CVE-2025-40196

Summary

In the Linux kernel, the following vulnerability has been resolved:

fs: quota: create dedicated workqueue for quota_release_work

There is a kernel panic due to WARN_ONCE when panic_on_warn is set.

This issue occurs when writeback is triggered due to sync call for an opened file(ie, writeback reason is WB_REASON_SYNC). When f2fs balance is needed at sync path, flush for quota_release_work is triggered. By default quota_release_work is queued to "events_unbound" queue which does not have WQ_MEM_RECLAIM flag. During f2fs balance "writeback" workqueue tries to flush quota_release_work causing kernel panic due to MEM_RECLAIM flag mismatch errors.

This patch creates dedicated workqueue with WQ_MEM_RECLAIM flag for work quota_release_work.

————[ cut here ]———— WARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148 Call trace: check_flush_dependency+0x13c/0x148 __flush_work+0xd0/0x398 flush_delayed_work+0x44/0x5c dquot_writeback_dquots+0x54/0x318 f2fs_do_quota_sync+0xb8/0x1a8 f2fs_write_checkpoint+0x3cc/0x99c f2fs_gc+0x190/0x750 f2fs_balance_fs+0x110/0x168 f2fs_write_single_data_page+0x474/0x7dc f2fs_write_data_pages+0x7d0/0xd0c do_writepages+0xe0/0x2f4 __writeback_single_inode+0x44/0x4ac writeback_sb_inodes+0x30c/0x538 wb_writeback+0xf4/0x440 wb_workfn+0x128/0x5d4 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x11c/0x1b0 ret_from_fork+0x10/0x20 Kernel panic - not syncing: kernel: panic_on_warn set …

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxbcacb52a985f1b6d280f698a470b873dfe52728a < f846eacde280ecc3daedfe001580e3033565179eaffected
LinuxLinux8ea87e34792258825d290f4dc5216276e91cb224 < f12039df1515d5daf7d92e586ece5cefeb39561baffected
LinuxLinuxac6f420291b3fee1113f21d612fa88b628afab5b < 8a09a62f0c8c6123c2f1864ed6d5f9eb144afaf0affected
LinuxLinuxac6f420291b3fee1113f21d612fa88b628afab5b < 72b7ceca857f38a8ca7c5629feffc63769638974affected
LinuxLinuxa5abba5e0e586e258ded3e798fe5f69c66fec198affected
LinuxLinux6f3821acd7c3143145999248087de5fb4b48cf26affected
LinuxLinuxab6cfcf8ed2c7496f55d020b65b1d8cd55d9a2cbaffected
LinuxLinux3e6ff207cd5bd924ad94cd1a7c633bcdac0ba1cbaffected
LinuxLinux6.6.64 < 6.6.114affected
LinuxLinux6.12.4 < 6.12.54affected
LinuxLinux5.4.287 < 5.5affected
LinuxLinux5.10.231 < 5.11affected
LinuxLinux5.15.174 < 5.16affected
LinuxLinux6.1.120 < 6.2affected
LinuxLinux6.13affected
LinuxLinux0 < 6.13unaffected
LinuxLinux6.6.114 <= 6.6.*unaffected
LinuxLinux6.12.54 <= 6.12.*unaffected
LinuxLinux6.17.4 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References