| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260115032012.yb5ylmumcirrmsbr@inspiron>
Date: Thu, 15 Jan 2026 08:50:12 +0530
From: Prithvi <activprithvi@...il.com>
To: martin.petersen@...cle.com
Cc: linux-scsi@...r.kernel.org, target-devel@...r.kernel.org,
linux-kernel@...r.kernel.org, hch@....de, jlbec@...lplan.org,
linux-fsdevel@...r.kernel.org, linux-kernel-mentees@...ts.linux.dev,
skhan@...uxfoundation.org, david.hunter.linux@...il.com,
khalid@...nel.org,
syzbot+f6e8174215573a84b797@...kaller.appspotmail.com,
stable@...r.kernel.org
Subject: Re: [PATCH] scsi: target: Fix recursive locking in
__configfs_open_file()
On Fri, Jan 09, 2026 at 12:45:23AM +0530, Prithvi Tambewagh wrote:
> In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
> function is called, which, here, is target_core_item_dbroot_store().
> This function called filp_open(), following which these functions were
> called (in reverse order), according to the call trace:
>
> down_read
> __configfs_open_file
> do_dentry_open
> vfs_open
> do_open
> path_openat
> do_filp_open
> file_open_name
> filp_open
> target_core_item_dbroot_store
> flush_write_buffer
> configfs_write_iter
>
> Hence ultimately, __configfs_open_file() was called, indirectly by
> target_core_item_dbroot_store(), and it also attempted to acquire
> &p->frag_sem, which was already held by the same thread, acquired earlier
> in flush_write_buffer. This poses a possibility of recursive locking,
> which triggers the lockdep warning.
>
> Fix this by modifying target_core_item_dbroot_store() to use kern_path()
> instead of filp_open() to avoid opening the file using filesystem-specific
> function __configfs_open_file(), and further modifying it to make this
> fix compatible.
>
> Reported-by: syzbot+f6e8174215573a84b797@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=f6e8174215573a84b797
> Tested-by: syzbot+f6e8174215573a84b797@...kaller.appspotmail.com
> Cc: stable@...r.kernel.org
> Signed-off-by: Prithvi Tambewagh <activprithvi@...il.com>
> ---
> drivers/target/target_core_configfs.c | 13 +++++++------
> 1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
> index b19acd662726..f29052e6a87d 100644
> --- a/drivers/target/target_core_configfs.c
> +++ b/drivers/target/target_core_configfs.c
> @@ -108,8 +108,8 @@ static ssize_t target_core_item_dbroot_store(struct config_item *item,
> const char *page, size_t count)
> {
> ssize_t read_bytes;
> - struct file *fp;
> ssize_t r = -EINVAL;
> + struct path path = {};
>
> mutex_lock(&target_devices_lock);
> if (target_devices) {
> @@ -131,17 +131,18 @@ static ssize_t target_core_item_dbroot_store(struct config_item *item,
> db_root_stage[read_bytes - 1] = '\0';
>
> /* validate new db root before accepting it */
> - fp = filp_open(db_root_stage, O_RDONLY, 0);
> - if (IS_ERR(fp)) {
> + r = kern_path(db_root_stage, LOOKUP_FOLLOW, &path);
> + if (r) {
> pr_err("db_root: cannot open: %s\n", db_root_stage);
> goto unlock;
> }
> - if (!S_ISDIR(file_inode(fp)->i_mode)) {
> - filp_close(fp, NULL);
> + if (!d_is_dir(path.dentry)) {
> + path_put(&path);
> pr_err("db_root: not a directory: %s\n", db_root_stage);
> + r = -ENOTDIR;
> goto unlock;
> }
> - filp_close(fp, NULL);
> + path_put(&path);
>
> strscpy(db_root, db_root_stage);
> pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
>
> base-commit: 3a8660878839faadb4f1a6dd72c3179c1df56787
> --
> 2.34.1
>
Hello all,
Just a gentle ping on this thread.
Thanks,
Prithvi
Powered by blists - more mailing lists