git: 4938fd9361b4 - stable/15 - jail: Don't double-free the current prison in kern_jail_set/get
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 12 Jun 2026 17:59:54 UTC
The branch stable/15 has been updated by jamie:
URL: https://cgit.FreeBSD.org/src/commit/?id=4938fd9361b497241df8f442f1f87cc73ef81d6c
commit 4938fd9361b497241df8f442f1f87cc73ef81d6c
Author: Jamie Gritton <jamie@FreeBSD.org>
AuthorDate: 2026-06-09 22:31:40 +0000
Commit: Jamie Gritton <jamie@FreeBSD.org>
CommitDate: 2026-06-12 17:57:44 +0000
jail: Don't double-free the current prison in kern_jail_set/get
Reported by: Yuxiang Yang, et al <yangyx22 at mails.tsinghua.edu.cn>
Discussed with: markj
(cherry picked from commit b52dc2067618fc73e8d4d20e4035d1a67a8b455d)
---
sys/kern/kern_jail.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 9f6916a433a1..43acde461e40 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -1101,14 +1101,17 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
* Look up and create jails based on the
* descriptor's prison.
*/
- prison_free(mypr);
- error = jaildesc_find(td, jfd_in, &mypr, NULL);
+ struct prison *jdpr;
+
+ error = jaildesc_find(td, jfd_in, &jdpr, NULL);
if (error != 0) {
vfs_opterror(opts, error == ENOENT ?
"descriptor to dead jail" :
"not a jail descriptor");
goto done_errmsg;
}
+ prison_free(mypr);
+ mypr = jdpr;
if ((flags & JAIL_CREATE) && mypr->pr_childmax == 0) {
error = EPERM;
goto done_free;
@@ -2550,14 +2553,17 @@ kern_jail_get(struct thread *td, struct uio *optuio, int flags)
}
if (flags & JAIL_AT_DESC) {
/* Look up jails based on the descriptor's prison. */
- prison_free(mypr);
- error = jaildesc_find(td, jfd_in, &mypr, NULL);
+ struct prison *jdpr;
+
+ error = jaildesc_find(td, jfd_in, &jdpr, NULL);
if (error != 0) {
vfs_opterror(opts, error == ENOENT ?
"descriptor to dead jail" :
"not a jail descriptor");
goto done;
}
+ prison_free(mypr);
+ mypr = jdpr;
}
if (flags & (JAIL_GET_DESC | JAIL_OWN_DESC)) {
/* Allocate a jail descriptor to return later. */