From: "Rafael J. Wysocki" <rjw@sisk.pl>

Fix two bugs in the swsusp userland interface:

1) Prevent the SNAPSHOT_FREE_SWAP_PAGES ioctl from leaking swap pages
   due to the wrong condition.

2) Prevent snapshot_write_next() and snapshot_read_next() from using a
   freed page (this could happen if the snapshot ioctls were called repeatedly
   without closing the device, eg.  when attempting to create the image for
   the second time with image_size = 0).

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Cc: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 kernel/power/snapshot.c |    5 ++---
 kernel/power/user.c     |    2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff -puN kernel/power/snapshot.c~swsusp-userland-interface-fixes kernel/power/snapshot.c
--- devel/kernel/power/snapshot.c~swsusp-userland-interface-fixes	2006-02-15 20:46:59.000000000 -0800
+++ devel-akpm/kernel/power/snapshot.c	2006-02-15 20:46:59.000000000 -0800
@@ -37,6 +37,7 @@
 struct pbe *pagedir_nosave;
 static unsigned int nr_copy_pages;
 static unsigned int nr_meta_pages;
+static unsigned long *buffer;
 
 #ifdef CONFIG_HIGHMEM
 unsigned int count_highmem_pages(void)
@@ -418,6 +419,7 @@ void swsusp_free(void)
 	nr_copy_pages = 0;
 	nr_meta_pages = 0;
 	pagedir_nosave = NULL;
+	buffer = NULL;
 }
 
 
@@ -570,8 +572,6 @@ static inline struct pbe *pack_orig_addr
 
 int snapshot_read_next(struct snapshot_handle *handle, size_t count)
 {
-	static unsigned long *buffer;
-
 	if (handle->page > nr_meta_pages + nr_copy_pages)
 		return 0;
 	if (!buffer) {
@@ -776,7 +776,6 @@ static int create_image(struct snapshot_
 
 int snapshot_write_next(struct snapshot_handle *handle, size_t count)
 {
-	static unsigned long *buffer;
 	int error = 0;
 
 	if (handle->prev && handle->page > nr_meta_pages + nr_copy_pages)
diff -puN kernel/power/user.c~swsusp-userland-interface-fixes kernel/power/user.c
--- devel/kernel/power/user.c~swsusp-userland-interface-fixes	2006-02-15 20:46:59.000000000 -0800
+++ devel-akpm/kernel/power/user.c	2006-02-15 20:46:59.000000000 -0800
@@ -241,7 +241,7 @@ static int snapshot_ioctl(struct inode *
 		break;
 
 	case SNAPSHOT_FREE_SWAP_PAGES:
-		if (data->swap >= 0 && data->swap < MAX_SWAPFILES) {
+		if (data->swap < 0 || data->swap >= MAX_SWAPFILES) {
 			error = -ENODEV;
 			break;
 		}
_