The address of `modprobe_path` was written to `simple_xattr->prev` instead of `simple_xattr->next`
as stated in the exploit writeup.
Thus, the arbitrary write occurs in the second part of the unlinking, when `simple_xattr->next`
is written to `simple_xattr->prev->next`.
This actually slightly simplifies the exploit as `next` is the first field in `list_head`
so there is no need to deal with any offsets.
However, if the technique in the writeup is followed exactly, `modprobe_path` should be written
into `simple_xattr->next`, so that in the first part of unlinking, the value of `simple_xattr->prev`
is written to `simple_xattr->next->prev`, which is offset 8 bytes from `simple_xattr->next`.
This commit modifies the exploit to use the latter method, accounting for the 8-byte offset.
More comments are also added to better explain what is going on.
Ref: https://twitter.com/QiuhaoLi/status/1578362818369232897
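As an added illustration (not code from the exploit, this commit, or the kernel), the two stores a `list_head` unlink performs and the `CONFIG_DEBUG_LIST` style check that refuses an entry whose neighbours do not point back at it; it assumes a 64-bit layout with `next` at offset 0 and `prev` at offset 8, and the `target` and `dummy` blocks are constructed stand-ins rather than real kernel memory.

```c
#include <stddef.h>
/* Stand-in for the kernel's struct list_head: next at offset 0, prev at offset 8 (64-bit assumed). */
struct list_head { struct list_head *next, *prev; };

/* Unchecked unlink, the two stores of __list_del(). Each store goes through a pointer
 * read from the entry itself, so a corrupted next or prev turns it into a write elsewhere. */
static void list_del_unchecked(struct list_head *entry)
{
    struct list_head *next = entry->next, *prev = entry->prev;
    next->prev = prev;   /* first store: lands at entry->next + 8 */
    prev->next = next;   /* second store: lands at entry->prev + 0 */
}

/* Validated unlink, modelled on the CONFIG_DEBUG_LIST check in __list_del_entry_valid():
 * both neighbours must point back at the entry, otherwise nothing is written. */
static int list_del_checked(struct list_head *entry)
{
    struct list_head *next = entry->next, *prev = entry->prev;
    if (prev->next != entry || next->prev != entry)
        return 0;        /* corruption detected, unlink refused */
    next->prev = prev;
    prev->next = next;
    return 1;
}

/* Constructed entry whose next (redirect_next != 0) or prev has been pointed at a target
 * block that stands in for the memory around modprobe_path; dummy absorbs the other store. */
static void make_corrupted(struct list_head *e, struct list_head *target, struct list_head *dummy, int redirect_next)
{
    dummy->next = dummy->prev = dummy;
    target->next = target->prev = NULL;
    e->next = redirect_next ? target : dummy;
    e->prev = redirect_next ? dummy : target;
}

/* Byte offset within target written by the unchecked unlink: 8 when next is redirected, 0 for prev. */
static size_t corrupted_unlink_offset(int redirect_next)
{
    struct list_head e, target, dummy;
    make_corrupted(&e, &target, &dummy, redirect_next);
    list_del_unchecked(&e);
    return target.next ? offsetof(struct list_head, next) : offsetof(struct list_head, prev);
}

/* Same corrupted entry through the validated unlink: 1 if refused with nothing written. */
static int checked_unlink_refuses(int redirect_next)
{
    struct list_head e, target, dummy;
    make_corrupted(&e, &target, &dummy, redirect_next);
    return list_del_checked(&e) == 0 && target.next == NULL && target.prev == NULL;
}
```

The offset returned for the redirected `next` case is the 8 bytes the commit message accounts for, and the validated unlink refuses both corrupted layouts before either store happens.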