On 10/18/2018 03:45 AM, Eric Blake wrote:
> If qemuDomainSnapshotDiscard() fails for any reason (rare,
> but possible with an ill-timed ENOMEM or if
> qemuDomainSnapshotForEachQcow2() has problems talking to the
> qemu guest monitor), then an attempt to retry the snapshot
> deletion API will crash because we didn't undo the effects
> of virDomainSnapshotDropParent() temporarily rearranging the
> internal list structures, and the second attempt to drop
> parents will dereference NULL. Fix it by instead noting that
> there are only two callers to qemuDomainSnapshotDiscard(),
> and only one of the two callers wants the parent to be updated;
> thus we can move the call to virDomainSnapshotDropParent()
> into a code path that only gets executed on success.
>
> Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
>
> ---
> v2: avoid use-after-free
> ---
>  src/qemu/qemu_domain.c | 6 ++++--
>  src/qemu/qemu_driver.c | 1 -
>  2 files changed, 4 insertions(+), 3 deletions(-)

ACK

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
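
The ordering problem the commit message describes, as an added example: this is a simplified model written for illustration, not libvirt code and not part of the patch. `struct snap`, `drop_parent()`, `discard()` and the two `delete_*` functions are hypothetical stand-ins, and the `-2` guard takes the place of the NULL dereference so the program runs to completion.

```c
#include <stddef.h>

/* Simplified snapshot tree node (assumed layout, not libvirt's struct). */
struct snap { struct snap *parent, *first_child, *sibling; };

/* Unlink s from its parent's child list; requires s->parent != NULL. */
static void drop_parent(struct snap *s)
{
    struct snap **link = &s->parent->first_child;
    while (*link && *link != s)
        link = &(*link)->sibling;
    if (*link)
        *link = s->sibling;
    s->parent = NULL;
    s->sibling = NULL;
}

/* Stand-in for the discard step that can fail (ENOMEM, monitor error). */
static int discard(int fail)
{
    return fail ? -1 : 0;
}

/* Broken ordering: the tree is rearranged before discard can fail. */
static int delete_unlink_first(struct snap *s, int fail)
{
    if (!s->parent)
        return -2;  /* demo guard: without it, drop_parent() dereferences NULL */
    drop_parent(s);
    return discard(fail);
}

/* Fixed ordering: the tree is only touched on the success path. */
static int delete_unlink_on_success(struct snap *s, int fail)
{
    if (discard(fail) < 0)
        return -1;
    drop_parent(s);
    return 0;
}

int main(void)
{
    struct snap root = {0}, a = {0}, b = {0};
    root.first_child = &a; a.parent = &root; a.sibling = &b; b.parent = &root;
    int bad = delete_unlink_first(&a, 1) == -1 && delete_unlink_first(&a, 0) == -2;
    int good = delete_unlink_on_success(&b, 1) == -1 && delete_unlink_on_success(&b, 0) == 0;
    return !(bad && good);
}
```

In the broken ordering the failed first call leaves the node orphaned, so the retry reaches the unlink step with no parent; in the fixed ordering the failed call leaves the tree untouched and the retry succeeds.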