+@@ -1303,30 +1300,10 @@ static int arcturus_get_power_limit(struct smu_context *smu,
+ 		*current_power_limit = power_limit;
+ 	if (default_power_limit)
+ 		*default_power_limit = power_limit;
+-
+-	if (powerplay_table) {
+-		if (smu->od_enabled &&
+-				od_settings->cap[SMU_11_0_ODCAP_POWER_LIMIT]) {
+-			od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+-			od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+-		} else if (od_settings->cap[SMU_11_0_ODCAP_POWER_LIMIT]) {
+-			od_percent_upper = 0;
+-			od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+-		}
+-	}
+-
+-	dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+-							od_percent_upper, od_percent_lower, power_limit);
+-
+-	if (max_power_limit) {
+-		*max_power_limit = power_limit * (100 + od_percent_upper);
+-		*max_power_limit /= 100;
+-	}
+-
+-	if (min_power_limit) {
+-		*min_power_limit = power_limit * (100 - od_percent_lower);
+-		*min_power_limit /= 100;
+-	}
++	if (max_power_limit)
++		*max_power_limit = power_limit;
++	if (min_power_limit)
++		*min_power_limit = power_limit;
+ 
+ 	return 0;
+ }

debian/patches/pve/0016-SUNRPC-Fix-backchannel-reply-again.patch

@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 19 Jun 2024 09:51:08 -0400
+Subject: [PATCH] SUNRPC: Fix backchannel reply, again
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 6ddc9deacc1312762c2edd9de00ce76b00f69f7c ]
+
+I still see "RPC: Could not send backchannel reply error: -110"
+quite often, along with slow-running tests. Debugging shows that the
+backchannel is still stumbling when it has to queue a callback reply
+on a busy transport.
+
+Note that every one of these timeouts causes a connection loss by
+virtue of the xprt_conditional_disconnect() call in that arm of
+call_cb_transmit_status().
+
+I found that setting to_maxval is necessary to get the RPC timeout
+logic to behave whenever to_exponential is not set.
+
+Fixes: 57331a59ac0d ("NFSv4.1: Use the nfs_client's rpc timeouts for backchannel")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+(cherry picked from commit bd1e42e0f2567c911d3df761cf7a33b021fdceeb)
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ net/sunrpc/svc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
+index bd61e257cda6..bac1886f07da 100644
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1546,9 +1546,11 @@ void svc_process(struct svc_rqst *rqstp)
+  */
+ void svc_process_bc(struct rpc_rqst *req, struct svc_rqst *rqstp)
+ {
++	struct rpc_timeout timeout = {
++		.to_increment		= 0,
++	};
+ 	struct rpc_task *task;
+ 	int proc_error;
+-	struct rpc_timeout timeout;
+ 
+ 	/* Build the svc_rqst used by the common processing routine */
+ 	rqstp->rq_xid = req->rq_xid;
+@@ -1601,6 +1603,7 @@ void svc_process_bc(struct rpc_rqst *req, struct svc_rqst *rqstp)
+ 		timeout.to_initval = req->rq_xprt->timeout->to_initval;
+ 		timeout.to_retries = req->rq_xprt->timeout->to_retries;
+ 	}
++	timeout.to_maxval = timeout.to_initval;
+ 	memcpy(&req->rq_snd_buf, &rqstp->rq_res, sizeof(req->rq_snd_buf));
+ 	task = rpc_run_bc_task(req, &timeout);
+ 

debian/patches/pve/0017-tap-add-missing-verification-for-short-frame.patch

@@ -0,0 +1,52 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Si-Wei Liu <si-wei.liu@oracle.com>
+Date: Wed, 24 Jul 2024 10:04:51 -0700
+Subject: [PATCH] tap: add missing verification for short frame
+
+The cited commit missed to check against the validity of the frame length
+in the tap_get_user_xdp() path, which could cause a corrupted skb to be
+sent downstack. Even before the skb is transmitted, the
+tap_get_user_xdp()-->skb_set_network_header() may assume the size is more
+than ETH_HLEN. Once transmitted, this could either cause out-of-bound
+access beyond the actual length, or confuse the underlayer with incorrect
+or inconsistent header length in the skb metadata.
+
+In the alternative path, tap_get_user() already prohibits short frame which
+has the length less than Ethernet header size from being transmitted.
+
+This is to drop any frame shorter than the Ethernet header size just like
+how tap_get_user() does.
+
+CVE: CVE-2024-41090
+Link: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
+Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20240724170452.16837-2-dongli.zhang@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit ed7f2afdd0e043a397677e597ced0830b83ba0b3)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ drivers/net/tap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/tap.c b/drivers/net/tap.c
+index 9f0495e8df4d..feeeac715c18 100644
+--- a/drivers/net/tap.c
++++ b/drivers/net/tap.c
+@@ -1177,6 +1177,11 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
+ 	struct sk_buff *skb;
+ 	int err, depth;
+ 
++	if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) {
++		err = -EINVAL;
++		goto err;
++	}
++
+ 	if (q->flags & IFF_VNET_HDR)
+ 		vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
+ 

debian/patches/pve/0018-tun-add-missing-verification-for-short-frame.patch

@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dongli Zhang <dongli.zhang@oracle.com>
+Date: Wed, 24 Jul 2024 10:04:52 -0700
+Subject: [PATCH] tun: add missing verification for short frame
+
+The cited commit missed to check against the validity of the frame length
+in the tun_xdp_one() path, which could cause a corrupted skb to be sent
+downstack. Even before the skb is transmitted, the
+tun_xdp_one-->eth_type_trans() may access the Ethernet header although it
+can be less than ETH_HLEN. Once transmitted, this could either cause
+out-of-bound access beyond the actual length, or confuse the underlayer
+with incorrect or inconsistent header length in the skb metadata.
+
+In the alternative path, tun_get_user() already prohibits short frame which
+has the length less than Ethernet header size from being transmitted for
+IFF_TAP.
+
+This is to drop any frame shorter than the Ethernet header size just like
+how tun_get_user() does.
+
+CVE: CVE-2024-41091
+Inspired-by: https://lore.kernel.org/netdev/1717026141-25716-1-git-send-email-si-wei.liu@oracle.com/
+Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
+Reviewed-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20240724170452.16837-3-dongli.zhang@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 049584807f1d797fc3078b68035450a9769eb5c3)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ drivers/net/tun.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 86515f0c2b6c..e9cd3b810e2c 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -2459,6 +2459,9 @@ static int tun_xdp_one(struct tun_struct *tun,
+ 	bool skb_xdp = false;
+ 	struct page *page;
+ 
++	if (unlikely(datasize < ETH_HLEN))
++		return -EINVAL;
++
+ 	xdp_prog = rcu_dereference(tun->xdp_prog);
+ 	if (xdp_prog) {
+ 		if (gso->gso_type) {

debian/patches/pve/0019-apparmor-fix-possible-NULL-pointer-dereference.patch

@@ -0,0 +1,101 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leesoo Ahn <lsahn@ooseel.net>
+Date: Wed, 8 May 2024 01:12:29 +0900
+Subject: [PATCH] apparmor: fix possible NULL pointer dereference
+
+profile->parent->dents[AAFS_PROF_DIR] could be NULL only if its parent is made
+from __create_missing_ancestors(..) and 'ent->old' is NULL in
+aa_replace_profiles(..).
+In that case, it must return an error code and the code, -ENOENT represents
+its state that the path of its parent is not existed yet.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000030
+PGD 0 P4D 0
+PREEMPT SMP PTI
+CPU: 4 PID: 3362 Comm: apparmor_parser Not tainted 6.8.0-24-generic #24
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:aafs_create.constprop.0+0x7f/0x130
+Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae
+RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS:  00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ ? show_regs+0x6d/0x80
+ ? __die+0x24/0x80
+ ? page_fault_oops+0x99/0x1b0
+ ? kernelmode_fixup_or_oops+0xb2/0x140
+ ? __bad_area_nosemaphore+0x1a5/0x2c0
+ ? find_vma+0x34/0x60
+ ? bad_area_nosemaphore+0x16/0x30
+ ? do_user_addr_fault+0x2a2/0x6b0
+ ? exc_page_fault+0x83/0x1b0
+ ? asm_exc_page_fault+0x27/0x30
+ ? aafs_create.constprop.0+0x7f/0x130
+ ? aafs_create.constprop.0+0x51/0x130
+ __aafs_profile_mkdir+0x3d6/0x480
+ aa_replace_profiles+0x83f/0x1270
+ policy_update+0xe3/0x180
+ profile_load+0xbc/0x150
+ ? rw_verify_area+0x47/0x140
+ vfs_write+0x100/0x480
+ ? __x64_sys_openat+0x55/0xa0
+ ? syscall_exit_to_user_mode+0x86/0x260
+ ksys_write+0x73/0x100
+ __x64_sys_write+0x19/0x30
+ x64_sys_call+0x7e/0x25c0
+ do_syscall_64+0x7f/0x180
+ entry_SYSCALL_64_after_hwframe+0x78/0x80
+RIP: 0033:0x7be9f211c574
+Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d d5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89
+RSP: 002b:00007ffd26f2b8c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00005d504415e200 RCX: 00007be9f211c574
+RDX: 0000000000001fc1 RSI: 00005d504418bc80 RDI: 0000000000000004
+RBP: 0000000000001fc1 R08: 0000000000001fc1 R09: 0000000080000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 00005d504418bc80
+R13: 0000000000000004 R14: 00007ffd26f2b9b0 R15: 00007ffd26f2ba30
+ </TASK>
+Modules linked in: snd_seq_dummy snd_hrtimer qrtr snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device i2c_i801 snd_timer i2c_smbus qxl snd soundcore drm_ttm_helper lpc_ich ttm joydev input_leds serio_raw mac_hid binfmt_misc msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid ahci libahci psmouse virtio_rng xhci_pci xhci_pci_renesas
+CR2: 0000000000000030
+---[ end trace 0000000000000000 ]---
+RIP: 0010:aafs_create.constprop.0+0x7f/0x130
+Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae
+RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS:  00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0
+
+Signed-off-by: Leesoo Ahn <lsahn@ooseel.net>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+(cherry picked from commit 3dd384108d53834002be5630132ad5c3f32166ad)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ security/apparmor/apparmorfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index be6c3293c9e0..822f2e6a96a7 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -1921,6 +1921,10 @@ int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
+ 		struct aa_profile *p;
+ 		p = aa_deref_parent(profile);
+ 		dent = prof_dir(p);
++		if (!dent) {
++			error = -ENOENT;
++			goto fail2;
++		}
+ 		/* adding to parent that previously didn't have children */
+ 		dent = aafs_create_dir("profiles", dent);
+ 		if (IS_ERR(dent))

debian/patches/pve/0020-PCI-pciehp-Retain-Power-Indicator-bits-for-userspace.patch

@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Blazej Kucman <blazej.kucman@intel.com>
+Date: Mon, 22 Jul 2024 16:14:40 +0200
+Subject: [PATCH] PCI: pciehp: Retain Power Indicator bits for userspace
+ indicators
+
+The sysfs "attention" file normally controls the Slot Control Attention
+Indicator with 0 (off), 1 (on), 2 (blink) settings.
+
+576243b3f9ea ("PCI: pciehp: Allow exclusive userspace control of
+indicators") added pciehp_set_raw_indicator_status() to allow userspace to
+directly control all four bits in both the Attention Indicator and the
+Power Indicator fields via the "attention" file.
+
+This is used on Intel VMD bridges so utilities like "ledmon" can use sysfs
+"attention" to control up to 16 indicators for NVMe device RAID status.
+
+abaaac4845a0 ("PCI: hotplug: Use FIELD_GET/PREP()") broke this by masking
+the sysfs data with PCI_EXP_SLTCTL_AIC, which discards the upper two bits
+intended for the Power Indicator Control field (PCI_EXP_SLTCTL_PIC).
+
+For NVMe devices behind an Intel VMD, ledmon settings that use the
+PCI_EXP_SLTCTL_PIC bits, i.e., ATTENTION_REBUILD (0x5), ATTENTION_LOCATE
+(0x7), ATTENTION_FAILURE (0xD), ATTENTION_OFF (0xF), no longer worked
+correctly.
+
+Mask with PCI_EXP_SLTCTL_AIC | PCI_EXP_SLTCTL_PIC to retain both the
+Attention Indicator and the Power Indicator bits.
+
+Fixes: abaaac4845a0 ("PCI: hotplug: Use FIELD_GET/PREP()")
+Link: https://lore.kernel.org/r/20240722141440.7210-1-blazej.kucman@intel.com
+Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
+[bhelgaas: commit log]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org	# v6.7+
+---
+ drivers/pci/hotplug/pciehp_hpc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
+index b1d0a1b3917d..9d3c249207c4 100644
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -485,7 +485,9 @@ int pciehp_set_raw_indicator_status(struct hotplug_slot *hotplug_slot,
+ 	struct pci_dev *pdev = ctrl_dev(ctrl);
+ 
+ 	pci_config_pm_runtime_get(pdev);
+-	pcie_write_cmd_nowait(ctrl, FIELD_PREP(PCI_EXP_SLTCTL_AIC, status),
++
++	/* Attention and Power Indicator Control bits are supported */
++	pcie_write_cmd_nowait(ctrl, FIELD_PREP(PCI_EXP_SLTCTL_AIC | PCI_EXP_SLTCTL_PIC, status),
+ 			      PCI_EXP_SLTCTL_AIC | PCI_EXP_SLTCTL_PIC);
+ 	pci_config_pm_runtime_put(pdev);
+ 	return 0;

debian/patches/series.linux

@@ -1,2 +1,20 @@
-pve/0002-bridge-keep-MAC-of-first-assigned-port.patch
-pve/0004-kvm-disable-default-dynamic-halt-polling-growth.patch
+pve/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch
+pve/0002-wireless-Add-Debian-wireless-regdb-certificates.patch
+pve/0003-bridge-keep-MAC-of-first-assigned-port.patch
+pve/0004-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
+pve/0005-kvm-disable-default-dynamic-halt-polling-growth.patch
+pve/0006-net-core-downgrade-unregister_netdevice-refcount-lea.patch
+pve/0007-Revert-fortify-Do-not-cast-to-unsigned-char.patch
+pve/0008-kvm-xsave-set-mask-out-PKRU-bit-in-xfeatures-if-vCPU.patch
+pve/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
+pve/0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch
+pve/0011-revert-memfd-improve-userspace-warnings-for-missing-.patch
+pve/0012-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch
+pve/0013-x86-CPU-AMD-Improve-the-erratum-1386-workaround.patch
+pve/0014-cifs-fix-pagecache-leak-when-do-writepages.patch
+pve/0015-drm-amdgpu-pm-Don-t-use-OD-table-on-Arcturus.patch
+pve/0016-SUNRPC-Fix-backchannel-reply-again.patch
+pve/0017-tap-add-missing-verification-for-short-frame.patch
+pve/0018-tun-add-missing-verification-for-short-frame.patch
+pve/0019-apparmor-fix-possible-NULL-pointer-dereference.patch
+pve/0020-PCI-pciehp-Retain-Power-Indicator-bits-for-userspace.patch

debian/patches/series.zfs

@@ -4,8 +4,7 @@ zfs/0003-Fix-the-path-to-the-zed-binary-on-the-systemd-unit.patch
 zfs/0004-import-with-d-dev-disk-by-id-in-scan-service.patch
 zfs/0005-Enable-zed-emails.patch
 zfs/0006-dont-symlink-zed-scripts.patch
-zfs/0007-Use-installed-python3.patch
-zfs/0008-Add-systemd-unit-for-importing-specific-pools.patch
-zfs/0009-Patch-move-manpage-arcstat-1-to-arcstat-8.patch
-zfs/0010-arcstat-Fix-integer-division-with-python3.patch
-zfs/0011-arc-stat-summary-guard-access-to-l2arc-MFU-MRU-stats.patch
+zfs/0007-Add-systemd-unit-for-importing-specific-pools.patch
+zfs/0008-Patch-move-manpage-arcstat-1-to-arcstat-8.patch
+zfs/0009-arc-stat-summary-guard-access-to-l2arc-MFU-MRU-stats.patch
+zfs/0012-change-zfs-lic-cddl-to-gpl.patch

debian/patches/zfs/0003-Fix-the-path-to-the-zed-binary-on-the-systemd-unit.patch

@@ -13,13 +13,13 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/etc/systemd/system/zfs-zed.service.in b/etc/systemd/system/zfs-zed.service.in
-index be80025a4..20ce8e632 100644
+index be2fc6734..7606604ec 100644
 --- a/etc/systemd/system/zfs-zed.service.in
 +++ b/etc/systemd/system/zfs-zed.service.in
-@@ -4,7 +4,7 @@ Documentation=man:zed(8)
- ConditionPathIsDirectory=/sys/module/zfs
+@@ -5,7 +5,7 @@ ConditionPathIsDirectory=/sys/module/zfs
  
  [Service]
+ EnvironmentFile=-@initconfdir@/zfs
 -ExecStart=@sbindir@/zed -F
 +ExecStart=/usr/sbin/zed -F
  Restart=always

debian/patches/zfs/0004-import-with-d-dev-disk-by-id-in-scan-service.patch

@@ -14,13 +14,13 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/etc/systemd/system/zfs-import-scan.service.in b/etc/systemd/system/zfs-import-scan.service.in
-index 598ef501b..e4f3a70c1 100644
+index c5dd45d87..1c792edf0 100644
 --- a/etc/systemd/system/zfs-import-scan.service.in
 +++ b/etc/systemd/system/zfs-import-scan.service.in
-@@ -13,7 +13,7 @@ ConditionPathIsDirectory=/sys/module/zfs
- [Service]
+@@ -14,7 +14,7 @@ ConditionPathIsDirectory=/sys/module/zfs
  Type=oneshot
  RemainAfterExit=yes
+ EnvironmentFile=-@initconfdir@/zfs
 -ExecStart=@sbindir@/zpool import -aN -o cachefile=none $ZPOOL_IMPORT_OPTS
 +ExecStart=@sbindir@/zpool import -aN -d /dev/disk/by-id -o cachefile=none $ZPOOL_IMPORT_OPTS
  

debian/patches/zfs/0005-Enable-zed-emails.patch

@@ -13,10 +13,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/cmd/zed/zed.d/zed.rc b/cmd/zed/zed.d/zed.rc
-index 227b26c26..240d0dbfa 100644
+index 78dc1afc7..41d5539ea 100644
 --- a/cmd/zed/zed.d/zed.rc
 +++ b/cmd/zed/zed.d/zed.rc
-@@ -42,7 +42,7 @@ ZED_EMAIL_ADDR="root"
+@@ -41,7 +41,7 @@ ZED_EMAIL_ADDR="root"
  ##
  # Minimum number of seconds between notifications for a similar event.
  #

debian/patches/zfs/0006-dont-symlink-zed-scripts.patch

@@ -3,28 +3,44 @@ From: Antonio Russo <antonio.e.russo@gmail.com>
 Date: Fri, 20 Mar 2020 17:28:43 +0100
 Subject: [PATCH] dont symlink zed scripts
 
-(cherry picked and adapted from 5cee380324d74e640d5dd7a360faba3994c8007f [0])
+Of the zedlet scripts shipped by upstream, a subset are enabled by
+default, by creating symlinks in /etc/zfs/zed.d.  These symlinks are
+shipped in the zfs-zed package.  dpkg, however, does not support
+conffile handling of symlinks, and therefore any changes (removals) to
+the symlinks are not preserved on package upgrade.
 
-[0] https://salsa.debian.org/zfsonlinux-team/zfs.git
+To address this policy violation, we:
 
-Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+ 1. During package build, create a list of enabled-by-default zedlets,
+    instead of creating symlinks.
+ 2. On package removal, identify all enabled-by-default zedlets whose
+    symlinks do not exist (i.e., were removed by the user). This is done
+    by creating "whiteout" links to /dev/null in their place).
+ 3. On package installation, create links to enabled-by-default zedlets
+    UNLESS there is already a file there (i.e., abort if there is a
+    whiteout link).
+ 4. We also clean up broken symlinks to removed zedlets at package
+    postinst.
 
 Description: track default symlinks, instead of symlinking
 Forwarded: no need
+(cherry picked from https://salsa.debian.org/zfsonlinux-team/zfs/-/commit/5cee380324d7)
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
  cmd/zed/zed.d/Makefile.am | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/cmd/zed/zed.d/Makefile.am b/cmd/zed/zed.d/Makefile.am
-index 2c8173b3e..ad39292e4 100644
+index 812558cf6..f802cf140 100644
 --- a/cmd/zed/zed.d/Makefile.am
 +++ b/cmd/zed/zed.d/Makefile.am
-@@ -49,7 +49,7 @@ install-data-hook:
- 	for f in $(zedconfdefaults); do \
- 	  test -f "$(DESTDIR)$(zedconfdir)/$${f}" -o \
- 	       -L "$(DESTDIR)$(zedconfdir)/$${f}" || \
--	    ln -s "$(zedexecdir)/$${f}" "$(DESTDIR)$(zedconfdir)"; \
+@@ -48,7 +48,7 @@ zed-install-data-hook:
+ 	set -x; for f in $(zedconfdefaults); do \
+ 	  [ -f "$(DESTDIR)$(zedconfdir)/$${f}" ] ||\
+ 	    [ -L "$(DESTDIR)$(zedconfdir)/$${f}" ] || \
+-	    $(LN_S) "$(zedexecdir)/$${f}" "$(DESTDIR)$(zedconfdir)"; \
 +	    echo "$${f}" >> "$(DESTDIR)$(zedexecdir)/DEFAULT-ENABLED" ; \
  	done
- 	chmod 0600 "$(DESTDIR)$(zedconfdir)/zed.rc"
  
+ SHELLCHECKSCRIPTS += $(dist_zedconf_DATA) $(dist_zedexec_SCRIPTS) $(nodist_zedexec_SCRIPTS)

debian/patches/zfs/0007-Add-systemd-unit-for-importing-specific-pools.patch

@@ -11,17 +11,30 @@ the instance name is used unescaped (see systemd.unit(5)), since zpool names
 can contain characters which will be escaped by systemd.
 
 Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- etc/systemd/system/50-zfs.preset.in       |  1 +
- etc/systemd/system/Makefile.am            |  1 +
+ etc/Makefile.am                           |  1 +
+ etc/systemd/system/50-zfs.preset          |  1 +
  etc/systemd/system/zfs-import@.service.in | 16 ++++++++++++++++
  3 files changed, 18 insertions(+)
  create mode 100644 etc/systemd/system/zfs-import@.service.in
 
-diff --git a/etc/systemd/system/50-zfs.preset.in b/etc/systemd/system/50-zfs.preset.in
+diff --git a/etc/Makefile.am b/etc/Makefile.am
+index 7187762d3..de131dc87 100644
+--- a/etc/Makefile.am
++++ b/etc/Makefile.am
+@@ -54,6 +54,7 @@ dist_systemdpreset_DATA = \
+ systemdunit_DATA = \
+ 	%D%/systemd/system/zfs-import-cache.service \
+ 	%D%/systemd/system/zfs-import-scan.service \
++	%D%/systemd/system/zfs-import@.service \
+ 	%D%/systemd/system/zfs-import.target \
+ 	%D%/systemd/system/zfs-mount.service \
+ 	%D%/systemd/system/zfs-scrub-monthly@.timer \
+diff --git a/etc/systemd/system/50-zfs.preset b/etc/systemd/system/50-zfs.preset
 index e4056a92c..030611419 100644
---- a/etc/systemd/system/50-zfs.preset.in
-+++ b/etc/systemd/system/50-zfs.preset.in
+--- a/etc/systemd/system/50-zfs.preset
++++ b/etc/systemd/system/50-zfs.preset
 @@ -1,6 +1,7 @@
  # ZFS is enabled by default
  enable zfs-import-cache.service
@@ -30,18 +43,6 @@ index e4056a92c..030611419 100644
  enable zfs-import.target
  enable zfs-mount.service
  enable zfs-share.service
-diff --git a/etc/systemd/system/Makefile.am b/etc/systemd/system/Makefile.am
-index 35f833de5..af3ae597c 100644
---- a/etc/systemd/system/Makefile.am
-+++ b/etc/systemd/system/Makefile.am
-@@ -7,6 +7,7 @@ systemdunit_DATA = \
- 	zfs-zed.service \
- 	zfs-import-cache.service \
- 	zfs-import-scan.service \
-+	zfs-import@.service \
- 	zfs-mount.service \
- 	zfs-share.service \
- 	zfs-volume-wait.service \
 diff --git a/etc/systemd/system/zfs-import@.service.in b/etc/systemd/system/zfs-import@.service.in
 new file mode 100644
 index 000000000..9b4ee9371

debian/patches/zfs/0007-Use-installed-python3.patch

@@ -1,55 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Antonio Russo <antonio.e.russo@gmail.com>
-Date: Tue, 5 May 2020 22:15:16 -0600
-Subject: [PATCH] Use installed python3
-
----
- .../functional/cli_root/zfs_program/zfs_program_json.ksh    | 6 +++---
- .../tests/functional/rsend/send_encrypted_files.ksh         | 2 +-
- .../tests/functional/rsend/send_realloc_dnode_size.ksh      | 2 +-
- 3 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/tests/zfs-tests/tests/functional/cli_root/zfs_program/zfs_program_json.ksh b/tests/zfs-tests/tests/functional/cli_root/zfs_program/zfs_program_json.ksh
-index 3788543b0..c7ee4ae9a 100755
---- a/tests/zfs-tests/tests/functional/cli_root/zfs_program/zfs_program_json.ksh
-+++ b/tests/zfs-tests/tests/functional/cli_root/zfs_program/zfs_program_json.ksh
-@@ -100,10 +100,10 @@ typeset -a pos_cmds_out=(
- # the same as the input and the --sort-keys option was added.  Detect when
- # --sort-keys is supported and apply the option to ensure the expected order.
- #
--if python -m json.tool --sort-keys <<< "{}"; then
--	JSON_TOOL_CMD="python -m json.tool --sort-keys"
-+if python3 -m json.tool --sort-keys <<< "{}"; then
-+	JSON_TOOL_CMD="python3 -m json.tool --sort-keys"
- else
--	JSON_TOOL_CMD="python -m json.tool"
-+	JSON_TOOL_CMD="python3 -m json.tool"
- fi
- 
- typeset -i cnt=0
-diff --git a/tests/zfs-tests/tests/functional/rsend/send_encrypted_files.ksh b/tests/zfs-tests/tests/functional/rsend/send_encrypted_files.ksh
-index 370f5382e..661fbe85d 100755
---- a/tests/zfs-tests/tests/functional/rsend/send_encrypted_files.ksh
-+++ b/tests/zfs-tests/tests/functional/rsend/send_encrypted_files.ksh
-@@ -87,7 +87,7 @@ log_must xattrtest -f 10 -x 3 -s 32768 -r -k -p /$TESTPOOL/$TESTFS2/xattrsadir
- # OpenZFS issue #7432
- log_must zfs set compression=on xattr=sa $TESTPOOL/$TESTFS2
- log_must touch /$TESTPOOL/$TESTFS2/attrs
--log_must eval "python -c 'print \"a\" * 4096' | \
-+log_must eval "python3 -c 'print \"a\" * 4096' | \
- 	set_xattr_stdin bigval /$TESTPOOL/$TESTFS2/attrs"
- log_must zfs set compression=off xattr=on $TESTPOOL/$TESTFS2
- 
-diff --git a/tests/zfs-tests/tests/functional/rsend/send_realloc_dnode_size.ksh b/tests/zfs-tests/tests/functional/rsend/send_realloc_dnode_size.ksh
-index 551ed15db..bd30488ea 100755
---- a/tests/zfs-tests/tests/functional/rsend/send_realloc_dnode_size.ksh
-+++ b/tests/zfs-tests/tests/functional/rsend/send_realloc_dnode_size.ksh
-@@ -88,7 +88,7 @@ log_must zfs snapshot $POOL/fs@c
- # 4. Create an empty file and add xattrs to it to exercise reclaiming a
- #    dnode that requires more than 1 slot for its bonus buffer (Zol #7433)
- log_must zfs set compression=on xattr=sa $POOL/fs
--log_must eval "python -c 'print \"a\" * 512' |
-+log_must eval "python3 -c 'print \"a\" * 512' |
-     set_xattr_stdin bigval /$POOL/fs/attrs"
- log_must zfs snapshot $POOL/fs@d
- 

debian/patches/zfs/0008-Patch-move-manpage-arcstat-1-to-arcstat-8.patch

@@ -7,6 +7,7 @@ Originally-By: Mo Zhou <cdluminate@gmail.com>
 Originally-By: Antonio Russo <aerusso@aerusso.net>
 
 Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
  man/Makefile.am                        | 2 +-
  man/{man1/arcstat.1 => man8/arcstat.8} | 2 +-
@@ -14,36 +15,36 @@ Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
  rename man/{man1/arcstat.1 => man8/arcstat.8} (99%)
 
 diff --git a/man/Makefile.am b/man/Makefile.am
-index 64650c2b9..95a66a62f 100644
+index 36c1aede1..94fd96e58 100644
 --- a/man/Makefile.am
 +++ b/man/Makefile.am
-@@ -8,7 +8,6 @@ dist_man_MANS = \
- 	man1/ztest.1 \
- 	man1/raidz_test.1 \
- 	man1/zvol_wait.1 \
--	man1/arcstat.1 \
- 	\
- 	man5/vdev_id.conf.5 \
- 	\
+@@ -2,7 +2,6 @@ dist_noinst_man_MANS = \
+ 	%D%/man1/cstyle.1
+ 
+ dist_man_MANS = \
+-	%D%/man1/arcstat.1 \
+ 	%D%/man1/raidz_test.1 \
+ 	%D%/man1/test-runner.1 \
+ 	%D%/man1/zhack.1 \
 @@ -22,6 +21,7 @@ dist_man_MANS = \
- 	man7/zpoolconcepts.7 \
- 	man7/zpoolprops.7 \
+ 	%D%/man7/zpoolconcepts.7 \
+ 	%D%/man7/zpoolprops.7 \
  	\
-+	man8/arcstat.8 \
- 	man8/fsck.zfs.8 \
- 	man8/mount.zfs.8 \
- 	man8/vdev_id.8 \
++	%D%/man8/arcstat.8 \
+ 	%D%/man8/fsck.zfs.8 \
+ 	%D%/man8/mount.zfs.8 \
+ 	%D%/man8/vdev_id.8 \
 diff --git a/man/man1/arcstat.1 b/man/man8/arcstat.8
 similarity index 99%
 rename from man/man1/arcstat.1
 rename to man/man8/arcstat.8
-index a69cd8937..dfe9c971b 100644
+index 82358fa68..a8fb55498 100644
 --- a/man/man1/arcstat.1
 +++ b/man/man8/arcstat.8
 @@ -13,7 +13,7 @@
  .\" Copyright (c) 2020 by AJ Jordan. All rights reserved.
  .\"
- .Dd May 26, 2021
+ .Dd December 23, 2022
 -.Dt ARCSTAT 1
 +.Dt ARCSTAT 8
  .Os

debian/patches/zfs/0009-arc-stat-summary-guard-access-to-l2arc-MFU-MRU-stats.patch

@@ -20,16 +20,17 @@ also move l2_mfu_asize  l2_mru_asize l2_prefetch_asize
 l2_bufc_data_asize l2_bufc_metadata_asize to .get accessor
 (these are only present with a cache device in the pool)
 Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 ---
- cmd/arc_summary/arc_summary3 | 28 ++++++++++++++--------------
- cmd/arcstat/arcstat.in       | 14 +++++++-------
+ cmd/arc_summary | 28 ++++++++++++++--------------
+ cmd/arcstat.in  | 14 +++++++-------
  2 files changed, 21 insertions(+), 21 deletions(-)
 
-diff --git a/cmd/arc_summary/arc_summary3 b/cmd/arc_summary/arc_summary3
-index 301c485b3..ac46f5843 100755
---- a/cmd/arc_summary/arc_summary3
-+++ b/cmd/arc_summary/arc_summary3
-@@ -617,13 +617,13 @@ def section_arc(kstats_dict):
+diff --git a/cmd/arc_summary b/cmd/arc_summary
+index 426e02070..9de198150 100755
+--- a/cmd/arc_summary
++++ b/cmd/arc_summary
+@@ -655,13 +655,13 @@ def section_arc(kstats_dict):
      prt_i1('L2 cached evictions:', f_bytes(arc_stats['evict_l2_cached']))
      prt_i1('L2 eligible evictions:', f_bytes(arc_stats['evict_l2_eligible']))
      prt_i2('L2 eligible MFU evictions:',
@@ -47,7 +48,7 @@ index 301c485b3..ac46f5843 100755
      prt_i1('L2 ineligible evictions:',
             f_bytes(arc_stats['evict_l2_ineligible']))
      print()
-@@ -765,20 +765,20 @@ def section_l2arc(kstats_dict):
+@@ -851,20 +851,20 @@ def section_l2arc(kstats_dict):
             f_perc(arc_stats['l2_hdr_size'], arc_stats['l2_size']),
             f_bytes(arc_stats['l2_hdr_size']))
      prt_i2('MFU allocated size:',
@@ -78,11 +79,11 @@ index 301c485b3..ac46f5843 100755
  
      print()
      prt_1('L2ARC breakdown:', f_hits(l2_access_total))
-diff --git a/cmd/arcstat/arcstat.in b/cmd/arcstat/arcstat.in
-index 010f69ec0..50e5a7150 100755
---- a/cmd/arcstat/arcstat.in
-+++ b/cmd/arcstat/arcstat.in
-@@ -482,8 +482,8 @@ def calculate():
+diff --git a/cmd/arcstat.in b/cmd/arcstat.in
+index 8df1c62f7..833348d0e 100755
+--- a/cmd/arcstat.in
++++ b/cmd/arcstat.in
+@@ -565,8 +565,8 @@ def calculate():
      v["el2skip"] = d["evict_l2_skip"] // sint
      v["el2cach"] = d["evict_l2_cached"] // sint
      v["el2el"] = d["evict_l2_eligible"] // sint
@@ -93,7 +94,7 @@ index 010f69ec0..50e5a7150 100755
      v["el2inel"] = d["evict_l2_ineligible"] // sint
      v["mtxmis"] = d["mutex_miss"] // sint
  
-@@ -498,11 +498,11 @@ def calculate():
+@@ -581,11 +581,11 @@ def calculate():
          v["l2size"] = cur["l2_size"]
          v["l2bytes"] = d["l2_read_bytes"] // sint
  

debian/patches/zfs/0010-arcstat-Fix-integer-division-with-python3.patch

@@ -1,134 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Valmiky Arquissandas <kayvlim@gmail.com>
-Date: Fri, 8 Oct 2021 16:32:27 +0100
-Subject: [PATCH] arcstat: Fix integer division with python3
-
-The arcstat script requests compatibility with python2 and python3, but
-PEP 238 modified the / operator and results in erroneous output when
-run under python3.
-
-This commit replaces instances of / with //, yielding the expected
-result in both versions of Python.
-
-Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
-Reviewed-by: John Kennedy <john.kennedy@delphix.com>
-Reviewed-by: Ryan Moeller <ryan@ixsystems.com>
-Signed-off-by: Valmiky Arquissandas <foss@kayvlim.com>
-Closes #12603
-(cherry picked from commit 2d02bba23d83ae8fede8d281edc255f01ccd28e9)
-Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
----
- cmd/arcstat/arcstat.in | 66 +++++++++++++++++++++---------------------
- 1 file changed, 33 insertions(+), 33 deletions(-)
-
-diff --git a/cmd/arcstat/arcstat.in b/cmd/arcstat/arcstat.in
-index 425e52d1f..010f69ec0 100755
---- a/cmd/arcstat/arcstat.in
-+++ b/cmd/arcstat/arcstat.in
-@@ -441,73 +441,73 @@ def calculate():
- 
-     v = dict()
-     v["time"] = time.strftime("%H:%M:%S", time.localtime())
--    v["hits"] = d["hits"] / sint
--    v["miss"] = d["misses"] / sint
-+    v["hits"] = d["hits"] // sint
-+    v["miss"] = d["misses"] // sint
-     v["read"] = v["hits"] + v["miss"]
--    v["hit%"] = 100 * v["hits"] / v["read"] if v["read"] > 0 else 0
-+    v["hit%"] = 100 * v["hits"] // v["read"] if v["read"] > 0 else 0
-     v["miss%"] = 100 - v["hit%"] if v["read"] > 0 else 0
- 
--    v["dhit"] = (d["demand_data_hits"] + d["demand_metadata_hits"]) / sint
--    v["dmis"] = (d["demand_data_misses"] + d["demand_metadata_misses"]) / sint
-+    v["dhit"] = (d["demand_data_hits"] + d["demand_metadata_hits"]) // sint
-+    v["dmis"] = (d["demand_data_misses"] + d["demand_metadata_misses"]) // sint
- 
-     v["dread"] = v["dhit"] + v["dmis"]
--    v["dh%"] = 100 * v["dhit"] / v["dread"] if v["dread"] > 0 else 0
-+    v["dh%"] = 100 * v["dhit"] // v["dread"] if v["dread"] > 0 else 0
-     v["dm%"] = 100 - v["dh%"] if v["dread"] > 0 else 0
- 
--    v["phit"] = (d["prefetch_data_hits"] + d["prefetch_metadata_hits"]) / sint
-+    v["phit"] = (d["prefetch_data_hits"] + d["prefetch_metadata_hits"]) // sint
-     v["pmis"] = (d["prefetch_data_misses"] +
--                 d["prefetch_metadata_misses"]) / sint
-+                 d["prefetch_metadata_misses"]) // sint
- 
-     v["pread"] = v["phit"] + v["pmis"]
--    v["ph%"] = 100 * v["phit"] / v["pread"] if v["pread"] > 0 else 0
-+    v["ph%"] = 100 * v["phit"] // v["pread"] if v["pread"] > 0 else 0
-     v["pm%"] = 100 - v["ph%"] if v["pread"] > 0 else 0
- 
-     v["mhit"] = (d["prefetch_metadata_hits"] +
--                 d["demand_metadata_hits"]) / sint
-+                 d["demand_metadata_hits"]) // sint
-     v["mmis"] = (d["prefetch_metadata_misses"] +
--                 d["demand_metadata_misses"]) / sint
-+                 d["demand_metadata_misses"]) // sint
- 
-     v["mread"] = v["mhit"] + v["mmis"]
--    v["mh%"] = 100 * v["mhit"] / v["mread"] if v["mread"] > 0 else 0
-+    v["mh%"] = 100 * v["mhit"] // v["mread"] if v["mread"] > 0 else 0
-     v["mm%"] = 100 - v["mh%"] if v["mread"] > 0 else 0
- 
-     v["arcsz"] = cur["size"]
-     v["size"] = cur["size"]
-     v["c"] = cur["c"]
--    v["mfu"] = d["mfu_hits"] / sint
--    v["mru"] = d["mru_hits"] / sint
--    v["mrug"] = d["mru_ghost_hits"] / sint
--    v["mfug"] = d["mfu_ghost_hits"] / sint
--    v["eskip"] = d["evict_skip"] / sint
--    v["el2skip"] = d["evict_l2_skip"] / sint
--    v["el2cach"] = d["evict_l2_cached"] / sint
--    v["el2el"] = d["evict_l2_eligible"] / sint
--    v["el2mfu"] = d["evict_l2_eligible_mfu"] / sint
--    v["el2mru"] = d["evict_l2_eligible_mru"] / sint
--    v["el2inel"] = d["evict_l2_ineligible"] / sint
--    v["mtxmis"] = d["mutex_miss"] / sint
-+    v["mfu"] = d["mfu_hits"] // sint
-+    v["mru"] = d["mru_hits"] // sint
-+    v["mrug"] = d["mru_ghost_hits"] // sint
-+    v["mfug"] = d["mfu_ghost_hits"] // sint
-+    v["eskip"] = d["evict_skip"] // sint
-+    v["el2skip"] = d["evict_l2_skip"] // sint
-+    v["el2cach"] = d["evict_l2_cached"] // sint
-+    v["el2el"] = d["evict_l2_eligible"] // sint
-+    v["el2mfu"] = d["evict_l2_eligible_mfu"] // sint
-+    v["el2mru"] = d["evict_l2_eligible_mru"] // sint
-+    v["el2inel"] = d["evict_l2_ineligible"] // sint
-+    v["mtxmis"] = d["mutex_miss"] // sint
- 
-     if l2exist:
--        v["l2hits"] = d["l2_hits"] / sint
--        v["l2miss"] = d["l2_misses"] / sint
-+        v["l2hits"] = d["l2_hits"] // sint
-+        v["l2miss"] = d["l2_misses"] // sint
-         v["l2read"] = v["l2hits"] + v["l2miss"]
--        v["l2hit%"] = 100 * v["l2hits"] / v["l2read"] if v["l2read"] > 0 else 0
-+        v["l2hit%"] = 100 * v["l2hits"] // v["l2read"] if v["l2read"] > 0 else 0
- 
-         v["l2miss%"] = 100 - v["l2hit%"] if v["l2read"] > 0 else 0
-         v["l2asize"] = cur["l2_asize"]
-         v["l2size"] = cur["l2_size"]
--        v["l2bytes"] = d["l2_read_bytes"] / sint
-+        v["l2bytes"] = d["l2_read_bytes"] // sint
- 
-         v["l2pref"] = cur["l2_prefetch_asize"]
-         v["l2mfu"] = cur["l2_mfu_asize"]
-         v["l2mru"] = cur["l2_mru_asize"]
-         v["l2data"] = cur["l2_bufc_data_asize"]
-         v["l2meta"] = cur["l2_bufc_metadata_asize"]
--        v["l2pref%"] = 100 * v["l2pref"] / v["l2asize"]
--        v["l2mfu%"] = 100 * v["l2mfu"] / v["l2asize"]
--        v["l2mru%"] = 100 * v["l2mru"] / v["l2asize"]
--        v["l2data%"] = 100 * v["l2data"] / v["l2asize"]
--        v["l2meta%"] = 100 * v["l2meta"] / v["l2asize"]
-+        v["l2pref%"] = 100 * v["l2pref"] // v["l2asize"]
-+        v["l2mfu%"] = 100 * v["l2mfu"] // v["l2asize"]
-+        v["l2mru%"] = 100 * v["l2mru"] // v["l2asize"]
-+        v["l2data%"] = 100 * v["l2data"] // v["l2asize"]
-+        v["l2meta%"] = 100 * v["l2meta"] // v["l2asize"]
- 
-     v["grow"] = 0 if cur["arc_no_grow"] else 1
-     v["need"] = cur["arc_need_free"]

debian/patches/zfs/0010-zvol-Remove-broken-blk-mq-optimization.patch

@@ -0,0 +1,99 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tony Hutter <hutter2@llnl.gov>
+Date: Mon, 23 Oct 2023 14:45:06 -0700
+Subject: [PATCH] zvol: Remove broken blk-mq optimization
+
+This fix removes a dubious optimization in zfs_uiomove_bvec_rq()
+that saved the iterator contents of a rq_for_each_segment().  This
+optimization allowed restoring the "saved state" from a previous
+rq_for_each_segment() call on the same uio so that you wouldn't
+need to iterate though each bvec on every zfs_uiomove_bvec_rq() call.
+However, if the kernel is manipulating the requests/bios/bvecs under
+the covers between zfs_uiomove_bvec_rq() calls, then it could result
+in corruption from using the "saved state".  This optimization
+results in an unbootable system after installing an OS on a zvol
+with blk-mq enabled.
+
+Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
+Signed-off-by: Tony Hutter <hutter2@llnl.gov>
+Closes #15351
+(cherry picked from commit 7c9b6fed16ed5034fd1cdfdaedfad93dc97b1557)
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ include/os/linux/spl/sys/uio.h |  8 --------
+ module/os/linux/zfs/zfs_uio.c  | 29 -----------------------------
+ 2 files changed, 37 deletions(-)
+
+diff --git a/include/os/linux/spl/sys/uio.h b/include/os/linux/spl/sys/uio.h
+index cce097e16..a4b600004 100644
+--- a/include/os/linux/spl/sys/uio.h
++++ b/include/os/linux/spl/sys/uio.h
+@@ -73,13 +73,6 @@ typedef struct zfs_uio {
+ 	size_t		uio_skip;
+ 
+ 	struct request	*rq;
+-
+-	/*
+-	 * Used for saving rq_for_each_segment() state between calls
+-	 * to zfs_uiomove_bvec_rq().
+-	 */
+-	struct req_iterator iter;
+-	struct bio_vec bv;
+ } zfs_uio_t;
+ 
+ 
+@@ -138,7 +131,6 @@ zfs_uio_bvec_init(zfs_uio_t *uio, struct bio *bio, struct request *rq)
+ 	} else {
+ 		uio->uio_bvec = NULL;
+ 		uio->uio_iovcnt = 0;
+-		memset(&uio->iter, 0, sizeof (uio->iter));
+ 	}
+ 
+ 	uio->uio_loffset = io_offset(bio, rq);
+diff --git a/module/os/linux/zfs/zfs_uio.c b/module/os/linux/zfs/zfs_uio.c
+index 3efd4ab15..c2ed67c43 100644
+--- a/module/os/linux/zfs/zfs_uio.c
++++ b/module/os/linux/zfs/zfs_uio.c
+@@ -204,22 +204,6 @@ zfs_uiomove_bvec_rq(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio)
+ 	this_seg_start = orig_loffset;
+ 
+ 	rq_for_each_segment(bv, rq, iter) {
+-		if (uio->iter.bio) {
+-			/*
+-			 * If uio->iter.bio is present, then we know we've saved
+-			 * uio->iter from a previous call to this function, and
+-			 * we can skip ahead in this rq_for_each_segment() loop
+-			 * to where we last left off.  That way, we don't need
+-			 * to iterate over tons of segments we've already
+-			 * processed - we can just restore the "saved state".
+-			 */
+-			iter = uio->iter;
+-			bv = uio->bv;
+-			this_seg_start = uio->uio_loffset;
+-			memset(&uio->iter, 0, sizeof (uio->iter));
+-			continue;
+-		}
+-
+ 		/*
+ 		 * Lookup what the logical offset of the last byte of this
+ 		 * segment is.
+@@ -260,19 +244,6 @@ zfs_uiomove_bvec_rq(void *p, size_t n, zfs_uio_rw_t rw, zfs_uio_t *uio)
+ 			copied = 1;	/* We copied some data */
+ 		}
+ 
+-		if (n == 0) {
+-			/*
+-			 * All done copying.  Save our 'iter' value to the uio.
+-			 * This allows us to "save our state" and skip ahead in
+-			 * the rq_for_each_segment() loop the next time we call
+-			 * call zfs_uiomove_bvec_rq() on this uio (which we
+-			 * will be doing for any remaining data in the uio).
+-			 */
+-			uio->iter = iter; /* make a copy of the struct data */
+-			uio->bv = bv;
+-			return (0);
+-		}
+-
+ 		this_seg_start = this_seg_end + 1;
+ 	}
+ 

debian/patches/zfs/0011-Revert-zvol-Temporally-disable-blk-mq.patch

@@ -0,0 +1,123 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tony Hutter <hutter2@llnl.gov>
+Date: Mon, 23 Oct 2023 14:39:59 -0700
+Subject: [PATCH] Revert "zvol: Temporally disable blk-mq"
+
+This reverts commit aefb6a2bd6c24597cde655e9ce69edd0a4c34357.
+
+aefb6a2bd temporally disabled blk-mq until we could fix a fix for
+
+Signed-off-by: Tony Hutter <hutter2@llnl.gov>
+Closes #15439
+(cherry picked from commit 05c4710e8958832afc2868102c9535a4f18115be)
+Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
+---
+ man/man4/zfs.4                       | 57 ++++++++++++++++++++++++++++
+ module/os/linux/zfs/zvol_os.c        | 12 ++++++
+ tests/zfs-tests/include/tunables.cfg |  2 +-
+ 3 files changed, 70 insertions(+), 1 deletion(-)
+
+diff --git a/man/man4/zfs.4 b/man/man4/zfs.4
+index 71a3e67ee..cfadd79d8 100644
+--- a/man/man4/zfs.4
++++ b/man/man4/zfs.4
+@@ -2317,6 +2317,63 @@ If
+ .Sy zvol_threads
+ to the number of CPUs present or 32 (whichever is greater).
+ .
++.It Sy zvol_blk_mq_threads Ns = Ns Sy 0 Pq uint
++The number of threads per zvol to use for queuing IO requests.
++This parameter will only appear if your kernel supports
++.Li blk-mq
++and is only read and assigned to a zvol at zvol load time.
++If
++.Sy 0
++(the default) then internally set
++.Sy zvol_blk_mq_threads
++to the number of CPUs present.
++.
++.It Sy zvol_use_blk_mq Ns = Ns Sy 0 Ns | Ns 1 Pq uint
++Set to
++.Sy 1
++to use the
++.Li blk-mq
++API for zvols.
++Set to
++.Sy 0
++(the default) to use the legacy zvol APIs.
++This setting can give better or worse zvol performance depending on
++the workload.
++This parameter will only appear if your kernel supports
++.Li blk-mq
++and is only read and assigned to a zvol at zvol load time.
++.
++.It Sy zvol_blk_mq_blocks_per_thread Ns = Ns Sy 8 Pq uint
++If
++.Sy zvol_use_blk_mq
++is enabled, then process this number of
++.Sy volblocksize Ns -sized blocks per zvol thread.
++This tunable can be use to favor better performance for zvol reads (lower
++values) or writes (higher values).
++If set to
++.Sy 0 ,
++then the zvol layer will process the maximum number of blocks
++per thread that it can.
++This parameter will only appear if your kernel supports
++.Li blk-mq
++and is only applied at each zvol's load time.
++.
++.It Sy zvol_blk_mq_queue_depth Ns = Ns Sy 0 Pq uint
++The queue_depth value for the zvol
++.Li blk-mq
++interface.
++This parameter will only appear if your kernel supports
++.Li blk-mq
++and is only applied at each zvol's load time.
++If
++.Sy 0
++(the default) then use the kernel's default queue depth.
++Values are clamped to the kernel's
++.Dv BLKDEV_MIN_RQ
++and
++.Dv BLKDEV_MAX_RQ Ns / Ns Dv BLKDEV_DEFAULT_RQ
++limits.
++.
+ .It Sy zvol_volmode Ns = Ns Sy 1 Pq uint
+ Defines zvol block devices behaviour when
+ .Sy volmode Ns = Ns Sy default :
+diff --git a/module/os/linux/zfs/zvol_os.c b/module/os/linux/zfs/zvol_os.c
+index 76521c959..7a95b54bd 100644
+--- a/module/os/linux/zfs/zvol_os.c
++++ b/module/os/linux/zfs/zvol_os.c
+@@ -1620,6 +1620,18 @@ MODULE_PARM_DESC(zvol_prefetch_bytes, "Prefetch N bytes at zvol start+end");
+ module_param(zvol_volmode, uint, 0644);
+ MODULE_PARM_DESC(zvol_volmode, "Default volmode property value");
+ 
++#ifdef HAVE_BLK_MQ
++module_param(zvol_blk_mq_queue_depth, uint, 0644);
++MODULE_PARM_DESC(zvol_blk_mq_queue_depth, "Default blk-mq queue depth");
++
++module_param(zvol_use_blk_mq, uint, 0644);
++MODULE_PARM_DESC(zvol_use_blk_mq, "Use the blk-mq API for zvols");
++
++module_param(zvol_blk_mq_blocks_per_thread, uint, 0644);
++MODULE_PARM_DESC(zvol_blk_mq_blocks_per_thread,
++    "Process volblocksize blocks per thread");
++#endif
++
+ #ifndef HAVE_BLKDEV_GET_ERESTARTSYS
+ module_param(zvol_open_timeout_ms, uint, 0644);
+ MODULE_PARM_DESC(zvol_open_timeout_ms, "Timeout for ZVOL open retries");
+diff --git a/tests/zfs-tests/include/tunables.cfg b/tests/zfs-tests/include/tunables.cfg
+index 8010a9451..80e7bcb3b 100644
+--- a/tests/zfs-tests/include/tunables.cfg
++++ b/tests/zfs-tests/include/tunables.cfg
+@@ -89,7 +89,7 @@ VDEV_VALIDATE_SKIP		vdev.validate_skip		vdev_validate_skip
+ VOL_INHIBIT_DEV			UNSUPPORTED			zvol_inhibit_dev
+ VOL_MODE			vol.mode			zvol_volmode
+ VOL_RECURSIVE			vol.recursive			UNSUPPORTED
+-VOL_USE_BLK_MQ			UNSUPPORTED			UNSUPPORTED
++VOL_USE_BLK_MQ			UNSUPPORTED			zvol_use_blk_mq
+ XATTR_COMPAT			xattr_compat			zfs_xattr_compat
+ ZEVENT_LEN_MAX			zevent.len_max			zfs_zevent_len_max
+ ZEVENT_RETAIN_MAX		zevent.retain_max		zfs_zevent_retain_max

debian/patches/zfs/0012-change-zfs-lic-cddl-to-gpl.patch

@@ -0,0 +1,13 @@
+diff --git a/META b/META
+index 0d7df10..76f5194 100644
+--- a/META
++++ b/META
+@@ -4,7 +4,7 @@ Branch:        1.0
+ Version:       2.2.0
+ Release:       1
+ Release-Tags:  relext
+-License:       CDDL
++License:       GPL
+ Author:        OpenZFS
+ Linux-Maximum: 6.5
+ Linux-Minimum: 3.10

debian/rules

@@ -43,11 +43,11 @@ override_dh_quilt_unpatch:
 	cd ${KERNEL_SRC}; \
 		QUILT_PATCHES=../debian/patches \
 		QUILT_SERIES=series.linux \
-		quilt --quiltrc /dev/null pop -a || test $$? = 2
+		quilt --quiltrc /dev/null pop -af || test $$? = 2
 	cd ${ZFS_SRC}; \
     	QUILT_PATCHES=../debian/patches \
     	QUILT_SERIES=series.zfs \
-    	quilt --quiltrc /dev/null pop -a || test $$? = 2
+    	quilt --quiltrc /dev/null pop -af || test $$? = 2
 	rm -rf ${KERNEL_SRC}/.pc ${ZFS_SRC}/.pc
 
 override_dh_autoreconf:
@@ -82,6 +82,9 @@ override_dh_auto_clean: debian/control
 	rm -f ${PVE_KERNEL_TEMPLATES} ${PVE_HEADER_TEMPLATES}
 	rm -f debian/SOURCE debian/*.tmp .*_mark
 
+override_dh_strip_nondeterminism:
+	# Disables dh_strip_nondeterminism to speed up the debian package creation
+
 ## Kernel
 PVE_KERNEL_TEMPLATES := $(patsubst debian/templates/pve-kernel.%.in, debian/${PVE_KERNEL_PKG}.%, $(wildcard debian/templates/pve-kernel.*.in))
 
@@ -101,19 +104,12 @@ debian/${PVE_KERNEL_PKG}.%: debian/templates/pve-kernel.%.in
 	install -m 644 ${KERNEL_SRC}/System.map debian/${PVE_KERNEL_PKG}/boot/System.map-${KVNAME}
 	install -m 644 ${KERNEL_SRC}/${KERNEL_IMAGE_PATH} debian/${PVE_KERNEL_PKG}/boot/${KERNEL_INSTALL_FILE}-${KVNAME}
 	${MAKE} -C ${KERNEL_SRC} INSTALL_MOD_PATH=${BUILD_DIR}/debian/${PVE_KERNEL_PKG}/ modules_install
-	${MAKE} -C ${KERNEL_SRC} INSTALL_PATH=${BUILD_DIR}debian/${PVE_KERNEL_PKG}/boot dtbs_install
+	${MAKE} -C ${KERNEL_SRC} INSTALL_PATH=${BUILD_DIR}/debian/${PVE_KERNEL_PKG}/boot dtbs_install
 	
 	# install zfs drivers
 	install -d -m 0755 debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 ${ZFS_SRC}/module/avl/zavl.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 ${ZFS_SRC}/module/nvpair/znvpair.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 ${ZFS_SRC}/module/unicode/zunicode.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 ${ZFS_SRC}/module/zcommon/zcommon.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 ${ZFS_SRC}/module/icp/icp.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 ${ZFS_SRC}/module/zfs/zfs.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 ${ZFS_SRC}/module/lua/zlua.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 ${ZFS_SRC}/module/spl/spl.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
-	install -m 644 ${ZFS_SRC}/module/zstd/zzstd.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/zfs.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/spl.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
 	# remove firmware
 	rm -rf debian/${PVE_KERNEL_PKG}/lib/firmware
 	# strip debug info

debian/rules.cross

@@ -0,0 +1,215 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+include /usr/share/dpkg/default.mk
+export DH_VERBOSE = 1
+# Common variables for all architectures
+include debian/rules.d/common.mk
+
+# Pull in some arch specific stuff
+include debian/rules.d/arch/arm64.mk
+
+BUILD_DIR ?= ${CURDIR}
+KERNEL_SRC := linux
+ZFS_SRC := zfs
+
+%:
+	dh $@ --with quilt
+
+## Debian package metadata
+debian/control: debian/templates/control.in
+	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/${KERNEL_MAJMIN}/g' -e 's/edge/${DEB_DISTRIBUTION}/g' < debian/templates/control.in > debian/control
+
+debian/SOURCE:
+	echo "git clone git@github.com:fabianishere/pve-edge-kernel.git \
+		  git checkout ${PKG_GIT_VERSION} \
+		  git submodule update --init --depth=1" > $@
+
+## Debhelper phases
+override_dh_quilt_patch:
+	# Apply crack bundle
+#	git -C ${KERNEL_SRC} fetch ../crack.bundle $$(git -C ${KERNEL_SRC} ls-remote ../crack.bundle | cut -f1)
+#	git -C ${KERNEL_SRC} checkout -f FETCH_HEAD
+	# Apply patches
+	cd ${KERNEL_SRC}; \
+		QUILT_PATCHES=../debian/patches  \
+		QUILT_SERIES=series.linux \
+		quilt --quiltrc /dev/null --color=always push -a || test $$? = 2
+	cd ${ZFS_SRC}; \
+    	QUILT_PATCHES=../debian/patches  \
+    	QUILT_SERIES=series.zfs \
+    	quilt --quiltrc /dev/null --color=always push -a || test $$? = 2
+
+override_dh_quilt_unpatch:
+	cd ${KERNEL_SRC}; \
+		QUILT_PATCHES=../debian/patches \
+		QUILT_SERIES=series.linux \
+		quilt --quiltrc /dev/null pop -a || test $$? = 2
+	cd ${ZFS_SRC}; \
+    	QUILT_PATCHES=../debian/patches \
+    	QUILT_SERIES=series.zfs \
+    	quilt --quiltrc /dev/null pop -a || test $$? = 2
+	rm -rf ${KERNEL_SRC}/.pc ${ZFS_SRC}/.pc
+
+override_dh_autoreconf:
+	dh_autoreconf -D ${ZFS_SRC}
+
+override_dh_auto_configure: ${KERNEL_SRC}/.config
+
+override_dh_auto_build:
+	# Kernel
+	dh_auto_build -D ${KERNEL_SRC} -- \
+		CC="${PVE_KERNEL_CC}" \
+		ARCH="arm64" \
+		LD_LIBRARY_PATH="/usr/local/lib64/" \
+		HOSTCC="${PVE_KERNEL_CC}" \
+		CROSS_COMPILE="aarch64-linux-gnu-" \
+		KCFLAGS="${PVE_KERNEL_CFLAGS}" \
+		EXTRAVERSION="${EXTRAVERSION}" \
+		LOCALVERSION="${LOCALVERSION}" \
+		KBUILD_BUILD_VERSION_TIMESTAMP="${PKG_DISTRIBUTOR} ${DEB_VERSION} (${PKG_DATE_UTC_ISO})"
+	# ZFS
+	dh_auto_configure -D ${ZFS_SRC} -- HOSTCC="${PVE_KERNEL_CC}" CC="${PVE_ZFS_CC}" --with-config=kernel --with-linux=$(realpath ${KERNEL_SRC}) --with-linux-obj=$(realpath ${KERNEL_SRC})
+	dh_auto_build -D ${ZFS_SRC}
+
+override_dh_auto_install: debian/SOURCE .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
+	dh_installdocs -A debian/copyright debian/SOURCE
+	dh_installchangelogs
+	dh_installman
+	dh_strip_nondeterminism
+	dh_compress
+	dh_fixperms
+
+override_dh_auto_clean: debian/control
+	dh_clean
+	dh_auto_clean -D ${KERNEL_SRC}
+	dh_auto_clean -D ${ZFS_SRC}
+	rm -f ${PVE_KERNEL_TEMPLATES} ${PVE_HEADER_TEMPLATES}
+	rm -f debian/SOURCE debian/*.tmp .*_mark
+
+## Kernel
+PVE_KERNEL_TEMPLATES := $(patsubst debian/templates/pve-kernel.%.in, debian/${PVE_KERNEL_PKG}.%, $(wildcard debian/templates/pve-kernel.*.in))
+
+${KERNEL_SRC}/.config:
+	cp debian/config/config.pve ${KERNEL_SRC}/.config
+	${MAKE} -C ${KERNEL_SRC} CC=${PVE_KERNEL_CC} olddefconfig
+
+debian/${PVE_KERNEL_PKG}.%: debian/templates/pve-kernel.%.in
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/templates/pve-kernel.$*.in > debian/${PVE_KERNEL_PKG}.$*
+	chmod +x debian/${PVE_KERNEL_PKG}.$*
+
+.install_mark: ${PVE_KERNEL_TEMPLATES}
+	rm -rf debian/${PVE_KERNEL_PKG}
+	mkdir -p debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}
+	mkdir debian/${PVE_KERNEL_PKG}/boot
+	install -m 644 ${KERNEL_SRC}/.config debian/${PVE_KERNEL_PKG}/boot/config-${KVNAME}
+	install -m 644 ${KERNEL_SRC}/System.map debian/${PVE_KERNEL_PKG}/boot/System.map-${KVNAME}
+	install -m 644 ${KERNEL_SRC}/${KERNEL_IMAGE_PATH} debian/${PVE_KERNEL_PKG}/boot/${KERNEL_INSTALL_FILE}-${KVNAME}
+	${MAKE} -C ${KERNEL_SRC} INSTALL_MOD_PATH=${BUILD_DIR}/debian/${PVE_KERNEL_PKG}/ modules_install
+	${MAKE} -C ${KERNEL_SRC} INSTALL_PATH=${BUILD_DIR}/debian/${PVE_KERNEL_PKG}/boot dtbs_install
+	
+	# install zfs drivers
+	install -d -m 0755 debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/avl/zavl.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/nvpair/znvpair.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/unicode/zunicode.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/zcommon/zcommon.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/icp/icp.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/zfs/zfs.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/lua/zlua.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/spl/spl.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	install -m 644 ${ZFS_SRC}/module/zstd/zzstd.ko debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/zfs
+	# remove firmware
+	rm -rf debian/${PVE_KERNEL_PKG}/lib/firmware
+	# strip debug info
+	find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do aarch64-linux-gnu-strip --strip-debug "$$f"; done
+	# finalize
+	/sbin/depmod -b debian/${PVE_KERNEL_PKG}/ ${KVNAME}
+	# Autogenerate blacklist for watchdog devices (see README)
+	install -m 0755 -d debian/${PVE_KERNEL_PKG}/lib/modprobe.d
+#	ls debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/kernel/drivers/watchdog/ > debian/watchdog-blacklist.tmp
+#	echo ipmi_watchdog.ko >> debian/watchdog-blacklist.tmp
+#	cat debian/watchdog-blacklist.tmp | sed -e 's/^/blacklist /' -e 's/.ko$$//' | sort -u > debian/${PVE_KERNEL_PKG}/lib/modprobe.d/blacklist_${PVE_KERNEL_PKG}.conf
+	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/source
+	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/build
+	touch $@
+
+## Kernel tools
+.tools_compile_mark:
+	dh_auto_build -D ${KERNEL_SRC}/tools/perf -- prefix=/usr \
+		HAVE_NO_LIBBFD=1 \
+		ARCH=arm64 \
+		CC="${PVE_KERNEL_CC}" \ 
+		HOSTCC="${PVE_KERNEL_CC}" \
+		HAVE_CPLUS_DEMANGLE_SUPPORT=1 \
+		NO_LIBPYTHON=1 \
+		NO_LIBPERL=1 \
+		NO_LIBCRYPTO=1 \
+		PYTHON=python3
+#	echo "checking GPL-2 only perf binary for library linkage with incompatible licenses.."
+#	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibbfd'
+#	! ldd ${KERNEL_SRC}/tools/perf/perf | grep -q -E '\blibcrypto'
+	${MAKE} -C ${KERNEL_SRC}/tools/perf  ARCH=arm64 man
+	touch $@
+
+.tools_install_mark: .tools_compile_mark
+	rm -rf debian/${LINUX_TOOLS_PKG}
+	mkdir -p debian/${LINUX_TOOLS_PKG}/usr/bin
+	mkdir -p debian/${LINUX_TOOLS_PKG}/usr/share/man/man1
+	install -m 755 ${BUILD_DIR}/${KERNEL_SRC}/tools/perf/perf debian/${LINUX_TOOLS_PKG}/usr/bin/perf_$(KERNEL_MAJMIN)
+	for i in ${BUILD_DIR}/${KERNEL_SRC}/tools/perf/Documentation/*.1; do \
+	    fname="$${i##*/}"; manname="$${fname%.1}"; \
+	    install -m644 "$$i" "debian/${LINUX_TOOLS_PKG}/usr/share/man/man1/$${manname}_$(KERNEL_MAJMIN).1"; \
+	done
+	touch $@
+
+## Headers
+PVE_HEADER_TEMPLATES := $(patsubst debian/templates/pve-headers.%.in, debian/${PVE_HEADER_PKG}.%, $(wildcard debian/templates/pve-headers.*.in))
+
+debian/${PVE_HEADER_PKG}.%: debian/templates/pve-headers.%.in
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/templates/pve-headers.$*.in > debian/${PVE_HEADER_PKG}.$*
+	chmod +x debian/${PVE_HEADER_PKG}.$*
+
+.headers_install_mark: ${PVE_HEADER_TEMPLATES}
+	rm -rf debian/${PVE_HEADER_PKG}
+	mkdir -p debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	install -m 0644 ${KERNEL_SRC}/.config debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	( \
+		cd ${KERNEL_SRC}; \
+		find . -path './debian/*' -prune \
+               	-o -path './include/*' -prune \
+                -o -path './scripts' -prune \
+                -o -type f \
+					\( \
+						-name 'Makefile*' \
+						-o -name 'Kconfig*' \
+						-o -name 'Kbuild*' \
+						-o -name '*.sh' \
+						-o -name '*.pl' \
+					\) \
+					-print; \
+		find include scripts -type f -o -type l; \
+		find arch/${KERNEL_BUILD_ARCH} -maxdepth 1 -name Makefile\*; \
+		find arch/${KERNEL_BUILD_ARCH} -name module.lds -o -name Kbuild.platforms -o -name Platform; \
+		find $$(find arch/${KERNEL_BUILD_ARCH} -name include -o -name scripts -type d) -type f; \
+		find arch/${KERNEL_BUILD_ARCH}/include Module.symvers include scripts -type f; \
+		find tools/ -name 'objtool' -type f \
+	) | rsync -avq --files-from=- ${KERNEL_SRC} debian/${PVE_HEADER_PKG}/usr/src/linux-headers-${KVNAME}
+	mkdir -p debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}
+	ln -sf /usr/src/linux-headers-${KVNAME} debian/${PVE_HEADER_PKG}/lib/modules/${KVNAME}/build
+	touch $@
+
+## User-space headers
+.usr_headers_install_mark: PKG_DIR = debian/${PVE_USR_HEADER_PKG}
+.usr_headers_install_mark: OUT_DIR = ${PKG_DIR}/usr
+.usr_headers_install_mark:
+	rm -rf '${PKG_DIR}'
+	mkdir -p  '${PKG_DIR}'
+	$(MAKE) -C ${KERNEL_SRC} headers_install ARCH=$(KERNEL_HEADER_ARCH) INSTALL_HDR_PATH='$(CURDIR)'/$(OUT_DIR)
+	rm -rf $(OUT_DIR)/include/drm $(OUT_DIR)/include/scsi
+	find $(OUT_DIR)/include \( -name .install -o -name ..install.cmd \) -execdir rm {} +
+	# Move include/asm to arch-specific directory
+	mkdir -p $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)
+	mv $(OUT_DIR)/include/asm $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
+	test ! -d $(OUT_DIR)/include/arch || \
+		mv $(OUT_DIR)/include/arch $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
+	touch $@

debian/rules.d/common.mk

@@ -3,7 +3,7 @@ KERNEL_MAJMIN=$(shell ./scripts/version.sh -n)
 KERNEL_VER=$(shell ./scripts/version.sh -L)
 
 ## Debian package information
-PKG_DISTRIBUTOR ?= PVE Edge
+PKG_DISTRIBUTOR ?= PVE Port
 PKG_RELEASE = $(shell ./scripts/version.sh -r)
 PKG_DATE := $(shell dpkg-parsechangelog -SDate)
 PKG_DATE_UTC_ISO := $(shell date -u -d '$(PKG_DATE)' +%Y-%m-%d)

debian/templates/control.in

@@ -19,6 +19,12 @@ Build-Depends: asciidoc,
                libnuma-dev,
                libslang2-dev,
                libssl-dev,
+	       systemtap-sdt-dev,
+	       libunwind-dev,
+               libcap-dev,
+               libbabeltrace-dev,
+	       openjdk-17-jdk,
+               libtraceevent-dev,
                lz4,
                python3-minimal,
                python3-dev,

linux

@@ -1 +1 @@
-Subproject commit 6449a0ba6843fe70523eeb7855984054f36f6d24
+Subproject commit b31b11ad980d9d8204d19f55640bc910e5292a5d

scripts/clean.sh

@@ -0,0 +1,9 @@
+rm debian/pve-headers-* -rf
+rm debian/pve-kernel-* -rf
+rm .*_mark -rf
+rm debian/autoreconf* -rf
+rm debian/linux-tool* -rf
+rm debian/.debhelper/ -rf
+rm debian/SOURCE -rf
+rm debian/debhelper-build-stamp -rf
+rm debian/files -rf

scripts/cross_build.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+CROSS_COMPILE=aarch64-linux-gnu- \
+ARCH=arm64 \
+KERNEL_BUILD_ARCH=arm64 \
+DEB_BUILD_GNU_TYPE=aarch64-linux-gnu- \
+DEB_BUILD_ARCH=arm64 \
+DEB_BUILD_OPTIONS=nostrip \
+CONFIG_SITE=/etc/dpkg-cross/cross-config.arm64 \
+CC=/usr/bin/aarch64-linux-gnu-gcc \
+CROSS_COMPILE=aarch64-linux-gnu- \
+dpkg-buildpackage -b -us -uc  -aarm64 -Pcross,nocheck -d

zfs

@@ -1 +1 @@
-Subproject commit 92e0d9d183ce6752cd52f7277c8321d81df9ffee
+Subproject commit baa50314567afd986a00838f0fa65fdacbd12daf