Linux bluetooth development
* [PATCH] Bluetooth: btmtk: Fix FUNC_CTRL parsing for devices with zero-length payloads
@ 2026-05-14 17:48 Shivam Kalra via B4 Relay
  2026-05-14 18:21 ` bluez.test.bot
  0 siblings, 1 reply; 2+ messages in thread
From: Shivam Kalra via B4 Relay @ 2026-05-14 17:48 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz, Matthias Brugger,
	AngeloGioacchino Del Regno, Tristan Madani
  Cc: Luiz Augusto von Dentz, linux-bluetooth, linux-kernel,
	linux-arm-kernel, linux-mediatek, stable, Shivam Kalra

From: Shivam Kalra <shivamkalra98@zohomail.in>

Commit 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length
before struct access") added strict SKB length checks to prevent OOB
memory reads when parsing WMT events.

However, when enabling the protocol (flag = 0), the MT7922 returns a WMT
event with a zero-length payload (skb->len == 7), omitting the 2-byte
status field entirely.

The strict sizeof() check unconditionally enforced the presence of the
status field for all BTMTK_WMT_FUNC_CTRL events. This caused the driver
to reject these payload-less responses with -EINVAL, failing Bluetooth
initialization ("Failed to send wmt func ctrl (-22)").

Fix this by making skb_pull_data() conditional: if the status payload is
present, parse it as before; if omitted, default to BTMTK_WMT_ON_UNDONE.
This restores the pre-regression initialization behavior while
maintaining the memory safety bounds of the previous patch.

Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221511
Cc: stable@vger.kernel.org
Signed-off-by: Shivam Kalra <shivamkalra98@zohomail.in>
---
Tested on a laptop with a single MediaTek MT7922 (USB ID 0489:e0e0)
Bluetooth controller. Before this patch, Bluetooth initialization failed
with "Failed to send wmt func ctrl (-22)" on every boot. After applying
this patch, initialization succeeds reliably.

This regression is also reported by other users on the kernel bug
tracker [1].

Note: btmtksdio.c and btmtkuart.c have similar FUNC_CTRL parsing code
but were not modified by the original commit 634a4408c061, so they are
not affected by this regression and do not require changes.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=221511
---
 drivers/bluetooth/btmtk.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index f70c1b0f8990..026e5a76b086 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -717,19 +717,19 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
 			status = BTMTK_WMT_PATCH_DONE;
 		break;
 	case BTMTK_WMT_FUNC_CTRL:
-		if (!skb_pull_data(data->evt_skb,
-				   sizeof(wmt_evt_funcc->status))) {
-			err = -EINVAL;
-			goto err_free_skb;
-		}
-
-		wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
-		if (be16_to_cpu(wmt_evt_funcc->status) == 0x404)
-			status = BTMTK_WMT_ON_DONE;
-		else if (be16_to_cpu(wmt_evt_funcc->status) == 0x420)
-			status = BTMTK_WMT_ON_PROGRESS;
-		else
+		if (skb_pull_data(data->evt_skb,
+				  sizeof(wmt_evt_funcc->status))) {
+			wmt_evt_funcc =
+				(struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
+			if (be16_to_cpu(wmt_evt_funcc->status) == 0x404)
+				status = BTMTK_WMT_ON_DONE;
+			else if (be16_to_cpu(wmt_evt_funcc->status) == 0x420)
+				status = BTMTK_WMT_ON_PROGRESS;
+			else
+				status = BTMTK_WMT_ON_UNDONE;
+		} else {
 			status = BTMTK_WMT_ON_UNDONE;
+		}
 		break;
 	case BTMTK_WMT_PATCH_DWNLD:
 		if (wmt_evt->whdr.flag == 2)

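Review bot: status = BTMTK_WMT_ON_UNDONE is now assigned twice in the FUNC_CTRL case, once in the inner else and once in the new outer else; assigning status = BTMTK_WMT_ON_UNDONE once before the skb_pull_data() call and only overriding it on 0x404 / 0x420 removes the duplication and the extra nesting level, and would also shrink the diff since the existing comparison lines would not need re-indenting. Two smaller points: be16_to_cpu(wmt_evt_funcc->status) is evaluated twice and could be read into a local once, and the zero-length branch is silent, so a truncated FUNC_CTRL event from any controller is reported as ON_UNDONE with no trace; a bt_dev_dbg(hdev, ...) in that else branch would make the MT7922 case visible in logs when diagnosing future init failures.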
---
base-commit: 5d6919055dec134de3c40167a490f33c74c12581
change-id: 20260514-bluetooh-fix-mt7922-92bbbeff229b

Best regards,
--  
Shivam Kalra <shivamkalra98@zohomail.in>
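An added, stand-alone model of the FUNC_CTRL parsing discussed in this patch, written for this page and not taken from btmtk.c: it puts the pre-fix strict check beside the fixed lenient one, both running over a fake skb with skb_pull_data() semantics, so the payload-less event, a truncated status and a truncated header can be fed through each. The 7-byte header length follows the commit message's skb->len == 7 figure; the header contents, the fake_skb type, the function names, the enum values and the sample events are this example's own constructions, not the driver's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcomes of a FUNC_CTRL event, named after the driver's BTMTK_WMT_ON_*
 * states; the numeric values are this example's own. */
enum wmt_status { WMT_ON_UNDONE = 0, WMT_ON_DONE = 1, WMT_ON_PROGRESS = 2 };

/* Assumed layout: a 7-byte event header (HCI event header plus WMT header),
 * i.e. the "skb->len == 7" payload-less case from the commit message,
 * optionally followed by a big-endian 16-bit status. */
#define WMT_EVT_HDR_LEN 7
#define WMT_STATUS_LEN  2

/* Stand-in for a socket buffer: just the remaining bytes (constructed). */
struct fake_skb {
	const uint8_t *data;
	size_t len;
};

/* Same contract as the kernel's skb_pull_data(): return the current data
 * pointer and advance past n bytes, or return NULL and change nothing if
 * fewer than n bytes remain. */
static const uint8_t *fake_skb_pull_data(struct fake_skb *skb, size_t n)
{
	const uint8_t *p = skb->data;

	if (skb->len < n)
		return NULL;
	skb->data += n;
	skb->len -= n;
	return p;
}

static uint16_t be16_at(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Status-code mapping used by both variants (0x404 / 0x420 as in the hunk). */
static enum wmt_status status_from_code(uint16_t code)
{
	if (code == 0x404)
		return WMT_ON_DONE;
	if (code == 0x420)
		return WMT_ON_PROGRESS;
	return WMT_ON_UNDONE;
}

/* Pre-fix behaviour: header and status must both be present, so a
 * payload-less event is rejected with -EINVAL (the reported regression).
 * Returns a wmt_status value (>= 0) or a negative errno. */
int parse_func_ctrl_strict(const uint8_t *buf, size_t len)
{
	struct fake_skb skb = { buf, len };
	const uint8_t *st;

	if (!fake_skb_pull_data(&skb, WMT_EVT_HDR_LEN))
		return -EINVAL;
	st = fake_skb_pull_data(&skb, WMT_STATUS_LEN);
	if (!st)
		return -EINVAL;
	return status_from_code(be16_at(st));
}

/* Post-fix behaviour: the header is still mandatory (that is what keeps the
 * read in bounds), but a missing or truncated status is tolerated and
 * reported as WMT_ON_UNDONE instead of an error. */
int parse_func_ctrl(const uint8_t *buf, size_t len)
{
	struct fake_skb skb = { buf, len };
	const uint8_t *st;

	if (!fake_skb_pull_data(&skb, WMT_EVT_HDR_LEN))
		return -EINVAL;
	st = fake_skb_pull_data(&skb, WMT_STATUS_LEN);
	if (!st)
		return WMT_ON_UNDONE;
	return status_from_code(be16_at(st));
}

/* Constructed sample events: header bytes are filler, only the length and
 * the trailing status bytes matter to these parsers. */
const uint8_t evt_done[]         = { 0, 0, 0, 0, 0, 0, 0, 0x04, 0x04 };
const uint8_t evt_progress[]     = { 0, 0, 0, 0, 0, 0, 0, 0x04, 0x20 };
const uint8_t evt_other[]        = { 0, 0, 0, 0, 0, 0, 0, 0x00, 0x01 };
const uint8_t evt_no_payload[]   = { 0, 0, 0, 0, 0, 0, 0 };       /* MT7922 case */
const uint8_t evt_short_status[] = { 0, 0, 0, 0, 0, 0, 0, 0x04 }; /* 1-byte status */
const uint8_t evt_truncated[]    = { 0, 0, 0 };                   /* header missing */

int main(void)
{
	printf("no payload: strict=%d fixed=%d\n",
	       parse_func_ctrl_strict(evt_no_payload, sizeof(evt_no_payload)),
	       parse_func_ctrl(evt_no_payload, sizeof(evt_no_payload)));
	printf("truncated header: strict=%d fixed=%d\n",
	       parse_func_ctrl_strict(evt_truncated, sizeof(evt_truncated)),
	       parse_func_ctrl(evt_truncated, sizeof(evt_truncated)));
	return 0;
}
```

The two parsers differ only in what they do when the second pull fails: the strict one turns the MT7922's 7-byte event into -EINVAL, the fixed one into WMT_ON_UNDONE, while both still refuse a buffer shorter than the header, which is the bound the original length check was protecting.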




* RE: Bluetooth: btmtk: Fix FUNC_CTRL parsing for devices with zero-length payloads
  2026-05-14 17:48 [PATCH] Bluetooth: btmtk: Fix FUNC_CTRL parsing for devices with zero-length payloads Shivam Kalra via B4 Relay
@ 2026-05-14 18:21 ` bluez.test.bot
  0 siblings, 0 replies; 2+ messages in thread
From: bluez.test.bot @ 2026-05-14 18:21 UTC (permalink / raw)
  To: linux-bluetooth, shivamkalra98


This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: drivers/bluetooth/btmtk.c:717
error: drivers/bluetooth/btmtk.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

