CVE-2026-43054 (GCVE-0-2026-43054)

Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
scsi: target: tcm_loop: Drain commands in target_reset handler
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: tcm_loop: Drain commands in target_reset handler

tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS without draining any in-flight commands. The SCSI EH documentation (scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver has made lower layers "forget about timed out scmds" and is ready for new commands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug, mpi3mr) enforces this by draining or completing outstanding commands before returning SUCCESS.

Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight scsi_cmnd structures for recovery commands (e.g. TUR) while the target core still has async completion work queued for the old se_cmd. The memset in queuecommand zeroes se_lun and lun_ref_active, causing transport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN reference prevents transport_clear_lun_ref() from completing, hanging configfs LUN unlink forever in D-state:

  INFO: task rm:264 blocked for more than 122 seconds.
  rm              D    0   264    258 0x00004000
  Call Trace:
   __schedule+0x3d0/0x8e0
   schedule+0x36/0xf0
   transport_clear_lun_ref+0x78/0x90 [target_core_mod]
   core_tpg_remove_lun+0x28/0xb0 [target_core_mod]
   target_fabric_port_unlink+0x50/0x60 [target_core_mod]
   configfs_unlink+0x156/0x1f0 [configfs]
   vfs_unlink+0x109/0x290
   do_unlinkat+0x1d5/0x2d0

Fix this by making tcm_loop_target_reset() actually drain commands:

 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that the target core knows about (those not yet CMD_T_COMPLETE).

 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and flush_work() on each se_cmd — this drains any deferred completion work for commands that already had CMD_T_COMPLETE set before the TMR (which the TMR skips via __target_check_io_state()). This is the same pattern used by mpi3mr, scsi_debug, and libsas to drain outstanding commands during reset.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 757c43c692294cdfad31390accc0e90429b2ef8a (git)
Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 103f79e4949513247d763c6e7f3cbbf62017afdf (git)
Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 15f5241d5a52364a7e7867b49128b0442dbcad9d (git)
Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 7cbd69aaa507b1245240a28022bf5da0f07c68d9 (git)
Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < a836054ea81014117ec6b73529a21626a9e1f829 (git)
Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 05ac3754467363558a0a54ae4bb7c89b2c9574cf (git)
Affected: e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3 , < 1333eee56cdf3f0cf67c6ab4114c2c9e0a952026 (git)
    Linux Linux Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.168 , ≤ 6.1.* (semver)
Unaffected: 6.6.134 , ≤ 6.6.* (semver)
Unaffected: 6.12.81 , ≤ 6.12.* (semver)
Unaffected: 6.18.22 , ≤ 6.18.* (semver)
Unaffected: 6.19.12 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/target/loopback/tcm_loop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "757c43c692294cdfad31390accc0e90429b2ef8a",
              "status": "affected",
              "version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
              "versionType": "git"
            },
            {
              "lessThan": "103f79e4949513247d763c6e7f3cbbf62017afdf",
              "status": "affected",
              "version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
              "versionType": "git"
            },
            {
              "lessThan": "15f5241d5a52364a7e7867b49128b0442dbcad9d",
              "status": "affected",
              "version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
              "versionType": "git"
            },
            {
              "lessThan": "7cbd69aaa507b1245240a28022bf5da0f07c68d9",
              "status": "affected",
              "version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
              "versionType": "git"
            },
            {
              "lessThan": "a836054ea81014117ec6b73529a21626a9e1f829",
              "status": "affected",
              "version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
              "versionType": "git"
            },
            {
              "lessThan": "05ac3754467363558a0a54ae4bb7c89b2c9574cf",
              "status": "affected",
              "version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
              "versionType": "git"
            },
            {
              "lessThan": "1333eee56cdf3f0cf67c6ab4114c2c9e0a952026",
              "status": "affected",
              "version": "e0eb5d38b732b011cd9ed5b1bf9f59b83c2500d3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/target/loopback/tcm_loop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcm_loop: Drain commands in target_reset handler\n\ntcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS\nwithout draining any in-flight commands.  The SCSI EH documentation\n(scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver\nhas made lower layers \"forget about timed out scmds\" and is ready for new\ncommands.  Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug,\nmpi3mr) enforces this by draining or completing outstanding commands before\nreturning SUCCESS.\n\nBecause tcm_loop_target_reset() doesn\u0027t drain, the SCSI EH reuses in-flight\nscsi_cmnd structures for recovery commands (e.g. TUR) while the target core\nstill has async completion work queued for the old se_cmd.  The memset in\nqueuecommand zeroes se_lun and lun_ref_active, causing\ntransport_lun_remove_cmd() to skip its percpu_ref_put().  The leaked LUN\nreference prevents transport_clear_lun_ref() from completing, hanging\nconfigfs LUN unlink forever in D-state:\n\n  INFO: task rm:264 blocked for more than 122 seconds.\n  rm              D    0   264    258 0x00004000\n  Call Trace:\n   __schedule+0x3d0/0x8e0\n   schedule+0x36/0xf0\n   transport_clear_lun_ref+0x78/0x90 [target_core_mod]\n   core_tpg_remove_lun+0x28/0xb0 [target_core_mod]\n   target_fabric_port_unlink+0x50/0x60 [target_core_mod]\n   configfs_unlink+0x156/0x1f0 [configfs]\n   vfs_unlink+0x109/0x290\n   do_unlinkat+0x1d5/0x2d0\n\nFix this by making tcm_loop_target_reset() actually drain commands:\n\n 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that\n    the target core knows about (those not yet CMD_T_COMPLETE).\n\n 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and\n    flush_work() on each se_cmd \u2014 this drains any deferred completion work\n    for commands that already had CMD_T_COMPLETE set before the TMR (which\n    the TMR skips via __target_check_io_state()).  This is the same pattern\n    used by mpi3mr, scsi_debug, and libsas to drain outstanding commands\n    during reset."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-01T14:15:47.396Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/757c43c692294cdfad31390accc0e90429b2ef8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/103f79e4949513247d763c6e7f3cbbf62017afdf"
        },
        {
          "url": "https://git.kernel.org/stable/c/15f5241d5a52364a7e7867b49128b0442dbcad9d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cbd69aaa507b1245240a28022bf5da0f07c68d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/a836054ea81014117ec6b73529a21626a9e1f829"
        },
        {
          "url": "https://git.kernel.org/stable/c/05ac3754467363558a0a54ae4bb7c89b2c9574cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/1333eee56cdf3f0cf67c6ab4114c2c9e0a952026"
        }
      ],
      "title": "scsi: target: tcm_loop: Drain commands in target_reset handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43054",
    "datePublished": "2026-05-01T14:15:47.396Z",
    "dateReserved": "2026-05-01T14:12:55.980Z",
    "dateUpdated": "2026-05-01T14:15:47.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43054",
      "date": "2026-05-04",
      "epss": "0.00024",
      "percentile": "0.06795"
    }
  }
}

