CVE-2025-21884

While kernel sockets are dismantled during pernetoperations->exit(), their freeing can be delayed by any tx packets still held in qdisc or device queues, due to skbsetownerw() prior calls.

This then trigger the following warning from reftrackerdir_exit() [1]

To fix this, make sure that kernel sockets own a reference on net->passive.

Add sknetrefcnt_upgrade() helper, used whenever a kernel socket is converted to a refcounted one.

[1]

[ 136.263918][ T35] reftracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.263918][ T35] skalloc+0x2b3/0x370 [ 136.263918][ T35] inet6create+0x6ce/0x10f0 [ 136.263918][ T35] _sockcreate+0x4c0/0xa30 [ 136.263918][ T35] inetctlsockcreate+0xc2/0x250 [ 136.263918][ T35] igmp6netinit+0x39/0x390 [ 136.263918][ T35] opsinit+0x31e/0x590 [ 136.263918][ T35] setupnet+0x287/0x9e0 [ 136.263918][ T35] copynetns+0x33f/0x570 [ 136.263918][ T35] createnewnamespaces+0x425/0x7b0 [ 136.263918][ T35] unsharensproxynamespaces+0x124/0x180 [ 136.263918][ T35] ksysunshare+0x57d/0xa70 [ 136.263918][ T35] _x64sysunshare+0x38/0x40 [ 136.263918][ T35] dosyscall64+0xf3/0x230 [ 136.263918][ T35] entrySYSCALL64afterhwframe+0x77/0x7f [ 136.263918][ T35] [ 136.343488][ T35] reftracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at [ 136.343488][ T35] skalloc+0x2b3/0x370 [ 136.343488][ T35] inet6create+0x6ce/0x10f0 [ 136.343488][ T35] _sockcreate+0x4c0/0xa30 [ 136.343488][ T35] inetctlsockcreate+0xc2/0x250 [ 136.343488][ T35] ndiscnetinit+0xa7/0x2b0 [ 136.343488][ T35] opsinit+0x31e/0x590 [ 136.343488][ T35] setupnet+0x287/0x9e0 [ 136.343488][ T35] copynetns+0x33f/0x570 [ 136.343488][ T35] createnewnamespaces+0x425/0x7b0 [ 136.343488][ T35] unsharensproxynamespaces+0x124/0x180 [ 136.343488][ T35] ksysunshare+0x57d/0xa70 [ 136.343488][ T35] _x64sysunshare+0x38/0x40 [ 136.343488][ T35] dosyscall64+0xf3/0x230 [ 136.343488][ T35] entrySYSCALL64afterhwframe+0x77/0x7f

References

CVE-2025-21884

Affected packages