CVE-2024-56780: quota: flush quota_release_work upon quota writeback
In the Linux kernel, the following vulnerability has been resolved:
quota: flush quota_release_work upon quota writeback
One of the paths quota writeback is called from is:
freeze_super()
sync_filesystem()
ext4_sync_fs()
dquot_writeback_dquots()
Since we currently don't always flush the quota_release_work queue in
this path, we can end up with the following race:
1. dquot are added to releasing_dquots list during regular operations.
2. FS Freeze starts, however, this does not flush the quota_release_work queue.
3. Freeze completes.
4. Kernel eventually tries to flush the workqueue while FS is frozen which
hits a WARN_ON since transaction gets started during frozen state:
ext4_journal_check_start+0x28/0x110 [ext4] (unreliable)
__ext4_journal_start_sb+0x64/0x1c0 [ext4]
ext4_release_dquot+0x90/0x1d0 [ext4]
quota_release_workfn+0x43c/0x4d0
Which is the following line:
WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE);
Which ultimately results in generic/390 failing due to dmesg
noise. This was detected on powerpc machine 15 cores.
To avoid this, make sure to flush the workqueue during
dquot_writeback_dquots() so we dont have any pending workitems after
freeze.
This Linux kernel issue can cause a system availability problem during filesystem freeze operations. A quota cleanup task may run after the filesystem is frozen and trigger a kernel warning in ext4 journaling. The source describes a local, low-privilege, availability-only vulnerability, not data theft or remote compromise.
Executive priority
Handle through normal kernel maintenance unless the environment relies heavily on quotas and filesystem freeze operations. It is not evidenced as remotely exploitable or actively exploited, but availability impact can matter for shared servers, storage hosts, and operational platforms.
Technical view
Quota writeback can occur through freeze_super, sync_filesystem, ext4_sync_fs, and dquot_writeback_dquots. The vulnerable path did not always flush quota_release_work, allowing pending quota release work to start a transaction after SB_FREEZE_COMPLETE. The fix flushes the workqueue during dquot_writeback_dquots to avoid pending work after freeze.
Likely exposure
Exposure is most likely on Linux systems using affected kernel builds with filesystem quota handling and freeze activity. The CVSS vector is local, low complexity, low privilege, no user interaction, availability high. The provided data does not identify remote exposure, confidentiality impact, or integrity impact.
Exploitation context
The source bundle does not show KEV listing or active exploitation. Evidence points to a race found through testing, with generic/390 failing due to dmesg noise on a 15-core powerpc machine. Treat exploitation status as unconfirmed and local-only based on the provided CVSS vector.
Researcher notes
Key evidence is a kernel race between quota release work and filesystem freeze. The fix direction is workqueue flushing in dquot_writeback_dquots. Affected-version evidence in the bundle is version-list based and should be reconciled against vendor kernel package backports before declaring exposure.
Mitigation direction
Update Linux kernels to vendor builds containing the referenced stable quota fix.
Apply relevant Debian LTS kernel updates where Debian advisories match deployed releases.
Prioritize systems that use filesystem quotas and filesystem freeze workflows.
Monitor vendor advisories for distribution-specific fixed package versions.
Avoid treating this as remotely exploitable without new vendor evidence.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and container hosts.
Check whether deployed kernels include one of the referenced stable commits.
Identify systems using quota-enabled filesystems and freeze operations.
Review dmesg or kernel logs for ext4_journal_check_start freeze warnings.
Confirm distribution advisories map to installed kernel packages.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-56780 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.