To: devel@lists.libvirt.org
Subject: [PATCH 1/2] qemuDomainAttachDeviceDiskLive: Remove 'disk' variable
Date: Fri, 6 Mar 2026 08:16:49 +0100
From: Peter Krempa

Remove the extra temporary variable to make the changes in the next patch more obvious.
Signed-off-by: Peter Krempa Reviewed-by: Michal Privoznik --- src/qemu/qemu_hotplug.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index b3f2a173a8..6235f6c27c 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c 
@@ -1134,20 +1134,19 @@ qemuDomainAttachDeviceDiskLive(virQEMUDriver *drive= r, virDomainObj *vm, virDomainDeviceDef *dev) { - virDomainDiskDef *disk =3D dev->data.disk; virDomainDiskDef *orig_disk =3D NULL; /* this API overloads media change semantics on disk hotplug * for devices supporting media changes */ - if ((disk->device =3D=3D VIR_DOMAIN_DISK_DEVICE_CDROM || - disk->device =3D=3D VIR_DOMAIN_DISK_DEVICE_FLOPPY) && - (orig_disk =3D virDomainDiskByTarget(vm->def, disk->dst))) { + if ((dev->data.disk->device =3D=3D VIR_DOMAIN_DISK_DEVICE_CDROM || + dev->data.disk->device =3D=3D VIR_DOMAIN_DISK_DEVICE_FLOPPY) && + (orig_disk =3D virDomainDiskByTarget(vm->def, dev->data.disk->dst)= )) { if (qemuDomainChangeEjectableMedia(driver, vm, orig_disk, - disk->src, false) < 0) + dev->data.disk->src, false) < 0) return -1; - disk->src =3D NULL; - virDomainDiskDefFree(disk); + dev->data.disk->src =3D NULL; + virDomainDiskDefFree(dev->data.disk); return 0; } --=20 2.53.0

To: devel@lists.libvirt.org
Subject: [PATCH 2/2] qemu: hotplug: Don't access disk definititon after it was freed after media change
Date: Fri, 6 Mar 2026 08:16:50 +0100
From: Peter Krempa

A special case in qemuDomainAttachDeviceDiskLive causes disk media to be changed. This code has different semantics than the real hotplug code where the hotplugged device definition is absorbed into the domain definition and thus the pointer is still valid. On media change we just use the disk source and discard everything else from the disk definition.

Later in qemuDomainAttachDeviceLive we then attempt to extract the alias of the attached device for emitting an event. Since in case of media change the main definition was freed this causes a use-after-free on the disk data pointer.

To address this the media change code will clear the disk definition pointer from the device wrapper and the caller will extract the device alias only when the disk definition pointer is non-NULL. The semantics of the event will not change because the device alias wouldn't be assigned for the media change code at all.

The use-after-free is observable via valgrind when attempting a media change via 'virsh attach-device', as otherwise in most cases it doesn't cause any ill effect as only the pointer to a NULL string is accessed:

    ==2763495== Invalid read of size 8
    ==2763495==    at 0xEA4102A: qemuDomainAttachDeviceLive (qemu_hotplug.c:3455)
    ==2763495==    by 0xEA28ECD: qemuDomainAttachDeviceLiveAndConfig (qemu_driver.c:7408)
    ==2763495==    by 0xEA28ECD: qemuDomainAttachDeviceFlags (qemu_driver.c:7456)
    ==2763495==    by 0x4BC5BE6: virDomainAttachDevice (libvirt-domain.c:8951)
    ==2763495==    by 0x402579D: remoteDispatchDomainAttachDevice (remote_daemon_dispatch_stubs.h:3763)
    [snip]
    ==2763495==  Address 0x6df57c8 is 360 bytes inside a block of size 608 free'd
    ==2763495==    at 0x48F7E43: free (vg_replace_malloc.c:990)
    ==2763495==    by 0x4EC7EC4: g_free (in /usr/lib64/libglib-2.0.so.0.8600.3)
    ==2763495==    by 0xEA4101E: qemuDomainAttachDeviceDiskLive (qemu_hotplug.c:1150)
    ==2763495==    by 0xEA4101E: qemuDomainAttachDeviceLive (qemu_hotplug.c:3453)
    ==2763495==    by 0xEA28ECD: qemuDomainAttachDeviceLiveAndConfig (qemu_driver.c:7408)
    ==2763495==    by 0xEA28ECD: qemuDomainAttachDeviceFlags (qemu_driver.c:7456)
    ==2763495==    by 0x4BC5BE6: virDomainAttachDevice (libvirt-domain.c:8951)
    [snip]

Closes: https://gitlab.com/libvirt/libvirt/-/issues/859
Signed-off-by: Peter Krempa
Reviewed-by: Michal Privoznik
--- src/qemu/qemu_hotplug.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 6235f6c27c..df4bb49af7 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1146,7 +1146,7 @@ qemuDomainAttachDeviceDiskLive(virQEMUDriver *driver, return -1; dev->data.disk->src =3D NULL; - virDomainDiskDefFree(dev->data.disk); + g_clear_pointer(&dev->data.disk, virDomainDiskDefFree); return 0; } @@ -3450,7 +3450,7 @@ qemuDomainAttachDeviceLive(virDomainObj *vm, case VIR_DOMAIN_DEVICE_DISK: qemuDomainObjCheckDiskTaint(driver, vm, dev->data.disk, NULL); ret =3D qemuDomainAttachDeviceDiskLive(driver, vm, dev); - if (!ret) { + if (ret =3D=3D 0 && dev->data.disk) { alias =3D dev->data.disk->info.alias; dev->data.disk =3D NULL; } --=20 2.53.0
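
Review bot: in 1/2, the media-change branch of qemuDomainAttachDeviceDiskLive() still ends with 'virDomainDiskDefFree(dev->data.disk); return 0;', so with the local 'disk' gone it is now plain that the pointer just freed is the caller's 'dev->data.disk', and that it is left dangling on a successful return. The code needs no change here since 2/2 deals with it, but the commit message would be clearer if it said that this patch is a refactor with no functional change and that the dangling pointer is handled in the next patch, so that 1/2 is not picked up alone in the expectation of a fix.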
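
Review bot: in 2/2, first hunk, 'g_clear_pointer(&dev->data.disk, virDomainDiskDefFree);' makes qemuDomainAttachDeviceDiskLive() modify its 'dev' argument on the media-change path, and nothing in the visible lines tells a caller that a return of 0 can now leave 'dev->data.disk' NULL. Please state the ownership contract in a comment, for instance next to the existing 'this API overloads media change semantics' comment: on success the disk definition is either absorbed into the domain definition with the pointer still valid, or freed and cleared here. It is also worth confirming that no other caller dereferences 'dev->data.disk' after a 0 return without the same NULL check.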
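
Review bot: in 2/2, second hunk, the new condition 'if (ret == 0 && dev->data.disk)' in qemuDomainAttachDeviceLive() reads like a defensive NULL check, while it is really the signal from the callee that the request was handled as a media change. A one-line comment above it saying that a NULL 'dev->data.disk' after success means media change, and that no alias is extracted for the event in that case, would keep the condition from being simplified back to 'if (!ret)' later and reintroducing the read of freed memory shown in the valgrind trace.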