CVE-2025-39818

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save

Improper use of secondary pointer (&dev->i2csubipregs) caused kernel crash and out-of-bounds error:

BUG: KASAN: slab-out-of-bounds in regmapbulk_read+0x449/0x510 Write of size 4 at addr ffff888136005dc0 by task kworker/u33:5/5107

CPU: 3 UID: 0 PID: 5107 Comm: kworker/u33:5 Not tainted 6.16.0+ #3 PREEMPT(voluntary) Workqueue: async asyncrunentryfn Call Trace: <TASK> dumpstacklvl+0x76/0xa0 printreport+0xd1/0x660 ? pfxrawspinlockirqsave+0x10/0x10 ? kasancompletemodereportinfo+0x26/0x200 kasanreport+0xe1/0x120 ? regmapbulkread+0x449/0x510 ? regmapbulkread+0x449/0x510 __asanreportstore4noabort+0x17/0x30 regmapbulkread+0x449/0x510 ? pfxregmapbulkread+0x10/0x10 regmapbulkread+0x270/0x3d0 piocomplete+0x1ee/0x2c0 [intelthc] ? __pfxpiocomplete+0x10/0x10 [intel_thc] ? __pfxpiowait+0x10/0x10 [intelthc] ? regmapupdatebitsbase+0x13b/0x1f0 thci2csubippioread+0x117/0x270 [intelthc] thci2csubipregssave+0xc2/0x140 [intelthc] ? __pfxthci2csubipregssave+0x10/0x10 [intelthc] [...] The buggy address belongs to the object at ffff888136005d00 which belongs to the cache kmalloc-rnd-12-192 of size 192 The buggy address is located 0 bytes to the right of allocated 192-byte region [ffff888136005d00, ffff888136005dc0)

Replaced with direct array indexing (&dev->i2csubipregs[i]) to ensure safe memory access.