CVE-2025-21958

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/04/2025
Last modified:
31/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Revert "openvswitch: switch to per-action label counting in conntrack"

Currently, ovs_ct_set_labels() is only called for confirmed conntrack entries (ct) within ovs_ct_commit(). However, if the conntrack entry does not have the labels_ext extension, attempting to allocate it in ovs_ct_get_conn_labels() for a confirmed entry triggers a warning in nf_ct_ext_add():

WARN_ON(nf_ct_is_confirmed(ct));

This happens when the conntrack entry is created externally before OVS increments net->ct.labels_used. The issue has become more likely since commit fcb1aa5163b1 ("openvswitch: switch to per-action label counting in conntrack"), which changed to use per-action label counting and increment net->ct.labels_used when a flow with ct action is added.

Since there's no straightforward way to fully resolve this issue at the moment, this reverts the commit to avoid breaking existing use cases.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12 (including) 6.12.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*
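As an added example (not part of this CVE record), the affected-version table above turned into a check a practitioner can run against a kernel version string; it assumes distro-style suffixes such as `6.12.19-arch1-1` or `6.14.0-rc3` should be matched on their upstream part, and that only the rc1 to rc6 pre-releases listed above count as affected.

```python
import re
from typing import Optional, Tuple

# Ranges copied from the "Vulnerable products and versions" table:
# [6.12, 6.12.20) and [6.13, 6.13.8), plus 6.14-rc1 through 6.14-rc6.
AFFECTED_RANGES = [((6, 12, 0), (6, 12, 20)), ((6, 13, 0), (6, 13, 8))]
AFFECTED_RC = {(6, 14, rc) for rc in range(1, 7)}

# major.minor[.patch][-rcN][-local-suffix]; the trailing suffix is ignored
# (assumption: distro build tags do not change the upstream version).
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?(?:[-+].*)?$")


def parse_kernel_version(s: str) -> Tuple[int, int, int, Optional[int]]:
    """Return (major, minor, patch, rc); rc is None for a final release."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {s!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else None)


def is_affected(version: str) -> bool:
    """True if the version falls inside a range listed in the table above."""
    major, minor, patch, rc = parse_kernel_version(version)
    if rc is not None:
        # Only the explicitly listed 6.14 release candidates are affected;
        # a pre-release is never inside the stable ranges.
        return patch == 0 and (major, minor, rc) in AFFECTED_RC
    return any(lo <= (major, minor, patch) < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inputs, including distro-style strings.
    for v in ("6.12.19", "6.12.20", "6.13.7-generic", "6.14.0-rc3", "6.14-rc7", "6.14"):
        print(f"{v:16} affected={is_affected(v)}")
```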