jail: Don't double-free the current prison in kern_jail_set/get

Reported by:	Yuxiang Yang, et al <yangyx22 at mails.tsinghua.edu.cn>
Discussed with:	markj
MFC after:	3 days
This commit is contained in:
Jamie Gritton
2026-06-09 15:31:40 -07:00
parent 44970244e6
commit b52dc20676
+10 -4
View File
@@ -1117,14 +1117,17 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
* Look up and create jails based on the * Look up and create jails based on the
* descriptor's prison. * descriptor's prison.
*/ */
prison_free(mypr); struct prison *jdpr;
error = jaildesc_find(td, jfd_in, &mypr, NULL);
error = jaildesc_find(td, jfd_in, &jdpr, NULL);
if (error != 0) { if (error != 0) {
vfs_opterror(opts, error == ENOENT ? vfs_opterror(opts, error == ENOENT ?
"descriptor to dead jail" : "descriptor to dead jail" :
"not a jail descriptor"); "not a jail descriptor");
goto done_errmsg; goto done_errmsg;
} }
prison_free(mypr);
mypr = jdpr;
if ((flags & JAIL_CREATE) && mypr->pr_childmax == 0) { if ((flags & JAIL_CREATE) && mypr->pr_childmax == 0) {
error = EPERM; error = EPERM;
goto done_free; goto done_free;
@@ -2618,14 +2621,17 @@ kern_jail_get(struct thread *td, struct uio *optuio, int flags)
} }
if (flags & JAIL_AT_DESC) { if (flags & JAIL_AT_DESC) {
/* Look up jails based on the descriptor's prison. */ /* Look up jails based on the descriptor's prison. */
prison_free(mypr); struct prison *jdpr;
error = jaildesc_find(td, jfd_in, &mypr, NULL);
error = jaildesc_find(td, jfd_in, &jdpr, NULL);
if (error != 0) { if (error != 0) {
vfs_opterror(opts, error == ENOENT ? vfs_opterror(opts, error == ENOENT ?
"descriptor to dead jail" : "descriptor to dead jail" :
"not a jail descriptor"); "not a jail descriptor");
goto done; goto done;
} }
prison_free(mypr);
mypr = jdpr;
} }
if (flags & (JAIL_GET_DESC | JAIL_OWN_DESC)) { if (flags & (JAIL_GET_DESC | JAIL_OWN_DESC)) {
/* Allocate a jail descriptor to return later. */ /* Allocate a jail descriptor to return later. */