RE: [PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one
From: K, Kiran
Date: Fri Mar 27 2026 - 08:36:52 EST
Hi Luiz, Pengpeng,
>Subject: Re: [PATCH] Bluetooth: btintel_pcie: fix TX queue off-by-one
>
>Hi @Kiran K
>
>On Tue, Mar 24, 2026 at 4:51 AM Pengpeng Hou <pengpeng@xxxxxxxxxxx>
>wrote:
>>
>> btintel_pcie_send_sync() reads the next transmit slot from
>> data->ia.tr_hia[] and uses it as an index into the fixed txq
>> descriptor arrays. The current guard only rejects values strictly
>> greater than txq->count, so an index equal to the queue depth still
>> falls through and is used as the next transmit slot one element past
>> the end.
>>
>> Reject indices at or above the queue depth before preparing the TX
>> descriptor.
>>
>> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
>> ---
>> drivers/bluetooth/btintel_pcie.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/bluetooth/btintel_pcie.c
>> b/drivers/bluetooth/btintel_pcie.c
>> index 37b744e35bc4..760cb3d1aa18 100644
>> --- a/drivers/bluetooth/btintel_pcie.c
>> +++ b/drivers/bluetooth/btintel_pcie.c
>> @@ -359,7 +359,7 @@ static int btintel_pcie_send_sync(struct
>> btintel_pcie_data *data,
>>
>> tfd_index = data->ia.tr_hia[BTINTEL_PCIE_TXQ_NUM];
>>
>> - if (tfd_index > txq->count)
>> + if (tfd_index >= txq->count)
Unless the firmware corrupts DMA memory (or there's a serious firmware bug), tfd_index should never reach or exceed txq->count. With that in mind, the change looks good to me.
>> return -ERANGE;
>>
>> /* Firmware raises alive interrupt on HCI_OP_RESET or
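Review bot: the new `>=` bound is the correct one, since tfd_index selects a slot in arrays of txq->count entries and the valid range is 0..count-1, but the patch carries no Fixes: tag naming the commit that introduced the `>` guard, which stable backports will want. The commit message would also be stronger if it stated that data->ia.tr_hia[] is written by the device, so the reader sees that this is validation of a firmware-supplied index rather than of a value the driver computed itself.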
>> --
>> 2.50.1 (Apple Git-155)
>
>Looks valid to me, index starts from 0 while count starts from 1, so index == count
>would probably overflow as well.
>
>--
>Luiz Augusto von Dentz
Thanks,
Kiran
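The off-by-one Luiz describes, shown as an added example that is not the driver's code: a constructed fixed-depth queue model with the original `>` guard beside the patched `>=` guard, and a prepare routine that rejects a device-supplied head index with -ERANGE before it can touch the slot one past the end. The struct and function names (`struct txq`, `TXQ_DEPTH`, `demo_txq`, `txq_prepare`) are assumptions made for the example and are not taken from btintel_pcie.c.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a fixed-depth transmit queue; not the driver's structs. */
#define TXQ_DEPTH 4

struct tfd {
	uint32_t addr;
	uint16_t size;
	uint8_t used;
};

struct txq {
	uint16_t count;             /* number of slots: valid indices are 0..count-1 */
	struct tfd tfds[TXQ_DEPTH]; /* fixed descriptor array, count entries */
};

/* Original guard: only values strictly greater than count are rejected,
 * so index == count passes and would address tfds[count], one past the end. */
static bool tfd_index_ok_before(const struct txq *txq, uint16_t tfd_index)
{
	return !(tfd_index > txq->count);
}

/* Patched guard: reject indices at or above the queue depth. */
static bool tfd_index_ok_after(const struct txq *txq, uint16_t tfd_index)
{
	return !(tfd_index >= txq->count);
}

/* Prepare the descriptor in the slot named by a device-supplied head index.
 * Returns 0 on success, -ERANGE when the index lies outside the array. */
static int txq_prepare(struct txq *txq, uint16_t tfd_index, uint32_t addr, uint16_t size)
{
	if (!tfd_index_ok_after(txq, tfd_index))
		return -ERANGE;
	txq->tfds[tfd_index].addr = addr;
	txq->tfds[tfd_index].size = size;
	txq->tfds[tfd_index].used = 1;
	return 0;
}

/* Count how many candidate indices in 0..count each guard lets through.
 * The old guard accepts count + 1 values, the new one exactly count. */
static int accepted_by_old_guard(const struct txq *txq)
{
	int n = 0;
	for (uint16_t i = 0; i <= txq->count; i++)
		n += tfd_index_ok_before(txq, i);
	return n;
}

static int accepted_by_new_guard(const struct txq *txq)
{
	int n = 0;
	for (uint16_t i = 0; i <= txq->count; i++)
		n += tfd_index_ok_after(txq, i);
	return n;
}

/* A single constructed queue instance for demonstration. */
static struct txq *demo_txq(void)
{
	static struct txq q = { .count = TXQ_DEPTH };
	return &q;
}

int main(void)
{
	struct txq *q = demo_txq();

	printf("old guard accepts %d of %d candidate indices\n",
	       accepted_by_old_guard(q), q->count + 1);
	printf("new guard accepts %d of %d candidate indices\n",
	       accepted_by_new_guard(q), q->count + 1);
	printf("prepare at index %d -> %d\n", TXQ_DEPTH, txq_prepare(q, TXQ_DEPTH, 0x1000, 64));
	printf("prepare at index %d -> %d\n", TXQ_DEPTH - 1, txq_prepare(q, TXQ_DEPTH - 1, 0x1000, 64));
	return 0;
}
```

With a depth of 4, the old guard passes five values (0 through 4) while only four slots exist; the patched guard passes exactly four, and `txq_prepare` returns -ERANGE for index 4 instead of writing past `tfds[]`.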