[PATCH] Bluetooth: btintel_pcie: validate RX buffer tags

Pengpeng Hou posted 1 patch 1 week, 4 days ago
drivers/bluetooth/btintel_pcie.c | 6 ++++++
1 file changed, 6 insertions(+)
[PATCH] Bluetooth: btintel_pcie: validate RX buffer tags
Posted by Pengpeng Hou 1 week, 4 days ago
The RX completion path trusts urbd1->frbd_tag as a direct index into the
fixed rxq->bufs[] table. The table only has rxq->count entries, while
frbd_tag is a wider firmware-provided field and is not range-checked
before use.

Validate the completion tag before indexing the RX buffer table so a
malformed completion cannot walk past the descriptor-backed buffer
array.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/bluetooth/btintel_pcie.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 37b744e35bc4..4f6b3f00a49a 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -1410,6 +1410,12 @@ static void btintel_pcie_msix_rx_handle(struct btintel_pcie_data *data)
 		urbd1 = &rxq->urbd1s[cr_tia];
 		ipc_print_urbd1(data->hdev, urbd1, cr_tia);
 
+		if (urbd1->frbd_tag >= rxq->count) {
+			bt_dev_err(hdev, "RXQ: invalid FRBD tag %u",
+				   urbd1->frbd_tag);
+			return;
+		}
+
 		buf = &rxq->bufs[urbd1->frbd_tag];
 		if (!buf) {
 			bt_dev_err(hdev, "RXQ: failed to get the DMA buffer for %d",
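Review bot: with the range check in place, the existing `if (!buf)` test two lines below is dead code: `buf = &rxq->bufs[urbd1->frbd_tag]` takes the address of an array element and can never yield NULL, so the only guard that actually protects the indexing is the new `frbd_tag >= rxq->count` comparison. Consider replacing the `!buf` block rather than stacking the new check on top of it, so the error path for a bad completion is a single, obviously correct bounds test. Minor: the new message prints the tag with `%u` while the neighbouring message uses `%d` for the same field; pick one so the two log lines agree.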
-- 
2.50.1 (Apple Git-155)
RE: [PATCH] Bluetooth: btintel_pcie: validate RX buffer tags
Posted by K, Kiran 1 week ago
Hi Luiz, Pengpeng,

>Subject: [PATCH] Bluetooth: btintel_pcie: validate RX buffer tags
>
>The RX completion path trusts urbd1->frbd_tag as a direct index into the fixed
>rxq->bufs[] table. The table only has rxq->count entries, while frbd_tag is a
>wider firmware-provided field and is not range-checked before use.
>
>Validate the completion tag before indexing the RX buffer table so a
>malformed completion cannot walk past the descriptor-backed buffer array.
>
>Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
>---
> drivers/bluetooth/btintel_pcie.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
>index 37b744e35bc4..4f6b3f00a49a 100644
>--- a/drivers/bluetooth/btintel_pcie.c
>+++ b/drivers/bluetooth/btintel_pcie.c
>@@ -1410,6 +1410,12 @@ static void btintel_pcie_msix_rx_handle(struct
>btintel_pcie_data *data)
> 		urbd1 = &rxq->urbd1s[cr_tia];
> 		ipc_print_urbd1(data->hdev, urbd1, cr_tia);
>
>+		if (urbd1->frbd_tag >= rxq->count) {
>+			bt_dev_err(hdev, "RXQ: invalid FRBD tag %u",
>+				   urbd1->frbd_tag);
>+			return;
>+		}
>+
> 		buf = &rxq->bufs[urbd1->frbd_tag];
> 		if (!buf) {
> 			bt_dev_err(hdev, "RXQ: failed to get the DMA buffer
>for %d",
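Review bot: the early `return;` on an invalid tag leaves btintel_pcie_msix_rx_handle without processing whatever completions remain in this batch, and the hunk does not show whether the consumer index (cr_tia) is advanced before bailing out. If it is not, the same malformed entry would be re-read on the next interrupt and the queue would stall on it. Please state in the commit message what the intended recovery is after a bad tag (skip the entry and continue, or stop and rely on a reset), and if skipping is the intent, use `continue`/advance the index instead of returning.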
>--
>2.50.1 (Apple Git-155)
>

Tested-by: Kiran K <kiran.k@intel.com>

Thanks,
Kiran