A flaw was found in rsvp_change(). The root cause is an slab-out-of-bound access, but since the offset to the original pointer is an `unsign int` fully controlled by users, the behavior is usually a wild pointer access.
The rsvp classifier has been retired upstream: https://github.com/torvalds/linux/commit/265b4da82dbf5df04bee5a5d46b7474b1aaf326a
*** Bug 2226790 has been marked as a duplicate of this bug. ***
*** Bug 2258363 has been marked as a duplicate of this bug. ***
*** Bug 2258364 has been marked as a duplicate of this bug. ***