CVE-2025-21958

In the Linux kernel, the following vulnerability has been resolved:

Revert "openvswitch: switch to per-action label counting in conntrack"

Currently, ovsctsetlabels() is only called for confirmed conntrack entries (ct) within ovsctcommit(). However, if the conntrack entry does not have the labelsext extension, attempting to allocate it in ovsctgetconnlabels() for a confirmed entry triggers a warning in nfctext_add():

WARNON(nfctisconfirmed(ct));

This happens when the conntrack entry is created externally before OVS increments net->ct.labelsused. The issue has become more likely since commit fcb1aa5163b1 ("openvswitch: switch to per-action label counting in conntrack"), which changed to use per-action label counting and increment net->ct.labelsused when a flow with ct action is added.

Since there’s no straightforward way to fully resolve this issue at the moment, this reverts the commit to avoid breaking existing use cases.