FYI, the 2.6.31 kernel contains a trivially exploitable stack overflow for which my public exploit has existed for the past 2 weeks. The vulnerability is in the new perf_counter code, which is enabled automatically when using any distro's kernel configuration (they set CONFIG_PROFILING=y which causes the new perf_counter config option to be enabled).
There was some broken pointer arithmetic in the code that makes the above vuln trivially exploitable without requiring a race to be exploited. This was fixed by the patch: http://lkml.org/lkml/2009/9/19/155
Of course, they called the consequences of the bug a "kernel crash".
The exploit disables SELinux, AppArmor, LSM, auditing, and the recently introduced IMA (uses TPM to ensure integrity of files and modules on the system, and yet this exploit proves it cannot even do that).
"Reducing attack surface" through access control systems (take your pick) can't help when poorly-written and under-reviewed system calls like this one get added to a "stable" kernel.