{"id":"CVE-2022-49014","summary":"net: tun: Fix use-after-free in tun_detach()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Fix use-after-free in tun_detach()\n\nsyzbot reported use-after-free in tun_detach() [1].  This causes call\ntrace like below:\n\n==================================================================\nBUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75\nRead of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673\n\nCPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x15e/0x461 mm/kasan/report.c:395\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:495\n notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75\n call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942\n call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]\n call_netdevice_notifiers net/core/dev.c:1997 [inline]\n netdev_wait_allrefs_any net/core/dev.c:10237 [inline]\n netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351\n tun_detach drivers/net/tun.c:704 [inline]\n tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467\n __fput+0x27c/0xa90 fs/file_table.c:320\n task_work_run+0x16f/0x270 kernel/task_work.c:179\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xb3d/0x2a30 kernel/exit.c:820\n do_group_exit+0xd4/0x2a0 kernel/exit.c:950\n get_signal+0x21b1/0x2440 kernel/signal.c:2858\n arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869\n exit_to_user_mode_loop kernel/entry/common.c:168 [inline]\n exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296\n do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe cause of the issue is that sock_put() from __tun_detach() drops\nlast reference count for struct net, and then notifier_call_chain()\nfrom netdev_state_change() accesses that struct net.\n\nThis patch fixes the issue by calling sock_put() from tun_detach()\nafter all necessary accesses for the struct net has done.","modified":"2026-05-12T03:52:34.201176Z","published":"2024-10-21T20:06:24.020Z","related":["SUSE-SU-2024:3983-1","SUSE-SU-2024:3985-1","SUSE-SU-2024:4081-1","SUSE-SU-2024:4082-1","SUSE-SU-2024:4100-1","SUSE-SU-2024:4103-1","SUSE-SU-2024:4131-1","SUSE-SU-2024:4140-1","SUSE-SU-2024:4364-1","SUSE-SU-2025:0034-1","SUSE-SU-2025:1213-1","SUSE-SU-2025:1225-1","SUSE-SU-2025:1231-1","SUSE-SU-2025:1236-1","SUSE-SU-2025:1248-1","SUSE-SU-2025:1254-1","SUSE-SU-2025:1259-1","SUSE-SU-2025:1260-1","SUSE-SU-2025:1262-1","SUSE-SU-2025:1278-1","SUSE-SU-2025:4123-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49014.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/04b995e963229501401810dab89dc73e7f12d054"},{"type":"WEB","url":"https://git.kernel.org/stable/c/16c244bc65d1175775325ec0489a5a5c830e02c7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1f23f1890d91812c35d32eab1b49621b6d32dc7b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4cde8da2d814a3b7b176db81922d4ddaad7c0f0e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5daadc86f27ea4d691e2131c04310d0418c6cd12"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5f442e1d403e0496bacb74a58e2be7f500695e6f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49014.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49014"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"83c1f36f9880814b24cdf6c2f91f66f61db65326"},{"fixed":"1f23f1890d91812c35d32eab1b49621b6d32dc7b"},{"fixed":"16c244bc65d1175775325ec0489a5a5c830e02c7"},{"fixed":"5f442e1d403e0496bacb74a58e2be7f500695e6f"},{"fixed":"04b995e963229501401810dab89dc73e7f12d054"},{"fixed":"4cde8da2d814a3b7b176db81922d4ddaad7c0f0e"},{"fixed":"5daadc86f27ea4d691e2131c04310d0418c6cd12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49014.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.17.0"},{"fixed":"4.19.268"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.226"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.158"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.82"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.0.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49014.json"}}],"schema_version":"1.7.5"}