vmm: Fix a resource leak in an error path

vmmdev_create() increments the VM count as its last step and calls
vmmdev_destroy() if it fails.  However, vmmdev_destroy() unconditionally
decrements the count.

Correct this bug by reordering operations.

Fixes:		1092ec8b33 ("kern: Introduce RLIMIT_VMM")
Reviewed by:	bnovkov
Differential Revision:	https://reviews.freebsd.org/D55068
Mark Johnston
2026-02-03 19:09:28 +00:00
parent 6ea242cc30
commit 8cfa6ddcee
+6 -6
@@ -990,9 +990,15 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred)
return (EEXIST);
}
if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) {
sx_xunlock(&vmmdev_mtx);
return (ENOMEM);
}
error = vm_create(name, &vm);
if (error != 0) {
sx_xunlock(&vmmdev_mtx);
(void)chgvmmcnt(cred->cr_ruidinfo, -1, 0);
return (error);
}
sc = vmmdev_alloc(vm, cred);
@@ -1015,12 +1021,6 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred)
vmmdev_destroy(sc);
return (error);
}
if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) {
sx_xunlock(&vmmdev_mtx);
destroy_dev(cdev);
vmmdev_destroy(sc);
return (ENOMEM);
}
sc->cdev = cdev;
sx_xunlock(&vmmdev_mtx);
return (0);
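Review bot: Nothing in the new code states who owns the RLIMIT_VMM charge once `chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)` has succeeded in the first hunk, yet the fix depends on that rule: the `vm_create()` failure path undoes the charge by hand, while the later error path relies on `vmmdev_destroy()` to decrement. I would add a comment above the charge, e.g. `/* Charge the VM count first; once vmmdev_alloc() has run, the matching decrement belongs to vmmdev_destroy(). */`, so an early return added later between the two calls does not unbalance the count. The counter appears to enforce a per-user limit, so an extra decrement would presumably let a user exceed it and a missing one would wrongly deny VM creation. The hunks do not show which uidinfo `vmmdev_destroy()` decrements, so it is worth confirming that it is the same `cr_ruidinfo` charged here. The body of vmmdev_create() starts and ends outside both hunks.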