CVE-2022-49808

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2025
Last modified:
02/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: don't leak tagger-owned storage on switch driver unbind

In the initial commit dc452a471dba ("net: dsa: introduce tagger-owned
storage for private and shared data"), we had a call to
tag_ops->disconnect(dst) issued from dsa_tree_free(), which is called at
tree teardown time.

There were problems with connecting to a switch tree as a whole, so this
got reworked to connecting to individual switches within the tree. In
this process, tag_ops->disconnect(ds) was made to be called only from
switch.c (cross-chip notifiers emitted as a result of dynamic tag proto
changes), but the normal driver teardown code path wasn't replaced with
anything.

Solve this problem by adding a function that does the opposite of
dsa_switch_setup_tag_protocol(), which is called from the equivalent
spot in dsa_switch_teardown(). The positioning here also ensures that we
won't have any use-after-free in tagging protocol (*rcv) ops, since the
teardown sequence is as follows:

dsa_tree_teardown
-> dsa_tree_teardown_master
   -> dsa_master_teardown
      -> unsets master->dsa_ptr, making no further packets match the
         ETH_P_XDSA packet type handler
-> dsa_tree_teardown_ports
   -> dsa_port_teardown
      -> dsa_slave_destroy
         -> unregisters DSA net devices, there is even a synchronize_net()
            in unregister_netdevice_many()
-> dsa_tree_teardown_switches
   -> dsa_switch_teardown
      -> dsa_switch_teardown_tag_protocol
         -> finally frees the tagger-owned storage
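
The leak described above, reduced to a userspace model. This is an added example, not kernel code and not taken from the fix: every model_* name, the 64-byte allocation and the live_allocs counter are assumptions made for illustration. Only the connect/disconnect pairing comes from the description.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model, not kernel code: every model_* name is a stand-in. */
struct model_switch {
    const struct model_tag_ops *tag_ops;
    void *tagger_data;                    /* tagger-owned storage */
};
struct model_tag_ops {
    int  (*connect)(struct model_switch *ds);
    void (*disconnect)(struct model_switch *ds);
};
static int live_allocs;                   /* tagger allocations not yet freed */

static int model_connect(struct model_switch *ds)
{
    ds->tagger_data = calloc(1, 64);
    if (!ds->tagger_data)
        return -1;
    live_allocs++;
    return 0;
}

static void model_disconnect(struct model_switch *ds)
{
    free(ds->tagger_data);
    ds->tagger_data = NULL;
    live_allocs--;
}
static const struct model_tag_ops model_ops = { model_connect, model_disconnect };

/* Bind and unbind up to 16 times; return allocations left after the last unbind. */
static int leaked_after(int cycles, int with_fix)
{
    struct model_switch ds[16] = { { NULL, NULL } };
    int i, leaked;

    live_allocs = 0;
    for (i = 0; i < cycles && i < 16; i++) {
        ds[i].tag_ops = &model_ops;       /* each bind sets up a fresh switch */
        if (ds[i].tag_ops->connect(&ds[i]))
            break;
        if (with_fix)                     /* teardown runs the inverse of setup */
            ds[i].tag_ops->disconnect(&ds[i]);
    }
    leaked = live_allocs;
    for (i = 0; i < 16; i++)
        free(ds[i].tagger_data);          /* demo hygiene; free(NULL) is a no-op */
    return leaked;
}
int main(void) { printf("%d %d\n", leaked_after(3, 0), leaked_after(3, 1)); return 0; }
```

Without the inverse step, outstanding allocations grow by one per bind/unbind cycle; with it, the count returns to zero after every unbind.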

Impact