jail: Avoid a potential use-after-free when destroying jails

prison_deref() and prison_deref_kill() have to handle the case where
destruction of a jail will release the final reference on the jail's
parent, resulting in destruction of the parent jail. They thus maintain
a list of jails whose references have gone away; the loop at the end of
prison_deref() then goes through the list and deallocates resources
associated with each jail. In particular, if a jail's VNET is not the
same as that of its parent, this loop destroys the VNET.

Suppose prison_deref() removes the last reference on a jail, releasing a
reference to its parent and causing the jail to be placed in the
"freeprison" list. Suppose then that the parent jail is destroyed
before the "freeprison" list is processed. When destroying the
now-orphaned child jail, prison_deref() derefences its parent to see
whether the child jail's VNET needs to be freed, but if this race
occurs, this is a use-after-free.

Fix the problem by using PR_VNET to decide whether the jail's VNET is to
be destroyed, rather than dereferencing the parent jail pointer. Set it
earlier so that a subsequent failure in kern_jail_set() cleans up the
nascent VNET.

Reviewed by: zlei (previous version), jamie
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D47992