This bug, which was probably introduced in Linux 2.6.28, was assigned CVE.
In drivers/scsi/sg.c, in function start_req(), there was a code segment vulnerable to number wraparound in the calculation of the total number of pages in bio_map_user_iov().
This can result in allocating a small array of pointers to pages that would then be overflowed. It was fixed in Linux 4.1-rc1.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1250034]
This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 6, 7, MRG-2 and realtime kernels and is not planned to be addressed in a future update.
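The wraparound described in the report can be seen in a simplified user-space model of a page-count calculation. This is an added example, not the kernel's code or the actual fix: `struct seg`, `MAX_SEGS`, the 32-bit counter width and the sample segments are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define MAX_SEGS   1024 /* assumed cap on the number of segments */

struct seg { uint64_t addr, len; }; /* simplified stand-in for one I/O vector entry */

/* Pages touched by [addr, addr + len): round the end up, the start down. */
static uint64_t pages_spanned(const struct seg *s)
{
    return ((s->addr + s->len + PAGE_SIZE - 1) >> PAGE_SHIFT) - (s->addr >> PAGE_SHIFT);
}

/* Flawed pattern: the running total is kept in 32 bits and silently wraps. */
uint32_t total_pages_unchecked(const struct seg *v, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (uint32_t)pages_spanned(&v[i]); /* modulo 2^32 */
    return total;
}

/* Hardened pattern: bound the segment count, reject address wrap, and
 * refuse any total whose pointer array could not be sized in 32 bits. */
int total_pages_checked(const struct seg *v, size_t n, uint32_t *out)
{
    uint64_t total = 0;
    if (n == 0 || n > MAX_SEGS)
        return -EINVAL;
    for (size_t i = 0; i < n; i++) {
        if (v[i].len == 0 || v[i].len > UINT64_MAX - PAGE_SIZE ||
            v[i].addr > UINT64_MAX - PAGE_SIZE - v[i].len)
            return -EINVAL;
        total += pages_spanned(&v[i]);
        if (total > UINT32_MAX / sizeof(void *))
            return -EINVAL;
    }
    *out = (uint32_t)total;
    return 0;
}

/* Constructed input: 16 segments of 1 TiB (2^28 pages each) plus one page.
 * The true total is 2^32 + 1 pages; the 32-bit counter ends up at 1. */
uint32_t demo_unchecked(void)
{
    struct seg v[17];
    for (int i = 0; i < 16; i++) { v[i].addr = 0; v[i].len = 1ULL << 40; }
    v[16].addr = 0; v[16].len = PAGE_SIZE;
    return total_pages_unchecked(v, 17);
}
int main(void) { return demo_unchecked() == 1 ? 0 : 1; }
```

An allocation sized from the unchecked total would hold one page pointer while the segments describe far more pages, which is the undersized-array condition the report describes.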