KernelScan.io

HIGH

quota DquotScan Race

CVE-2026-53050

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 5.8 MEDIUM


In the Linux kernel, the following vulnerability has been resolved:

quota: Fix race of dquot_scan_active() with quota deactivation

dquot_scan_active() can race with quota deactivation in quota_release_workfn() like:

    CPU0 (quota_release_workfn)              CPU1 (dquot_scan_active)
    ==============================           ==============================
    spin_lock(&dq_list_lock);
    list_replace_init(
      &releasing_dquots, &rls_head);
    /* dquot X on rls_head, dq_count == 0,
       DQ_ACTIVE_B still set */
    spin_unlock(&dq_list_lock);
    synchronize_srcu(&dquot_srcu);
                                             spin_lock(&dq_list_lock);
                                             list_for_each_entry(dquot,
                                                 &inuse_list, dq_inuse) {
                                               /* finds dquot X */
                                               dquot_active(X) -> true
                                               atomic_inc(&X->dq_count);
                                             }
                                             spin_unlock(&dq_list_lock);
    spin_lock(&dq_list_lock);
    dquot = list_first_entry(&rls_head);
    WARN_ON_ONCE(atomic_read(&dquot->dq_count));

The problem is not only a cosmetic one as under memory pressure the caller of dquot_scan_active() can end up working on freed dquot. Fix the problem by making sure the dquot is removed from releasing list when we acquire a reference to it.


Engine v0.3.0

Risk summary

A race condition in the Linux kernel quota subsystem allows dquot_scan_active() to acquire a reference to a dquot that is concurrently being freed during quota deactivation. Under memory pressure, this results in a use-after-free on a heap dquot object, enabling information leak (C:L) and limited memory corruption (I:L), and can cause a kernel panic/oops (A:H). Exploitation requires local access and the ability to trigger quota scan operations concurrently with quota deactivation.

Affected: fs/quota/dquot.c (quota subsystem)

Vulnerability analysis

The vulnerability is a race condition between dquot_scan_active() and quota_release_workfn(). When quota_release_workfn() moves a dquot to the releasing list with dq_count==0 but DQ_ACTIVE_B still set, it yields the CPU. During this window, dquot_scan_active() can iterate inuse_list, find the dquot (still marked active), and increment its reference count via atomic_inc(), while the deactivation path proceeds to free the dquot. The resulting use-after-free can leak kernel heap/quota information and corrupt memory; under memory pressure it reliably induces a kernel panic. The fix introduces __dqgrab(), which atomically removes a zero-ref dquot from the releasing list when acquiring a reference, preventing the free. The dqgrab() helper is also hardened. Because the exploitable primitive is a heap use-after-free (not merely the race itself), the correct CWE is CWE-416.


Branch     Fixed in    Patch commit
4.19       4.20        6678dde26570
5.10       5.10.258    2bdc80f46194
5.15       5.15.209    f9438cb8c8ec
5.4        5.5         61e25f664dc2
6.1        6.1.175     ac8a2e0d287e
6.12       6.12.91     e93ab401da4b
6.18       6.18.33
6.5        6.6         fdd424d7c356
6.6        6.6.141     82cbdb4c1ebb
7.0        7.0.10
mainline   7.1