Re: [PATCH] thermal: qcom-spmi-temp-alarm: fix out-of-bounds when copying temp map
From: Dmitry Baryshkov
Date: Sun Feb 08 2026 - 16:54:05 EST
On Mon, Feb 09, 2026 at 12:16:05AM +0800, Baoyuan Geng via B4 Relay wrote:
> From: Baoyuan Geng <geng.baoyuan@xxxxxxxxx>
>
> The way to index the pointer of array missed a dereference, fix it.
>
> The bug is reported by KASAN[0].
>
> [0]:
> ==================================================================
> BUG: KASAN: global-out-of-bounds in qpnp_tm_sync_thresholds+0x11c/0x1a4 [qcom_spmi_temp_alarm]
> Read of size 24 at addr ffffbb86e7685280 by task (udev-worker)/928
>
> CPU: 6 UID: 0 PID: 928 Comm: (udev-worker) \
> Not tainted 6.19.0-rc8-00185-g2687c848e578 #4 PREEMPT
> Hardware name: Thundercomm RUBIK Pi 3 (DT)
> Call trace:
> show_stack+0x18/0x30 (C)
> dump_stack_lvl+0x60/0x80
> print_report+0x18c/0x4e0
> kasan_report+0xac/0xf0
> kasan_check_range+0xfc/0x1ac
> __asan_memcpy+0x3c/0xa0
> qpnp_tm_sync_thresholds+0x11c/0x1a4 [qcom_spmi_temp_alarm]
> qpnp_tm_probe+0x390/0xb60 [qcom_spmi_temp_alarm]
> platform_probe+0xc0/0x1f0
> really_probe+0x190/0x604
> __driver_probe_device+0x160/0x2c0
> driver_probe_device+0x5c/0x2b8
> __driver_attach+0x134/0x534
> bus_for_each_dev+0xf4/0x180
> driver_attach+0x3c/0x60
> bus_add_driver+0x1f0/0x510
> driver_register+0x154/0x39c
> __platform_driver_register+0x58/0x84
> qpnp_tm_driver_init+0x2c/0x1000 [qcom_spmi_temp_alarm]
> do_one_initcall+0xd4/0x354
> do_init_module+0x30c/0x8bc
> load_module+0x3de0/0x5764
> init_module_from_file+0x144/0x254
> __arm64_sys_finit_module+0x338/0x710
> invoke_syscall.constprop.0+0x64/0x220
> do_el0_svc+0x144/0x200
> el0_svc+0x38/0xb8
> el0t_64_sync_handler+0xa0/0xe4
> el0t_64_sync+0x198/0x19c
>
> The buggy address belongs to the variable:
> temp_map_gen2_v1+0x60/0xffffffffffff9de0 [qcom_spmi_temp_alarm]
> ==================================================================
>
> Fixes: 703f13285a6c ("thermal/drivers/qcom-spmi-temp-alarm: Add temp alarm data struct based on HW subtype")
> Fixes: 1f835c6a4c84 ("thermal/drivers/qcom-spmi-temp-alarm: Prepare to support additional Temp Alarm subtypes")
>
> Signed-off-by: Baoyuan Geng <geng.baoyuan@xxxxxxxxx>
> ---
> drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxxxxxxxx>
--
With best wishes
Dmitry