In the Linux kernel, the following vulnerability has been resolved:
thermal/debugfs: Add missing count increment to thermaldebugtztripup()
The count field in struct tripstats, representing the number of times the zone temperature was above the trip point, needs to be incremented in thermaldebugtztrip_up(), for two reasons.
First, if a trip point is crossed on the way up for the first time, thermaldebugupdatetemp() called from updatetemperature() does not see it because it has not been added to tripscrossed[] array in the thermal zone's struct tzdebugfs object yet. Therefore, when thermaldebugtztripup() is called after that, the trip point's count value is 0, and the attempt to divide by it during the average temperature computation leads to a divide error which causes the kernel to crash. Setting the count to 1 before the division by incrementing it fixes this problem.
Second, if a trip point is crossed on the way up, but it has been crossed on the way up already before, its count value needs to be incremented to make a record of the fact that the zone temperature is above the trip now. Without doing that, if the mitigations applied after crossing the trip cause the zone temperature to drop below its threshold, the count will not be updated for this episode at all and the average temperature in the trip statistics record will be somewhat higher than it should be.
Cc :6.8+ stable@vger.kernel.org # 6.8+