Re: Linux 5.15.205
From: gregkh@xxxxxxxxxxxxxxxxxxx
Date: Fri May 08 2026 - 10:22:12 EST

On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
> On Fri, May 8, 2026 at 3:50 PM gregkh@xxxxxxxxxxxxxxxxxxx
> <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > > On Fri, May 8, 2026 at 2:44 PM gregkh@xxxxxxxxxxxxxxxxxxx
> > > <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > > >
> > > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > > Hi,
> > > > >
> > > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > > >
> > > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > >
> > > > > Would this need to be:
> > > > >
> > > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > >
> > > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > > >
> > > > Adding Ben who did the 5.10 backport so he can comment on this.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > >
> > >
> > > Hi,
> > >
> > > The newly released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> > >
> > > ```
> > > $ ./run.sh
> > > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > > 'sick::0:0:<pad>:/:/bin/bash'
> > > === Stage 2 — verify
> > > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > > === Stage 3 — su - sick (empty password via PAM nullok)
> > > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > > # uname -r
> > > 5.15.205
> > > ```
> > >
> >
> > Does the patch below fix this up?
> >
> > thanks,
> >
> > greg k-h
> >
> > ------------------
> >
> >
> > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > index 68509e1f89b5..5d8f8a5901bc 100644
> > --- a/net/ipv4/ip_output.c
> > +++ b/net/ipv4/ip_output.c
> > @@ -1443,7 +1443,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
> > goto error;
> > }
> >
> > - skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > + skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> >
> > if (skb->ip_summed == CHECKSUM_NONE) {
> > __wsum csum;
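Review bot: The removed line in ip_append_page() was wrong in two ways, and the changelog for this fix should say so: it left SKBFL_SHARED_FRAG unset in skb_shinfo(skb)->flags, which is the field skb_has_shared_frag() is described as checking earlier in the thread, and it OR-ed that constant's value into tx_flags, a different field with its own bit meanings. The one-line change corrects both, but as posted it carries no commit message, Fixes: tag or Signed-off-by, so the release commit should name the backport it repairs. Because the mix-up came from a backport, it is also worth checking whether SKBFL_SHARED_FRAG is set through tx_flags anywhere else in this tree and in the 5.10 backport mentioned above.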
>
> Yes, this works.

Great, thanks, let me go push out a new release with this fix, thanks
for testing!

greg k-h