Type Confusion hardcodes tuntap socket UID to root [CVE-2023-1076]
We discussed this vulnerability during Episode 196 on 14 March 2023
A type confusion during the initialization of TUN/TAP sockets leads to the socket UID being fixed to 0 (root). The root cause is an incorrect assumption made by sock_init_data() about its struct socket argument: it assumes the socket is embedded in a struct socket_alloc, as it is for sockets created through sock_alloc(), and so it uses container_of() with socket_alloc as the parent type to locate the owning inode and copy that inode's i_uid into sk->sk_uid. For TUN and TAP devices, however, the struct socket passed in is embedded in a struct tun_file or a struct tap_queue, so the container_of() calculates a pointer to whatever happens to follow the socket in that structure rather than to a real inode. In the tun_file case that memory is the tun pointer, which is still NULL when sock_init_data() runs, so the "inode uid" read from it is 0 and every tun/tap socket ends up owned by root.