The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=8cfa6ddcee021adaf9515286e25dd0c961adf8a4
commit 8cfa6ddcee021adaf9515286e25dd0c961adf8a4 Author: Mark Johnston <[email protected]> AuthorDate: 2026-02-03 19:09:28 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2026-02-03 19:09:28 +0000 vmm: Fix a resource leak in an error path vmmdev_create() increments the VM count as its last step and calls vmmdev_destroy() if it fails. However, vmmdev_destroy() unconditionally decrements the count. Correct this bug by reordering operations. Fixes: 1092ec8b3375 ("kern: Introduce RLIMIT_VMM") Reviewed by: bnovkov Differential Revision: https://reviews.freebsd.org/D55068 --- sys/dev/vmm/vmm_dev.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/sys/dev/vmm/vmm_dev.c b/sys/dev/vmm/vmm_dev.c index fa51dc950459..ad3cc5725f9c 100644 --- a/sys/dev/vmm/vmm_dev.c +++ b/sys/dev/vmm/vmm_dev.c @@ -990,9 +990,15 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred) return (EEXIST); } + if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) { + sx_xunlock(&vmmdev_mtx); + return (ENOMEM); + } + error = vm_create(name, &vm); if (error != 0) { sx_xunlock(&vmmdev_mtx); + (void)chgvmmcnt(cred->cr_ruidinfo, -1, 0); return (error); } sc = vmmdev_alloc(vm, cred); @@ -1015,12 +1021,6 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred) vmmdev_destroy(sc); return (error); } - if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) { - sx_xunlock(&vmmdev_mtx); - destroy_dev(cdev); - vmmdev_destroy(sc); - return (ENOMEM); - } sc->cdev = cdev; sx_xunlock(&vmmdev_mtx); return (0);
