* [PATCH] Bluetooth: btusb: clamp SCO altsetting table indices
@ 2026-03-24 2:04 Pengpeng Hou
2026-03-24 19:58 ` Luiz Augusto von Dentz
2026-03-25 0:42 ` [PATCH v2] " Pengpeng Hou
0 siblings, 2 replies; 4+ messages in thread
From: Pengpeng Hou @ 2026-03-24 2:04 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: linux-bluetooth, linux-kernel, pengpeng
btusb_work() maps the number of active SCO links to USB alternate
settings through a three-entry lookup table when CVSD traffic uses
transparent voice settings. The lookup currently indexes alts[] with
data->sco_num - 1 without first constraining sco_num to the number of
available table entries.
While the table only defines alternate settings for up to three SCO
links, data->sco_num comes from hci_conn_num() and is used directly.
Cap the lookup to the last table entry before indexing it so the
driver keeps selecting the highest supported alternate setting without
reading past alts[].
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
drivers/bluetooth/btusb.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a1c5eb993e47..870a6aa92216 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2376,8 +2376,11 @@ static void btusb_work(struct work_struct *work)
if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
if (hdev->voice_setting & 0x0020) {
static const int alts[3] = { 2, 4, 5 };
+ unsigned int sco_idx;
- new_alts = alts[data->sco_num - 1];
+ sco_idx = min_t(unsigned int, data->sco_num,
+ ARRAY_SIZE(alts)) - 1;
+ new_alts = alts[sco_idx];
} else {
new_alts = data->sco_num;
}
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] Bluetooth: btusb: clamp SCO altsetting table indices
2026-03-24 2:04 [PATCH] Bluetooth: btusb: clamp SCO altsetting table indices Pengpeng Hou
@ 2026-03-24 19:58 ` Luiz Augusto von Dentz
2026-03-25 0:42 ` [PATCH v2] " Pengpeng Hou
1 sibling, 0 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-24 19:58 UTC (permalink / raw)
To: Pengpeng Hou; +Cc: Marcel Holtmann, linux-bluetooth, linux-kernel
Hi,
On Mon, Mar 23, 2026 at 10:05 PM Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:
>
> btusb_work() maps the number of active SCO links to USB alternate
> settings through a three-entry lookup table when CVSD traffic uses
> transparent voice settings. The lookup currently indexes alts[] with
> data->sco_num - 1 without first constraining sco_num to the number of
> available table entries.
>
> While the table only defines alternate settings for up to three SCO
> links, data->sco_num comes from hci_conn_num() and is used directly.
> Cap the lookup to the last table entry before indexing it so the
> driver keeps selecting the highest supported alternate setting without
> reading past alts[].
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
> drivers/bluetooth/btusb.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
> index a1c5eb993e47..870a6aa92216 100644
> --- a/drivers/bluetooth/btusb.c
> +++ b/drivers/bluetooth/btusb.c
> @@ -2376,8 +2376,11 @@ static void btusb_work(struct work_struct *work)
> if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
> if (hdev->voice_setting & 0x0020) {
> static const int alts[3] = { 2, 4, 5 };
> + unsigned int sco_idx;
>
> - new_alts = alts[data->sco_num - 1];
> + sco_idx = min_t(unsigned int, data->sco_num,
> + ARRAY_SIZE(alts)) - 1;
> + new_alts = alts[sco_idx];
> } else {
> new_alts = data->sco_num;
> }
> --
> 2.50.1 (Apple Git-155)
https://sashiko.dev/#/patchset/20260324020427.60125-1-pengpeng%40iscas.ac.cn
They seem valid to me, so we might need to check if sco_idx is looping
around, etc.
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2] Bluetooth: btusb: clamp SCO altsetting table indices
2026-03-24 2:04 [PATCH] Bluetooth: btusb: clamp SCO altsetting table indices Pengpeng Hou
2026-03-24 19:58 ` Luiz Augusto von Dentz
@ 2026-03-25 0:42 ` Pengpeng Hou
2026-03-26 18:30 ` patchwork-bot+bluetooth
1 sibling, 1 reply; 4+ messages in thread
From: Pengpeng Hou @ 2026-03-25 0:42 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: linux-bluetooth, linux-kernel, pengpeng
btusb_work() maps the number of active SCO links to USB alternate
settings through a three-entry lookup table when CVSD traffic uses
transparent voice settings. The lookup currently indexes alts[] with
data->sco_num - 1 without first constraining sco_num to the number of
available table entries.
While the table only defines alternate settings for up to three SCO
links, data->sco_num comes from hci_conn_num() and is used directly.
Cap the lookup to the last table entry before indexing it so the
driver keeps selecting the highest supported alternate setting without
reading past alts[].
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
v2:
- rewrite the clamped SCO table index as an explicit 0-based clamp
to avoid wraparound concerns raised in review
drivers/bluetooth/btusb.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index a1c5eb993e47..5c535f3ab722 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2376,8 +2376,11 @@ static void btusb_work(struct work_struct *work)
if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
if (hdev->voice_setting & 0x0020) {
static const int alts[3] = { 2, 4, 5 };
+ unsigned int sco_idx;
- new_alts = alts[data->sco_num - 1];
+ sco_idx = min_t(unsigned int, data->sco_num - 1,
+ ARRAY_SIZE(alts) - 1);
+ new_alts = alts[sco_idx];
} else {
new_alts = data->sco_num;
}
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2] Bluetooth: btusb: clamp SCO altsetting table indices
2026-03-25 0:42 ` [PATCH v2] " Pengpeng Hou
@ 2026-03-26 18:30 ` patchwork-bot+bluetooth
0 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+bluetooth @ 2026-03-26 18:30 UTC (permalink / raw)
To: Pengpeng Hou; +Cc: marcel, luiz.dentz, linux-bluetooth, linux-kernel
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 25 Mar 2026 08:42:45 +0800 you wrote:
> btusb_work() maps the number of active SCO links to USB alternate
> settings through a three-entry lookup table when CVSD traffic uses
> transparent voice settings. The lookup currently indexes alts[] with
> data->sco_num - 1 without first constraining sco_num to the number of
> available table entries.
>
> While the table only defines alternate settings for up to three SCO
> links, data->sco_num comes from hci_conn_num() and is used directly.
> Cap the lookup to the last table entry before indexing it so the
> driver keeps selecting the highest supported alternate setting without
> reading past alts[].
>
> [...]
Here is the summary with links:
- [v2] Bluetooth: btusb: clamp SCO altsetting table indices
https://git.kernel.org/bluetooth/bluetooth-next/c/08a198361071
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-26 18:30 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-24 2:04 [PATCH] Bluetooth: btusb: clamp SCO altsetting table indices Pengpeng Hou
2026-03-24 19:58 ` Luiz Augusto von Dentz
2026-03-25 0:42 ` [PATCH v2] " Pengpeng Hou
2026-03-26 18:30 ` patchwork-bot+bluetooth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox