[Spice-devel] [PATCH] server: not reading command rings before RED_WORKER_MESSAGE_START, RHBZ #718713

Yonit Halperin yhalperi at redhat.com
Mon Jul 4 05:32:39 PDT 2011


On migration, destroy_surfaces is called from qxl (qxl_hard_reset) before the device has been loaded (on the destination).
handle_dev_destroy_surfaces led to red_process_commands, which read the qxl command ring
(which appeared not to be empty), and then, when processing the command,
it accessed unmapped memory.
---
 server/red_worker.c |   12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/server/red_worker.c b/server/red_worker.c
index 89fdac3..c0a9760 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -4166,6 +4166,11 @@ static int red_process_cursor(RedWorker *worker, uint32_t max_pipe_size, int *ri
     QXLCommandExt ext_cmd;
     int n = 0;
 
+    if (!worker->running) {
+        *ring_is_empty = TRUE;
+        return n;
+    }
+
     *ring_is_empty = FALSE;
     while (!worker->cursor_channel || worker->cursor_channel->common.base.pipe_size <= max_pipe_size) {
         if (!worker->qxl->st->qif->get_cursor_command(worker->qxl, &ext_cmd)) {
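Review bot: The new early return on `worker->running` carries no comment, so a reader of red_process_cursor cannot tell from the code why an apparently non-empty ring must not be read here; the reason (device memory is not guaranteed to be mapped before RED_WORKER_MESSAGE_START) lives only in the commit description. Suggest a comment above the check, `/* Do not touch the qxl rings before RED_WORKER_MESSAGE_START: the guest memory may not be mapped yet (RHBZ #718713). */`, and the same comment on the identical guard in red_process_commands in the second hunk. In that second hunk the guard sits after `uint64_t start = red_now();`, so the timestamp is taken and then discarded on the early-return path; placing the guard before the `start` initialisation would be marginally tidier, though it has no behavioural effect. Both functions start and end outside their hunks, so whether every other caller of the rings is likewise gated cannot be confirmed from this patch.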
@@ -4205,7 +4210,12 @@ static int red_process_commands(RedWorker *worker, uint32_t max_pipe_size, int *
     QXLCommandExt ext_cmd;
     int n = 0;
     uint64_t start = red_now();
-    
+
+    if (!worker->running) {
+        *ring_is_empty = TRUE;
+        return n;
+    }
+
     *ring_is_empty = FALSE;
     while (!worker->display_channel || worker->display_channel->common.base.pipe_size <= max_pipe_size) {
         if (!worker->qxl->st->qif->get_command(worker->qxl, &ext_cmd)) {
-- 
1.7.4.4


