Linux 5.15.205

Linux 5.15.205

[Greg Kroah-Hartman]

I'm announcing the release of the 5.15.205 kernel.

All users of the 5.15 kernel series must upgrade.

The updated 5.15.y git tree can be found at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y
and can be browsed at the normal kernel.org git web browser:
	https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary

thanks,

greg k-h

------------

 Makefile             |    2 +-
 net/ipv4/esp4.c      |    3 ++-
 net/ipv4/ip_output.c |    2 ++
 net/ipv6/esp6.c      |    3 ++-
 4 files changed, 7 insertions(+), 3 deletions(-)

Greg Kroah-Hartman (1):
      Linux 5.15.205

Kuan-Ting Chen (1):
      xfrm: esp: avoid in-place decrypt on shared skb frags

Re: Linux 5.15.205

[Greg Kroah-Hartman]

diff --git a/Makefile b/Makefile
index 3937e96d463f..9fcf204d08af 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 5
 PATCHLEVEL = 15
-SUBLEVEL = 204
+SUBLEVEL = 205
 EXTRAVERSION =
 NAME = Trick or Treat
 
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index c69cee3feff0..0b062959871f 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -921,7 +921,8 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
 			nfrags = 1;
 
 			goto skip_cow;
-		} else if (!skb_has_frag_list(skb)) {
+		} else if (!skb_has_frag_list(skb) &&
+			   !skb_has_shared_frag(skb)) {
 			nfrags = skb_shinfo(skb)->nr_frags;
 			nfrags++;
 
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index d674a24217f9..68509e1f89b5 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1443,6 +1443,8 @@ ssize_t	ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
 			goto error;
 		}
 
+		skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
+
 		if (skb->ip_summed == CHECKSUM_NONE) {
 			__wsum csum;
 			csum = csum_page(page, offset, len);
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index e87f3f8f0681..0aaafc0bd8fa 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -968,7 +968,8 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
 			nfrags = 1;
 
 			goto skip_cow;
-		} else if (!skb_has_frag_list(skb)) {
+		} else if (!skb_has_frag_list(skb) &&
+			   !skb_has_shared_frag(skb)) {
 			nfrags = skb_shinfo(skb)->nr_frags;
 			nfrags++;
 

Re: Linux 5.15.205

[Dominik Grzegorzek]

Hi,

I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:

skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;

Would this need to be:

skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;

My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.

Regards,
Dominik Grzegorzek

Re: Linux 5.15.205

[gregkh]

On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> Hi,
> 
> I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> 
> skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> 
> Would this need to be:
> 
> skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> 
> My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.

Adding Ben who did the 5.10 backport so he can comment on this.

thanks,

greg k-h

Re: Linux 5.15.205

[Massimiliano Pellizzer]

On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org
<gregkh@linuxfoundation.org> wrote:
>
> On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > Hi,
> >
> > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> >
> > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> >
> > Would this need to be:
> >
> > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> >
> > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
>
> Adding Ben who did the 5.10 backport so he can comment on this.
>
> thanks,
>
> greg k-h
>

Hi,

The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.

```
$ ./run.sh
=== Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
'sick::0:0:<pad>:/:/bin/bash'
=== Stage 2 — verify
sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
=== Stage 3 — su - sick (empty password via PAM nullok)
[i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
# uname -r
5.15.205
```

Re: Linux 5.15.205

[gregkh]

On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > Hi,
> > >
> > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > >
> > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > >
> > > Would this need to be:
> > >
> > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > >
> > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> >
> > Adding Ben who did the 5.10 backport so he can comment on this.
> >
> > thanks,
> >
> > greg k-h
> >
> 
> Hi,
> 
> The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> 
> ```
> $ ./run.sh
> === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> 'sick::0:0:<pad>:/:/bin/bash'
> === Stage 2 — verify
> sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> === Stage 3 — su - sick (empty password via PAM nullok)
> [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> # uname -r
> 5.15.205
> ```
> 

Does the patch below fix this up?

thanks,

greg k-h

------------------


diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 68509e1f89b5..5d8f8a5901bc 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1443,7 +1443,7 @@ ssize_t	ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
 			goto error;
 		}
 
-		skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
+		skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
 
 		if (skb->ip_summed == CHECKSUM_NONE) {
 			__wsum csum;

Re: Linux 5.15.205

[Massimiliano Pellizzer]

On Fri, May 8, 2026 at 3:50 PM gregkh@linuxfoundation.org
<gregkh@linuxfoundation.org> wrote:
>
> On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org
> > <gregkh@linuxfoundation.org> wrote:
> > >
> > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > Hi,
> > > >
> > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > >
> > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > >
> > > > Would this need to be:
> > > >
> > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > >
> > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > >
> > > Adding Ben who did the 5.10 backport so he can comment on this.
> > >
> > > thanks,
> > >
> > > greg k-h
> > >
> >
> > Hi,
> >
> > The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> >
> > ```
> > $ ./run.sh
> > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > 'sick::0:0:<pad>:/:/bin/bash'
> > === Stage 2 — verify
> > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > === Stage 3 — su - sick (empty password via PAM nullok)
> > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > # uname -r
> > 5.15.205
> > ```
> >
>
> Does the patch below fix this up?
>
> thanks,
>
> greg k-h
>
> ------------------
>
>
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index 68509e1f89b5..5d8f8a5901bc 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1443,7 +1443,7 @@ ssize_t   ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
>                         goto error;
>                 }
>
> -               skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> +               skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
>
>                 if (skb->ip_summed == CHECKSUM_NONE) {
>                         __wsum csum;

Yes, this works.
Thanks

Re: Linux 5.15.205

[gregkh]

On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
> On Fri, May 8, 2026 at 3:50 PM gregkh@linuxfoundation.org
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > > On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org
> > > <gregkh@linuxfoundation.org> wrote:
> > > >
> > > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > > Hi,
> > > > >
> > > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > > >
> > > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > >
> > > > > Would this need to be:
> > > > >
> > > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > >
> > > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > > >
> > > > Adding Ben who did the 5.10 backport so he can comment on this.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > >
> > >
> > > Hi,
> > >
> > > The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> > >
> > > ```
> > > $ ./run.sh
> > > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > > 'sick::0:0:<pad>:/:/bin/bash'
> > > === Stage 2 — verify
> > > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > > === Stage 3 — su - sick (empty password via PAM nullok)
> > > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > > # uname -r
> > > 5.15.205
> > > ```
> > >
> >
> > Does the patch below fix this up?
> >
> > thanks,
> >
> > greg k-h
> >
> > ------------------
> >
> >
> > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > index 68509e1f89b5..5d8f8a5901bc 100644
> > --- a/net/ipv4/ip_output.c
> > +++ b/net/ipv4/ip_output.c
> > @@ -1443,7 +1443,7 @@ ssize_t   ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
> >                         goto error;
> >                 }
> >
> > -               skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > +               skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> >
> >                 if (skb->ip_summed == CHECKSUM_NONE) {
> >                         __wsum csum;
> 
> Yes, this works.

Great, thanks, let me go push out a new release with this fix, thanks
for testing!

greg k-h

Re: Linux 5.15.205

[gregkh]

On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
> On Fri, May 8, 2026 at 3:50 PM gregkh@linuxfoundation.org
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > > On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org
> > > <gregkh@linuxfoundation.org> wrote:
> > > >
> > > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > > Hi,
> > > > >
> > > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > > >
> > > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > >
> > > > > Would this need to be:
> > > > >
> > > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > >
> > > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > > >
> > > > Adding Ben who did the 5.10 backport so he can comment on this.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > >
> > >
> > > Hi,
> > >
> > > The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> > >
> > > ```
> > > $ ./run.sh
> > > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > > 'sick::0:0:<pad>:/:/bin/bash'
> > > === Stage 2 — verify
> > > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > > === Stage 3 — su - sick (empty password via PAM nullok)
> > > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > > # uname -r
> > > 5.15.205
> > > ```
> > >
> >
> > Does the patch below fix this up?
> >
> > thanks,
> >
> > greg k-h
> >
> > ------------------
> >
> >
> > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > index 68509e1f89b5..5d8f8a5901bc 100644
> > --- a/net/ipv4/ip_output.c
> > +++ b/net/ipv4/ip_output.c
> > @@ -1443,7 +1443,7 @@ ssize_t   ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
> >                         goto error;
> >                 }
> >
> > -               skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > +               skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> >
> >                 if (skb->ip_summed == CHECKSUM_NONE) {
> >                         __wsum csum;
> 
> Yes, this works.

Wait, is this also needed in the 6.1.y backport as well?

Ben, I'm guessing you tested the 6.1.y backport, right?

thanks,

greg k-h

Re: Linux 5.15.205

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 3057 bytes --]

On Fri, 2026-05-08 at 16:30 +0200, gregkh@linuxfoundation.org wrote:
> On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
> > On Fri, May 8, 2026 at 3:50 PM gregkh@linuxfoundation.org
> > <gregkh@linuxfoundation.org> wrote:
> > > 
> > > On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > > > On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org
> > > > <gregkh@linuxfoundation.org> wrote:
> > > > > 
> > > > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > > > Hi,
> > > > > > 
> > > > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > > > > 
> > > > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > > > 
> > > > > > Would this need to be:
> > > > > > 
> > > > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > > > 
> > > > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > > > > 
> > > > > Adding Ben who did the 5.10 backport so he can comment on this.
> > > > > 
> > > > > thanks,
> > > > > 
> > > > > greg k-h
> > > > > 
> > > > 
> > > > Hi,
> > > > 
> > > > The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> > > > 
> > > > ```
> > > > $ ./run.sh
> > > > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > > > 'sick::0:0:<pad>:/:/bin/bash'
> > > > === Stage 2 — verify
> > > > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > > > === Stage 3 — su - sick (empty password via PAM nullok)
> > > > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > > > # uname -r
> > > > 5.15.205
> > > > ```
> > > > 
> > > 
> > > Does the patch below fix this up?
> > > 
> > > thanks,
> > > 
> > > greg k-h
> > > 
> > > ------------------
> > > 
> > > 
> > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > > index 68509e1f89b5..5d8f8a5901bc 100644
> > > --- a/net/ipv4/ip_output.c
> > > +++ b/net/ipv4/ip_output.c
> > > @@ -1443,7 +1443,7 @@ ssize_t   ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
> > >                         goto error;
> > >                 }
> > > 
> > > -               skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > +               skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > 
> > >                 if (skb->ip_summed == CHECKSUM_NONE) {
> > >                         __wsum csum;
> > 
> > Yes, this works.
> 
> Wait, is this also needed in the 6.1.y backport as well?
> 
> Ben, I'm guessing you tested the 6.1.y backport, right?

Yes, but on 6.1 the PoC never succeeded for me even without the patch. 
(On 5.10 and 6.12 it does.)  So unfortunately that testing could not
show whether my attempted fix was correct.

Sorry for screwing this one up.

Ben.

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS
teams

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Linux 5.15.205

[gregkh]

On Fri, May 08, 2026 at 04:38:45PM +0200, Ben Hutchings wrote:
> On Fri, 2026-05-08 at 16:30 +0200, gregkh@linuxfoundation.org wrote:
> > On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
> > > On Fri, May 8, 2026 at 3:50 PM gregkh@linuxfoundation.org
> > > <gregkh@linuxfoundation.org> wrote:
> > > > 
> > > > On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > > > > On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org
> > > > > <gregkh@linuxfoundation.org> wrote:
> > > > > > 
> > > > > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > > > > Hi,
> > > > > > > 
> > > > > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > > > > > 
> > > > > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > > > > 
> > > > > > > Would this need to be:
> > > > > > > 
> > > > > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > > > > 
> > > > > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > > > > > 
> > > > > > Adding Ben who did the 5.10 backport so he can comment on this.
> > > > > > 
> > > > > > thanks,
> > > > > > 
> > > > > > greg k-h
> > > > > > 
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> > > > > 
> > > > > ```
> > > > > $ ./run.sh
> > > > > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > > > > 'sick::0:0:<pad>:/:/bin/bash'
> > > > > === Stage 2 — verify
> > > > > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > > > > === Stage 3 — su - sick (empty password via PAM nullok)
> > > > > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > > > > # uname -r
> > > > > 5.15.205
> > > > > ```
> > > > > 
> > > > 
> > > > Does the patch below fix this up?
> > > > 
> > > > thanks,
> > > > 
> > > > greg k-h
> > > > 
> > > > ------------------
> > > > 
> > > > 
> > > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > > > index 68509e1f89b5..5d8f8a5901bc 100644
> > > > --- a/net/ipv4/ip_output.c
> > > > +++ b/net/ipv4/ip_output.c
> > > > @@ -1443,7 +1443,7 @@ ssize_t   ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
> > > >                         goto error;
> > > >                 }
> > > > 
> > > > -               skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > +               skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > 
> > > >                 if (skb->ip_summed == CHECKSUM_NONE) {
> > > >                         __wsum csum;
> > > 
> > > Yes, this works.
> > 
> > Wait, is this also needed in the 6.1.y backport as well?
> > 
> > Ben, I'm guessing you tested the 6.1.y backport, right?
> 
> Yes, but on 6.1 the PoC never succeeded for me even without the patch. 
> (On 5.10 and 6.12 it does.)  So unfortunately that testing could not
> show whether my attempted fix was correct.
> 
> Sorry for screwing this one up.

Not a problem, thanks for doing the backport at all!  I'll go do a new
6.1.y release now.

Releases for everyone!!!

thanks,

greg k-h

Re: Linux 5.15.205

[Ron Economos]

On 5/8/26 07:50, gregkh@linuxfoundation.org wrote:
> On Fri, May 08, 2026 at 04:38:45PM +0200, Ben Hutchings wrote:
>> On Fri, 2026-05-08 at 16:30 +0200, gregkh@linuxfoundation.org wrote:
>>> On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
>>>> On Fri, May 8, 2026 at 3:50 PM gregkh@linuxfoundation.org
>>>> <gregkh@linuxfoundation.org> wrote:
>>>>> On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
>>>>>> On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org
>>>>>> <gregkh@linuxfoundation.org> wrote:
>>>>>>> On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
>>>>>>>>
>>>>>>>> skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
>>>>>>>>
>>>>>>>> Would this need to be:
>>>>>>>>
>>>>>>>> skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
>>>>>>>>
>>>>>>>> My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
>>>>>>> Adding Ben who did the 5.10 backport so he can comment on this.
>>>>>>>
>>>>>>> thanks,
>>>>>>>
>>>>>>> greg k-h
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
>>>>>>
>>>>>> ```
>>>>>> $ ./run.sh
>>>>>> === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
>>>>>> 'sick::0:0:<pad>:/:/bin/bash'
>>>>>> === Stage 2 — verify
>>>>>> sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
>>>>>> === Stage 3 — su - sick (empty password via PAM nullok)
>>>>>> [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
>>>>>> # uname -r
>>>>>> 5.15.205
>>>>>> ```
>>>>>>
>>>>> Does the patch below fix this up?
>>>>>
>>>>> thanks,
>>>>>
>>>>> greg k-h
>>>>>
>>>>> ------------------
>>>>>
>>>>>
>>>>> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
>>>>> index 68509e1f89b5..5d8f8a5901bc 100644
>>>>> --- a/net/ipv4/ip_output.c
>>>>> +++ b/net/ipv4/ip_output.c
>>>>> @@ -1443,7 +1443,7 @@ ssize_t   ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
>>>>>                          goto error;
>>>>>                  }
>>>>>
>>>>> -               skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
>>>>> +               skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
>>>>>
>>>>>                  if (skb->ip_summed == CHECKSUM_NONE) {
>>>>>                          __wsum csum;
>>>> Yes, this works.
>>> Wait, is this also needed in the 6.1.y backport as well?
>>>
>>> Ben, I'm guessing you tested the 6.1.y backport, right?
>> Yes, but on 6.1 the PoC never succeeded for me even without the patch.
>> (On 5.10 and 6.12 it does.)  So unfortunately that testing could not
>> show whether my attempted fix was correct.
>>
>> Sorry for screwing this one up.
> Not a problem, thanks for doing the backport at all!  I'll go do a new
> 6.1.y release now.
>
> Releases for everyone!!!
>
> thanks,
>
> greg k-h
>
Doesn't 5.10.255 need the flag fixup too?

Re: Linux 5.15.205

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 4072 bytes --]

On Fri, 2026-05-08 at 12:06 -0700, Ron Economos wrote:
> On 5/8/26 07:50, gregkh@linuxfoundation.org wrote:
> > On Fri, May 08, 2026 at 04:38:45PM +0200, Ben Hutchings wrote:
> > > On Fri, 2026-05-08 at 16:30 +0200, gregkh@linuxfoundation.org wrote:
> > > > On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
> > > > > On Fri, May 8, 2026 at 3:50 PM gregkh@linuxfoundation.org
> > > > > <gregkh@linuxfoundation.org> wrote:
> > > > > > On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > > > > > > On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org
> > > > > > > <gregkh@linuxfoundation.org> wrote:
> > > > > > > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > > > > > > Hi,
> > > > > > > > > 
> > > > > > > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > > > > > > > 
> > > > > > > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > > > > > > 
> > > > > > > > > Would this need to be:
> > > > > > > > > 
> > > > > > > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > > > > > > 
> > > > > > > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > > > > > > > Adding Ben who did the 5.10 backport so he can comment on this.
> > > > > > > > 
> > > > > > > > thanks,
> > > > > > > > 
> > > > > > > > greg k-h
> > > > > > > > 
> > > > > > > Hi,
> > > > > > > 
> > > > > > > The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> > > > > > > 
> > > > > > > ```
> > > > > > > $ ./run.sh
> > > > > > > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > > > > > > 'sick::0:0:<pad>:/:/bin/bash'
> > > > > > > === Stage 2 — verify
> > > > > > > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > > > > > > === Stage 3 — su - sick (empty password via PAM nullok)
> > > > > > > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > > > > > > # uname -r
> > > > > > > 5.15.205
> > > > > > > ```
> > > > > > > 
> > > > > > Does the patch below fix this up?
> > > > > > 
> > > > > > thanks,
> > > > > > 
> > > > > > greg k-h
> > > > > > 
> > > > > > ------------------
> > > > > > 
> > > > > > 
> > > > > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > > > > > index 68509e1f89b5..5d8f8a5901bc 100644
> > > > > > --- a/net/ipv4/ip_output.c
> > > > > > +++ b/net/ipv4/ip_output.c
> > > > > > @@ -1443,7 +1443,7 @@ ssize_t   ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
> > > > > >                          goto error;
> > > > > >                  }
> > > > > > 
> > > > > > -               skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > > > +               skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > > > 
> > > > > >                  if (skb->ip_summed == CHECKSUM_NONE) {
> > > > > >                          __wsum csum;
> > > > > Yes, this works.
> > > > Wait, is this also needed in the 6.1.y backport as well?
> > > > 
> > > > Ben, I'm guessing you tested the 6.1.y backport, right?
> > > Yes, but on 6.1 the PoC never succeeded for me even without the patch.
> > > (On 5.10 and 6.12 it does.)  So unfortunately that testing could not
> > > show whether my attempted fix was correct.
> > > 
> > > Sorry for screwing this one up.
> > Not a problem, thanks for doing the backport at all!  I'll go do a new
> > 6.1.y release now.
> > 
> > Releases for everyone!!!
> > 
> > thanks,
> > 
> > greg k-h
> > 
> Doesn't 5.10.255 need the flag fixup too?

In 5.10 it was correct to set this flag in skb_shared_info::tx_flags:

static inline bool skb_has_shared_frag(const struct sk_buff *skb)
{
	return skb_is_nonlinear(skb) &&
	       skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
}

Ben.

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS
teams

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Linux 5.15.205

[Woody Suwalski]

Ben Hutchings wrote:
> On Fri, 2026-05-08 at 12:06 -0700, Ron Economos wrote:
>> On 5/8/26 07:50, gregkh@linuxfoundation.org wrote:
>>> On Fri, May 08, 2026 at 04:38:45PM +0200, Ben Hutchings wrote:
>>>> On Fri, 2026-05-08 at 16:30 +0200, gregkh@linuxfoundation.org wrote:
>>>>> On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
>>>>>> On Fri, May 8, 2026 at 3:50 PM gregkh@linuxfoundation.org
>>>>>> <gregkh@linuxfoundation.org> wrote:
>>>>>>> On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
>>>>>>>> On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org
>>>>>>>> <gregkh@linuxfoundation.org> wrote:
>>>>>>>>> On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
>>>>>>>>>>
>>>>>>>>>> skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
>>>>>>>>>>
>>>>>>>>>> Would this need to be:
>>>>>>>>>>
>>>>>>>>>> skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
>>>>>>>>>>
>>>>>>>>>> My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
>>>>>>>>> Adding Ben who did the 5.10 backport so he can comment on this.
>>>>>>>>>
>>>>>>>>> thanks,
>>>>>>>>>
>>>>>>>>> greg k-h
>>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
>>>>>>>>
>>>>>>>> ```
>>>>>>>> $ ./run.sh
>>>>>>>> === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
>>>>>>>> 'sick::0:0:<pad>:/:/bin/bash'
>>>>>>>> === Stage 2 — verify
>>>>>>>> sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
>>>>>>>> === Stage 3 — su - sick (empty password via PAM nullok)
>>>>>>>> [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
>>>>>>>> # uname -r
>>>>>>>> 5.15.205
>>>>>>>> ```
>>>>>>>>
>>>>>>> Does the patch below fix this up?
>>>>>>>
>>>>>>> thanks,
>>>>>>>
>>>>>>> greg k-h
>>>>>>>
>>>>>>> ------------------
>>>>>>>
>>>>>>>
>>>>>>> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
>>>>>>> index 68509e1f89b5..5d8f8a5901bc 100644
>>>>>>> --- a/net/ipv4/ip_output.c
>>>>>>> +++ b/net/ipv4/ip_output.c
>>>>>>> @@ -1443,7 +1443,7 @@ ssize_t   ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
>>>>>>>                           goto error;
>>>>>>>                   }
>>>>>>>
>>>>>>> -               skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
>>>>>>> +               skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
>>>>>>>
>>>>>>>                   if (skb->ip_summed == CHECKSUM_NONE) {
>>>>>>>                           __wsum csum;
>>>>>> Yes, this works.
>>>>> Wait, is this also needed in the 6.1.y backport as well?
>>>>>
>>>>> Ben, I'm guessing you tested the 6.1.y backport, right?
>>>> Yes, but on 6.1 the PoC never succeeded for me even without the patch.
>>>> (On 5.10 and 6.12 it does.)  So unfortunately that testing could not
>>>> show whether my attempted fix was correct.
>>>>
>>>> Sorry for screwing this one up.
>>> Not a problem, thanks for doing the backport at all!  I'll go do a new
>>> 6.1.y release now.
>>>
>>> Releases for everyone!!!
>>>
>>> thanks,
>>>
>>> greg k-h
>>>
>> Doesn't 5.10.255 need the flag fixup too?
> In 5.10 it was correct to set this flag in skb_shared_info::tx_flags:
>
> static inline bool skb_has_shared_frag(const struct sk_buff *skb)
> {
> 	return skb_is_nonlinear(skb) &&
> 	       skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
> }
>
> Ben.
>
Thanks for the above confirmation...
Woody