Kernel Locking Bug Resulting in Corrupted Reference Count and a UAF

We discussed this vulnerability during Episode 94 on 26 October 2021

Ignoring plenty of nuance, tiocspgrp (TTY IOCTL Set Process Group) would grab the wrong lock. Pseudoterminals (pty) have a master and a slave device, both of which are controlled by userland and can have ioctls called on them. The function receives the tty pointer for the device the ioctl was invoked on, and a real_tty pointer is passed in as well, which will point to the master tty if the device is part of a pty.

The problem is that while the function modifies real_tty, it grabs the spinlock belonging to tty rather than real_tty. So by invoking the ioctl on both ends of the pty at once, you can have two threads in the critical section at the same time, resulting in skewed reference counters. There are two corruption cases: the original pgrp has its reference counter decremented twice, and whichever thread wins the race (sets pgrp first) has its pgrp overwritten without a corresponding decrement of its reference count.
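To make the two corruption cases concrete, here is a constructed toy model of the set-pgrp critical section; it is added for this write-up and is not kernel code or code from the episode. A pgrp is a refcounted object, a tty holds one reference to its current pgrp, and the critical section (read current pgrp, drop the tty's reference, install the new one with a fresh reference) is split into steps so the two interleavings can be replayed deterministically. The names, the initial refcount of 1 and the two callers A and B are assumptions of the model.

```c
#include <stdio.h>

/* Constructed toy model of the tiocspgrp refcount race (illustration only,
 * not kernel code). A pgrp is a refcounted object; a tty holds exactly one
 * reference to the pgrp it currently points at. */
struct pgrp { const char *name; int refcount; };
struct tty  { struct pgrp *pgrp; };

/* One caller's private view of the critical section, so that its two halves
 * (read the old pgrp, then drop it and install the new one) can be interleaved
 * with another caller's. */
struct setter { struct tty *tty; struct pgrp *new_pgrp; struct pgrp *old; };

/* In the real kernel a drop to zero frees the object, so a second drop of an
 * already-freed pgrp is the use-after-free; here it just goes negative. */
static void put_pgrp(struct pgrp *p) { p->refcount--; }
static void get_pgrp(struct pgrp *p) { p->refcount++; }

static void step_read_old(struct setter *s) { s->old = s->tty->pgrp; }
static void step_install(struct setter *s) {
    put_pgrp(s->old);          /* tty drops its reference to what it read */
    get_pgrp(s->new_pgrp);     /* tty takes a reference to the new pgrp */
    s->tty->pgrp = s->new_pgrp;
}

/* Final refcounts plus which pgrp the tty ended up pointing at. */
struct outcome { int old_ref, a_ref, b_ref; const char *installed; };

static struct outcome collect(struct pgrp *o, struct pgrp *a, struct pgrp *b,
                              struct tty *t) {
    struct outcome r = { o->refcount, a->refcount, b->refcount, t->pgrp->name };
    return r;
}

/* Correct case: both callers serialise on the same lock (real_tty's), so each
 * critical section runs to completion before the other begins. */
struct outcome run_serialized(void) {
    struct pgrp old = { "old", 1 }, a = { "a", 0 }, b = { "b", 0 };
    struct tty t = { &old };
    struct setter sa = { &t, &a, NULL }, sb = { &t, &b, NULL };
    step_read_old(&sa); step_install(&sa);   /* caller A, start to finish */
    step_read_old(&sb); step_install(&sb);   /* caller B, start to finish */
    return collect(&old, &a, &b, &t);        /* old=0 a=0 b=1, installed=b */
}

/* Buggy case: each caller holds the lock of the tty it was invoked on (master
 * vs. slave), so the sections interleave. The damaging order is both callers
 * reading the old pgrp before either installs. */
struct outcome run_raced(void) {
    struct pgrp old = { "old", 1 }, a = { "a", 0 }, b = { "b", 0 };
    struct tty t = { &old };
    struct setter sa = { &t, &a, NULL }, sb = { &t, &b, NULL };
    step_read_old(&sa);      /* A sees old */
    step_read_old(&sb);      /* B also sees old */
    step_install(&sa);       /* A wins: old -> 0, a -> 1, tty points at a */
    step_install(&sb);       /* B: old -> -1 (second drop), b -> 1,
                                a is overwritten without ever being put */
    return collect(&old, &a, &b, &t);        /* old=-1 a=1 b=1, installed=b */
}

int main(void) {
    struct outcome s = run_serialized(), r = run_raced();
    printf("serialized: old=%d a=%d b=%d installed=%s\n",
           s.old_ref, s.a_ref, s.b_ref, s.installed);
    printf("raced:      old=%d a=%d b=%d installed=%s\n",
           r.old_ref, r.a_ref, r.b_ref, r.installed);
    return 0;
}
```

The serialized run leaves exactly one live reference, held by the installed pgrp. The raced run shows both corruptions from the text at once: the original pgrp is dropped twice (in the kernel that second drop lands on freed memory), and the loser's overwritten pgrp keeps a reference nobody will ever release. The fix is the obvious one the bug description implies: take the spinlock of the object actually being modified, real_tty, so that both ends of the pty serialise on the same lock.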