{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49808","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-05-01T14:05:17.226Z","datePublished":"2025-05-01T14:09:34.130Z","dateUpdated":"2026-05-11T19:07:11.386Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:07:11.386Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: don't leak tagger-owned storage on switch driver unbind\n\nIn the initial commit dc452a471dba (\"net: dsa: introduce tagger-owned\nstorage for private and shared data\"), we had a call to\ntag_ops->disconnect(dst) issued from dsa_tree_free(), which is called at\ntree teardown time.\n\nThere were problems with connecting to a switch tree as a whole, so this\ngot reworked to connecting to individual switches within the tree. In\nthis process, tag_ops->disconnect(ds) was made to be called only from\nswitch.c (cross-chip notifiers emitted as a result of dynamic tag proto\nchanges), but the normal driver teardown code path wasn't replaced with\nanything.\n\nSolve this problem by adding a function that does the opposite of\ndsa_switch_setup_tag_protocol(), which is called from the equivalent\nspot in dsa_switch_teardown(). The positioning here also ensures that we\nwon't have any use-after-free in tagging protocol (*rcv) ops, since the\nteardown sequence is as follows:\n\ndsa_tree_teardown\n-> dsa_tree_teardown_master\n   -> dsa_master_teardown\n      -> unsets master->dsa_ptr, making no further packets match the\n         ETH_P_XDSA packet type handler\n-> dsa_tree_teardown_ports\n   -> dsa_port_teardown\n      -> dsa_slave_destroy\n         -> unregisters DSA net devices, there is even a synchronize_net()\n            in unregister_netdevice_many()\n-> dsa_tree_teardown_switches\n   -> dsa_switch_teardown\n      -> dsa_switch_teardown_tag_protocol\n         -> finally frees the tagger-owned storage"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/dsa/dsa2.c"],"versions":[{"version":"7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208","lessThan":"5809fb03942dbac25144db5bebea84fa003ecaca","status":"affected","versionType":"git"},{"version":"7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208","lessThan":"4e0c19fcb8b5323716140fa82b79aa9f60e60407","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/dsa/dsa2.c"],"versions":[{"version":"5.17","status":"affected"},{"version":"0","lessThan":"5.17","status":"unaffected","versionType":"semver"},{"version":"6.0.10","lessThanOrEqual":"6.0.*","status":"unaffected","versionType":"semver"},{"version":"6.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.0.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17","versionEndExcluding":"6.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5809fb03942dbac25144db5bebea84fa003ecaca"},{"url":"https://git.kernel.org/stable/c/4e0c19fcb8b5323716140fa82b79aa9f60e60407"}],"title":"net: dsa: don't leak tagger-owned storage on switch driver unbind","x_generator":{"engine":"bippy-1.2.0"}}}}