Commit 129fa608 authored Mar 25, 2026 by Pengpeng Hou Committed by Luiz Augusto von Dentz Mar 25, 2026

Bluetooth: btusb: clamp SCO altsetting table indices



btusb_work() maps the number of active SCO links to USB alternate
settings through a three-entry lookup table when CVSD traffic uses
transparent voice settings. The lookup currently indexes alts[] with
data->sco_num - 1 without first constraining sco_num to the number of
available table entries.

While the table only defines alternate settings for up to three SCO
links, data->sco_num comes from hci_conn_num() and is used directly.
Cap the lookup to the last table entry before indexing it so the
driver keeps selecting the highest supported alternate setting without
reading past alts[].

Fixes: baac6276 ("Bluetooth: btusb: handle mSBC audio over USB Endpoints")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

parent 25f420a0

drivers/bluetooth/btusb.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -2376,8 +2376,11 @@ static void btusb_work(struct work_struct *work)
		if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
		if (hdev->voice_setting & 0x0020) {
		static const int alts[3] = { 2, 4, 5 };
		unsigned int sco_idx;

		new_alts = alts[data->sco_num - 1];
		sco_idx = min_t(unsigned int, data->sco_num - 1,
		ARRAY_SIZE(alts) - 1);
		new_alts = alts[sco_idx];
		} else {
		new_alts = data->sco_num;
		}