target: Fix possible integer underflow in UNMAP emulation (b7fc7f37) · Commits · e / devices / android_kernel_fairphone_FP5

drivers/target/target_core_iblock.c

+10 −10

Original line number	Diff line number	Diff line
		@@ -325,24 +325,24 @@ static int iblock_execute_unmap(struct se_cmd *cmd)
		struct iblock_dev *ibd = dev->dev_ptr;
		unsigned char buf, ptr = NULL;
		sector_t lba;
		unsigned int size = cmd->data_length, range;
		int ret = 0, offset;
		unsigned short dl, bd_dl;

		/* First UNMAP block descriptor starts at 8 byte offset */
		offset = 8;
		size -= 8;
		int size = cmd->data_length;
		u32 range;
		int ret = 0;
		int dl, bd_dl;

		buf = transport_kmap_data_sg(cmd);

		dl = get_unaligned_be16(&buf[0]);
		bd_dl = get_unaligned_be16(&buf[2]);

		ptr = &buf[offset];
		pr_debug("UNMAP: Sub: %s Using dl: %hu bd_dl: %hu size: %hu"
		size = min(size - 8, bd_dl);

		/* First UNMAP block descriptor starts at 8 byte offset */
		ptr = &buf[8];
		pr_debug("UNMAP: Sub: %s Using dl: %u bd_dl: %u size: %u"
		" ptr: %p\n", dev->transport->name, dl, bd_dl, size, ptr);

		while (size) {
		while (size >= 16) {
		lba = get_unaligned_be64(&ptr[0]);
		range = get_unaligned_be32(&ptr[8]);
		pr_debug("UNMAP: Using lba: %llu and range: %u\n",