CVE-2026-53050

In the Linux kernel, the following vulnerability has been resolved:

quota: Fix race of dquot scan active() with quota deactivation

dquot scan active() can race with quota deactivation in quota release workfn() like:

CPU0 (quota release workfn) CPU1 (dquot scan active) ============================== ============================== spin lock(&dq list lock); list replace init( &releasing dquots, &rls head); /* dquot X on rls head, dq count == 0, DQ ACTIVE B still set / spin unlock(&dq list lock); synchronize srcu(&dquot srcu); spin lock(&dq list lock); list for each entry(dquot, &inuse list, dq inuse) { / finds dquot X */ dquot active(X) -> true atomic inc(&X->dq count); } spin unlock(&dq list lock); spin lock(&dq list lock); dquot = list first entry(&rls head); WARN ON ONCE(atomic read(&dquot->dq count));

The problem is not only a cosmetic one as under memory pressure the caller of dquot scan active() can end up working on freed dquot.

Fix the problem by making sure the dquot is removed from releasing list when we acquire a reference to it.