From: Dmitry Bogdanov <d.bogdanov@yadro.com>
To: Prithvi <activprithvi@gmail.com>
Cc: <martin.petersen@oracle.com>, <linux-scsi@vger.kernel.org>,
	<target-devel@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<hch@lst.de>, <jlbec@evilplan.org>,
	<linux-fsdevel@vger.kernel.org>,
	<linux-kernel-mentees@lists.linux.dev>,
	<skhan@linuxfoundation.org>, <david.hunter.linux@gmail.com>,
	<khalid@kernel.org>,
	<syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com>,
	<stable@vger.kernel.org>
Subject: Re: [PATCH] scsi: target: Fix recursive locking in __configfs_open_file()
Date: Thu, 22 Jan 2026 12:56:34 +0300
Message-ID: <20260122095634.GA15012@yadro.com>
In-Reply-To: <20260115032012.yb5ylmumcirrmsbr@inspiron>

On Thu, Jan 15, 2026 at 08:50:12AM +0530, Prithvi wrote:
> 
> On Fri, Jan 09, 2026 at 12:45:23AM +0530, Prithvi Tambewagh wrote:
> > In flush_write_buffer, &p->frag_sem is acquired and then the loaded store
> > function is called, which, here, is target_core_item_dbroot_store().
> > This function called filp_open(), following which these functions were
> > called (in reverse order), according to the call trace:
> >
> > down_read
> > __configfs_open_file
> > do_dentry_open
> > vfs_open
> > do_open
> > path_openat
> > do_filp_open
> > file_open_name
> > filp_open
> > target_core_item_dbroot_store
> > flush_write_buffer
> > configfs_write_iter
> >
> > Hence ultimately, __configfs_open_file() was called, indirectly by
> > target_core_item_dbroot_store(), and it also attempted to acquire
> > &p->frag_sem, which was already held by the same thread, acquired earlier
> > in flush_write_buffer. This poses a possibility of recursive locking,
> > which triggers the lockdep warning.
> >
> > Fix this by modifying target_core_item_dbroot_store() to use kern_path()
> > instead of filp_open() to avoid opening the file using filesystem-specific
> > function __configfs_open_file(), and further modifying it to make this
> > fix compatible.
> >
> > Reported-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=f6e8174215573a84b797
> > Tested-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
> > ---
> >  drivers/target/target_core_configfs.c | 13 +++++++------
> >  1 file changed, 7 insertions(+), 6 deletions(-)
> >
> > diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
> > index b19acd662726..f29052e6a87d 100644
> > --- a/drivers/target/target_core_configfs.c
> > +++ b/drivers/target/target_core_configfs.c
> > @@ -108,8 +108,8 @@ static ssize_t target_core_item_dbroot_store(struct config_item *item,
> >                                       const char *page, size_t count)
> >  {
> >       ssize_t read_bytes;
> > -     struct file *fp;
> >       ssize_t r = -EINVAL;
> > +     struct path path = {};
> >
> >       mutex_lock(&target_devices_lock);
> >       if (target_devices) {
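
Review bot: The empty initializer on "struct path path = {};" looks unnecessary as far as this patch shows: the only uses of path are in the second hunk, after kern_path() has returned 0 and filled it in. A plain "struct path path;" would be enough, or say in the commit message why the zeroing is wanted.
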
> > @@ -131,17 +131,18 @@ static ssize_t target_core_item_dbroot_store(struct config_item *item,
> >               db_root_stage[read_bytes - 1] = '\0';
> >
> >       /* validate new db root before accepting it */
> > -     fp = filp_open(db_root_stage, O_RDONLY, 0);
> > -     if (IS_ERR(fp)) {
> > +     r = kern_path(db_root_stage, LOOKUP_FOLLOW, &path);
> > +     if (r) {
> >               pr_err("db_root: cannot open: %s\n", db_root_stage);
> >               goto unlock;
> >       }
> > -     if (!S_ISDIR(file_inode(fp)->i_mode)) {
> > -             filp_close(fp, NULL);
> > +     if (!d_is_dir(path.dentry)) {
> > +             path_put(&path);
> >               pr_err("db_root: not a directory: %s\n", db_root_stage);
> > +             r = -ENOTDIR;
> >               goto unlock;
> >       }
> > -     filp_close(fp, NULL);
> > +     path_put(&path);
> >
> >       strscpy(db_root, db_root_stage);
> >       pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root);
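
Review bot: The error code returned to user space changes in both failure branches of this hunk, and the commit message does not mention it. With r initialised to -EINVAL, the removed filp_open() branches jumped to unlock without assigning r in the lines shown; now a failed lookup returns whatever kern_path() returned and the non-directory case returns -ENOTDIR. Either document that change or keep the previous value. Also, kern_path() only resolves the name and opens nothing, so the "db_root: cannot open" message no longer describes the failure, and the read-open that filp_open(..., O_RDONLY, 0) performed is no longer part of the validation; the message should be reworded and the commit message should say that dropping the open is intended.
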
> >
> > base-commit: 3a8660878839faadb4f1a6dd72c3179c1df56787
> > --
> > 2.34.1
> >

You missed the very significant thing in the commit message - that this
lockdep warning is due to trying to write its own filename to dbroot file:

	db_root: not a directory: /sys/kernel/config/target/dbroot

That is why the semaphore is the same - it is of the same file.

Without that explanation nobody understands whether it is a false positive or not.

The fix itself looks good.

Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com> 
