scsi: target: core: Fix integer overflow in UNMAP bounds check

avasummer · gregkh · commit 3facdecc3fcf · 2026-05-23T13:04:45.000+02:00
[ Upstream commit 2bf2d65 ] sbc_execute_unmap() checks LBA + range does not exceed the device capacity, but does not guard against LBA + range wrapping around on 64-bit overflow. Add an overflow check matching the pattern already used for WRITE_SAME in the same file. Fixes: 86d7182 ("target: Add sbc_execute_unmap() helper") Reported-by: Yuhao Jiang <danisjiang@gmail.com> Signed-off-by: Junrui Luo <moonafterrain@outlook.com> Link: https://patch.msgid.link/SYBPR01MB7881593C61AD52C69FBDB0BDAF7CA@SYBPR01MB7881.ausprd01.prod.outlook.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
@@ -1136,7 +1136,8 @@ sbc_execute_unmap(struct se_cmd *cmd)
 			goto err;
 		}
 
-		if (lba + range > dev->transport->get_blocks(dev) + 1) {
+		if (lba + range < lba ||
+		    lba + range > dev->transport->get_blocks(dev) + 1) {
 			ret = TCM_ADDRESS_OUT_OF_RANGE;
 			goto err;
 		}

Original file line number	Diff line number	Diff line change
`@@ -1136,7 +1136,8 @@ sbc_execute_unmap(struct se_cmd *cmd)`
`1136`	`1136`	`goto err;`
`1137`	`1137`	`}`
`1138`	`1138`
`1139`		`- if (lba + range > dev->transport->get_blocks(dev) + 1) {`
	`1139`	`+ if (lba + range < lba \|\|`
	`1140`	`+ lba + range > dev->transport->get_blocks(dev) + 1) {`
`1140`	`1141`	`ret = TCM_ADDRESS_OUT_OF_RANGE;`
`1141`	`1142`	`goto err;`
`1142`	`1143`	`}`