authorYonit Halperin <yhalperi@redhat.com>2011-07-04 15:14:43 +0300
committerYonit Halperin <yhalperi@redhat.com>2011-07-05 17:23:38 +0300
commit25d0058e7a39109549e179450c2cb2482b1e6498 (patch)
treed728c2ff2f2b2c07f78ec20f330a75a43e7226aa
parent96d323636c53c35152f871690467881e41e2b1fb (diff)
server: not reading command rings before RED_WORKER_MESSAGE_START, RHBZ #718713
On migration, destroy_surfaces is called from qxl (qxl_hard_reset), before the device was loaded (on destination). handle_dev_destroy_surfaces led to red_process_commands, which read the qxl command ring (which appeared to be not empty), and then when processing the command it accessed unmapped memory.
-rw-r--r--server/red_worker.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/server/red_worker.c b/server/red_worker.c
index e00751c..7632c60 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -4166,6 +4166,11 @@ static int red_process_cursor(RedWorker *worker, uint32_t max_pipe_size, int *ri
QXLCommandExt ext_cmd;
int n = 0;
+ if (!worker->running) {
+ *ring_is_empty = TRUE;
+ return n;
+ }
+
*ring_is_empty = FALSE;
while (!worker->cursor_channel || worker->cursor_channel->common.base.pipe_size <= max_pipe_size) {
if (!worker->qxl->st->qif->get_cursor_command(worker->qxl, &ext_cmd)) {
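Review bot: The early return at the top of red_process_cursor sets `*ring_is_empty = TRUE` without looking at the ring, so a caller cannot tell a drained ring from one that was skipped because the worker is stopped; the same guard is added to red_process_commands in the next hunk. A comment at each guard would record the reason, for example `/* ring memory may not be mapped before RED_WORKER_MESSAGE_START; do not read it */`. The flag is tested once before the loop, which is sufficient only if worker->running cannot change while the loop runs; that looks likely if it is changed only from the worker's own message handling, but this is not visible here. Both function bodies continue outside the hunks, and any other code that reads the guest-supplied rings is not shown and may need the same check.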
@@ -4205,7 +4210,12 @@ static int red_process_commands(RedWorker *worker, uint32_t max_pipe_size, int *
QXLCommandExt ext_cmd;
int n = 0;
uint64_t start = red_now();
-
+
+ if (!worker->running) {
+ *ring_is_empty = TRUE;
+ return n;
+ }
+
*ring_is_empty = FALSE;
while (!worker->display_channel || worker->display_channel->common.base.pipe_size <= max_pipe_size) {
if (!worker->qxl->st->qif->get_command(worker->qxl, &ext_cmd)) {