In the Linux kernel, the following vulnerability has been resolved:
scsi: target: Fix recursive locking in __configfs_open_file()
In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This function called filp_open(), following which these functions were called (in reverse order), according to the call trace:
    down_read
    __configfs_open_file
    do_dentry_open
    vfs_open
    do_open
    path_openat
    do_filp_open
    file_open_name
    filp_open
    target_core_item_dbroot_store
    flush_write_buffer
    configfs_write_iter
target_core_item_dbroot_store() tries to validate the new file path by trying to open the file path provided to it; however, in this case, the bug report shows:
db_root: not a directory: /sys/kernel/config/target/dbroot
indicating that an attempt was made to open the same configfs file that it is currently working on. Thus, it is trying to acquire the frag_sem semaphore of the same file whose semaphore it already holds, obtained in flush_write_buffer(), leading to acquiring the semaphore in a nested manner and a possibility of recursive locking.
Fix this by modifying target_core_item_dbroot_store() to use kern_path() instead of filp_open() to avoid opening the file using the filesystem-specific function __configfs_open_file(), and further modifying it to make this fix compatible.
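The locking pattern described above, as an added user-space model (not kernel code and not the upstream patch). Every model_* name is hypothetical, /var/target is a constructed sample directory, and frag_sem is simplified to a per-file reader count.

```c
#include <errno.h>
#include <string.h>

/* Constructed user-space model; every model_* name is hypothetical. */
struct model_file {
    const char *path;
    int is_dir, frag_sem_readers;   /* reader count stands in for frag_sem */
};
static struct model_file model_tree[] = {
    { "/sys/kernel/config/target/dbroot", 0, 0 },  /* the configfs attribute */
    { "/var/target", 1, 0 },                       /* constructed directory */
};
static int model_recursion_seen;

static struct model_file *model_lookup(const char *path)
{
    for (size_t i = 0; i < sizeof(model_tree) / sizeof(model_tree[0]); i++)
        if (strcmp(model_tree[i].path, path) == 0)
            return &model_tree[i];
    return NULL;
}

static void model_down_read(struct model_file *f)
{
    if (f->frag_sem_readers++ > 0)   /* already held: recursive acquisition */
        model_recursion_seen = 1;
}

/* via_open=1 runs the open hook (takes frag_sem); via_open=0 only resolves. */
static int model_validate(const char *new_root, int via_open)
{
    struct model_file *f = model_lookup(new_root);
    if (!f)
        return -ENOENT;
    if (via_open) {
        model_down_read(f);          /* open hook on the target file */
        f->frag_sem_readers--;
    }
    return f->is_dir ? 0 : -ENOTDIR;
}

/* Write path: hold the attribute's frag_sem, then call the store handler. */
int model_store(const char *new_root, int via_open, int *recursed)
{
    struct model_file *self = &model_tree[0];
    model_recursion_seen = 0;
    model_down_read(self);
    int ret = model_validate(new_root, via_open);
    self->frag_sem_readers--;
    *recursed = model_recursion_seen;
    return ret;
}
```

Both validation styles reject the attribute's own path as not a directory; only the open-based one takes the already-held lock a second time.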
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23292.json"
}