file: Fix offset handling in kern_copy_file_range()

One can ask copy_file_range(2) to use the file offsets of the file
descriptions that it copies from and to.  We were updating those offsets
without any locking, which is incorrect and can lead to unkillable loops
in the event of a race (e.g., the check for overlapping ranges in
kern_copy_file_range() is subject to a TOCTOU race with the following
loop which range-locks the input and output file).

Use foffset_lock() to serialize updates to the file descriptions, as we
do for other, similar system calls.

Reported by:	syzkaller
Reviewed by:	rmacklem, kib
MFC after:	2 weeks
Fixes:		bbbbeca3e9a3 ("Add kernel support for a Linux compatible copy_file_range(2) syscall.")
Differential Revision:	https://reviews.freebsd.org/D49440

0 files changed, 0 insertions, 0 deletions