Description of problem: We accidently copy the ipv6 flow list to child sockets of listening TCP sockets, but don't bump the reference count, clone the object, etc. And the list linkage of this object is not built such that multiple sockets can point to it anyways. Therefore if a listening socket has a flow list attached, when a child connection closes we'll OOPS or double free the flow list entry. Any user can trigger this. Version-Release number of selected component (if applicable): How reproducible: Writing a reproducer should be simple: 1) Open listening IPV6 TCP socket 2) Attach a flowlabel with IPV6_FLOWLABEL_MGR socket option, freq->flr_action == IPV6_FL_A_GET and appropriate metadata. 3) Connect to that listening socket, and close() Steps to Reproduce: 1. 2. 3. Actual results: Instant oops. The fix is to simply not inherit this ipv6 socket option. Expected results: Additional info: This was discovered and merged upstream right before this past weekend. See: http://marc.info/?l=linux-netdev&m=117406721731891&w=2 Can someone help me audit RHEL3 and RHEL4 to make sure we get those fixed up if necessary? I'm about to go away for 3 days.
A patch for this issue has been included in build 2.6.18-8.1.4.el5.
Confirmed that fix is in 2.6.18-8.1.4.el5.
*** Bug 238952 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0347.html