Message ID | b2ae6752649bc02641d38fee75ee35a59e8466d8.1469126217.git.tom.ty89@gmail.com (mailing list archive) |
---|---|
State | Not Applicable, archived |
This is actually a bit clumsy. Sending a rewritten version. On 22 July 2016 at 02:41, <tom.ty89@gmail.com> wrote:
> From: Tom Yan <tom.ty89@gmail.com>
>
> Commit 7780081c1f04 ("libata-scsi: Set information sense field for
> invalid parameter") changed how ata_mselect_*() make sure read-only
> bits are not modified. The new implementation introduced a bug that
> the read-only bits in the byte that has a changeable bit will not
> be checked.
>
> Added the necessary check, with comments explaining the heuristic.
>
> Signed-off-by: Tom Yan <tom.ty89@gmail.com>
>
> diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
> index eb5e8ff..ac90676 100644
> --- a/drivers/ata/libata-scsi.c
> +++ b/drivers/ata/libata-scsi.c
> @@ -3631,8 +3631,18 @@ static int ata_mselect_caching(struct ata_queued_cmd *qc,
> */
> ata_msense_caching(dev->id, mpage, false);
> for (i = 0; i < CACHE_MPAGE_LEN - 2; i++) {
> - if (i == 0)
> - continue;
> + /* Check the first byte */
> + if (i == 0) {
> + /* except the WCE bit */
> + if ((mpage[i + 2] & 0xfb) != (buf[i] & 0xfb)) {
> + *fp = i;
> + return -EINVAL;
> + } else {
> + continue;
> + }
> + }
> +
> + /* Check the remaining bytes */
> if (mpage[i + 2] != buf[i]) {
> *fp = i;
> return -EINVAL;
> @@ -3686,8 +3696,18 @@ static int ata_mselect_control(struct ata_queued_cmd *qc,
> */
> ata_msense_control(dev, mpage, false);
> for (i = 0; i < CONTROL_MPAGE_LEN - 2; i++) {
> - if (i == 0)
> - continue;
> + /* Check the first byte */
> + if (i == 0) {
> + /* except the D_SENSE bit */
> + if ((mpage[i + 2] & 0xfb) != (buf[i] & 0xfb)) {
> + *fp = i;
> + return -EINVAL;
> + } else {
> + continue;
> + }
> + }
> +
> + /* Check the remaining bytes */
> if (mpage[2 + i] != buf[i]) {
> *fp = i;
> return -EINVAL;
> --
> 2.9.0
>
-- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
index eb5e8ff..ac90676 100644
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -3631,8 +3631,18 @@ static int ata_mselect_caching(struct ata_queued_cmd *qc,
 */
 ata_msense_caching(dev->id, mpage, false);
 for (i = 0; i < CACHE_MPAGE_LEN - 2; i++) {
- if (i == 0)
- continue;
+ /* Check the first byte */
+ if (i == 0) {
+ /* except the WCE bit */
+ if ((mpage[i + 2] & 0xfb) != (buf[i] & 0xfb)) {
+ *fp = i;
+ return -EINVAL;
+ } else {
+ continue;
+ }
+ }
+
+ /* Check the remaining bytes */
 if (mpage[i + 2] != buf[i]) {
 *fp = i;
 return -EINVAL;
@@ -3686,8 +3696,18 @@ static int ata_mselect_control(struct ata_queued_cmd *qc,
 */
 ata_msense_control(dev, mpage, false);
 for (i = 0; i < CONTROL_MPAGE_LEN - 2; i++) {
- if (i == 0)
- continue;
+ /* Check the first byte */
+ if (i == 0) {
+ /* except the D_SENSE bit */
+ if ((mpage[i + 2] & 0xfb) != (buf[i] & 0xfb)) {
+ *fp = i;
+ return -EINVAL;
+ } else {
+ continue;
+ }
+ }
+
+ /* Check the remaining bytes */
 if (mpage[2 + i] != buf[i]) {
 *fp = i;
 return -EINVAL;
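Review bot: The literal `0xfb` in the new `i == 0` branch of ata_mselect_caching is an unexplained mask, and the second hunk reuses it in ata_mselect_control for a differently named bit. The comments say it exempts WCE and D_SENSE respectively, so presumably both are bit 2 of the first page byte. Writing the mask as `~(1 << 2)` or a named constant, with a comment such as `/* bit 2 is the only changeable bit in this byte; all others are read-only */`, would let a reader confirm that every read-only bit of caller-supplied MODE SELECT data is still compared. Because the branch returns on mismatch, `else { continue; }` is redundant, and since `i` is always 0 there the test could sit before the loop as `if ((mpage[2] ^ buf[0]) & 0xfb) { *fp = 0; return -EINVAL; }` with the loop starting at `i = 1`. Both function bodies start and end outside the hunks, so how `buf` is length-checked before this loop is not visible here.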