Subject: Re: Linux 5.15.205
To: Ben Hutchings, Ron Economos, gregkh@linuxfoundation.org
Cc: Massimiliano Pellizzer, Dominik Grzegorzek, torvalds@linux-foundation.org, lwn@lwn.net, stable@vger.kernel.org, linux-kernel@vger.kernel.org, akpm@linux-foundation.org, jslaby@suse.cz
References: <2026050835-appealing-stallion-a207@gregkh> <1b941a1353791ddd6fd75fb8e68b377367d689ff.camel@oracle.com> <2026050829-gladiator-displease-57af@gregkh> <2026050855-valley-slashed-c382@gregkh> <2026050815-length-yummy-f8b6@gregkh> <036ef29e143799f9117792463d640916490fa61a.camel@debian.org> <2026050840-washcloth-showdown-b66f@gregkh> <19cc282f2e3b821e2dc3930cf5207bc251010307.camel@debian.org>
From: Woody Suwalski
Date: Fri, 8 May 2026 15:44:35 -0400
In-Reply-To: <19cc282f2e3b821e2dc3930cf5207bc251010307.camel@debian.org>

Ben Hutchings wrote:
> On Fri, 2026-05-08 at 12:06 -0700, Ron Economos wrote:
>> On 5/8/26 07:50, gregkh@linuxfoundation.org wrote:
>>> On Fri, May 08, 2026 at 04:38:45PM +0200, Ben Hutchings wrote:
>>>> On Fri, 2026-05-08 at 16:30 +0200, gregkh@linuxfoundation.org wrote:
>>>>> On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
>>>>>> On Fri, May 8, 2026 at 3:50 PM gregkh@linuxfoundation.org wrote:
>>>>>>> On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
>>>>>>>> On Fri, May 8, 2026 at 2:44 PM gregkh@linuxfoundation.org wrote:
>>>>>>>>> On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
>>>>>>>>>>
>>>>>>>>>> skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
>>>>>>>>>>
>>>>>>>>>> Would this need to be:
>>>>>>>>>>
>>>>>>>>>> skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
>>>>>>>>>>
>>>>>>>>>> My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
>>>>>>>>> Adding Ben who did the 5.10 backport so he can comment on this.
>>>>>>>>>
>>>>>>>>> thanks,
>>>>>>>>>
>>>>>>>>> greg k-h
>>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> The newly released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
>>>>>>>>
>>>>>>>> ```
>>>>>>>> $ ./run.sh
>>>>>>>> === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
>>>>>>>> 'sick::0:0::/:/bin/bash'
>>>>>>>> === Stage 2 — verify
>>>>>>>> sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
>>>>>>>> === Stage 3 — su - sick (empty password via PAM nullok)
>>>>>>>> [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
>>>>>>>> # uname -r
>>>>>>>> 5.15.205
>>>>>>>> ```
>>>>>>>>
>>>>>>> Does the patch below fix this up?
>>>>>>>
>>>>>>> thanks,
>>>>>>>
>>>>>>> greg k-h
>>>>>>>
>>>>>>> ------------------
>>>>>>>
>>>>>>>
>>>>>>> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
>>>>>>> index 68509e1f89b5..5d8f8a5901bc 100644
>>>>>>> --- a/net/ipv4/ip_output.c
>>>>>>> +++ b/net/ipv4/ip_output.c
>>>>>>> @@ -1443,7 +1443,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
>>>>>>> goto error;
>>>>>>> }
>>>>>>>
>>>>>>> - skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
>>>>>>> + skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
>>>>>>>
>>>>>>> if (skb->ip_summed == CHECKSUM_NONE) {
>>>>>>> __wsum csum;
>>>>>> Yes, this works.
>>>>> Wait, is this also needed in the 6.1.y backport as well?
>>>>>
>>>>> Ben, I'm guessing you tested the 6.1.y backport, right?
>>>> Yes, but on 6.1 the PoC never succeeded for me even without the patch.
>>>> (On 5.10 and 6.12 it does.) So unfortunately that testing could not
>>>> show whether my attempted fix was correct.
>>>>
>>>> Sorry for screwing this one up.
>>> Not a problem, thanks for doing the backport at all! I'll go do a new
>>> 6.1.y release now.
>>>
>>> Releases for everyone!!!
>>>
>>> thanks,
>>>
>>> greg k-h
>>>
>> Doesn't 5.10.255 need the flag fixup too?
> In 5.10 it was correct to set this flag in skb_shared_info::tx_flags:
>
> static inline bool skb_has_shared_frag(const struct sk_buff *skb)
> {
> 	return skb_is_nonlinear(skb) &&
> 	       skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG;
> }
>
> Ben.
>
Thanks for the above confirmation...

Woody
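Review bot: the one-line diff in ip_append_page() carries no changelog, and it should state why the change matters: in this tree the SKBFL_ bits belong in skb_shared_info->flags (the field skb_has_shared_frag() reads, as Dominik notes), while tx_flags holds the SKBTX_ namespace, so ORing SKBFL_SHARED_FRAG into tx_flags both leaves the shared-fragment state invisible to skb_has_shared_frag() and can set an unrelated tx_flags bit. Please also name the upstream commit being backported so the same field check can be applied to the 6.1.y backport the thread asks about, and note that 5.10 deliberately differs (tx_flags with SKBTX_SHARED_FRAG, per Ben's quoted snippet).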
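The typo discussed in the thread is a flag written to the wrong field of the same struct, which compiles cleanly and is only caught by reading the predicate. The following lint, added here as an example and not code from the thread or the kernel tree, flags any SKBFL_ macro applied to ->tx_flags or any SKBTX_ macro applied to ->flags, using the field/namespace pairing the thread describes for the 5.15 layout (->flags holds SKBFL_ bits, ->tx_flags holds SKBTX_ bits). The sample source lines are constructed; the Mismatch type and find_flag_field_mismatches() are names chosen for this example.

```python
import re
from dataclasses import dataclass

# Field -> macro prefix that belongs in it, per the thread's description of the
# 5.15-era struct skb_shared_info: ->flags holds SKBFL_*, ->tx_flags holds SKBTX_*.
# (Assumption for this example; the 5.10 layout differs, as Ben's snippet shows.)
FIELD_PREFIX = {"flags": "SKBFL_", "tx_flags": "SKBTX_"}

# Matches uses such as "skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG" or
# "shinfo->flags & SKBFL_SHARED_FRAG" and captures the field and the macro.
_FLAG_USE = re.compile(
    r"->\s*(?P<field>tx_flags|flags)\s*"
    r"(?:\|=|&=|&|\||=)\s*~?\(?\s*(?P<macro>SKB(?:FL|TX)_[A-Z0-9_]+)"
)


@dataclass(frozen=True)
class Mismatch:
    lineno: int
    field: str
    macro: str
    expected_prefix: str


def find_flag_field_mismatches(source: str) -> list[Mismatch]:
    """Return each line where a SKBFL_/SKBTX_ macro is applied to the wrong
    skb_shared_info field. A leading '+' or '-' is stripped first so the
    same check runs over a patch as well as over a source file. Only the
    field/namespace pairing is checked, not whether the macro exists."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        body = line[1:] if line.startswith(("+", "-")) else line
        for m in _FLAG_USE.finditer(body):
            expected = FIELD_PREFIX[m["field"]]
            if not m["macro"].startswith(expected):
                hits.append(Mismatch(lineno, m["field"], m["macro"], expected))
    return hits


# Constructed sample: the typo from the thread, its fix, and two correct uses
# (SKBTX_SW_TSTAMP is a real tx_flags bit) that must not be reported.
SAMPLE = """\
	skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
	skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
	skb_shinfo(skb)->tx_flags |= SKBTX_SW_TSTAMP;
	return skb_is_nonlinear(skb) && skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
"""

if __name__ == "__main__":
    for hit in find_flag_field_mismatches(SAMPLE):
        print(f"line {hit.lineno}: {hit.macro} applied to ->{hit.field} "
              f"(expected a {hit.expected_prefix} bit)")
```

Run it over a stable backport with the diff lines of the patch as input; only the first sample line, the tx_flags typo, is reported.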