From 65315d4d4359323af4f23f6d8d3db7f0dfa1e7bc Mon Sep 17 00:00:00 2001
From: mpi
Date: Tue, 21 Dec 2021 22:21:32 +0000
Subject: [PATCH] Fix a typo in mlock(2) error path triggering a double-free. Pass the correct entry to uvm_fault_unwire_locked().
Reported-by: syzbot+bb2f63f076618e9ed0d3@syzkaller.appspotmail.com
ok kettenis@, deraadt@
---
 sys/uvm/uvm_map.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/uvm/uvm_map.c b/sys/uvm/uvm_map.c
index d4e420d4c1e..c931418f753 100644
--- a/sys/uvm/uvm_map.c
+++ b/sys/uvm/uvm_map.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uvm_map.c,v 1.281 2021/12/15 12:53:53 mpi Exp $ */
+/* $OpenBSD: uvm_map.c,v 1.282 2021/12/21 22:21:32 mpi Exp $ */
 /* $NetBSD: uvm_map.c,v 1.86 2000/11/27 08:40:03 chs Exp $ */
 /*
@@ -2420,7 +2420,7 @@ uvm_map_pageable_wire(struct vm_map *map, struct vm_map_entry *first,
 first->wired_count--;
 if (!VM_MAPENT_ISWIRED(first)) {
 uvm_fault_unwire_locked(map,
- iter->start, iter->end);
+ first->start, first->end);
 }
 }
-- 
2.20.1
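Review bot: The corrected `uvm_fault_unwire_locked()` call in the second hunk has no comment saying which entry the rollback operates on, and since both `first` and `iter` have `start` and `end` members the compiler accepts either, which is how the swapped name went unnoticed. Judging from the `first->wired_count--` and `VM_MAPENT_ISWIRED(first)` lines just above, `first` is the entry being undone, while `iter` presumably still names the entry where wiring stopped; the loop head is outside the hunk, so that should be confirmed. I would add above the call `/* Unwire the same entry whose wired_count was just dropped, never iter. */`. Because the commit message ties the wrong range to a double-free, a regress test that makes mlock(2) fail partway through a multi-entry range would keep this error path covered.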