CVE-2026-53050: quota DquotScan Race

Severity: HIGH
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 5.8 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved: quota: Fix race of dquot_scan_active() with quota deactivation

dquot_scan_active() can race with quota deactivation in quota_release_workfn() like:

```
CPU0 (quota_release_workfn)                CPU1 (dquot_scan_active)
==============================             ==============================
spin_lock(&dq_list_lock);
list_replace_init(
    &releasing_dquots, &rls_head);
/* dquot X on rls_head, dq_count == 0,
   DQ_ACTIVE_B still set */
spin_unlock(&dq_list_lock);
synchronize_srcu(&dquot_srcu);
                                           spin_lock(&dq_list_lock);
                                           list_for_each_entry(dquot, &inuse_list, dq_inuse) {
                                               /* finds dquot X */
                                               dquot_active(X) -> true
                                               atomic_inc(&X->dq_count);
                                           }
                                           spin_unlock(&dq_list_lock);
spin_lock(&dq_list_lock);
dquot = list_first_entry(&rls_head);
WARN_ON_ONCE(atomic_read(&dquot->dq_count));
```

The problem is not only a cosmetic one as under memory pressure the caller of dquot_scan_active() can end up working on freed dquot. Fix the problem by making sure the dquot is removed from releasing list when we acquire a reference to it.
02 KernelScan AI Analysis
Risk summary
A race condition in the Linux kernel quota subsystem allows dquot_scan_active() to acquire a reference to a dquot that is concurrently being freed during quota deactivation. Under memory pressure, this results in a use-after-free on a heap dquot object, enabling information leak (C:L) and limited memory corruption (I:L), and can cause a kernel panic/oops (A:H). Exploitation requires local access and the ability to trigger quota scan operations concurrently with quota deactivation.
Vulnerability analysis
The vulnerability is a race condition between dquot_scan_active() and quota_release_workfn(). When quota_release_workfn() moves a dquot onto the releasing list with dq_count == 0 but DQ_ACTIVE_B still set, it drops dq_list_lock and blocks in synchronize_srcu(). During this window, dquot_scan_active() can iterate inuse_list, find the dquot (still marked active), and increment its reference count via atomic_inc(), while the deactivation path proceeds to free the dquot. The resulting use-after-free can leak kernel heap/quota information and corrupt memory; under memory pressure it reliably induces a kernel panic. The fix introduces __dqgrab(), which atomically removes a zero-ref dquot from the releasing list when acquiring a reference, preventing the free. The dqgrab() helper is also hardened. Because the exploitable primitive is a heap use-after-free (not merely the race itself), the correct CWE is CWE-416.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 4.19 | 4.20 | 6678dde26570 |
| 5.10 | 5.10.258 | 2bdc80f46194 |
| 5.15 | 5.15.209 | f9438cb8c8ec |
| 5.4 | 5.5 | 61e25f664dc2 |
| 6.1 | 6.1.175 | ac8a2e0d287e |
| 6.12 | 6.12.91 | e93ab401da4b |
| 6.18 | 6.18.33 | — |
| 6.5 | 6.6 | fdd424d7c356 |
| 6.6 | 6.6.141 | 82cbdb4c1ebb |
| 7.0 | 7.0.10 | — |
| mainline | 7.1 | — |