{"id":"CVE-2022-49808","summary":"net: dsa: don't leak tagger-owned storage on switch driver unbind","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: don't leak tagger-owned storage on switch driver unbind\n\nIn the initial commit dc452a471dba (\"net: dsa: introduce tagger-owned\nstorage for private and shared data\"), we had a call to\ntag_ops-\u003edisconnect(dst) issued from dsa_tree_free(), which is called at\ntree teardown time.\n\nThere were problems with connecting to a switch tree as a whole, so this\ngot reworked to connecting to individual switches within the tree. In\nthis process, tag_ops-\u003edisconnect(ds) was made to be called only from\nswitch.c (cross-chip notifiers emitted as a result of dynamic tag proto\nchanges), but the normal driver teardown code path wasn't replaced with\nanything.\n\nSolve this problem by adding a function that does the opposite of\ndsa_switch_setup_tag_protocol(), which is called from the equivalent\nspot in dsa_switch_teardown(). The positioning here also ensures that we\nwon't have any use-after-free in tagging protocol (*rcv) ops, since the\nteardown sequence is as follows:\n\ndsa_tree_teardown\n-\u003e dsa_tree_teardown_master\n   -\u003e dsa_master_teardown\n      -\u003e unsets master-\u003edsa_ptr, making no further packets match the\n         ETH_P_XDSA packet type handler\n-\u003e dsa_tree_teardown_ports\n   -\u003e dsa_port_teardown\n      -\u003e dsa_slave_destroy\n         -\u003e unregisters DSA net devices, there is even a synchronize_net()\n            in unregister_netdevice_many()\n-\u003e dsa_tree_teardown_switches\n   -\u003e dsa_switch_teardown\n      -\u003e dsa_switch_teardown_tag_protocol\n         -\u003e finally frees the tagger-owned storage","modified":"2026-05-18T05:55:51.104736362Z","published":"2025-05-01T14:09:34.130Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49808.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4e0c19fcb8b5323716140fa82b79aa9f60e60407"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5809fb03942dbac25144db5bebea84fa003ecaca"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49808.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49808"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208"},{"fixed":"5809fb03942dbac25144db5bebea84fa003ecaca"},{"fixed":"4e0c19fcb8b5323716140fa82b79aa9f60e60407"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49808.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.17.0"},{"fixed":"6.0.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49808.json"}}],"schema_version":"1.7.5"}