{"api_version":"1","generated_at":"2026-06-02T12:04:25+00:00","cve":"CVE-2026-45895","urls":{"html":"https://cve.report/CVE-2026-45895","api":"https://cve.report/api/cve/CVE-2026-45895.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45895","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45895"},"summary":{"title":"quota: fix livelock between quotactl and freeze_super","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nquota: fix livelock between quotactl and freeze_super\n\nWhen a filesystem is frozen, quotactl_block() enters a retry loop\nwaiting for the filesystem to thaw. It acquires s_umount, checks the\nfreeze state, drops s_umount and uses sb_start_write() - sb_end_write()\npair to wait for the unfreeze.\n\nHowever, this retry loop can trigger a livelock issue, specifically on\nkernels with preemption disabled.\n\nThe mechanism is as follows:\n1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write().\n2. sb_wait_write() calls percpu_down_write(), which initiates\n   synchronize_rcu().\n3. Simultaneously, quotactl_block() spins in its retry loop, immediately\n   executing the sb_start_write() - sb_end_write() pair.\n4. Because the kernel is non-preemptible and the loop contains no\n   scheduling points, quotactl_block() never yields the CPU. This\n   prevents that CPU from reaching an RCU quiescent state.\n5. synchronize_rcu() in the freezer thread waits indefinitely for the\n   quotactl_block() CPU to report a quiescent state.\n6. quotactl_block() spins indefinitely waiting for the freezer to\n   advance, which it cannot do as it is blocked on the RCU sync.\n\nThis results in a hang of the freezer process and 100% CPU usage by the\nquota process.\n\nWhile this can occur intermittently on multi-core systems, it is\nreliably reproducing on a node with the following script, running both\nthe freezer and the quota toggle on the same CPU:\n\n  # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount\n  # mount /dev/sda -o quota,usrquota,grpquota a_mount\n  # taskset -c 3 bash -c \"while true; do xfs_freeze -f a_mount; \\\n    xfs_freeze -u a_mount; done\" &\n  # taskset -c 3 bash -c \"while true; do quotaon a_mount; \\\n    quotaoff a_mount; done\" &\n\nAdding cond_resched() to the retry loop fixes the issue. It acts as an\nRCU quiescent state, allowing synchronize_rcu() in percpu_down_write()\nto complete.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:03","updated_at":"2026-05-27 14:48:31"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/02bb1500f1479750e6557c8044f6a2d7e9d30c12","name":"https://git.kernel.org/stable/c/02bb1500f1479750e6557c8044f6a2d7e9d30c12","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/77449e453dfc006ad738dec55374c4cbc056fd39","name":"https://git.kernel.org/stable/c/77449e453dfc006ad738dec55374c4cbc056fd39","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/414259caf81a397563fc9baca9c0ef856c4a97cf","name":"https://git.kernel.org/stable/c/414259caf81a397563fc9baca9c0ef856c4a97cf","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82","name":"https://git.kernel.org/stable/c/37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/53b2314b26b6640a3657cc924de63a1a8f26ac4d","name":"https://git.kernel.org/stable/c/53b2314b26b6640a3657cc924de63a1a8f26ac4d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45895","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45895","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 576215cffdefc1f0ceebffd87abb390926e6b037 37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 576215cffdefc1f0ceebffd87abb390926e6b037 414259caf81a397563fc9baca9c0ef856c4a97cf git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 576215cffdefc1f0ceebffd87abb390926e6b037 02bb1500f1479750e6557c8044f6a2d7e9d30c12 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 576215cffdefc1f0ceebffd87abb390926e6b037 53b2314b26b6640a3657cc924de63a1a8f26ac4d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 576215cffdefc1f0ceebffd87abb390926e6b037 77449e453dfc006ad738dec55374c4cbc056fd39 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.5","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.5 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.128 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.14 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.4 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"45895","cve":"CVE-2026-45895","epss":"0.000180000","percentile":"0.050770000","score_date":"2026-06-01","updated_at":"2026-06-02 00:05:21"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/quota/quota.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82","status":"affected","version":"576215cffdefc1f0ceebffd87abb390926e6b037","versionType":"git"},{"lessThan":"414259caf81a397563fc9baca9c0ef856c4a97cf","status":"affected","version":"576215cffdefc1f0ceebffd87abb390926e6b037","versionType":"git"},{"lessThan":"02bb1500f1479750e6557c8044f6a2d7e9d30c12","status":"affected","version":"576215cffdefc1f0ceebffd87abb390926e6b037","versionType":"git"},{"lessThan":"53b2314b26b6640a3657cc924de63a1a8f26ac4d","status":"affected","version":"576215cffdefc1f0ceebffd87abb390926e6b037","versionType":"git"},{"lessThan":"77449e453dfc006ad738dec55374c4cbc056fd39","status":"affected","version":"576215cffdefc1f0ceebffd87abb390926e6b037","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/quota/quota.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.5"},{"lessThan":"6.5","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.128","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.14","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.128","versionStartIncluding":"6.5","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","versionStartIncluding":"6.5","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.14","versionStartIncluding":"6.5","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.4","versionStartIncluding":"6.5","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.5","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nquota: fix livelock between quotactl and freeze_super\n\nWhen a filesystem is frozen, quotactl_block() enters a retry loop\nwaiting for the filesystem to thaw. It acquires s_umount, checks the\nfreeze state, drops s_umount and uses sb_start_write() - sb_end_write()\npair to wait for the unfreeze.\n\nHowever, this retry loop can trigger a livelock issue, specifically on\nkernels with preemption disabled.\n\nThe mechanism is as follows:\n1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write().\n2. sb_wait_write() calls percpu_down_write(), which initiates\n   synchronize_rcu().\n3. Simultaneously, quotactl_block() spins in its retry loop, immediately\n   executing the sb_start_write() - sb_end_write() pair.\n4. Because the kernel is non-preemptible and the loop contains no\n   scheduling points, quotactl_block() never yields the CPU. This\n   prevents that CPU from reaching an RCU quiescent state.\n5. synchronize_rcu() in the freezer thread waits indefinitely for the\n   quotactl_block() CPU to report a quiescent state.\n6. quotactl_block() spins indefinitely waiting for the freezer to\n   advance, which it cannot do as it is blocked on the RCU sync.\n\nThis results in a hang of the freezer process and 100% CPU usage by the\nquota process.\n\nWhile this can occur intermittently on multi-core systems, it is\nreliably reproducing on a node with the following script, running both\nthe freezer and the quota toggle on the same CPU:\n\n  # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount\n  # mount /dev/sda -o quota,usrquota,grpquota a_mount\n  # taskset -c 3 bash -c \"while true; do xfs_freeze -f a_mount; \\\n    xfs_freeze -u a_mount; done\" &\n  # taskset -c 3 bash -c \"while true; do quotaon a_mount; \\\n    quotaoff a_mount; done\" &\n\nAdding cond_resched() to the retry loop fixes the issue. It acts as an\nRCU quiescent state, allowing synchronize_rcu() in percpu_down_write()\nto complete."}],"providerMetadata":{"dateUpdated":"2026-05-27T12:17:05.666Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82"},{"url":"https://git.kernel.org/stable/c/414259caf81a397563fc9baca9c0ef856c4a97cf"},{"url":"https://git.kernel.org/stable/c/02bb1500f1479750e6557c8044f6a2d7e9d30c12"},{"url":"https://git.kernel.org/stable/c/53b2314b26b6640a3657cc924de63a1a8f26ac4d"},{"url":"https://git.kernel.org/stable/c/77449e453dfc006ad738dec55374c4cbc056fd39"}],"title":"quota: fix livelock between quotactl and freeze_super","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-45895","datePublished":"2026-05-27T12:17:05.666Z","dateReserved":"2026-05-13T15:03:33.083Z","dateUpdated":"2026-05-27T12:17:05.666Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:03","lastModifiedDate":"2026-05-27 14:48:31","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45895","Ordinal":"1","Title":"quota: fix livelock between quotactl and freeze_super","CVE":"CVE-2026-45895","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45895","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nquota: fix livelock between quotactl and freeze_super\n\nWhen a filesystem is frozen, quotactl_block() enters a retry loop\nwaiting for the filesystem to thaw. It acquires s_umount, checks the\nfreeze state, drops s_umount and uses sb_start_write() - sb_end_write()\npair to wait for the unfreeze.\n\nHowever, this retry loop can trigger a livelock issue, specifically on\nkernels with preemption disabled.\n\nThe mechanism is as follows:\n1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write().\n2. sb_wait_write() calls percpu_down_write(), which initiates\n   synchronize_rcu().\n3. Simultaneously, quotactl_block() spins in its retry loop, immediately\n   executing the sb_start_write() - sb_end_write() pair.\n4. Because the kernel is non-preemptible and the loop contains no\n   scheduling points, quotactl_block() never yields the CPU. This\n   prevents that CPU from reaching an RCU quiescent state.\n5. synchronize_rcu() in the freezer thread waits indefinitely for the\n   quotactl_block() CPU to report a quiescent state.\n6. quotactl_block() spins indefinitely waiting for the freezer to\n   advance, which it cannot do as it is blocked on the RCU sync.\n\nThis results in a hang of the freezer process and 100% CPU usage by the\nquota process.\n\nWhile this can occur intermittently on multi-core systems, it is\nreliably reproducing on a node with the following script, running both\nthe freezer and the quota toggle on the same CPU:\n\n  # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount\n  # mount /dev/sda -o quota,usrquota,grpquota a_mount\n  # taskset -c 3 bash -c \"while true; do xfs_freeze -f a_mount; \\\n    xfs_freeze -u a_mount; done\" &\n  # taskset -c 3 bash -c \"while true; do quotaon a_mount; \\\n    quotaoff a_mount; done\" &\n\nAdding cond_resched() to the retry loop fixes the issue. It acts as an\nRCU quiescent state, allowing synchronize_rcu() in percpu_down_write()\nto complete.","Type":"Description","Title":"quota: fix livelock between quotactl and freeze_super"}]}}}