From b881c4b5caa42544d449e3454a00250f7cd023c0 Mon Sep 17 00:00:00 2001
From: Yonit Halperin
Date: Mon, 4 Jul 2011 15:14:43 +0300
Subject: server: not reading command rings before RED_WORKER_MESSAGE_START, RHBZ #718713

On migration, destroy_surfaces is called from qxl (qxl_hard_reset), before the device was loaded (on destination). handle_dev_destroy_surfaces led to red_process_commands, which read the qxl command ring (which appeared to be not empty), and then when processing the command it accessed unmapped memory.
---
 server/red_worker.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
(limited to 'server/red_worker.c')
diff --git a/server/red_worker.c b/server/red_worker.c
index e00751c8..7632c604 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -4166,6 +4166,11 @@ static int red_process_cursor(RedWorker *worker, uint32_t max_pipe_size, int *ri
 QXLCommandExt ext_cmd;
 int n = 0;
+ if (!worker->running) {
+ *ring_is_empty = TRUE;
+ return n;
+ }
+
 *ring_is_empty = FALSE;
 while (!worker->cursor_channel || worker->cursor_channel->common.base.pipe_size <= max_pipe_size) {
 if (!worker->qxl->st->qif->get_cursor_command(worker->qxl, &ext_cmd)) {
@@ -4205,7 +4210,12 @@ static int red_process_commands(RedWorker *worker, uint32_t max_pipe_size, int *
 QXLCommandExt ext_cmd;
 int n = 0;
 uint64_t start = red_now();
-
+
+ if (!worker->running) {
+ *ring_is_empty = TRUE;
+ return n;
+ }
+
 *ring_is_empty = FALSE;
 while (!worker->display_channel || worker->display_channel->common.base.pipe_size <= max_pipe_size) {
 if (!worker->qxl->st->qif->get_command(worker->qxl, &ext_cmd)) {
-- cgit
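Review bot: The new `if (!worker->running)` early return in red_process_cursor, and the identical one in red_process_commands, has no comment saying why a stopped worker must not read the rings, so the invariant is recorded only in the commit message. I would put above each check something like `/* ring contents are not valid before RED_WORKER_MESSAGE_START (e.g. on a migration destination); do not read them */`. Setting `*ring_is_empty = TRUE` on this path also tells the caller that nothing is pending, which is presumably what handle_dev_destroy_surfaces needs, but any caller that treats an empty ring as "all guest commands were processed" should be checked; those callers are outside the hunks. Since `n` is still 0 at that point, `return 0;` would state the result more directly than `return n;`. Both function bodies begin and continue outside the hunks shown.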