Gah. Here's the EIP backtrace, I forgot it.
(gdb) l *0x00145718
0x145718 is in tcp_recvmsg (tcp.c:1642).
1637 while (skb != (struct sk_buff *)&sk->receive_queue)
1638 {
1639 if (before(*seq, skb->seq))
1640 break;
1641 offset = *seq - skb->seq;
1642 if (skb->h.th->syn)
1643 offset--;
1644 if (offset < skb->len)
1645 goto found_ok_skb;
1646 if (skb->h.th->fin)
> Does the patch I sent out today cure this?
I'll give it a spin.
-Dan