Lucene search
K

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-989782)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

Kernel fix for blk-iolatency inflight requests counting and hangs when offline.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(273719);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2022-49394");

  script_name(english:"Unity Linux 20.1070e Security Update: kernel (UTSA-2025-989782)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-989782 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    blk-iolatency: Fix inflight count imbalances and IO hangs on offline

    iolatency needs to track the number of inflight IOs per cgroup. As this
    tracking can be expensive, it is disabled when no cgroup has iolatency
    configured for the device. To ensure that the inflight counters stay
    balanced, iolatency_set_limit() freezes the request_queue while manipulating
    the enabled counter, which ensures that no IO is in flight and thus all
    counters are zero.

    Unfortunately, iolatency_set_limit() isn't the only place where the enabled
    counter is manipulated. iolatency_pd_offline() can also dec the counter and
    trigger disabling. As this disabling happens without freezing the q, this
    can easily happen while some IOs are in flight and thus leak the counts.

    This can be easily demonstrated by turning on iolatency on an one empty
    cgroup while IOs are in flight in other cgroups and then removing the
    cgroup. Note that iolatency shouldn't have been enabled elsewhere in the
    system to ensure that removing the cgroup disables iolatency for the whole
    device.

    The following keeps flipping on and off iolatency on sda:

      echo +io > /sys/fs/cgroup/cgroup.subtree_control
      while true; do
          mkdir -p /sys/fs/cgroup/test
          echo '8:0 target=100000' > /sys/fs/cgroup/test/io.latency
          sleep 1
          rmdir /sys/fs/cgroup/test
          sleep 1
      done

    and there's concurrent fio generating direct rand reads:

      fio --name test --filename=/dev/sda --direct=1 --rw=randread \
          --runtime=600 --time_based --iodepth=256 --numjobs=4 --bs=4k

    while monitoring with the following drgn script:

      while True:
        for css in css_for_each_descendant_pre(prog['blkcg_root'].css.address_of_()):
            for pos in hlist_for_each(container_of(css, 'struct blkcg', 'css').blkg_list):
                blkg = container_of(pos, 'struct blkcg_gq', 'blkcg_node')
                pd = blkg.pd[prog['blkcg_policy_iolatency'].plid]
                if pd.value_() == 0:
                    continue
                iolat = container_of(pd, 'struct iolatency_grp', 'pd')
                inflight = iolat.rq_wait.inflight.counter.value_()
                if inflight:
                    print(f'inflight={inflight} {disk_name(blkg.q.disk).decode(utf-8)} '
                          f'{cgroup_path(css.cgroup).decode(utf-8)}')
        time.sleep(1)

    The monitoring output looks like the following:

      inflight=1 sda /user.slice
      inflight=1 sda /user.slice
      ...
      inflight=14 sda /user.slice
      inflight=13 sda /user.slice
      inflight=17 sda /user.slice
      inflight=15 sda /user.slice
      inflight=18 sda /user.slice
      inflight=17 sda /user.slice
      inflight=20 sda /user.slice
      inflight=19 sda /user.slice <- fio stopped, inflight stuck at 19
      inflight=19 sda /user.slice
      inflight=19 sda /user.slice

    If a cgroup with stuck inflight ends up getting throttled, the throttled IOs
    will never get issued as there's no completion event to wake it up leading
    to an indefinite hang.

    This patch fixes the bug by unifying enable handling into a work item which
    is automatically kicked off from iolatency_set_min_lat_nsec() which is
    called from both iolatency_set_limit() and iolatency_pd_offline() paths.
    Punting to a work item is necessary as iolatency_pd_offline() is called
    under spinlocks while freezing a request_queue requires a sleepable context.

    This also simplifies the code reducing LOC sans the comments and avoids the
    unnecessary freezes which were happening whenever a cgroup's latency target
    is newly set or cleared.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-989782
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e976ce46");
  # https://lore.kernel.org/linux-cve-announce/2025022649-CVE-2022-49394-bcce@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e767995c");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2022-49394");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-49394");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/11/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070e([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070e', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070e',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070e', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Nov 2025 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.15.5
EPSS0.00253
2