[Spice-devel] [PATCH] server: not reading command rings before RED_WORKER_MESSAGE_START, RHBZ #718713
Alon Levy
alevy at redhat.com
Tue Jul 5 07:10:24 PDT 2011
On Mon, Jul 04, 2011 at 03:32:39PM +0300, Yonit Halperin wrote:
> On migration, destroy_surfaces is called from qxl (qxl_hard_reset), before the device was loaded (on destination).
> handle_dev_destroy_surfaces led to red_process_commands, which read the qxl command ring
> (which appeared to be not empty), and then when processing the command
> it accessed unmapped memory.
ACK
> ---
> server/red_worker.c | 12 +++++++++++-
> 1 files changed, 11 insertions(+), 1 deletions(-)
>
> diff --git a/server/red_worker.c b/server/red_worker.c
> index 89fdac3..c0a9760 100644
> --- a/server/red_worker.c
> +++ b/server/red_worker.c
> @@ -4166,6 +4166,11 @@ static int red_process_cursor(RedWorker *worker, uint32_t max_pipe_size, int *ri
> QXLCommandExt ext_cmd;
> int n = 0;
>
> + if (!worker->running) {
> + *ring_is_empty = TRUE;
> + return n;
> + }
> +
> *ring_is_empty = FALSE;
> while (!worker->cursor_channel || worker->cursor_channel->common.base.pipe_size <= max_pipe_size) {
> if (!worker->qxl->st->qif->get_cursor_command(worker->qxl, &ext_cmd)) {
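Review bot: The early return at the top of red_process_cursor sets *ring_is_empty = TRUE without ever calling get_cursor_command, so it reports a state it has not checked, and the commit message says the ring can in fact be non-empty at this point. Please add a short comment above "if (!worker->running) {" saying that the ring must not be touched before RED_WORKER_MESSAGE_START and that TRUE here means "nothing to process yet", so callers that act on ring_is_empty are not misread later as seeing a drained ring.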
> @@ -4205,7 +4210,12 @@ static int red_process_commands(RedWorker *worker, uint32_t max_pipe_size, int *
> QXLCommandExt ext_cmd;
> int n = 0;
> uint64_t start = red_now();
> -
> +
> + if (!worker->running) {
> + *ring_is_empty = TRUE;
> + return n;
> + }
> +
> *ring_is_empty = FALSE;
> while (!worker->display_channel || worker->display_channel->common.base.pipe_size <= max_pipe_size) {
> if (!worker->qxl->st->qif->get_command(worker->qxl, &ext_cmd)) {
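Review bot: The guard in red_process_commands is a verbatim copy of the one added to red_process_cursor ("if (!worker->running) {", "*ring_is_empty = TRUE;", "return n;"), again with no comment explaining why the ring is reported empty without being read; consider documenting it in one place or factoring it into a small helper so the two functions cannot drift apart. The hunk also removes one blank line after "uint64_t start = red_now();" and adds another in its place, which looks like a whitespace-only change that should be dropped from the patch.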
> --
> 1.7.4.4
>