Linux Kernel SCSI Target tcm_loop Command Drain Vulnerability in Target Reset Handler

Vulnerability

A vulnerability exists in the Linux kernel's SCSI target loopback module (tcm_loop) within the target reset handler. This issue arises because the handler improperly returns success without first draining in-flight commands, violating the SCSI error handling contract. As a result, the SCSI error handling mechanism may reuse command structures for recovery tasks while asynchronous completion work for the original commands is still pending. This oversight can lead to a leaked reference that prevents proper cleanup, causing operations to hang indefinitely. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can cause a denial of service by leaking a SCSI Logical Unit Number (LUN) reference, which interferes with the normal unlinking process of LUNs in the configfs filesystem. This disruption can leave a task blocked for an extended period, effectively causing a hang state.

Reproduction

To reproduce this vulnerability, initiate a SCSI target reset operation using the tcm_loop module. The reset handler will return success without draining any in-flight commands, creating a blockage in the LUN unlink process that can be observed as a task remaining in a D-state for an extended duration.
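A triage check for the symptom described above, added here as an example and not taken from the kernel or from this advisory: it correlates hung-task warnings in the kernel log with tasks still in D state on a host where tcm_loop is loaded. The function names and all sample inputs (process names, PIDs, timestamps) are constructed for illustration; a match narrows candidates and does not by itself confirm this bug.

```python
import re

# Warning format emitted by the kernel's hung-task detector.
HUNG_RE = re.compile(
    r"INFO: task (?P<comm>.+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")

# Constructed sample inputs (not captured from a real host).
SAMPLE_MODULES = ("tcm_loop 32768 3 - Live 0x0000000000000000\n"
                  "target_core_mod 425984 4 tcm_loop, Live 0x0000000000000000\n")
SAMPLE_DMESG = (
    "[ 1234.567890] INFO: task rm:4321 blocked for more than 122 seconds.\n"
    "[ 1300.000000] INFO: task kworker/u8:2:77 blocked for more than 122 seconds.\n")
SAMPLE_STATS = ["4321 (rm) D 4000 4321 4000 0 -1 4194304",
                "77 (kworker/u8:2) I 2 0 0 0 -1 69238880"]

def tcm_loop_loaded(proc_modules):
    """True if tcm_loop is listed as a module name in /proc/modules text."""
    return any(line.split()[:1] == ["tcm_loop"] for line in proc_modules.splitlines())

def d_state_pids(stat_lines):
    """PIDs whose /proc/<pid>/stat state field is 'D' (uninterruptible sleep)."""
    pids = []
    for line in stat_lines:
        # comm is parenthesised and may contain ')' or spaces, so the state
        # field is the first token after the last ')'.
        head, _, tail = line.rpartition(")")
        fields = tail.split()
        if head and fields and fields[0] == "D":
            pids.append(int(head.split()[0]))
    return pids

def triage(dmesg, proc_modules, stat_lines):
    """Hung-task warnings for tasks still in D state while tcm_loop is loaded."""
    if not tcm_loop_loaded(proc_modules):
        return []
    stuck = set(d_state_pids(stat_lines))
    hits = []
    for line in dmesg.splitlines():
        m = HUNG_RE.search(line)
        if m and int(m["pid"]) in stuck:
            hits.append((m["comm"], int(m["pid"]), int(m["secs"])))
    return hits

if __name__ == "__main__":
    for comm, pid, secs in triage(SAMPLE_DMESG, SAMPLE_MODULES, SAMPLE_STATS):
        print(f"{comm} (pid {pid}) blocked > {secs}s in D state, tcm_loop loaded")
```

On a live host the three inputs would come from the kernel log, `/proc/modules` and each `/proc/<pid>/stat`.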

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: May 1, 2026, 3:26 PM
Updated: May 1, 2026, 3:26 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.