In the Linux kernel, the following vulnerability has been resolved:
tun: avoid double free in tunfreenetdev
Avoid double free in tunfreenetdev() by moving the dev->tstats and tun->security allocs to a new ndoinit routine (tunnetinit()) that will be called by registernetdevice(). ndoinit is paired with the desctructor (tunfreenetdev()), so if there's an error in registernetdevice() the destructor will handle the frees.
BUG: KASAN: double-free or invalid-free in selinuxtundevfreesecurity+0x1a/0x20 security/selinux/hooks.c:5605
CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1 Hardware name: Red Hat KVM, BIOS Call Trace: <TASK> dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x89/0xb5 lib/dumpstack.c:106 printaddressdescription.constprop.9+0x28/0x160 mm/kasan/report.c:247 kasanreportinvalidfree+0x55/0x80 mm/kasan/report.c:372 kasanslabfree mm/kasan/common.c:346 [inline] _kasanslabfree+0x107/0x120 mm/kasan/common.c:374 kasanslabfree include/linux/kasan.h:235 [inline] slabfreehook mm/slub.c:1723 [inline] slabfreefreelisthook mm/slub.c:1749 [inline] slabfree mm/slub.c:3513 [inline] kfree+0xac/0x2d0 mm/slub.c:4561 selinuxtundevfreesecurity+0x1a/0x20 security/selinux/hooks.c:5605 securitytundevfreesecurity+0x4f/0x90 security/security.c:2342 tunfreenetdev+0xe6/0x150 drivers/net/tun.c:2215 netdevruntodo+0x4df/0x840 net/core/dev.c:10627 rtnlunlock+0x13/0x20 net/core/rtnetlink.c:112 _tunchrioctl+0x80c/0x2870 drivers/net/tun.c:3302 tunchrioctl+0x2f/0x40 drivers/net/tun.c:3311 vfsioctl fs/ioctl.c:51 [inline] _dosysioctl fs/ioctl.c:874 [inline] _sesysioctl fs/ioctl.c:860 [inline] _x64sysioctl+0x19d/0x220 fs/ioctl.c:860 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3a/0x80 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x44/0xae