scsi: target: tcm_loop: Drain commands in target_reset handler

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-43054
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-01 15:16:51 UTC
Updated2026-05-01 15:24:14 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Drain commands in target_reset handler tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS without draining any in-flight commands. The SCSI EH documentation (scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver has made lower layers "forget about timed out scmds" and is ready for new commands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug, mpi3mr) enforces this by draining or completing outstanding commands before returning SUCCESS. Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight scsi_cmnd structures for recovery commands (e.g. TUR) while the target core still has async completion work queued for the old se_cmd. The memset in queuecommand zeroes se_lun and lun_ref_active, causing transport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN reference prevents transport_clear_lun_ref() from completing, hanging configfs LUN unlink forever in D-state: INFO: task rm:264 blocked for more than 122 seconds. rm D 0 264 258 0x00004000 Call Trace: __schedule+0x3d0/0x8e0 schedule+0x36/0xf0 transport_clear_lun_ref+0x78/0x90 [target_core_mod] core_tpg_remove_lun+0x28/0xb0 [target_core_mod] target_fabric_port_unlink+0x50/0x60 [target_core_mod] configfs_unlink+0x156/0x1f0 [configfs] vfs_unlink+0x109/0x290 do_unlinkat+0x1d5/0x2d0 Fix this by making tcm_loop_target_reset() actually drain commands: 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that the target core knows about (those not yet CMD_T_COMPLETE). 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and flush_work() on each se_cmd — this drains any deferred completion work for commands that already had CMD_T_COMPLETE set before the TMR (which the TMR skips via __target_check_io_state()). This is the same pattern used by mpi3mr, scsi_debug, and libsas to drain outstanding commands during reset.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 757c43c692294cdfad31390accc0e90429b2ef8a git Not specified
CNA Linux Linux affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 103f79e4949513247d763c6e7f3cbbf62017afdf git Not specified
CNA Linux Linux affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 15f5241d5a52364a7e7867b49128b0442dbcad9d git Not specified
CNA Linux Linux affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 7cbd69aaa507b1245240a28022bf5da0f07c68d9 git Not specified
CNA Linux Linux affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 a836054ea81014117ec6b73529a21626a9e1f829 git Not specified
CNA Linux Linux affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 05ac3754467363558a0a54ae4bb7c89b2c9574cf git Not specified
CNA Linux Linux affected e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 1333eee56cdf3f0cf67c6ab4114c2c9e0a952026 git Not specified
CNA Linux Linux affected 5.13 Not specified
CNA Linux Linux unaffected 5.13 semver Not specified
CNA Linux Linux unaffected 5.15.203 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.168 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.134 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.81 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.22 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.12 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/1333eee56cdf3f0cf67c6ab4114c2c9e0a952026 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/05ac3754467363558a0a54ae4bb7c89b2c9574cf 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/15f5241d5a52364a7e7867b49128b0442dbcad9d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/7cbd69aaa507b1245240a28022bf5da0f07c68d9 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/a836054ea81014117ec6b73529a21626a9e1f829 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/103f79e4949513247d763c6e7f3cbbf62017afdf 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/757c43c692294cdfad31390accc0e90429b2ef8a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report