From: Paul Meyer Date: Sat, 13 Jun 2026 08:37:20 +0000 (+0200) Subject: vmspawn: null freed fields and drain subscribers before bridge teardown X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c90e57241138a2fbafe5b64a52287cbbea834ee0;p=thirdparty%2Fsystemd.git vmspawn: null freed fields and drain subscribers before bridge teardown vmspawn_varlink_context_free() discarded the sd_varlink_server_unref() and vmspawn_qmp_bridge_free() return values, leaving ctx->varlink_server and ctx->bridge dangling. No current handler reads those fields, but use the assign-back idiom so the fields are NULL during any synchronous callback regardless of future changes. Also drain subscribers before freeing the bridge, so subscriber teardown can't run against a half-freed bridge. Co-developed-by: Claude Opus 4.8 Signed-off-by: Paul Meyer --- diff --git a/src/vmspawn/vmspawn-varlink.c b/src/vmspawn/vmspawn-varlink.c index ebfdd878761..57230c8e8f4 100644 --- a/src/vmspawn/vmspawn-varlink.c +++ b/src/vmspawn/vmspawn-varlink.c @@ -577,10 +577,11 @@ VmspawnVarlinkContext* vmspawn_varlink_context_free(VmspawnVarlinkContext *ctx) if (!ctx) return NULL; - sd_varlink_server_unref(ctx->varlink_server); - vmspawn_qmp_bridge_free(ctx->bridge); + ctx->varlink_server = sd_varlink_server_unref(ctx->varlink_server); drain_event_subscribers(&ctx->subscribed); + ctx->bridge = vmspawn_qmp_bridge_free(ctx->bridge); + return mfree(ctx); }
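Review bot: In vmspawn_varlink_context_free(), the new requirement that `drain_event_subscribers(&ctx->subscribed);` runs before `ctx->bridge = vmspawn_qmp_bridge_free(ctx->bridge);` is stated only in the commit message, so a later cleanup could reorder the two calls without noticing. A one-line comment above the drain call saying that subscriber teardown must not run against a freed bridge would keep the constraint in the code. The same hunk leaves `ctx->varlink_server = sd_varlink_server_unref(ctx->varlink_server);` ahead of the drain, so ctx->varlink_server is already NULL while subscribers are torn down. The commit message says no current handler reads that field, but it does not say why the server is released first while the bridge is released last. If subscriber teardown does not depend on the server being released first, consider moving the unref below the drain so both fields follow the same "drain, then release" order. Otherwise the comment should say why the server has to go first.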