CVE-2026-45895
Awaiting Analysis Awaiting Analysis - Queue
Linux Kernel Quota Livelock Vulnerability

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: quota: fix livelock between quotactl and freeze_super When a filesystem is frozen, quotactl_block() enters a retry loop waiting for the filesystem to thaw. It acquires s_umount, checks the freeze state, drops s_umount and uses sb_start_write() - sb_end_write() pair to wait for the unfreeze. However, this retry loop can trigger a livelock issue, specifically on kernels with preemption disabled. The mechanism is as follows: 1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write(). 2. sb_wait_write() calls percpu_down_write(), which initiates synchronize_rcu(). 3. Simultaneously, quotactl_block() spins in its retry loop, immediately executing the sb_start_write() - sb_end_write() pair. 4. Because the kernel is non-preemptible and the loop contains no scheduling points, quotactl_block() never yields the CPU. This prevents that CPU from reaching an RCU quiescent state. 5. synchronize_rcu() in the freezer thread waits indefinitely for the quotactl_block() CPU to report a quiescent state. 6. quotactl_block() spins indefinitely waiting for the freezer to advance, which it cannot do as it is blocked on the RCU sync. This results in a hang of the freezer process and 100% CPU usage by the quota process. While this can occur intermittently on multi-core systems, it is reliably reproducing on a node with the following script, running both the freezer and the quota toggle on the same CPU: # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount # mount /dev/sda -o quota,usrquota,grpquota a_mount # taskset -c 3 bash -c "while true; do xfs_freeze -f a_mount; \ xfs_freeze -u a_mount; done" & # taskset -c 3 bash -c "while true; do quotaon a_mount; \ quotaoff a_mount; done" & Adding cond_resched() to the retry loop fixes the issue. It acts as an RCU quiescent state, allowing synchronize_rcu() in percpu_down_write() to complete.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45895
EUVD
EUVD-2026-32361
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's quota subsystem when the filesystem is frozen. Specifically, a function called quotactl_block() enters a retry loop waiting for the filesystem to thaw. During this loop, it repeatedly executes a pair of functions (sb_start_write() and sb_end_write()) without yielding the CPU.

Because the kernel is non-preemptible in this context and the loop lacks scheduling points, quotactl_block() never yields the CPU. This prevents the kernel from reaching a required RCU (Read-Copy-Update) quiescent state, causing another process (the freezer) to wait indefinitely. This results in a livelock where the freezer process hangs and the quota process consumes 100% CPU.

The issue happens because the freezer process waits for an RCU synchronization that never completes due to quotactl_block() spinning without yielding. Adding a scheduling point (cond_resched()) in the retry loop fixes the problem by allowing the necessary RCU quiescent state to occur.

Impact Analysis

This vulnerability can cause a hang of the freezer process and 100% CPU usage by the quota process on affected Linux systems.

Such a hang can lead to system performance degradation, resource exhaustion, and potentially disrupt normal filesystem operations, especially those involving quota management and filesystem freezing.

On multi-core systems, this may occur intermittently, but it can reliably reproduce under certain conditions, potentially causing system instability or denial of service.

Detection Guidance

This vulnerability can be detected by observing a hang of the freezer process and 100% CPU usage by the quota process on affected Linux kernels.

A reliable way to reproduce and thus detect the issue on a system is by running the following commands on the same CPU core:

  • # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount
  • # mount /dev/sda -o quota,usrquota,grpquota a_mount
  • # taskset -c 3 bash -c "while true; do xfs_freeze -f a_mount; xfs_freeze -u a_mount; done" &
  • # taskset -c 3 bash -c "while true; do quotaon a_mount; quotaoff a_mount; done" &

If the system hangs or the quota process consumes 100% CPU, the vulnerability is present.

Mitigation Strategies

The vulnerability is fixed by adding a cond_resched() call to the retry loop in quotactl_block(), which allows the kernel to reach an RCU quiescent state and prevents the livelock.

Immediate mitigation steps include updating the Linux kernel to a version where this fix is applied.

Until the kernel is updated, avoid running quota toggle operations (quotaon/quotaoff) concurrently with filesystem freeze operations (xfs_freeze) on the same CPU core to reduce the risk of triggering the livelock.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45895. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart