We accidently copy the ipv6 flow list to child sockets of listening TCP sockets, but don't bump the reference count, clone the object, etc. And the list linkage of this object is not built such that multiple sockets can point to it anyways. Therefore if a listening socket has a flow list attached, when a child connection closes we'll OOPS or double free the flow list entry. Any user can trigger this. Steps to reproduce this behavior: 1) Open listening IPV6 TCP socket 2) Attach a flowlabel with IPV6_FLOWLABEL_MGR socket option, freq->flr_action == IPV6_FL_A_GET and appropriate metadata. 3) Connect to that listening socket, and close() http://marc.info/?l=linux-netdev&m=117406721731891&w=2
A patch addressing this issue has been included in kernel-2.4.18-e.65.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0673.html