From 4ee33426cdd80d74e1efacccc272166c1e004b51 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 21 Oct 2024 09:59:32 +0200 Subject: [PATCH] 5.15-stable patches added patches: bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch bluetooth-remove-debugfs-directory-on-module-init-failure.patch parport-proper-fix-for-array-out-of-bounds-access.patch usb-serial-option-add-support-for-quectel-eg916q-gl.patch usb-serial-option-add-telit-fn920c04-mbim-compositions.patch x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch x86-entry_32-do-not-clobber-user-eflags.zf.patch x86-resctrl-annotate-get_mem_config-functions-as-__init.patch xhci-fix-incorrect-stream-context-type-macro.patch xhci-mitigate-failed-set-dequeue-pointer-commands.patch --- ...-with-fake-csr-controllers-0a12-0001.patch | 67 ++++++++++ ...gfs-directory-on-module-init-failure.patch | 74 ++++++++++++ ...r-fix-for-array-out-of-bounds-access.patch | 105 ++++++++++++++++ queue-5.15/series | 11 ++ ...on-add-support-for-quectel-eg916q-gl.patch | 73 +++++++++++ ...add-telit-fn920c04-mbim-compositions.patch | 114 ++++++++++++++++++ ...explicitly-disarm-tsc-deadline-timer.patch | 73 +++++++++++ ...after-register-restore-in-nmi-return.patch | 53 ++++++++ ...try_32-do-not-clobber-user-eflags.zf.patch | 46 +++++++ ...e-get_mem_config-functions-as-__init.patch | 60 +++++++++ ...-incorrect-stream-context-type-macro.patch | 44 +++++++ ...-failed-set-dequeue-pointer-commands.patch | 39 ++++++ 12 files changed, 759 insertions(+) create mode 100644 queue-5.15/bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch create mode 100644 queue-5.15/bluetooth-remove-debugfs-directory-on-module-init-failure.patch create mode 100644 queue-5.15/parport-proper-fix-for-array-out-of-bounds-access.patch create mode 100644 queue-5.15/usb-serial-option-add-support-for-quectel-eg916q-gl.patch create mode 100644 queue-5.15/usb-serial-option-add-telit-fn920c04-mbim-compositions.patch create mode 100644 queue-5.15/x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch create mode 100644 queue-5.15/x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch create mode 100644 queue-5.15/x86-entry_32-do-not-clobber-user-eflags.zf.patch create mode 100644 queue-5.15/x86-resctrl-annotate-get_mem_config-functions-as-__init.patch create mode 100644 queue-5.15/xhci-fix-incorrect-stream-context-type-macro.patch create mode 100644 queue-5.15/xhci-mitigate-failed-set-dequeue-pointer-commands.patch diff --git a/queue-5.15/bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch b/queue-5.15/bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch new file mode 100644 index 00000000000..291c31da95e --- /dev/null +++ b/queue-5.15/bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch @@ -0,0 +1,67 @@ +From 2c1dda2acc4192d826e84008d963b528e24d12bc Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 16 Oct 2024 11:47:00 -0400 +Subject: Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luiz Augusto von Dentz + +commit 2c1dda2acc4192d826e84008d963b528e24d12bc upstream. + +Fake CSR controllers don't seem to handle short-transfer properly which +cause command to time out: + +kernel: usb 1-1: new full-speed USB device number 19 using xhci_hcd +kernel: usb 1-1: New USB device found, idVendor=0a12, idProduct=0001, bcdDevice=88.91 +kernel: usb 1-1: New USB device strings: Mfr=0, Product=2, SerialNumber=0 +kernel: usb 1-1: Product: BT DONGLE10 +... +Bluetooth: hci1: Opcode 0x1004 failed: -110 +kernel: Bluetooth: hci1: command 0x1004 tx timeout + +According to USB Spec 2.0 Section 5.7.3 Interrupt Transfer Packet Size +Constraints a interrupt transfer is considered complete when the size is 0 +(ZPL) or < wMaxPacketSize: + + 'When an interrupt transfer involves more data than can fit in one + data payload of the currently established maximum size, all data + payloads are required to be maximum-sized except for the last data + payload, which will contain the remaining data. An interrupt transfer + is complete when the endpoint does one of the following: + + • Has transferred exactly the amount of data expected + • Transfers a packet with a payload size less than wMaxPacketSize or + transfers a zero-length packet' + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219365 +Fixes: 7b05933340f4 ("Bluetooth: btusb: Fix not handling ZPL/short-transfer") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -1002,10 +1002,15 @@ static int btusb_submit_intr_urb(struct + if (!urb) + return -ENOMEM; + +- /* Use maximum HCI Event size so the USB stack handles +- * ZPL/short-transfer automatically. +- */ +- size = HCI_MAX_EVENT_SIZE; ++ if (le16_to_cpu(data->udev->descriptor.idVendor) == 0x0a12 && ++ le16_to_cpu(data->udev->descriptor.idProduct) == 0x0001) ++ /* Fake CSR devices don't seem to support sort-transter */ ++ size = le16_to_cpu(data->intr_ep->wMaxPacketSize); ++ else ++ /* Use maximum HCI Event size so the USB stack handles ++ * ZPL/short-transfer automatically. ++ */ ++ size = HCI_MAX_EVENT_SIZE; + + buf = kmalloc(size, mem_flags); + if (!buf) { diff --git a/queue-5.15/bluetooth-remove-debugfs-directory-on-module-init-failure.patch b/queue-5.15/bluetooth-remove-debugfs-directory-on-module-init-failure.patch new file mode 100644 index 00000000000..d0375423ad0 --- /dev/null +++ b/queue-5.15/bluetooth-remove-debugfs-directory-on-module-init-failure.patch @@ -0,0 +1,74 @@ +From 1db4564f101b47188c1b71696bd342ef09172b22 Mon Sep 17 00:00:00 2001 +From: Aaron Thompson +Date: Fri, 4 Oct 2024 23:04:10 +0000 +Subject: Bluetooth: Remove debugfs directory on module init failure + +From: Aaron Thompson + +commit 1db4564f101b47188c1b71696bd342ef09172b22 upstream. + +If bt_init() fails, the debugfs directory currently is not removed. If +the module is loaded again after that, the debugfs directory is not set +up properly due to the existing directory. + + # modprobe bluetooth + # ls -laF /sys/kernel/debug/bluetooth + total 0 + drwxr-xr-x 2 root root 0 Sep 27 14:26 ./ + drwx------ 31 root root 0 Sep 27 14:25 ../ + -r--r--r-- 1 root root 0 Sep 27 14:26 l2cap + -r--r--r-- 1 root root 0 Sep 27 14:26 sco + # modprobe -r bluetooth + # ls -laF /sys/kernel/debug/bluetooth + ls: cannot access '/sys/kernel/debug/bluetooth': No such file or directory + # + + # modprobe bluetooth + modprobe: ERROR: could not insert 'bluetooth': Invalid argument + # dmesg | tail -n 6 + Bluetooth: Core ver 2.22 + NET: Registered PF_BLUETOOTH protocol family + Bluetooth: HCI device and connection manager initialized + Bluetooth: HCI socket layer initialized + Bluetooth: Faking l2cap_init() failure for testing + NET: Unregistered PF_BLUETOOTH protocol family + # ls -laF /sys/kernel/debug/bluetooth + total 0 + drwxr-xr-x 2 root root 0 Sep 27 14:31 ./ + drwx------ 31 root root 0 Sep 27 14:26 ../ + # + + # modprobe bluetooth + # dmesg | tail -n 7 + Bluetooth: Core ver 2.22 + debugfs: Directory 'bluetooth' with parent '/' already present! + NET: Registered PF_BLUETOOTH protocol family + Bluetooth: HCI device and connection manager initialized + Bluetooth: HCI socket layer initialized + Bluetooth: L2CAP socket layer initialized + Bluetooth: SCO socket layer initialized + # ls -laF /sys/kernel/debug/bluetooth + total 0 + drwxr-xr-x 2 root root 0 Sep 27 14:31 ./ + drwx------ 31 root root 0 Sep 27 14:26 ../ + # + +Cc: stable@vger.kernel.org +Fixes: ffcecac6a738 ("Bluetooth: Create root debugfs directory during module init") +Signed-off-by: Aaron Thompson +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/af_bluetooth.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -779,6 +779,7 @@ cleanup_sysfs: + bt_sysfs_cleanup(); + cleanup_led: + bt_leds_cleanup(); ++ debugfs_remove_recursive(bt_debugfs); + return err; + } + diff --git a/queue-5.15/parport-proper-fix-for-array-out-of-bounds-access.patch b/queue-5.15/parport-proper-fix-for-array-out-of-bounds-access.patch new file mode 100644 index 00000000000..b701d5542a5 --- /dev/null +++ b/queue-5.15/parport-proper-fix-for-array-out-of-bounds-access.patch @@ -0,0 +1,105 @@ +From 02ac3a9ef3a18b58d8f3ea2b6e46de657bf6c4f9 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 20 Sep 2024 12:32:19 +0200 +Subject: parport: Proper fix for array out-of-bounds access + +From: Takashi Iwai + +commit 02ac3a9ef3a18b58d8f3ea2b6e46de657bf6c4f9 upstream. + +The recent fix for array out-of-bounds accesses replaced sprintf() +calls blindly with snprintf(). However, since snprintf() returns the +would-be-printed size, not the actually output size, the length +calculation can still go over the given limit. + +Use scnprintf() instead of snprintf(), which returns the actually +output letters, for addressing the potential out-of-bounds access +properly. + +Fixes: ab11dac93d2d ("dev/parport: fix the array out-of-bounds risk") +Cc: stable@vger.kernel.org +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20240920103318.19271-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parport/procfs.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/drivers/parport/procfs.c ++++ b/drivers/parport/procfs.c +@@ -51,12 +51,12 @@ static int do_active_device(struct ctl_t + + for (dev = port->devices; dev ; dev = dev->next) { + if(dev == port->cad) { +- len += snprintf(buffer, sizeof(buffer), "%s\n", dev->name); ++ len += scnprintf(buffer, sizeof(buffer), "%s\n", dev->name); + } + } + + if(!len) { +- len += snprintf(buffer, sizeof(buffer), "%s\n", "none"); ++ len += scnprintf(buffer, sizeof(buffer), "%s\n", "none"); + } + + if (len > *lenp) +@@ -87,19 +87,19 @@ static int do_autoprobe(struct ctl_table + } + + if ((str = info->class_name) != NULL) +- len += snprintf (buffer + len, sizeof(buffer) - len, "CLASS:%s;\n", str); ++ len += scnprintf (buffer + len, sizeof(buffer) - len, "CLASS:%s;\n", str); + + if ((str = info->model) != NULL) +- len += snprintf (buffer + len, sizeof(buffer) - len, "MODEL:%s;\n", str); ++ len += scnprintf (buffer + len, sizeof(buffer) - len, "MODEL:%s;\n", str); + + if ((str = info->mfr) != NULL) +- len += snprintf (buffer + len, sizeof(buffer) - len, "MANUFACTURER:%s;\n", str); ++ len += scnprintf (buffer + len, sizeof(buffer) - len, "MANUFACTURER:%s;\n", str); + + if ((str = info->description) != NULL) +- len += snprintf (buffer + len, sizeof(buffer) - len, "DESCRIPTION:%s;\n", str); ++ len += scnprintf (buffer + len, sizeof(buffer) - len, "DESCRIPTION:%s;\n", str); + + if ((str = info->cmdset) != NULL) +- len += snprintf (buffer + len, sizeof(buffer) - len, "COMMAND SET:%s;\n", str); ++ len += scnprintf (buffer + len, sizeof(buffer) - len, "COMMAND SET:%s;\n", str); + + if (len > *lenp) + len = *lenp; +@@ -128,7 +128,7 @@ static int do_hardware_base_addr(struct + if (write) /* permissions prevent this anyway */ + return -EACCES; + +- len += snprintf (buffer, sizeof(buffer), "%lu\t%lu\n", port->base, port->base_hi); ++ len += scnprintf (buffer, sizeof(buffer), "%lu\t%lu\n", port->base, port->base_hi); + + if (len > *lenp) + len = *lenp; +@@ -155,7 +155,7 @@ static int do_hardware_irq(struct ctl_ta + if (write) /* permissions prevent this anyway */ + return -EACCES; + +- len += snprintf (buffer, sizeof(buffer), "%d\n", port->irq); ++ len += scnprintf (buffer, sizeof(buffer), "%d\n", port->irq); + + if (len > *lenp) + len = *lenp; +@@ -182,7 +182,7 @@ static int do_hardware_dma(struct ctl_ta + if (write) /* permissions prevent this anyway */ + return -EACCES; + +- len += snprintf (buffer, sizeof(buffer), "%d\n", port->dma); ++ len += scnprintf (buffer, sizeof(buffer), "%d\n", port->dma); + + if (len > *lenp) + len = *lenp; +@@ -213,7 +213,7 @@ static int do_hardware_modes(struct ctl_ + #define printmode(x) \ + do { \ + if (port->modes & PARPORT_MODE_##x) \ +- len += snprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x); \ ++ len += scnprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x); \ + } while (0) + int f = 0; + printmode(PCSPP); diff --git a/queue-5.15/series b/queue-5.15/series index 2a231123bb4..6ad7f8af042 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -58,3 +58,14 @@ iio-light-veml6030-fix-iio-device-retrieval-from-embedded-device.patch iio-light-opt3001-add-missing-full-scale-range-value.patch iio-proximity-mb1232-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch iio-adc-ti-ads124s08-add-missing-select-iio_-triggered_-buffer-in-kconfig.patch +bluetooth-remove-debugfs-directory-on-module-init-failure.patch +bluetooth-btusb-fix-regression-with-fake-csr-controllers-0a12-0001.patch +xhci-fix-incorrect-stream-context-type-macro.patch +xhci-mitigate-failed-set-dequeue-pointer-commands.patch +usb-serial-option-add-support-for-quectel-eg916q-gl.patch +usb-serial-option-add-telit-fn920c04-mbim-compositions.patch +parport-proper-fix-for-array-out-of-bounds-access.patch +x86-resctrl-annotate-get_mem_config-functions-as-__init.patch +x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch +x86-entry_32-do-not-clobber-user-eflags.zf.patch +x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch diff --git a/queue-5.15/usb-serial-option-add-support-for-quectel-eg916q-gl.patch b/queue-5.15/usb-serial-option-add-support-for-quectel-eg916q-gl.patch new file mode 100644 index 00000000000..9a46d01ce35 --- /dev/null +++ b/queue-5.15/usb-serial-option-add-support-for-quectel-eg916q-gl.patch @@ -0,0 +1,73 @@ +From 540eff5d7faf0c9330ec762da49df453263f7676 Mon Sep 17 00:00:00 2001 +From: "Benjamin B. Frost" +Date: Wed, 11 Sep 2024 10:54:05 +0200 +Subject: USB: serial: option: add support for Quectel EG916Q-GL + +From: Benjamin B. Frost + +commit 540eff5d7faf0c9330ec762da49df453263f7676 upstream. + +Add Quectel EM916Q-GL with product ID 0x6007 + +T: Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=6007 Rev= 2.00 +S: Manufacturer=Quectel +S: Product=EG916Q-GL +C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=200mA +A: FirstIf#= 4 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00 +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=84(I) Atr=03(Int.) MxPS= 16 Ivl=32ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=86(I) Atr=03(Int.) MxPS= 16 Ivl=32ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether +E: Ad=88(I) Atr=03(Int.) MxPS= 32 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +I:* If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +MI_00 Quectel USB Diag Port +MI_01 Quectel USB NMEA Port +MI_02 Quectel USB AT Port +MI_03 Quectel USB Modem Port +MI_04 Quectel USB Net Port + +Signed-off-by: Benjamin B. Frost +Reviewed-by: Lars Melin +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -279,6 +279,7 @@ static void option_instat_callback(struc + #define QUECTEL_PRODUCT_EG912Y 0x6001 + #define QUECTEL_PRODUCT_EC200S_CN 0x6002 + #define QUECTEL_PRODUCT_EC200A 0x6005 ++#define QUECTEL_PRODUCT_EG916Q 0x6007 + #define QUECTEL_PRODUCT_EM061K_LWW 0x6008 + #define QUECTEL_PRODUCT_EM061K_LCN 0x6009 + #define QUECTEL_PRODUCT_EC200T 0x6026 +@@ -1270,6 +1271,7 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG912Y, 0xff, 0, 0) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG916Q, 0xff, 0x00, 0x00) }, + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500K, 0xff, 0x00, 0x00) }, + + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, diff --git a/queue-5.15/usb-serial-option-add-telit-fn920c04-mbim-compositions.patch b/queue-5.15/usb-serial-option-add-telit-fn920c04-mbim-compositions.patch new file mode 100644 index 00000000000..9662725f5bd --- /dev/null +++ b/queue-5.15/usb-serial-option-add-telit-fn920c04-mbim-compositions.patch @@ -0,0 +1,114 @@ +From 6d951576ee16430822a8dee1e5c54d160e1de87d Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Thu, 3 Oct 2024 11:38:08 +0200 +Subject: USB: serial: option: add Telit FN920C04 MBIM compositions + +From: Daniele Palmas + +commit 6d951576ee16430822a8dee1e5c54d160e1de87d upstream. + +Add the following Telit FN920C04 compositions: + +0x10a2: MBIM + tty (AT/NMEA) + tty (AT) + tty (diag) +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10a2 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10a7: MBIM + tty (AT) + tty (AT) + tty (diag) +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 18 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10a7 Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +0x10aa: MBIM + tty (AT) + tty (diag) + DPL (data packet logging) + adb +T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 15 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=10aa Rev=05.15 +S: Manufacturer=Telit Cinterion +S: Product=FN920 +S: SerialNumber=92c4c4d8 +C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Daniele Palmas +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1382,10 +1382,16 @@ static const struct usb_device_id option + .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a0, 0xff), /* Telit FN20C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a2, 0xff), /* Telit FN920C04 (MBIM) */ ++ .driver_info = NCTRL(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a4, 0xff), /* Telit FN20C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a7, 0xff), /* Telit FN920C04 (MBIM) */ ++ .driver_info = NCTRL(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a9, 0xff), /* Telit FN20C04 (rmnet) */ + .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10aa, 0xff), /* Telit FN920C04 (MBIM) */ ++ .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), diff --git a/queue-5.15/x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch b/queue-5.15/x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch new file mode 100644 index 00000000000..f825f4f0077 --- /dev/null +++ b/queue-5.15/x86-apic-always-explicitly-disarm-tsc-deadline-timer.patch @@ -0,0 +1,73 @@ +From ffd95846c6ec6cf1f93da411ea10d504036cab42 Mon Sep 17 00:00:00 2001 +From: Zhang Rui +Date: Tue, 15 Oct 2024 14:15:22 +0800 +Subject: x86/apic: Always explicitly disarm TSC-deadline timer + +From: Zhang Rui + +commit ffd95846c6ec6cf1f93da411ea10d504036cab42 upstream. + +New processors have become pickier about the local APIC timer state +before entering low power modes. These low power modes are used (for +example) when you close your laptop lid and suspend. If you put your +laptop in a bag and it is not in this low power mode, it is likely +to get quite toasty while it quickly sucks the battery dry. + +The problem boils down to some CPUs' inability to power down until the +CPU recognizes that the local APIC timer is shut down. The current +kernel code works in one-shot and periodic modes but does not work for +deadline mode. Deadline mode has been the supported and preferred mode +on Intel CPUs for over a decade and uses an MSR to drive the timer +instead of an APIC register. + +Disable the TSC Deadline timer in lapic_timer_shutdown() by writing to +MSR_IA32_TSC_DEADLINE when in TSC-deadline mode. Also avoid writing +to the initial-count register (APIC_TMICT) which is ignored in +TSC-deadline mode. + +Note: The APIC_LVTT|=APIC_LVT_MASKED operation should theoretically be +enough to tell the hardware that the timer will not fire in any of the +timer modes. But mitigating AMD erratum 411[1] also requires clearing +out APIC_TMICT. Solely setting APIC_LVT_MASKED is also ineffective in +practice on Intel Lunar Lake systems, which is the motivation for this +change. + +1. 411 Processor May Exit Message-Triggered C1E State Without an Interrupt if Local APIC Timer Reaches Zero - https://www.amd.com/content/dam/amd/en/documents/archived-tech-docs/revision-guides/41322_10h_Rev_Gd.pdf + +Fixes: 279f1461432c ("x86: apic: Use tsc deadline for oneshot when available") +Suggested-by: Dave Hansen +Signed-off-by: Zhang Rui +Signed-off-by: Dave Hansen +Reviewed-by: Rafael J. Wysocki +Tested-by: Srinivas Pandruvada +Tested-by: Todd Brandt +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20241015061522.25288-1-rui.zhang%40intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/apic/apic.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -493,7 +493,19 @@ static int lapic_timer_shutdown(struct c + v = apic_read(APIC_LVTT); + v |= (APIC_LVT_MASKED | LOCAL_TIMER_VECTOR); + apic_write(APIC_LVTT, v); +- apic_write(APIC_TMICT, 0); ++ ++ /* ++ * Setting APIC_LVT_MASKED (above) should be enough to tell ++ * the hardware that this timer will never fire. But AMD ++ * erratum 411 and some Intel CPU behavior circa 2024 say ++ * otherwise. Time for belt and suspenders programming: mask ++ * the timer _and_ zero the counter registers: ++ */ ++ if (v & APIC_LVT_TIMER_TSCDEADLINE) ++ wrmsrl(MSR_IA32_TSC_DEADLINE, 0); ++ else ++ apic_write(APIC_TMICT, 0); ++ + return 0; + } + diff --git a/queue-5.15/x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch b/queue-5.15/x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch new file mode 100644 index 00000000000..3117a794ff3 --- /dev/null +++ b/queue-5.15/x86-entry_32-clear-cpu-buffers-after-register-restore-in-nmi-return.patch @@ -0,0 +1,53 @@ +From 48a2440d0f20c826b884e04377ccc1e4696c84e9 Mon Sep 17 00:00:00 2001 +From: Pawan Gupta +Date: Wed, 25 Sep 2024 15:25:44 -0700 +Subject: x86/entry_32: Clear CPU buffers after register restore in NMI return + +From: Pawan Gupta + +commit 48a2440d0f20c826b884e04377ccc1e4696c84e9 upstream. + +CPU buffers are currently cleared after call to exc_nmi, but before +register state is restored. This may be okay for MDS mitigation but not for +RDFS. Because RDFS mitigation requires CPU buffers to be cleared when +registers don't have any sensitive data. + +Move CLEAR_CPU_BUFFERS after RESTORE_ALL_NMI. + +Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") +Suggested-by: Dave Hansen +Signed-off-by: Pawan Gupta +Signed-off-by: Dave Hansen +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20240925-fix-dosemu-vm86-v7-2-1de0daca2d42%40linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/entry/entry_32.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/entry/entry_32.S ++++ b/arch/x86/entry/entry_32.S +@@ -1176,7 +1176,6 @@ SYM_CODE_START(asm_exc_nmi) + + /* Not on SYSENTER stack. */ + call exc_nmi +- CLEAR_CPU_BUFFERS + jmp .Lnmi_return + + .Lnmi_from_sysenter_stack: +@@ -1197,6 +1196,7 @@ SYM_CODE_START(asm_exc_nmi) + + CHECK_AND_APPLY_ESPFIX + RESTORE_ALL_NMI cr3_reg=%edi pop=4 ++ CLEAR_CPU_BUFFERS + jmp .Lirq_return + + #ifdef CONFIG_X86_ESPFIX32 +@@ -1238,6 +1238,7 @@ SYM_CODE_START(asm_exc_nmi) + * 1 - orig_ax + */ + lss (1+5+6)*4(%esp), %esp # back to espfix stack ++ CLEAR_CPU_BUFFERS + jmp .Lirq_return + #endif + SYM_CODE_END(asm_exc_nmi) diff --git a/queue-5.15/x86-entry_32-do-not-clobber-user-eflags.zf.patch b/queue-5.15/x86-entry_32-do-not-clobber-user-eflags.zf.patch new file mode 100644 index 00000000000..2679cba2f0a --- /dev/null +++ b/queue-5.15/x86-entry_32-do-not-clobber-user-eflags.zf.patch @@ -0,0 +1,46 @@ +From 2e2e5143d4868163d6756c8c6a4d28cbfa5245e5 Mon Sep 17 00:00:00 2001 +From: Pawan Gupta +Date: Wed, 25 Sep 2024 15:25:38 -0700 +Subject: x86/entry_32: Do not clobber user EFLAGS.ZF + +From: Pawan Gupta + +commit 2e2e5143d4868163d6756c8c6a4d28cbfa5245e5 upstream. + +Opportunistic SYSEXIT executes VERW to clear CPU buffers after user EFLAGS +are restored. This can clobber user EFLAGS.ZF. + +Move CLEAR_CPU_BUFFERS before the user EFLAGS are restored. This ensures +that the user EFLAGS.ZF is not clobbered. + +Closes: https://lore.kernel.org/lkml/yVXwe8gvgmPADpRB6lXlicS2fcHoV5OHHxyuFbB_MEleRPD7-KhGe5VtORejtPe-KCkT8Uhcg5d7-IBw4Ojb4H7z5LQxoZylSmJ8KNL3A8o=@protonmail.com/ +Fixes: a0e2dab44d22 ("x86/entry_32: Add VERW just before userspace transition") +Reported-by: Jari Ruusu +Signed-off-by: Pawan Gupta +Signed-off-by: Dave Hansen +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20240925-fix-dosemu-vm86-v7-1-1de0daca2d42%40linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/entry/entry_32.S | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/entry/entry_32.S ++++ b/arch/x86/entry/entry_32.S +@@ -902,6 +902,8 @@ SYM_FUNC_START(entry_SYSENTER_32) + + /* Now ready to switch the cr3 */ + SWITCH_TO_USER_CR3 scratch_reg=%eax ++ /* Clobbers ZF */ ++ CLEAR_CPU_BUFFERS + + /* + * Restore all flags except IF. (We restore IF separately because +@@ -912,7 +914,6 @@ SYM_FUNC_START(entry_SYSENTER_32) + BUG_IF_WRONG_CR3 no_user_check=1 + popfl + popl %eax +- CLEAR_CPU_BUFFERS + + /* + * Return back to the vDSO, which will pop ecx and edx. diff --git a/queue-5.15/x86-resctrl-annotate-get_mem_config-functions-as-__init.patch b/queue-5.15/x86-resctrl-annotate-get_mem_config-functions-as-__init.patch new file mode 100644 index 00000000000..004f19d4aa1 --- /dev/null +++ b/queue-5.15/x86-resctrl-annotate-get_mem_config-functions-as-__init.patch @@ -0,0 +1,60 @@ +From d5fd042bf4cfb557981d65628e1779a492cd8cfa Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 17 Sep 2024 09:02:53 -0700 +Subject: x86/resctrl: Annotate get_mem_config() functions as __init + +From: Nathan Chancellor + +commit d5fd042bf4cfb557981d65628e1779a492cd8cfa upstream. + +After a recent LLVM change [1] that deduces __cold on functions that only call +cold code (such as __init functions), there is a section mismatch warning from +__get_mem_config_intel(), which got moved to .text.unlikely. as a result of +that optimization: + + WARNING: modpost: vmlinux: section mismatch in reference: \ + __get_mem_config_intel+0x77 (section: .text.unlikely.) -> thread_throttle_mode_init (section: .init.text) + +Mark __get_mem_config_intel() as __init as well since it is only called +from __init code, which clears up the warning. + +While __rdt_get_mem_config_amd() does not exhibit a warning because it +does not call any __init code, it is a similar function that is only +called from __init code like __get_mem_config_intel(), so mark it __init +as well to keep the code symmetrical. + +CONFIG_SECTION_MISMATCH_WARN_ONLY=n would turn this into a fatal error. + +Fixes: 05b93417ce5b ("x86/intel_rdt/mba: Add primary support for Memory Bandwidth Allocation (MBA)") +Fixes: 4d05bf71f157 ("x86/resctrl: Introduce AMD QOS feature") +Signed-off-by: Nathan Chancellor +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Reinette Chatre +Cc: +Link: https://github.com/llvm/llvm-project/commit/6b11573b8c5e3d36beee099dbe7347c2a007bf53 [1] +Link: https://lore.kernel.org/r/20240917-x86-restctrl-get_mem_config_intel-init-v3-1-10d521256284@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/resctrl/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/resctrl/core.c ++++ b/arch/x86/kernel/cpu/resctrl/core.c +@@ -175,7 +175,7 @@ static inline bool rdt_get_mb_table(stru + return false; + } + +-static bool __get_mem_config_intel(struct rdt_resource *r) ++static __init bool __get_mem_config_intel(struct rdt_resource *r) + { + struct rdt_hw_resource *hw_res = resctrl_to_arch_res(r); + union cpuid_0x10_3_eax eax; +@@ -210,7 +210,7 @@ static bool __get_mem_config_intel(struc + return true; + } + +-static bool __rdt_get_mem_config_amd(struct rdt_resource *r) ++static __init bool __rdt_get_mem_config_amd(struct rdt_resource *r) + { + struct rdt_hw_resource *hw_res = resctrl_to_arch_res(r); + union cpuid_0x10_3_eax eax; diff --git a/queue-5.15/xhci-fix-incorrect-stream-context-type-macro.patch b/queue-5.15/xhci-fix-incorrect-stream-context-type-macro.patch new file mode 100644 index 00000000000..1287ad6ae8e --- /dev/null +++ b/queue-5.15/xhci-fix-incorrect-stream-context-type-macro.patch @@ -0,0 +1,44 @@ +From 6599b6a6fa8060145046d0744456b6abdb3122a7 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 16 Oct 2024 16:59:57 +0300 +Subject: xhci: Fix incorrect stream context type macro + +From: Mathias Nyman + +commit 6599b6a6fa8060145046d0744456b6abdb3122a7 upstream. + +The stream contex type (SCT) bitfield is used both in the stream context +data structure, and in the 'Set TR Dequeue pointer' command TRB. +In both cases it uses bits 3:1 + +The SCT_FOR_TRB(p) macro used to set the stream context type (SCT) field +for the 'Set TR Dequeue pointer' command TRB incorrectly shifts the value +1 bit left before masking the three bits. + +Fix this by first masking and rshifting, just like the similar +SCT_FOR_CTX(p) macro does + +This issue has not been visibile as the lost bit 3 is only used with +secondary stream arrays (SSA). Xhci driver currently only supports using +a primary stream array with Linear stream addressing. + +Fixes: 95241dbdf828 ("xhci: Set SCT field for Set TR dequeue on streams") +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241016140000.783905-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1286,7 +1286,7 @@ enum xhci_setup_dev { + /* Set TR Dequeue Pointer command TRB fields, 6.4.3.9 */ + #define TRB_TO_STREAM_ID(p) ((((p) & (0xffff << 16)) >> 16)) + #define STREAM_ID_FOR_TRB(p) ((((p)) & 0xffff) << 16) +-#define SCT_FOR_TRB(p) (((p) << 1) & 0x7) ++#define SCT_FOR_TRB(p) (((p) & 0x7) << 1) + + /* Link TRB specific fields */ + #define TRB_TC (1<<1) diff --git a/queue-5.15/xhci-mitigate-failed-set-dequeue-pointer-commands.patch b/queue-5.15/xhci-mitigate-failed-set-dequeue-pointer-commands.patch new file mode 100644 index 00000000000..553faaf64a1 --- /dev/null +++ b/queue-5.15/xhci-mitigate-failed-set-dequeue-pointer-commands.patch @@ -0,0 +1,39 @@ +From fe49df60cdb7c2975aa743dc295f8786e4b7db10 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 16 Oct 2024 16:59:58 +0300 +Subject: xhci: Mitigate failed set dequeue pointer commands + +From: Mathias Nyman + +commit fe49df60cdb7c2975aa743dc295f8786e4b7db10 upstream. + +Avoid xHC host from processing a cancelled URB by always turning +cancelled URB TDs into no-op TRBs before queuing a 'Set TR Deq' command. + +If the command fails then xHC will start processing the cancelled TD +instead of skipping it once endpoint is restarted, causing issues like +Babble error. + +This is not a complete solution as a failed 'Set TR Deq' command does not +guarantee xHC TRB caches are cleared. + +Fixes: 4db356924a50 ("xhci: turn cancelled td cleanup to its own function") +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20241016140000.783905-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1013,7 +1013,7 @@ static int xhci_invalidate_cancelled_tds + td_to_noop(xhci, ring, cached_td, false); + cached_td->cancel_status = TD_CLEARED; + } +- ++ td_to_noop(xhci, ring, td, false); + td->cancel_status = TD_CLEARING_CACHE; + cached_td = td; + break; -- 2.47.3