CVE-2025-68319
Description
In the Linux kernel, the following vulnerability has been resolved:
netconsole: Acquire su_mutex before navigating configs hierarchy
There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes.
Quoting from Documentation/filesystems/configfs.rst:
> A subsystem can navigate the cg_children list and the ci_parent pointer
> to see the tree created by the subsystem. This can race with configfs'
> management of the hierarchy, so configfs uses the subsystem mutex to
> protect modifications. Whenever a subsystem wants to navigate the
> hierarchy, it must do so under the protection of the subsystem
> mutex.
Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the node's .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata()).
Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes:
- userdatum_value_store() which calls update_userdata() to iterate over cg_children
- All sysdata_*_enabled_store() functions which call count_extradata_entries() to iterate over cg_children
The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Race condition in Linux kernel netconsole allows list corruption when userdata items are added/removed concurrently during iteration.
Vulnerability
In the Linux kernel's netconsole subsystem, a race condition exists between operations that iterate over the userdata_group.cg_children list and concurrent addition or removal of userdata items through configfs. The functions update_userdata() and count_extradata_entries() traverse this list without holding the configfs subsystem mutex (su_mutex), violating the locking rules documented in Documentation/filesystems/configfs.rst [1]. Without proper synchronization, a concurrent add or remove can leave the list in an inconsistent state—for example, a node being removed via list_del_init() sets its .next pointer to itself, causing the list_for_each() loop to never terminate or to trigger a WARN_ON_ONCE in update_userdata().
Exploitation
An attacker with the ability to add or remove userdata items via configfs (typically requiring local access and appropriate privileges) can trigger this race. The attack surface is local; the attacker must time the configfs operation to coincide with a netconsole operation that iterates over the userdata list, such as writing to a userdatum_value sysfs file or toggling a sysdata_*_enabled attribute. No network access is required, and the attacker does not need to be authenticated to the netconsole subsystem beyond the ability to manipulate configfs entries.
Impact
Successful exploitation leads to a denial-of-service condition. The infinite loop caused by list corruption can hang the kernel thread performing the iteration, potentially causing a system lockup or crash. The description notes that the loop may never end or may reach a WARN_ON_ONCE, indicating a detectable but severe state. There is no evidence of privilege escalation or data leakage from this vulnerability alone.
Mitigation
The fix, merged into the Linux kernel stable branches, ensures that su_mutex is acquired before any operation that iterates over cg_children. The mutex is taken before dynamic_netconsole_mutex to avoid lock ordering issues, as configfs operations may already hold su_mutex when calling into netconsole code [2]. Users should apply the latest kernel updates from their distribution or compile a patched kernel. No workaround is available without the patch.
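The self-pointing node described above, replayed deterministically in userspace as an added example (not kernel code and not the upstream patch). The list helpers are re-implemented here; walk(), its parameters and the 3-item list are constructed for illustration, and locked only models the writer blocking on su_mutex until the reader is done.

```c
#include <stdio.h>

/* Userspace copy of the kernel's circular doubly linked list primitives. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

/* Unlink the entry, then point it at itself, as list_del_init() does. */
static void list_del_init(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = e->prev = e;
}

/*
 * Walk a constructed 3-item list the way list_for_each() does.
 * del_at >= 0 removes that item while the cursor rests on it (unlocked
 * reader racing a configfs removal). With locked set, the removal waits
 * until the walk ends. Returns nodes visited, or -1 once max_steps is
 * exceeded (the kernel loop has no such bound and would spin).
 */
int walk(int del_at, int locked, int max_steps)
{
    struct list_head head, item[3], *pos;
    int i, visited = 0;

    list_init(&head);
    for (i = 0; i < 3; i++)
        list_add_tail(&item[i], &head);
    for (pos = head.next; pos != &head; pos = pos->next) {
        if (++visited > max_steps)
            return -1;
        if (!locked && del_at >= 0 && pos == &item[del_at]) {
            list_del_init(pos);      /* racing writer runs here */
            del_at = -1;
        }
    }
    if (locked && del_at >= 0)
        list_del_init(&item[del_at]); /* writer runs after the walk */
    return visited;
}

int main(void) { printf("%d %d\n", walk(1, 0, 100), walk(1, 1, 100)); return 0; }
```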
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.