scsi: target: core: Fix integer overflow in UNMAP bounds check

sbc_execute_unmap() checks LBA + range does not exceed the device capacity, but does not guard against LBA + range wrapping around on 64-bit overflow. Add an overflow check matching the pattern already used for WRITE_SAME in the same file. Fixes: 86d7182985d2 ("target: Add sbc_execute_unmap() helper") Reported-by: Yuhao Jiang <danisjiang@gmail.com> Signed-off-by: Junrui Luo <moonafterrain@outlook.com> Link: https://patch.msgid.link/SYBPR01MB7881593C61AD52C69FBDB0BDAF7CA@SYBPR01MB7881.ausprd01.prod.outlook.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
author: Junrui Luo <moonafterrain@outlook.com> 2026-03-04 18:42:58 +0300
committer: Martin K. Petersen <martin.petersen@oracle.com> 2026-03-11 04:56:39 +0300
commit: 2bf2d65f76697820dbc4227d13866293576dd90a (patch)
tree: 4fe8fbfe57d6222c9244e8f06687b3d670802973
parent: 20ca5460e5f95163b85dda555625a27d1c120ebf (diff)
download: linux-2bf2d65f76697820dbc4227d13866293576dd90a.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
index abe91dc8722e..21f5cb86d70c 100644
--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -1187,7 +1187,8 @@ sbc_execute_unmap(struct se_cmd *cmd)
 			goto err;
 		}
 
-		if (lba + range > dev->transport->get_blocks(dev) + 1) {
+		if (lba + range < lba ||
+		    lba + range > dev->transport->get_blocks(dev) + 1) {
 			ret = TCM_ADDRESS_OUT_OF_RANGE;
 			goto err;
 		}
author	Junrui Luo <moonafterrain@outlook.com>	2026-03-04 18:42:58 +0300
committer	Martin K. Petersen <martin.petersen@oracle.com>	2026-03-11 04:56:39 +0300
commit	2bf2d65f76697820dbc4227d13866293576dd90a (patch)
tree	4fe8fbfe57d6222c9244e8f06687b3d670802973
parent	20ca5460e5f95163b85dda555625a27d1c120ebf (diff)
download	linux-2bf2d65f76697820dbc4227d13866293576dd90a.tar.xz