Linux Kernel ConfigFS Recursive Locking Vulnerability in SCSI Target Component

Vulnerability

A vulnerability has been identified in the Linux kernel's SCSI target component, in the handling of its ConfigFS attribute files. The 'target_core_item_dbroot_store' function validates the path written to it by opening that path through a chain of calls that ends in 'filp_open'. The store function is invoked from 'flush_write_buffer', which already holds a semaphore for the ConfigFS file being written. When the open reaches that same ConfigFS file, the same semaphore is acquired again by the same task: a recursive locking scenario in which the semaphore is held multiple times, which can hang the system.

Impact

The vulnerability can lead to a deadlock, where the system becomes unresponsive because the recursive locking of the semaphore creates a circular wait.

Reproduction

To reproduce this vulnerability, write a store function that opens a ConfigFS file path using 'filp_open', and ensure that it is called after 'flush_write_buffer' has acquired the 'frag_sem' semaphore. The overlapping access to the same ConfigFS file creates the recursive locking situation. This can be reproduced manually or potentially automated with a fuzzer such as syzkaller.
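As an added illustration, not code from the kernel or from this advisory, the following user-space C model reproduces the lock pattern described in the Vulnerability and Reproduction sections: a strictly non-reentrant lock with an owner field stands in for 'frag_sem', the store handler validates the written path by opening it, and the model returns a failure where the real task would hang. The attribute path and task id are constructed for the example.

```c
/* User-space model of the recursive-locking pattern (added example, not
 * kernel code). A non-reentrant lock with an owner field stands in for
 * the ConfigFS frag_sem; the model reports a self-deadlock instead of
 * hanging. Path names and task ids below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NO_TASK 0

typedef struct {
    const char *path;  /* ConfigFS attribute guarded by this semaphore */
    int holder;        /* task id holding it, NO_TASK when free */
} frag_sem_t;

/* Acquire, or return false where a real task would block forever:
 * either another task holds the lock, or the caller itself already
 * does (holder == task is the recursive case the advisory describes). */
static bool down_checked(frag_sem_t *sem, int task)
{
    if (sem->holder != NO_TASK)
        return false;
    sem->holder = task;
    return true;
}

static void up(frag_sem_t *sem) { sem->holder = NO_TASK; }

/* Stand-in for filp_open(): opening a ConfigFS attribute takes that
 * attribute's frag_sem; any other path takes no ConfigFS lock. */
static bool open_path(frag_sem_t *files, size_t n, const char *path, int task)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(files[i].path, path) != 0)
            continue;
        if (!down_checked(&files[i], task))
            return false;      /* would deadlock on its own lock */
        up(&files[i]);
        return true;
    }
    return true;
}

/* flush_write_buffer() takes the written file's frag_sem and then calls
 * the store handler, which validates the written path by opening it.
 * Returns false when that open re-enters a lock this task already holds. */
static bool write_dbroot(frag_sem_t *self, frag_sem_t *files, size_t n,
                         const char *written, int task)
{
    if (!down_checked(self, task))
        return false;
    bool ok = open_path(files, n, written, task);
    up(self);
    return ok;
}
```

Writing an ordinary directory path succeeds, while writing the path of the attribute file itself is reported as a recursive acquisition, which is the condition a kernel with lockdep enabled would flag.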

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to a kernel version in which this issue has been addressed.

Added: Mar 25, 2026, 1:19 PM
Updated: Mar 25, 2026, 1:19 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 4.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.