Reported by Tavis Ormandy of Google Security Team.
The root cause was determined to be a use-after-free of locked async file descriptors, and it is believed to have been introduced here:
http://git.kernel.org/linus/233e70f4228e78eb2f80dc6650f65d3ae3dbf17c
Acknowledgements:
Red Hat would like to thank Tavis Ormandy of Google Security Team for reporting this issue.
Upstream commit: http://git.kernel.org/linus/53281b6d3
This only affected Red Hat Enterprise Linux 5.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0046 https://rhn.redhat.com/errata/RHSA-2010-0046.html
Patch present on the latest RHEL6 git tree.
Fixed in 2.6.31.12 and 2.6.32.4 by:
fasync-split-fasync_helper-into-separate-add-remove-functions.patch
kernel-2.6.30.10-105.2.13.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kernel-2.6.30.10-105.2.13.fc11
kernel-2.6.30.10-105.2.13.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5.3.Z - Server Only
Via RHSA-2010:0149 https://rhn.redhat.com/errata/RHSA-2010-0149.html
This issue has been addressed in the following products:
MRG for RHEL-5
Via RHSA-2010:0161 https://rhn.redhat.com/errata/RHSA-2010-0161.html