git: b52dc2067618 - main - jail: Don't double-free the current prison in kern_jail_set/get
Date: Tue, 09 Jun 2026 22:32:33 UTC
The branch main has been updated by jamie:
URL: https://cgit.FreeBSD.org/src/commit/?id=b52dc2067618fc73e8d4d20e4035d1a67a8b455d
commit b52dc2067618fc73e8d4d20e4035d1a67a8b455d
Author: Jamie Gritton <jamie@FreeBSD.org>
AuthorDate: 2026-06-09 22:31:40 +0000
Commit: Jamie Gritton <jamie@FreeBSD.org>
CommitDate: 2026-06-09 22:31:40 +0000
jail: Don't double-free the current prison in kern_jail_set/get
Reported by: Yuxiang Yang, et al <yangyx22 at mails.tsinghua.edu.cn>
Discussed with: markj
MFC after: 3 days
---
sys/kern/kern_jail.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index bc80adb91cd6..a8d44012db0f 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -1117,14 +1117,17 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
* Look up and create jails based on the
* descriptor's prison.
*/
- prison_free(mypr);
- error = jaildesc_find(td, jfd_in, &mypr, NULL);
+ struct prison *jdpr;
+
+ error = jaildesc_find(td, jfd_in, &jdpr, NULL);
if (error != 0) {
vfs_opterror(opts, error == ENOENT ?
"descriptor to dead jail" :
"not a jail descriptor");
goto done_errmsg;
}
+ prison_free(mypr);
+ mypr = jdpr;
if ((flags & JAIL_CREATE) && mypr->pr_childmax == 0) {
error = EPERM;
goto done_free;
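Review bot: The new ordering depends on a reference-ownership rule that no added line states: mypr's reference must stay held until jaildesc_find() has succeeded, presumably because the exit at done_errmsg (outside this hunk) releases mypr as well. A one-line comment above `prison_free(mypr);` would stop a later cleanup from hoisting the call back above the lookup, for example `/* Release the old reference only after the lookup succeeds; the error exit still drops mypr. */`. The same comment belongs in the matching kern_jail_get hunk, where the failure exit is `goto done`. kern_jail_set starts and ends outside the hunk, so what the done_errmsg and done_free labels release is inferred from the commit title rather than visible here.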
@@ -2618,14 +2621,17 @@ kern_jail_get(struct thread *td, struct uio *optuio, int flags)
}
if (flags & JAIL_AT_DESC) {
/* Look up jails based on the descriptor's prison. */
- prison_free(mypr);
- error = jaildesc_find(td, jfd_in, &mypr, NULL);
+ struct prison *jdpr;
+
+ error = jaildesc_find(td, jfd_in, &jdpr, NULL);
if (error != 0) {
vfs_opterror(opts, error == ENOENT ?
"descriptor to dead jail" :
"not a jail descriptor");
goto done;
}
+ prison_free(mypr);
+ mypr = jdpr;
}
if (flags & (JAIL_GET_DESC | JAIL_OWN_DESC)) {
/* Allocate a jail descriptor to return later. */