scsi: target: tcm_loop: Drain commands in target_reset handler
Summary
| CVE | CVE-2026-43054 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-01 15:16:51 UTC |
| Updated | 2026-05-07 18:28:19 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Drain commands in target_reset handler tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS without draining any in-flight commands. The SCSI EH documentation (scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver has made lower layers "forget about timed out scmds" and is ready for new commands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug, mpi3mr) enforces this by draining or completing outstanding commands before returning SUCCESS. Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight scsi_cmnd structures for recovery commands (e.g. TUR) while the target core still has async completion work queued for the old se_cmd. The memset in queuecommand zeroes se_lun and lun_ref_active, causing transport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN reference prevents transport_clear_lun_ref() from completing, hanging configfs LUN unlink forever in D-state: INFO: task rm:264 blocked for more than 122 seconds. rm D 0 264 258 0x00004000 Call Trace: __schedule+0x3d0/0x8e0 schedule+0x36/0xf0 transport_clear_lun_ref+0x78/0x90 [target_core_mod] core_tpg_remove_lun+0x28/0xb0 [target_core_mod] target_fabric_port_unlink+0x50/0x60 [target_core_mod] configfs_unlink+0x156/0x1f0 [configfs] vfs_unlink+0x109/0x290 do_unlinkat+0x1d5/0x2d0 Fix this by making tcm_loop_target_reset() actually drain commands: 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that the target core knows about (those not yet CMD_T_COMPLETE). 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and flush_work() on each se_cmd — this drains any deferred completion work for commands that already had CMD_T_COMPLETE set before the TMR (which the TMR skips via __target_check_io_state()). This is the same pattern used by mpi3mr, scsi_debug, and libsas to drain outstanding commands during reset. |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.000240000 probability, percentile 0.068060000 (date 2026-05-05)
Problem Types: CWE-772
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 757c43c692294cdfad31390accc0e90429b2ef8a git | Not specified |
| CNA | Linux | Linux | affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 103f79e4949513247d763c6e7f3cbbf62017afdf git | Not specified |
| CNA | Linux | Linux | affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 15f5241d5a52364a7e7867b49128b0442dbcad9d git | Not specified |
| CNA | Linux | Linux | affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 7cbd69aaa507b1245240a28022bf5da0f07c68d9 git | Not specified |
| CNA | Linux | Linux | affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 a836054ea81014117ec6b73529a21626a9e1f829 git | Not specified |
| CNA | Linux | Linux | affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 05ac3754467363558a0a54ae4bb7c89b2c9574cf git | Not specified |
| CNA | Linux | Linux | affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 1333eee56cdf3f0cf67c6ab4114c2c9e0a952026 git | Not specified |
| CNA | Linux | Linux | affected 5.13 | Not specified |
| CNA | Linux | Linux | unaffected 5.13 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.203 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.168 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.134 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.81 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.22 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.12 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/1333eee56cdf3f0cf67c6ab4114c2c9e0a952026 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/05ac3754467363558a0a54ae4bb7c89b2c9574cf | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/15f5241d5a52364a7e7867b49128b0442dbcad9d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/7cbd69aaa507b1245240a28022bf5da0f07c68d9 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/a836054ea81014117ec6b73529a21626a9e1f829 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/103f79e4949513247d763c6e7f3cbbf62017afdf | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/757c43c692294cdfad31390accc0e90429b2ef8a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.