From: Alberto Garcia Date: Thu, 6 Sep 2018 14:25:41 +0000 (+0300) Subject: block: Fix use after free error in bdrv_open_inherit() X-Git-Tag: qemu-xen-4.13.0-rc1~655^2^2~22 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=8961be33e8ca7e809c603223803ea66ef7ea5be7;p=qemu-xen.git block: Fix use after free error in bdrv_open_inherit() When a block device is opened with BDRV_O_SNAPSHOT and the bdrv_append_temp_snapshot() call fails then the error code path tries to unref the already destroyed 'options' QDict. This can be reproduced easily by setting TMPDIR to a location where the QEMU process can't write: $ TMPDIR=/nonexistent $QEMU -drive driver=null-co,snapshot=on Signed-off-by: Alberto Garcia Signed-off-by: Kevin Wolf --- diff --git a/block.c b/block.c index 0dbb1fcc7b..a381c8ece8 100644 --- a/block.c +++ b/block.c @@ -2792,6 +2792,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename, bdrv_parent_cb_change_media(bs, true); qobject_unref(options); + options = NULL; /* For snapshot=on, create a temporary qcow2 overlay. bs points to the * temporary snapshot afterwards. */
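Review bot: The `options = NULL;` added after `qobject_unref(options);` in the `bdrv_open_inherit()` hunk only fixes the double unref if the later error path's `qobject_unref(options)` treats a NULL argument as a no-op; that dependency is invisible here, since the hunk shows neither the error label nor the bdrv_append_temp_snapshot() failure branch the commit message describes. Suggest extending the inline comment so the next reader does not "clean up" the assignment, e.g. `options = NULL; /* consumed; the error path below must not unref it again */`, and mentioning in the commit message that qobject_unref() of NULL is the intended no-op.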