Remove the lock if an identical overlapping one is already present.
authoranton <anton@openbsd.org>
Wed, 27 Apr 2022 18:01:23 +0000 (18:01 +0000)
committeranton <anton@openbsd.org>
Wed, 27 Apr 2022 18:01:23 +0000 (18:01 +0000)
Preventing a use after free discovered by syzkaller.

ok visa@

Reported-by: syzbot+a2649c1d77e9d2463f33@syzkaller.appspotmail.com
Reported-by: syzbot+182df9087f5f182daa44@syzkaller.appspotmail.com
Reported-by: syzbot+46d03139d7ed5e81ed2f@syzkaller.appspotmail.com
Reported-by: syzbot+892e886a6113db341da1@syzkaller.appspotmail.com
sys/kern/vfs_lockf.c

index 1f3bab8..82c2deb 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: vfs_lockf.c,v 1.45 2019/12/02 15:02:32 visa Exp $     */
+/*     $OpenBSD: vfs_lockf.c,v 1.46 2022/04/27 18:01:23 anton Exp $    */
 /*     $NetBSD: vfs_lockf.c,v 1.7 1996/02/04 02:18:21 christos Exp $   */
 
 /*
@@ -449,6 +449,9 @@ lf_setlock(struct lockf *lock)
                         * Check for common starting point and different types.
                         */
                        if (overlap->lf_type == lock->lf_type) {
+                               if (!needtolink)
+                                       TAILQ_REMOVE(&lock->lf_state->ls_locks,
+                                           lock, lf_entry);
                                lf_free(lock);
                                lock = overlap; /* for debug output below */
                                break;
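Review bot: The new unlink is guarded only by `!needtolink`, and nothing in the hunk states the invariant it relies on — that a cleared `needtolink` means `lock` has already been inserted into `lock->lf_state->ls_locks`, so freeing it without the `TAILQ_REMOVE` would leave a dangling list entry (the use-after-free the commit message describes). A short comment above the added `if` would make the ordering constraint explicit for the next reader: `/* The lock is already linked into ls_locks; unlink it before freeing it. */`. If any other `lf_free(lock)` exit in lf_setlock can be reached after `needtolink` has been cleared, it would need the same unlink, but that cannot be seen from this hunk. The enclosing lf_setlock body starts and ends outside the hunk.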