This is actually a bit clumsy. Sending a rewritten version.
On 22 July 2016 at 02:41, <tom.ty89@xxxxxxxxx> wrote:
> From: Tom Yan <tom.ty89@xxxxxxxxx>
>
> Commit 7780081c1f04 ("libata-scsi: Set information sense field for
> invalid parameter") changed how ata_mselect_*() make sure read-only
> bits are not modified. The new implementation introduced a bug that
> the read-only bits in the byte that has a changeable bit will not
> be checked.
>
> Added the necessary check, with comments explaining the heuristic.
>
> Signed-off-by: Tom Yan <tom.ty89@xxxxxxxxx>
>
> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
> index eb5e8ff..ac90676 100644
> --- a/drivers/ata/libata-scsi.c
> +++ b/drivers/ata/libata-scsi.c
> @@ -3631,8 +3631,18 @@ static int ata_mselect_caching(struct ata_queued_cmd *qc,
> */
> ata_msense_caching(dev->id, mpage, false);
> for (i = 0; i < CACHE_MPAGE_LEN - 2; i++) {
> - if (i == 0)
> - continue;
> + /* Check the first byte */
> + if (i == 0) {
> + /* except the WCE bit */
> + if ((mpage[i + 2] & 0xfb) != (buf[i] & 0xfb)) {
> + *fp = i;
> + return -EINVAL;
> + } else {
> + continue;
> + }
> + }
> +
> + /* Check the remaining bytes */
> if (mpage[i + 2] != buf[i]) {
> *fp = i;
> return -EINVAL;
> @@ -3686,8 +3696,18 @@ static int ata_mselect_control(struct ata_queued_cmd *qc,
> */
> ata_msense_control(dev, mpage, false);
> for (i = 0; i < CONTROL_MPAGE_LEN - 2; i++) {
> - if (i == 0)
> - continue;
> + /* Check the first byte */
> + if (i == 0) {
> + /* except the D_SENSE bit */
> + if ((mpage[i + 2] & 0xfb) != (buf[i] & 0xfb)) {
> + *fp = i;
> + return -EINVAL;
> + } else {
> + continue;
> + }
> + }
> +
> + /* Check the remaining bytes */
> if (mpage[2 + i] != buf[i]) {
> *fp = i;
> return -EINVAL;
> --
> 2.9.0
>
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
