Merge branch '3768-dns_zonemgr-use-after-free-v9_18' into 'v9_18'

[9.18] Fix a use-after-free bug in dns_zonemgr_releasezone()

See merge request isc-projects/bind9!7351

CHANGES

@@ -11,6 +11,10 @@
 6061.	[bug]		Fix unexpected "Prohibited" extended DNS error
 			on allow-recursion. [GL #3743]
 
+6060.	[bug]		Fix a use-after-free bug in dns_zonemgr_releasezone()
+			by detaching from the zone manager outside of the write
+			lock. [GL #3768]
+
 6059.	[bug]		In some serve stale scenarios, like when following an
 			expired CNAME record, named could return SERVFAIL if the
 			previous request wasn't successful. Consider non-stale

lib/dns/zone.c

@@ -18927,8 +18927,6 @@ unlock:
 
 void
 dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
-	bool free_now = false;
-
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
 	REQUIRE(zone->zmgr == zmgr);
@@ -18943,19 +18941,13 @@ dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
 		ENSURE(zone->kfio == NULL);
 	}
 
+	/* Detach below, outside of the write lock. */
 	zone->zmgr = NULL;
 
-	if (isc_refcount_decrement(&zmgr->refs) == 1) {
-		free_now = true;
-	}
-
 	UNLOCK_ZONE(zone);
 	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
 
-	if (free_now) {
-		zonemgr_free(zmgr);
-	}
-	ENSURE(zone->zmgr == NULL);
+	dns_zonemgr_detach(&zmgr);
 }
 
 void