From ba2b22888c43fdf36f3ae0553c89013616e9c44a Mon Sep 17 00:00:00 2001
From: Chris Spiegel <chris.spiegel@cypherpath.com>
Date: Mon, 6 Oct 2014 09:33:45 -0700
Subject: snapshot: Reset err to NULL to avoid double free

If an error occurs in bdrv_snapshot_delete_by_id_or_name(), "err" is
freed.  If "err" is not set to NULL before calling
bdrv_snapshot_delete_by_id_or_name() again, it will not be updated on
error, and will be freed again.

This can be triggered by starting a VM with at least two drives and then
attempting to delete a non-existent snapshot.

Broken in commit a89d89d.

Signed-off-by: Chris Spiegel <chris.spiegel@cypherpath.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 1412613225-32676-1-git-send-email-chris.spiegel@cypherpath.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 savevm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/savevm.c b/savevm.c
index 2d8eb960bb..08ec678ddc 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1246,7 +1246,7 @@ int load_vmstate(const char *name)
 void do_delvm(Monitor *mon, const QDict *qdict)
 {
     BlockDriverState *bs;
-    Error *err = NULL;
+    Error *err;
     const char *name = qdict_get_str(qdict, "name");
 
     if (!find_vmstate_bs()) {
@@ -1257,6 +1257,7 @@ void do_delvm(Monitor *mon, const QDict *qdict)
     bs = NULL;
     while ((bs = bdrv_next(bs))) {
         if (bdrv_can_snapshot(bs)) {
+            err = NULL;
             bdrv_snapshot_delete_by_id_or_name(bs, name, &err);
             if (err) {
                 monitor_printf(mon,
-- 
cgit v1.2.1