Fix crash when cleaning up from failed save attempt

If a transient QEMU crashes during save attempt, then the virDomainPtr
object may be freed. If a persistent QEMU crashes during save, then
the 'priv->mon' field is no longer valid since it will be inactive.

* src/qemu/qemu_driver.c: Fix two crashes when QEMU exits
  during a save attempt

src/qemu/qemu_driver.c

@@ -4924,7 +4924,8 @@ static int qemudDomainSaveFlag(virDomainPtr dom, const char *path,
     }
 
 endjob:
-    if (ret != 0 && header.was_running) {
+    if (vm) {
+        if (ret != 0 && header.was_running && priv->mon) {
             qemuDomainObjEnterMonitorWithDriver(driver, vm);
             rc = qemuMonitorStartCPUs(priv->mon, dom->conn);
             qemuDomainObjExitMonitorWithDriver(driver, vm);
@@ -4934,9 +4935,9 @@ endjob:
                 vm->state = VIR_DOMAIN_RUNNING;
         }
 
-    if (vm &&
-        qemuDomainObjEndJob(vm) == 0)
+        if (qemuDomainObjEndJob(vm) == 0)
             vm = NULL;
+    }
 
 cleanup:
     VIR_FREE(xml);
@@ -7110,9 +7111,16 @@ static int qemudDomainAttachNetDevice(virConnectPtr conn,
     }
 
     /* FIXME - need to support vhost-net here (5th arg) */
+    if ((qemuCmdFlags & QEMUD_CMD_FLAG_NETDEV) &&
+        (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) {
+        if (!(netstr = qemuBuildHostNetStr(net, ',',
+                                           -1, tapfd_name, 0)))
+            goto try_tapfd_close;
+    } else {
         if (!(netstr = qemuBuildHostNetStr(net, ' ',
                                            vlan, tapfd_name, 0)))
             goto try_tapfd_close;
+    }
 
     qemuDomainObjEnterMonitorWithDriver(driver, vm);
     if (qemuMonitorAddHostNetwork(priv->mon, netstr) < 0) {