CVE-2025-21926

In the Linux kernel, the following vulnerability has been resolved:

net: gso: fix ownership in __udpgsosegment

In __udpgsosegment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug:

kernel BUG at ./include/linux/skbuff.h:3312! (skborphan) RIP: 0010:iprcvcore+0x8b2/0xca0 Call Trace: iprcv+0xab/0x6e0 __netifreceiveskb_onecore+0x168/0x1b0 processbacklog+0x384/0x1100 _napipoll.constprop.0+0xa1/0x370 netrxaction+0x925/0xe50

The above can happen following a sequence of events when using OpenVSwitch, when an OVSACTIONATTRUSERSPACE action precedes an OVSACTIONATTROUTPUT action:

1. OVSACTIONATTRUSERSPACE is handled (in doexecuteactions): the skb goes through queuegso_packets and then __udpgsosegment, where its destructor is removed.
2. The segments' data are copied and sent to userspace.
3. OVSACTIONATTROUTPUT is handled (in doexecute_actions) and the same original skb is sent to its path.
4. If it later hits skb_orphan, we hit the bug.

Fix this by also removing the reference to the socket in __udpgsosegment.