VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45895


Description

In the Linux kernel, the following vulnerability has been resolved:

quota: fix livelock between quotactl and freeze_super

When a filesystem is frozen, quotactl_block() enters a retry loop waiting for the filesystem to thaw. It acquires s_umount, checks the freeze state, drops s_umount and uses sb_start_write() - sb_end_write() pair to wait for the unfreeze.

However, this retry loop can trigger a livelock issue, specifically on kernels with preemption disabled.

The mechanism is as follows:

1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write().
2. sb_wait_write() calls percpu_down_write(), which initiates synchronize_rcu().
3. Simultaneously, quotactl_block() spins in its retry loop, immediately executing the sb_start_write() - sb_end_write() pair.
4. Because the kernel is non-preemptible and the loop contains no scheduling points, quotactl_block() never yields the CPU. This prevents that CPU from reaching an RCU quiescent state.
5. synchronize_rcu() in the freezer thread waits indefinitely for the quotactl_block() CPU to report a quiescent state.
6. quotactl_block() spins indefinitely waiting for the freezer to advance, which it cannot do as it is blocked on the RCU sync.

This results in a hang of the freezer process and 100% CPU usage by the quota process.

While this can occur intermittently on multi-core systems, it is reliably reproducible on a node with the following script, running both the freezer and the quota toggle on the same CPU:

  # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount
  # mount /dev/sda -o quota,usrquota,grpquota a_mount
  # taskset -c 3 bash -c "while true; do xfs_freeze -f a_mount; \
    xfs_freeze -u a_mount; done" &
  # taskset -c 3 bash -c "while true; do quotaon a_mount; \
    quotaoff a_mount; done" &

Adding cond_resched() to the retry loop fixes the issue. It acts as an RCU quiescent state, allowing synchronize_rcu() in percpu_down_write() to complete.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A livelock in the Linux kernel's quota subsystem between quotactl and freeze_super can cause a system hang when both operations run on the same CPU.

Vulnerability

A livelock exists in the Linux kernel's quota subsystem when a filesystem is frozen. The quotactl_block() function enters a retry loop waiting for the filesystem to thaw, acquiring and dropping s_umount and using sb_start_write()/sb_end_write() pairs. On kernels with preemption disabled, this loop can prevent the CPU from reaching an RCU quiescent state, causing freeze_super() to hang indefinitely. The issue affects all kernels with quota and freeze support; the fix is in commit 53b2314b26b6 [1].

Exploitation

An attacker needs local access to run both quotactl (e.g., quotaon/quotaoff) and filesystem freeze (e.g., xfs_freeze) operations on the same CPU. The provided reproduction script uses taskset to pin both processes to the same core. No special privileges beyond mount and quota commands are required. The attacker triggers the livelock by repeatedly toggling quota and freeze concurrently [1].

Impact

Successful exploitation results in a denial of service: the freezer process hangs indefinitely, and the quota process consumes 100% CPU. The system becomes unresponsive for affected filesystem operations. No data corruption or privilege escalation occurs.

Mitigation

The fix is included in Linux kernel commit 53b2314b26b6 [1], which adds cond_resched() to the retry loop to allow RCU quiescent states. Users should apply the patch or update to a kernel containing this commit. No workaround is documented; the issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

77449e453dfc

quota: fix livelock between quotactl and freeze_super

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Abhishek Bapat · Jan 15, 2026 · Fixed in 7.0 · via kernel-cna
2 files changed · +2 2
  • fs/quota/quota.c+1 1 modified
    diff --git a/fs/quota/quota.c b/fs/quota/quota.c
    index 7c2b75a4448528..de4379a9c79208 100644
    --- a/fs/quota/quota.c
    +++ b/fs/quota/quota.c
    @@ -899,6 +899,7 @@ retry:
     		sb_start_write(sb);
     		sb_end_write(sb);
     		put_super(sb);
    +		cond_resched();
     		goto retry;
     	}
     	return sb;
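
Review bot: the added cond_resched() before goto retry carries no comment, and nothing in the surrounding lines says that it is there to give RCU a quiescent state rather than as a generic courtesy yield. sb_start_write() two lines above reads like a blocking call, so a later cleanup could reasonably drop the cond_resched() as redundant. A one-line comment next to it, along the lines of "let synchronize_rcu() in percpu_down_write() make progress while we retry", would keep the reason with the code.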
    
37ccd48cf35f

quota: fix livelock between quotactl and freeze_super

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Abhishek Bapat · Jan 15, 2026 · Fixed in 6.6.128 · via kernel-cna
2 files changed · +2 2
  • fs/quota/quota.c+1 1 modified
    diff --git a/fs/quota/quota.c b/fs/quota/quota.c
    index 0e41fb84060f52..5be53cae2c95d7 100644
    --- a/fs/quota/quota.c
    +++ b/fs/quota/quota.c
    @@ -899,6 +899,7 @@ retry:
     		sb_start_write(sb);
     		sb_end_write(sb);
     		put_super(sb);
    +		cond_resched();
     		goto retry;
     	}
     	return sb;
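
Review bot: with cond_resched() as the only addition before goto retry, the path is still a busy retry whenever the sb_start_write()/sb_end_write() pair returns without blocking; it now yields, but it does not sleep or wait on the freeze state. If the window in which the pair returns immediately can last more than a few iterations, waiting on the freeze state would avoid burning the CPU. If the window is always short, a comment at the retry label saying so would settle the question for the next reader.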
    
414259caf81a

quota: fix livelock between quotactl and freeze_super

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Abhishek Bapat · Jan 15, 2026 · Fixed in 6.12.75 · via kernel-cna
2 files changed · +2 2
  • fs/quota/quota.c+1 1 modified
    diff --git a/fs/quota/quota.c b/fs/quota/quota.c
    index 290157bc7bec2c..04c6712d4031ca 100644
    --- a/fs/quota/quota.c
    +++ b/fs/quota/quota.c
    @@ -899,6 +899,7 @@ retry:
     		sb_start_write(sb);
     		sb_end_write(sb);
     		put_super(sb);
    +		cond_resched();
     		goto retry;
     	}
     	return sb;
    
02bb1500f147

quota: fix livelock between quotactl and freeze_super

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Abhishek Bapat · Jan 15, 2026 · Fixed in 6.18.14 · via kernel-cna
2 files changed · +2 2
  • fs/quota/quota.c+1 1 modified
    diff --git a/fs/quota/quota.c b/fs/quota/quota.c
    index 7c2b75a4448528..de4379a9c79208 100644
    --- a/fs/quota/quota.c
    +++ b/fs/quota/quota.c
    @@ -899,6 +899,7 @@ retry:
     		sb_start_write(sb);
     		sb_end_write(sb);
     		put_super(sb);
    +		cond_resched();
     		goto retry;
     	}
     	return sb;
    
53b2314b26b6

quota: fix livelock between quotactl and freeze_super

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Abhishek Bapat · Jan 15, 2026 · Fixed in 6.19.4 · via kernel-cna
2 files changed · +2 2
  • fs/quota/quota.c+1 1 modified
    diff --git a/fs/quota/quota.c b/fs/quota/quota.c
    index 7c2b75a4448528..de4379a9c79208 100644
    --- a/fs/quota/quota.c
    +++ b/fs/quota/quota.c
    @@ -899,6 +899,7 @@ retry:
     		sb_start_write(sb);
     		sb_end_write(sb);
     		put_super(sb);
    +		cond_resched();
     		goto retry;
     	}
     	return sb;

Vulnerability mechanics

Root cause

"Missing scheduling point (cond_resched()) in the quotactl_block() retry loop prevents the CPU from reaching an RCU quiescent state, causing a livelock between quotactl and freeze_super."

Attack vector

An attacker with local access and the ability to issue quotactl and filesystem freeze operations on the same CPU can trigger a livelock. When freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write(), which invokes percpu_down_write() and synchronize_rcu(), the quotactl_block() function spins in a tight retry loop with sb_start_write()/sb_end_write() but no cond_resched(). On a non-preemptible kernel, this prevents the CPU from reaching an RCU quiescent state, so synchronize_rcu() never completes, the freezer cannot advance, and both processes hang indefinitely with 100% CPU usage [patch_id=2661587].

Affected code

The vulnerable code is in the quotactl_block() function in fs/quota/quota.c. The retry loop at line 899 (after the diff context) acquires s_umount, checks the freeze state, drops s_umount, calls sb_start_write()/sb_end_write(), and put_super(sb) before looping back — all without a scheduling point [patch_id=2661587].

What the fix does

The patch adds a single cond_resched() call in the quotactl_block() retry loop at fs/quota/quota.c line 902, immediately after put_super(sb) and before the goto retry [patch_id=2661587]. cond_resched() acts as an RCU quiescent state, allowing synchronize_rcu() in percpu_down_write() to complete. This breaks the livelock by giving the freezer thread a chance to advance past the SB_FREEZE_WRITE stage and ultimately thaw the filesystem.

Preconditions

  • config: The kernel must be configured with preemption disabled (non-preemptible).
  • auth: The attacker must have local access and the ability to run both filesystem freeze (xfs_freeze) and quota toggle (quotaon/quotaoff) commands.
  • input: Both the freeze and quota processes must be pinned to the same CPU (e.g., via taskset).
  • config: The filesystem must be mounted with quota enabled (e.g., -o quota,usrquota,grpquota).
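
A triage check built from this page's data, as an added example that is not part of the advisory or the kernel source: fix_status compares a kernel release string with the "Fixed in" versions listed under Patches, and preempt_model reads the preemption precondition from a kernel config file. The function names are hypothetical, and the check assumes an upstream-style version string, so a distribution kernel that backports the fix under an older version number is reported as unfixed or unknown.

```sh
#!/bin/sh
# Added example, not from the advisory or the kernel tree.
# Thresholds are the "Fixed in" versions listed under Patches on this page.

# fix_status RELEASE -> fixed | unfixed | unknown
fix_status() {
    case $1 in *-rc*) echo unknown; return ;; esac  # pre-release: not decidable
    rel=${1%%[!0-9.]*}            # 6.6.127-generic -> 6.6.127
    case $rel in *.*) ;; *) echo unknown; return ;; esac
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ]; then
        echo unknown; return
    fi
    if [ "$major" -ge 7 ]; then echo fixed; return; fi
    case $major.$minor in
        6.6)  min=128 ;;
        6.12) min=75 ;;
        6.18) min=14 ;;
        6.19) min=4 ;;
        *)    echo unknown; return ;;   # branch not listed on the page
    esac
    if [ "$patch" -ge "$min" ]; then echo fixed; else echo unfixed; fi
}

# preempt_model CONFIG_FILE -> non-preemptible | preemptible | dynamic
# "dynamic": the model is chosen at boot, so the config alone cannot decide.
preempt_model() {
    if grep -q '^CONFIG_PREEMPT_DYNAMIC=y' "$1"; then echo dynamic
    elif grep -q '^CONFIG_PREEMPTION=y' "$1"; then echo preemptible
    else echo non-preemptible
    fi
}

# assess RELEASE CONFIG_FILE -> "<fix_status> <preempt_model>"
assess() {
    echo "$(fix_status "$1") $(preempt_model "$2")"
}
```

On a host, call it as assess "$(uname -r)" "/boot/config-$(uname -r)", where the config path is an assumption about the distribution's layout. A result of "unfixed non-preemptible" matches the kernel-side preconditions listed above.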

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
