From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:60117)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1XRh2z-0002z8-J9
	for qemu-devel@nongnu.org; Wed, 10 Sep 2014 08:30:59 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1XRh2t-0007h2-Vy
	for qemu-devel@nongnu.org; Wed, 10 Sep 2014 08:30:53 -0400
Received: from mx1.redhat.com ([209.132.183.28]:31914)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <famz@redhat.com>) id 1XRh2t-0007gr-Pm
	for qemu-devel@nongnu.org; Wed, 10 Sep 2014 08:30:47 -0400
From: Fam Zheng <famz@redhat.com>
Date: Wed, 10 Sep 2014 20:30:39 +0800
Message-Id: <1410352239-8705-1-git-send-email-famz@redhat.com>
Subject: [Qemu-devel] [PATCH] qapi: Fix crash with enum dealloc when kind is
	invalid
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>, Markus Armbruster <armbru@redhat.com>, Michael Roth <mdroth@linux.vnet.ibm.com>, Stefan Hajnoczi <stefanha@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, Luiz Capitulino <lcapitulino@redhat.com>

We shouldn't do anything in the switch block in enum's visit_type_
function, when the enum data's ->kind is not valid at all. This happens
when the dealloc visitor is called, after qmp input visitor returned
error.

Now, the input visitor will set ->kind to <TYPE>_MAX if the value is not
found, so that in dealloc, the switch block knows to skip calling into
specific type's visiting functions.

The added test case would trigger SIGSEGV without this fix.

This crash is introduced since commit b1de5f43 (QMP: Add support for
Archipelago).

Signed-off-by: Fam Zheng <famz@redhat.com>
---
 qapi/qapi-visit-core.c     | 12 +++++-------
 scripts/qapi-visit.py      |  6 ++++++
 tests/qemu-iotests/087     | 17 +++++++++++++++++
 tests/qemu-iotests/087.out | 13 +++++++++++++
 4 files changed, 41 insertions(+), 7 deletions(-)

diff --git a/qapi/qapi-visit-core.c b/qapi/qapi-visit-core.c
index 55f8d40..6c46e0e 100644
--- a/qapi/qapi-visit-core.c
+++ b/qapi/qapi-visit-core.c
@@ -276,23 +276,21 @@ void input_type_enum(Visitor *v, int *obj, const char *strings[],
 
     visit_type_str(v, &enum_str, name, &local_err);
     if (local_err) {
-        error_propagate(errp, local_err);
-        return;
+        enum_str = NULL;
     }
 
     while (strings[value] != NULL) {
-        if (strcmp(strings[value], enum_str) == 0) {
+        if (enum_str && strcmp(strings[value], enum_str) == 0) {
             break;
         }
         value++;
     }
 
-    if (strings[value] == NULL) {
-        error_set(errp, QERR_INVALID_PARAMETER, enum_str);
-        g_free(enum_str);
-        return;
+    if (!local_err && strings[value] == NULL) {
+        error_set(&local_err, QERR_INVALID_PARAMETER, enum_str);
     }
 
     g_free(enum_str);
     *obj = value;
+    error_propagate(errp, local_err);
 }
diff --git a/scripts/qapi-visit.py b/scripts/qapi-visit.py
index c129697..dad7561 100644
--- a/scripts/qapi-visit.py
+++ b/scripts/qapi-visit.py
@@ -379,6 +379,12 @@ void visit_type_%(name)s(Visitor *m, %(name)s **obj, const char *name, Error **e
                 c_name=c_fun(key))
 
     ret += mcgen('''
+        case %(enum_full_value)s:
+            break;
+''',
+                enum_full_value = generate_enum_full_value(disc_type, 'MAX'))
+
+    ret += mcgen('''
         default:
             abort();
         }
diff --git a/tests/qemu-iotests/087 b/tests/qemu-iotests/087
index 82c56b1..d7454d1 100755
--- a/tests/qemu-iotests/087
+++ b/tests/qemu-iotests/087
@@ -218,6 +218,23 @@ run_qemu <<EOF
 { "execute": "quit" }
 EOF
 
+echo
+echo === Missing driver ===
+echo
+
+_make_test_img -o encryption=on $size
+run_qemu -S <<EOF
+{ "execute": "qmp_capabilities" }
+{ "execute": "blockdev-add",
+  "arguments": {
+      "options": {
+        "id": "disk"
+      }
+    }
+  }
+{ "execute": "quit" }
+EOF
+
 # success, all done
 echo "*** done"
 rm -f $seq.full
diff --git a/tests/qemu-iotests/087.out b/tests/qemu-iotests/087.out
index 7fbee3f..f16bad0 100644
--- a/tests/qemu-iotests/087.out
+++ b/tests/qemu-iotests/087.out
@@ -64,4 +64,17 @@ QMP_VERSION
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}}
 {"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "floppy0", "tray-open": true}}
 
+
+=== Missing driver ===
+
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on 
+Testing: -S
+QMP_VERSION
+{"return": {}}
+{"error": {"class": "GenericError", "desc": "Invalid parameter type for 'driver', expected: string"}}
+{"return": {}}
+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "SHUTDOWN"}
+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}}
+{"timestamp": {"seconds":  TIMESTAMP, "microseconds":  TIMESTAMP}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "floppy0", "tray-open": true}}
+
 *** done
-- 
1.9.3