* [PATCH] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
@ 2026-04-24 19:24 Pauli Virtanen
2026-04-24 19:38 ` Luiz Augusto von Dentz
2026-04-24 19:59 ` bluez.test.bot
0 siblings, 2 replies; 3+ messages in thread
From: Pauli Virtanen @ 2026-04-24 19:24 UTC (permalink / raw)
To: linux-bluetooth
Cc: Pauli Virtanen, marcel, luiz.dentz, tristan, linux-mediatek,
sean.wang, mark-yw.chen
MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
FUNC_CTRL events that are missing the status field.
Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
length before struct access") the status was read from out of bounds of
the SKB data, which would usually result in success with
BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds
check added in that commit returns with an error instead, producing
"Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
device unusable.
Fix the regression by interpreting a too-short packet as status
BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
Fixes: 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
Notes:
AFAICS the commit is not yet pulled and is only in bluetooth-next, so
maybe this should be just fixup?
drivers/bluetooth/btmtk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index ab34f1dd42bc..68a32d11e5ec 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -719,8 +719,8 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
case BTMTK_WMT_FUNC_CTRL:
if (!skb_pull_data(data->evt_skb,
sizeof(wmt_evt_funcc->status))) {
- err = -EINVAL;
- goto err_free_skb;
+ status = BTMTK_WMT_ON_UNDONE;
+ break;
}
wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
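Review bot: the `break` taken on the short-event path skips the `wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;` cast and whatever status mapping follows it in this case, so the change is only safe if nothing after the switch dereferences `wmt_evt_funcc` for FUNC_CTRL; that code is outside the hunk, so it is worth confirming. A one-line comment above `status = BTMTK_WMT_ON_UNDONE;` noting that MT7925 firmware 20260106153314 omits the status field would also keep the reason in the source rather than only in the commit message.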
--
2.53.0
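The failure mode in the commit message is a firmware event that is shorter than the struct the driver casts it to. The following is an added userspace model of that parse, not code from btmtk.c: a cursor with the same contract as skb_pull_data() (NULL when fewer bytes remain than requested), a FUNC_CTRL parser that can either reject a missing status field with -EINVAL, as the bounds check in 006b9943b982 did, or report it as "undone", as this patch does, and constructed sample events exercising both. The header layout, the opcode, the status codes and the enum values are assumptions for illustration, not the driver's real definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status values handed back to the caller; the names mirror the driver's
 * BTMTK_WMT_ON_* constants but the numeric values here are assumptions. */
enum wmt_status {
	WMT_ON_DONE = 0,
	WMT_ON_PROGRESS = 1,
	WMT_ON_UNDONE = 2,
};

/* Assumed wire layout: a 4-byte WMT event header, then for FUNC_CTRL an
 * optional big-endian 16-bit status. The MT7925 firmware in the report
 * sends the header with no status bytes after it. */
struct wmt_evt_hdr {
	uint8_t dir;
	uint8_t op;
	uint8_t flag;
	uint8_t dlen;
};

#define WMT_OP_FUNC_CTRL	0x06	/* assumed opcode */
#define FUNC_CTRL_DONE		0x0404	/* assumed status code */
#define FUNC_CTRL_PROGRESS	0x0420	/* assumed status code */

/* Minimal stand-in for an sk_buff: a cursor over the received bytes. */
struct evt_buf {
	const uint8_t *data;
	size_t len;
};

/* Same contract as skb_pull_data(): hand back the next n bytes and advance,
 * or return NULL without touching the buffer when fewer than n remain. */
static const void *buf_pull_data(struct evt_buf *b, size_t n)
{
	const void *p = b->data;

	if (b->len < n)
		return NULL;
	b->data += n;
	b->len -= n;
	return p;
}

/*
 * Parse one FUNC_CTRL event. Returns a non-negative enum wmt_status or a
 * negative errno. With strict == 1 a missing status field is rejected with
 * -EINVAL (the behaviour introduced by 006b9943b982); with strict == 0 it
 * is reported as WMT_ON_UNDONE (the behaviour this patch restores).
 */
static int parse_func_ctrl(const uint8_t *pkt, size_t len, int strict)
{
	struct evt_buf b = { pkt, len };
	const struct wmt_evt_hdr *hdr;
	const uint8_t *st;
	uint16_t code;

	hdr = buf_pull_data(&b, sizeof(*hdr));
	if (!hdr)
		return -EINVAL;	/* not even a full header */
	if (hdr->op != WMT_OP_FUNC_CTRL)
		return -EPROTO;	/* wrong opcode for this parser */

	st = buf_pull_data(&b, sizeof(code));
	if (!st) {
		if (strict)
			return -EINVAL;
		/* Firmware omitted the status field: treat as "undone". */
		return WMT_ON_UNDONE;
	}

	code = (uint16_t)((st[0] << 8) | st[1]);	/* big-endian on the wire */
	if (code == FUNC_CTRL_DONE)
		return WMT_ON_DONE;
	if (code == FUNC_CTRL_PROGRESS)
		return WMT_ON_PROGRESS;
	return WMT_ON_UNDONE;
}

/* Constructed sample events (not captured from hardware). */
static const uint8_t evt_done[]      = { 0x02, 0x06, 0x00, 0x02, 0x04, 0x04 };
static const uint8_t evt_progress[]  = { 0x02, 0x06, 0x00, 0x02, 0x04, 0x20 };
static const uint8_t evt_no_status[] = { 0x02, 0x06, 0x00, 0x00 };
static const uint8_t evt_truncated[] = { 0x02, 0x06 };

int main(void)
{
	printf("full event, lenient: %d\n", parse_func_ctrl(evt_done, sizeof(evt_done), 0));
	printf("no status, lenient:  %d\n", parse_func_ctrl(evt_no_status, sizeof(evt_no_status), 0));
	printf("no status, strict:   %d\n", parse_func_ctrl(evt_no_status, sizeof(evt_no_status), 1));
	printf("truncated header:    %d\n", parse_func_ctrl(evt_truncated, sizeof(evt_truncated), 0));
	return 0;
}
```

The point of the model is that the two checks are separable: a header too short to identify the event is still an error in both modes, while only the optional trailing status gets the lenient fallback, so the fix does not reopen the out-of-bounds read that 006b9943b982 closed.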
* Re: [PATCH] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
2026-04-24 19:24 [PATCH] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events Pauli Virtanen
@ 2026-04-24 19:38 ` Luiz Augusto von Dentz
2026-04-24 19:59 ` bluez.test.bot
1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2026-04-24 19:38 UTC (permalink / raw)
To: Pauli Virtanen
Cc: linux-bluetooth, marcel, tristan, linux-mediatek, sean.wang,
mark-yw.chen
Hi Pauli, Tristan,
On Fri, Apr 24, 2026 at 3:25 PM Pauli Virtanen <pav@iki.fi> wrote:
>
> MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
> FUNC_CTRL events that are missing the status field.
>
> Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
> length before struct access") the status was read from out of bounds of
> the SKB data, which would usually result in success with
> BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds
> check added in that commit returns with an error instead, producing
> "Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
> device unusable.
>
> Fix the regression by interpreting a too-short packet as status
> BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
>
> Fixes: 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
> Signed-off-by: Pauli Virtanen <pav@iki.fi>
> ---
>
> Notes:
> AFAICS the commit is not yet pulled and is only in bluetooth-next, so
> maybe this should be just fixup?
Yeah, I'll most likely fix it in place and add your Signed-off-by.
> drivers/bluetooth/btmtk.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
> index ab34f1dd42bc..68a32d11e5ec 100644
> --- a/drivers/bluetooth/btmtk.c
> +++ b/drivers/bluetooth/btmtk.c
> @@ -719,8 +719,8 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
> case BTMTK_WMT_FUNC_CTRL:
> if (!skb_pull_data(data->evt_skb,
> sizeof(wmt_evt_funcc->status))) {
> - err = -EINVAL;
> - goto err_free_skb;
> + status = BTMTK_WMT_ON_UNDONE;
> + break;
This probably means the original change was never tested on real
hardware. We likely need input from the MediaTek team on how to handle
these events, as I don't think a public spec exists.
> }
>
> wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
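Review bot: the fallback accepts any FUNC_CTRL event too short for the status field with no trace in the log, which makes it hard to tell later whether the device is on the known firmware or a new one misbehaving; a bt_dev_dbg() next to `status = BTMTK_WMT_ON_UNDONE;` reporting the actual event length would keep the case observable until MediaTek clarifies the intended format, as the reply above asks for.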
> --
> 2.53.0
>
--
Luiz Augusto von Dentz
* RE: Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
2026-04-24 19:24 [PATCH] Bluetooth: btmtk: accept too short WMT FUNC_CTRL events Pauli Virtanen
2026-04-24 19:38 ` Luiz Augusto von Dentz
@ 2026-04-24 19:59 ` bluez.test.bot
1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-04-24 19:59 UTC (permalink / raw)
To: linux-bluetooth, pav
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1085333
---Test result---
Test Summary:
CheckPatch        PASS   0.60 seconds
GitLint           PASS   0.24 seconds
SubjectPrefix     PASS   0.09 seconds
BuildKernel       PASS   25.71 seconds
CheckAllWarning   PASS   28.17 seconds
CheckSparse       PASS   26.78 seconds
BuildKernel32     PASS   25.12 seconds
TestRunnerSetup   PASS   560.60 seconds
IncrementalBuild  PASS   23.89 seconds
https://github.com/bluez/bluetooth-next/pull/121
---
Regards,
Linux Bluetooth