From 4f8bbd141e9ba1719daebf61d6ef940e51d427fa Mon Sep 17 00:00:00 2001
From: Tuur Martens
Date: Tue, 17 May 2022 12:06:28 +0200
Subject: [PATCH] [NTOS:MM] Fix memory leak in MiMapViewOfDataSection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If inserting the allocated VAD fails, MiMapViewOfDataSection will make no attempt to free the allocated VAD. Nor will it call MiDereferenceControlArea(ControlArea); like other failure return paths. This commit fixes this behavior.
Co-authored-by: Hermès BÉLUSCA - MAÏTO
---
 ntoskrnl/mm/ARM3/section.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/ntoskrnl/mm/ARM3/section.c b/ntoskrnl/mm/ARM3/section.c
index 40d942f7703..ad20d01e093 100644
--- a/ntoskrnl/mm/ARM3/section.c
+++ b/ntoskrnl/mm/ARM3/section.c
@@ -1494,6 +1494,11 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea,
 if (!NT_SUCCESS(Status))
 {
 ExFreePoolWithTag(Vad, 'ldaV');
+ MiDereferenceControlArea(ControlArea);
+
+ KeAcquireGuardedMutex(&MmSectionCommitMutex);
+ Segment->NumberOfCommittedPages -= QuotaCharge;
+ KeReleaseGuardedMutex(&MmSectionCommitMutex);
 return Status;
 }
@@ -1506,6 +1511,13 @@ MiMapViewOfDataSection(IN PCONTROL_AREA ControlArea,
 AllocationType);
 if (!NT_SUCCESS(Status))
 {
+ ExFreePoolWithTag(Vad, 'ldaV');
+ MiDereferenceControlArea(ControlArea);
+
+ KeAcquireGuardedMutex(&MmSectionCommitMutex);
+ Segment->NumberOfCommittedPages -= QuotaCharge;
+ KeReleaseGuardedMutex(&MmSectionCommitMutex);
+ PsReturnProcessNonPagedPoolQuota(PsGetCurrentProcess(), sizeof(MMVAD_LONG));
 return Status;
 }
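Review bot: In the added cleanup, `MiDereferenceControlArea(ControlArea);` runs before `Segment->NumberOfCommittedPages -= QuotaCharge;`, so the commit counter is written after this path has given up its reference on the control area. If `Segment` belongs to that control area (its assignment is outside the hunk) and nothing else is guaranteed to hold a reference here, the write could land in memory that has already been torn down. Undoing the charge first and making `MiDereferenceControlArea(ControlArea);` the last release before `return Status;` avoids depending on that guarantee. The failure path in the `@@ -1506,6 +1511,13 @@` hunk uses the same order; the function body starts and ends outside both hunks.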
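Review bot: The rollback in this failure path repeats the sequence added in the `@@ -1494,6 +1494,11 @@` hunk line for line, and the two copies have to stay in step with whatever the function acquires before each check. A missed release in exactly this kind of path is what the commit fixes, so a single cleanup label reached by `goto` from both checks would be less likely to drift. It is also not visible here where `QuotaCharge` is added to `Segment->NumberOfCommittedPages`; if that happens only later or conditionally, the unconditional `-=` would underflow the counter, so a comment such as `/* Undo the commit charge taken above */` at the subtraction, naming the place where the charge is taken, would help. The function body starts and ends outside the hunk.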