CVE-2026-45895 - Vulnerability Details

- quota: fix livelock between quotactl and freeze_super

Description

In the Linux kernel, the following vulnerability has been resolved:

quota: fix livelock between quotactl and freeze_super

When a filesystem is frozen, quotactl_block() enters a retry loop
waiting for the filesystem to thaw. It acquires s_umount, checks the
freeze state, drops s_umount and uses sb_start_write() - sb_end_write()
pair to wait for the unfreeze.

However, this retry loop can trigger a livelock issue, specifically on
kernels with preemption disabled.

The mechanism is as follows:
1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write().
2. sb_wait_write() calls percpu_down_write(), which initiates
synchronize_rcu().
3. Simultaneously, quotactl_block() spins in its retry loop, immediately
executing the sb_start_write() - sb_end_write() pair.
4. Because the kernel is non-preemptible and the loop contains no
scheduling points, quotactl_block() never yields the CPU. This
prevents that CPU from reaching an RCU quiescent state.
5. synchronize_rcu() in the freezer thread waits indefinitely for the
quotactl_block() CPU to report a quiescent state.
6. quotactl_block() spins indefinitely waiting for the freezer to
advance, which it cannot do as it is blocked on the RCU sync.

This results in a hang of the freezer process and 100% CPU usage by the
quota process.

While this can occur intermittently on multi-core systems, it is
reliably reproducing on a node with the following script, running both
the freezer and the quota toggle on the same CPU:

# mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount
# mount /dev/sda -o quota,usrquota,grpquota a_mount
# taskset -c 3 bash -c "while true; do xfs_freeze -f a_mount; \
xfs_freeze -u a_mount; done" &
# taskset -c 3 bash -c "while true; do quotaon a_mount; \
quotaoff a_mount; done" &

Adding cond_resched() to the retry loop fixes the issue. It acts as an
RCU quiescent state, allowing synchronize_rcu() in percpu_down_write()
to complete.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A livelock occurs when the kernel’s quota handling routine, quotactl_block(), repeatedly retries waiting for a frozen filesystem to thaw. Because the kernel is running with preemption disabled, this retry loop never yields the CPU, preventing the RCU quiescent state needed for the freezer thread to proceed. The result is a freeze of the freezer process and sustained 100 % CPU usage by the quota process, effectively locking the system until the kernel is rebooted. This vulnerability can be triggered by concurrent usage of xfs_freeze and quota toggling on the same CPU core and represents a classic denial‑of‑service condition for filesystem administration.

Affected Systems

The flaw affects all Linux kernel releases that include the upstream quotactl and freeze_super code paths prior to the patch that inserts a cond_resched() call. No specific version range is listed, so any kernel version affected by the linked commit is considered vulnerable.

Risk and Exploitability

Official CVSS or EPSS metrics are not provided, and the vulnerability is not catalogued in the CISA KEV list, indicating no known public exploitation. However, the livelock can be reliably reproduced on multi‑core systems and causes a full system hang, making it a high‑risk local denial‑of‑service. The lack of scheduling points makes the attack kernel‑level and requires the ability to invoke quota toggling while a filesystem is frozen on a shared CPU core.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`576215cffdefc1f0ceebffd87abb390926e6b037`	affected	< 37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82
`576215cffdefc1f0ceebffd87abb390926e6b037`	affected	< 414259caf81a397563fc9baca9c0ef856c4a97cf
`576215cffdefc1f0ceebffd87abb390926e6b037`	affected	< 02bb1500f1479750e6557c8044f6a2d7e9d30c12
`576215cffdefc1f0ceebffd87abb390926e6b037`	affected	< 53b2314b26b6640a3657cc924de63a1a8f26ac4d
`576215cffdefc1f0ceebffd87abb390926e6b037`	affected	< 77449e453dfc006ad738dec55374c4cbc056fd39

Linux

affected

Version	Status	Constraints
`6.5`	affected	—
`0`	unaffected	< 6.5
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[576215cffdefc1f0ceebffd87abb390926e6b037,37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82)`	affected	code_commit	—
`[576215cffdefc1f0ceebffd87abb390926e6b037,414259caf81a397563fc9baca9c0ef856c4a97cf)`	affected	code_commit	—
`[576215cffdefc1f0ceebffd87abb390926e6b037,02bb1500f1479750e6557c8044f6a2d7e9d30c12)`	affected	code_commit	—
`[576215cffdefc1f0ceebffd87abb390926e6b037,53b2314b26b6640a3657cc924de63a1a8f26ac4d)`	affected	code_commit	—
`[576215cffdefc1f0ceebffd87abb390926e6b037,77449e453dfc006ad738dec55374c4cbc056fd39)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.5`	affected	generic	—
`[0,6.5)`	unaffected	semver	—
`[6.6.128,7.0.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the cond_resched() change in quotactl_block()
If an immediate upgrade is not feasible, avoid running XFS freeze and quota toggle commands on the same CPU core; schedule them on separate cores or stagger their execution
As a temporary work‑around, disable or limit the use of filesystem freeze operations while quota adjustments are expected to occur until a patch can be applied

Generated by OpenCVE AI on May 27, 2026 at 15:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/02bb1500f1479750e6557c8044f6a2d7e9d30c12
https://git.kernel.org/stable/c/37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82
https://git.kernel.org/stable/c/414259caf81a397563fc9baca9c0ef856c4a97cf
https://git.kernel.org/stable/c/53b2314b26b6640a3657cc924de63a1a8f26ac4d
https://git.kernel.org/stable/c/77449e453dfc006ad738dec55374c4cbc056fd39

History

Wed, 27 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-754

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: quota: fix livelock between quotactl and freeze_super When a filesystem is frozen, quotactl_block() enters a retry loop waiting for the filesystem to thaw. It acquires s_umount, checks the freeze state, drops s_umount and uses sb_start_write() - sb_end_write() pair to wait for the unfreeze. However, this retry loop can trigger a livelock issue, specifically on kernels with preemption disabled. The mechanism is as follows: 1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write(). 2. sb_wait_write() calls percpu_down_write(), which initiates synchronize_rcu(). 3. Simultaneously, quotactl_block() spins in its retry loop, immediately executing the sb_start_write() - sb_end_write() pair. 4. Because the kernel is non-preemptible and the loop contains no scheduling points, quotactl_block() never yields the CPU. This prevents that CPU from reaching an RCU quiescent state. 5. synchronize_rcu() in the freezer thread waits indefinitely for the quotactl_block() CPU to report a quiescent state. 6. quotactl_block() spins indefinitely waiting for the freezer to advance, which it cannot do as it is blocked on the RCU sync. This results in a hang of the freezer process and 100% CPU usage by the quota process. While this can occur intermittently on multi-core systems, it is reliably reproducing on a node with the following script, running both the freezer and the quota toggle on the same CPU: # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount # mount /dev/sda -o quota,usrquota,grpquota a_mount # taskset -c 3 bash -c "while true; do xfs_freeze -f a_mount; \ xfs_freeze -u a_mount; done" & # taskset -c 3 bash -c "while true; do quotaon a_mount; \ quotaoff a_mount; done" & Adding cond_resched() to the retry loop fixes the issue. It acts as an RCU quiescent state, allowing synchronize_rcu() in percpu_down_write() to complete.
Title		quota: fix livelock between quotactl and freeze_super
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/02bb1500f1479750e6557c8044f6a2d7e9d30c12 https://git.kernel.org/stable/c/37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82 https://git.kernel.org/stable/c/414259caf81a397563fc9baca9c0ef856c4a97cf https://git.kernel.org/stable/c/53b2314b26b6640a3657cc924de63a1a8f26ac4d https://git.kernel.org/stable/c/77449e453dfc006ad738dec55374c4cbc056fd39

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:05.666Z

Updated: 2026-05-27T12:17:05.666Z

Reserved: 2026-05-13T15:03:33.083Z

Link: CVE-2026-45895

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:03.733

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses

CWE-754

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object