Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 22 Jan 2021 19:00:37 GMT
From:      Jamie Gritton <jamie@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 195cd6ae2481 - main - jail: fix dangling reference bug from 6754ae2572eb
Message-ID:  <202101221900.10MJ0bfZ009358@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by jamie:

URL: https://cgit.FreeBSD.org/src/commit/?id=195cd6ae2481dd5ad555ed65c226b6f20908d66a

commit 195cd6ae2481dd5ad555ed65c226b6f20908d66a
Author:     Jamie Gritton <jamie@FreeBSD.org>
AuthorDate: 2021-01-22 18:56:24 +0000
Commit:     Jamie Gritton <jamie@FreeBSD.org>
CommitDate: 2021-01-22 18:56:24 +0000

    jail: fix dangling reference bug from 6754ae2572eb
    
    The change to use refcounts for pr_uref was mishandled in
    prison_proc_free, so killing a jail's last process could add
    an extra reference, leaving it an unkillable zombie.
---
 sys/kern/kern_jail.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 318f81fb13be..064f1afa4133 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -2705,7 +2705,6 @@ prison_proc_hold(struct prison *pr)
 void
 prison_proc_free(struct prison *pr)
 {
-	int lasturef;
 
 	/*
 	 * Locking is only required when releasing the last reference.
@@ -2714,11 +2713,7 @@ prison_proc_free(struct prison *pr)
 	 */
 	KASSERT(refcount_load(&pr->pr_uref) > 0,
 	    ("Trying to kill a process in a dead prison (jid=%d)", pr->pr_id));
-	if (refcount_release_if_not_last(&pr->pr_uref))
-		return;
-	mtx_lock(&pr->pr_mtx);
-	lasturef = refcount_release(&pr->pr_uref);
-	if (lasturef) {
+	if (!refcount_release_if_not_last(&pr->pr_uref)) {
 		/*
 		 * Don't remove the last user reference in this context,
 		 * which is expected to be a process that is not only locked,
@@ -2726,11 +2721,8 @@ prison_proc_free(struct prison *pr)
 		 * prison_free() won't re-submit the task.
 		 */
 		refcount_acquire(&pr->pr_ref);
-		mtx_unlock(&pr->pr_mtx);
 		taskqueue_enqueue(taskqueue_thread, &pr->pr_task);
-		return;
 	}
-	mtx_unlock(&pr->pr_mtx);
 }
 
 /*

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202101221900.10MJ0bfZ009358>