From: Daniel P. Berrangé Date: Tue, 9 Sep 2025 09:26:20 +0000 (+0100) Subject: conf: clear the acpiNodeset field after freeing X-Git-Tag: v11.8.0-rc1~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7afc0388b824c928a3b017ceb44615c54abe4ab5;p=thirdparty%2Flibvirt.git conf: clear the acpiNodeset field after freeing The virDomainDeviceInfoClear method does not free the struct, only its contents, so all pointer fields must be explicitly set to NULL after releasing to avoid disk of double-free. Reported by coverity: *** CID 895678: Memory - corruptions (USE_AFTER_FREE) /src/conf/domain_conf.c: 5926 in virDomainDeviceInfoParseXML() 5920 goto cleanup; 5921 5922 5923 ret = 0; 5924 cleanup: 5925 if (ret < 0) >>> CID 895678: Memory - corruptions (USE_AFTER_FREE) >>> Calling "virDomainDeviceInfoClear" frees pointer "info->acpiNodeset" which has already been freed. 5926 virDomainDeviceInfoClear(info); 5927 return ret; 5928 } 5929 5930 static int 5931 virDomainHostdevSubsysUSBDefParseXML(xmlNodePtr node, Reviewed-by: Peter Krempa Signed-off-by: Daniel P. Berrangé
---
diff --git a/src/conf/device_conf.c b/src/conf/device_conf.c
index d08de68717..c278b81652 100644
--- a/src/conf/device_conf.c
+++ b/src/conf/device_conf.c
@@ -137,7 +137,7 @@ virDomainDeviceInfoClear(virDomainDeviceInfo *info)
 info->type = VIR_DOMAIN_DEVICE_ADDRESS_TYPE_NONE;
 VIR_FREE(info->romfile);
 VIR_FREE(info->loadparm);
- virBitmapFree(info->acpiNodeset);
+ g_clear_pointer(&info->acpiNodeset, virBitmapFree);
 info->isolationGroup = 0;
 info->isolationGroupLocked = false;
 }
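Review bot: The invariant this fix relies on is not written down at the `g_clear_pointer` line or anywhere else in the hunk: virDomainDeviceInfoClear() must leave every pointer member NULL so that a second call on the same struct is harmless. Without that, the next pointer field added to the struct could reintroduce the double free Coverity reported on the virDomainDeviceInfoParseXML() cleanup path. A short comment above the changed line would pin it, for example `/* Clear can run more than once on the same struct; every pointer member must end up NULL. */`. The neighbouring `VIR_FREE` calls already reset their pointers in libvirt, but the function starts above the hunk, so members released before line 137 should be checked for the same pattern.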