
On 4/8/19 1:35 PM, Roman Bogorodskiy wrote:
Eric Blake wrote:
Commit b647d2195 introduced a use-after-free situation when the caller is trying to delete a snapshot and its children: if the callback
Fixes: b647d2195
Reported-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
---
 src/conf/virdomainmomentobjlist.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/conf/virdomainmomentobjlist.c b/src/conf/virdomainmomentobjlist.c index 65e82f632c..66eb66017b 100644 --- a/src/conf/virdomainmomentobjlist.c +++ b/src/conf/virdomainmomentobjlist.c @@ -80,9 +80,11 @@ virDomainMomentActOnDescendant(void *payload, { virDomainMomentObjPtr obj = payload; struct moment_act_on_descendant *curr = data; + virDomainMomentObj tmp = *obj;
+ /* Careful: curr->iter can delete obj, hence the need for tmp */ (curr->iter)(payload, name, curr->data); - curr->number += 1 + virDomainMomentForEachDescendant(obj, + curr->number += 1 + virDomainMomentForEachDescendant(&tmp, curr->iter, curr->data); return 0;
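Review bot: `virDomainMomentObj tmp = *obj;` is a shallow struct copy, so it only protects the storage of obj itself; every pointer field that tmp carries still refers to whatever obj referred to, and the recursion through `&tmp` is safe only as long as curr->iter frees obj but leaves the objects those fields point at (the descendants the recursion is about to walk) alive. Worth stating that invariant in the comment, e.g. `/* Careful: curr->iter can delete obj (but must not free its descendants), hence the need for tmp */`, so a future callback that also tears down children does not quietly reintroduce the use-after-free this hunk fixes.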
This fixes the problem for me, thanks. The change itself looks reasonable to me, but I'm not familiar with the code enough to go with Reviewed-by I guess.
Well, Tested-by is better than nothing; so I've gone ahead and pushed it. Thanks for checking that it works :)
-- 
Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
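The traversal pattern the patch repairs, as an added stand-alone example that is not libvirt's code: a minimal moment tree (assumed struct layout, with only the linkage fields needed for the walk) where the per-node callback is allowed to free the node it is handed. The iterator reads the next sibling before invoking the callback and recurses through a stack copy of the node, so nothing touches freed memory even when the callback is a deleter. All names (`for_each_descendant`, `act_on_descendant`, `delete_cb`, `demo_delete_descendants`) are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed minimal moment node; the real libvirt struct has more fields,
 * only the tree linkage matters for the traversal shown here. */
typedef struct moment moment;
struct moment {
    char name[16];
    moment *parent;
    moment *first_child;
    moment *sibling;
    size_t nchildren;
};

typedef int (*moment_iter)(moment *obj, const char *name, void *data);

struct act_on_descendant {
    moment_iter iter;
    void *data;
    int number;   /* descendants visited so far */
};

static int for_each_descendant(moment *obj, moment_iter iter, void *data);

/* Visit one child: run the callback, then recurse into its children.
 * The callback may free obj, so everything needed afterwards is read
 * from the shallow stack copy 'tmp', never from obj. This mirrors the
 * fix: the copy is only valid if the callback frees obj but not the
 * descendants the copy's first_child pointer still refers to. */
static void act_on_descendant(moment *obj, struct act_on_descendant *curr)
{
    moment tmp = *obj;   /* taken before the callback can free obj */
    curr->iter(obj, tmp.name, curr->data);
    /* obj may be gone here; continue through the copy */
    curr->number += 1 + for_each_descendant(&tmp, curr->iter, curr->data);
}

/* Pre-order walk over every descendant of obj (not obj itself).
 * Returns the number of descendants visited. */
static int for_each_descendant(moment *obj, moment_iter iter, void *data)
{
    struct act_on_descendant curr = { iter, data, 0 };
    moment *child = obj->first_child;
    while (child) {
        moment *next = child->sibling;   /* read before child can be freed */
        act_on_descendant(child, &curr);
        child = next;
    }
    return curr.number;
}

static moment *moment_new(const char *name, moment *parent)
{
    moment *m = calloc(1, sizeof(*m));
    if (!m)
        abort();
    snprintf(m->name, sizeof m->name, "%s", name);
    m->parent = parent;
    if (parent) {
        m->sibling = parent->first_child;   /* push to front of child list */
        parent->first_child = m;
        parent->nchildren++;
    }
    return m;
}

/* Constructed deleting callback: frees the node it is handed, which is
 * exactly the case the fix guards against. Poisoning before free makes
 * any stale read through obj obvious under a sanitizer. */
static int delete_cb(moment *obj, const char *name, void *data)
{
    int *deleted = data;
    (void)name;
    memset(obj, 0xA5, sizeof(*obj));
    free(obj);
    (*deleted)++;
    return 0;
}

/* Build root -> {a -> {b}, c} and delete every descendant of root.
 * Returns the number of nodes freed (3), or -1 if the visit count and
 * the delete count disagree. */
int demo_delete_descendants(void)
{
    moment *root = moment_new("root", NULL);
    moment *a = moment_new("a", root);
    moment_new("b", a);
    moment_new("c", root);

    int deleted = 0;
    int visited = for_each_descendant(root, delete_cb, &deleted);

    root->first_child = NULL;   /* all children have been freed */
    root->nchildren = 0;
    free(root);
    return visited == deleted ? deleted : -1;
}

int main(void)
{
    printf("freed %d descendants without reading freed memory\n",
           demo_delete_descendants());
    return 0;
}
```

Building with `-fsanitize=address` is the quickest way to confirm the property: drop the `tmp` copy or the saved `next` pointer and the sanitizer reports the read of freed memory immediately.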