Re: [PATCH] scsi: target: fix integer overflow in UNMAP bounds check

Next message: Wolfram Sang: "Re: [PATCH] i2c: i2c-core-base: fix devicetree alias handling"
Previous message: Reinette Chatre: "Re: [PATCH v1 1/4] x86,fs/resctrl: Make resctrl_arch_is_evt_configurable() aware of mbm_assign_mode"
In reply to: Junrui Luo: "[PATCH] scsi: target: fix integer overflow in UNMAP bounds check"
Next in thread: Junrui Luo: "Re: [PATCH] scsi: target: fix integer overflow in UNMAP bounds check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: James Bottomley

Date: Wed Mar 04 2026 - 12:08:10 EST

On Wed, 2026-03-04 at 23:42 +0800, Junrui Luo wrote:
> sbc_execute_unmap() checks lba + range does not exceed the device
> capacity, but does not guard against lba + range wrapping around on
> 64-bit overflow.

What's the theory about how this could occur and the problem it causes?
range is a u32 so lba would have to have all 1's in the upper 32 bits
for this to happen (i.e. be a 15 ExB device). Plus do we even care?
If we send an unmap with lba and range that wraps 64 bits then the
device should error or truncate it anyway, shouldn't it?

Regards,

James