Re: [PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one

Next message: Alan Stern: "Re: [RFC PATCH] driver core: Don't link the device to the bus until we're ready to probe"
Previous message: Christian Brauner: "Re: [PATCH v5 1/2] readdir: Introduce dirent_size()"
In reply to: Pengpeng Hou: "[PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one"
Next in thread: K, Kiran: "RE: [PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Luiz Augusto von Dentz

Date: Tue Mar 24 2026 - 11:22:13 EST

Hi @Kiran K

On Tue, Mar 24, 2026 at 4:51 AM Pengpeng Hou <pengpeng@xxxxxxxxxxx> wrote:
>
> btintel_pcie_send_sync() reads the next transmit slot from
> data->ia.tr_hia[] and uses it as an index into the fixed txq descriptor
> arrays. The current guard only rejects values strictly greater than
> txq->count, so an index equal to the queue depth still falls through and
> is used as the next transmit slot one element past the end.
>
> Reject indices at or above the queue depth before preparing the TX
> descriptor.
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> drivers/bluetooth/btintel_pcie.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
> index 37b744e35bc4..760cb3d1aa18 100644
> --- a/drivers/bluetooth/btintel_pcie.c
> +++ b/drivers/bluetooth/btintel_pcie.c
> @@ -359,7 +359,7 @@ static int btintel_pcie_send_sync(struct btintel_pcie_data *data,
>
> tfd_index = data->ia.tr_hia[BTINTEL_PCIE_TXQ_NUM];
>
> - if (tfd_index > txq->count)
> + if (tfd_index >= txq->count)
> return -ERANGE;
>
> /* Firmware raises alive interrupt on HCI_OP_RESET or
> --
> 2.50.1 (Apple Git-155)

Looks valid to me, index starts from 0 while count start from 1, so
index == count would probably overflow as well.

--
Luiz Augusto von Dentz