jail: Fix redoing ip restricting

`prison_ip_restrict()` is called in loop FOREACH_PRISON_DESCENDANT_LOCKED. While under low memory, it is still possible that in subsequent rounds `prison_ip_restrict()` succeed and `redo_ip[46]` flip over from true to false, thus leave some prisons's IPv[46] addresses unrestricted. Reviewed by: jamie Fixes: 8bce8d28ab jail: Avoid multipurpose return value of function prison_ip_restrict() Differential Revision: https://reviews.freebsd.org/D38697
2023-02-21 23:43:25 +08:00 · 2023-02-21 23:43:25 +08:00 · b2d76b52fd
commit b2d76b52fd
parent 192a001984
1 changed files with 4 additions and 2 deletions
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@ -2047,7 +2047,8 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
 				continue;
 			}
 #endif
-			redo_ip4 = !prison_ip_restrict(tpr, PR_INET, &ip4);
+			if (!prison_ip_restrict(tpr, PR_INET, &ip4))
+				redo_ip4 = true;
 		}
 		mtx_unlock(&pr->pr_mtx);
 	}
@ -2066,7 +2067,8 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
 				continue;
 			}
 #endif
-			redo_ip6 = !prison_ip_restrict(tpr, PR_INET6, &ip6);
+			if (!prison_ip_restrict(tpr, PR_INET6, &ip6))
+				redo_ip6 = true;
 		}
 		mtx_unlock(&pr->pr_mtx);
 	}