From: sashiko-bot@kernel.org
To: "Varadarajan Narayanan" <varadarajan.narayanan@oss.qualcomm.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 2/2] thermal/drivers/qcom/tsens: Add support for ipq9650 tsens
Date: Tue, 09 Jun 2026 07:06:05 +0000
Message-ID: <20260609070606.177DF1F0089E@smtp.kernel.org>
In-Reply-To: <20260609065447.4024695-3-varadarajan.narayanan@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The device tree property `#qcom,sensors` can override `num_sensors`, leading to an out-of-bounds read of the static `hw_ids` array and subsequent out-of-bounds array accesses.
--
commit 1557d45f1d577e6cb959599793cf39e4448627b6
Author: Varadarajan Narayanan <varadarajan.narayanan@oss.qualcomm.com>
thermal/drivers/qcom/tsens: Add support for ipq9650 tsens
This commit adds support for the ipq9650 tsens device by reusing the
ipq5332 ops and features, while defining a custom hardware ID array for
its 11 sensors.
> diff --git a/drivers/thermal/qcom/tsens-v2.c b/drivers/thermal/qcom/tsens-v2.c
> index 8d9698ea3ec40..ef1fee2266a32 100644
> --- a/drivers/thermal/qcom/tsens-v2.c
> +++ b/drivers/thermal/qcom/tsens-v2.c
> @@ -300,6 +300,14 @@ const struct tsens_plat_data data_ipq5424 = {
> .fields = tsens_v2_regfields,
> };
>
> +const struct tsens_plat_data data_ipq9650 = {
> + .num_sensors = 11,
> + .ops = &ops_ipq5332,
> + .hw_ids = (unsigned int []){5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
[Severity: High]
This is a pre-existing issue, but does this hardcoded array expose us to
an out-of-bounds read if the device tree overrides the number of sensors?
In drivers/thermal/qcom/tsens.c:tsens_probe(), the number of sensors can
be overridden by the #qcom,sensors DT property. The probe function later
initializes the sensors in a loop:
    for (i = 0; i < priv->num_sensors; i++) {
            if (data->hw_ids)
                    priv->sensor[i].hw_id = data->hw_ids[i];
            else
                    priv->sensor[i].hw_id = i;
    }
If a device tree specifies a larger number of sensors than the length of
this new array (for example 12, which is under the MAX_SENSORS limit of 16),
will the initialization loop read past the end of the hw_ids array?
It looks like this could result in garbage values being stored as hw_id,
which are then used as offsets for the fixed-size priv->rf[] regmap field
array, potentially causing arbitrary out-of-bounds pointer dereferences.
> + .feat = &ipq5332_feat,
> + .fields = tsens_v2_regfields,
> +};
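Review bot: the compound literal in `.hw_ids` has exactly 11 entries, matching `.num_sensors = 11`, but nothing in the platform data records that length, so the probe loop quoted above (`priv->sensor[i].hw_id = data->hw_ids[i]` for `i < priv->num_sensors`) has no way to stop at the end of the table once `#qcom,sensors` raises the count above 11. Two ways to close this for ipq9650: reject (or clamp to `num_sensors`) a `#qcom,sensors` value larger than the platform default whenever `data->hw_ids` is non-NULL, or size the literal to the full MAX_SENSORS (16) range so that any count the probe accepts stays in bounds. The first is the smaller change and also stops a device tree from silently remapping sensors to hardware IDs this table never described.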
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260609065447.4024695-1-varadarajan.narayanan@oss.qualcomm.com?part=2
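The bounds check the review above asks about, written out as an added user-space C model. This is example code, not code from the tsens driver, from this patch or from the reviewer: `struct plat_data`, the `num_hw_ids` length field, `tsens_assign_hw_ids()` and its `dt_num_sensors` parameter are assumptions made for the example, while the 11 hardware IDs, the default of 11 sensors and the MAX_SENSORS limit of 16 are taken from the patch and the review. The constructed probe-time loop shows where the unguarded read of `hw_ids[i]` would happen and how a length check turns an over-large `#qcom,sensors` value into a probe error instead of an out-of-bounds read.

```c
/*
 * Added example, not part of the tsens driver or of this patch: a
 * user-space model of the hw_id assignment done at probe time, with a
 * bounds check on the device-tree sensor count. Names not present in the
 * patch (plat_data, num_hw_ids, tsens_assign_hw_ids, dt_num_sensors) are
 * assumptions made for this example.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SENSORS 16	/* the limit named in the review */

struct plat_data {
	unsigned int num_sensors;	/* platform default sensor count */
	const unsigned int *hw_ids;	/* NULL means hw_id == sensor index */
	size_t num_hw_ids;		/* assumed: number of entries in hw_ids */
};

/* Model of the ipq9650 entry: 11 sensors mapped to hardware IDs 5..15. */
static const unsigned int ipq9650_hw_ids[] = {5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};

static const struct plat_data data_ipq9650 = {
	.num_sensors = 11,
	.hw_ids = ipq9650_hw_ids,
	.num_hw_ids = sizeof(ipq9650_hw_ids) / sizeof(ipq9650_hw_ids[0]),
};

/* Constructed variant without a hw_ids table: hw_id is the sensor index. */
static const struct plat_data data_generic = {
	.num_sensors = 4,
	.hw_ids = NULL,
	.num_hw_ids = 0,
};

/*
 * Resolve the sensor count and fill hw_id[] for each sensor.
 * dt_num_sensors == 0 models "no #qcom,sensors property in the DT".
 * Returns the number of sensors configured, or a negative errno when the
 * requested count cannot be served from the platform's hw_ids table.
 */
static int tsens_assign_hw_ids(const struct plat_data *data,
			       unsigned int dt_num_sensors,
			       unsigned int *hw_id, size_t hw_id_len)
{
	unsigned int n = data->num_sensors;
	unsigned int i;

	if (dt_num_sensors)
		n = dt_num_sensors;

	/* Hard limit on the destination array, independent of hw_ids. */
	if (n == 0 || n > MAX_SENSORS || n > hw_id_len)
		return -EINVAL;

	/*
	 * The check the review asks for: a per-SoC hw_ids table is only
	 * valid for as many entries as it has. Reading data->hw_ids[i] for
	 * i >= num_hw_ids is the out-of-bounds read described above.
	 */
	if (data->hw_ids && n > data->num_hw_ids)
		return -EINVAL;

	for (i = 0; i < n; i++)
		hw_id[i] = data->hw_ids ? data->hw_ids[i] : i;

	return (int)n;
}

int main(void)
{
	unsigned int hw_id[MAX_SENSORS];
	int ret = tsens_assign_hw_ids(&data_ipq9650, 12, hw_id, MAX_SENSORS);

	printf("#qcom,sensors = 12 on ipq9650: %s\n",
	       ret < 0 ? "rejected" : "accepted");
	return 0;
}
```

With the default count the ipq9650 table is consumed in full (IDs 5 through 15); a `#qcom,sensors` of 12 is refused before any read past the eleventh entry, and a count above MAX_SENSORS is refused regardless of whether a table exists.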
Thread overview (5+ messages):
2026-06-09 6:54 [PATCH PREVIEW v2 0/2] Add support tsens in ipq5210 & ipq9650 Varadarajan Narayanan
2026-06-09 6:54 ` [PATCH v2 1/2] dt-bindings: thermal: tsens: add ipq5210 & ipq9650 compatible Varadarajan Narayanan
2026-06-09 7:00 ` sashiko-bot
2026-06-09 6:54 ` [PATCH v2 2/2] thermal/drivers/qcom/tsens: Add support for ipq9650 tsens Varadarajan Narayanan
2026-06-09 7:06 ` sashiko-bot [this message]