CVE-2022-49337: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock When user_dlm_destroy_lock failed, it didn't clean up the flags it set before exit. For USER_LOCK_IN_TEARDOWN, if this function fails because of lock is still in used, next time when unlink invokes this function, it will return succeed, and then unlink will remove inode and dentry if lock is not in used(file closed), but the dlm lock is still linked in dlm lock resource, then when bast come in, it will trigger a panic due to user-after-free. See the following panic call trace. To fix this, USER_LOCK_IN_TEARDOWN should be reverted if fail. And also error should be returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink fail. For the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN, USER_LOCK_BUSY is also required to be cleared. Even though spin lock is released in between, but USER_LOCK_IN_TEARDOWN is still set, for USER_LOCK_BUSY, if before every place that waits on this flag, USER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow waits on the busy flag set by user_dlm_destroy_lock(), then we can simplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails. Fix user_dlm_cluster_lock() which is the only function not following this. [ 941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink 004fb0000060000b5a90b8c847b72e1, error -16 from destroy [ 989.757536] ------------[ cut here ]------------ [ 989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173! [ 989.757876] invalid opcode: 0000 [#1] SMP [ 989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O) ksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc xen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5 auth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc fcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc rds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE) mlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad ib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support pcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si ipmi_msghandler [ 989.760686] ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp pps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ksplice_2zhuk2jr_ib_ipoib_old] [ 989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P OE 4.1.12-124.57.1.el6uek.x86_64 #2 [ 989.762290] Hardware name: Oracle Corporation ORACLE SERVER X5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021 [ 989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti: ffff88017f7c8000 [ 989.762848] RIP: e030:[<ffffffffc07d4316>] [<ffffffffc07d4316>] __user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs] [ 989.763185] RSP: e02b:ffff88017f7cbcb8 EFLAGS: 00010246 [ 989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX: 0000000000000003 [ 989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI: ffff880174d48170 [ 989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09: 0000000000000000 [ 989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12: ffff880174d48008 [ 989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15: ffff88021db7a000 [ 989.764422] FS: 0000000000000000(0000) GS:ffff880247480000(0000) knlGS:ffff880247480000 [ 989.764685] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4: 0000000000042660 [ 989.765081] Stack: [ 989.765167] 00000000000 ---truncated---
AI Analysis
Technical Summary
CVE-2022-49337 is a vulnerability in the Linux kernel specifically affecting the OCFS2 (Oracle Cluster File System version 2) distributed lock manager filesystem (dlmfs) component. The flaw arises from improper error handling in the user_dlm_destroy_lock function. When this function fails to destroy a lock because the lock is still in use, it does not properly clean up the flags it sets, particularly USER_LOCK_IN_TEARDOWN. This improper cleanup causes subsequent unlink operations to incorrectly succeed, leading to the removal of inode and dentry structures even though the distributed lock (dlm lock) remains linked to the lock resource. This inconsistency results in a use-after-free condition when the lock resource is accessed later, triggering a kernel panic and system crash. The vulnerability also involves improper handling of the USER_LOCK_BUSY flag during ocfs2_dlm_unlock failure, which can cause waiting flows to stall or behave incorrectly. The root cause is that the flags USER_LOCK_IN_TEARDOWN and USER_LOCK_BUSY are not reverted or cleared properly on failure paths, leading to inconsistent lock states and kernel instability. The vulnerability can cause denial of service (DoS) through kernel panic and system crash. The provided kernel panic trace shows the failure occurring in the userdlm.c source file, confirming the critical nature of the flaw in the OCFS2 distributed lock manager. The vulnerability affects Linux kernel versions containing the flawed OCFS2 dlmfs implementation prior to the patch. No known exploits are reported in the wild yet, and no CVSS score has been assigned. The vulnerability requires local interaction with the OCFS2 filesystem and the distributed lock manager interface, implying that exploitation requires access to systems using OCFS2 with distributed locking enabled. This flaw is particularly relevant for clustered Linux environments using OCFS2 for shared storage, such as Oracle RAC clusters or other high-availability setups relying on OCFS2. The vulnerability was published on 26 February 2025 and is marked as resolved in newer kernel versions by fixing the error handling to revert flags and return appropriate errors to the user space.
Potential Impact
For European organizations, the impact of CVE-2022-49337 can be significant in environments that utilize OCFS2 for clustered file systems, particularly in sectors relying on high-availability and shared storage solutions such as financial services, telecommunications, cloud service providers, and large enterprises running Oracle RAC or similar clustered database systems. The vulnerability can lead to kernel panics and denial of service, causing unplanned downtime, data unavailability, and potential disruption of critical business operations. Since OCFS2 is used in clustered environments, the failure of one node due to this vulnerability can impact the entire cluster's stability and availability. This could result in cascading failures or degraded performance in distributed applications. Additionally, the use-after-free condition could theoretically be leveraged for privilege escalation or arbitrary code execution by a skilled attacker with local access, although no such exploits are currently known. The requirement for local access limits remote exploitation but insider threats or compromised accounts could trigger the vulnerability. The impact on confidentiality is low, but integrity and availability are at risk due to potential data corruption or loss caused by improper unlink operations and system crashes. Organizations in Europe with critical infrastructure or regulated industries must prioritize patching to maintain compliance and operational continuity.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2022-49337 as soon as they become available from trusted sources or Linux distribution vendors. 2. For organizations using OCFS2 in clustered environments, schedule maintenance windows to update kernel versions to patched releases to avoid disruption. 3. Monitor kernel logs and system messages for signs of dlmfs unlink errors or kernel panics related to OCFS2 to detect attempts to trigger the vulnerability. 4. Restrict local access to systems running OCFS2 to trusted administrators and users only, minimizing the risk of exploitation by unauthorized personnel. 5. Implement strict access controls and auditing on clustered file systems to detect anomalous unlink or lock operations. 6. Consider alternative cluster file systems or distributed lock managers if patching is delayed and risk is unacceptable. 7. Engage with Linux distribution security advisories and subscribe to vulnerability notifications to stay informed about updates and mitigations. 8. Test patches in staging environments replicating production cluster configurations to ensure stability before deployment. 9. Harden kernel parameters and enable security modules (e.g., SELinux, AppArmor) to reduce the attack surface and contain potential exploitation attempts. 10. Document and rehearse incident response procedures for kernel panic or cluster node failures to minimize downtime and data loss.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
CVE-2022-49337: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock When user_dlm_destroy_lock failed, it didn't clean up the flags it set before exit. For USER_LOCK_IN_TEARDOWN, if this function fails because of lock is still in used, next time when unlink invokes this function, it will return succeed, and then unlink will remove inode and dentry if lock is not in used(file closed), but the dlm lock is still linked in dlm lock resource, then when bast come in, it will trigger a panic due to user-after-free. See the following panic call trace. To fix this, USER_LOCK_IN_TEARDOWN should be reverted if fail. And also error should be returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink fail. For the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN, USER_LOCK_BUSY is also required to be cleared. Even though spin lock is released in between, but USER_LOCK_IN_TEARDOWN is still set, for USER_LOCK_BUSY, if before every place that waits on this flag, USER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow waits on the busy flag set by user_dlm_destroy_lock(), then we can simplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails. Fix user_dlm_cluster_lock() which is the only function not following this. [ 941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink 004fb0000060000b5a90b8c847b72e1, error -16 from destroy [ 989.757536] ------------[ cut here ]------------ [ 989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173! [ 989.757876] invalid opcode: 0000 [#1] SMP [ 989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O) ksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc xen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5 auth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc fcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc rds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE) mlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad ib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support pcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si ipmi_msghandler [ 989.760686] ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp pps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ksplice_2zhuk2jr_ib_ipoib_old] [ 989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P OE 4.1.12-124.57.1.el6uek.x86_64 #2 [ 989.762290] Hardware name: Oracle Corporation ORACLE SERVER X5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021 [ 989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti: ffff88017f7c8000 [ 989.762848] RIP: e030:[<ffffffffc07d4316>] [<ffffffffc07d4316>] __user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs] [ 989.763185] RSP: e02b:ffff88017f7cbcb8 EFLAGS: 00010246 [ 989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX: 0000000000000003 [ 989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI: ffff880174d48170 [ 989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09: 0000000000000000 [ 989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12: ffff880174d48008 [ 989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15: ffff88021db7a000 [ 989.764422] FS: 0000000000000000(0000) GS:ffff880247480000(0000) knlGS:ffff880247480000 [ 989.764685] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4: 0000000000042660 [ 989.765081] Stack: [ 989.765167] 00000000000 ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2022-49337 is a vulnerability in the Linux kernel specifically affecting the OCFS2 (Oracle Cluster File System version 2) distributed lock manager filesystem (dlmfs) component. The flaw arises from improper error handling in the user_dlm_destroy_lock function. When this function fails to destroy a lock because the lock is still in use, it does not properly clean up the flags it sets, particularly USER_LOCK_IN_TEARDOWN. This improper cleanup causes subsequent unlink operations to incorrectly succeed, leading to the removal of inode and dentry structures even though the distributed lock (dlm lock) remains linked to the lock resource. This inconsistency results in a use-after-free condition when the lock resource is accessed later, triggering a kernel panic and system crash. The vulnerability also involves improper handling of the USER_LOCK_BUSY flag during ocfs2_dlm_unlock failure, which can cause waiting flows to stall or behave incorrectly. The root cause is that the flags USER_LOCK_IN_TEARDOWN and USER_LOCK_BUSY are not reverted or cleared properly on failure paths, leading to inconsistent lock states and kernel instability. The vulnerability can cause denial of service (DoS) through kernel panic and system crash. The provided kernel panic trace shows the failure occurring in the userdlm.c source file, confirming the critical nature of the flaw in the OCFS2 distributed lock manager. The vulnerability affects Linux kernel versions containing the flawed OCFS2 dlmfs implementation prior to the patch. No known exploits are reported in the wild yet, and no CVSS score has been assigned. The vulnerability requires local interaction with the OCFS2 filesystem and the distributed lock manager interface, implying that exploitation requires access to systems using OCFS2 with distributed locking enabled. This flaw is particularly relevant for clustered Linux environments using OCFS2 for shared storage, such as Oracle RAC clusters or other high-availability setups relying on OCFS2. The vulnerability was published on 26 February 2025 and is marked as resolved in newer kernel versions by fixing the error handling to revert flags and return appropriate errors to the user space.
Potential Impact
For European organizations, the impact of CVE-2022-49337 can be significant in environments that utilize OCFS2 for clustered file systems, particularly in sectors relying on high-availability and shared storage solutions such as financial services, telecommunications, cloud service providers, and large enterprises running Oracle RAC or similar clustered database systems. The vulnerability can lead to kernel panics and denial of service, causing unplanned downtime, data unavailability, and potential disruption of critical business operations. Since OCFS2 is used in clustered environments, the failure of one node due to this vulnerability can impact the entire cluster's stability and availability. This could result in cascading failures or degraded performance in distributed applications. Additionally, the use-after-free condition could theoretically be leveraged for privilege escalation or arbitrary code execution by a skilled attacker with local access, although no such exploits are currently known. The requirement for local access limits remote exploitation but insider threats or compromised accounts could trigger the vulnerability. The impact on confidentiality is low, but integrity and availability are at risk due to potential data corruption or loss caused by improper unlink operations and system crashes. Organizations in Europe with critical infrastructure or regulated industries must prioritize patching to maintain compliance and operational continuity.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2022-49337 as soon as they become available from trusted sources or Linux distribution vendors. 2. For organizations using OCFS2 in clustered environments, schedule maintenance windows to update kernel versions to patched releases to avoid disruption. 3. Monitor kernel logs and system messages for signs of dlmfs unlink errors or kernel panics related to OCFS2 to detect attempts to trigger the vulnerability. 4. Restrict local access to systems running OCFS2 to trusted administrators and users only, minimizing the risk of exploitation by unauthorized personnel. 5. Implement strict access controls and auditing on clustered file systems to detect anomalous unlink or lock operations. 6. Consider alternative cluster file systems or distributed lock managers if patching is delayed and risk is unacceptable. 7. Engage with Linux distribution security advisories and subscribe to vulnerability notifications to stay informed about updates and mitigations. 8. Test patches in staging environments replicating production cluster configurations to ensure stability before deployment. 9. Harden kernel parameters and enable security modules (e.g., SELinux, AppArmor) to reduce the attack surface and contain potential exploitation attempts. 10. Document and rehearse incident response procedures for kernel panic or cluster node failures to minimize downtime and data loss.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T02:08:31.539Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982dc4522896dcbe56e7
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 6/30/2025, 5:57:59 AM
Last updated: 8/15/2025, 1:09:53 AM
Views: 14
Related Threats
CVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode
MediumCVE-2025-8464: CWE-23 Relative Path Traversal in glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7
MediumCVE-2025-7499: CWE-862 Missing Authorization in wpdevteam BetterDocs – Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers
MediumCVE-2025-8898: CWE-862 Missing Authorization in magepeopleteam E-cab Taxi Booking Manager for Woocommerce
CriticalCVE-2025-8896: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.