CVE-2026-53050

HIGH

quota: Fix race of dquot_scan_active() with quota deactivation

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: quota: Fix race of dquot_scan_active() with quota deactivation dquot_scan_active() can race with quota deactivation in quota_release_workfn() like: CPU0 (quota_release_workfn) CPU1 (dquot_scan_active) ============================== ============================== spin_lock(&dq_list_lock); list_replace_init( &releasing_dquots, &rls_head); /* dquot X on rls_head, dq_count == 0, DQ_ACTIVE_B still set */ spin_unlock(&dq_list_lock); synchronize_srcu(&dquot_srcu); spin_lock(&dq_list_lock); list_for_each_entry(dquot, &inuse_list, dq_inuse) { /* finds dquot X */ dquot_active(X) -> true atomic_inc(&X->dq_count); } spin_unlock(&dq_list_lock); spin_lock(&dq_list_lock); dquot = list_first_entry(&rls_head); WARN_ON_ONCE(atomic_read(&dquot->dq_count)); The problem is not only a cosmetic one as under memory pressure the caller of dquot_scan_active() can end up working on freed dquot. Fix the problem by making sure the dquot is removed from releasing list when we acquire a reference to it.

Scores

CVSS v3 7.8
EPSS 0.0013
EPSS Percentile 2.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (34)
linux/Kernel < 5.10.258linux
linux/Kernel 5.11.0 - 5.15.209linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 6.13.0 - 7.0.10linux
linux/Kernel 6.2.0 - 6.6.141linux
linux/Kernel 6.6.0 - 6.12.91linux
linux/Kernel 6.7.0 - 6.18.33linux
Linux/Linux < 6.6
Linux/Linux 061a18239ced5eb086967a2b4451cb1cc5ce0702
Linux/Linux 12a820a9923c11e8e898da9f82c8aded70cdcd16 - ac8a2e0d287ebf35e5d7e51e260b4e146648ba4a
... and 24 more
Published Jun 24, 2026
Tracked Since Jun 24, 2026