In the Linux kernel, the following vulnerability has been resolved:

quota: Fix race of dquot_scan_active() with quota deactivation

dquot_scan_active() can race with quota deactivation in
quota_release_workfn() like:

CPU0 (quota_release_workfn) CPU1 (dquot_scan_active)
============================== ==============================
spin_lock(&dq_list_lock);
list_replace_init(
&releasing_dquots, &rls_head);
/* dquot X on rls_head,
dq_count == 0,
DQ_ACTIVE_B still set */
spin_unlock(&dq_list_lock);
synchronize_srcu(&dquot_srcu);
spin_lock(&dq_list_lock);
list_for_each_entry(dquot,
&inuse_list, dq_inuse) {
/* finds dquot X */
dquot_active(X) -> true
atomic_inc(&X->dq_count);
}
spin_unlock(&dq_list_lock);
spin_lock(&dq_list_lock);
dquot = list_first_entry(&rls_head);
WARN_ON_ONCE(atomic_read(&dquot->dq_count));

The problem is not only a cosmetic one as under memory pressure the
caller of dquot_scan_active() can end up working on freed dquot.

Fix the problem by making sure the dquot is removed from releasing list
when we acquire a reference to it.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
22c06bf1f99ec3ec16b1a81342becba4c59a1f16 affected < 2bdc80f4619411e5bd4a3ef23f51e14021ed457c
56e96b38d2f7cd95b3c30eb70decac7233915e0a affected < f9438cb8c8ec3adc84b2b450a3aab0123d074c3b
12a820a9923c11e8e898da9f82c8aded70cdcd16 affected < ac8a2e0d287ebf35e5d7e51e260b4e146648ba4a
869b6ea1609f655a43251bf41757aa44e5350a8f affected < 6678dde265708003c2b42551af4a2e3cb05decd5
869b6ea1609f655a43251bf41757aa44e5350a8f affected < 61e25f664dc2a08299e07d84c85776abc2350f75
869b6ea1609f655a43251bf41757aa44e5350a8f affected < fdd424d7c35633ac577fd87d1b043d1b8a6cd350
869b6ea1609f655a43251bf41757aa44e5350a8f affected < 82cbdb4c1ebb5ea7d7bd45c18d3483b5bd32ebc1
869b6ea1609f655a43251bf41757aa44e5350a8f affected < e93ab401da4b2e2c1b8ef2424de2f238d51c8b2d
bb7e3a019b52d829949d02b64ebab37838148fbf affected
061a18239ced5eb086967a2b4451cb1cc5ce0702 affected
2a1ddddba6541143c8f73962f3021f1789114284 affected
5.10.199 affected < 5.10.258
5.15.136 affected < 5.15.209
6.1.59 affected < 6.1.175
4.19.297 affected < 4.20
5.4.259 affected < 5.5
6.5.8 affected < 6.6
Linux Linux affected
Version Status Constraints
6.6 affected
0 unaffected < 6.6
5.10.258 unaffected ≤ 5.10.*
5.15.209 unaffected ≤ 5.15.*
6.1.175 unaffected ≤ 6.1.*
6.6.141 unaffected ≤ 6.6.*
6.12.91 unaffected ≤ 6.12.*
6.18.33 unaffected ≤ 6.18.*
7.0.10 unaffected ≤ 7.0.*
7.1 unaffected ≤ *

No data.

No data.

No data.

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/2bdc80f4619411e5bd4a3ef23f51e14021ed457c cve-icon
https://git.kernel.org/stable/c/61e25f664dc2a08299e07d84c85776abc2350f75 cve-icon
https://git.kernel.org/stable/c/6678dde265708003c2b42551af4a2e3cb05decd5 cve-icon
https://git.kernel.org/stable/c/82cbdb4c1ebb5ea7d7bd45c18d3483b5bd32ebc1 cve-icon
https://git.kernel.org/stable/c/ac8a2e0d287ebf35e5d7e51e260b4e146648ba4a cve-icon
https://git.kernel.org/stable/c/e93ab401da4b2e2c1b8ef2424de2f238d51c8b2d cve-icon
https://git.kernel.org/stable/c/f9438cb8c8ec3adc84b2b450a3aab0123d074c3b cve-icon
https://git.kernel.org/stable/c/fdd424d7c35633ac577fd87d1b043d1b8a6cd350 cve-icon
History

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: quota: Fix race of dquot_scan_active() with quota deactivation dquot_scan_active() can race with quota deactivation in quota_release_workfn() like: CPU0 (quota_release_workfn) CPU1 (dquot_scan_active) ============================== ============================== spin_lock(&dq_list_lock); list_replace_init( &releasing_dquots, &rls_head); /* dquot X on rls_head, dq_count == 0, DQ_ACTIVE_B still set */ spin_unlock(&dq_list_lock); synchronize_srcu(&dquot_srcu); spin_lock(&dq_list_lock); list_for_each_entry(dquot, &inuse_list, dq_inuse) { /* finds dquot X */ dquot_active(X) -> true atomic_inc(&X->dq_count); } spin_unlock(&dq_list_lock); spin_lock(&dq_list_lock); dquot = list_first_entry(&rls_head); WARN_ON_ONCE(atomic_read(&dquot->dq_count)); The problem is not only a cosmetic one as under memory pressure the caller of dquot_scan_active() can end up working on freed dquot. Fix the problem by making sure the dquot is removed from releasing list when we acquire a reference to it.
Title quota: Fix race of dquot_scan_active() with quota deactivation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:56.043Z

Reserved: 2026-06-09T07:44:35.381Z

Link: CVE-2026-53050

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.