From afb1c1edc409018855b0a91b0240eea4319e2a1c Mon Sep 17 00:00:00 2001
From: anton
Date: Wed, 27 Apr 2022 18:02:05 +0000
Subject: [PATCH] Add test case capable of triggering the recently fixed use after free, based on the syzkaller reproducer.
---
 regress/sys/kern/flock/Makefile | 5 ++--
 regress/sys/kern/flock/flock.c | 47 +++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/regress/sys/kern/flock/Makefile b/regress/sys/kern/flock/Makefile
index d0952ee8ed5..2bf4167e0b1 100644
--- a/regress/sys/kern/flock/Makefile
+++ b/regress/sys/kern/flock/Makefile
@@ -1,14 +1,15 @@
-# $OpenBSD: Makefile,v 1.11 2020/12/16 22:59:55 bluhm Exp $
+# $OpenBSD: Makefile,v 1.12 2022/04/27 18:02:05 anton Exp $
 PROGS+= flock
 SRCS_flock= flock.c util.c
+LDADD_flock= -lutil
 PROGS+= lockf
 SRCS_lockf= lockf.c util.c
 WARNINGS= yes
-TESTS_FLOCK!= jot 24 1
+TESTS_FLOCK!= jot 25 1
 .for t in ${TESTS_FLOCK}
 run-flock-$t: flock
 ./flock ${LOCKFLAGS} $t
diff --git a/regress/sys/kern/flock/flock.c b/regress/sys/kern/flock/flock.c
index 09b182c309f..154b85315bb 100644
--- a/regress/sys/kern/flock/flock.c
+++ b/regress/sys/kern/flock/flock.c
@@ -38,7 +38,9 @@
 #include
 #include
 #include
+#include
 #include
+#include
 #include "util.h"
@@ -1713,6 +1715,50 @@ test24(int fd)
 SUCCEED;
 }
+/*
+ * Test 25 - use after free regression
+ *
+ * Discovered by syzkaller.
+ */
+static int
+test25(int fd)
+{
+ struct flock fl;
+ int master, res, slave;
+
+ res = openpty(&master, &slave, NULL, NULL, NULL);
+ FAIL(res == -1);
+ close(master);
+
+ fl.l_start = 0;
+ fl.l_len = 0;
+ fl.l_pid = 0;
+ fl.l_type = F_RDLCK;
+ fl.l_whence = SEEK_SET;
+ res = fcntl(slave, F_SETLKW, &fl);
+ FAIL(res != 0);
+
+ fl.l_start = 3;
+ fl.l_len = 0x7ffffffffffffffd;
+ fl.l_pid = 0;
+ fl.l_type = F_UNLCK;
+ fl.l_whence = SEEK_END;
+ res = fcntl(slave, F_SETLKW, &fl);
+ FAIL(res != 0);
+
+ fl.l_start = 0;
+ fl.l_len = 0;
+ fl.l_pid = 0;
+ fl.l_type = F_RDLCK;
+ fl.l_whence = SEEK_SET;
+ res = fcntl(slave, F_SETLKW, &fl);
+ FAIL(res != 0);
+
+ close(slave);
+
+ SUCCEED;
+}
+
 static struct test tests[] = {
 { test1, 0 },
 { test2, 0 },
@@ -1738,6 +1784,7 @@ static struct test tests[] = {
 { test22, 0 },
 { test23, 0 },
 { test24, 0 },
+ { test25, 0 },
 };
 static int test_count = sizeof(tests) / sizeof(tests[0]);
-- 
2.20.1
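Review bot: The header comment on test25 says only "use after free regression", so nothing records which of the three requests matters or why the test locks a pty slave instead of the `fd` it is handed (`fd` is never used in the body). I would extend the comment to say that the middle `F_UNLCK` request, with `l_whence = SEEK_END`, `l_start = 3` and `l_len = 0x7ffffffffffffffd`, carries the unusual range (presumably copied from the syzkaller reproducer) and to name the kernel revision that fixed the bug (`<fixing revision>`, not given on this page), so a later cleanup does not simplify the values away. A use after free would presumably show up as a kernel crash rather than a non-zero return, so the comment should also note that the `FAIL(res != 0)` checks only confirm the calls completed. If `FAIL` returns early (its definition is outside this hunk), `slave` stays open on the failing paths; closing it before returning, or stating that the leak is accepted in a short-lived test process, would settle that.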