CVE-2026-43054
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Drain commands in target_reset handler tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS without draining any in-flight commands. The SCSI EH documentation (scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver has made lower layers "forget about timed out scmds" and is ready for new commands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug, mpi3mr) enforces this by draining or completing outstanding commands before returning SUCCESS. Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight scsi_cmnd structures for recovery commands (e.g. TUR) while the target core still has async completion work queued for the old se_cmd. The memset in queuecommand zeroes se_lun and lun_ref_active, causing transport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN reference prevents transport_clear_lun_ref() from completing, hanging configfs LUN unlink forever in D-state: INFO: task rm:264 blocked for more than 122 seconds. rm D 0 264 258 0x00004000 Call Trace: __schedule+0x3d0/0x8e0 schedule+0x36/0xf0 transport_clear_lun_ref+0x78/0x90 [target_core_mod] core_tpg_remove_lun+0x28/0xb0 [target_core_mod] target_fabric_port_unlink+0x50/0x60 [target_core_mod] configfs_unlink+0x156/0x1f0 [configfs] vfs_unlink+0x109/0x290 do_unlinkat+0x1d5/0x2d0 Fix this by making tcm_loop_target_reset() actually drain commands: 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that the target core knows about (those not yet CMD_T_COMPLETE). 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and flush_work() on each se_cmd — this drains any deferred completion work for commands that already had CMD_T_COMPLETE set before the TMR (which the TMR skips via __target_check_io_state()). This is the same pattern used by mpi3mr, scsi_debug, and libsas to drain outstanding commands during reset.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2026-43054 NameCVE-2026-43054 DescriptionIn the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Drain commands in target_reset handler tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS without draining any in-flight commands. The SCSI EH documentation (scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver has…
CVE-2026-43054
| Name | CVE-2026-43054 |
| Description | In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Drain commands in target_reset handler tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS without draining any in-flight commands. The SCSI EH documentation (scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver has made lower layers "forget about timed out scmds" and is ready for new commands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug, mpi3mr) enforces this by draining or completing outstanding commands before returning SUCCESS. Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight scsi_cmnd structures for recovery commands (e.g. TUR) while the target core still has async completion work queued for the old se_cmd. The memset in queuecommand zeroes se_lun and lun_ref_active, causing transport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN reference prevents transport_clear_lun_ref() from completing, hanging configfs LUN unlink forever in D-state: INFO: task rm:264 blocked for more than 122 seconds. rm D 0 264 258 0x00004000 Call Trace: __schedule+0x3d0/0x8e0 schedule+0x36/0xf0 transport_clear_lun_ref+0x78/0x90 [target_core_mod] core_tpg_remove_lun+0x28/0xb0 [target_core_mod] target_fabric_port_unlink+0x50/0x60 [target_core_mod] configfs_unlink+0x156/0x1f0 [configfs] vfs_unlink+0x109/0x290 do_unlinkat+0x1d5/0x2d0 Fix this by making tcm_loop_target_reset() actually drain commands: 1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that the target core knows about (those not yet CMD_T_COMPLETE). 2. Use blk_mq_tagset_busy_iter() to iterate all started requests and flush_work() on each se_cmd — this drains any deferred completion work for commands that already had CMD_T_COMPLETE set before the TMR (which the TMR skips via __target_check_io_state()). This is the same pattern used by mpi3mr, scsi_debug, and libsas to drain outstanding commands during reset. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-4561-1, DSA-6243-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| linux (PTS) | bullseye | 5.10.223-1 | fixed |
| bullseye (security) | 5.10.257-1 | fixed | |
| bookworm | 6.1.170-3 | fixed | |
| bookworm (security) | 6.1.172-1 | fixed | |
| trixie | 6.12.86-1 | fixed | |
| trixie (security) | 6.12.90-1 | fixed | |
| forky | 7.0.9-1 | fixed | |
| sid | 7.0.10-1 | fixed | |
| linux-6.1 (PTS) | bullseye (security) | 6.1.174-1~deb11u1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| linux | source | bullseye | (not affected) | |||
| linux | source | bookworm | 6.1.170-1 | DSA-6243-1 | ||
| linux | source | trixie | 6.12.85-1 | |||
| linux | source | (unstable) | 6.19.12-1 | |||
| linux-6.1 | source | bullseye | 6.1.170-1~deb11u1 | DLA-4561-1 |
Notes
[bullseye] - linux <not-affected> (Vulnerable code not present)
https://git.kernel.org/linus/1333eee56cdf3f0cf67c6ab4114c2c9e0a952026 (7.0-rc6)
Apply commands
[bullseye] - linux <not-affected> (Vulnerable code not present)https://git.kernel.org/linus/1333eee56cdf3f0cf67c6ab4114c2c9e0a952026 (7.0-rc6)OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 6.1.170-1 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 6.19.12-1 |
| debian | sid | fixed | 6.19.12-1 |
| debian | trixie | fixed | 6.12.85-1 |
| linux-kernel | affected | 5.15.203 | |
| linux-kernel | 7.0 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| gcp | | |
References
- https://git.kernel.org/stable/c/05ac3754467363558a0a54ae4bb7c89b2c9574cf
- https://git.kernel.org/stable/c/103f79e4949513247d763c6e7f3cbbf62017afdf
- https://git.kernel.org/stable/c/1333eee56cdf3f0cf67c6ab4114c2c9e0a952026
- https://git.kernel.org/stable/c/15f5241d5a52364a7e7867b49128b0442dbcad9d
- https://git.kernel.org/stable/c/757c43c692294cdfad31390accc0e90429b2ef8a
- https://git.kernel.org/stable/c/7cbd69aaa507b1245240a28022bf5da0f07c68d9
- https://git.kernel.org/stable/c/a836054ea81014117ec6b73529a21626a9e1f829
- https://www.suse.com/security/cve/CVE-2026-43054.html
- https://security-tracker.debian.org/tracker/CVE-2026-43054
CWEs
CWE-772
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.