ioctx_alloc() calls aio_setup_ring() to allocate a ring. If aio_setup_ring() fails to do so it would call aio_free_ring() before returning, but ioctx_alloc() would call aio_free_ring() again causing a double free of the ring. Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d558023207e008a4476a3b7bb8706b2a2bf5d84f References: http://seclists.org/oss-sec/2014/q1/711
Statement: Not vulnerable. This issued does not affect Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1083271]