From c30ab30fe47bdb0bc845ad0b06a2099375dddd13 Mon Sep 17 00:00:00 2001
From: anton
Date: Wed, 27 Apr 2022 18:01:23 +0000
Subject: [PATCH] Remove the lock if an identical overlapping one is already present.

Preventing a use after free discovered by syzkaller.

ok visa@

Reported-by: syzbot+a2649c1d77e9d2463f33@syzkaller.appspotmail.com
Reported-by: syzbot+182df9087f5f182daa44@syzkaller.appspotmail.com
Reported-by: syzbot+46d03139d7ed5e81ed2f@syzkaller.appspotmail.com
Reported-by: syzbot+892e886a6113db341da1@syzkaller.appspotmail.com
---
 sys/kern/vfs_lockf.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sys/kern/vfs_lockf.c b/sys/kern/vfs_lockf.c
index 1f3bab8849c..82c2debce95 100644
--- a/sys/kern/vfs_lockf.c
+++ b/sys/kern/vfs_lockf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vfs_lockf.c,v 1.45 2019/12/02 15:02:32 visa Exp $ */
+/* $OpenBSD: vfs_lockf.c,v 1.46 2022/04/27 18:01:23 anton Exp $ */
 /* $NetBSD: vfs_lockf.c,v 1.7 1996/02/04 02:18:21 christos Exp $ */
 
 /*
@@ -449,6 +449,9 @@ lf_setlock(struct lockf *lock)
 * Check for common starting point and different types.
 */
 if (overlap->lf_type == lock->lf_type) {
+ if (!needtolink)
+ TAILQ_REMOVE(&lock->lf_state->ls_locks,
+ lock, lf_entry);
 lf_free(lock);
 lock = overlap; /* for debug output below */
 break;
-- 
2.20.1
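Review bot: The new `if (!needtolink)` unlink in the second hunk relies on the invariant that a cleared `needtolink` means `lock` is currently on `ls_locks`, and nothing at that point says so; a one-line comment would make the freed-while-linked hazard this fixes visible to the next reader, e.g. `/* lock was linked in on an earlier pass; unlink before freeing */`. The same unlink-before-free is needed on any other path in this switch that reaches `lf_free(lock)` after the lock may already have been linked; none is visible in the hunk, so it is worth a quick check of the other arms rather than a claim. If the `TAILQ_REMOVE` is the only such site, a `KASSERT` or comment on `lf_free` stating that its argument must not be on any list would pin the contract down. lf_setlock starts and ends outside the hunk.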