CVE-2026-23292

Summary

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: Fix recursive locking in __configfs_open_file()

In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This function called filp_open(), following which these functions were called (in reverse order), according to the call trace:

down_read __configfs_open_file do_dentry_open vfs_open do_open path_openat do_filp_open file_open_name filp_open target_core_item_dbroot_store flush_write_buffer configfs_write_iter

target_core_item_dbroot_store() tries to validate the new file path by trying to open the file path provided to it; however, in this case, the bug report shows:

db_root: not a directory: /sys/kernel/config/target/dbroot

indicating that the same configfs file was tried to be opened, on which it is currently working on. Thus, it is trying to acquire frag_sem semaphore of the same file of which it already holds the semaphore obtained in flush_write_buffer(), leading to acquiring the semaphore in a nested manner and a possibility of recursive locking.

Fix this by modifying target_core_item_dbroot_store() to use kern_path() instead of filp_open() to avoid opening the file using filesystem-specific function __configfs_open_file(), and further modifying it to make this fix compatible.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxb0841eefd9693827afb9888235e26ddd098f9cef < 3161ef61f121d4573cad5b57c92188dcd9b284b3affected
LinuxLinuxb0841eefd9693827afb9888235e26ddd098f9cef < e8ef82cb6443d5f3260b1b830e17f03dda4229eaaffected
LinuxLinuxb0841eefd9693827afb9888235e26ddd098f9cef < 4fcfa424a581d823cb1a9676e3eefe6ca17e453aaffected
LinuxLinuxb0841eefd9693827afb9888235e26ddd098f9cef < 9a5641024fbfd9b24fe65984ad85fea10a3ae438affected
LinuxLinuxb0841eefd9693827afb9888235e26ddd098f9cef < 142eacb50fb903a4c10dee7e67b6e79ebb36a582affected
LinuxLinuxb0841eefd9693827afb9888235e26ddd098f9cef < 14d4ac19d1895397532eec407433c5d74d9da53baffected
LinuxLinux49824b5c875087a52672b0c8e8ecbefe6f773532affected
LinuxLinux09e21253d17f53bdb5aac0e0dbd057a29fcbe8d1affected
LinuxLinux0dfc45be875a378c2a3a4d6ed8e668ec8eb75073affected
LinuxLinux4.9.201 < 4.10affected
LinuxLinux4.14.154 < 4.15affected
LinuxLinux4.19.84 < 4.20affected
LinuxLinux5.3affected
LinuxLinux0 < 5.3unaffected
LinuxLinux6.1.167 <= 6.1.*unaffected
LinuxLinux6.6.130 <= 6.6.*unaffected
LinuxLinux6.12.77 <= 6.12.*unaffected
LinuxLinux6.18.17 <= 6.18.*unaffected
LinuxLinux6.19.7 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References