In the Linux kernel, the following vulnerability has been resolved:

debugfs: fix wait/cancellation handling during remove

Ben Greear further reports deadlocks during concurrent debugfs
remove while files are being accessed, even though the code in
question now uses debugfs cancellations. Turns out that despite
all the review on the locking, we missed completely that the
logic is wrong: if the refcount hits zero we can finish (and
need not wait for the completion), but if it doesn't we have
to trigger all the cancellations. As written, we can _never_
get into the loop triggering the cancellations. Fix this, and
explain it better while at it.

kernel.org https://git.kernel.org/stable/c/3d08cca5fd0aabb62b7015067ab40913b33da906 [No types assigned]

kernel.org https://git.kernel.org/stable/c/952c3fce297f12c7ff59380adb66b564e2bc9b64 [No types assigned]

kernel.org https://git.kernel.org/stable/c/e88b5ae01901c4a655a53158397746334778a57b [No types assigned]