With CLONE_IO, copy_io() increments both ioc->refcount and ioc->nr_tasks. However exit_io_context() only decrements ioc->refcount if ioc->nr_tasks reaches 0.
With CLONE_IO, the parent's io_context->nr_tasks is incremented, but it is never decremented when copy_process() fails afterwards, which prevents exit_io_context() from ever calling the I/O schedulers' exit functions.
An unprivileged local user could use these flaws to cause a denial of service.
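The following is an added toy model of the accounting described above; it is not kernel source. The field names refcount and nr_tasks and the function names copy_io() and exit_io_context() follow the report, while the two failure-path helpers and the sched_exited flag are assumptions introduced here to make the leak observable. It shows why a fork failure that undoes only refcount leaves nr_tasks stuck above zero, so the last real task to exit never reaches the scheduler exit hook and the context is never freed.

```c
#include <stdio.h>

/* Simplified stand-in for the kernel's struct io_context (model, not kernel code). */
struct io_context {
    int refcount;      /* references held on the context */
    int nr_tasks;      /* tasks sharing the context via CLONE_IO */
    int sched_exited;  /* assumed flag: set once the scheduler exit hook ran */
};

/* copy_io() with CLONE_IO: the child shares the parent's context and
 * both counters go up, as the report describes. */
static void copy_io_clone(struct io_context *ioc)
{
    ioc->refcount++;
    ioc->nr_tasks++;
}

/* exit_io_context(): the scheduler exit hook and the refcount drop only
 * happen when the last sharing task leaves. */
static void exit_io_context(struct io_context *ioc)
{
    if (--ioc->nr_tasks == 0) {
        ioc->sched_exited = 1;   /* scheduler exit functions would run here */
        ioc->refcount--;
    }
}

/* Assumed model of the flawed cleanup: copy_process() fails after copy_io(),
 * the reference is put back but nr_tasks is left incremented. */
static void copy_process_fail_buggy(struct io_context *ioc)
{
    ioc->refcount--;
    /* nr_tasks is not decremented: this is the leak */
}

/* Assumed model of a corrected cleanup: undo both increments. */
static void copy_process_fail_fixed(struct io_context *ioc)
{
    ioc->nr_tasks--;
    ioc->refcount--;
}

/* Scenario: one task owns the context, forks with CLONE_IO, the fork fails,
 * then the original task exits. Fills *out with the final counter state and
 * returns 1 if the scheduler exit hook ran, 0 if it was skipped. */
int simulate(int fixed, struct io_context *out)
{
    struct io_context ioc = { .refcount = 1, .nr_tasks = 1, .sched_exited = 0 };

    copy_io_clone(&ioc);                      /* refcount 2, nr_tasks 2 */
    if (fixed)
        copy_process_fail_fixed(&ioc);        /* back to 1 / 1 */
    else
        copy_process_fail_buggy(&ioc);        /* refcount 1, nr_tasks still 2 */
    exit_io_context(&ioc);                    /* the only real task exits */

    if (out)
        *out = ioc;
    return ioc.sched_exited;
}

int main(void)
{
    struct io_context s;
    simulate(0, &s);
    printf("buggy: refcount=%d nr_tasks=%d sched_exited=%d\n",
           s.refcount, s.nr_tasks, s.sched_exited);
    simulate(1, &s);
    printf("fixed: refcount=%d nr_tasks=%d sched_exited=%d\n",
           s.refcount, s.nr_tasks, s.sched_exited);
    return 0;
}
```

In the buggy run the context ends with refcount 1 and nr_tasks 1 even though no task references it any more, so repeated failed CLONE_IO forks keep accumulating unreleased contexts and the scheduler exit functions never run; in the fixed run both counters return to zero and the hook fires. The check a reviewer wants on any such cleanup path is that every counter bumped on the success path has a matching decrement on each early-exit branch.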
This issue affects the Linux kernel as shipped with Red Hat Enterprise Linux 6. This issue does not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5 as they did not provide support for CLONE_IO. This issue does not affect the Linux kernel as shipped with Red Hat Enterprise MRG as they already contain the fix. This has been addressed in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2012-0481.html.
Added CVE as per http://www.openwall.com/lists/oss-security/2012/02/23/5
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:0481 https://rhn.redhat.com/errata/RHSA-2012-0481.html