From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 02/17] qemuSnapshotRedefine: Fix use of snapshot definition after free
Date: Wed, 12 Jan 2022 19:10:02 +0100
Message-Id: <112a9482d13f276c46998cc06f52d40c6757744c.1642010887.git.pkrempa@redhat.com>

Commit f4aae9726df factored out the snapshot redefinition code into a
separate function, but didn't account for the fact that the code is
consuming the reference to the snapshot definition, and by moving the
code away the caller (qemuSnapshotCreateXML) now frees the definition,
which didn't happen before as we cleared the pointer.

Fix it by increasing the reference locally. Later patches will refactor
the code so that it's more obvious what's happening.

Fixes: f4aae9726df
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2039651
Signed-off-by: Peter Krempa
---
 src/qemu/qemu_snapshot.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_snapshot.c b/src/qemu/qemu_snapshot.c
index 624ace0314..f92e00f9c0 100644
--- a/src/qemu/qemu_snapshot.c
+++ b/src/qemu/qemu_snapshot.c
@@ -1709,13 +1709,14 @@ qemuSnapshotCreateWriteMetadata(virDomainObj *vm, static virDomainSnapshotPtr qemuSnapshotRedefine(virDomainObj *vm, virDomainPtr domain, - virDomainSnapshotDef *snapdef, + virDomainSnapshotDef *snapdeftmp, virQEMUDriver *driver, virQEMUDriverConfig *cfg, unsigned int flags) { virDomainMomentObj *snap =3D NULL; virDomainSnapshotPtr ret =3D NULL; + g_autoptr(virDomainSnapshotDef) snapdef =3D virObjectRef(snapdeftmp); if (virDomainSnapshotRedefinePrep(vm, &snapdef, &snap, driver->xmlopt, @@ -1725,6 +1726,7 @@ qemuSnapshotRedefine(virDomainObj *vm, if (!snap) { if (!(snap =3D virDomainSnapshotAssignDef(vm->snapshots, snapdef))) return NULL; + snapdef =3D NULL; } /* XXX Should we validate that the redefined snapshot even * makes sense, such as checking that qemu-img recognizes the --=20 2.31.1
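Review bot: In the first hunk, the new g_autoptr local `snapdef` (initialised from `virObjectRef(snapdeftmp)`) is immediately handed to `virDomainSnapshotRedefinePrep(vm, &snapdef, ...)` by address, so whatever that function does to `*snapdef` (replacing it with another definition, or clearing it) changes which object the autoptr cleanup unrefs on return; the hunk does not show that contract, so it is worth confirming that the reference taken here is the one the cleanup releases on every path, and a one-line comment at the `virObjectRef` line saying the local ref exists so this function owns a reference it can hand to `virDomainSnapshotAssignDef` would make the intent clear. As a style point, renaming the parameter to `snapdeftmp` so the ref'd copy can keep the old name reads oddly; keeping the parameter as `snapdef` and naming the owned copy (for example `snapdefref`) would avoid the "tmp" suffix on a function argument.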
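Review bot: In the second hunk, `snapdef = NULL;` after a successful `virDomainSnapshotAssignDef(vm->snapshots, snapdef)` is the ownership transfer that stops the autoptr from unreffing a definition now stored in `vm->snapshots`, and on the `return NULL` failure path the autoptr correctly drops the local reference instead; that is fine, but the combination of g_autoptr plus a manual NULL is easy to misread as a leak or a double free, so please add a short comment such as "reference now owned by vm->snapshots" next to the assignment. Note that `g_steal_pointer(&snapdef)` in the call is not a drop-in alternative here, since on failure the stolen reference would not be released. The branch where `snap` is already non-NULL after `virDomainSnapshotRedefinePrep` is not visible in the hunk, so it is also worth a sentence in the commit message stating what happens to the local reference there.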