Re: [PATCH] scsi: target: fix integer overflow in UNMAP bounds check
From: Junrui Luo
Date: Wed Mar 04 2026 - 21:49:22 EST
On Wed, Mar 04, 2026 at 12:00:17PM -0500, James Bottomley wrote:
> What's the theory about how this could occur and the problem it causes?
lba is not the device's actual LBA range - it comes directly from the
initiator's UNMAP parameter block descriptor:
lba = get_unaligned_be64(&ptr[0]);
where ptr points into the data buffer received from the initiator via
transport_kmap_data_sg(). An initiator can put any 64-bit value here
regardless of device size.
> If we send an unmap with lba and range that wraps 64 bits then the
> device should error or truncate it anyway, shouldn't it?
The backends will catch it in practice. But without this check, the
initiator gets TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE instead of
TCM_ADDRESS_OUT_OF_RANGE and WRITE_SAME already has this exact guard in
the same file.
Thanks,
Junrui Luo
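The bounds check discussed in this reply, as an added example that is not the kernel's code: it parses one UNMAP block descriptor exactly as an initiator would supply it (bytes 0-7 LBA, 8-11 number of blocks, big-endian) and rejects a range whose end wraps past 64 bits before comparing it against the device size. The device size, the descriptor bytes and the status enum are constructed stand-ins for this example.

```c
/* Added example, not kernel code: bounds-check an initiator-supplied
 * UNMAP block descriptor with an explicit 64-bit wrap guard. */
#include <stdint.h>

enum tcm_status {                 /* stand-ins for the kernel's sense codes */
    TCM_OK = 0,
    TCM_ADDRESS_OUT_OF_RANGE = 1,
};

static uint64_t get_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* dev_blocks: number of logical blocks on the device (last LBA + 1). */
enum tcm_status check_unmap_descriptor(const uint8_t desc[16], uint64_t dev_blocks)
{
    uint64_t lba  = get_be64(&desc[0]);   /* initiator-controlled */
    uint32_t nolb = get_be32(&desc[8]);   /* initiator-controlled */

    /* lba + nolb may wrap past 2^64: test for the wrap before the range. */
    if (lba + nolb < lba)
        return TCM_ADDRESS_OUT_OF_RANGE;
    if (lba + nolb > dev_blocks)
        return TCM_ADDRESS_OUT_OF_RANGE;
    return TCM_OK;
}

/* The same test without the wrap guard: a wrapped end looks in-range. */
enum tcm_status check_unmap_no_wrap_guard(const uint8_t desc[16], uint64_t dev_blocks)
{
    uint64_t end = get_be64(&desc[0]) + get_be32(&desc[8]);
    return end > dev_blocks ? TCM_ADDRESS_OUT_OF_RANGE : TCM_OK;
}

/* Constructed descriptors: LBA 0x1000 / 256 blocks, and LBA 2^64-16 / 32 blocks. */
static const uint8_t desc_ok[16]   = {0,0,0,0,0,0,0x10,0x00, 0,0,0x01,0x00, 0,0,0,0};
static const uint8_t desc_wrap[16] = {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xf0,
                                      0,0,0,0x20, 0,0,0,0};
```

With a 2^20-block device, desc_wrap is accepted by the unguarded check because its end wraps to 0x10, while the guarded check returns TCM_ADDRESS_OUT_OF_RANGE.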