CVE-2026-23292
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: Fix recursive locking in __configfs_open_file()
In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This function called filp_open(), following which these functions were called (in reverse order), according to the call trace:
down_read __configfs_open_file do_dentry_open vfs_open do_open path_openat do_filp_open file_open_name filp_open target_core_item_dbroot_store flush_write_buffer configfs_write_iter
target_core_item_dbroot_store() tries to validate the new file path by trying to open the file path provided to it; however, in this case, the bug report shows:
db_root: not a directory: /sys/kernel/config/target/dbroot
indicating that the same configfs file was tried to be opened, on which it is currently working on. Thus, it is trying to acquire frag_sem semaphore of the same file of which it already holds the semaphore obtained in flush_write_buffer(), leading to acquiring the semaphore in a nested manner and a possibility of recursive locking.
Fix this by modifying target_core_item_dbroot_store() to use kern_path() instead of filp_open() to avoid opening the file using filesystem-specific function __configfs_open_file(), and further modifying it to make this fix compatible.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | b0841eefd9693827afb9888235e26ddd098f9cef < 3161ef61f121d4573cad5b57c92188dcd9b284b3 | affected |
| Linux | Linux | b0841eefd9693827afb9888235e26ddd098f9cef < e8ef82cb6443d5f3260b1b830e17f03dda4229ea | affected |
| Linux | Linux | b0841eefd9693827afb9888235e26ddd098f9cef < 4fcfa424a581d823cb1a9676e3eefe6ca17e453a | affected |
| Linux | Linux | b0841eefd9693827afb9888235e26ddd098f9cef < 9a5641024fbfd9b24fe65984ad85fea10a3ae438 | affected |
| Linux | Linux | b0841eefd9693827afb9888235e26ddd098f9cef < 142eacb50fb903a4c10dee7e67b6e79ebb36a582 | affected |
| Linux | Linux | b0841eefd9693827afb9888235e26ddd098f9cef < 14d4ac19d1895397532eec407433c5d74d9da53b | affected |
| Linux | Linux | 49824b5c875087a52672b0c8e8ecbefe6f773532 | affected |
| Linux | Linux | 09e21253d17f53bdb5aac0e0dbd057a29fcbe8d1 | affected |
| Linux | Linux | 0dfc45be875a378c2a3a4d6ed8e668ec8eb75073 | affected |
| Linux | Linux | 4.9.201 < 4.10 | affected |
| Linux | Linux | 4.14.154 < 4.15 | affected |
| Linux | Linux | 4.19.84 < 4.20 | affected |
| Linux | Linux | 5.3 | affected |
| Linux | Linux | 0 < 5.3 | unaffected |
| Linux | Linux | 6.1.167 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.130 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.77 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.17 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.7 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/3161ef61f121d4573cad5b57c92188dcd9b284b3
- https://git.kernel.org/stable/c/e8ef82cb6443d5f3260b1b830e17f03dda4229ea
- https://git.kernel.org/stable/c/4fcfa424a581d823cb1a9676e3eefe6ca17e453a
- https://git.kernel.org/stable/c/9a5641024fbfd9b24fe65984ad85fea10a3ae438
- https://git.kernel.org/stable/c/142eacb50fb903a4c10dee7e67b6e79ebb36a582
- https://git.kernel.org/stable/c/14d4ac19d1895397532eec407433c5d74d9da53b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.