[PATCH] Bluetooth: btusb: clamp SCO altsetting table indices

Pengpeng Hou posted 1 patch 1 week, 3 days ago
Posted by Pengpeng Hou 1 week, 3 days ago
btusb_work() maps the number of active SCO links to USB alternate
settings through a three-entry lookup table when CVSD traffic uses
transparent voice settings. The lookup currently indexes alts[] with
data->sco_num - 1 without first constraining sco_num to the number of
available table entries.

While the table only defines alternate settings for up to three SCO
links, data->sco_num comes from hci_conn_num() and is used directly.
Cap the lookup to the last table entry before indexing it so the
driver keeps selecting the highest supported alternate setting without
reading past alts[].

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/bluetooth/btusb.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a1c5eb993e47..870a6aa92216 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2376,8 +2376,11 @@ static void btusb_work(struct work_struct *work)
 		if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
 			if (hdev->voice_setting & 0x0020) {
 				static const int alts[3] = { 2, 4, 5 };
+				unsigned int sco_idx;
 
-				new_alts = alts[data->sco_num - 1];
+				sco_idx = min_t(unsigned int, data->sco_num,
+						ARRAY_SIZE(alts)) - 1;
+				new_alts = alts[sco_idx];
 			} else {
 				new_alts = data->sco_num;
 			}
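Review bot: the subtraction still happens after the clamp, so if data->sco_num can be 0 when this branch runs, `min_t(unsigned int, data->sco_num, ARRAY_SIZE(alts)) - 1` wraps to UINT_MAX and `alts[sco_idx]` reads out of bounds exactly as the unclamped `alts[data->sco_num - 1]` did. Clamping the 0-based index instead, e.g. `sco_idx = min_t(unsigned int, data->sco_num - 1, ARRAY_SIZE(alts) - 1);`, keeps every value of sco_num inside the table. If the surrounding code guarantees sco_num >= 1 here, the commit message should say so, because the visible context does not show it.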
-- 
2.50.1 (Apple Git-155)
Re: [PATCH] Bluetooth: btusb: clamp SCO altsetting table indices
Posted by Luiz Augusto von Dentz 1 week, 2 days ago
Hi,

On Mon, Mar 23, 2026 at 10:05 PM Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:
>
> btusb_work() maps the number of active SCO links to USB alternate
> settings through a three-entry lookup table when CVSD traffic uses
> transparent voice settings. The lookup currently indexes alts[] with
> data->sco_num - 1 without first constraining sco_num to the number of
> available table entries.
>
> While the table only defines alternate settings for up to three SCO
> links, data->sco_num comes from hci_conn_num() and is used directly.
> Cap the lookup to the last table entry before indexing it so the
> driver keeps selecting the highest supported alternate setting without
> reading past alts[].
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>  drivers/bluetooth/btusb.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
> index a1c5eb993e47..870a6aa92216 100644
> --- a/drivers/bluetooth/btusb.c
> +++ b/drivers/bluetooth/btusb.c
> @@ -2376,8 +2376,11 @@ static void btusb_work(struct work_struct *work)
>                 if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
>                         if (hdev->voice_setting & 0x0020) {
>                                 static const int alts[3] = { 2, 4, 5 };
> +                               unsigned int sco_idx;
>
> -                               new_alts = alts[data->sco_num - 1];
> +                               sco_idx = min_t(unsigned int, data->sco_num,
> +                                               ARRAY_SIZE(alts)) - 1;
> +                               new_alts = alts[sco_idx];
>                         } else {
>                                 new_alts = data->sco_num;
>                         }
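Review bot: besides the wrap-around Luiz raises, the clamp silently maps any sco_num above ARRAY_SIZE(alts) onto the last entry, so a controller reporting more SCO links than the table was written for leaves no trace in the logs. Consider a one-time warning (e.g. a bt_dev_warn() on the hdev) when the count exceeds the table, or at least a comment on the `static const int alts[3] = { 2, 4, 5 };` line stating why three is the intended maximum, so a future reader can tell a deliberate cap from a table that has simply gone stale.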
> --
> 2.50.1 (Apple Git-155)

https://sashiko.dev/#/patchset/20260324020427.60125-1-pengpeng%40iscas.ac.cn

They seem valid to me, so we might need to check if sco_idx is looping
around, etc.

-- 
Luiz Augusto von Dentz
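To make the wrap-around discussed above concrete, here is an added stand-alone C example; it is not code from btusb.c or from the patch author. It re-implements the two clamp expressions from v1 and v2 with a plain-C stand-in for the kernel's min_t() and ARRAY_SIZE() (assumed to behave like the kernel macros for these operands) and assumes sco_num is an unsigned count, as the patch's `min_t(unsigned int, ...)` does. It shows that the v1 form wraps to UINT_MAX for sco_num == 0 while the v2 form stays inside alts[] for every input, and that both forms map counts above three onto the last entry.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed copy of the three-entry table used in btusb_work(). */
static const int alts[3] = { 2, 4, 5 };

/* Plain-C stand-ins for the kernel's ARRAY_SIZE() and min_t(unsigned int, ...). */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

static unsigned int min_uint(unsigned int a, unsigned int b)
{
	return a < b ? a : b;
}

/* v1 form: clamp the 1-based link count, then subtract one.
 * For sco_num == 0 the clamp yields 0 and the subtraction wraps. */
unsigned int sco_idx_v1(unsigned int sco_num)
{
	return min_uint(sco_num, ARRAY_SIZE(alts)) - 1;
}

/* v2 form: subtract one first, then clamp the 0-based index.
 * For sco_num == 0 the wrapped value is clamped back to the last entry. */
unsigned int sco_idx_v2(unsigned int sco_num)
{
	return min_uint(sco_num - 1, ARRAY_SIZE(alts) - 1);
}

/* Returns 1 when idx is a valid index into alts[], 0 otherwise. */
int idx_in_bounds(unsigned int idx)
{
	return idx < ARRAY_SIZE(alts);
}

/* Altsetting the v2 form would select, or -1 if the index were out of bounds. */
int new_alts_v2(unsigned int sco_num)
{
	unsigned int idx = sco_idx_v2(sco_num);

	return idx_in_bounds(idx) ? alts[idx] : -1;
}

int main(void)
{
	unsigned int n;

	for (n = 0; n <= 5; n++) {
		unsigned int i1 = sco_idx_v1(n);
		unsigned int i2 = sco_idx_v2(n);

		printf("sco_num=%u  v1 idx=%u (%s)  v2 idx=%u (%s) -> alt %d\n",
		       n, i1, idx_in_bounds(i1) ? "ok" : "OUT OF BOUNDS",
		       i2, idx_in_bounds(i2) ? "ok" : "OUT OF BOUNDS",
		       new_alts_v2(n));
	}
	return 0;
}
```

Running it shows the v1 index for sco_num == 0 is UINT_MAX, while the v2 index for the same input is 2, i.e. alt 5. That is memory-safe, but it also means v2 quietly treats "no SCO links" as "three SCO links" if that input is ever reachable, which is the point to document in the driver.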
[PATCH v2] Bluetooth: btusb: clamp SCO altsetting table indices
Posted by Pengpeng Hou 1 week, 2 days ago
btusb_work() maps the number of active SCO links to USB alternate
settings through a three-entry lookup table when CVSD traffic uses
transparent voice settings. The lookup currently indexes alts[] with
data->sco_num - 1 without first constraining sco_num to the number of
available table entries.

While the table only defines alternate settings for up to three SCO
links, data->sco_num comes from hci_conn_num() and is used directly.
Cap the lookup to the last table entry before indexing it so the
driver keeps selecting the highest supported alternate setting without
reading past alts[].

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v2:
- rewrite the clamped SCO table index as an explicit 0-based clamp
  to avoid wraparound concerns raised in review

 drivers/bluetooth/btusb.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a1c5eb993e47..5c535f3ab722 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2376,8 +2376,11 @@ static void btusb_work(struct work_struct *work)
 		if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
 			if (hdev->voice_setting & 0x0020) {
 				static const int alts[3] = { 2, 4, 5 };
+				unsigned int sco_idx;
 
-				new_alts = alts[data->sco_num - 1];
+				sco_idx = min_t(unsigned int, data->sco_num - 1,
+						ARRAY_SIZE(alts) - 1);
+				new_alts = alts[sco_idx];
 			} else {
 				new_alts = data->sco_num;
 			}
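Review bot: the 0-based clamp is now in bounds for every value of data->sco_num, including 0, but note what 0 turns into: `data->sco_num - 1` wraps to UINT_MAX, min_t() reduces it to ARRAY_SIZE(alts) - 1, and new_alts becomes 5, the three-link setting, rather than anything resembling "no SCO link". If sco_num == 0 cannot reach this branch, a sentence saying so in the commit message would settle it; if it can, a short comment above the `sco_idx = min_t(...)` line should state that the wrap is intended so the next reader does not file it as a bug.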
-- 
2.50.1 (Apple Git-155)