{
  "threat_severity" : "Low",
  "public_date" : "2025-11-12T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: fs: quota: create dedicated workqueue for quota_release_work",
    "id" : "2414745",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2414745"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-821",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nfs: quota: create dedicated workqueue for quota_release_work\nThere is a kernel panic due to WARN_ONCE when panic_on_warn is set.\nThis issue occurs when writeback is triggered due to sync call for an\nopened file(ie, writeback reason is WB_REASON_SYNC). When f2fs balance\nis needed at sync path, flush for quota_release_work is triggered.\nBy default quota_release_work is queued to \"events_unbound\" queue which\ndoes not have WQ_MEM_RECLAIM flag. During f2fs balance \"writeback\"\nworkqueue tries to flush quota_release_work causing kernel panic due to\nMEM_RECLAIM flag mismatch errors.\nThis patch creates dedicated workqueue with WQ_MEM_RECLAIM flag\nfor work quota_release_work.\n------------[ cut here ]------------\nWARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148\nCall trace:\ncheck_flush_dependency+0x13c/0x148\n__flush_work+0xd0/0x398\nflush_delayed_work+0x44/0x5c\ndquot_writeback_dquots+0x54/0x318\nf2fs_do_quota_sync+0xb8/0x1a8\nf2fs_write_checkpoint+0x3cc/0x99c\nf2fs_gc+0x190/0x750\nf2fs_balance_fs+0x110/0x168\nf2fs_write_single_data_page+0x474/0x7dc\nf2fs_write_data_pages+0x7d0/0xd0c\ndo_writepages+0xe0/0x2f4\n__writeback_single_inode+0x44/0x4ac\nwriteback_sb_inodes+0x30c/0x538\nwb_writeback+0xf4/0x440\nwb_workfn+0x128/0x5d4\nprocess_scheduled_works+0x1c4/0x45c\nworker_thread+0x32c/0x3e8\nkthread+0x11c/0x1b0\nret_from_fork+0x10/0x20\nKernel panic - not syncing: kernel: panic_on_warn set ...", "A workqueue configuration mismatch was found in the Linux kernel's filesystem quota subsystem during writeback operations. A local user can trigger this issue when f2fs filesystem balancing initiates quota writeback during sync operations, causing the writeback workqueue to flush quota_release_work from the events_unbound queue. Since events_unbound lacks the WQ_MEM_RECLAIM flag while the writeback queue has it, this flag mismatch triggers workqueue dependency warnings and causes kernel panic when panic_on_warn is enabled, resulting in denial of service." ],
  "statement" : "Quota release work is queued to events_unbound (no WQ_MEM_RECLAIM flag) but gets flushed during f2fs writeback from a WQ_MEM_RECLAIM context. This flag mismatch triggers workqueue dependency checks that warn about potential deadlocks—if memory reclaim needs the work to complete but the work needs memory, deadlock could occur. Systems with panic_on_warn turn this warning into a hard panic. The fix creates a dedicated quota workqueue with the proper WQ_MEM_RECLAIM flag.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40196\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40196\nhttps://lore.kernel.org/linux-cve-announce/2025111245-CVE-2025-40196-f1fa@gregkh/T" ],
  "name" : "CVE-2025-40196",
  "csaw" : false
}