"Some futex functions do get_user calls while holding mmap_sem
for reading. If get_user() faults, and another thread happens
to be in mmap (or somewhere else holding waiting on down_write
for the same semaphore), then do_page_fault will
deadlock. Most architectures seem to be exposed to this."
This would allow a local user to easily cause a system crash. CVE applied for.
This is fixed by linux-2.6.9-futex-mmap_sem-deadlock.patch in RHSA-2005:420.
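The lock cycle described in the quoted report, as an added example (not code from the kernel or from the patch named above): a single-threaded model of a writer-fair read/write semaphore, showing why a nested read acquisition blocks once a writer is queued. The `rwsem_model` type, the `model_*` helpers and the "release before the user access" ordering are assumptions made for illustration; the page does not describe how the patch resolves the issue.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not kernel code: a writer-fair rw-semaphore.
 * Once a writer is queued, later readers must wait behind it. */
struct rwsem_model {
    int  active_readers;   /* current holders of the read side */
    bool writer_queued;    /* a down_write() caller is sleeping */
};

/* Returns false where a real down_read() would sleep. */
static bool model_down_read(struct rwsem_model *s)
{
    if (s->writer_queued)
        return false;
    s->active_readers++;
    return true;
}

static void model_up_read(struct rwsem_model *s) { s->active_readers--; }

/* Returns false where a real down_write() would sleep. */
static bool model_down_write(struct rwsem_model *s)
{
    if (s->active_readers > 0) {
        s->writer_queued = true;   /* waits for readers to drain */
        return false;
    }
    return true;
}

/* True if the futex thread ends up waiting on a writer that is
 * itself waiting on the futex thread's read hold. */
bool futex_path_deadlocks(bool hold_across_fault)
{
    struct rwsem_model mmap_sem = { 0, false };

    model_down_read(&mmap_sem);        /* futex code: mmap_sem for reading */
    if (!hold_across_fault)
        model_up_read(&mmap_sem);      /* assumed alternative ordering */
    if (model_down_write(&mmap_sem))   /* second thread enters mmap */
        return false;                  /* writer runs and releases normally */
    /* user access faults: the fault handler needs mmap_sem for reading */
    return !model_down_read(&mmap_sem);
}

int main(void)
{
    printf("held across fault:    deadlock=%d\n", futex_path_deadlocks(true));
    printf("released before fault: deadlock=%d\n", futex_path_deadlocks(false));
    return 0;
}
```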