From 68ccebcff78e5b3b429865fafa524850c88aa4d2 Mon Sep 17 00:00:00 2001
From: Oliver Pinter
Date: Thu, 8 Jan 2015 03:42:07 +0100
Subject: [PATCH] HBSD: improve style and fix programing error

This patch fixed an UaF. From the PR's comment:
~~~
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x30058
fault code = supervisor write data, page not present
instruction pointer = 0x20:0xffffffff8090e46a
stack pointer = 0x28:0xfffffe000024d780
frame pointer = 0x28:0xfffffe000024d850
code segment =base rx0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 27466 (httpd)
trap number = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff80963000 at kdb_backtrace+0x60
#1 0xffffffff80928125 at panic+0x155
#2 0xffffffff80d24f1f at trap_fatal+0x38f
#3 0xffffffff80d25238 at trap_pfault+0x308
#4 0xffffffff80d2489a at trap+0x47a
#5 0xffffffff80d0a782 at calltrap+0x8
#6 0xffffffff8090ec35 at lf_advlock+0x45
#7 0xffffffff809b8e69 at vop_stdadvlock+0xa9
#8 0xffffffff80e44247 at VOP_ADVLOCK_APV+0xa7
#9 0xffffffff808e4919 at kern_fcntl+0xb39
#10 0xffffffff808e3d5c at kern_fcntl_freebsd+0xac
#11 0xffffffff80d25851 at amd64_syscall+0x351
#12 0xffffffff80d0aa6b at Xfast_syscall+0xfb
~~~
FreeBSD-PR: Bug 194525
FreeBSD-PR-url: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194525
Discussed-with: Hunger
Signed-off-by: Oliver Pinter
---
 sys/kern/kern_lockf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/kern_lockf.c b/sys/kern/kern_lockf.c
index 8d5c57681fe..91eae09cc6e 100644
--- a/sys/kern/kern_lockf.c
+++ b/sys/kern/kern_lockf.c
@@ -740,12 +740,13 @@ retry_setlock:
 	VI_UNLOCK(vp);
-	if (freestate) {
+	if (freestate != NULL) {
 		sx_xlock(&lf_lock_states_lock);
 		LIST_REMOVE(freestate, ls_link);
 		sx_xunlock(&lf_lock_states_lock);
 		sx_destroy(&freestate->ls_lock);
 		free(freestate, M_LOCKF);
+		freestate = NULL;
 	}
 	if (error == EDOOFUS) {