memcpy Oops in suspend_nvs_save after multiple S4 cycles

Bug #703228 reported by Colin Ian King
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Colin Ian King
Maverick
Medium
Colin Ian King

Bug Description

Ubuntu-2.6.35-25, Maverick.

After repeated S4 cycles, a memcpy() Oops occurs in suspend_nvs_save. This error occurs because the ioremap of the NVS region fails, returning NULL and the subsequent memcpy() tries to copy to a NULL pointer, hence the oops.

We are running out of mappable regions because suspend_nvs_save() is called twice during hibernation, and yet the unmapping via suspend_nvs_free() is only called once, hence we have a leak.

Looking at create_image() in kernel/power/hibernate.c, we can see that we call the __acpi_pm_prepare() via arch_prepare_suspend() and a little later we call platform_pre_snapshot() which calls acpi_hibernation_pre_snapshot() which does the duplication of the suspend_nvs_save(). We need to drop one of these.

This has been fixed in upstream commit:

commit c5f7a1bb65bca03253c189e946b3ca79669f08af
Author: Rafael J. Wysocki <email address hidden>
Date: Fri Jul 2 00:14:09 2010 +0200

    ACPI / Sleep: Consolidate suspend and hibernation routines

    Some hibernation and suspend routines can be merged, which reduces
    the complexity of code a bit.

    Signed-off-by: Rafael J. Wysocki <email address hidden>
    Signed-off-by: Len Brown <email address hidden>

..where the extraneous suspend_nvs_save() has been dropped from function __acpi_pm_prepare()

Revision history for this message
Colin Ian King (colin-king) wrote :

Note: Without this patch, one particular laptop is failing after 12 S4 iterations. With the patch we don't get the memcpy() oops anymore.

I've also soak tested this patch on another machine with 250 S4 cycles. I also threw in 250 S3 cycles to make sure we don't get any regressions.

description: updated
description: updated
Revision history for this message
Andy Whitcroft (apw) wrote :

The fix above is already in the Natty kernel and that kernel has been tested and does not show this specific error. Closing Natty task off Fix Released.

Changed in linux (Ubuntu):
assignee: nobody → Colin King (colin-king)
status: New → Fix Released
importance: Undecided → Medium
Changed in linux (Ubuntu Maverick):
importance: Undecided → Medium
assignee: nobody → Colin King (colin-king)
status: New → In Progress
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Accepted linux into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Revision history for this message
Colin Ian King (colin-king) wrote :

This SRU is for Maverick by the way.

Tested: Without the -proposed kernel, machine oopses after 12 S4 hibernate cycles. With the -proposed kernel, no oopsing occurs and was able to run 75 S4 cycles without any oopsing.

Tested with i386 kernel.

tags: added: verification-done
Chris Van Hoof (vanhoof)
Changed in linux (Ubuntu Maverick):
status: In Progress → Fix Committed
tags: added: hwe-blocker
Brad Figg (brad-figg)
tags: added: verification-done-maverick
removed: verification-done
Revision history for this message
Martin Pitt (pitti) wrote :

Accepted linux into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Revision history for this message
Colin Ian King (colin-king) wrote :

Tested: Without the -proposed kernel, machine oopses after 12 S4 hibernate cycles. With the -proposed kernel, no oopsing occurs and was able to run 80 S4 cycles without any oopsing.

Tested with i386 kernel.

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (12.1 KiB)

This bug was fixed in the package linux - 2.6.35-27.48

---------------
linux (2.6.35-27.48) maverick-proposed; urgency=low

  [ Steve Conklin ]

  * Release Tracking Bug
    - LP: #723335

  [ Upstream Kernel Changes ]

  * thinkpad-acpi: avoid keymap pitfall
    - LP: #722747

linux (2.6.35-27.47) maverick-proposed; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #716532

  [ Upstream Kernel Changes ]

  * Revert "USB: gadget: Allow function access to device ID data during
    bind()"
    - LP: #714732
  * net: fix rds_iovec page count overflow, CVE-2010-3865
    - LP: #709153
    - CVE-2010-3865
  * Input: fix typo in keycode validation supporting large scancodes
    - LP: #658198
  * net: ax25: fix information leak to userland, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * net: ax25: fix information leak to userland harder, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * net: packet: fix information leak to userland, CVE-2010-3876
    - LP: #710714
    - CVE-2010-3876
  * net: tipc: fix information leak to userland, CVE-2010-3877
    - LP: #711291
    - CVE-2010-3877
  * posix-cpu-timers: workaround to suppress the problems with mt exec,
    CVE-2010-4248
    - LP: #712609
    - CVE-2010-4248
  * sys_semctl: fix kernel stack leakage, CVE-2010-4083
    - LP: #712749
    - CVE-2010-4083
  * thinkpad-acpi: lock down size of hotkey keymap
    - LP: #712174
  * thinkpad-acpi: add support for model-specific keymaps
    - LP: #712174
  * thinkpad-acpi: Add KEY_CAMERA (Fn-F6) for Lenovo keyboards
    - LP: #712174
  * x86, hotplug: Use mwait to offline a processor, fix the legacy case
    - LP: #714732
  * fuse: verify ioctl retries
    - LP: #714732
  * fuse: fix ioctl when server is 32bit
    - LP: #714732
  * ALSA: hda: Use position_fix=1 for Acer Aspire 5538 to enable capture on
    internal mic
    - LP: #685161, #714732
  * ALSA: hda: Use model=lg quirk for LG P1 Express to enable playback and
    capture
    - LP: #595482, #714732
  * drm/radeon/kms: don't apply 7xx HDP flush workaround on AGP
    - LP: #714732
  * drm/kms: remove spaces from connector names (v2)
    - LP: #714732
  * drm/radeon/kms: fix vram base calculation on rs780/rs880
    - LP: #714732
  * nohz: Fix printk_needs_cpu() return value on offline cpus
    - LP: #714732
  * nohz: Fix get_next_timer_interrupt() vs cpu hotplug
    - LP: #714732
  * nfsd: Fix possible BUG_ON firing in set_change_info
    - LP: #714732
  * NFS: Fix fcntl F_GETLK not reporting some conflicts
    - LP: #714732
  * sunrpc: prevent use-after-free on clearing XPT_BUSY
    - LP: #714732
  * hwmon: (adm1026) Allow 1 as a valid divider value
    - LP: #714732
  * hwmon: (adm1026) Fix setting fan_div
    - LP: #714732
  * EDAC: Fix workqueue-related crashes
    - LP: #714732
  * amd64_edac: Fix interleaving check
    - LP: #714732
  * ASoC: Fix swap of left and right channels for WM8993/4 speaker boost
    gain
    - LP: #714732
  * ASoC: Fix off by one error in WM8994 EQ register bank size
    - LP: #714732
  * ASoC: WM8580: Fix R8 initial value
    - LP: #714732
  * ASoC: fix deemphasis control in wm8904/55/60 codecs
    - LP: #714732
  * bootmem: Add alloc_bootmem_...

Changed in linux (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers