Description
There are packages installed that are affected by a vulnerability referenced in the following CVE:
- In the Linux kernel, the following vulnerability has been resolved: blk-iocost: do not WARN if iocg was
already offlined In iocg_pay_debt(), warn is triggered if 'active_list' is empty, which is intended to
confirm iocg is active when it has debt. However, warn can be triggered during a blkcg or disk removal, if
iocg_waitq_timer_fn() is run at that time: WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402
iocg_pay_debt+0x14c/0x190 Call trace: iocg_pay_debt+0x14c/0x190 iocg_kick_waitq+0x438/0x4c0
iocg_waitq_timer_fn+0xd8/0x130 __run_hrtimer+0x144/0x45c __hrtimer_run_queues+0x16c/0x244
hrtimer_interrupt+0x2cc/0x7b0 The warn in this situation is meaningless. Since this iocg is being removed,
the state of the 'active_list' is irrelevant, and 'waitq_timer' is canceled after removing 'active_list'
in ioc_pd_free(), which ensures iocg is freed after iocg_waitq_timer_fn() returns. Therefore, add the
check if iocg was already offlined to avoid warn when removing a blkcg or disk. (CVE-2024-36908)
Plugin Details
Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 5/30/2024