aboutsummaryrefslogtreecommitdiff
path: root/savevm.c
diff options
context:
space:
mode:
authorChris Spiegel <chris.spiegel@cypherpath.com>2014-10-06 09:33:45 -0700
committerStefan Hajnoczi <stefanha@redhat.com>2014-11-03 09:48:41 +0000
commitba2b22888c43fdf36f3ae0553c89013616e9c44a (patch)
tree26339a068f56bc5e24fbd3b66f314295270a9f4a /savevm.c
parent54a7f8f38ddf4711ee8bf773b5066337b045a343 (diff)
downloadqemu-arm-ba2b22888c43fdf36f3ae0553c89013616e9c44a.tar.gz
snapshot: Reset err to NULL to avoid double free
If an error occurs in bdrv_snapshot_delete_by_id_or_name(), "err" is freed. If "err" is not set to NULL before calling bdrv_snapshot_delete_by_id_or_name() again, it will not be updated on error, and will be freed again. This can be triggered by starting a VM with at least two drives and then attempting to delete a non-existent snapshot. Broken in commit a89d89d. Signed-off-by: Chris Spiegel <chris.spiegel@cypherpath.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-id: 1412613225-32676-1-git-send-email-chris.spiegel@cypherpath.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Diffstat (limited to 'savevm.c')
-rw-r--r--savevm.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/savevm.c b/savevm.c
index 2d8eb960bb..08ec678ddc 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1246,7 +1246,7 @@ int load_vmstate(const char *name)
void do_delvm(Monitor *mon, const QDict *qdict)
{
BlockDriverState *bs;
- Error *err = NULL;
+ Error *err;
const char *name = qdict_get_str(qdict, "name");
if (!find_vmstate_bs()) {
@@ -1257,6 +1257,7 @@ void do_delvm(Monitor *mon, const QDict *qdict)
bs = NULL;
while ((bs = bdrv_next(bs))) {
if (bdrv_can_snapshot(bs)) {
+ err = NULL;
bdrv_snapshot_delete_by_id_or_name(bs, name, &err);
if (err) {
monitor_printf(mon,