--- /dev/null
+From bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 22 Sep 2017 16:18:53 +0200
+Subject: ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 upstream.
+
+When a USB-audio device receives a maliciously adjusted or corrupted
+buffer descriptor, the USB-audio driver may access an out-of-bounce
+value at its parser. This was detected by syzkaller, something like:
+
+ BUG: KASAN: slab-out-of-bounds in usb_audio_probe+0x27b2/0x2ab0
+ Read of size 1 at addr ffff88006b83a9e8 by task kworker/0:1/24
+ CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Workqueue: usb_hub_wq hub_event
+ Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x292/0x395 lib/dump_stack.c:52
+ print_address_description+0x78/0x280 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351
+ kasan_report+0x22f/0x340 mm/kasan/report.c:409
+ __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
+ snd_usb_create_streams sound/usb/card.c:248
+ usb_audio_probe+0x27b2/0x2ab0 sound/usb/card.c:605
+ usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
+ really_probe drivers/base/dd.c:413
+ driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
+ __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
+ bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
+ __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
+ device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
+ bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
+ device_add+0xd0b/0x1660 drivers/base/core.c:1835
+ usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
+ generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
+ usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
+ really_probe drivers/base/dd.c:413
+ driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
+ __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
+ bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
+ __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
+ device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
+ bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
+ device_add+0xd0b/0x1660 drivers/base/core.c:1835
+ usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
+ hub_port_connect drivers/usb/core/hub.c:4903
+ hub_port_connect_change drivers/usb/core/hub.c:5009
+ port_event drivers/usb/core/hub.c:5115
+ hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
+ process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
+ worker_thread+0x221/0x1850 kernel/workqueue.c:2253
+ kthread+0x3a1/0x470 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
+
+This patch adds the checks of out-of-bounce accesses at appropriate
+places and bails out when it goes out of the given buffer.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/card.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -220,6 +220,7 @@ static int snd_usb_create_streams(struct
+ struct usb_interface_descriptor *altsd;
+ void *control_header;
+ int i, protocol;
++ int rest_bytes;
+
+ /* find audiocontrol interface */
+ host_iface = &usb_ifnum_to_if(dev, ctrlif)->altsetting[0];
+@@ -234,6 +235,15 @@ static int snd_usb_create_streams(struct
+ return -EINVAL;
+ }
+
++ rest_bytes = (void *)(host_iface->extra + host_iface->extralen) -
++ control_header;
++
++ /* just to be sure -- this shouldn't hit at all */
++ if (rest_bytes <= 0) {
++ dev_err(&dev->dev, "invalid control header\n");
++ return -EINVAL;
++ }
++
+ switch (protocol) {
+ default:
+ dev_warn(&dev->dev,
+@@ -244,11 +254,21 @@ static int snd_usb_create_streams(struct
+ case UAC_VERSION_1: {
+ struct uac1_ac_header_descriptor *h1 = control_header;
+
++ if (rest_bytes < sizeof(*h1)) {
++ dev_err(&dev->dev, "too short v1 buffer descriptor\n");
++ return -EINVAL;
++ }
++
+ if (!h1->bInCollection) {
+ dev_info(&dev->dev, "skipping empty audio interface (v1)\n");
+ return -EINVAL;
+ }
+
++ if (rest_bytes < h1->bLength) {
++ dev_err(&dev->dev, "invalid buffer length (v1)\n");
++ return -EINVAL;
++ }
++
+ if (h1->bLength < sizeof(*h1) + h1->bInCollection) {
+ dev_err(&dev->dev, "invalid UAC_HEADER (v1)\n");
+ return -EINVAL;
usb-gadget-inode.c-fix-unbalanced-spin_lock-in-ep0_write.patch
usb-gadgetfs-fix-crash-caused-by-inadequate-synchronization.patch
+usb-gadgetfs-fix-copy_to_user-while-holding-spinlock.patch
+usb-storage-unusual_devs-entry-to-fix-write-access-regression-for-seagate-external-drives.patch
+usb-renesas_usbhs-fix-the-bclr-setting-condition-for-non-dcp-pipe.patch
+usb-renesas_usbhs-fix-usbhsf_fifo_clear-for-rx-direction.patch
+alsa-usb-audio-check-out-of-bounds-access-by-corrupted-buffer-descriptor.patch
+usb-pci-quirks.c-corrected-timeout-values-used-in-handshake.patch
+usb-dummy-hcd-fix-connection-failures-wrong-speed.patch
+usb-dummy-hcd-fix-infinite-loop-resubmission-bug.patch
+usb-devio-don-t-corrupt-user-memory.patch
--- /dev/null
+From fa1ed74eb1c233be6131ec92df21ab46499a15b6 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 22 Sep 2017 23:43:46 +0300
+Subject: USB: devio: Don't corrupt user memory
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit fa1ed74eb1c233be6131ec92df21ab46499a15b6 upstream.
+
+The user buffer has "uurb->buffer_length" bytes. If the kernel has more
+information than that, we should truncate it instead of writing past
+the end of the user's buffer. I added a WARN_ONCE() to help the user
+debug the issue.
+
+Reported-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1413,7 +1413,11 @@ static int proc_do_submiturb(struct usb_
+ totlen += isopkt[u].length;
+ }
+ u *= sizeof(struct usb_iso_packet_descriptor);
+- uurb->buffer_length = totlen;
++ if (totlen <= uurb->buffer_length)
++ uurb->buffer_length = totlen;
++ else
++ WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
++ totlen, uurb->buffer_length);
+ break;
+
+ default:
--- /dev/null
+From fe659bcc9b173bcfdd958ce2aec75e47651e74e1 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 26 Sep 2017 15:15:22 -0400
+Subject: USB: dummy-hcd: fix connection failures (wrong speed)
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit fe659bcc9b173bcfdd958ce2aec75e47651e74e1 upstream.
+
+The dummy-hcd UDC driver is not careful about the way it handles
+connection speeds. It ignores the module parameter that is supposed
+to govern the maximum connection speed and it doesn't set the HCD
+flags properly for the case where it ends up running at full speed.
+
+The result is that in many cases, gadget enumeration over dummy-hcd
+fails because the bMaxPacketSize byte in the device descriptor is set
+incorrectly. For example, the default settings call for a high-speed
+connection, but the maxpacket value for ep0 ends up being set for a
+Super-Speed connection.
+
+This patch fixes the problem by initializing the gadget's max_speed
+and the HCD flags correctly.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -976,7 +976,12 @@ static int dummy_udc_probe(struct platfo
+ memzero_explicit(&dum->gadget, sizeof(struct usb_gadget));
+ dum->gadget.name = gadget_name;
+ dum->gadget.ops = &dummy_ops;
+- dum->gadget.max_speed = USB_SPEED_SUPER;
++ if (mod_data.is_super_speed)
++ dum->gadget.max_speed = USB_SPEED_SUPER;
++ else if (mod_data.is_high_speed)
++ dum->gadget.max_speed = USB_SPEED_HIGH;
++ else
++ dum->gadget.max_speed = USB_SPEED_FULL;
+
+ dum->gadget.dev.parent = &pdev->dev;
+ init_dummy_udc_hw(dum);
+@@ -2492,8 +2497,6 @@ static struct hc_driver dummy_hcd = {
+ .product_desc = "Dummy host controller",
+ .hcd_priv_size = sizeof(struct dummy_hcd),
+
+- .flags = HCD_USB3 | HCD_SHARED,
+-
+ .reset = dummy_setup,
+ .start = dummy_start,
+ .stop = dummy_stop,
+@@ -2522,8 +2525,12 @@ static int dummy_hcd_probe(struct platfo
+ dev_info(&pdev->dev, "%s, driver " DRIVER_VERSION "\n", driver_desc);
+ dum = *((void **)dev_get_platdata(&pdev->dev));
+
+- if (!mod_data.is_super_speed)
++ if (mod_data.is_super_speed)
++ dummy_hcd.flags = HCD_USB3 | HCD_SHARED;
++ else if (mod_data.is_high_speed)
+ dummy_hcd.flags = HCD_USB2;
++ else
++ dummy_hcd.flags = HCD_USB11;
+ hs_hcd = usb_create_hcd(&dummy_hcd, &pdev->dev, dev_name(&pdev->dev));
+ if (!hs_hcd)
+ return -ENOMEM;
--- /dev/null
+From 0173a68bfb0ad1c72a6ee39cc485aa2c97540b98 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 26 Sep 2017 15:15:40 -0400
+Subject: USB: dummy-hcd: fix infinite-loop resubmission bug
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 0173a68bfb0ad1c72a6ee39cc485aa2c97540b98 upstream.
+
+The dummy-hcd HCD/UDC emulator tries not to do too much work during
+each timer interrupt. But it doesn't try very hard; currently all
+it does is limit the total amount of bulk data transferred. Other
+transfer types aren't limited, and URBs that transfer no data (because
+of an error, perhaps) don't count toward the limit, even though on a
+real USB bus they would consume at least a minimum overhead.
+
+This means it's possible to get the driver stuck in an infinite loop,
+for example, if the host class driver resubmits an URB every time it
+completes (which is common for interrupt URBs). Each time the URB is
+resubmitted it gets added to the end of the pending-URBs list, and
+dummy-hcd doesn't stop until that list is empty. Andrey Konovalov was
+able to trigger this failure mode using the syzkaller fuzzer.
+
+This patch fixes the infinite-loop problem by restricting the URBs
+handled during each timer interrupt to those that were already on the
+pending list when the interrupt routine started. Newly added URBs
+won't be processed until the next timer interrupt. The problem of
+properly accounting for non-bulk bandwidth (as well as packet and
+transaction overhead) is not addressed here.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -173,6 +173,8 @@ struct dummy_hcd {
+
+ struct usb_device *udev;
+ struct list_head urbp_list;
++ struct urbp *next_frame_urbp;
++
+ u32 stream_en_ep;
+ u8 num_stream[30 / 2];
+
+@@ -1191,6 +1193,8 @@ static int dummy_urb_enqueue(
+
+ list_add_tail(&urbp->urbp_list, &dum_hcd->urbp_list);
+ urb->hcpriv = urbp;
++ if (!dum_hcd->next_frame_urbp)
++ dum_hcd->next_frame_urbp = urbp;
+ if (usb_pipetype(urb->pipe) == PIPE_CONTROL)
+ urb->error_count = 1; /* mark as a new urb */
+
+@@ -1694,6 +1698,7 @@ static void dummy_timer(unsigned long _d
+ spin_unlock_irqrestore(&dum->lock, flags);
+ return;
+ }
++ dum_hcd->next_frame_urbp = NULL;
+
+ for (i = 0; i < DUMMY_ENDPOINTS; i++) {
+ if (!ep_name[i])
+@@ -1710,6 +1715,10 @@ restart:
+ int type;
+ int status = -EINPROGRESS;
+
++ /* stop when we reach URBs queued after the timer interrupt */
++ if (urbp == dum_hcd->next_frame_urbp)
++ break;
++
+ urb = urbp->urb;
+ if (urb->unlinked)
+ goto return_urb;
--- /dev/null
+From 6e76c01e71551cb221c1f3deacb9dcd9a7346784 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 21 Sep 2017 16:12:01 -0400
+Subject: USB: gadgetfs: fix copy_to_user while holding spinlock
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 6e76c01e71551cb221c1f3deacb9dcd9a7346784 upstream.
+
+The gadgetfs driver as a long-outstanding FIXME, regarding a call of
+copy_to_user() made while holding a spinlock. This patch fixes the
+issue by dropping the spinlock and using the dev->udc_usage mechanism
+introduced by another recent patch to guard against status changes
+while the lock isn't held.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/legacy/inode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1067,11 +1067,14 @@ ep0_read (struct file *fd, char __user *
+ retval = -EIO;
+ else {
+ len = min (len, (size_t)dev->req->actual);
+-// FIXME don't call this with the spinlock held ...
++ ++dev->udc_usage;
++ spin_unlock_irq(&dev->lock);
+ if (copy_to_user (buf, dev->req->buf, len))
+ retval = -EFAULT;
+ else
+ retval = len;
++ spin_lock_irq(&dev->lock);
++ --dev->udc_usage;
+ clean_req (dev->gadget->ep0, dev->req);
+ /* NOTE userspace can't yet choose to stall */
+ }
--- /dev/null
+From 114ec3a6f9096d211a4aff4277793ba969a62c73 Mon Sep 17 00:00:00 2001
+From: Jim Dickerson <jim.dickerson@hpe.com>
+Date: Mon, 18 Sep 2017 17:39:14 +0300
+Subject: usb: pci-quirks.c: Corrected timeout values used in handshake
+
+From: Jim Dickerson <jim.dickerson@hpe.com>
+
+commit 114ec3a6f9096d211a4aff4277793ba969a62c73 upstream.
+
+Servers were emitting failed handoff messages but were not
+waiting the full 1 second as designated in section 4.22.1 of
+the eXtensible Host Controller Interface specifications. The
+handshake was using wrong units so calls were made with milliseconds
+not microseconds. Comments referenced 5 seconds not 1 second as
+in specs.
+
+The wrong units were also corrected in a second handshake call.
+
+Signed-off-by: Jim Dickerson <jim.dickerson@hpe.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/pci-quirks.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/pci-quirks.c
++++ b/drivers/usb/host/pci-quirks.c
+@@ -970,7 +970,7 @@ EXPORT_SYMBOL_GPL(usb_disable_xhci_ports
+ *
+ * Takes care of the handoff between the Pre-OS (i.e. BIOS) and the OS.
+ * It signals to the BIOS that the OS wants control of the host controller,
+- * and then waits 5 seconds for the BIOS to hand over control.
++ * and then waits 1 second for the BIOS to hand over control.
+ * If we timeout, assume the BIOS is broken and take control anyway.
+ */
+ static void quirk_usb_handoff_xhci(struct pci_dev *pdev)
+@@ -1016,9 +1016,9 @@ static void quirk_usb_handoff_xhci(struc
+ if (val & XHCI_HC_BIOS_OWNED) {
+ writel(val | XHCI_HC_OS_OWNED, base + ext_cap_offset);
+
+- /* Wait for 5 seconds with 10 microsecond polling interval */
++ /* Wait for 1 second with 10 microsecond polling interval */
+ timeout = handshake(base + ext_cap_offset, XHCI_HC_BIOS_OWNED,
+- 0, 5000, 10);
++ 0, 1000000, 10);
+
+ /* Assume a buggy BIOS and take HC ownership anyway */
+ if (timeout) {
+@@ -1046,7 +1046,7 @@ hc_init:
+ * operational or runtime registers. Wait 5 seconds and no more.
+ */
+ timeout = handshake(op_reg_base + XHCI_STS_OFFSET, XHCI_STS_CNR, 0,
+- 5000, 10);
++ 5000000, 10);
+ /* Assume a buggy HC and start HC initialization anyway */
+ if (timeout) {
+ val = readl(op_reg_base + XHCI_STS_OFFSET);
--- /dev/null
+From 6124607acc88fffeaadf3aacfeb3cc1304c87387 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 27 Sep 2017 18:47:12 +0900
+Subject: usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 6124607acc88fffeaadf3aacfeb3cc1304c87387 upstream.
+
+This patch fixes an issue that the driver sets the BCLR bit of
+{C,Dn}FIFOCTR register to 1 even when it's non-DCP pipe and
+the FRDY bit of {C,Dn}FIFOCTR register is set to 1.
+
+Fixes: e8d548d54968 ("usb: renesas_usbhs: fifo became independent from pipe.")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -287,11 +287,17 @@ static void usbhsf_fifo_clear(struct usb
+ struct usbhs_fifo *fifo)
+ {
+ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
++ int ret = 0;
+
+ if (!usbhs_pipe_is_dcp(pipe))
+- usbhsf_fifo_barrier(priv, fifo);
++ ret = usbhsf_fifo_barrier(priv, fifo);
+
+- usbhs_write(priv, fifo->ctr, BCLR);
++ /*
++ * if non-DCP pipe, this driver should set BCLR when
++ * usbhsf_fifo_barrier() returns 0.
++ */
++ if (!ret)
++ usbhs_write(priv, fifo->ctr, BCLR);
+ }
+
+ static int usbhsf_fifo_rcv_len(struct usbhs_priv *priv,
--- /dev/null
+From 0a2ce62b61f2c76d0213edf4e37aaf54a8ddf295 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 27 Sep 2017 18:47:13 +0900
+Subject: usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 0a2ce62b61f2c76d0213edf4e37aaf54a8ddf295 upstream.
+
+This patch fixes an issue that the usbhsf_fifo_clear() is possible
+to cause 10 msec delay if the pipe is RX direction and empty because
+the FRDY bit will never be set to 1 in such case.
+
+Fixes: e8d548d54968 ("usb: renesas_usbhs: fifo became independent from pipe.")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -289,8 +289,17 @@ static void usbhsf_fifo_clear(struct usb
+ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
+ int ret = 0;
+
+- if (!usbhs_pipe_is_dcp(pipe))
+- ret = usbhsf_fifo_barrier(priv, fifo);
++ if (!usbhs_pipe_is_dcp(pipe)) {
++ /*
++ * This driver checks the pipe condition first to avoid -EBUSY
++ * from usbhsf_fifo_barrier() with about 10 msec delay in
++ * the interrupt handler if the pipe is RX direction and empty.
++ */
++ if (usbhs_pipe_is_dir_in(pipe))
++ ret = usbhs_pipe_is_accessible(pipe);
++ if (!ret)
++ ret = usbhsf_fifo_barrier(priv, fifo);
++ }
+
+ /*
+ * if non-DCP pipe, this driver should set BCLR when
--- /dev/null
+From 113f6eb6d50cfa5e2a1cdcf1678b12661fa272ab Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 21 Sep 2017 15:59:30 -0400
+Subject: usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 113f6eb6d50cfa5e2a1cdcf1678b12661fa272ab upstream.
+
+Kris Lindgren reports that without the NO_WP_DETECT flag, his Seagate
+external disk drive fails all write accesses. This regresssion dates
+back approximately to the start of the 4.x kernel releases.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Kris Lindgren <kris.lindgren@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -1379,6 +1379,13 @@ UNUSUAL_DEV( 0x0bc2, 0x3010, 0x0000, 0x0
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_SANE_SENSE ),
+
++/* Reported by Kris Lindgren <kris.lindgren@gmail.com> */
++UNUSUAL_DEV( 0x0bc2, 0x3332, 0x0000, 0x9999,
++ "Seagate",
++ "External",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_WP_DETECT ),
++
+ UNUSUAL_DEV( 0x0d49, 0x7310, 0x0000, 0x9999,
+ "Maxtor",
+ "USB to SATA",
projects / thirdparty / kernel / stable-queue.git / commitdiff
