In the Linux kernel, the following vulnerability has been resolved:
quota: Fix race of dquotscanactive() with quota deactivation
dquotscanactive() can race with quota deactivation in quotareleaseworkfn() like:
CPU0 (quotareleaseworkfn) CPU1 (dquotscanactive) ============================== ============================== spinlock(&dqlistlock); listreplaceinit( &releasingdquots, &rlshead); /* dquot X on rlshead, dqcount == 0, DQACTIVEB still set */ spinunlock(&dqlistlock); synchronizesrcu(&dquotsrcu); spinlock(&dqlistlock); listforeachentry(dquot, &inuselist, dqinuse) { /* finds dquot X */ dquotactive(X) -> true atomicinc(&X->dqcount); } spinunlock(&dqlistlock); spinlock(&dqlistlock); dquot = listfirstentry(&rlshead); WARNONONCE(atomicread(&dquot->dqcount));
The problem is not only a cosmetic one as under memory pressure the caller of dquotscanactive() can end up working on freed dquot.
Fix the problem by making sure the dquot is removed from releasing list when we acquire a reference to it.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53050.json"
}