vmspawn: null freed fields and drain subscribers before bridge teardown

vmspawn_varlink_context_free() discarded the sd_varlink_server_unref()
and vmspawn_qmp_bridge_free() return values, leaving ctx->varlink_server
and ctx->bridge dangling. No current handler reads those fields, but use
the assign-back idiom so the fields are NULL during any synchronous
callback regardless of future changes.

Also drain subscribers before freeing the bridge, so subscriber teardown
can't run against a half-freed bridge.

Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Paul Meyer <katexochen0@gmail.com>

diff --git a/src/vmspawn/vmspawn-varlink.c b/src/vmspawn/vmspawn-varlink.c
index ebfdd878761bd0d0dd22acaca40fc29a5dfff259..57230c8e8f45d095396c7a3d952320b15b25e0f2 100644 (file)
--- a/src/vmspawn/vmspawn-varlink.c
+++ b/src/vmspawn/vmspawn-varlink.c
@@ -577,10 +577,11 @@ VmspawnVarlinkContext* vmspawn_varlink_context_free(VmspawnVarlinkContext *ctx)
         if (!ctx)
                 return NULL;
 
-        sd_varlink_server_unref(ctx->varlink_server);
-        vmspawn_qmp_bridge_free(ctx->bridge);
+        ctx->varlink_server = sd_varlink_server_unref(ctx->varlink_server);
 
         drain_event_subscribers(&ctx->subscribed);
 
+        ctx->bridge = vmspawn_qmp_bridge_free(ctx->bridge);
+
         return mfree(ctx);
 }