From patchwork Thu Sep 25 09:13:18 2014
X-Patchwork-Submitter: Joerg Roedel
X-Patchwork-Id: 4973861
Date: Thu, 25 Sep 2014 11:13:18 +0200
From: Joerg Roedel
To: Bjørn Mork
Cc: "Rafael J. Wysocki", linux-pm@vger.kernel.org
Subject: Re: NULL pointer dereference in swsusp_free with 3.17-rc5
Message-ID: <20140925091318.GA4269@suse.de>
In-Reply-To: <87egv0i2sl.fsf@nemi.mork.no>

On Thu, Sep 25, 2014 at 09:20:58AM +0200, Bjørn Mork wrote:
> "Rafael J. Wysocki" writes:
>
> > I've decided to go with a revert for 3.17, as we don't seem to have an immediate
> > fix and the final 3.17 may be as close as this Sunday. So I'm going to send my
> > final pull request for 3.17 to Linus tomorrow or early on Friday.
>
> Sounds safest to me, FWIW.

Yes, sorry for the delay, I am still fighting with my cold and couldn't
get around to sending a fix sooner :/

> For the next round of this, I think the only missing part was some test
> like
>
> if (!forbidden_pages_map || !free_pages_map)
> goto return_without_freeing_anything;

Right, this is pretty much the fix. Can you please test the attached patch?

> And BTW, I believe it would be useful if at least one more person in the
> world tested hibernation between each release ;-)

Well, I tested these patches on at least 4 or 5 different hardware
configurations. I also know of other people testing hibernation with -rc
kernels, but this is the first report of this issue I have seen. I wonder
what is different in your setup so that you trigger this bug.
Anyway, it would be great if you could test the patch below :) Thanks, Joerg From fe599eff60cfbfbb1f894dc476ee28f38aef954b Mon Sep 17 00:00:00 2001 From: Joerg Roedel Date: Thu, 25 Sep 2014 11:04:40 +0200 Subject: [PATCH] PM: Hibernate: Fix NULL pointer access in swsusp_free The optimized version of swsusp_free does not check the bitmap pointers anymore, which may cause a NULL pointer dereference and a kernel crash. Fix it by adding the checks and bail out if one of them is NULL. Reported-by: Bjørn Mork Signed-off-by: Joerg Roedel --- kernel/power/snapshot.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c index c4b8093..791a618 100644 --- a/kernel/power/snapshot.c +++ b/kernel/power/snapshot.c @@ -1343,6 +1343,9 @@ void swsusp_free(void) { unsigned long fb_pfn, fr_pfn; + if (!forbidden_pages_map || !free_pages_map) + goto out; + memory_bm_position_reset(forbidden_pages_map); memory_bm_position_reset(free_pages_map); @@ -1370,6 +1373,7 @@ loop: goto loop; } +out: nr_copy_pages = 0; nr_meta_pages = 0; restore_pblist = NULL;
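Review bot: in the first hunk (the `if (!forbidden_pages_map || !free_pages_map) goto out;` added before `memory_bm_position_reset(forbidden_pages_map)`), the commit message says the function will "bail out" when a bitmap pointer is NULL, but the `goto out` does not return early: it jumps past the freeing loop to the `out:` label, after which `nr_copy_pages = 0;`, `nr_meta_pages = 0;` and `restore_pblist = NULL;` still run. That is the right target, since the snapshot bookkeeping must be cleared whether or not any pages were allocated, but the message should say "skip the freeing loop and still reset the snapshot state" rather than "bail out" so the next reader does not mistake the label for a plain early return.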
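Review bot: in the second hunk, the new `out:` label is dropped directly between the closing `}` of the loop and `nr_copy_pages = 0;` with nothing explaining why the early-exit path from the top of the function has to land exactly here. A one-line comment above `out:` stating that the resets below must also execute when the bitmaps do not exist would keep a future cleanup from moving the label, hoisting the resets, or replacing the `goto` with a `return`, any of which would silently reintroduce stale `nr_copy_pages`/`restore_pblist` values after a failed or aborted hibernation.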