From df9cb669425051f4f4364cffb19c9b8089e04297 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Thu, 7 Jul 2011 17:04:17 +0200
Subject: [PATCH 1/2] spice: add sanity check for spice ports Make sure at least one port (port=.. or tls-port=...) is specified. Also apply range checks to the port numbers.
Signed-off-by: Gerd Hoffmann
---
 ui/spice-core.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/ui/spice-core.c b/ui/spice-core.c
index e142452bb6..1100417698 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -480,7 +480,16 @@ void qemu_spice_init(void)
 port = qemu_opt_get_number(opts, "port", 0);
 tls_port = qemu_opt_get_number(opts, "tls-port", 0);
 if (!port && !tls_port) {
- return;
+ fprintf(stderr, "neither port nor tls-port specified for spice.");
+ exit(1);
+ }
+ if (port < 0 || port > 65535) {
+ fprintf(stderr, "spice port is out of range");
+ exit(1);
+ }
+ if (tls_port < 0 || tls_port > 65535) {
+ fprintf(stderr, "spice tls-port is out of range");
+ exit(1);
 }
 password = qemu_opt_get(opts, "password");
From 8927cfbba232e28304734f7afd463c1b84134031 Mon Sep 17 00:00:00 2001
From: Yonit Halperin
Date: Tue, 12 Jul 2011 11:51:58 +0300
Subject: [PATCH 2/2] qxl: upon reset, if spice worker is stopped, the command rings can be not empty Spice worker does no longer process commands when it is stopped. Otherwise, it might crash during migration when attempting to process commands while the guest is not completely loaded.
Cc: Alon Levy
Signed-off-by: Gerd Hoffmann
---
 hw/qxl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/qxl.c b/hw/qxl.c
index 0b9a4c71ec..a6fb7f0acb 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
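Review bot: The range checks added to qemu_spice_init (ui/spice-core.c) run only after the option value has been stored in `port`/`tls_port`. qemu_opt_get_number() returns a uint64_t, so if those variables are plain ints, as the `< 0` tests suggest (their declaration is outside the hunk), an oversized value is narrowed before it is checked and can land inside the accepted range or on 0. Checking the full-width value first and assigning afterwards closes that gap, as sketched below. The three new messages also lack a trailing `\n`. The function body starts and ends outside the hunk.

```c
    /* validate the full-width option value before narrowing it */
    uint64_t port_opt = qemu_opt_get_number(opts, "port", 0);
    uint64_t tls_port_opt = qemu_opt_get_number(opts, "tls-port", 0);

    if (port_opt > 65535) {
        fprintf(stderr, "spice port is out of range\n");
        exit(1);
    }
    if (tls_port_opt > 65535) {
        fprintf(stderr, "spice tls-port is out of range\n");
        exit(1);
    }
    port = port_opt;
    tls_port = tls_port_opt;
    if (!port && !tls_port) {
        fprintf(stderr, "neither port nor tls-port specified for spice.\n");
        exit(1);
    }
    /* … unchanged: password and remaining option parsing … */
```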
@@ -656,8 +656,8 @@ static void qxl_reset_state(PCIQXLDevice *d)
 QXLRam *ram = d->ram;
 QXLRom *rom = d->rom;
- assert(SPICE_RING_IS_EMPTY(&ram->cmd_ring));
- assert(SPICE_RING_IS_EMPTY(&ram->cursor_ring));
+ assert(!d->ssd.running || SPICE_RING_IS_EMPTY(&ram->cmd_ring));
+ assert(!d->ssd.running || SPICE_RING_IS_EMPTY(&ram->cursor_ring));
 d->shadow_rom.update_id = cpu_to_le32(0);
 *rom = d->shadow_rom;
 qxl_rom_set_dirty(d);
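Review bot: The two relaxed asserts in qxl_reset_state still abort the process when the worker is running and a ring is non-empty, and both rings live in `d->ram`, which is presumably memory the guest can write; if the guest can influence the ring indices around a reset this is a guest-reachable abort, and with NDEBUG the check disappears entirely. Consider reporting the condition and continuing the reset instead of asserting on it. The reason for the new `!d->ssd.running` term is also not visible at this site; a comment such as `/* a stopped worker does not drain the rings, so they may be non-empty here (e.g. during migration) */` above the asserts would record it. The function body continues outside the hunk, so what becomes of leftover ring entries after the reset cannot be checked from here.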