In the Linux kernel, the following vulnerability has been resolved:
configfs: fix a race in configfs_{,un}register_subsystem()
When configfs_register_subsystem() or configfs_unregister_subsystem() is executing link_group() or unlink_group(), it is possible that two processes add to or delete from the list concurrently. Some unfortunate interleavings of them can cause a kernel panic.
One of the cases is:

A --> B --> C --> D
A <-- B <-- C <-- D

     delete list_head *B        |      delete list_head *C
--------------------------------|-----------------------------------
configfs_unregister_subsystem   |   configfs_unregister_subsystem
  unlink_group                  |     unlink_group
    unlink_obj                  |       unlink_obj
      list_del_init             |         list_del_init
        __list_del_entry        |           __list_del_entry
          __list_del            |             __list_del
          // next == C          |
          next->prev = prev     |
                                |           next->prev = prev
          prev->next = next     |
                                |           // prev == B
                                |           prev->next = next
Fix this by adding a mutex when calling link_group() or unlink_group(), but the parent configfs_subsystem is NULL when the config_item is root. So I create a mutex configfs_subsystem_mutex.
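To make the interleaving above concrete, here is an added user-space model of it; this is example code written for this page, not code from the kernel commit. Two "CPUs" each unlink one of two adjacent nodes (B and C) from a doubly-linked list. The unlink is split into the same two stores that the kernel's __list_del performs, so the advisory's exact step order can be replayed deterministically instead of depending on thread scheduling. The node layout, the helper names (unlink_begin, unlink_step1, and so on) and the pthread mutex standing in for configfs_subsystem_mutex are all assumptions of the example.

```c
/* Added example, not kernel code: replay the race from the advisory on a
 * user-space doubly-linked list, then show the serialized (fixed) variant. */
#include <stddef.h>
#include <pthread.h>

#define MAX_WALK 16

struct node { struct node *next, *prev; };

/* Neighbours captured when the unlink starts, as __list_del_entry reads them. */
struct unlink_ctx { struct node *entry, *prev, *next; };

static void unlink_begin(struct unlink_ctx *c, struct node *entry)
{
    c->entry = entry;
    c->prev = entry->prev;
    c->next = entry->next;
}
/* First store of __list_del: next->prev = prev */
static void unlink_step1(struct unlink_ctx *c) { c->next->prev = c->prev; }
/* Second store of __list_del: prev->next = next */
static void unlink_step2(struct unlink_ctx *c) { c->prev->next = c->next; }
/* list_del_init then points the removed entry at itself. */
static void unlink_finish(struct unlink_ctx *c)
{
    c->entry->next = c->entry->prev = c->entry;
}

/* Build head <-> nodes[0] <-> ... <-> nodes[count-1] <-> head (A, B, C, D). */
static void build_list(struct node *head, struct node *nodes, size_t count)
{
    head->next = head->prev = head;
    for (size_t i = 0; i < count; i++) {
        nodes[i].prev = head->prev;
        nodes[i].next = head;
        head->prev->next = &nodes[i];
        head->prev = &nodes[i];
    }
}

/* 1 if every forward link is mirrored by a back link and the walk returns to
 * head within MAX_WALK steps; 0 if the list is corrupted or cyclic. */
static int list_consistent(const struct node *head)
{
    const struct node *n = head;
    for (int i = 0; i < MAX_WALK; i++) {
        if (n->next->prev != n)
            return 0;
        n = n->next;
        if (n == head)
            return 1;
    }
    return 0;
}

/* 1 if target is still reached by walking prev pointers from head. */
static int reachable_backward(const struct node *head, const struct node *target)
{
    const struct node *n = head->prev;
    for (int i = 0; i < MAX_WALK && n != head; i++, n = n->prev)
        if (n == target)
            return 1;
    return 0;
}

/* Replay the advisory's interleaving with no lock. Returns 1 when the list
 * ends up corrupted and the already "deleted" node B is still reachable,
 * which is the dangling reference that crashes the kernel. */
int race_replay_corrupts_list(void)
{
    struct node head, nodes[4];               /* nodes[1] is B, nodes[2] is C */
    struct unlink_ctx del_b, del_c;
    build_list(&head, nodes, 4);
    unlink_begin(&del_b, &nodes[1]);          /* CPU 1: B's neighbours are A, C */
    unlink_begin(&del_c, &nodes[2]);          /* CPU 2: C's neighbours are B, D */
    unlink_step1(&del_b);                     /* C->prev = A */
    unlink_step1(&del_c);                     /* D->prev = B, but B is leaving */
    unlink_step2(&del_b);                     /* A->next = C, but C is leaving */
    unlink_step2(&del_c);                     /* B->next = D: store into dead B */
    unlink_finish(&del_b);
    unlink_finish(&del_c);
    return !list_consistent(&head) && reachable_backward(&head, &nodes[1]);
}

/* The fix: one mutex held across the whole unlink, standing in for the
 * kernel's configfs_subsystem_mutex around link_group()/unlink_group(). */
static pthread_mutex_t subsystem_mutex = PTHREAD_MUTEX_INITIALIZER;

static void unlink_locked(struct node *entry)
{
    struct unlink_ctx c;
    pthread_mutex_lock(&subsystem_mutex);
    unlink_begin(&c, entry);
    unlink_step1(&c);
    unlink_step2(&c);
    unlink_finish(&c);
    pthread_mutex_unlock(&subsystem_mutex);
}

/* Returns 1 when both unlinks leave head <-> A <-> D intact and B unreachable. */
int serialized_unlink_is_consistent(void)
{
    struct node head, nodes[4];
    build_list(&head, nodes, 4);
    unlink_locked(&nodes[1]);
    unlink_locked(&nodes[2]);
    return list_consistent(&head) && !reachable_backward(&head, &nodes[1])
        && head.next == &nodes[0] && nodes[0].next == &nodes[3];
}
```

After the unlocked replay, A->next points at C (which has already been unlinked) and D->prev points at B (whose memory the kernel would by then have freed), so a later walk in either direction touches a stale object. With the lock held across the entire unlink, the second deleter can only read B's and C's neighbours after the first has finished, and the list ends as head <-> A <-> D.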