CVE-2025-40196
Description
In the Linux kernel, the following vulnerability has been resolved:
fs: quota: create dedicated workqueue for quota_release_work
There is a kernel panic due to WARN_ONCE when panic_on_warn is set.
This issue occurs when writeback is triggered due to a sync call for an opened file (i.e., writeback reason is WB_REASON_SYNC). When f2fs balance is needed at the sync path, a flush for quota_release_work is triggered. By default quota_release_work is queued to the "events_unbound" queue, which does not have the WQ_MEM_RECLAIM flag. During f2fs balance, the "writeback" workqueue tries to flush quota_release_work, causing a kernel panic due to MEM_RECLAIM flag mismatch errors.
This patch creates a dedicated workqueue with the WQ_MEM_RECLAIM flag for the work quota_release_work.
------------[ cut here ]------------
WARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148
Call trace:
 check_flush_dependency+0x13c/0x148
 __flush_work+0xd0/0x398
 flush_delayed_work+0x44/0x5c
 dquot_writeback_dquots+0x54/0x318
 f2fs_do_quota_sync+0xb8/0x1a8
 f2fs_write_checkpoint+0x3cc/0x99c
 f2fs_gc+0x190/0x750
 f2fs_balance_fs+0x110/0x168
 f2fs_write_single_data_page+0x474/0x7dc
 f2fs_write_data_pages+0x7d0/0xd0c
 do_writepages+0xe0/0x2f4
 __writeback_single_inode+0x44/0x4ac
 writeback_sb_inodes+0x30c/0x538
 wb_writeback+0xf4/0x440
 wb_workfn+0x128/0x5d4
 process_scheduled_works+0x1c4/0x45c
 worker_thread+0x32c/0x3e8
 kthread+0x11c/0x1b0
 ret_from_fork+0x10/0x20
Kernel panic - not syncing: kernel: panic_on_warn set ...
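Added example (not part of the kernel commit or of this page's source): a Python triage helper that checks whether a check_flush_dependency warning in a saved kernel log went through the quota flush path shown in the trace above, and whether panic_on_warn turned it into a panic. The sample log is constructed from that trace (abridged), and example_driver_remove is a hypothetical function name used only for the negative case.

```python
import re

# Constructed input: the page's trace (abridged, one frame per line) plus a
# made-up negative case; example_driver_remove is a hypothetical function name.
SAMPLE_LOG = """\
WARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148
Call trace:
 check_flush_dependency+0x13c/0x148
 __flush_work+0xd0/0x398
 flush_delayed_work+0x44/0x5c
 dquot_writeback_dquots+0x54/0x318
 f2fs_do_quota_sync+0xb8/0x1a8
 wb_workfn+0x128/0x5d4
Kernel panic - not syncing: kernel: panic_on_warn set ...
WARNING: CPU: 1 PID: 200 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148
Call trace:
 check_flush_dependency+0x13c/0x148
 __flush_work+0xd0/0x398
 example_driver_remove+0x20/0x40
"""

WARN = re.compile(r"WARNING: .* at (\S+):\d+ (\w+)\+0x")
FRAME = re.compile(r"^\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
# Frames, innermost first, that identify the quota flush path in the trace.
SIGNATURE = ("check_flush_dependency", "flush_delayed_work", "dquot_writeback_dquots")

def split_reports(log):
    """Group log lines into warning reports: warning site, frames, panic flag."""
    reports = []
    for line in log.splitlines():
        m = WARN.search(line)
        if m:
            reports.append({"site": m.group(2), "frames": [], "panic": False})
        elif reports:
            f = FRAME.match(line)
            if f:
                reports[-1]["frames"].append(f.group(1))
            elif "panic_on_warn set" in line:
                reports[-1]["panic"] = True
    return reports

def classify(report):
    """Label one report; SIGNATURE must appear in order within the frames."""
    frames = iter(report["frames"])
    on_quota_path = all(fn in frames for fn in SIGNATURE)
    if report["site"] != "check_flush_dependency" or not on_quota_path:
        return "unrelated"
    return "quota-flush-panic" if report["panic"] else "quota-flush-warning"

def triage(log):
    return [classify(r) for r in split_reports(log)]
```

Pass the text of a saved kernel log to triage(); a "quota-flush-warning" result means the same code path was hit on a host where the warning did not escalate to a panic.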
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A kernel panic in Linux quota subsystem due to WARN_ONCE when quota_release_work is flushed during writeback; fixed by creating dedicated workqueue with WQ_MEM_RECLAIM flag.
The vulnerability is a kernel panic triggered in the Linux kernel's quota subsystem when panic_on_warn is enabled. The root cause is that quota_release_work was queued to the global events_unbound workqueue, which lacks the WQ_MEM_RECLAIM flag. When a flush operation is attempted from a context that expects reclaim-safe workqueues, the WARN_ONCE in check_flush_dependency fires, leading to a kernel panic if panic_on_warn is set.
The issue is triggered via a specific I/O path. When writeback is initiated by a sync call (writeback reason WB_REASON_SYNC) and f2fs (a flash-friendly file system) triggers a balance operation, a quota sync is performed. This calls dquot_writeback_dquots, which tries to flush quota_release_work. Because the work was scheduled on events_unbound without WQ_MEM_RECLAIM, and the flushing context (f2fs writeback) is itself a reclaim path, the kernel detects a dependency violation and issues a warning.
The impact is severe: on systems with panic_on_warn enabled (common in production for reliability), the warning causes an immediate kernel panic, resulting in denial of service. Even without panic_on_warn, the warning may indicate potential deadlocks or system instability. The vulnerability affects all kernels using the quota subsystem with f2fs, particularly during synchronous writeback scenarios.
The fix involves creating a dedicated workqueue quota_release_wq with the WQ_MEM_RECLAIM flag, ensuring that flushing from reclaim contexts is safe. The patches have been applied to the Linux kernel stable branches as commits [1] and [2]. Users should apply the latest stable kernel updates to mitigate this issue.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4 (f846eacde280, f12039df1515, 8a09a62f0c8c, 72b7ceca857f)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.