sys_fsc2h_ctrl kernel stack free
Team Summary
Official summary from PlayStation
## Summary

It is possible to cause a kernel stack free in the syscall sys_fsc2h_ctrl. Consider 4 threads:

- Thread 1: The command CMD_WAIT (0x10001) in sys_fsc2h_ctrl waits for path 1.
- Thread 2: The command CMD_WAIT (0x10001) in sys_fsc2h_ctrl waits for path 2.
- Thread 3: The command CMD_RESOLVE (0x20005) in sys_fsc2h_ctrl sets the pointer of path 2 to a local stack buffer and sleeps.
- Thread 4: The command CMD_COMPLETE (0x20003) in sys_fsc2h_ctrl writes data into that local stack buffer and wakes up thread 3.
- Thread 2: This thread wakes up before thread 3 and frees path 2. However, that is not a malloc() allocation; it is actually a pointer to the kernel stack.

## Impact

Privilege escalation.
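The interleaving above, replayed deterministically in a small user-space model. This is an added example, not PlayStation kernel code and not the reporter's proof of concept: the `struct path` layout, the `origin` bookkeeping, the `release()` wrapper and the "hardened" check are assumptions made for illustration, and only the three command codes come from the report. The model shows why the unconditional free in CMD_WAIT is the defect and how a handler that tracks buffer ownership refuses to free a borrowed stack pointer while still freeing a path's own heap buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Command codes quoted in the report. */
#define CMD_WAIT     0x10001
#define CMD_COMPLETE 0x20003
#define CMD_RESOLVE  0x20005

/* Assumed bookkeeping: the model records where each path's buffer came from
 * so the hardened handler can refuse to free anything that is not heap memory. */
enum buf_origin { ORIGIN_NONE, ORIGIN_HEAP, ORIGIN_STACK };

struct path {
    char *buf;              /* buffer the path currently points at */
    enum buf_origin origin; /* assumed field, not part of the real kernel object */
    bool completed;         /* set by CMD_COMPLETE, consumed by CMD_WAIT */
};

struct outcome {
    int heap_frees;   /* legitimate free() calls */
    int bad_frees;    /* free() reached with a stack address (the bug) */
};

/* free() wrapper: a real kernel would corrupt its allocator here; the model
 * counts the event instead so the replay can be checked. */
static void release(struct path *p, struct outcome *o)
{
    if (p->origin == ORIGIN_HEAP) {
        free(p->buf);
        o->heap_frees++;
    } else {
        o->bad_frees++;
    }
    p->buf = NULL;
    p->origin = ORIGIN_NONE;
}

/* One call into the modelled syscall. `stackbuf` stands in for the local
 * buffer CMD_RESOLVE borrows from the calling thread's stack. */
static void model_fsc2h_ctrl(unsigned cmd, struct path *p, char *stackbuf,
                             bool hardened, struct outcome *o)
{
    switch (cmd) {
    case CMD_RESOLVE:
        /* Point the path at the caller's stack buffer, then "sleep". */
        p->buf = stackbuf;
        p->origin = ORIGIN_STACK;
        break;
    case CMD_COMPLETE:
        /* Write the result into whatever the path points at and wake the waiter. */
        if (p->buf)
            memcpy(p->buf, "resolved", 9);
        p->completed = true;
        break;
    case CMD_WAIT:
        /* Blocks until completed. Once it is, the vulnerable handler frees buf
         * unconditionally; the hardened one only if the path owns heap memory. */
        if (!p->completed || !p->buf)
            break;
        if (hardened && p->origin != ORIGIN_HEAP)
            break;
        release(p, o);
        break;
    }
}

/* Deterministic replay of the four-thread interleaving from the report.
 * Path 1 additionally owns a normal heap buffer so the hardened check can be
 * seen to keep freeing legitimate allocations. */
static struct outcome replay(bool hardened)
{
    struct outcome o = {0, 0};
    struct path paths[2] = {{0}};
    char thread3_local[32] = {0};   /* stands in for thread 3's stack buffer */

    paths[0].buf = malloc(32);
    paths[0].origin = ORIGIN_HEAP;
    paths[0].completed = true;

    model_fsc2h_ctrl(CMD_WAIT, &paths[0], NULL, hardened, &o);              /* thread 1 */
    model_fsc2h_ctrl(CMD_WAIT, &paths[1], NULL, hardened, &o);              /* thread 2 blocks */
    model_fsc2h_ctrl(CMD_RESOLVE, &paths[1], thread3_local, hardened, &o);  /* thread 3 */
    model_fsc2h_ctrl(CMD_COMPLETE, &paths[1], NULL, hardened, &o);          /* thread 4 */
    model_fsc2h_ctrl(CMD_WAIT, &paths[1], NULL, hardened, &o);              /* thread 2 wakes first */

    return o;
}
```

With `hardened == false` the final CMD_WAIT hands the stack address to `release()`, which is the kernel-stack free the report describes; with `hardened == true` the same interleaving frees only path 1's heap buffer and leaves path 2's borrowed pointer for thread 3 to handle.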
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Bounty: $10000.00
Submitted:
Weakness: Use After Free