From a look at kern_fcntl_freebsd() it seems to me that the old lock structure is not properly filled in case of the F_OGETLK operation. This should fix the bug:
--- kern_descrip.c (revision 276910)
+++ kern_descrip.c (working copy)
@@ -419,8 +419,10 @@
 struct __oflock ofl;
 intptr_t arg1;
 int error;
+ int newcmd;
 error = 0;
+ newcmd = cmd;
 switch (cmd) {
 case F_OGETLK:
 case F_OSETLK:
@@ -438,13 +440,13 @@
 switch (cmd) {
 case F_OGETLK:
- cmd = F_GETLK;
+ newcmd = F_GETLK;
 break;
 case F_OSETLK:
- cmd = F_SETLK;
+ newcmd = F_SETLK;
 break;
 case F_OSETLKW:
- cmd = F_SETLKW;
+ newcmd = F_SETLKW;
 break;
 }
 arg1 = (intptr_t)&fl;
@@ -462,7 +464,7 @@
 }
 if (error)
 return (error);
- error = kern_fcntl(td, fd, cmd, arg1);
+ error = kern_fcntl(td, fd, newcmd, arg1);
 if (error)
 return (error);
 if (cmd == F_OGETLK) {
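Review bot: The out-of-bounds copyout named in the commit log is only closed if the `if (cmd == F_OGETLK)` branch that the third hunk makes reachable again copies out `ofl` with `sizeof(ofl)` rather than the larger `fl`; that branch opens on the hunk's last line and its body lies outside the hunk, so the patch as shown does not let a reviewer confirm it, and it is the one line worth checking in the surrounding code. The split itself — passing the translated `newcmd` to kern_fcntl() while leaving `cmd` untouched so the old-ABI copyout can still be recognized — is sound, but nothing in the code records why two variables are needed, and a later cleanup could merge them back and silently reintroduce the bug. I would add, above `newcmd = cmd;` in the first hunk, `/* Keep cmd intact: the F_OGETLK copyout below keys on it; newcmd is the native command handed to kern_fcntl(). */`. The switch in the second hunk has no `default`, which is correct only because `newcmd` is pre-initialized to `cmd` a few lines earlier; a one-line comment on the switch would make that dependency explicit. kern_fcntl_freebsd() starts before the first hunk and ends after the last, so the copyout path and the `struct __oflock` conversion are not visible here.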
A commit references this bug: Author: kib Date: Wed Jul 8 13:19:15 UTC 2015 New revision: 285269 URL: https://svnweb.freebsd.org/changeset/base/285269 Log: Handle copyout for the fcntl(F_OGETLK) using oflock structure. Otherwise, kernel overwrites a word past the destination. Submitted by: walter@pelissero.de PR: 196718 MFC after: 1 week Changes: head/sys/kern/kern_descrip.c
Fixed in stable/10 (r285963) and releng/10.2 (r285964).