From patchwork Wed Sep 10 12:30:39 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Fam Zheng <famz@redhat.com>
X-Patchwork-Id: 387735
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 0BAE314013B
	for <incoming@patchwork.ozlabs.org>;
	Wed, 10 Sep 2014 22:31:22 +1000 (EST)
Received: from localhost ([::1]:55959 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)
	id 1XRh3O-0003U3-L5
	for incoming@patchwork.ozlabs.org; Wed, 10 Sep 2014 08:31:18 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:60117)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1XRh2z-0002z8-J9
	for qemu-devel@nongnu.org; Wed, 10 Sep 2014 08:30:59 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1XRh2t-0007h2-Vy
	for qemu-devel@nongnu.org; Wed, 10 Sep 2014 08:30:53 -0400
Received: from mx1.redhat.com ([209.132.183.28]:31914)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1XRh2t-0007gr-Pm
	for qemu-devel@nongnu.org; Wed, 10 Sep 2014 08:30:47 -0400
Received: from int-mx09.intmail.prod.int.phx2.redhat.com
	(int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s8ACUj8c015966
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=FAIL); Wed, 10 Sep 2014 08:30:45 -0400
Received: from fam-t430.nay.redhat.com (dhcp-14-161.nay.redhat.com
	[10.66.14.161])
	by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
	ESMTP id s8ACUfMI007425; Wed, 10 Sep 2014 08:30:42 -0400
From: Fam Zheng <famz@redhat.com>
To: qemu-devel@nongnu.org
Date: Wed, 10 Sep 2014 20:30:39 +0800
Message-Id: <1410352239-8705-1-git-send-email-famz@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 209.132.183.28
Cc: Kevin Wolf <kwolf@redhat.com>, Markus Armbruster <armbru@redhat.com>,
	Michael Roth <mdroth@linux.vnet.ibm.com>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Luiz Capitulino <lcapitulino@redhat.com>
Subject: [Qemu-devel] [PATCH] qapi: Fix crash with enum dealloc when kind is
	invalid
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

We shouldn't do anything in the switch block in enum's visit_type_
function, when the enum data's ->kind is not valid at all. This happens
when the dealloc visitor is called, after qmp input visitor returned
error.

Now, the input visitor will set ->kind to <TYPE>_MAX if the value is not
found, so that in dealloc, the switch block knows to skip calling into
specific type's visiting functions.

The added test case would trigger SIGSEGV without this fix.

This crash is introduced since commit b1de5f43 (QMP: Add support for
Archipelago).

Signed-off-by: Fam Zheng <famz@redhat.com>
---
 qapi/qapi-visit-core.c     | 12 +++++-------
 scripts/qapi-visit.py      |  6 ++++++
 tests/qemu-iotests/087     | 17 +++++++++++++++++
 tests/qemu-iotests/087.out | 13 +++++++++++++
 4 files changed, 41 insertions(+), 7 deletions(-)

diff --git a/qapi/qapi-visit-core.c b/qapi/qapi-visit-core.c
index 55f8d40..6c46e0e 100644
--- a/qapi/qapi-visit-core.c
+++ b/qapi/qapi-visit-core.c
@@ -276,23 +276,21 @@ void input_type_enum(Visitor *v, int *obj, const char *strings[],
 
     visit_type_str(v, &enum_str, name, &local_err);
     if (local_err) {
-        error_propagate(errp, local_err);
-        return;
+        enum_str = NULL;
     }
 
     while (strings[value] != NULL) {
-        if (strcmp(strings[value], enum_str) == 0) {
+        if (enum_str && strcmp(strings[value], enum_str) == 0) {
             break;
         }
         value++;
     }
 
-    if (strings[value] == NULL) {
-        error_set(errp, QERR_INVALID_PARAMETER, enum_str);
-        g_free(enum_str);
-        return;
+    if (!local_err && strings[value] == NULL) {
+        error_set(&local_err, QERR_INVALID_PARAMETER, enum_str);
     }
 
     g_free(enum_str);
     *obj = value;
+    error_propagate(errp, local_err);
 }
diff --git a/scripts/qapi-visit.py b/scripts/qapi-visit.py
index c129697..dad7561 100644
--- a/scripts/qapi-visit.py
+++ b/scripts/qapi-visit.py
@@ -379,6 +379,12 @@ void visit_type_%(name)s(Visitor *m, %(name)s **obj, const char *name, Error **e
                 c_name=c_fun(key))
 
     ret += mcgen('''
+        case %(enum_full_value)s:
+            break;
+''',
+                enum_full_value = generate_enum_full_value(disc_type, 'MAX'))
+
+    ret += mcgen('''
         default:
             abort();
         }
diff --git a/tests/qemu-iotests/087 b/tests/qemu-iotests/087
index 82c56b1..d7454d1 100755
--- a/tests/qemu-iotests/087
+++ b/tests/qemu-iotests/087
@@ -218,6 +218,23 @@ run_qemu <<EOF
 { "execute": "quit" }
 EOF
 
+echo
+echo === Missing driver ===
+echo
+
+_make_test_img -o encryption=on $size
+run_qemu -S <<EOF
+{ "execute": "qmp_capabilities" }
+{ "execute": "blockdev-add",
+  "arguments": {
+      "options": {
+        "id": "disk"
+      }
+    }
+  }
+{ "execute": "quit" }
+EOF
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/087.out b/tests/qemu-iotests/087.out
index 7fbee3f..f16bad0 100644
--- a/tests/qemu-iotests/087.out
+++ b/tests/qemu-iotests/087.out
@@ -64,4 +64,17 @@ QMP_VERSION
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}}
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "floppy0", "tray-open": true}}
 
+
+=== Missing driver ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on 
+Testing: -S
+QMP_VERSION
+{"return": {}}
+{"error": {"class": "GenericError", "desc": "Invalid parameter type for 'driver', expected: string"}}
+{"return": {}}
+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN"}
+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}}
+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "floppy0", "tray-open": true}}
+
 *** done