
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-56780 is a vulnerability in the Linux kernel's quota system that was discovered and disclosed in January 2025. The issue affects multiple versions of the Linux kernel, including versions 4.19.295 through 6.13, and involves a race condition in the quota writeback functionality (NVD).
The vulnerability occurs in the quota subsystem's writeback functionality, specifically in the path involving freeze_super(), sync_filesystem(), ext4_sync_fs(), and dquot_writeback_dquots() functions. The issue arises because the quota_release_work queue is not always flushed in this path, leading to a race condition. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).
When triggered, the race results in a WARN_ON: the kernel attempts to flush the workqueue while the filesystem is frozen, which starts a transaction during the frozen state. This primarily affects system stability and can lead to system warnings and potential denial-of-service conditions (Kernel Patch).
The vulnerability has been patched in the Linux kernel by adding code to flush the workqueue during dquot_writeback_dquots(), ensuring no pending workitems remain after freeze. The fix has been backported to multiple stable kernel versions, including 4.19, 5.4, 5.10, 5.15, 6.1, and others (Debian LTS).
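The ordering described above, as an added example that is neither kernel code nor the upstream patch: a deterministic userspace C model of the freeze path with and without the flush. `struct fs_model`, `simulate()` and the per-dquot warning counter are assumptions made for illustration; only the kernel function names in the comments come from the page.

```c
/* Userspace model only: shows why pending release work that survives
 * freeze ends up starting transactions on a frozen filesystem. */
#include <stdbool.h>
#include <stdio.h>

struct fs_model {
    int  pending_release;  /* dquots queued on the deferred release work */
    bool frozen;           /* set once the freeze has completed */
    int  warnings;         /* transactions started while frozen */
};

/* Deferred work item: releasing each dquot starts a transaction. */
static void run_release_work(struct fs_model *fs)
{
    while (fs->pending_release > 0) {
        if (fs->frozen)
            fs->warnings++;          /* stands in for the WARN_ON */
        fs->pending_release--;
    }
}

/* Models dquot_writeback_dquots(), reached through
 * freeze_super() -> sync_filesystem() -> ext4_sync_fs(). */
static void writeback_dquots(struct fs_model *fs, bool flush_release_work)
{
    if (flush_release_work)          /* patched behaviour: drain the queue */
        run_release_work(fs);
}

static void freeze(struct fs_model *fs, bool patched)
{
    writeback_dquots(fs, patched);
    fs->frozen = true;
}

/* Runs the sequence once and returns how many warnings it produced. */
int simulate(int queued_dquots, bool patched)
{
    struct fs_model fs = { .pending_release = queued_dquots };
    freeze(&fs, patched);
    run_release_work(&fs);           /* queue is flushed later, while frozen */
    return fs.warnings;
}

int main(void)
{
    printf("unpatched: %d warning(s)\n", simulate(3, false));
    printf("patched:   %d warning(s)\n", simulate(3, true));
    return 0;
}
```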
Source: This report was generated using AI