Re: [PATCH 1/3] thermal: testing: Avoid NULL pointer dereference on missing arg

[Rafael J. Wysocki]

On Sat, Jun 6, 2026 at 11:05 PM Ovidiu Panait
<ovidiu.panait.oss@xxxxxxxxx> wrote:
>
> Commands such as deltz expect an argument after the ":" separator.
> When the separator is missing, arg gets set to NULL, which is fed
> directly to sscanf(). This causes a NULL ptr dereference:
>
> $ echo deltz > /sys/kernel/debug/thermal-testing/command
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> ...
> sscanf+0x57/0x80
> tt_del_tz+0x39/0x1e0
> tt_command_write+0x115/0x140
> full_proxy_write+0x5d/0x90
> vfs_write+0xd2/0x480
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? count_memcg_events+0x8b/0x1a0
> ? srso_alias_return_thunk+0x5/0xfbef5
> ksys_write+0x75/0xf0
> __x64_sys_write+0x1d/0x30
> x64_sys_call+0x223/0x1dd0
> do_syscall_64+0x97/0x4b0
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> To fix this, make arg an empty string instead of leaving it NULL when the
> separator is missing. sscanf() then fails correctly with -EINVAL on it.
>
> Fixes: f6a034f2df42 ("thermal: Introduce a debugfs-based testing facility")
> Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@xxxxxxxxx>
> ---
>  drivers/thermal/testing/command.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/thermal/testing/command.c b/drivers/thermal/testing/command.c
> index 1159ecea57e7..5513a26feed7 100644
> --- a/drivers/thermal/testing/command.c
> +++ b/drivers/thermal/testing/command.c
> @@ -150,6 +150,8 @@ static ssize_t tt_command_process(char *s)
>         if (arg) {
>                 *arg = '\0';
>                 arg++;
> +       } else {
> +               arg = s + strlen(s);
>         }
>
>         for (i = 0; i < ARRAY_SIZE(tt_command_strings); i++) {
> --

The issue addressed by this change should be fixed by

https://lore.kernel.org/linux-pm/20260605185212.2491144-1-sam.moelius@xxxxxxxxxxxxxxx/

that has just been applied.

Thanks!