quota: Fix race of dquot_scan_active() with quota deactivation_CVE-2026-53050

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

quota: Fix race of dquot_scan_active() with quota deactivation

dquot_scan_active() can race with quota deactivation in
quota_release_workfn() like:

CPU0 (quota_release_workfn) CPU1 (dquot_scan_active)
============================== ==============================
spin_lock(&dq_list_lock);
list_replace_init(
&releasing_dquots, &rls_head);
/* dquot X on rls_head,
dq_count == 0,
DQ_ACTIVE_B still set */
spin_unlock(&dq_list_lock);
synchronize_srcu(&dquot_srcu);
spin_lock(&dq_list_lock);
list_for_each_entry(dquot,
&inuse_list, dq_inuse) {
/* finds dquot X */
dquot_active(X) -> true
atomic_inc(&X->dq_count);
}
spin_unlock(&dq_list_lock);
spin_lock(&dq_list_lock);
dquot = list_first_entry(&rls_head);
WARN_ON_ONCE(atomic_read(&dquot->dq_count));

The problem is not only a cosmetic one as under memory pressure the
caller of dquot_scan_active() can end up working on freed dquot.

Fix the problem by making sure the dquot is removed from releasing list
when we acquire a reference to it.

Basic Information

ID CVE-2026-53050

Source Linux

Published Jun 24, 2026 at 16:29

Modified Jun 28, 2026 at 06:38

Affected Product

Vendor Linux

Product Linux

Version 22c06bf1f99ec3ec16b1a81342becba4c59a1f16

Affected Versions Linux Linux 22c06bf1f99ec3ec16b1a81342becba4c59a1f16
Linux Linux 56e96b38d2f7cd95b3c30eb70decac7233915e0a
Linux Linux 12a820a9923c11e8e898da9f82c8aded70cdcd16
Linux Linux 869b6ea1609f655a43251bf41757aa44e5350a8f
Linux Linux 869b6ea1609f655a43251bf41757aa44e5350a8f
Linux Linux 869b6ea1609f655a43251bf41757aa44e5350a8f
Linux Linux 869b6ea1609f655a43251bf41757aa44e5350a8f
Linux Linux 869b6ea1609f655a43251bf41757aa44e5350a8f
Linux Linux bb7e3a019b52d829949d02b64ebab37838148fbf
Linux Linux 061a18239ced5eb086967a2b4451cb1cc5ce0702
Linux Linux 2a1ddddba6541143c8f73962f3021f1789114284
Linux Linux 5.10.199
Linux Linux 5.15.136
Linux Linux 6.1.59
Linux Linux 4.19.297
Linux Linux 5.4.259
Linux Linux 6.5.8
Linux Linux 6.6

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: Fix race of dquot_scan_active() with quota deactivation\n\ndquot_scan_active() can race with quota deactivation in\nquota_release_workfn() like:\n\n  CPU0 (quota_release_workfn)         CPU1 (dquot_scan_active)\n  ==============================      ==============================\n  spin_lock(&dq_list_lock);\n  list_replace_init(\n    &releasing_dquots, &rls_head);\n    /* dquot X on rls_head,\n       dq_count == 0,\n       DQ_ACTIVE_B still set */\n  spin_unlock(&dq_list_lock);\n  synchronize_srcu(&dquot_srcu);\n                                      spin_lock(&dq_list_lock);\n                                      list_for_each_entry(dquot,\n                                          &inuse_list, dq_inuse) {\n                                        /* finds dquot X */\n                                        dquot_active(X) -> true\n                                        atomic_inc(&X->dq_count);\n                                      }\n                                      spin_unlock(&dq_list_lock);\n  spin_lock(&dq_list_lock);\n  dquot = list_first_entry(&rls_head);\n  WARN_ON_ONCE(atomic_read(&dquot->dq_count));\n\nThe problem is not only a cosmetic one as under memory pressure the\ncaller of dquot_scan_active() can end up working on freed dquot.\n\nFix the problem by making sure the dquot is removed from releasing list\nwhen we acquire a reference to it.",
    "published": "2026-06-24T16:29:56.043Z",
    "modified": "2026-06-28T06:38:37.088Z",
    "type": "cve",
    "title": "quota: Fix race of dquot_scan_active() with quota deactivation",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/2bdc80f4619411e5bd4a3ef23f51e14021ed457c\nhttps://git.kernel.org/stable/c/f9438cb8c8ec3adc84b2b450a3aab0123d074c3b\nhttps://git.kernel.org/stable/c/ac8a2e0d287ebf35e5d7e51e260b4e146648ba4a\nhttps://git.kernel.org/stable/c/6678dde265708003c2b42551af4a2e3cb05decd5\nhttps://git.kernel.org/stable/c/61e25f664dc2a08299e07d84c85776abc2350f75\nhttps://git.kernel.org/stable/c/fdd424d7c35633ac577fd87d1b043d1b8a6cd350\nhttps://git.kernel.org/stable/c/82cbdb4c1ebb5ea7d7bd45c18d3483b5bd32ebc1\nhttps://git.kernel.org/stable/c/e93ab401da4b2e2c1b8ef2424de2f238d51c8b2d",
    "id": "CVE-2026-53050",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 22c06bf1f99ec3ec16b1a81342becba4c59a1f16\nLinux Linux 56e96b38d2f7cd95b3c30eb70decac7233915e0a\nLinux Linux 12a820a9923c11e8e898da9f82c8aded70cdcd16\nLinux Linux 869b6ea1609f655a43251bf41757aa44e5350a8f\nLinux Linux 869b6ea1609f655a43251bf41757aa44e5350a8f\nLinux Linux 869b6ea1609f655a43251bf41757aa44e5350a8f\nLinux Linux 869b6ea1609f655a43251bf41757aa44e5350a8f\nLinux Linux 869b6ea1609f655a43251bf41757aa44e5350a8f\nLinux Linux bb7e3a019b52d829949d02b64ebab37838148fbf\nLinux Linux 061a18239ced5eb086967a2b4451cb1cc5ce0702\nLinux Linux 2a1ddddba6541143c8f73962f3021f1789114284\nLinux Linux 5.10.199\nLinux Linux 5.15.136\nLinux Linux 6.1.59\nLinux Linux 4.19.297\nLinux Linux 5.4.259\nLinux Linux 6.5.8\nLinux Linux 6.6",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "22c06bf1f99ec3ec16b1a81342becba4c59a1f16",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply