From: Tom Yan <tom.ty89@xxxxxxxxx> Commit 7780081c1f04 ("libata-scsi: Set information sense field for invalid parameter") changed how ata_mselect_*() make sure read-only bits are not modified. The new implementation introduced a bug that the read-only bits in the byte that has a changeable bit will not be checked. Added the necessary check, with comments explaining the heuristic. Signed-off-by: Tom Yan <tom.ty89@xxxxxxxxx> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index eb5e8ff..ac90676 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -3631,8 +3631,18 @@ static int ata_mselect_caching(struct ata_queued_cmd *qc, */ ata_msense_caching(dev->id, mpage, false); for (i = 0; i < CACHE_MPAGE_LEN - 2; i++) { - if (i == 0) - continue; + /* Check the first byte */ + if (i == 0) { + /* except the WCE bit */ + if ((mpage[i + 2] & 0xfb) != (buf[i] & 0xfb)) { + *fp = i; + return -EINVAL; + } else { + continue; + } + } + + /* Check the remaining bytes */ if (mpage[i + 2] != buf[i]) { *fp = i; return -EINVAL; @@ -3686,8 +3696,18 @@ static int ata_mselect_control(struct ata_queued_cmd *qc, */ ata_msense_control(dev, mpage, false); for (i = 0; i < CONTROL_MPAGE_LEN - 2; i++) { - if (i == 0) - continue; + /* Check the first byte */ + if (i == 0) { + /* except the D_SENSE bit */ + if ((mpage[i + 2] & 0xfb) != (buf[i] & 0xfb)) { + *fp = i; + return -EINVAL; + } else { + continue; + } + } + + /* Check the remaining bytes */ if (mpage[2 + i] != buf[i]) { *fp = i; return -EINVAL; -- 2.9.0 -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html