Date: Fri, 8 May 2026 16:30:42 +0200
From: "gregkh@linuxfoundation.org"
To: Massimiliano Pellizzer
Cc: Dominik Grzegorzek, Ben Hutchings, "torvalds@linux-foundation.org", "lwn@lwn.net", "stable@vger.kernel.org", "linux-kernel@vger.kernel.org", "akpm@linux-foundation.org", "jslaby@suse.cz"
Subject: Re: Linux 5.15.205
Message-ID: <2026050815-length-yummy-f8b6@gregkh>

On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
> On Fri, May 8, 2026 at 3:50 PM gregkh@linuxfoundation.org wrote:
> >
> > On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > > On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org wrote:
> > > >
> > > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > > Hi,
> > > > >
> > > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > > >
> > > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > >
> > > > > Would this need to be:
> > > > >
> > > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > >
> > > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > > >
> > > > Adding Ben who did the 5.10 backport so he can comment on this.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > >
> > >
> > > Hi,
> > >
> > > The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> > >
> > > ```
> > > $ ./run.sh
> > > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > > 'sick::0:0::/:/bin/bash'
> > > === Stage 2 — verify
> > > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > > === Stage 3 — su - sick (empty password via PAM nullok)
> > > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > > # uname -r
> > > 5.15.205
> > > ```
> > >
> >
> > Does the patch below fix this up?
> >
> > thanks,
> >
> > greg k-h
> >
> > ------------------
> >
> >
> > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > > index 68509e1f89b5..5d8f8a5901bc 100644 > > --- a/net/ipv4/ip_output.c > > +++ b/net/ipv4/ip_output.c > > @@ -1443,7 +1443,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page, > > goto error; > > } > > > > - skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG; > > + skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; > > > > if (skb->ip_summed == CHECKSUM_NONE) { > > __wsum csum;
>
> Yes, this works.

Wait, is this also needed in the 6.1.y backport as well? Ben, I'm guessing you tested the 6.1.y backport, right?

thanks,

greg k-h
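
Review bot: The one-line change in the ip_append_page() hunk of net/ipv4/ip_output.c is posted without a changelog, a Fixes: reference or a Signed-off-by, so nothing records that the 5.15.y backport ORed SKBFL_SHARED_FRAG into tx_flags instead of flags, the field that skb_has_shared_frag() is said earlier in this thread to check. Suggest a short commit message stating that the flag was set on the wrong skb_shared_info field, that the reporter confirmed the 5.15.205 result quoted above is fixed with the change applied, and that the 6.1.y backport and every other place the backport sets SKBFL_SHARED_FRAG were checked for the same tx_flags/flags mix-up.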