* [PATCH] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: Pauli Virtanen @ 2026-04-24 19:24 UTC (permalink / raw)
To: linux-bluetooth
Cc: Pauli Virtanen, marcel, luiz.dentz, tristan, linux-mediatek,
sean.wang, mark-yw.chen
MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
FUNC_CTRL events that are missing the status field.
Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
length before struct access") the status was read from out-of-bounds of
SKB data, which usually would result in success with
BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds
check added in that commit returns with error instead, producing
"Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
device unusable.
Fix the regression by interpreting a too short packet as status
BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
Fixes: 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
Notes:
AFAICS the commit is not yet pulled and is only in bluetooth-next, so
maybe this should be just fixup?
drivers/bluetooth/btmtk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index ab34f1dd42bc..68a32d11e5ec 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -719,8 +719,8 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
case BTMTK_WMT_FUNC_CTRL:
if (!skb_pull_data(data->evt_skb,
sizeof(wmt_evt_funcc->status))) {
- err = -EINVAL;
- goto err_free_skb;
+ status = BTMTK_WMT_ON_UNDONE;
+ break;
}
wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
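Review bot: the new `break;` on the short-event path skips the `wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;` assignment that closes the hunk, so whatever follows the switch must not dereference `wmt_evt_funcc` when `status` was set to `BTMTK_WMT_ON_UNDONE` here; that should be double-checked before merging. A one-line comment above `status = BTMTK_WMT_ON_UNDONE;` noting that MT7925 firmware 20260106153314 omits the status field would also help, since the commit message is currently the only place explaining why a truncated event is accepted, and a `bt_dev_dbg()` on this path would keep the malformed event visible in traces instead of folding it silently into the success case.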
--
2.53.0
* Re: [PATCH] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: Luiz Augusto von Dentz @ 2026-04-24 19:38 UTC (permalink / raw)
To: Pauli Virtanen
Cc: linux-bluetooth, marcel, tristan, linux-mediatek, sean.wang,
mark-yw.chen
Hi Pauli, Tristan,
On Fri, Apr 24, 2026 at 3:25 PM Pauli Virtanen <pav@iki.fi> wrote:
>
> MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
> FUNC_CTRL events that are missing the status field.
>
> Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
> length before struct access") the status was read from out-of-bounds of
> SKB data, which usually would result in success with
> BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds
> check added in that commit returns with error instead, producing
> "Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
> device unusable.
>
> Fix the regression by interpreting a too short packet as status
> BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
>
> Fixes: 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
> Signed-off-by: Pauli Virtanen <pav@iki.fi>
> ---
>
> Notes:
> AFAICS the commit is not yet pulled and is only in bluetooth-next, so
> maybe this should be just fixup?
Yeah, I'll most likely fix it in place and add your Signed-off-by.
> drivers/bluetooth/btmtk.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> index ab34f1dd42bc..68a32d11e5ec 100644
> --- a/drivers/bluetooth/btmtk.c
> +++ b/drivers/bluetooth/btmtk.c
> @@ -719,8 +719,8 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
> case BTMTK_WMT_FUNC_CTRL:
> if (!skb_pull_data(data->evt_skb,
> sizeof(wmt_evt_funcc->status))) {
> - err = -EINVAL;
> - goto err_free_skb;
> + status = BTMTK_WMT_ON_UNDONE;
> + break;
This probably means the original change was never tested on real
hardware. We likely need input from the MediaTek team on how to handle
these events, as I don't think a public spec exists.
> }
>
> wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
> --
> 2.53.0
>
--
Luiz Augusto von Dentz
* RE: Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: bluez.test.bot @ 2026-04-24 19:59 UTC (permalink / raw)
To: linux-bluetooth, pav
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1085333
---Test result---
Test Summary:
CheckPatch PASS 0.60 seconds
GitLint PASS 0.24 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 25.71 seconds
CheckAllWarning PASS 28.17 seconds
CheckSparse PASS 26.78 seconds
BuildKernel32 PASS 25.12 seconds
TestRunnerSetup PASS 560.60 seconds
IncrementalBuild PASS 23.89 seconds
https://github.com/bluez/bluetooth-next/pull/121
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: Pauli Virtanen @ 2026-05-08 19:09 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth, Mikhail Gavrilov
Hi Luiz,
pe, 2026-04-24 kello 15:38 -0400, Luiz Augusto von Dentz kirjoitti:
> Hi Pauli, Tristan,
>
> On Fri, Apr 24, 2026 at 3:25 PM Pauli Virtanen <pav@iki.fi> wrote:
> >
> > MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
> > FUNC_CTRL events that are missing the status field.
> >
> > Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
> > length before struct access") the status was read from out-of-bounds of
> > SKB data, which usually would result in success with
> > BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds
> > check added in that commit returns with error instead, producing
> > "Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
> > device unusable.
> >
> > Fix the regression by interpreting a too short packet as status
> > BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
> >
> > Fixes: 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
> > Signed-off-by: Pauli Virtanen <pav@iki.fi>
> > ---
> >
> > Notes:
> > AFAICS the commit is not yet pulled and is only in bluetooth-next, so
> > maybe this should be just fixup?
>
> Yeah, I'll most likely fix it in place and add your Signed-off-by.
Looks like this got pulled to net without this fix, so it's broken now.
>
> > drivers/bluetooth/btmtk.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> > index ab34f1dd42bc..68a32d11e5ec 100644
> > --- a/drivers/bluetooth/btmtk.c
> > +++ b/drivers/bluetooth/btmtk.c
> > @@ -719,8 +719,8 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
> > case BTMTK_WMT_FUNC_CTRL:
> > if (!skb_pull_data(data->evt_skb,
> > sizeof(wmt_evt_funcc->status))) {
> > - err = -EINVAL;
> > - goto err_free_skb;
> > + status = BTMTK_WMT_ON_UNDONE;
> > + break;
>
> This probably means the original change was never tested on real
> hardware. We likely need input from the MediaTek team on how to handle
> these events, as I don't think a public spec exists.
>
> > }
> >
> > wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
> > --
> > 2.53.0
> >
>
--
Pauli Virtanen
* Re: [PATCH] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: Mikhail Gavrilov @ 2026-05-08 19:19 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: Luiz Augusto von Dentz, linux-bluetooth
On Sat, May 9, 2026 at 12:09 AM Pauli Virtanen <pav@iki.fi> wrote:
>
> Hi Luiz,
>
> pe, 2026-04-24 kello 15:38 -0400, Luiz Augusto von Dentz kirjoitti:
> > Hi Pauli, Tristan,
> >
> > On Fri, Apr 24, 2026 at 3:25 PM Pauli Virtanen <pav@iki.fi> wrote:
> > >
> > > MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
> > > FUNC_CTRL events that are missing the status field.
> > >
> > > Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
> > > length before struct access") the status was read from out-of-bounds of
> > > SKB data, which usually would result in success with
> > > BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds
> > > check added in that commit returns with error instead, producing
> > > "Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
> > > device unusable.
> > >
> > > Fix the regression by interpreting a too short packet as status
> > > BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
> > >
> > > Fixes: 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
> > > Signed-off-by: Pauli Virtanen <pav@iki.fi>
> > > ---
> > >
> > > Notes:
> > > AFAICS the commit is not yet pulled and is only in bluetooth-next, so
> > > maybe this should be just fixup?
> >
> > Yeah, I'll most likely fix it in place and add your Signed-off-by.
>
> Looks like this got pulled to net without this fix, so it's broken now
>
> >
> > > drivers/bluetooth/btmtk.c | 4 ++--
> > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> > > index ab34f1dd42bc..68a32d11e5ec 100644
> > > --- a/drivers/bluetooth/btmtk.c
> > > +++ b/drivers/bluetooth/btmtk.c
> > > @@ -719,8 +719,8 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
> > > case BTMTK_WMT_FUNC_CTRL:
> > > if (!skb_pull_data(data->evt_skb,
> > > sizeof(wmt_evt_funcc->status))) {
> > > - err = -EINVAL;
> > > - goto err_free_skb;
> > > + status = BTMTK_WMT_ON_UNDONE;
> > > + break;
> >
> > This probably means the original change was never tested on real
> > hardware. We likely need input from the MediaTek team on how to handle
> > these events, as I don't think a public spec exists.
> >
> > > }
> > >
> > > wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
> > > --
> > > 2.53.0
> > >
> >
>
> --
> Pauli Virtanen
Hi Pauli, Luiz,
I sent a functionally equivalent fix [1] earlier today before
finding your April 24 submission -- apologies for the noise.
Confirming the same regression on MediaTek MT7922 (USB ID
0489:e0e2, firmware build 20260224103448): "Failed to send wmt
func ctrl (-22)" right after HW/SW Version; BT setup aborts.
Reverting bd75e1003d3e on top of v7.1-rc2 restores Bluetooth;
your fix has the same effect on my hardware.
So this is not chip-specific: MT7922 (Wi-Fi 6E generation) and
MT7925 (Wi-Fi 7 generation) firmware both send 7-byte FUNC_CTRL
events without the trailing __be16 status, suggesting a property
of the MediaTek WMT firmware family rather than an individual
quirk.
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> # MT7922 (0489:e0e2)
[1] https://lore.kernel.org/linux-bluetooth/20260508173121.27526-1-mikhail.v.gavrilov@gmail.com/
--
Thanks,
Mikhail
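To make the two length policies the thread contrasts concrete (the -EINVAL rejection from 006b9943b982 and the patch's BTMTK_WMT_ON_UNDONE fallback) on the 7-byte header-only FUNC_CTRL event Mikhail describes, here is an added example that is not the driver's code. The 7-byte header is treated as opaque, the WMT_ON_UNDONE value is a placeholder and the sample event bytes are constructed filler; none of these are taken from btmtk.c.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the event from the thread: a 7-byte WMT event header,
 * optionally followed by a big-endian 16-bit status (header layout assumed). */
#define WMT_EVT_HDR_LEN 7
#define WMT_STATUS_LEN  2

/* Placeholder standing in for BTMTK_WMT_ON_UNDONE; not the driver's value. */
#define WMT_ON_UNDONE 0

/* Constructed sample events: header-only (what MT7922/MT7925 fw sends) and
 * a full one carrying status 0x0001 as __be16. Header bytes are filler. */
static const uint8_t short_evt[WMT_EVT_HDR_LEN] = { 0 };
static const uint8_t full_evt[WMT_EVT_HDR_LEN + WMT_STATUS_LEN] =
    { 0, 0, 0, 0, 0, 0, 0, 0x00, 0x01 };

/* Reads the trailing __be16 status; caller guarantees it is present. */
static uint16_t wmt_read_status(const uint8_t *evt)
{
    return (uint16_t)((evt[WMT_EVT_HDR_LEN] << 8) | evt[WMT_EVT_HDR_LEN + 1]);
}

/* Policy from 006b9943b982: anything shorter than header + status is
 * -EINVAL, i.e. the "Failed to send wmt func ctrl (-22)" regression. */
static int funcc_status_strict(const uint8_t *evt, size_t len, uint16_t *status)
{
    if (len < WMT_EVT_HDR_LEN + WMT_STATUS_LEN)
        return -EINVAL;
    *status = wmt_read_status(evt);
    return 0;
}

/* Policy from the patch: a header-only event is accepted as UNDONE and
 * logged so the firmware quirk stays visible; a truncated header is
 * still rejected, so no out-of-bounds read is possible either way. */
static int funcc_status_tolerant(const uint8_t *evt, size_t len, uint16_t *status)
{
    if (len < WMT_EVT_HDR_LEN)
        return -EINVAL;
    if (len < WMT_EVT_HDR_LEN + WMT_STATUS_LEN) {
        fprintf(stderr, "wmt func ctrl: no status field in %zu-byte event\n", len);
        *status = WMT_ON_UNDONE;
        return 0;
    }
    *status = wmt_read_status(evt);
    return 0;
}
```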
* Re: [PATCH] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: patchwork-bot+bluetooth @ 2026-05-11 14:30 UTC (permalink / raw)
To: Pauli Virtanen
Cc: linux-bluetooth, marcel, luiz.dentz, tristan, linux-mediatek,
sean.wang, mark-yw.chen
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Fri, 24 Apr 2026 22:24:29 +0300 you wrote:
> MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
> FUNC_CTRL events that are missing the status field.
>
> Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
> length before struct access") the status was read from out-of-bounds of
> SKB data, which usually would result in success with
> BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds
> check added in that commit returns with error instead, producing
> "Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
> device unusable.
>
> [...]
Here is the summary with links:
- Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
https://git.kernel.org/bluetooth/bluetooth-next/c/162b1adeb057
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* Re: [PATCH] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: Luiz Augusto von Dentz @ 2026-05-11 14:46 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth, Mikhail Gavrilov
Hi Pauli,
On Fri, May 8, 2026 at 3:09 PM Pauli Virtanen <pav@iki.fi> wrote:
>
> Hi Luiz,
>
> pe, 2026-04-24 kello 15:38 -0400, Luiz Augusto von Dentz kirjoitti:
> > Hi Pauli, Tristan,
> >
> > On Fri, Apr 24, 2026 at 3:25 PM Pauli Virtanen <pav@iki.fi> wrote:
> > >
> > > MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
> > > FUNC_CTRL events that are missing the status field.
> > >
> > > Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
> > > length before struct access") the status was read from out-of-bounds of
> > > SKB data, which usually would result to success with
> > > BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds
> > > check added in that commit returns with error instead, producing
> > > "Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
> > > device unusable.
> > >
> > > Fix the regression by interpreting a too short packet as status
> > > BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
> > >
> > > Fixes: 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
> > > Signed-off-by: Pauli Virtanen <pav@iki.fi>
> > > ---
> > >
> > > Notes:
> > > AFAICS the commit is not yet pulled and is only in bluetooth-next, so
> > > maybe this should be just fixup?
> >
> > Yeah, I'll most likely fix it in place and add your Signed-off-by.
>
> Looks like this got pulled to net without this fix, so it's broken now
My bad, will try to expedite a PR to have it fixed asap.
> >
> > > drivers/bluetooth/btmtk.c | 4 ++--
> > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> > > index ab34f1dd42bc..68a32d11e5ec 100644
> > > --- a/drivers/bluetooth/btmtk.c
> > > +++ b/drivers/bluetooth/btmtk.c
> > > @@ -719,8 +719,8 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
> > > case BTMTK_WMT_FUNC_CTRL:
> > > if (!skb_pull_data(data->evt_skb,
> > > sizeof(wmt_evt_funcc->status))) {
> > > - err = -EINVAL;
> > > - goto err_free_skb;
> > > + status = BTMTK_WMT_ON_UNDONE;
> > > + break;
> >
> > This probably means the original change was never tested on real
> > hardware. We likely need input from the MediaTek team on how to handle
> > these events, as I don't think a public spec exists.
> >
> > > }
> > >
> > > wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
> > > --
> > > 2.53.0
> > >
> >
>
> --
> Pauli Virtanen
--
Luiz Augusto von Dentz