Re: [PATCH] Bluetooth: btusb: clamp SCO altsetting table indices

From: Luiz Augusto von Dentz

Date: Tue Mar 24 2026 - 16:02:46 EST


Hi,

On Mon, Mar 23, 2026 at 10:05 PM Pengpeng Hou <pengpeng@xxxxxxxxxxx> wrote:
>
> btusb_work() maps the number of active SCO links to USB alternate
> settings through a three-entry lookup table when CVSD traffic uses
> transparent voice settings. The lookup currently indexes alts[] with
> data->sco_num - 1 without first constraining sco_num to the number of
> available table entries.
>
> While the table only defines alternate settings for up to three SCO
> links, data->sco_num comes from hci_conn_num() and is used directly.
> Cap the lookup to the last table entry before indexing it so the
> driver keeps selecting the highest supported alternate setting without
> reading past alts[].
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> drivers/bluetooth/btusb.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
> index a1c5eb993e47..870a6aa92216 100644
> --- a/drivers/bluetooth/btusb.c
> +++ b/drivers/bluetooth/btusb.c
> @@ -2376,8 +2376,11 @@ static void btusb_work(struct work_struct *work)
> if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
> if (hdev->voice_setting & 0x0020) {
> static const int alts[3] = { 2, 4, 5 };
> + unsigned int sco_idx;
>
> - new_alts = alts[data->sco_num - 1];
> + sco_idx = min_t(unsigned int, data->sco_num,
> + ARRAY_SIZE(alts)) - 1;
> + new_alts = alts[sco_idx];
> } else {
> new_alts = data->sco_num;
> }
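
Review bot: The added `sco_idx = min_t(unsigned int, data->sco_num, ARRAY_SIZE(alts)) - 1;` bounds only the upper end. If data->sco_num is 0 at this point, min_t() returns 0 and the `- 1` wraps the unsigned sco_idx to UINT_MAX, so `alts[sco_idx]` still reads outside the three-entry table. Nothing in the visible lines shows that sco_num is at least 1 here, so either name that guarantee in the commit message or bound both ends, for example `sco_idx = clamp_t(unsigned int, data->sco_num, 1, ARRAY_SIZE(alts)) - 1;`. A short comment that more than three SCO links deliberately reuse the last entry would also help the next reader.
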
> --
> 2.50.1 (Apple Git-155)

https://sashiko.dev/#/patchset/20260324020427.60125-1-pengpeng%40iscas.ac.cn

They seem valid to me, so we might need to check if sco_idx is looping
around, etc.

--
Luiz Augusto von Dentz