Comment 13 for bug 620994

Stefan Bader (smb) wrote :

So the problem seems to be the following: For the security issue a guard page has been added. To prevent user-space effects, mlock was changed to exclude the first page on a VM_GROWSDOWN (stack) vma from being made present.
What was not expected is that apparently Xen user-space locks areas within the stack. This can cause the vma to be split. If that happens, the remaining vma->vm_start is always equal to the start of locking, but it does not contain the guard page. Even worse, if the requested size is only one page, we end up calling make_pages_present() with start == end and trigger the BUG() check there.

This is flawed in more recent kernels (Jaunty to Maverick) too. Though, by another bug, the effect there is rather to accidentally map in the guard page (which would cause the stack to grow each time it gets mlocked) and potentially to lock one page less than desired (see upstream discussion here: http://kerneltrap.org/mailarchive/linux-kernel/2010/8/22/4609662/thread). The patches mentioned in that discussion should be watched. Linus did not sound too confident of them.

For Hardy I am currently trying to get test kernels created and will update this bug report when I have uploaded them to a public space.