CVE-2025-21884

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21884
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21884.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21884
Downstream
Related
Published
2025-03-27T14:57:12Z
Modified
2025-10-10T07:35:26.295273Z
Summary
net: better track kernel sockets lifetime
Details

In the Linux kernel, the following vulnerability has been resolved:

net: better track kernel sockets lifetime

While kernel sockets are dismantled during pernetoperations->exit(), their freeing can be delayed by any tx packets still held in qdisc or device queues, due to skbsetownerw() prior calls.

This then trigger the following warning from reftrackerdir_exit() [1]

To fix this, make sure that kernel sockets own a reference on net->passive.

Add sknetrefcnt_upgrade() helper, used whenever a kernel socket is converted to a refcounted one.

[1]

[ 136.263918][ T35] reftracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.263918][ T35] skalloc+0x2b3/0x370 [ 136.263918][ T35] inet6create+0x6ce/0x10f0 [ 136.263918][ T35] _sockcreate+0x4c0/0xa30 [ 136.263918][ T35] inetctlsockcreate+0xc2/0x250 [ 136.263918][ T35] igmp6netinit+0x39/0x390 [ 136.263918][ T35] opsinit+0x31e/0x590 [ 136.263918][ T35] setupnet+0x287/0x9e0 [ 136.263918][ T35] copynetns+0x33f/0x570 [ 136.263918][ T35] createnewnamespaces+0x425/0x7b0 [ 136.263918][ T35] unsharensproxynamespaces+0x124/0x180 [ 136.263918][ T35] ksysunshare+0x57d/0xa70 [ 136.263918][ T35] _x64sysunshare+0x38/0x40 [ 136.263918][ T35] dosyscall64+0xf3/0x230 [ 136.263918][ T35] entrySYSCALL64afterhwframe+0x77/0x7f [ 136.263918][ T35] [ 136.343488][ T35] reftracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.343488][ T35] skalloc+0x2b3/0x370 [ 136.343488][ T35] inet6create+0x6ce/0x10f0 [ 136.343488][ T35] _sockcreate+0x4c0/0xa30 [ 136.343488][ T35] inetctlsockcreate+0xc2/0x250 [ 136.343488][ T35] ndiscnetinit+0xa7/0x2b0 [ 136.343488][ T35] opsinit+0x31e/0x590 [ 136.343488][ T35] setupnet+0x287/0x9e0 [ 136.343488][ T35] copynetns+0x33f/0x570 [ 136.343488][ T35] createnewnamespaces+0x425/0x7b0 [ 136.343488][ T35] unsharensproxynamespaces+0x124/0x180 [ 136.343488][ T35] ksysunshare+0x57d/0xa70 [ 136.343488][ T35] _x64sysunshare+0x38/0x40 [ 136.343488][ T35] dosyscall64+0xf3/0x230 [ 136.343488][ T35] entrySYSCALL64afterhwframe+0x77/0x7f

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0cafd77dcd032d1687efaba5598cf07bce85997f
Fixed
2668e038800b946d269f96ec1b258c01930a242c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0cafd77dcd032d1687efaba5598cf07bce85997f
Fixed
4ceb0bd4ffd009821b585ce6a8033b12b59fb5fb
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0cafd77dcd032d1687efaba5598cf07bce85997f
Fixed
c31a732fac46b00b95b78fcc9c37cb48dd6f2e0c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0cafd77dcd032d1687efaba5598cf07bce85997f
Fixed
5c70eb5c593d64d93b178905da215a9fd288a4b5

Affected versions

v6.*

v6.1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.100
v6.6.101
v6.6.102
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.103
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.43
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.6