The branch main has been updated by zlei:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b2d76b52fd48306486deff193d49b728afbb04a3

commit b2d76b52fd48306486deff193d49b728afbb04a3
Author:     Zhenlei Huang <z...@freebsd.org>
AuthorDate: 2023-02-21 15:43:25 +0000
Commit:     Zhenlei Huang <z...@freebsd.org>
CommitDate: 2023-02-21 15:43:25 +0000

    jail: Fix redoing ip restricting
    
    `prison_ip_restrict()` is called in the loop FOREACH_PRISON_DESCENDANT_LOCKED.
    While under low memory, it is still possible that in subsequent rounds
    `prison_ip_restrict()` succeeds and `redo_ip[46]` flips over from true to
    false, thus leaving some prisons' IPv[46] addresses unrestricted.
    
    Reviewed by:    jamie
    Fixes:          8bce8d28abe6 jail: Avoid multipurpose return value of function prison_ip_restrict()
    Differential Revision:  https://reviews.freebsd.org/D38697
---
 sys/kern/kern_jail.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 75be0df85448..92e8e4f34b42 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -2047,7 +2047,8 @@ kern_jail_set(struct thread *td, struct uio *optuio, int 
flags)
                                continue;
                        }
 #endif
-                       redo_ip4 = !prison_ip_restrict(tpr, PR_INET, &ip4);
+                       if (!prison_ip_restrict(tpr, PR_INET, &ip4))
+                               redo_ip4 = true;
                }
                mtx_unlock(&pr->pr_mtx);
        }
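
Review bot: Since `redo_ip4` is now only ever set to true inside the descendant loop, and nothing in this hunk shows where it is cleared, please confirm it is reset to false before each pass over FOREACH_PRISON_DESCENDANT_LOCKED. If it is not, a single failed `prison_ip_restrict(tpr, PR_INET, &ip4)` would leave the redo condition true on every later pass. It would help to mention in the commit message or a comment where that reset happens, so the sticky flag and its reset can be read together.
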
@@ -2066,7 +2067,8 @@ kern_jail_set(struct thread *td, struct uio *optuio, int 
flags)
                                continue;
                        }
 #endif
-                       redo_ip6 = !prison_ip_restrict(tpr, PR_INET6, &ip6);
+                       if (!prison_ip_restrict(tpr, PR_INET6, &ip6))
+                               redo_ip6 = true;
                }
                mtx_unlock(&pr->pr_mtx);
        }
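
Review bot: The two-line `if (!prison_ip_restrict(tpr, PR_INET6, &ip6))` / `redo_ip6 = true;` form is easy to mistake for a verbose spelling of the assignment it replaces, and it now appears in both the PR_INET and PR_INET6 loops. A short comment at this spot, saying the flag accumulates failures across all descendants and must not be overwritten by a later success, would keep a future cleanup from collapsing it back into the assignment and reintroducing the case from the commit message where some prisons' addresses stay unrestricted.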
