Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 09 Jun 2026 22:32:33 +0000
From:      Jamie Gritton <jamie@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: b52dc2067618 - main - jail: Don't double-free the current prison in kern_jail_set/get
Message-ID:  <6a289481.320f5.78341fda@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch main has been updated by jamie:

URL: https://cgit.FreeBSD.org/src/commit/?id=b52dc2067618fc73e8d4d20e4035d1a67a8b455d

commit b52dc2067618fc73e8d4d20e4035d1a67a8b455d
Author:     Jamie Gritton <jamie@FreeBSD.org>
AuthorDate: 2026-06-09 22:31:40 +0000
Commit:     Jamie Gritton <jamie@FreeBSD.org>
CommitDate: 2026-06-09 22:31:40 +0000

    jail: Don't double-free the current prison in kern_jail_set/get
    
    Reported by:    Yuxiang Yang, et al <yangyx22 at mails.tsinghua.edu.cn>
    Discussed with: markj
    MFC after:      3 days
---
 sys/kern/kern_jail.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index bc80adb91cd6..a8d44012db0f 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -1117,14 +1117,17 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
 			 * Look up and create jails based on the
 			 * descriptor's prison.
 			 */
-			prison_free(mypr);
-			error = jaildesc_find(td, jfd_in, &mypr, NULL);
+			struct prison *jdpr;
+
+			error = jaildesc_find(td, jfd_in, &jdpr, NULL);
 			if (error != 0) {
 				vfs_opterror(opts, error == ENOENT ?
 				    "descriptor to dead jail" :
 				    "not a jail descriptor");
 				goto done_errmsg;
 			}
+			prison_free(mypr);
+			mypr = jdpr;
 			if ((flags & JAIL_CREATE) && mypr->pr_childmax == 0) {
 				error = EPERM;
 				goto done_free;
@@ -2618,14 +2621,17 @@ kern_jail_get(struct thread *td, struct uio *optuio, int flags)
 		}
 		if (flags & JAIL_AT_DESC) {
 			/* Look up jails based on the descriptor's prison. */
-			prison_free(mypr);
-			error = jaildesc_find(td, jfd_in, &mypr, NULL);
+			struct prison *jdpr;
+
+			error = jaildesc_find(td, jfd_in, &jdpr, NULL);
 			if (error != 0) {
 				vfs_opterror(opts, error == ENOENT ?
 				    "descriptor to dead jail" :
 				    "not a jail descriptor");
 				goto done;
 			}
+			prison_free(mypr);
+			mypr = jdpr;
 		}
 		if (flags & (JAIL_GET_DESC | JAIL_OWN_DESC)) {
 			/* Allocate a jail descriptor to return later. */
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a289481.320f5.78341fda>