Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates that information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-2864

Publication date:
25/03/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KaineLabs Youzify - Buddypress Moderation. This issue affects Youzify - Buddypress Moderation: from n/a through 1.2.5.
Severity CVSS v4.0: Pending analysis
Last modification:
28/05/2025

CVE-2021-47173

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

misc/uss720: fix memory leak in uss720_probe

uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. Fix this by decreasing the refcount of usbdev by usb_put_dev.

    BUG: memory leak
    unreferenced object 0xffff888101113800 (size 2048):
    comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s)
    hex dump (first 32 bytes):
    ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1...........
    00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................
    backtrace:
    [] kmalloc include/linux/slab.h:554 [inline]
    [] kzalloc include/linux/slab.h:684 [inline]
    [] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582
    [] hub_port_connect drivers/usb/core/hub.c:5129 [inline]
    [] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
    [] port_event drivers/usb/core/hub.c:5509 [inline]
    [] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591
    [] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
    [] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
    [] kthread+0x178/0x1b0 kernel/kthread.c:292
    [] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2024

CVE-2021-47179

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()

Commit de144ff4234f changes _pnfs_return_layout() to call pnfs_mark_matching_lsegs_return() passing NULL as the struct pnfs_layout_range argument. Unfortunately, pnfs_mark_matching_lsegs_return() doesn't check if we have a value here before dereferencing it, causing an oops.

I'm able to hit this crash consistently when running connectathon basic tests on NFS v4.1/v4.2 against Ontap.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2024

CVE-2021-47180

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

NFC: nci: fix memory leak in nci_allocate_device

nfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev. Fix this by freeing hci_dev in nci_free_device.

    BUG: memory leak
    unreferenced object 0xffff888111ea6800 (size 1024):
    comm "kworker/1:0", pid 19, jiffies 4294942308 (age 13.580s)
    hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 60 fd 0c 81 88 ff ff .........`......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    backtrace:
    [] kmalloc include/linux/slab.h:552 [inline]
    [] kzalloc include/linux/slab.h:682 [inline]
    [] nci_hci_allocate+0x21/0xd0 net/nfc/nci/hci.c:784
    [] nci_allocate_device net/nfc/nci/core.c:1170 [inline]
    [] nci_allocate_device+0x10b/0x160 net/nfc/nci/core.c:1132
    [] nfcmrvl_nci_register_dev+0x10a/0x1c0 drivers/nfc/nfcmrvl/main.c:153
    [] nfcmrvl_probe+0x223/0x290 drivers/nfc/nfcmrvl/usb.c:345
    [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [] really_probe+0x159/0x4a0 drivers/base/dd.c:554
    [] driver_probe_device+0x84/0x100 drivers/base/dd.c:740
    [] __device_attach_driver+0xee/0x110 drivers/base/dd.c:846
    [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
    [] __device_attach+0x122/0x250 drivers/base/dd.c:914
    [] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491
    [] device_add+0x5be/0xc30 drivers/base/core.c:3109
    [] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2164
    [] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
    [] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
    [] really_probe+0x159/0x4a0 drivers/base/dd.c:554
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2021-47176

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

s390/dasd: add missing discipline function

Fix crash with illegal operation exception in dasd_device_tasklet. Commit b72949328869 ("s390/dasd: Prepare for additional path event handling") renamed the verify_path function for ECKD but not for FBA and DIAG. This leads to a panic when the path verification function is called for a FBA or DIAG device.

Fix by defining a wrapper function for dasd_generic_verify_path().
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2021-47175

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net/sched: fq_pie: fix OOB access in the traffic path

the following script:

    # tc qdisc add dev eth0 handle 0x1 root fq_pie flows 2
    # tc qdisc add dev eth0 clsact
    # tc filter add dev eth0 egress matchall action skbedit priority 0x10002
    # ping 192.0.2.2 -I eth0 -c2 -w1 -q

produces the following splat:

    BUG: KASAN: slab-out-of-bounds in fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]
    Read of size 4 at addr ffff888171306924 by task ping/942

    CPU: 3 PID: 942 Comm: ping Not tainted 5.12.0+ #441
    Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
    Call Trace:
    dump_stack+0x92/0xc1
    print_address_description.constprop.7+0x1a/0x150
    kasan_report.cold.13+0x7f/0x111
    fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie]
    __dev_queue_xmit+0x1034/0x2b10
    ip_finish_output2+0xc62/0x2120
    __ip_finish_output+0x553/0xea0
    ip_output+0x1ca/0x4d0
    ip_send_skb+0x37/0xa0
    raw_sendmsg+0x1c4b/0x2d00
    sock_sendmsg+0xdb/0x110
    __sys_sendto+0x1d7/0x2b0
    __x64_sys_sendto+0xdd/0x1b0
    do_syscall_64+0x3c/0x80
    entry_SYSCALL_64_after_hwframe+0x44/0xae

    Allocated by task 917:
    kasan_save_stack+0x19/0x40
    __kasan_kmalloc+0x7f/0xa0
    __kmalloc_node+0x139/0x280
    fq_pie_init+0x555/0x8e8 [sch_fq_pie]
    qdisc_create+0x407/0x11b0
    tc_modify_qdisc+0x3c2/0x17e0
    rtnetlink_rcv_msg+0x346/0x8e0
    netlink_rcv_skb+0x120/0x380
    netlink_unicast+0x439/0x630
    netlink_sendmsg+0x719/0xbf0
    sock_sendmsg+0xe2/0x110
    ____sys_sendmsg+0x5ba/0x890
    ___sys_sendmsg+0xe9/0x160
    __sys_sendmsg+0xd3/0x170
    do_syscall_64+0x3c/0x80
    entry_SYSCALL_64_after_hwframe+0x44/0xae

    The buggy address belongs to the object at ffff888171306800
    which belongs to the cache kmalloc-256 of size 256
    The buggy address is located 36 bytes to the right of
    256-byte region [ffff888171306800, ffff888171306900)

fix fq_pie traffic path to avoid selecting 'q->flows + q->flows_cnt' as a valid flow: it's an address beyond the allocated memory.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2021-47174

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version

Arturo reported this backtrace:

    [709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0
    [709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1
    [709732.358959] Hardware name: Dell Inc. PowerEdge R440/04JN2K, BIOS 2.9.3 09/23/2020
    [709732.358964] RIP: 0010:kernel_fpu_begin_mask+0xae/0xe0
    [709732.359005] Call Trace:
    [709732.359009]
    [709732.359035] nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables]
    [709732.359046] ? sched_clock+0x5/0x10
    [709732.359054] ? sched_clock_cpu+0xc/0xb0
    [709732.359061] ? record_times+0x16/0x80
    [709732.359068] ? plist_add+0xc1/0x100
    [709732.359073] ? psi_group_change+0x47/0x230
    [709732.359079] ? skb_clone+0x4d/0xb0
    [709732.359085] ? enqueue_task_rt+0x22b/0x310
    [709732.359098] ? bnxt_start_xmit+0x1e8/0xaf0 [bnxt_en]
    [709732.359102] ? packet_rcv+0x40/0x4a0
    [709732.359121] nft_lookup_eval+0x59/0x160 [nf_tables]
    [709732.359133] nft_do_chain+0x350/0x500 [nf_tables]
    [709732.359152] ? nft_lookup_eval+0x59/0x160 [nf_tables]
    [709732.359163] ? nft_do_chain+0x364/0x500 [nf_tables]
    [709732.359172] ? fib4_rule_action+0x6d/0x80
    [709732.359178] ? fib_rules_lookup+0x107/0x250
    [709732.359184] nft_nat_do_chain+0x8a/0xf2 [nft_chain_nat]
    [709732.359193] nf_nat_inet_fn+0xea/0x210 [nf_nat]
    [709732.359202] nf_nat_ipv4_out+0x14/0xa0 [nf_nat]
    [709732.359207] nf_hook_slow+0x44/0xc0
    [709732.359214] ip_output+0xd2/0x100
    [709732.359221] ? __ip_finish_output+0x210/0x210
    [709732.359226] ip_forward+0x37d/0x4a0
    [709732.359232] ? ip4_key_hashfn+0xb0/0xb0
    [709732.359238] ip_subli
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2021-47178

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: core: Avoid smp_processor_id() in preemptible code

The BUG message "BUG: using smp_processor_id() in preemptible [00000000] code" was observed for TCMU devices with kernel config DEBUG_PREEMPT.

The message was observed when blktests block/005 was run on TCMU devices with fileio backend or user:zbc backend [1]. The commit 1130b499b4a7 ("scsi: target: tcm_loop: Use LIO wq cmd submission helper") triggered the symptom. The commit modified work queue to handle commands and changed 'current->nr_cpu_allowed' at smp_processor_id() call.

The message was also observed at system shutdown when TCMU devices were not cleaned up [2]. The function smp_processor_id() was called in SCSI host work queue for abort handling, and triggered the BUG message. This symptom was observed regardless of the commit 1130b499b4a7 ("scsi: target: tcm_loop: Use LIO wq cmd submission helper").

To avoid the preemptible code check at smp_processor_id(), get CPU ID with raw_smp_processor_id() instead. The CPU ID is used for performance improvement then thread move to other CPU will not affect the code.

[1]

    [ 56.468103] run blktests block/005 at 2021-05-12 14:16:38
    [ 57.369473] check_preemption_disabled: 85 callbacks suppressed
    [ 57.369480] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1511
    [ 57.369506] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1510
    [ 57.369512] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1506
    [ 57.369552] caller is __target_init_cmd+0x157/0x170 [target_core_mod]
    [ 57.369606] CPU: 4 PID: 1506 Comm: fio Not tainted 5.13.0-rc1+ #34
    [ 57.369613] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018
    [ 57.369617] Call Trace:
    [ 57.369621] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1507
    [ 57.369628] dump_stack+0x6d/0x89
    [ 57.369642] check_preemption_disabled+0xc8/0xd0
    [ 57.369628] caller is __target_init_cmd+0x157/0x170 [target_core_mod]
    [ 57.369655] __target_init_cmd+0x157/0x170 [target_core_mod]
    [ 57.369695] target_init_cmd+0x76/0x90 [target_core_mod]
    [ 57.369732] tcm_loop_queuecommand+0x109/0x210 [tcm_loop]
    [ 57.369744] scsi_queue_rq+0x38e/0xc40
    [ 57.369761] __blk_mq_try_issue_directly+0x109/0x1c0
    [ 57.369779] blk_mq_try_issue_directly+0x43/0x90
    [ 57.369790] blk_mq_submit_bio+0x4e5/0x5d0
    [ 57.369812] submit_bio_noacct+0x46e/0x4e0
    [ 57.369830] __blkdev_direct_IO_simple+0x1a3/0x2d0
    [ 57.369859] ? set_init_blocksize.isra.0+0x60/0x60
    [ 57.369880] generic_file_read_iter+0x89/0x160
    [ 57.369898] blkdev_read_iter+0x44/0x60
    [ 57.369906] new_sync_read+0x102/0x170
    [ 57.369929] vfs_read+0xd4/0x160
    [ 57.369941] __x64_sys_pread64+0x6e/0xa0
    [ 57.369946] ? lockdep_hardirqs_on+0x79/0x100
    [ 57.369958] do_syscall_64+0x3a/0x70
    [ 57.369965] entry_SYSCALL_64_after_hwframe+0x44/0xae
    [ 57.370031] CPU: 7 PID: 1507 Comm: fio Not tainted 5.13.0-rc1+ #34
    [ 57.370036] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018
    [ 57.370039] Call Trace:
    [ 57.370045] dump_stack+0x6d/0x89
    [ 57.370056] ch
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2021-47177

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix sysfs leak in alloc_iommu()

iommu_device_sysfs_add() is called before, so it has to be cleaned on subsequent errors.
Severity CVSS v4.0: Pending analysis
Last modification:
17/03/2025

CVE-2021-47164

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix null deref accessing lag dev

It could be the lag dev is null so stop processing the event. In bond_enslave() the active/backup slave being set before setting the upper dev so first event is without an upper dev. After setting the upper dev with bond_master_upper_dev_link() there is a second event and in that event we have an upper dev.
Severity CVSS v4.0: Pending analysis
Last modification:
23/05/2024

CVE-2021-47171

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

net: usb: fix memory leak in smsc75xx_bind

Syzbot reported memory leak in smsc75xx_bind(). The problem was non-freed memory in case of errors after memory allocation.

    backtrace:
    [] kmalloc include/linux/slab.h:556 [inline]
    [] kzalloc include/linux/slab.h:686 [inline]
    [] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
    [] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2024

CVE-2021-47162

Publication date:
25/03/2024
In the Linux kernel, the following vulnerability has been resolved:

tipc: skb_linearize the head skb when reassembling msgs

It's not a good idea to append the frag skb to a skb's frag_list if the frag_list already has skbs from elsewhere, such as this skb was created by pskb_copy() where the frag_list was cloned (all the skbs in it were skb_get'ed) and shared by multiple skbs.

However, the new appended frag skb should have been only seen by the current skb. Otherwise, it will cause use after free crashes as this appended frag skb are seen by multiple skbs but it only got skb_get called once.

The same thing happens with a skb updated by pskb_may_pull() with a skb_cloned skb. Li Shuang has reported quite a few crashes caused by this when doing testing over macvlan devices:

    [] kernel BUG at net/core/skbuff.c:1970!
    [] Call Trace:
    [] skb_clone+0x4d/0xb0
    [] macvlan_broadcast+0xd8/0x160 [macvlan]
    [] macvlan_process_broadcast+0x148/0x150 [macvlan]
    [] process_one_work+0x1a7/0x360
    [] worker_thread+0x30/0x390

    [] kernel BUG at mm/usercopy.c:102!
    [] Call Trace:
    [] __check_heap_object+0xd3/0x100
    [] __check_object_size+0xff/0x16b
    [] simple_copy_to_iter+0x1c/0x30
    [] __skb_datagram_iter+0x7d/0x310
    [] __skb_datagram_iter+0x2a5/0x310
    [] skb_copy_datagram_iter+0x3b/0x90
    [] tipc_recvmsg+0x14a/0x3a0 [tipc]
    [] ____sys_recvmsg+0x91/0x150
    [] ___sys_recvmsg+0x7b/0xc0

    [] kernel BUG at mm/slub.c:305!
    [] Call Trace:
    []
    [] kmem_cache_free+0x3ff/0x400
    [] __netif_receive_skb_core+0x12c/0xc40
    [] ? kmem_cache_alloc+0x12e/0x270
    [] netif_receive_skb_internal+0x3d/0xb0
    [] ? get_rx_page_info+0x8e/0xa0 [be2net]
    [] be_poll+0x6ef/0xd00 [be2net]
    [] ? irq_exit+0x4f/0x100
    [] net_rx_action+0x149/0x3b0

    ...

This patch is to fix it by linearizing the head skb if it has frag_list set in tipc_buf_append(). Note that we choose to do this before calling skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can not just drop the frag_list either as the early time.
Severity CVSS v4.0: Pending analysis
Last modification:
13/03/2025