From: Dave Voutila
Subject: fix vcpu leak in vmm(4) vm_create
To: tech@openbsd.org
Cc: mlarkin@openbsd.org
Date: Sun, 26 Oct 2025 13:15:19 -0400
Since the vcpu isn't attached to the list, it never gets returned to the pool. If vcpu_init() fails, it handles cleaning up any allocated memory and state in the vcpu object, so there's no need to call vcpu_deinit(). ok? -dv
diff a7edf25a2cbd9b978653b6181daa4d24dae9d3ba c1e59316ede7ec393e35134268a96a83f3449d4d
commit - a7edf25a2cbd9b978653b6181daa4d24dae9d3ba
commit + c1e59316ede7ec393e35134268a96a83f3449d4d
blob - 237ae3cfbfa3ad64acc8a13fe788965d3776ae75
blob + 53618f43451d6c2182eace1a08d40939c455e701
--- sys/dev/vmm/vmm.c
+++ sys/dev/vmm/vmm.c
@@ -452,16 +452,17 @@ vm_create(struct vm_create_params *vcp, struct proc *p
 for (i = 0; i < vcp->vcp_ncpus; i++) {
 vcpu = pool_get(&vcpu_pool, PR_WAITOK | PR_ZERO);
 vcpu->vc_parent = vm;
 vcpu->vc_id = vm->vm_vcpu_ct;
 vm->vm_vcpu_ct++;
 if ((ret = vcpu_init(vcpu, vcp)) != 0) {
 printf("failed to init vcpu %d for vm %p\n", i, vm);
+ pool_put(&vcpu_pool, vcpu);
 vm_teardown(&vm);
 return (ret);
 }
 /* Publish vcpu to list, inheriting the reference. */
 SLIST_INSERT_HEAD(&vm->vm_vcpu_list, vcpu, vc_vcpu_link);
 }
 /* Attempt to register the vm now that it's configured. */
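Review bot: The added `pool_put(&vcpu_pool, vcpu);` in the `vcpu_init()` failure branch depends on two ownership invariants that are stated only in the commit message: the vcpu is not yet on `vm_vcpu_list`, and a failed `vcpu_init()` has already released everything it allocated. A comment above the call would keep a later edit from adding `vcpu_deinit()` here, or from moving the list insertion ahead of init, either of which would presumably turn this leak fix into a double free, e.g. `/* Not on vm_vcpu_list yet, so vm_teardown() cannot free it; vcpu_init() cleans up after itself on failure. */`. It is also worth confirming, since `vm_teardown()` is outside this hunk, that nothing there relies on `vm->vm_vcpu_ct`: it was incremented before the failed init and now counts a vcpu that has been returned to the pool. `vm_create()` starts and ends outside the hunk.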