snapshot: Reset err to NULL to avoid double free

If an error occurs in bdrv_snapshot_delete_by_id_or_name(), "err" is
freed.  If "err" is not set to NULL before calling
bdrv_snapshot_delete_by_id_or_name() again, it will not be updated on
error, and will be freed again.

This can be triggered by starting a VM with at least two drives and then
attempting to delete a non-existent snapshot.

Broken in commit a89d89d.

Signed-off-by: Chris Spiegel <[email protected]>
Reviewed-by: Markus Armbruster <[email protected]>
Message-id: [email protected]
Signed-off-by: Stefan Hajnoczi <[email protected]>

Author: cspiegel-cypherpath

savevm.c

@@ -1246,7 +1246,7 @@ int load_vmstate(const char *name)
 void do_delvm(Monitor *mon, const QDict *qdict)
 {
     BlockDriverState *bs;
-    Error *err = NULL;
+    Error *err;
     const char *name = qdict_get_str(qdict, "name");
 
     if (!find_vmstate_bs()) {
@@ -1257,6 +1257,7 @@ void do_delvm(Monitor *mon, const QDict *qdict)
     bs = NULL;
     while ((bs = bdrv_next(bs))) {
         if (bdrv_can_snapshot(bs)) {
+            err = NULL;
             bdrv_snapshot_delete_by_id_or_name(bs, name, &err);
             if (err) {
                 monitor_printf(mon,