diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2026-02-03 19:09:28 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2026-02-03 19:09:28 +0000 |
| commit | 8cfa6ddcee021adaf9515286e25dd0c961adf8a4 (patch) | |
| tree | ec4adc11dfebea71284e2eb8fd6ac7cca2142053 | |
| parent | 6ea242cc305b7ec5b44488c9f04d413ebbf0b731 (diff) | |
vmm: Fix a resource leak in an error path
vmmdev_create() increments the VM count as its last step and calls
vmmdev_destroy() if it fails. However, vmmdev_destroy() unconditionally
decrements the count.
Correct this bug by reordering operations.
Fixes: 1092ec8b3375 ("kern: Introduce RLIMIT_VMM")
Reviewed by: bnovkov
Differential Revision: https://reviews.freebsd.org/D55068
| -rw-r--r-- | sys/dev/vmm/vmm_dev.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/sys/dev/vmm/vmm_dev.c b/sys/dev/vmm/vmm_dev.c index fa51dc950459..ad3cc5725f9c 100644 --- a/sys/dev/vmm/vmm_dev.c +++ b/sys/dev/vmm/vmm_dev.c @@ -990,9 +990,15 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred) return (EEXIST); } + if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) { + sx_xunlock(&vmmdev_mtx); + return (ENOMEM); + } + error = vm_create(name, &vm); if (error != 0) { sx_xunlock(&vmmdev_mtx); + (void)chgvmmcnt(cred->cr_ruidinfo, -1, 0); return (error); } sc = vmmdev_alloc(vm, cred); @@ -1015,12 +1021,6 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred) vmmdev_destroy(sc); return (error); } - if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) { - sx_xunlock(&vmmdev_mtx); - destroy_dev(cdev); - vmmdev_destroy(sc); - return (ENOMEM); - } sc->cdev = cdev; sx_xunlock(&vmmdev_mtx); return (0); |