[PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one

Next message: Chen Ridong: "Re: [PATCH 7/8] mm/mglru: simplify and improve dirty writeback handling"
Previous message: Jiri Olsa: "Re: [PATCH 0/2] kallsyms: show typed function parameters in oops/WARN dumps"
Next in thread: Luiz Augusto von Dentz: "Re: [PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Tue Mar 24 2026 - 05:05:57 EST

btintel_pcie_send_sync() reads the next transmit slot from
data->ia.tr_hia[] and uses it as an index into the fixed txq descriptor
arrays. The current guard only rejects values strictly greater than
txq->count, so an index equal to the queue depth still falls through and
is used as the next transmit slot one element past the end.

Reject indices at or above the queue depth before preparing the TX
descriptor.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/bluetooth/btintel_pcie.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 37b744e35bc4..760cb3d1aa18 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -359,7 +359,7 @@ static int btintel_pcie_send_sync(struct btintel_pcie_data *data,

tfd_index = data->ia.tr_hia[BTINTEL_PCIE_TXQ_NUM];

- if (tfd_index > txq->count)
+ if (tfd_index >= txq->count)
return -ERANGE;

/* Firmware raises alive interrupt on HCI_OP_RESET or
--
2.50.1 (Apple Git-155)