RE: [PATCH] Bluetooth: btintel_pcie: validate RX buffer tags

Next message: Nicolas Frattaroli: " Re: [PATCH v11 03/22] drm: Add new general DRM property &quot;color format&quot;"
Previous message: Andreas Kemnade: "Re: [PATCH 1/8] regulator: pbias: Add pbias SIM regulator for OMAP4"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: K, Kiran

Date: Fri Mar 27 2026 - 09:04:20 EST

Hi Luiz, Pengpeng,

>Subject: [PATCH] Bluetooth: btintel_pcie: validate RX buffer tags
>
>The RX completion path trusts urbd1->frbd_tag as a direct index into the fixed
>rxq->bufs[] table. The table only has rxq->count entries, while frbd_tag is a
>wider firmware-provided field and is not range-checked before use.
>
>Validate the completion tag before indexing the RX buffer table so a
>malformed completion cannot walk past the descriptor-backed buffer array.
>
>Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
>---
> drivers/bluetooth/btintel_pcie.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
>index 37b744e35bc4..4f6b3f00a49a 100644
>--- a/drivers/bluetooth/btintel_pcie.c
>+++ b/drivers/bluetooth/btintel_pcie.c
>@@ -1410,6 +1410,12 @@ static void btintel_pcie_msix_rx_handle(struct
>btintel_pcie_data *data)
> urbd1 = &rxq->urbd1s[cr_tia];
> ipc_print_urbd1(data->hdev, urbd1, cr_tia);
>
>+ if (urbd1->frbd_tag >= rxq->count) {
>+ bt_dev_err(hdev, "RXQ: invalid FRBD tag %u",
>+ urbd1->frbd_tag);
>+ return;
>+ }
>+
> buf = &rxq->bufs[urbd1->frbd_tag];
> if (!buf) {
> bt_dev_err(hdev, "RXQ: failed to get the DMA buffer
>for %d",
>--
>2.50.1 (Apple Git-155)
>

Tested-by: Kiran K <kiran.k@xxxxxxxxx>

Thanks,
Kiran