CVE-2026-43054
Awaiting Analysis Awaiting Analysis - Queue
SCSI Target Loop Driver Command Drain Failure in Linux Kernel

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Drain commands in target_reset handler tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS without draining any in-flight commands. The SCSI EH documentation (scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver has made lower layers "forget about timed out scmds" and is ready for new commands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug, mpi3mr) enforces this by draining or completing outstanding commands before returning SUCCESS. Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight scsi_cmnd structures for recovery commands (e.g. TUR) while the target core still has async completion work queued for the old se_cmd. The memset in queuecommand zeroes se_lun and lun_ref_active, causing transport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN reference prevents transport_clear_lun_ref() from completing, hanging configfs LUN unlink forever in D-state: INFO: task rm:264 blocked for more than 122 seconds. rm D 0 264 258 0x00004000 Call Trace: __schedule+0x3d0/0x8e0 schedule+0x36/0xf0 transport_clear_lun_ref+0x78/0x90 [target_core_mod] core_tpg_remove_lun+0x28/0xb0 [target_core_mod] target_fabric_port_unlink+0x50/0x60 [target_core_mod] configfs_unlink+0x156/0x1f0 [configfs] vfs_unlink+0x109/0x290 do_unlinkat+0x1d5/0x2d0 Fix this by making tcm_loop_target_reset() actually drain commands: 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that the target core knows about (those not yet CMD_T_COMPLETE). 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and flush_work() on each se_cmd β€” this drains any deferred completion work for commands that already had CMD_T_COMPLETE set before the TMR (which the TMR skips via __target_check_io_state()). This is the same pattern used by mpi3mr, scsi_debug, and libsas to drain outstanding commands during reset.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-05-06
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-43054
EUVD
EUVD-2026-26653
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel *
linux_kernel tcm_loop *
linux_kernel linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's SCSI target driver tcm_loop. The function tcm_loop_target_reset() violates the SCSI error handling contract by returning SUCCESS without properly draining any in-flight SCSI commands. According to the SCSI error handling documentation, when a reset handler returns SUCCESS, it must ensure that all timed-out commands are forgotten and the driver is ready for new commands.

Because tcm_loop_target_reset() does not drain these commands, the system reuses command structures for recovery commands while the target core still has asynchronous completion work queued for the old commands. This causes certain references to leak, preventing the completion of LUN (Logical Unit Number) unlink operations and causing processes to hang indefinitely in an uninterruptible sleep state.

The fix involves making tcm_loop_target_reset() properly drain commands by issuing a LUN reset to clear all known commands and iterating over started requests to flush any deferred completion work, ensuring no commands remain pending before returning SUCCESS.


How can this vulnerability impact me? :

This vulnerability can cause processes that attempt to unlink SCSI LUNs to hang indefinitely in an uninterruptible sleep state (D-state). This happens because leaked references prevent the completion of LUN unlink operations, leading to resource leaks and potential system instability.

In practical terms, this means that storage devices managed by the affected driver may not be properly removed or reset, potentially causing system hangs or degraded performance when managing SCSI targets.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes the configfs LUN unlink operation to hang indefinitely in a D-state, which can be detected by observing blocked tasks related to LUN removal.

You can look for system logs or kernel messages indicating tasks blocked for extended periods, such as messages showing a process stuck in D-state with call traces involving transport_clear_lun_ref, core_tpg_remove_lun, or configfs_unlink.

Specific commands to detect this condition include:

  • Check for blocked tasks in D-state using: ps aux | grep ' D '
  • Examine kernel logs for hung tasks or call traces: dmesg | grep -i 'blocked' or dmesg | grep -i 'transport_clear_lun_ref'
  • Use system monitoring tools like top or htop to identify processes stuck in uninterruptible sleep (D-state).

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by ensuring that the tcm_loop_target_reset() function properly drains all in-flight SCSI commands before returning success.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability.
  • If updating is not immediately possible, avoid using the tcm_loop target driver or disable it if feasible.
  • Monitor for symptoms such as hung configfs LUN unlink operations and blocked tasks in D-state, and restart affected services or the system if necessary.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart