CVE-2026-23292

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/03/2026
Last modified:
25/03/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: Fix recursive locking in __configfs_open_file()

In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
function is called, which, here, is target_core_item_dbroot_store(). This
function called filp_open(), following which these functions were called
(in reverse order), according to the call trace:

    down_read
    __configfs_open_file
    do_dentry_open
    vfs_open
    do_open
    path_openat
    do_filp_open
    file_open_name
    filp_open
    target_core_item_dbroot_store
    flush_write_buffer
    configfs_write_iter

target_core_item_dbroot_store() tries to validate the new file path by
trying to open the file path provided to it; however, in this case, the bug
report shows:

    db_root: not a directory: /sys/kernel/config/target/dbroot

indicating that the same configfs file was tried to be opened, on which it
is currently working on. Thus, it is trying to acquire frag_sem semaphore
of the same file of which it already holds the semaphore obtained in
flush_write_buffer(), leading to acquiring the semaphore in a nested manner
and a possibility of recursive locking.

Fix this by modifying target_core_item_dbroot_store() to use kern_path()
instead of filp_open() to avoid opening the file using filesystem-specific
function __configfs_open_file(), and further modifying it to make this fix
compatible.
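
Added example, not kernel code and not part of the advisory: a simplified user-space model of the lock sequence described above, showing why a nested read acquisition of the same semaphore can block forever when a writer is queued in between, and why a lookup-only check avoids it. The struct and function names, the string comparison standing in for path resolution, and the concurrent writer are all assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of a fair reader/writer semaphore (stand-in
 * for frag_sem): once a writer is waiting, new readers queue behind it. */
struct rwsem_model { int readers; int writer_waiting; };

/* Returns 1 if the read lock is taken, 0 if the caller would block. */
static int try_down_read(struct rwsem_model *s)
{
    if (s->writer_waiting)
        return 0;
    s->readers++;
    return 1;
}

static void up_read(struct rwsem_model *s) { s->readers--; }

/* A writer arriving while readers hold the lock has to wait for them. */
static void writer_arrives(struct rwsem_model *s)
{
    if (s->readers > 0)
        s->writer_waiting = 1;
}

/* Models one write to a configfs attribute. validate_opens_file=1 is the
 * filp_open()-style check, 0 the kern_path()-style lookup. Returns 1 if the
 * write completes, 0 if the task blocks on a lock it already holds. */
static int store_completes(const char *attr, const char *value,
                           int validate_opens_file, int writer_queued)
{
    struct rwsem_model frag_sem = { 0, 0 };

    try_down_read(&frag_sem);              /* flush_write_buffer() */
    if (writer_queued)
        writer_arrives(&frag_sem);         /* assumed concurrent writer */
    /* Opening a path on configfs runs its open handler: second down_read.
     * strcmp() stands in for "the path resolves to this same file". */
    if (validate_opens_file && strcmp(attr, value) == 0) {
        if (!try_down_read(&frag_sem))
            return 0;          /* reader waits on writer, writer on reader */
        up_read(&frag_sem);
    }
    up_read(&frag_sem);
    return 1;
}

int main(void)
{
    const char *dbroot = "/sys/kernel/config/target/dbroot";
    printf("open, self, writer queued: %d\n", store_completes(dbroot, dbroot, 1, 1));
    printf("lookup, self, writer:      %d\n", store_completes(dbroot, dbroot, 0, 1));
    return 0;
}
```

Without a queued writer the nested read succeeds in this model, which is why such a path can go unnoticed until lock debugging reports it.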

Impact