Date: Fri, 22 Apr 2016 03:13:58 +0500
Subject: Integer overflow in target_core_device.c in Linux Kernel
From: Марк Коренберг
To: Mike Christie
Cc: stable@vger.kernel.org, Nicholas Bellinger

Linux kernel commit 8a9ebe717a133ba7bc90b06047f43cc6b8bcb8b3

    attrib->max_unmap_lba_count = (q->limits.max_discard_sectors << 9)

Since max_discard_sectors is 32-bit, there may be an integer overflow, making
a wrong max_unmap_lba_count. For example, LVM Thin provisioning reports
that it has a 16 GB maximal discard block.

Exactly the same bug is in DRBD9; I have already reported it.

-- 
Segmentation fault
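
Added example, not part of the original message and not kernel code: a stand-alone C program that evaluates the quoted `<< 9` in 32 bits and again after widening to 64 bits, over constructed sector counts. The function names are hypothetical, "16 GB" is taken to mean 16 GiB (2^25 sectors of 512 bytes), and the widening cast is one way to avoid the wrap, not necessarily the fix the kernel adopted.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SHIFT 9 /* 512-byte sectors, matching the << 9 in the quoted line */

/* The quoted expression: operand and result both stay 32 bits wide. */
static uint32_t discard_bytes_32(uint32_t max_discard_sectors)
{
	return max_discard_sectors << SECTOR_SHIFT;
}

/* Widen before shifting so the byte count keeps its high bits. */
static uint64_t discard_bytes_64(uint32_t max_discard_sectors)
{
	return (uint64_t)max_discard_sectors << SECTOR_SHIFT;
}

/* True when the 32-bit shift would drop high bits. */
static int shift_wraps(uint32_t max_discard_sectors)
{
	return max_discard_sectors > (UINT32_MAX >> SECTOR_SHIFT);
}

int main(void)
{
	/* Constructed sample limits, in 512-byte sectors. */
	static const uint32_t samples[] = {
		8388607u,   /* just under 4 GiB: largest value that still fits */
		8388608u,   /* exactly 4 GiB: first value that wraps */
		33554432u,  /* 16 GiB, the thin-provisioning case from the mail */
		UINT32_MAX, /* largest possible sector count */
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t s = samples[i];
		printf("sectors=%" PRIu32 " 32-bit=%" PRIu32 " 64-bit=%" PRIu64 " wraps=%d\n",
		       s, discard_bytes_32(s), discard_bytes_64(s), shift_wraps(s));
	}
	return 0;
}
```

With a 16 GiB limit the 32-bit result is exactly 0, so any discard limit of 4 GiB or more is misreported when the shift is done in 32 bits.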