Site Navigation

Date:      Fri, 12 Jun 2026 17:59:54 +0000
From:      Jamie Gritton <jamie@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 4938fd9361b4 - stable/15 - jail: Don't double-free the current prison in kern_jail_set/get
Message-ID:  <6a2c491a.41d9f.c5262ca@gitrepo.freebsd.org>

---

index | next in thread | raw e-mail

---

The branch stable/15 has been updated by jamie:

URL: https://cgit.FreeBSD.org/src/commit/?id=4938fd9361b497241df8f442f1f87cc73ef81d6c

commit 4938fd9361b497241df8f442f1f87cc73ef81d6c
Author:     Jamie Gritton <jamie@FreeBSD.org>
AuthorDate: 2026-06-09 22:31:40 +0000
Commit:     Jamie Gritton <jamie@FreeBSD.org>
CommitDate: 2026-06-12 17:57:44 +0000

    jail: Don't double-free the current prison in kern_jail_set/get
    
    Reported by:    Yuxiang Yang, et al <yangyx22 at mails.tsinghua.edu.cn>
    Discussed with: markj
    
    (cherry picked from commit b52dc2067618fc73e8d4d20e4035d1a67a8b455d)
---
 sys/kern/kern_jail.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 9f6916a433a1..43acde461e40 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -1101,14 +1101,17 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
 			 * Look up and create jails based on the
 			 * descriptor's prison.
 			 */
-			prison_free(mypr);
-			error = jaildesc_find(td, jfd_in, &mypr, NULL);
+			struct prison *jdpr;
+
+			error = jaildesc_find(td, jfd_in, &jdpr, NULL);
 			if (error != 0) {
 				vfs_opterror(opts, error == ENOENT ?
 				    "descriptor to dead jail" :
 				    "not a jail descriptor");
 				goto done_errmsg;
 			}
+			prison_free(mypr);
+			mypr = jdpr;
 			if ((flags & JAIL_CREATE) && mypr->pr_childmax == 0) {
 				error = EPERM;
 				goto done_free;
@@ -2550,14 +2553,17 @@ kern_jail_get(struct thread *td, struct uio *optuio, int flags)
 		}
 		if (flags & JAIL_AT_DESC) {
 			/* Look up jails based on the descriptor's prison. */
-			prison_free(mypr);
-			error = jaildesc_find(td, jfd_in, &mypr, NULL);
+			struct prison *jdpr;
+
+			error = jaildesc_find(td, jfd_in, &jdpr, NULL);
 			if (error != 0) {
 				vfs_opterror(opts, error == ENOENT ?
 				    "descriptor to dead jail" :
 				    "not a jail descriptor");
 				goto done;
 			}
+			prison_free(mypr);
+			mypr = jdpr;
 		}
 		if (flags & (JAIL_GET_DESC | JAIL_OWN_DESC)) {
 			/* Allocate a jail descriptor to return later. */

home | help

---

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a2c491a.41d9f.c5262ca>

Legal Notices | © 1995-2026 The FreeBSD Project. All rights reserved.

Contact