From 59e0d130fed50a9833a32654171fc71d7337a6f2 Mon Sep 17 00:00:00 2001
From: Peter Krempa
Date: Wed, 12 Jan 2022 10:31:59 +0100
Subject: [PATCH] qemuSnapshotRedefine: Fix use of snapshot definition after free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit f4aae9726df factored out the snapshot redefinition code into a separate function, but didn't account for the fact that the code is consuming the reference to the snapshot definition and by moving the code away the caller (qemuSnapshotCreateXML) now frees the definition which didn't happen before as we cleared the pointer.

Fix it by increasing the reference locally. Later patches will refactor the code so that it's more obvious what's happening.

Fixes: f4aae9726df
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2039651
Signed-off-by: Peter Krempa
Reviewed-by: Ján Tomko
---
 src/qemu/qemu_snapshot.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_snapshot.c b/src/qemu/qemu_snapshot.c
index 624ace0314..f92e00f9c0 100644
--- a/src/qemu/qemu_snapshot.c
+++ b/src/qemu/qemu_snapshot.c
@@ -1709,13 +1709,14 @@ qemuSnapshotCreateWriteMetadata(virDomainObj *vm,
 static virDomainSnapshotPtr
 qemuSnapshotRedefine(virDomainObj *vm,
                      virDomainPtr domain,
-                     virDomainSnapshotDef *snapdef,
+                     virDomainSnapshotDef *snapdeftmp,
                      virQEMUDriver *driver,
                      virQEMUDriverConfig *cfg,
                      unsigned int flags)
 {
     virDomainMomentObj *snap = NULL;
     virDomainSnapshotPtr ret = NULL;
+    g_autoptr(virDomainSnapshotDef) snapdef = virObjectRef(snapdeftmp);
 
     if (virDomainSnapshotRedefinePrep(vm, &snapdef, &snap,
                                       driver->xmlopt,
@@ -1725,6 +1726,7 @@ qemuSnapshotRedefine(virDomainObj *vm,
     if (!snap) {
         if (!(snap = virDomainSnapshotAssignDef(vm->snapshots, snapdef)))
             return NULL;
+        snapdef = NULL;
     }
 
     /* XXX Should we validate that the redefined snapshot even
      * makes sense, such as checking that qemu-img recognizes the
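Review bot: The reference taken by `virObjectRef(snapdeftmp)` changes hands without a word of explanation, so the only clue that `virDomainSnapshotAssignDef` consumed it is the added `snapdef = NULL;` in the second hunk, and a reader who removes that line reintroduces a double unref. A comment on the new declaration would make the ownership explicit, e.g. `/* own reference: consumed by AssignDef (and by Prep when it takes over the def); caller keeps snapdeftmp */`. Whether virDomainSnapshotRedefinePrep also clears `snapdef` when it replaces an existing definition is not visible here (the call and its return check continue past the first hunk), so that half of the comment should be confirmed against the helper before it is written as fact. qemuSnapshotRedefine's body continues outside both hunks.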