[PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one

Pengpeng Hou posted 1 patch 1 week, 3 days ago
Posted by Pengpeng Hou 1 week, 3 days ago
btintel_pcie_send_sync() reads the next transmit slot from
data->ia.tr_hia[] and uses it as an index into the fixed txq descriptor
arrays. The current guard only rejects values strictly greater than
txq->count, so an index equal to the queue depth still falls through and
is used as the next transmit slot one element past the end.

Reject indices at or above the queue depth before preparing the TX
descriptor.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/bluetooth/btintel_pcie.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 37b744e35bc4..760cb3d1aa18 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -359,7 +359,7 @@ static int btintel_pcie_send_sync(struct btintel_pcie_data *data,
 
 	tfd_index = data->ia.tr_hia[BTINTEL_PCIE_TXQ_NUM];
 
-	if (tfd_index > txq->count)
+	if (tfd_index >= txq->count)
 		return -ERANGE;
 
 	/* Firmware raises alive interrupt on HCI_OP_RESET or
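Review bot: the change from `>` to `>=` is the right bound for a ring whose slots are numbered 0..txq->count-1, but the changelog should also say why the index is checked at all: tfd_index is read back from data->ia.tr_hia[] rather than derived from driver-side state, so this comparison is the only thing standing between a stale or corrupted value and the descriptor arrays, and the immediate `return -ERANGE` before any descriptor is touched is what makes it effective. Consider adding a Fixes: tag naming the commit that introduced the `>` check so the fix is picked up for stable.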
-- 
2.50.1 (Apple Git-155)
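An added model of the guard this patch changes (not the driver's code): the slot index is read from the shared index area the way btintel_pcie_send_sync() reads data->ia.tr_hia[], the ring has txq->count slots numbered from 0, and the pre-patch and post-patch predicates are run over every candidate index so the one-slot difference is visible; the ring depth, struct layouts and helper names are constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed ring depth for the model; the driver uses its own txq->count. */
#define MODEL_TXQ_COUNT 16
#define BTINTEL_PCIE_TXQ_NUM 0

typedef bool (*index_guard)(uint16_t idx, uint16_t count);

struct model_txq  { uint16_t count; uint8_t tfd_used[MODEL_TXQ_COUNT]; };
struct model_ia   { uint16_t tr_hia[2]; };   /* stands in for data->ia.tr_hia[] */
struct model_data { struct model_ia ia; struct model_txq txq; };
/* Pre-patch predicate: only idx > count is rejected, so idx == count passes. */
static bool guard_pre(uint16_t idx, uint16_t count)  { return idx > count; }
/* Post-patch predicate: valid slots are 0..count-1, so idx >= count is rejected. */
static bool guard_post(uint16_t idx, uint16_t count) { return idx >= count; }

/* Mirrors the checked path of btintel_pcie_send_sync(): returns the slot the caller
 * would use, or -ERANGE. A return equal to count is the one-past-the-end slot. */
static int model_send_sync(struct model_data *data, index_guard guard)
{
	uint16_t tfd_index = data->ia.tr_hia[BTINTEL_PCIE_TXQ_NUM];
	if (guard(tfd_index, data->txq.count))
		return -ERANGE;
	if (tfd_index < data->txq.count)	/* the model only marks slots that exist */
		data->txq.tfd_used[tfd_index] = 1;
	return tfd_index;
}

/* Performs one send with the given index written into the shared index area. */
static int slot_for_index(uint16_t idx, index_guard guard)
{
	struct model_data data = { .txq.count = MODEL_TXQ_COUNT };
	data.ia.tr_hia[BTINTEL_PCIE_TXQ_NUM] = idx;
	return model_send_sync(&data, guard);
}

/* Number of index values in 0..2*count-1 the guard accepts: count with the fix,
 * count + 1 before it (the extra one being idx == count). */
static int accepted_indices(index_guard guard)
{
	int n = 0;
	for (uint16_t idx = 0; idx < 2 * MODEL_TXQ_COUNT; idx++)
		if (slot_for_index(idx, guard) != -ERANGE)
			n++;
	return n;
}
```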
Re: [PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one
Posted by Luiz Augusto von Dentz 1 week, 2 days ago
Hi @Kiran K

On Tue, Mar 24, 2026 at 4:51 AM Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:
>
> btintel_pcie_send_sync() reads the next transmit slot from
> data->ia.tr_hia[] and uses it as an index into the fixed txq descriptor
> arrays. The current guard only rejects values strictly greater than
> txq->count, so an index equal to the queue depth still falls through and
> is used as the next transmit slot one element past the end.
>
> Reject indices at or above the queue depth before preparing the TX
> descriptor.
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>  drivers/bluetooth/btintel_pcie.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
> index 37b744e35bc4..760cb3d1aa18 100644
> --- a/drivers/bluetooth/btintel_pcie.c
> +++ b/drivers/bluetooth/btintel_pcie.c
> @@ -359,7 +359,7 @@ static int btintel_pcie_send_sync(struct btintel_pcie_data *data,
>
>         tfd_index = data->ia.tr_hia[BTINTEL_PCIE_TXQ_NUM];
>
> -       if (tfd_index > txq->count)
> +       if (tfd_index >= txq->count)
>                 return -ERANGE;
>
>         /* Firmware raises alive interrupt on HCI_OP_RESET or
> --
> 2.50.1 (Apple Git-155)

Looks valid to me, index starts from 0 while count starts from 1, so
index == count would probably overflow as well.

-- 
Luiz Augusto von Dentz
RE: [PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one
Posted by K, Kiran 6 days, 21 hours ago
Hi Luiz, Pengpeng,

>Subject: Re: [PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one
>
>Hi @Kiran K
>
>On Tue, Mar 24, 2026 at 4:51 AM Pengpeng Hou <pengpeng@iscas.ac.cn>
>wrote:
>>
>> btintel_pcie_send_sync() reads the next transmit slot from
>> data->ia.tr_hia[] and uses it as an index into the fixed txq descriptor
>> arrays. The current guard only rejects values strictly greater than
>> txq->count, so an index equal to the queue depth still falls through and
>> is used as the next transmit slot one element past the end.
>>
>> Reject indices at or above the queue depth before preparing the TX
>> descriptor.
>>
>> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
>> ---
>>  drivers/bluetooth/btintel_pcie.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/bluetooth/btintel_pcie.c
>> b/drivers/bluetooth/btintel_pcie.c
>> index 37b744e35bc4..760cb3d1aa18 100644
>> --- a/drivers/bluetooth/btintel_pcie.c
>> +++ b/drivers/bluetooth/btintel_pcie.c
>> @@ -359,7 +359,7 @@ static int btintel_pcie_send_sync(struct
>> btintel_pcie_data *data,
>>
>>         tfd_index = data->ia.tr_hia[BTINTEL_PCIE_TXQ_NUM];
>>
>> -       if (tfd_index > txq->count)
>> +       if (tfd_index >= txq->count)

Unless the firmware corrupts DMA memory (or there's a serious firmware bug), tfd_index should never reach or exceed txq->count.  With that in mind, the change looks good to me.

>>                 return -ERANGE;
>>
>>         /* Firmware raises alive interrupt on HCI_OP_RESET or
>> --
>> 2.50.1 (Apple Git-155)
>
>Looks valid to me, index starts from 0 while count starts from 1, so index == count
>would probably overflow as well.
>
>--
>Luiz Augusto von Dentz

Thanks,
Kiran