1. Patchew
  2. linux
  3. View series

[PATCH] PM: hibernate: Fix crash when freeing invalid crypto compressor

Malaya Kumar Rout posted 1 patch 1 month, 2 weeks ago
There is a newer version of this series
kernel/power/swap.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
[PATCH] PM: hibernate: Fix crash when freeing invalid crypto compressor
Posted by Malaya Kumar Rout 1 month, 2 weeks ago 
When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL.
The cleanup code in save_compressed_image() and load_compressed_image()
unconditionally calls crypto_free_acomp() without checking for ERR_PTR,
which causes crypto_acomp_tfm() to dereference an invalid pointer and
crash the kernel.

This can be triggered when the compression algorithm is unavailable
(e.g., CONFIG_CRYPTO_LZO not enabled).

Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp()
and acomp_request_free(), similar to the existing kthread_stop() check.

Signed-off-by: Malaya Kumar Rout <mrout@redhat.com>
---
 kernel/power/swap.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/power/swap.c b/kernel/power/swap.c
index 33a186373bef..8ee2fa995580 100644
--- a/kernel/power/swap.c
+++ b/kernel/power/swap.c
@@ -902,8 +902,10 @@ static int save_compressed_image(struct swap_map_handle *handle,
 		for (thr = 0; thr < nr_threads; thr++) {
 			if (data[thr].thr)
 				kthread_stop(data[thr].thr);
-			acomp_request_free(data[thr].cr);
-			crypto_free_acomp(data[thr].cc);
+			if (data[thr].cr)
+				acomp_request_free(data[thr].cr);
+			if (!IS_ERR_OR_NULL(data[thr].cc))
+				crypto_free_acomp(data[thr].cc);
 		}
 		vfree(data);
 	}
@@ -1499,8 +1501,10 @@ static int load_compressed_image(struct swap_map_handle *handle,
 		for (thr = 0; thr < nr_threads; thr++) {
 			if (data[thr].thr)
 				kthread_stop(data[thr].thr);
-			acomp_request_free(data[thr].cr);
-			crypto_free_acomp(data[thr].cc);
+			if (data[thr].cr)
+				acomp_request_free(data[thr].cr);
+			if (!IS_ERR_OR_NULL(data[thr].cc))
+				crypto_free_acomp(data[thr].cc);
 		}
 		vfree(data);
 	}
-- 
2.51.0
Re: [PATCH] PM: hibernate: Fix crash when freeing invalid crypto compressor
Posted by Rafael J. Wysocki 1 month, 1 week ago 
On Wed, Dec 24, 2025 at 7:21 PM Malaya Kumar Rout <mrout@redhat.com> wrote:
>
> When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL.
> The cleanup code in save_compressed_image() and load_compressed_image()
> unconditionally calls crypto_free_acomp() without checking for ERR_PTR,
> which causes crypto_acomp_tfm() to dereference an invalid pointer and
> crash the kernel.
>
> This can be triggered when the compression algorithm is unavailable
> (e.g., CONFIG_CRYPTO_LZO not enabled).
>
> Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp()
> and acomp_request_free(), similar to the existing kthread_stop() check.
>
> Signed-off-by: Malaya Kumar Rout <mrout@redhat.com>

I think that it should be possible to find a specific commit fixed by
this and provide a Fixes: tag pointing to it.

Can you please do so?

> ---
>  kernel/power/swap.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/power/swap.c b/kernel/power/swap.c
> index 33a186373bef..8ee2fa995580 100644
> --- a/kernel/power/swap.c
> +++ b/kernel/power/swap.c
> @@ -902,8 +902,10 @@ static int save_compressed_image(struct swap_map_handle *handle,
>                 for (thr = 0; thr < nr_threads; thr++) {
>                         if (data[thr].thr)
>                                 kthread_stop(data[thr].thr);
> -                       acomp_request_free(data[thr].cr);
> -                       crypto_free_acomp(data[thr].cc);
> +                       if (data[thr].cr)
> +                               acomp_request_free(data[thr].cr);
> +                       if (!IS_ERR_OR_NULL(data[thr].cc))
> +                               crypto_free_acomp(data[thr].cc);
>                 }
>                 vfree(data);
>         }
> @@ -1499,8 +1501,10 @@ static int load_compressed_image(struct swap_map_handle *handle,
>                 for (thr = 0; thr < nr_threads; thr++) {
>                         if (data[thr].thr)
>                                 kthread_stop(data[thr].thr);
> -                       acomp_request_free(data[thr].cr);
> -                       crypto_free_acomp(data[thr].cc);
> +                       if (data[thr].cr)
> +                               acomp_request_free(data[thr].cr);
> +                       if (!IS_ERR_OR_NULL(data[thr].cc))
> +                               crypto_free_acomp(data[thr].cc);
>                 }
>                 vfree(data);
>         }
> --
> 2.51.0
>
[PATCH v2] PM: hibernate: Fix crash when freeing invalid crypto compressor
Posted by Malaya Kumar Rout 1 month, 1 week ago 
When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL.
The cleanup code in save_compressed_image() and load_compressed_image()
unconditionally calls crypto_free_acomp() without checking for ERR_PTR,
which causes crypto_acomp_tfm() to dereference an invalid pointer and
crash the kernel.

This can be triggered when the compression algorithm is unavailable
(e.g., CONFIG_CRYPTO_LZO not enabled).

Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp()
and acomp_request_free(), similar to the existing kthread_stop() check.

Fixes: b03d542c3c95 ("PM: hibernate: Use crypto_acomp interface")
Signed-off-by: Malaya Kumar Rout <mrout@redhat.com>
---
 kernel/power/swap.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/power/swap.c b/kernel/power/swap.c
index 33a186373bef..8ee2fa995580 100644
--- a/kernel/power/swap.c
+++ b/kernel/power/swap.c
@@ -902,8 +902,10 @@ static int save_compressed_image(struct swap_map_handle *handle,
 		for (thr = 0; thr < nr_threads; thr++) {
 			if (data[thr].thr)
 				kthread_stop(data[thr].thr);
-			acomp_request_free(data[thr].cr);
-			crypto_free_acomp(data[thr].cc);
+			if (data[thr].cr)
+				acomp_request_free(data[thr].cr);
+			if (!IS_ERR_OR_NULL(data[thr].cc))
+				crypto_free_acomp(data[thr].cc);
 		}
 		vfree(data);
 	}
@@ -1499,8 +1501,10 @@ static int load_compressed_image(struct swap_map_handle *handle,
 		for (thr = 0; thr < nr_threads; thr++) {
 			if (data[thr].thr)
 				kthread_stop(data[thr].thr);
-			acomp_request_free(data[thr].cr);
-			crypto_free_acomp(data[thr].cc);
+			if (data[thr].cr)
+				acomp_request_free(data[thr].cr);
+			if (!IS_ERR_OR_NULL(data[thr].cc))
+				crypto_free_acomp(data[thr].cc);
 		}
 		vfree(data);
 	}
-- 
2.52.0
Re: [PATCH v2] PM: hibernate: Fix crash when freeing invalid crypto compressor
Posted by Rafael J. Wysocki 1 month ago 
On Tue, Dec 30, 2025 at 12:56 PM Malaya Kumar Rout <mrout@redhat.com> wrote:
>
> When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL.
> The cleanup code in save_compressed_image() and load_compressed_image()
> unconditionally calls crypto_free_acomp() without checking for ERR_PTR,
> which causes crypto_acomp_tfm() to dereference an invalid pointer and
> crash the kernel.
>
> This can be triggered when the compression algorithm is unavailable
> (e.g., CONFIG_CRYPTO_LZO not enabled).
>
> Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp()
> and acomp_request_free(), similar to the existing kthread_stop() check.
>
> Fixes: b03d542c3c95 ("PM: hibernate: Use crypto_acomp interface")
> Signed-off-by: Malaya Kumar Rout <mrout@redhat.com>
> ---
>  kernel/power/swap.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/power/swap.c b/kernel/power/swap.c
> index 33a186373bef..8ee2fa995580 100644
> --- a/kernel/power/swap.c
> +++ b/kernel/power/swap.c
> @@ -902,8 +902,10 @@ static int save_compressed_image(struct swap_map_handle *handle,
>                 for (thr = 0; thr < nr_threads; thr++) {
>                         if (data[thr].thr)
>                                 kthread_stop(data[thr].thr);
> -                       acomp_request_free(data[thr].cr);
> -                       crypto_free_acomp(data[thr].cc);
> +                       if (data[thr].cr)
> +                               acomp_request_free(data[thr].cr);
> +                       if (!IS_ERR_OR_NULL(data[thr].cc))
> +                               crypto_free_acomp(data[thr].cc);
>                 }
>                 vfree(data);
>         }
> @@ -1499,8 +1501,10 @@ static int load_compressed_image(struct swap_map_handle *handle,
>                 for (thr = 0; thr < nr_threads; thr++) {
>                         if (data[thr].thr)
>                                 kthread_stop(data[thr].thr);
> -                       acomp_request_free(data[thr].cr);
> -                       crypto_free_acomp(data[thr].cc);
> +                       if (data[thr].cr)
> +                               acomp_request_free(data[thr].cr);
> +                       if (!IS_ERR_OR_NULL(data[thr].cc))
> +                               crypto_free_acomp(data[thr].cc);
>                 }
>                 vfree(data);
>         }
> --

Applied as 6.19-rc material, thanks!

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.