[PATCH] Bluetooth: btintel_pcie: validate RX buffer tags

From: Pengpeng Hou

Date: Mon Mar 23 2026 - 08:18:05 EST


The RX completion path trusts urbd1->frbd_tag as a direct index into the
fixed rxq->bufs[] table. The table only has rxq->count entries, while
frbd_tag is a wider firmware-provided field and is not range-checked
before use.

Validate the completion tag before indexing the RX buffer table so a
malformed completion cannot walk past the descriptor-backed buffer
array.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/bluetooth/btintel_pcie.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 37b744e35bc4..4f6b3f00a49a 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -1410,6 +1410,12 @@ static void btintel_pcie_msix_rx_handle(struct btintel_pcie_data *data)
urbd1 = &rxq->urbd1s[cr_tia];
ipc_print_urbd1(data->hdev, urbd1, cr_tia);

+ if (urbd1->frbd_tag >= rxq->count) {
+ bt_dev_err(hdev, "RXQ: invalid FRBD tag %u",
+ urbd1->frbd_tag);
+ return;
+ }
+
buf = &rxq->bufs[urbd1->frbd_tag];
if (!buf) {
bt_dev_err(hdev, "RXQ: failed to get the DMA buffer for %d",
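Review bot: with the tag now range-checked before indexing, the `if (!buf)` test that follows `buf = &rxq->bufs[urbd1->frbd_tag];` is dead code: `&rxq->bufs[i]` is the address of an array element and can never be NULL, so that branch could not catch an out-of-range tag before this patch and cannot fire after it. Consider dropping it in the same change, or folding its "failed to get the DMA buffer" message into the new check, so the hunk leaves one error path instead of two. Minor: the new message formats the tag with %u while the existing one uses %d for the same field; pick one.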
--
2.50.1 (Apple Git-155)