Fix use-after-free in kern_jail_set() triggered e.g. by attempts

to clear "persist" flag from empty persistent jail, like this: jail -c persist=1 jail -n 1 -m persist=0 Submitted by: Mateusz Guzik <mjguzik at gmail dot com> MFC after: 2 weeks
svn path=/head/; revision=235803
2012-05-22 19:43:20 +00:00 · 2012-05-22 19:43:20 +00:00 · 1fb2497499 · 2020-12-20 02:59:44 +00:00
parent ba21c2b408
commit 1fb2497499
1 changed files with 10 additions and 6 deletions
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@ -1811,6 +1811,16 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
 		}
 	}

+#ifdef RACCT
+	if (!created) {
+		sx_sunlock(&allprison_lock);
+		prison_racct_modify(pr);
+		sx_slock(&allprison_lock);
+	}
+#endif
+
+	td->td_retval[0] = pr->pr_id;
+
 	/*
 	 * Now that it is all there, drop the temporary reference from existing
 	 * prisons.  Or add a reference to newly created persistent prisons
@ -1832,12 +1842,6 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
 			sx_sunlock(&allprison_lock);
 	}

-#ifdef RACCT
-	if (!created)
-		prison_racct_modify(pr);
-#endif
-
-	td->td_retval[0] = pr->pr_id;
 	goto done_errmsg;

 done_deref_locked: