Description of the problem:

A very subtle race condition between inet_frag_evictor, inet_frag_intern and the IPv4/6 frag_queue and expire functions (basically the users of inet_frag_kill/inet_frag_put) was found. What happens is that after a fragment has been added to the hash chain but before it's been added to the lru_list (inet_frag_lru_add), it may get deleted (either by an expired timer if the system load is high or the timer sufficiently low, or by the frag_queue function for different reasons). Then, after it gets added, it's a matter of time for the evictor to get to a piece of memory which has been freed, leading to a number of different bugs depending on what's left there.

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3ef0eb0d

Acknowledgements:
This issue was discovered by Nikolay Aleksandrov of Red Hat.
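The interleaving described above, as an added user-space model (not kernel code and not the upstream patch): `struct frag_q`, its flags and every function name are hypothetical, and the second ordering is only an assumption about one way to close the window in this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for one fragment queue; flags replace real list linkage. */
struct frag_q {
    bool in_hash; /* on the hash chain: reachable by the timer / frag_queue */
    bool on_lru;  /* linked on the list the evictor walks */
    bool freed;   /* memory has been released */
};

/* Models the kill/put path: unlink from hash and LRU, then free. */
static void model_kill(struct frag_q *q)
{
    if (!q->in_hash)
        return;          /* not published yet: nobody can find it */
    q->in_hash = false;
    q->on_lru = false;   /* unlinking an entry that is not linked changes nothing */
    q->freed = true;
}

static void model_lru_add(struct frag_q *q) { q->on_lru = true; }

/* True when the evictor would reach memory that was already freed. */
static bool evictor_hits_freed(const struct frag_q *q)
{
    return q->on_lru && q->freed;
}

/* Ordering from the report: hash insert, window, then LRU add. */
static bool racy_order(bool kill_in_window)
{
    struct frag_q q = { false, false, false };
    q.in_hash = true;            /* queue becomes visible */
    if (kill_in_window)
        model_kill(&q);          /* expired timer or frag_queue path runs here */
    model_lru_add(&q);           /* freed entry is now linked on the LRU */
    return evictor_hits_freed(&q);
}

/* Assumed alternative: link on the LRU before the queue is visible. */
static bool lru_before_publish(bool kill_after_publish)
{
    struct frag_q q = { false, false, false };
    model_lru_add(&q);
    q.in_hash = true;
    if (kill_after_publish)
        model_kill(&q);          /* kill now also removes the LRU link */
    return evictor_hits_freed(&q);
}

int main(void)
{
    printf("racy=%d reordered=%d\n", racy_order(true), lru_before_publish(true));
    return 0;
}
```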
Statement:

This issue did not affect the versions of the Linux kernel package as shipped with Red Hat Enterprise Linux 5 and 6 as they did not backport the commit that introduced this issue.
Upstream patch submission: http://patchwork.ozlabs.org/patch/325844/
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1072026]
kernel-3.13.5-202.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.13.5-103.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Upstream patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=24b9bf43e93e0edd89072da51cf1fab95fc69dec
This issue has been addressed in the following products:

MRG for RHEL-6 v.2

Via RHSA-2014:0557 https://rhn.redhat.com/errata/RHSA-2014-0557.html