CVE-2024-26845

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: target: core: Add TMF to tmr_list handling<br /> <br /> An abort that is responded to by iSCSI itself is added to tmr_list but does<br /> not go to target core. A LUN_RESET that goes through tmr_list takes a<br /> refcounter on the abort and waits for completion. However, the abort will<br /> be never complete because it was not started in target core.<br /> <br /> Unable to locate ITT: 0x05000000 on CID: 0<br /> Unable to locate RefTaskTag: 0x05000000 on CID: 0.<br /> wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop<br /> wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop<br /> ...<br /> INFO: task kworker/0:2:49 blocked for more than 491 seconds.<br /> task:kworker/0:2 state:D stack: 0 pid: 49 ppid: 2 flags:0x00000800<br /> Workqueue: events target_tmr_work [target_core_mod]<br /> Call Trace:<br /> __switch_to+0x2c4/0x470<br /> _schedule+0x314/0x1730<br /> schedule+0x64/0x130<br /> schedule_timeout+0x168/0x430<br /> wait_for_completion+0x140/0x270<br /> target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]<br /> core_tmr_lun_reset+0x30/0xa0 [target_core_mod]<br /> target_tmr_work+0xc8/0x1b0 [target_core_mod]<br /> process_one_work+0x2d4/0x5d0<br /> worker_thread+0x78/0x6c0<br /> <br /> To fix this, only add abort to tmr_list if it will be handled by target<br /> core.