via oss-sec http://seclists.org/oss-sec/2015/q2/545

> An issue was discovered in the linux kernel's tty subsystem handling during shutdown. The
> flaw was that a new tty thread could hold a reference to the ldisc lock used during
> the shutdown phase in the original thread and create a deadlock.
> 
> This race occurs on hangup of tty.  It races and hangs on ldsem_down_write on a semaphore 
> that is being aquired by a new reader(CPU 1).  The new reader/writer is sleeping
> in ldsem_down_read() and the hangup is sleeping in ldsem_down_write().
> 
> The deadlock can occur under these conditions.
> 
>    CPU 0                                   |  CPU 1
>                                            |
> _raw_spin_unlock_irq                       | _raw_spin_unlock_irq+0x24/0x26
> down_write_failed                          | down_read_failed+0xe3/0x1b9
> ldsem_down_write <-- here                  | ldsem_down_read  <--- here
> tty_ldisc_lock_pair_timeout                | tty_ldisc_ref_wait
> tty_ldisc_lock_pair_timeout                | tty_write
> tty_ldisc_hangup                           | redirected_tty_write
> __tty_hangup                               | tty_write
> disassociate_ctty                          | o_loop_readv_writev
> do_exit                                    | do_readv_writev
>                                            | SyS_writev
> 
> 
> This section of code was re-written upstream by creating a read/write semaphore to
> specially to handle ldisc, ldsem ( 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 ).  
> 
> This issue was reproduced on a system under load when testing the reproducer for
> CVE-2014-0196, on a system that already has this issue fixed.  No root permissions
> are required to recreate the deadlock.


Two year old though.




References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4170
http://seclists.org/oss-sec/2015/q2/613
https://bugzilla.redhat.com/show_bug.cgi?id=1218879