Here's the fix, followed by the endjob/cleanup code:

From d696f6067d6e802714adbf3e36bf53c9fcf3ec76 Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering@redhat.com> Date: Mon, 17 May 2010 19:28:44 +0200 Subject: [PATCH] qemudDomainSetVcpus: avoid NULL-deref on failed uuid look-up

* src/qemu/qemu_driver.c (qemudDomainSetVcpus): Upon look-up failure, i.e., vm==NULL, goto cleanup, rather than to "endjob", superficially since the latter would dereference vm, but more fundamentally because we certainly don't want to call qemuDomainObjEndJob before we've even attempted qemuDomainObjBeginJob. --- src/qemu/qemu_driver.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 582fdee..16a9646 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -5526,11 +5526,11 @@ static int qemudDomainSetVcpus(virDomainPtr dom, unsigned int nvcpus) { if (!vm) { char uuidstr[VIR_UUID_STRING_BUFLEN]; virUUIDFormat(dom->uuid, uuidstr); qemuReportError(VIR_ERR_NO_DOMAIN, _("no domain with matching uuid '%s'"), uuidstr); - goto endjob; + goto cleanup; } if (qemuDomainObjBeginJob(vm) < 0) goto cleanup; -- 1.7.1.250.g7d1e8 Here's the end of that function. Note that in endjob's code, vm is dereferenced: ... ret = qemudDomainHotplugVcpus(vm, nvcpus); endjob: if (qemuDomainObjEndJob(vm) == 0) vm = NULL; cleanup: if (vm) virDomainObjUnlock(vm); return ret; }