From b2d76b52fd48306486deff193d49b728afbb04a3 Mon Sep 17 00:00:00 2001
From: Zhenlei Huang <zlei@FreeBSD.org>
Date: Tue, 21 Feb 2023 23:43:25 +0800
Subject: [PATCH] jail: Fix redoing ip restricting

`prison_ip_restrict()` is called in loop FOREACH_PRISON_DESCENDANT_LOCKED.
While under low memory, it is still possible that in subsequent rounds
`prison_ip_restrict()` succeed and `redo_ip[46]` flip over from true to
false, thus leave some prisons's IPv[46] addresses unrestricted.

Reviewed by:	jamie
Fixes:		8bce8d28abe6 jail: Avoid multipurpose return value of function prison_ip_restrict()
Differential Revision:	https://reviews.freebsd.org/D38697
---
 sys/kern/kern_jail.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 75be0df85448..92e8e4f34b42 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -2047,7 +2047,8 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
 				continue;
 			}
 #endif
-			redo_ip4 = !prison_ip_restrict(tpr, PR_INET, &ip4);
+			if (!prison_ip_restrict(tpr, PR_INET, &ip4))
+				redo_ip4 = true;
 		}
 		mtx_unlock(&pr->pr_mtx);
 	}
@@ -2066,7 +2067,8 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
 				continue;
 			}
 #endif
-			redo_ip6 = !prison_ip_restrict(tpr, PR_INET6, &ip6);
+			if (!prison_ip_restrict(tpr, PR_INET6, &ip6))
+				redo_ip6 = true;
 		}
 		mtx_unlock(&pr->pr_mtx);
 	}