server: not reading command rings before RED_WORKER_MESSAGE_START, RHBZ #718713

On migration, destroy_surfaces is called from qxl (qxl_hard_reset), before the device was loaded (on destination).
handle_dev_destroy_surfaces led to red_process_commands, which read the qxl command ring
(which appeared to be not empty), and then when processing the command
it accessed unmapped memory.

1 files changed, 10 insertions, 0 deletions

diff --git a/server/red_worker.c b/server/red_worker.c
index 2880f8c3..5f078033 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -4296,6 +4296,11 @@ static int red_process_cursor(RedWorker *worker, uint32_t max_pipe_size, int *ri
     QXLCommandExt ext_cmd;
     int n = 0;
 
+    if (!worker->running) {
+        *ring_is_empty = TRUE;
+        return n;
+    }
+
     *ring_is_empty = FALSE;
     while (!worker->cursor_channel || worker->cursor_channel->base.pipe_size <= max_pipe_size) {
         if (!worker->qxl->st->qif->get_cursor_command(worker->qxl, &ext_cmd)) {
@@ -4336,6 +4341,11 @@ static int red_process_commands(RedWorker *worker, uint32_t max_pipe_size, int *
     int n = 0;
     uint64_t start = red_now();
 
+    if (!worker->running) {
+        *ring_is_empty = TRUE;
+        return n;
+    }
+
     *ring_is_empty = FALSE;
     while (!worker->display_channel || worker->display_channel->base.pipe_size <= max_pipe_size) {
         if (!worker->qxl->st->qif->get_command(worker->qxl, &ext_cmd)) {