Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 03 Feb 2026 19:16:15 +0000
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 8cfa6ddcee02 - main - vmm: Fix a resource leak in an error path
Message-ID:  <6982497f.33420.536840f1@gitrepo.freebsd.org>
index | next in thread | raw e-mail 

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8cfa6ddcee021adaf9515286e25dd0c961adf8a4

commit 8cfa6ddcee021adaf9515286e25dd0c961adf8a4
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-02-03 19:09:28 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-02-03 19:09:28 +0000

    vmm: Fix a resource leak in an error path
    
    vmmdev_create() increments the VM count as its last step and calls
    vmmdev_destroy() if it fails.  However, vmmdev_destroy() unconditionally
    decrements the count.
    
    Correct this bug by reordering operations.
    
    Fixes:          1092ec8b3375 ("kern: Introduce RLIMIT_VMM")
    Reviewed by:    bnovkov
    Differential Revision:  https://reviews.freebsd.org/D55068
---
 sys/dev/vmm/vmm_dev.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/sys/dev/vmm/vmm_dev.c b/sys/dev/vmm/vmm_dev.c
index fa51dc950459..ad3cc5725f9c 100644
--- a/sys/dev/vmm/vmm_dev.c
+++ b/sys/dev/vmm/vmm_dev.c
@@ -990,9 +990,15 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred)
 		return (EEXIST);
 	}
 
+	if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) {
+		sx_xunlock(&vmmdev_mtx);
+		return (ENOMEM);
+	}
+
 	error = vm_create(name, &vm);
 	if (error != 0) {
 		sx_xunlock(&vmmdev_mtx);
+		(void)chgvmmcnt(cred->cr_ruidinfo, -1, 0);
 		return (error);
 	}
 	sc = vmmdev_alloc(vm, cred);
@@ -1015,12 +1021,6 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred)
 		vmmdev_destroy(sc);
 		return (error);
 	}
-	if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) {
-		sx_xunlock(&vmmdev_mtx);
-		destroy_dev(cdev);
-		vmmdev_destroy(sc);
-		return (ENOMEM);
-	}
 	sc->cdev = cdev;
 	sx_xunlock(&vmmdev_mtx);
 	return (0);
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6982497f.33420.536840f1>