[PATCH] scsi: target: fix integer overflow in UNMAP bounds check

From: Junrui Luo

Date: Wed Mar 04 2026 - 10:56:16 EST


sbc_execute_unmap() checks lba + range does not exceed the device
capacity, but does not guard against lba + range wrapping around on
64-bit overflow.

Add an overflow check matching the pattern already used for WRITE_SAME
in the same file.

Fixes: 86d7182985d2 ("target: Add sbc_execute_unmap() helper")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/target/target_core_sbc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index abe91dc8722e..21f5cb86d70c 100644
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -1187,7 +1187,8 @@ sbc_execute_unmap(struct se_cmd *cmd)
goto err;
}

- if (lba + range > dev->transport->get_blocks(dev) + 1) {
+ if (lba + range < lba ||
+ lba + range > dev->transport->get_blocks(dev) + 1) {
ret = TCM_ADDRESS_OUT_OF_RANGE;
goto err;
}
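Review bot: In the new condition, `lba + range < lba` only catches the wrap if both operands are unsigned and the sum is evaluated at 64-bit width. The declarations of `lba` and `range` are outside this hunk, so that should be confirmed before relying on the check. The sum is also written out twice. Computing it once with `check_add_overflow(lba, range, &end)` from `<linux/overflow.h>` (with `end` as a new local) and comparing `end` against the capacity would state the intent directly and not depend on the operand types, although the commit message notes that the open-coded form matches the existing WRITE_SAME check in this file. The `+ 1` on the `get_blocks()` side of the comparison is unchanged and has no guard of its own; a one-line comment on why the bound is the returned value plus one would help the next reader.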

---
base-commit: 0031c06807cfa8aa51a759ff8aa09e1aa48149af
change-id: 20260304-fixes-268e0eac427f

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>