pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2025-12-27 07:29:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

server: not reading command rings before RED_WORKER_MESSAGE_START, RHBZ #718713

Browse Source 
On migration, destroy_surfaces is called from qxl (qxl_hard_reset), before the device was loaded (on destination).
handle_dev_destroy_surfaces led to red_process_commands, which read the qxl command ring
(which appeared to be not empty), and then when processing the command
it accessed unmapped memory.
This commit is contained in:
Yonit Halperin 2011-07-04 15:14:43 +03:00 committed by Alon Levy
parent f0e5a3cb77
commit c8d63ceb2f
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
server/red_worker.c
View File

@ -4296,6 +4296,11 @@ static int red_process_cursor(RedWorker *worker, uint32_t max_pipe_size, int *ri
QXLCommandExt ext_cmd;
int n = 0;
if (!worker->running) {
*ring_is_empty = TRUE;
return n;
}
*ring_is_empty = FALSE;
while (!worker->cursor_channel || worker->cursor_channel->base.pipe_size <= max_pipe_size) {
if (!worker->qxl->st->qif->get_cursor_command(worker->qxl, &ext_cmd)) {
@ -4335,7 +4340,12 @@ static int red_process_commands(RedWorker *worker, uint32_t max_pipe_size, int *
QXLCommandExt ext_cmd;
int n = 0;
uint64_t start = red_now();
if (!worker->running) {
*ring_is_empty = TRUE;
return n;
}
*ring_is_empty = FALSE;
while (!worker->display_channel || worker->display_channel->base.pipe_size <= max_pipe_size) {
if (!worker->qxl->st->qif->get_command(worker->qxl, &ext_cmd)) {