Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-50516— fs: dlm: fix invalid derefence of sb_lvbptr

EPSS 0.03% · P8

Affected Version Matrix 12

VendorProductVersion RangeStatus
LinuxLinuxe7fd41792fc0ee52a05fcaac87511f118328d147< ef3033b435a6bac547166b793025578fab2f9df3affected
e7fd41792fc0ee52a05fcaac87511f118328d147< ea7be82fd7e1f5de72208bce93fbbe6de6c13decaffected
e7fd41792fc0ee52a05fcaac87511f118328d147< 1ab6d3030652b5de0015176a5b0ad9df9b847514affected
e7fd41792fc0ee52a05fcaac87511f118328d147< 57c1cfb5781068e5d3632bc6e5f74a8fcc4f1a30affected
e7fd41792fc0ee52a05fcaac87511f118328d147< 7175e131ebba47afef47e6ac4d5bab474d1e6e49affected
2.6.19affected
< 2.6.19unaffected
5.10.251≤ 5.10.*unaffected
… +4 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-50516

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
fs: dlm: fix invalid derefence of sb_lvbptr
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: fs: dlm: fix invalid derefence of sb_lvbptr I experience issues when putting a lkbsb on the stack and have sb_lvbptr field to a dangled pointer while not using DLM_LKF_VALBLK. It will crash with the following kernel message, the dangled pointer is here 0xdeadbeef as example: [ 102.749317] BUG: unable to handle page fault for address: 00000000deadbeef [ 102.749320] #PF: supervisor read access in kernel mode [ 102.749323] #PF: error_code(0x0000) - not-present page [ 102.749325] PGD 0 P4D 0 [ 102.749332] Oops: 0000 [#1] PREEMPT SMP PTI [ 102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G W 5.19.0-rc3+ #1565 [ 102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014 [ 102.749344] RIP: 0010:memcpy_erms+0x6/0x10 [ 102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe [ 102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202 [ 102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040 [ 102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070 [ 102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001 [ 102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70 [ 102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001 [ 102.749368] FS: 0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000 [ 102.749372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0 [ 102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 102.749379] PKRU: 55555554 [ 102.749381] Call Trace: [ 102.749382] <TASK> [ 102.749383] ? send_args+0xb2/0xd0 [ 102.749389] send_common+0xb7/0xd0 [ 102.749395] _unlock_lock+0x2c/0x90 [ 102.749400] unlock_lock.isra.56+0x62/0xa0 [ 102.749405] dlm_unlock+0x21e/0x330 [ 102.749411] ? lock_torture_stats+0x80/0x80 [dlm_locktorture] [ 102.749416] torture_unlock+0x5a/0x90 [dlm_locktorture] [ 102.749419] ? preempt_count_sub+0xba/0x100 [ 102.749427] lock_torture_writer+0xbd/0x150 [dlm_locktorture] [ 102.786186] kthread+0x10a/0x130 [ 102.786581] ? kthread_complete_and_exit+0x20/0x20 [ 102.787156] ret_from_fork+0x22/0x30 [ 102.787588] </TASK> [ 102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw [ 102.792536] CR2: 00000000deadbeef [ 102.792930] ---[ end trace 0000000000000000 ]--- This patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags is set when copying the lvbptr array instead of if it's just null which fixes for me the issue. I think this patch can fix other dlm users as well, depending how they handle the init, freeing memory handling of sb_lvbptr and don't set DLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a hidden issue all the time. However with checking on DLM_LKF_VALBLK the user always need to provide a sb_lvbptr non-null value. There might be more intelligent handling between per ls lvblen, DLM_LKF_VALBLK and non-null to report the user the way how DLM API is used is wrong but can be added for later, this will only fix the current behaviour.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于无效引用sb_lvbptr,可能导致空指针取消引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux e7fd41792fc0ee52a05fcaac87511f118328d147 ~ ef3033b435a6bac547166b793025578fab2f9df3 -
LinuxLinux 2.6.19 -

II. Public POCs for CVE-2022-50516

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2022-50516

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-10-07 · 118 CVEs total

CVE-2022-50544usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()
CVE-2023-53658spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
CVE-2023-53657ice: Don't tx before switchdev is fully configured
CVE-2023-53656drivers/perf: hisi: Don't migrate perf to the CPU going to teardown
CVE-2023-53655rcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-ed
CVE-2022-50555tipc: fix a null-ptr-deref in tipc_topsrv_accept
CVE-2022-50554blk-mq: avoid double ->queue_rq() because of early timeout
CVE-2022-50553tracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx'
CVE-2022-50552blk-mq: use quiesced elevator switch when reinitializing queues
CVE-2022-50551wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
CVE-2022-50550blk-iolatency: Fix memory leak on add_disk() failures
CVE-2022-50549dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata
CVE-2022-50547media: solo6x10: fix possible memory leak in solo_sysfs_init()
CVE-2022-50548media: i2c: hi846: Fix memory leak in hi846_parse_dt()
CVE-2022-50546ext4: fix uninititialized value in 'ext4_evict_inode'
CVE-2023-53654octeontx2-af: Add validation before accessing cgx and lmac
CVE-2022-50537firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()
CVE-2022-50536bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
CVE-2022-50535drm/amd/display: Fix potential null-deref in dm_resume
CVE-2023-53652vdpa: Add features attr to vdpa_nl_policy for nlattr length check

Showing top 20 of 118 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2022-50516

No comments yet

Leave a comment