From: Joerg Roedel <jroedel@suse.de>
To: "Bjørn Mork" <bjorn@mork.no>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>, linux-pm@vger.kernel.org
Subject: Re: NULL pointer dereference in swsusp_free with 3.17-rc5
Date: Thu, 25 Sep 2014 11:13:18 +0200
Message-ID: <20140925091318.GA4269@suse.de>
In-Reply-To: <87egv0i2sl.fsf@nemi.mork.no>
On Thu, Sep 25, 2014 at 09:20:58AM +0200, Bjørn Mork wrote:
> "Rafael J. Wysocki" <rjw@rjwysocki.net> writes:
>
> > I've decided to go with a revert for 3.17, as we don't seem to have an immediate
> > fix and the final 3.17 may be as close as this Sunday. So I'm going to send my
> > final pull request for 3.17 to Linus tomorrow or early on Friday.
>
> Sounds safest to me, FWIW.

Yes, sorry for the delay, I am still fighting with my cold and couldn't
get around to sending a fix sooner :/

> For the next round of this, I think the only missing part was some test
> like
>
> if (!forbidden_pages_map || !free_pages_map)
> goto return_without_freeing_anything;

Right, this is pretty much the fix. Can you please test the attached
patch?

> And BTW, I believe it would be useful if at least one more person in the
> world tested hibernation between each release ;-)

Well, I tested these patches on at least 4 or 5 different hardware
configurations. I also know of other people testing hibernation with -rc
kernels, but this is the first report of this issue I have seen. I
wonder what is different in your setup so that you trigger this bug.

Anyway, it would be great if you could test the patch below :)

Thanks,

Joerg

From fe599eff60cfbfbb1f894dc476ee28f38aef954b Mon Sep 17 00:00:00 2001
From: Joerg Roedel <jroedel@suse.de>
Date: Thu, 25 Sep 2014 11:04:40 +0200
Subject: [PATCH] PM: Hibernate: Fix NULL pointer access in swsusp_free
The optimized version of swsusp_free does not check the
bitmap pointers anymore, which may cause a NULL pointer
dereference and a kernel crash. Fix it by adding the checks
and bail out if one of them is NULL.
Reported-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
---
kernel/power/snapshot.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
index c4b8093..791a618 100644
--- a/kernel/power/snapshot.c
+++ b/kernel/power/snapshot.c
@@ -1343,6 +1343,9 @@ void swsusp_free(void)
{
unsigned long fb_pfn, fr_pfn;
+ if (!forbidden_pages_map || !free_pages_map)
+ goto out;
+
memory_bm_position_reset(forbidden_pages_map);
memory_bm_position_reset(free_pages_map);
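Review bot: the guard at the top of swsusp_free() joins the two tests with ||, so a state where only one of forbidden_pages_map and free_pages_map is NULL is handled silently, the same as neither bitmap being allocated. If that mixed state can never happen legitimately, a WARN_ON for it would catch an inconsistent setup instead of hiding it. Either way, a short comment above the if saying when the bitmaps are expected to be NULL at this point would help, since the commit message says an earlier optimization dropped exactly this check.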
@@ -1370,6 +1373,7 @@ loop:
goto loop;
}
+out:
nr_copy_pages = 0;
nr_meta_pages = 0;
restore_pblist = NULL;
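Review bot: the commit message should say that the early exit deliberately still resets state. The out: label is placed ahead of nr_copy_pages = 0, so the NULL-bitmap path skips only the bitmap walk and still clears nr_copy_pages, nr_meta_pages and restore_pblist. "Bail out" alone does not convey that, and without it the goto reads as something a later cleanup could turn into a plain return.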
--
1.8.4.5