From nobody Fri Apr  3 12:42:54 2026
Received: from mail-qt1-f179.google.com (mail-qt1-f179.google.com
 [209.85.160.179])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id C171926056A
	for <linux-kernel@vger.kernel.org>; Fri, 20 Feb 2026 15:27:08 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=pass smtp.client-ip=209.85.160.179
ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1771601230; cv=pass;
 b=GBM4sdr3L5/eaX6brC6E+BsLK2OXuba1vHBmDD+Irfv4oX2QBSvv6XvPLMApMjpZE4DTsbucIrQv7/7v3+f4Uva9PiOLQ25k6z90zgGcc0HpwZewQ+sU2QeQOKDlcsuXXdWiJPtHGAwulDbfVcsYo9U9mmFNuBj1JT7FEDT+JxA=
ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1771601230; c=relaxed/simple;
	bh=UsTxEqI60FIDQDJ62eJrtnCUKWPao+6YP9VhYLewEg4=;
	h=MIME-Version:From:Date:Message-ID:Subject:To:Cc:Content-Type;
 b=Hs453wOCI8c5Nm08LKNzzVB4PvXi0TDGVMqQTu6McoCZiXC5elNykBlovi9ztWjIY9DNRLOnmCQCSELQP1oGgoDGkXGHxNdc4J30s9MQPFzN+UBlKM+UJS9R0ytqsnkefTeqAAiAGlOGcvLQnzgfUK8hXkCDecUw3qTf95ATf0c=
ARC-Authentication-Results: i=2; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=ErcyzmzV; arc=pass smtp.client-ip=209.85.160.179
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="ErcyzmzV"
Received: by mail-qt1-f179.google.com with SMTP id
 d75a77b69052e-50334dd44d2so24699631cf.1
        for <linux-kernel@vger.kernel.org>;
 Fri, 20 Feb 2026 07:27:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1771601227; cv=none;
        d=google.com; s=arc-20240605;
        b=S1vxtdJ9Smv3xOsg22+GlSbE76cx/hAmbI25xkNYD5nCm3i7/RgBivvSgrfCM0vAJu
         TbaV63uVDPxgH6MOiLptj/a8TKzQ9hklcma+z5MsNt8RdiDYaoxGR1T/NTbNTh87E1md
         Pg/Sj2l1NA/bzG9G77cfhEJ92VNxx+BQNNEQnxJpxdFLGcCo9WkoZfJMEC7p+4q2PcMI
         D1zKMA6CKweKF9Y3pSU5niPbh3qkHaKRJDkg8cGJc/v1kGQA2FqciyimsbnyEhOkxVK3
         x+ave6HzdsmOy9ICOBvScWCcpft753wey5tL+F82r+JxP4do+7yjqxHTvpWUv3IOlwd3
         whvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=cc:to:subject:message-id:date:from:mime-version:dkim-signature;
        bh=o0TiPXB0oN2yuUioB6DIeI7pNeI/NDU2bazrM1oSlgc=;
        fh=2SKFxdFGB77W5apSN/9TdM/rU/Hm2pF+mU76Ncq/s6M=;
        b=Lj6JlVx9TaNSnisb5+3kTOQX2AlcRAMmKxOazRu3w7VHF6HwCqUDM9ym0F9FIOnWIk
         ubV5zbuv2xYL+8Iw+aozgdRsZgfF4Q+/ReFbbXuKDJFqU/EQY8dXd7cJwvLqnZVmPPd8
         t2j+FCykR+tyPhN4yj2bv8hPPz3VVJx7MIkbGGqZIZWiH9RQkxb1gsrgCX0kn5gkOkfk
         C0v+RvSrEEV9pF1LGDmgv9IkO9WGmbw3gorMyaUNaSBuN9frKWTyaGAk/ERTKv4Lhi6U
         9X07otN6KJG4c2pi4Q7+s+6PGcaKScW+6y0wWJkBxF/tkAIbal4RKUmggnmeh8uQonhf
         DvbA==;
        darn=vger.kernel.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1771601227; x=1772206027;
 darn=vger.kernel.org;
        h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=o0TiPXB0oN2yuUioB6DIeI7pNeI/NDU2bazrM1oSlgc=;
        b=ErcyzmzVTNUnMPN7ihanSLxlbFg1sBXZCBAwMUYach2yVyGfOf53cdAqj6EO+jevj5
         4LQjPXdrubQeIRkX4IGRbDKynKN9wdx8apW40Wp8ZpXguuNtSmye+gTjccIlKfPygk6e
         TQ72xvVqe1EN0Ii3L2n7XYw9JE/wnylkpkKGnPwNl6R9WVcwKHZAub3G93E5hhKD9od7
         TUgdt+lH+/qTe5BPRl3eujEFeKGz8Kr3tZr633AbRdplGR4NI/CVxDG7FRnaxQgS8VRS
         Pn1fb8uAHfp9aSXkL4O/cya9xzsvyfd/Ohzm43D2dH3q4pKSdF+aa8WKHihXdOQtP846
         73Fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1771601227; x=1772206027;
        h=cc:to:subject:message-id:date:from:mime-version:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=o0TiPXB0oN2yuUioB6DIeI7pNeI/NDU2bazrM1oSlgc=;
        b=WDjLDvxvrxN7Eww3rn1Z8YS3spSdYcTpF2xQLgFsaP0s9pY6AEPs+Kg9zw2pXYvS9u
         TW6KtJ6cPWOVjbiZzwFMlhlMISCzyCHkEPI/HGYG4dqcu7lfi7d9E7bAe42EIcsEfovm
         LzkQPLdUmywcOxmeos2dB1ovlWJiH39tT7DH1ivGnk0b6FbF3VDS/FLX061y+LRCjvlL
         DR67EZ97Saz/+y9Ma0hq1lTOgyvmckmRZ9YHwWsATy4CRMQqpc2Qy5s8FaJRpJcyEC5H
         nhOpGsUFHIAhSAvG+QvUvSxVc49G7662pp6gE74zP5svQjUu1CsBF8o5iFyTPycYBwQl
         Kybg==
X-Forwarded-Encrypted: i=1;
 AJvYcCWv33FLYwfUhvXhkMUfmOxXd6izKEOED6LO3AXovciqfhR/SQ9dDd2tea6CWzz+AMYE2sdzlhhcg88xj3Y=@vger.kernel.org
X-Gm-Message-State: AOJu0YzTpPtwk40ieLefpqCtwt+785go39xOhQzbz7bv0s8u2S4QHERB
	ur6sRQp2T7qnCha0lepOvRrq4QsK6UFxGUUnF8zaXJ/etkodL3Qmi8Urodpw43YPmkRRRpprDC5
	6J6hfwaMbPVVTGXABhOG46wKIS+ho4io=
X-Gm-Gg: AZuq6aLmKlEYPPyM878gRaBj4E6+PYXN1z3z4lApY0UVJccwDCv+2Qi2YdxwpYrwocd
	bwOg7HPLIK3pwmWTtLSOSLpyrKtE9SbcL9xwvatK4x7bUv0DFNjs65DVlqFNSBUk8kbp3psO1c9
	1syeUP/4z91HHoq5mZ29OvQn8LmMFaS4qwgBYO4iyj7JoPSGhWPO00rDSzhpCzFAbXZltUxcBfr
	4TJB2pejXxkRAq0ma6y0Wqg9hZWWrV4jcicF56Bkd4cMXKhu7f1ulZJOt6iIYDoKTs2Msq0SS1N
	2l3mV6/J
X-Received: by 2002:a05:622a:1496:b0:4f0:23b6:c285 with SMTP id
 d75a77b69052e-5070bc66bddmr1796141cf.41.1771601226964; Fri, 20 Feb 2026
 07:27:06 -0800 (PST)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
From: Sam Sun <samsun1006219@gmail.com>
Date: Fri, 20 Feb 2026 23:26:55 +0800
X-Gm-Features: AaiRm52yx-PyPTkPT3wX7239FVtI6OjtptnFf6W3hkj9qSQyow-oTgRTUL2gPNI
Message-ID: 
 <CAEkJfYPTt3uP1vAYnQ5V2ZWn5O9PLhhGi5HbOcAzyP9vbXyjeg@mail.gmail.com>
Subject: [Linux bug] WARNING in quota_release_workfn
To: jack@suse.com, linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Dear developers and maintainers,

We hit the following WARNING while running a modified syzkaller on
v6.19 (commit 2961f841b025). We use the kernel config on syzbot to
compile the kernel
(https://syzkaller.appspot.com/text?tag=3DKernelConfig&x=3De2f061f80b102378=
),
unfortunately no reproducer is available now. The bug was previously
reported by syzbot and marked as invalid due to no more occurrence
(https://syzkaller.appspot.com/bug?extid=3D0b3a51c4b82c0d16d60d):

------------[ cut here ]------------
atomic_read(&dquot->dq_count)
WARNING: fs/quota/dquot.c:829 at quota_release_workfn+0x6cf/0x980
fs/quota/dquot.c:829, CPU#1: kworker/u10:7/11898
Modules linked in:
CPU: 1 UID: 0 PID: 11898 Comm: kworker/u10:7 Tainted: G             L
    6.19.0-11564-g2961f841b025-dirty #18 PREEMPT(full)
Tainted: [L]=3DSOFTLOCKUP
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/=
2014
Workqueue: quota_events_unbound quota_release_workfn
RIP: 0010:quota_release_workfn+0x6cf/0x980 fs/quota/dquot.c:829
Code: c3 cc cc cc cc e8 21 63 5b ff be 08 00 00 00 4c 89 e7 e8 84 cf
c5 ff f0 80 a3 10 01 00 00 bf e9 c2 fe ff ff e8 02 63 5b ff 90 <0f> 0b
90 e9 ca fa ff ff e8 f4 62 5b ff 48 c7 c7 40 6a 21 8e e8 08
RSP: 0018:ffa00000099e7b98 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ff110000418f9620 RCX: ffffffff82637d58
RDX: ff1100011034a4c0 RSI: ffffffff8263828e RDI: 0000000000000005
RBP: dffffc0000000000 R08: 0000000000000000 R09: ffe21c000831f2e2
R10: 0000000000000002 R11: 0000000000000086 R12: 0000000000000002
R13: ffffffff90b7aa54 R14: 0000000000000001 R15: ff110000418f9600
FS:  0000000000000000(0000) GS:ff110001a1195000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff39e0723f0 CR3: 0000000027620000 CR4: 0000000000753ef0
PKRU: 55555554
Call Trace:
 <TASK>
 process_one_work+0x9fb/0x1d00 kernel/workqueue.c:3349
 process_scheduled_works kernel/workqueue.c:3448 [inline]
 worker_thread+0x67e/0xe90 kernel/workqueue.c:3529
 kthread+0x38d/0x4a0 kernel/kthread.c:467
 ret_from_fork+0xb32/0xde0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>


The WARN_ON_ONCE at dquot.c:829 fires inside quota_release_workfn() when
a dquot on the releasing list has dq_count !=3D 0:

    WARN_ON_ONCE(atomic_read(&dquot->dq_count));

We analyzed the root cause of this warning, and doubt this is a race
between dquot_scan_active() and quota_release_workfn(). dqput() drops
dq_count to 0 immediately (while DQ_ACTIVE_B is still set) and marks
the dquot with DQ_RELEASING_B. Several places were updated to check
DQ_RELEASING_B accordingly (invalidate_dquots,
dquot_writeback_dquots), but dquot_scan_active() was not.

The race window is as follows:

  CPU0 (quota_release_workfn)         CPU1 (dquot_scan_active)
  =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D      =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
  spin_lock(&dq_list_lock);
  list_replace_init(
    &releasing_dquots, &rls_head);
    /* dquot X on rls_head,
       dq_count =3D=3D 0,
       DQ_ACTIVE_B still set */
  spin_unlock(&dq_list_lock);
  synchronize_srcu(&dquot_srcu);
    /* takes a while... */
                                      spin_lock(&dq_list_lock);
                                      list_for_each_entry(dquot,
                                          &inuse_list, dq_inuse) {
                                        /* finds dquot X */
                                        dquot_active(X) -> true
                                        /* DQ_RELEASING_B not checked! */
                                        atomic_inc(&X->dq_count);
                                        /* X still on rls_head,
                                           dq_count is now 1 */
                                      }
                                      spin_unlock(&dq_list_lock);
  /* srcu done */
  spin_lock(&dq_list_lock);
  dquot =3D list_first_entry(&rls_head);
  WARN_ON_ONCE(atomic_read(
    &dquot->dq_count));
    /* dq_count =3D=3D 1 -> WARN! */

dquot_scan_active() increments dq_count on a dquot it finds via
inuse_list without checking DQ_RELEASING_B and without calling
remove_free_dquot(). The dquot thus remains on the worker's rls_head
list with a non-zero reference count.

A possible fix could add a DQ_RELEASING_B check to dquot_scan_active(), sim=
ilar
to what was done for invalidate_dquots() and dquot_writeback_dquots() in
commit 869b6ea1609f. Something like:

--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -639,6 +639,14 @@ int dquot_scan_active(struct super_block *sb,
         if (dquot->dq_sb !=3D sb)
             continue;
- /* Now we have active dquot so we can just increase use count */
+ /*
+ * dquot is being released via quota_release_workfn().
+ * Skip it - it will be cleaned up by the worker.
+ */
+ if (test_bit(DQ_RELEASING_B, &dquot->dq_flags))
+ continue;
+ if (!atomic_read(&dquot->dq_count))
+ remove_free_dquot(dquot);
+ /* Now we have active dquot, increase use count */
         atomic_inc(&dquot->dq_count);


If you have any questions, please let me know.

Best Regards,
Yue