If 'vm->def->sec->sectype' would be invalid; which is currently not
possible; we'd not unlock the domain object. Fix the logic even when the
bug currently can't happen.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu_driver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index a5122d0cd6..45bb3c09aa 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -19056,7 +19056,7 @@ qemuDomainGetLaunchSecurityInfo(virDomainPtr domain,
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
         virReportEnumRangeError(virDomainLaunchSecurity, vm->def->sec->sectype);
-        return -1;
+        goto cleanup;
     }

     ret = 0;
-- 
2.48.1

On 3/11/25 12:59, Peter Krempa wrote:
> If 'vm->def->sec->sectype' would be invalid; which is currently not
> possible; we'd not unlock the domain object. Fix the logic even when the
> bug currently can't happen.
> 
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>  src/qemu/qemu_driver.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> index a5122d0cd6..45bb3c09aa 100644
> --- a/src/qemu/qemu_driver.c
> +++ b/src/qemu/qemu_driver.c
> @@ -19056,7 +19056,7 @@ qemuDomainGetLaunchSecurityInfo(virDomainPtr domain,
>      case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
>      case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
>          virReportEnumRangeError(virDomainLaunchSecurity, vm->def->sec->sectype);
> -        return -1;
> +        goto cleanup;

Ooops, looking at the commit that introduced this (no need to run git
blame O;-)), there's another problem like this in
virSecurityDACRestoreAllLabel(). But that function has some other issues
too, so I'll post a patch shortly.

Michal