VMM: 0.869
graphic: 0.867
ppc: 0.812
device: 0.809
files: 0.771
architecture: 0.747
network: 0.701
PID: 0.696
vnc: 0.690
socket: 0.614
register: 0.597
kernel: 0.595
performance: 0.569
semantic: 0.568
risc-v: 0.541
boot: 0.517
arm: 0.505
virtual: 0.499
mistranslation: 0.473
debug: 0.467
TCG: 0.433
permissions: 0.419
i386: 0.411
x86: 0.380
assembly: 0.372
hypervisor: 0.321
peripherals: 0.291
user-level: 0.271
KVM: 0.244

A use-after-free bug in pflash_cfi01 snapshot implementation
Description of problem:
The flash snapshot restore does not function correctly. Basically when you use “if=pflash,format=raw,unit=0,file=OVMF_VAR.fd", it crashes when trying to restore a snapshot.

The root cause is:

1. In system/runstate.c, function vm_state_notify loops through vm_change_state_head list and calls the callback function for each entry.
2. One of the callback function pointer points to function postload_update_cb in hw/block/pflash_cfi01.c.
3. In function postload_update_cb, it calls qemu_del_vm_change_state_handler in which the entry element memory is freed.
4. Note that, it is still running in the loop, the entry will be visited and get executed, the function pointer may point to a wide memory.
Additional information: