vmm: Fix a resource leak in an error path
vmmdev_create() increments the VM count as its last step and calls
vmmdev_destroy() if it fails. However, vmmdev_destroy() unconditionally
decrements the count.
Correct this bug by reordering operations.
Fixes: 1092ec8b33 ("kern: Introduce RLIMIT_VMM")
Reviewed by: bnovkov
Differential Revision: https://reviews.freebsd.org/D55068
This commit is contained in:
@@ -990,9 +990,15 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred)
|
||||
return (EEXIST);
|
||||
}
|
||||
|
||||
if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) {
|
||||
sx_xunlock(&vmmdev_mtx);
|
||||
return (ENOMEM);
|
||||
}
|
||||
|
||||
error = vm_create(name, &vm);
|
||||
if (error != 0) {
|
||||
sx_xunlock(&vmmdev_mtx);
|
||||
(void)chgvmmcnt(cred->cr_ruidinfo, -1, 0);
|
||||
return (error);
|
||||
}
|
||||
sc = vmmdev_alloc(vm, cred);
|
||||
@@ -1015,12 +1021,6 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred)
|
||||
vmmdev_destroy(sc);
|
||||
return (error);
|
||||
}
|
||||
if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) {
|
||||
sx_xunlock(&vmmdev_mtx);
|
||||
destroy_dev(cdev);
|
||||
vmmdev_destroy(sc);
|
||||
return (ENOMEM);
|
||||
}
|
||||
sc->cdev = cdev;
|
||||
sx_xunlock(&vmmdev_mtx);
|
||||
return (0);
|
||||
|
||||
Reference in New Issue
Block a user