From: Tom Yan <tom.ty89@xxxxxxxxx> Commit 7780081c1f04 ("libata-scsi: Set information sense field for invalid parameter") changed how ata_mselect_*() make sure read-only bits are not modified. The new implementation introduced a bug that the read-only bits in the byte that has a changeable bit will not be checked. Added the necessary check, with comments explaining the heuristic. Signed-off-by: Tom Yan <tom.ty89@xxxxxxxxx> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index 06afe63..b47c3ce 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -3617,8 +3617,18 @@ static int ata_mselect_caching(struct ata_queued_cmd *qc, */ ata_msense_caching(dev->id, mpage, false); for (i = 0; i < CACHE_MPAGE_LEN - 2; i++) { - if (i == 0) - continue; + /* Check the first byte */ + if (i == 0) { + /* except the WCE bit */ + if (mpage[i + 2] & 0xfb != buf[i] & 0xfb) { + *fp = i; + return -EINVAL; + } else { + continue; + } + } + + /* Check the remaining bytes */ if (mpage[i + 2] != buf[i]) { *fp = i; return -EINVAL; @@ -3672,8 +3682,18 @@ static int ata_mselect_control(struct ata_queued_cmd *qc, */ ata_msense_control(dev, mpage, false); for (i = 0; i < CONTROL_MPAGE_LEN - 2; i++) { - if (i == 0) - continue; + /* Check the first byte */ + if (i == 0) { + /* except the D_SENSE bit */ + if (mpage[i + 2] & 0xfb != buf[i] & 0xfb) { + *fp = i; + return -EINVAL; + } else { + continue; + } + } + + /* Check the remaining bytes */ if (mpage[2 + i] != buf[i]) { *fp = i; return -EINVAL; -- 2.9.0 -- To unsubscribe from this list: send the line "unsubscribe linux-ide" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html