From: Tom Yan <tom.t...@gmail.com>
Commit 7780081c1f04 ("libata-scsi: Set information sense field for
invalid parameter") changed how ata_mselect_*() make sure read-only
bits are not modified. The new implementation introduced a bug that
the read-only bits in the byte that has a changeable bit will not
be checked.
Added the necessary check, with comments explaining the heuristic.
Signed-off-by: Tom Yan <tom.t...@gmail.com>
diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index eb5e8ff..ac90676 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -3631,8 +3631,18 @@ static int ata_mselect_caching(struct ata_queued_cmd *qc,
*/
ata_msense_caching(dev->id, mpage, false);
for (i = 0; i < CACHE_MPAGE_LEN - 2; i++) {
- if (i == 0)
- continue;
+ /* Check the first byte */
+ if (i == 0) {
+ /* except the WCE bit */
+ if ((mpage[i + 2] & 0xfb) != (buf[i] & 0xfb)) {
+ *fp = i;
+ return -EINVAL;
+ } else {
+ continue;
+ }
+ }
+
+ /* Check the remaining bytes */
if (mpage[i + 2] != buf[i]) {
*fp = i;
return -EINVAL;
@@ -3686,8 +3696,18 @@ static int ata_mselect_control(struct ata_queued_cmd *qc,
*/
ata_msense_control(dev, mpage, false);
for (i = 0; i < CONTROL_MPAGE_LEN - 2; i++) {
- if (i == 0)
- continue;
+ /* Check the first byte */
+ if (i == 0) {
+ /* except the D_SENSE bit */
+ if ((mpage[i + 2] & 0xfb) != (buf[i] & 0xfb)) {
+ *fp = i;
+ return -EINVAL;
+ } else {
+ continue;
+ }
+ }
+
+ /* Check the remaining bytes */
if (mpage[2 + i] != buf[i]) {
*fp = i;
return -EINVAL;
--
2.9.0
