From 70d75c22d700098dea39151b12bba9729bed0f67 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Kai=20L=C3=BCke?= Date: Sat, 25 Apr 2026 01:49:09 +0900 Subject: [PATCH] machine-register: don't unref borrowed varlink reply ASAN showed a use-after-free error for systemd-vmspawn's machine_register call because the reply got accessed and freed again through _cleanup. The same problem exists in two verb_machine_control_one/unregister_machine. Fix these call sites to not set up _cleanup. --- src/machine/machinectl.c | 2 +- src/shared/machine-register.c | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c index e8a30a89592..ae5473aa99d 100644 --- a/src/machine/machinectl.c +++ b/src/machine/machinectl.c @@ -1242,7 +1242,7 @@ static int verb_machine_control_one(const char *machine_name, const char *method if (r < 0) return log_error_errno(r, "Failed to connect to machine control socket: %m"); - _cleanup_(sd_json_variant_unrefp) sd_json_variant *reply = NULL; + sd_json_variant *reply = NULL; const char *error_id = NULL; r = sd_varlink_call(vl, method, /* parameters= */ NULL, &reply, &error_id); if (r < 0) diff --git a/src/shared/machine-register.c b/src/shared/machine-register.c index a161d1b0508..9637793fe54 100644 --- a/src/shared/machine-register.c +++ b/src/shared/machine-register.c @@ -170,8 +170,7 @@ int register_machine( } if (r < 0) return log_debug_errno(r, "Failed to connect to machined on %s: %m", strna(p)); - - _cleanup_(sd_json_variant_unrefp) sd_json_variant *reply = NULL; + sd_json_variant *reply = NULL; const char *error_id = NULL; r = sd_varlink_callbo( vl, @@ -306,7 +305,7 @@ int unregister_machine(sd_bus *bus, const char *machine_name, RuntimeScope scope if (r >= 0) r = sd_varlink_connect_address(&vl, p); if (r >= 0) { - _cleanup_(sd_json_variant_unrefp) sd_json_variant *reply = NULL; + sd_json_variant *reply = NULL; const char *error_id = NULL; r = sd_varlink_callbo( vl, -- 2.47.3