"Some futex functions do get_user calls while holding mmap_sem for reading. If get_user() faults, and another thread happens to be in mmap (or somewhere else waiting on down_write for the same semaphore), then do_page_fault will deadlock. Most architectures seem to be exposed to this."

References:
http://lkml.org/lkml/2005/2/22/123
http://lkml.org/lkml/2005/2/22/185

fixed=2.6-bk (cset@421cfc11zFsK9gxvSJ2t__FCmuUd3Q)

This would allow a local user to easily cause a system crash. CVE applied for.

This is fixed by linux-2.6.9-futex-mmap_sem-deadlock.patch in RHSA-2005:420.
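The following is an added single-threaded model of the deadlock quoted above and of the drop-the-lock-and-retry structure that the mainline fix used (read the futex word without faulting while mmap_sem is held; on a fault, drop mmap_sem, fault the page in unlocked, retry). It is example code, not the kernel's or the patch's; `struct rwsem`, `struct upage`, `down_read`, `get_user` and the two `futex_read_*` functions are simplified stand-ins with constructed state.

```c
/* Single-threaded model of the mmap_sem deadlock and the drop-and-retry fix;
 * constructed example, not kernel code. */
#define DEADLOCK (-1)  /* nested down_read that can never be satisfied */
#define FAULT    (-2)  /* page not present: a real get_user() would fault */
struct rwsem { int readers; int writer_waiting; }; /* model of mm->mmap_sem */
struct upage { int present; int value; };          /* one user page */

static int down_read(struct rwsem *s) {
    if (s->writer_waiting) {
        /* A queued writer blocks new readers.  If we already hold the lock
         * for reading, the writer waits for us and we wait for it. */
        if (s->readers > 0) return DEADLOCK;
        s->writer_waiting = 0;   /* lock free: writer runs, then we get in */
    }
    s->readers++;
    return 0;
}
static void up_read(struct rwsem *s) { s->readers--; }
/* Faulting copy: a missing page goes through do_page_fault, which takes
 * mmap_sem for reading. */
static int get_user(struct rwsem *s, struct upage *p, int *out) {
    if (!p->present) {
        if (down_read(s)) return DEADLOCK;
        p->present = 1;
        up_read(s);
    }
    *out = p->value;
    return 0;
}
/* Non-faulting copy in the __copy_from_user_inatomic style: never locks. */
static int get_user_nofault(struct upage *p, int *out) {
    if (!p->present) return FAULT;
    *out = p->value;
    return 0;
}
/* Both are entered with mmap_sem held for reading (s->readers >= 1) and
 * return the futex word or a negative model error. */
int futex_read_vulnerable(struct rwsem *s, struct upage *p) {
    int v, r = get_user(s, p, &v);   /* faults while holding mmap_sem */
    return r ? r : v;
}
int futex_read_fixed(struct rwsem *s, struct upage *p) {
    int v;
    while (get_user_nofault(p, &v) == FAULT) {
        up_read(s);                               /* drop the lock */
        if (get_user(s, p, &v)) return DEADLOCK;  /* fault in unlocked */
        if (down_read(s)) return DEADLOCK;        /* retake, then retry */
    }
    return v;
}
```

With a writer queued behind the reader (`writer_waiting = 1`) and the futex word not yet present, the vulnerable path reports DEADLOCK while the fixed path returns the word and leaves the lock held once, writer served.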