[PATCH] Bluetooth: btintel_pcie: validate RX buffer tags

public inbox for linux-bluetooth@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Bluetooth: btintel_pcie: validate RX buffer tags
@ 2026-03-23 12:17 Pengpeng Hou
  2026-03-23 13:13 ` bluez.test.bot
  2026-03-27 13:01 ` [PATCH] " K, Kiran
  0 siblings, 2 replies; 3+ messages in thread
From: Pengpeng Hou @ 2026-03-23 12:17 UTC (permalink / raw)
  To: marcel; +Cc: luiz.dentz, linux-bluetooth, linux-kernel, pengpeng

The RX completion path trusts urbd1->frbd_tag as a direct index into the
fixed rxq->bufs[] table. The table only has rxq->count entries, while
frbd_tag is a wider firmware-provided field and is not range-checked
before use.

Validate the completion tag before indexing the RX buffer table so a
malformed completion cannot walk past the descriptor-backed buffer
array.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/bluetooth/btintel_pcie.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 37b744e35bc4..4f6b3f00a49a 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -1410,6 +1410,12 @@ static void btintel_pcie_msix_rx_handle(struct btintel_pcie_data *data)
 		urbd1 = &rxq->urbd1s[cr_tia];
 		ipc_print_urbd1(data->hdev, urbd1, cr_tia);
 
+		if (urbd1->frbd_tag >= rxq->count) {
+			bt_dev_err(hdev, "RXQ: invalid FRBD tag %u",
+				   urbd1->frbd_tag);
+			return;
+		}
+
 		buf = &rxq->bufs[urbd1->frbd_tag];
 		if (!buf) {
 			bt_dev_err(hdev, "RXQ: failed to get the DMA buffer for %d",
-- 
2.50.1 (Apple Git-155)


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* RE: Bluetooth: btintel_pcie: validate RX buffer tags
  2026-03-23 12:17 [PATCH] Bluetooth: btintel_pcie: validate RX buffer tags Pengpeng Hou
@ 2026-03-23 13:13 ` bluez.test.bot
  2026-03-27 13:01 ` [PATCH] " K, Kiran
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-03-23 13:13 UTC (permalink / raw)
  To: linux-bluetooth, pengpeng

[-- Attachment #1: Type: text/plain, Size: 2833 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1070881

---Test result---

Test Summary:
CheckPatch                    PENDING   0.33 seconds
GitLint                       PENDING   0.28 seconds
SubjectPrefix                 PASS      0.09 seconds
BuildKernel                   PASS      24.11 seconds
CheckAllWarning               PASS      26.65 seconds
CheckSparse                   PASS      25.90 seconds
BuildKernel32                 PASS      23.75 seconds
TestRunnerSetup               PASS      529.10 seconds
TestRunner_l2cap-tester       PASS      27.84 seconds
TestRunner_iso-tester         FAIL      30.53 seconds
TestRunner_bnep-tester        PASS      6.29 seconds
TestRunner_mgmt-tester        FAIL      113.89 seconds
TestRunner_rfcomm-tester      PASS      9.49 seconds
TestRunner_sco-tester         FAIL      14.54 seconds
TestRunner_ioctl-tester       PASS      10.18 seconds
TestRunner_mesh-tester        FAIL      12.48 seconds
TestRunner_smp-tester         PASS      8.54 seconds
TestRunner_userchan-tester    PASS      6.69 seconds
IncrementalBuild              PENDING   0.60 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.108 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.755 seconds
Mesh - Send cancel - 2                               Timed out    1.998 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: [PATCH] Bluetooth: btintel_pcie: validate RX buffer tags
  2026-03-23 12:17 [PATCH] Bluetooth: btintel_pcie: validate RX buffer tags Pengpeng Hou
  2026-03-23 13:13 ` bluez.test.bot
@ 2026-03-27 13:01 ` K, Kiran
  1 sibling, 0 replies; 3+ messages in thread
From: K, Kiran @ 2026-03-27 13:01 UTC (permalink / raw)
  To: Pengpeng Hou, marcel@holtmann.org
  Cc: luiz.dentz@gmail.com, linux-bluetooth@vger.kernel.org,
	linux-kernel@vger.kernel.org, Srivatsa, Ravishankar,
	Tumkur Narayan, Chethan

Hi Luiz, Pengpeng,

>Subject: [PATCH] Bluetooth: btintel_pcie: validate RX buffer tags
>
>The RX completion path trusts urbd1->frbd_tag as a direct index into the fixed
>rxq->bufs[] table. The table only has rxq->count entries, while frbd_tag is a
>wider firmware-provided field and is not range-checked before use.
>
>Validate the completion tag before indexing the RX buffer table so a
>malformed completion cannot walk past the descriptor-backed buffer array.
>
>Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
>---
> drivers/bluetooth/btintel_pcie.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
>index 37b744e35bc4..4f6b3f00a49a 100644
>--- a/drivers/bluetooth/btintel_pcie.c
>+++ b/drivers/bluetooth/btintel_pcie.c
>@@ -1410,6 +1410,12 @@ static void btintel_pcie_msix_rx_handle(struct
>btintel_pcie_data *data)
> 		urbd1 = &rxq->urbd1s[cr_tia];
> 		ipc_print_urbd1(data->hdev, urbd1, cr_tia);
>
>+		if (urbd1->frbd_tag >= rxq->count) {
>+			bt_dev_err(hdev, "RXQ: invalid FRBD tag %u",
>+				   urbd1->frbd_tag);
>+			return;
>+		}
>+
> 		buf = &rxq->bufs[urbd1->frbd_tag];
> 		if (!buf) {
> 			bt_dev_err(hdev, "RXQ: failed to get the DMA buffer
>for %d",
>--
>2.50.1 (Apple Git-155)
>

Tested-by: Kiran K <kiran.k@intel.com>

Thanks,
Kiran



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-03-27 13:01 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-23 12:17 [PATCH] Bluetooth: btintel_pcie: validate RX buffer tags Pengpeng Hou
2026-03-23 13:13 ` bluez.test.bot
2026-03-27 13:01 ` [PATCH] " K, Kiran

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox