PT-2026-27657 · Linux · Linux
Published 2026-03-25 · Updated 2026-03-25 · CVE-2026-23292
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: Fix recursive locking in configfs_open_file()

In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
function is called, which, here, is target_core_item_dbroot_store(). This
function called filp_open(), following which these functions were called
(in reverse order), according to the call trace:

    down_read
    configfs_open_file
    do_dentry_open
    vfs_open
    do_open
    path_openat
    do_filp_open
    file_open_name
    filp_open
    target_core_item_dbroot_store
    flush_write_buffer
    configfs_write_iter

target_core_item_dbroot_store() tries to validate the new file path by
trying to open the file path provided to it; however, in this case, the bug
report shows:

    db_root: not a directory: /sys/kernel/config/target/dbroot

indicating that it tried to open the same configfs file that it is
currently working on. Thus, it is trying to acquire the frag_sem semaphore
of the same file of which it already holds the semaphore obtained in
flush_write_buffer(), leading to acquiring the semaphore in a nested manner
and a possibility of recursive locking.

Fix this by modifying target_core_item_dbroot_store() to use kern_path()
instead of filp_open() to avoid opening the file using the filesystem-specific
function configfs_open_file(), and further modifying it to make this fix
compatible.
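
The locking pattern described above, as an added userspace model (not kernel code and not part of the original fix). Names ending in _model, the validate_by_* helpers, the return codes and the /var/target sample path are constructed for illustration; only the open-based check takes the attribute's frag_sem a second time.

```c
/* Constructed userspace model of the described pattern; not kernel code. */
#include <stdio.h>
#include <string.h>

#define DBROOT "/sys/kernel/config/target/dbroot"
enum { OK = 0, NO_SUCH = -1, NOT_DIR = -2 };       /* model-only return codes */
struct node { const char *path; int is_dir, configfs, frag_sem_held; };
static struct node tree[] = {                      /* constructed sample namespace */
    { DBROOT,        0, 1, 0 },                    /* the configfs attribute itself */
    { "/var/target", 1, 0, 0 },                    /* an ordinary directory */
};
static int recursion_seen;                         /* set when a held frag_sem is retaken */

static struct node *lookup_model(const char *path) {   /* path walk: takes no frag_sem */
    for (size_t i = 0; i < sizeof tree / sizeof tree[0]; i++)
        if (strcmp(tree[i].path, path) == 0) return &tree[i];
    return NULL;
}
static void down_read_model(struct node *n) {
    if (n->frag_sem_held++ > 0) recursion_seen = 1;    /* nested hold by the same task */
}
/* filp_open()-style check: opening a configfs file runs its open handler. */
static int validate_by_open(const char *path) {
    struct node *n = lookup_model(path);
    if (!n) return NO_SUCH;
    if (n->configfs) { down_read_model(n); n->frag_sem_held--; }
    return n->is_dir ? OK : NOT_DIR;
}
/* kern_path()-style check: resolve and inspect only, no open handler. */
static int validate_by_lookup(const char *path) {
    struct node *n = lookup_model(path);
    return !n ? NO_SUCH : n->is_dir ? OK : NOT_DIR;
}
/* flush_write_buffer() model: hold the attribute's frag_sem around its store. */
static int write_attr_model(const char *value, int (*validate)(const char *)) {
    struct node *attr = lookup_model(DBROOT);
    recursion_seen = 0;
    down_read_model(attr);
    int rc = validate(value);
    attr->frag_sem_held--;
    return rc;
}
int main(void) {
    int rc = write_attr_model(DBROOT, validate_by_open);
    printf("open:   rc=%d recursion=%d\n", rc, recursion_seen);
    rc = write_attr_model(DBROOT, validate_by_lookup);
    printf("lookup: rc=%d recursion=%d\n", rc, recursion_seen);
    return 0;
}
```

Both checks reject the attribute's own path as not a directory; the difference is whether frag_sem is taken again while already held.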
Affected Products
Linux