* [PATCH v9 1/6] Bluetooth: btmtk: Add firmware size validation in btmtk_setup_firmware_79xx()
2026-07-02 10:14 [PATCH v9 0/6] Bluetooth: btmtk: Add MT7928 support Chris Lu
@ 2026-07-02 10:14 ` Chris Lu
2026-07-02 10:14 ` [PATCH v9 2/6] Bluetooth: btmtksdio: Remove redundant firmware filename override Chris Lu
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Chris Lu @ 2026-07-02 10:14 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz
Cc: Sean Wang, Will Lee, SS Wu, Steve Lee, linux-bluetooth,
linux-kernel, linux-mediatek, Paul Menzel, Chris Lu
Add firmware size validation to prevent out-of-bounds access when loading
truncated or malicious firmware files.
Add three levels of validation:
1. Minimum size check for header and global descriptor
2. Section map bounds check with integer overflow protection using
check_mul_overflow() and check_add_overflow()
3. Section data bounds check before accessing each section
This matches the validation approach used in btmtk_load_cbmcu_firmware().
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Assisted-by: Claude:Sonnet-4.5
---
drivers/bluetooth/btmtk.c | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 02a96342e964..3491060b3ae9 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -145,6 +145,7 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
int err, dlen, i, status;
u8 flag, first_block, retry;
u32 section_num, dl_size, section_offset;
+ size_t expected_size;
u8 cmd[64];
err = request_firmware(&fw, fwname, &hdev->dev);
@@ -153,12 +154,40 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
return err;
}
+ /* Validate minimum firmware size for header and global descriptor */
+ if (fw->size < MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE) {
+ bt_dev_err(hdev, "Firmware file too small: size=%zu, expected at least %u bytes",
+ fw->size, MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
fw_ptr = fw->data;
fw_bin_ptr = fw_ptr;
hdr = (struct btmtk_patch_header *)fw_ptr;
globaldesc = (struct btmtk_global_desc *)(fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE);
section_num = le32_to_cpu(globaldesc->section_num);
+ /* Check for potential integer overflow in size calculation */
+ if (check_mul_overflow((size_t)MTK_FW_ROM_PATCH_SEC_MAP_SIZE,
+ (size_t)section_num, &expected_size) ||
+ check_add_overflow(expected_size,
+ (size_t)(MTK_FW_ROM_PATCH_HEADER_SIZE +
+ MTK_FW_ROM_PATCH_GD_SIZE),
+ &expected_size)) {
+ bt_dev_err(hdev, "Firmware size calculation overflow (section_num=%u)",
+ section_num);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
+ if (fw->size < expected_size) {
+ bt_dev_err(hdev, "Firmware truncated: size=%zu, expected=%zu (section_num=%u)",
+ fw->size, expected_size, section_num);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
bt_dev_info(hdev, "HW/SW Version: 0x%04x%04x, Build Time: %s",
le16_to_cpu(hdr->hwver), le16_to_cpu(hdr->swver), hdr->datetime);
@@ -171,6 +200,16 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
section_offset = le32_to_cpu(sectionmap->secoffset);
dl_size = le32_to_cpu(sectionmap->bin_info_spec.dlsize);
+ /* Validate section boundaries to prevent out-of-bounds access */
+ if (dl_size > 0 &&
+ (section_offset > fw->size ||
+ dl_size > fw->size - section_offset)) {
+ bt_dev_err(hdev, "Section %d out of bounds: offset=%u, size=%u, fw_size=%zu",
+ i, section_offset, dl_size, fw->size);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
/* MT6639: only download sections where dlmode byte0 == 0x01,
* matching the Windows driver behavior which skips WiFi/other
* sections that would cause the chip to hang.
--
2.45.2
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH v9 2/6] Bluetooth: btmtksdio: Remove redundant firmware filename override
2026-07-02 10:14 [PATCH v9 0/6] Bluetooth: btmtk: Add MT7928 support Chris Lu
2026-07-02 10:14 ` [PATCH v9 1/6] Bluetooth: btmtk: Add firmware size validation in btmtk_setup_firmware_79xx() Chris Lu
@ 2026-07-02 10:14 ` Chris Lu
2026-07-02 10:14 ` [PATCH v9 3/6] Bluetooth: btmtksdio: Pass hardware dev_id to mt79xx_setup() Chris Lu
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Chris Lu @ 2026-07-02 10:14 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz
Cc: Sean Wang, Will Lee, SS Wu, Steve Lee, linux-bluetooth,
linux-kernel, linux-mediatek, Paul Menzel, Chris Lu
btmtksdio_setup() calls btmtk_fw_get_filename() to generate the correct
firmware filename based on chip ID, then immediately overwrites it with
snprintf() using a generic legacy format. This causes newer chips that
require chip-specific firmware paths (MT6639, MT7925, MT7928) to request
incorrect legacy filenames, leading to firmware load failures.
The USB driver (btmtkusb.c) correctly uses btmtk_fw_get_filename()
without overriding the result. Match that behavior by removing the
redundant snprintf() call.
Fixes: 7f935b21bee4 ("Bluetooth: btmtk: apply the common btmtk_fw_get_filename")
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
---
drivers/bluetooth/btmtksdio.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
index 5b0fab7b89b5..d5f3fd002f85 100644
--- a/drivers/bluetooth/btmtksdio.c
+++ b/drivers/bluetooth/btmtksdio.c
@@ -1139,9 +1139,6 @@ static int btmtksdio_setup(struct hci_dev *hdev)
btmtk_fw_get_filename(fwname, sizeof(fwname), dev_id,
fw_version, 0);
- snprintf(fwname, sizeof(fwname),
- "mediatek/BT_RAM_CODE_MT%04x_1_%x_hdr.bin",
- dev_id & 0xffff, (fw_version & 0xff) + 1);
err = mt79xx_setup(hdev, fwname);
if (err < 0)
return err;
--
2.45.2
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH v9 3/6] Bluetooth: btmtksdio: Pass hardware dev_id to mt79xx_setup()
2026-07-02 10:14 [PATCH v9 0/6] Bluetooth: btmtk: Add MT7928 support Chris Lu
2026-07-02 10:14 ` [PATCH v9 1/6] Bluetooth: btmtk: Add firmware size validation in btmtk_setup_firmware_79xx() Chris Lu
2026-07-02 10:14 ` [PATCH v9 2/6] Bluetooth: btmtksdio: Remove redundant firmware filename override Chris Lu
@ 2026-07-02 10:14 ` Chris Lu
2026-07-02 10:14 ` [PATCH v9 4/6] Bluetooth: btmtk: Replace magic numbers with WMT packet flag enum Chris Lu
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Chris Lu @ 2026-07-02 10:14 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz
Cc: Sean Wang, Will Lee, SS Wu, Steve Lee, linux-bluetooth,
linux-kernel, linux-mediatek, Paul Menzel, Chris Lu
mt79xx_setup() hardcodes dev_id=0 when calling btmtk_setup_firmware_79xx(),
causing SDIO devices to log incorrect chip ID "BT HW ver: 0x0000" instead
of the actual hardware version read from register 0x70010200.
Pass the hardware dev_id to mt79xx_setup() and forward it to
btmtk_setup_firmware_79xx() to match USB driver behavior and display
correct chip identification.
Fixes: 28b7c5a6db74 ("Bluetooth: btmtk: Add MT6639 (MT7927) Bluetooth support")
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
---
drivers/bluetooth/btmtksdio.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
index d5f3fd002f85..3e9f143e2bf5 100644
--- a/drivers/bluetooth/btmtksdio.c
+++ b/drivers/bluetooth/btmtksdio.c
@@ -876,14 +876,14 @@ static int mt76xx_setup(struct hci_dev *hdev, const char *fwname)
return 0;
}
-static int mt79xx_setup(struct hci_dev *hdev, const char *fwname)
+static int mt79xx_setup(struct hci_dev *hdev, const char *fwname, u32 dev_id)
{
struct btmtksdio_dev *bdev = hci_get_drvdata(hdev);
struct btmtk_hci_wmt_params wmt_params;
u8 param = 0x1;
int err;
- err = btmtk_setup_firmware_79xx(hdev, fwname, mtk_hci_wmt_sync, 0);
+ err = btmtk_setup_firmware_79xx(hdev, fwname, mtk_hci_wmt_sync, dev_id);
if (err < 0) {
bt_dev_err(hdev, "Failed to setup 79xx firmware (%d)", err);
return err;
@@ -1139,7 +1139,7 @@ static int btmtksdio_setup(struct hci_dev *hdev)
btmtk_fw_get_filename(fwname, sizeof(fwname), dev_id,
fw_version, 0);
- err = mt79xx_setup(hdev, fwname);
+ err = mt79xx_setup(hdev, fwname, dev_id);
if (err < 0)
return err;
--
2.45.2
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH v9 4/6] Bluetooth: btmtk: Replace magic numbers with WMT packet flag enum
2026-07-02 10:14 [PATCH v9 0/6] Bluetooth: btmtk: Add MT7928 support Chris Lu
` (2 preceding siblings ...)
2026-07-02 10:14 ` [PATCH v9 3/6] Bluetooth: btmtksdio: Pass hardware dev_id to mt79xx_setup() Chris Lu
@ 2026-07-02 10:14 ` Chris Lu
2026-07-02 10:14 ` [PATCH v9 5/6] Bluetooth: btmtk: Improve BT firmware logging Chris Lu
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Chris Lu @ 2026-07-02 10:14 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz
Cc: Sean Wang, Will Lee, SS Wu, Steve Lee, linux-bluetooth,
linux-kernel, linux-mediatek, Paul Menzel, Chris Lu
Add BTMTK_WMT_PKT_* enum to represent WMT download packet sequence flags,
improving code readability. Replace magic numbers (1, 2, 3) in
btmtk_setup_firmware_79xx() and btmtk_setup_firmware() with descriptive
enum values:
- BTMTK_WMT_PKT_START (1): First packet of a sequence
- BTMTK_WMT_PKT_CONTINUE (2): Continuation packet
- BTMTK_WMT_PKT_END (3): Final packet of a sequence
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Assisted-by: Claude:Sonnet-4.5
---
drivers/bluetooth/btmtk.c | 12 ++++++------
drivers/bluetooth/btmtk.h | 6 ++++++
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 3491060b3ae9..3fe6b4fdc438 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -269,12 +269,12 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
while (dl_size > 0) {
dlen = min_t(int, 250, dl_size);
if (first_block == 1) {
- flag = 1;
+ flag = BTMTK_WMT_PKT_START;
first_block = 0;
} else if (dl_size - dlen <= 0) {
- flag = 3;
+ flag = BTMTK_WMT_PKT_END;
} else {
- flag = 2;
+ flag = BTMTK_WMT_PKT_CONTINUE;
}
wmt_params.flag = flag;
@@ -353,7 +353,7 @@ int btmtk_setup_firmware(struct hci_dev *hdev, const char *fwname,
fw_size -= 30;
fw_ptr += 30;
- flag = 1;
+ flag = BTMTK_WMT_PKT_START;
wmt_params.op = BTMTK_WMT_PATCH_DWNLD;
wmt_params.status = NULL;
@@ -363,9 +363,9 @@ int btmtk_setup_firmware(struct hci_dev *hdev, const char *fwname,
/* Tell device the position in sequence */
if (fw_size - dlen <= 0)
- flag = 3;
+ flag = BTMTK_WMT_PKT_END;
else if (fw_size < fw->size - 30)
- flag = 2;
+ flag = BTMTK_WMT_PKT_CONTINUE;
wmt_params.flag = flag;
wmt_params.dlen = dlen;
diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
index c83c24897c95..51c18dde0a80 100644
--- a/drivers/bluetooth/btmtk.h
+++ b/drivers/bluetooth/btmtk.h
@@ -66,6 +66,12 @@ enum {
BTMTK_WMT_ON_PROGRESS,
};
+enum {
+ BTMTK_WMT_PKT_START = 1,
+ BTMTK_WMT_PKT_CONTINUE = 2,
+ BTMTK_WMT_PKT_END = 3,
+};
+
struct btmtk_wmt_hdr {
u8 dir;
u8 op;
--
2.45.2
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH v9 5/6] Bluetooth: btmtk: Improve BT firmware logging
2026-07-02 10:14 [PATCH v9 0/6] Bluetooth: btmtk: Add MT7928 support Chris Lu
` (3 preceding siblings ...)
2026-07-02 10:14 ` [PATCH v9 4/6] Bluetooth: btmtk: Replace magic numbers with WMT packet flag enum Chris Lu
@ 2026-07-02 10:14 ` Chris Lu
2026-07-02 10:14 ` [PATCH v9 6/6] Bluetooth: btmtk: Add MT7928 support Chris Lu
2026-07-04 3:37 ` [PATCH v9 0/6] " Chris Lu (陸稚泓)
6 siblings, 0 replies; 8+ messages in thread
From: Chris Lu @ 2026-07-02 10:14 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz
Cc: Sean Wang, Will Lee, SS Wu, Steve Lee, linux-bluetooth,
linux-kernel, linux-mediatek, Paul Menzel, Chris Lu
Improve firmware loading log messages to provide more useful information:
- Add firmware filename before loading to help identify which file
is being loaded
- Display chip ID (dev_id) as HW version instead of firmware's hwver
field, which provides more meaningful hardware identification
- Use %.16s format specifier for hdr->datetime field to prevent
potential buffer over-read, as the field is a 16-byte array that
may not be null-terminated
log output with MT7922
[ 212.878783] Bluetooth: hci1: Loading BT firmware: mediatek/BT_RAM_CODE_MT7922_1_1_hdr.bin
[ 212.889614] Bluetooth: hci1: BT HW ver: 0x7922, SW ver: 0x008a, Build Time: 20260224103448
[ 216.048877] Bluetooth: hci1: Device setup in 3096530 usecs
[ 216.048890] Bluetooth: hci1: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported.
[ 216.114179] Bluetooth: hci1: AOSP extensions version v1.00
[ 216.114220] Bluetooth: hci1: AOSP quality report is supported
[ 216.116782] Bluetooth: MGMT ver 1.23
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Assisted-by: Claude:Sonnet-4.5
---
drivers/bluetooth/btmtk.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 3fe6b4fdc438..75519765bb49 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -148,6 +148,8 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
size_t expected_size;
u8 cmd[64];
+ bt_dev_info(hdev, "Loading BT firmware: %s", fwname);
+
err = request_firmware(&fw, fwname, &hdev->dev);
if (err < 0) {
bt_dev_err(hdev, "Failed to load firmware file (%d)", err);
@@ -188,8 +190,8 @@ int btmtk_setup_firmware_79xx(struct hci_dev *hdev, const char *fwname,
goto err_release_fw;
}
- bt_dev_info(hdev, "HW/SW Version: 0x%04x%04x, Build Time: %s",
- le16_to_cpu(hdr->hwver), le16_to_cpu(hdr->swver), hdr->datetime);
+ bt_dev_info(hdev, "BT HW ver: 0x%04x, SW ver: 0x%04x, Build Time: %.16s",
+ dev_id & 0xffff, le16_to_cpu(hdr->swver), hdr->datetime);
for (i = 0; i < section_num; i++) {
first_block = 1;
--
2.45.2
^ permalink raw reply related [flat|nested] 8+ messages in thread* [PATCH v9 6/6] Bluetooth: btmtk: Add MT7928 support
2026-07-02 10:14 [PATCH v9 0/6] Bluetooth: btmtk: Add MT7928 support Chris Lu
` (4 preceding siblings ...)
2026-07-02 10:14 ` [PATCH v9 5/6] Bluetooth: btmtk: Improve BT firmware logging Chris Lu
@ 2026-07-02 10:14 ` Chris Lu
2026-07-04 3:37 ` [PATCH v9 0/6] " Chris Lu (陸稚泓)
6 siblings, 0 replies; 8+ messages in thread
From: Chris Lu @ 2026-07-02 10:14 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Von Dentz
Cc: Sean Wang, Will Lee, SS Wu, Steve Lee, linux-bluetooth,
linux-kernel, linux-mediatek, Paul Menzel, Chris Lu
Add support for MT7928 (internal device ID is MT7935) which requires
additional firmware (CBMCU firmware) loading before Bluetooth firmware.
CBMCU is a new component on MT7928 to handle common part shared across
the combo chip (Wi-Fi/Bluetooth's subsystem), providing a better user
experience through improved coordination between subsystems.
Implement two-phase CBMCU firmware download: Phase 1 loads section with
type 0x5 containing global descriptor, section maps and signature data;
Phase 2 loads remaining firmware sections. Add retry mechanism for
concurrent download protection.
After CBMCU firmware loads successfully, the driver continues to load
corresponding BT firmware based on device ID through fallthrough to
case 0x7922/0x7925.
Use %.16s format specifier for hdr->datetime field in CBMCU firmware
logging to prevent potential buffer over-read, as the field is a 16-byte
array that may not be null-terminated.
The firmware(CBMCU_CODE_MT7935_1_1.bin/BT_RAM_CODE_MT7935_1_1_hdr.bin)
required for MT7928 will be scheduled for upload to linux-firmware at
a later stage.
MT7928 bring-up kernel log:
[ 6931.197167] usb 1-3: New USB device found, idVendor=0e8d, idProduct=7935, bcdDevice= 1.00
[ 6931.197212] usb 1-3: New USB device strings: Mfr=5, Product=6, SerialNumber=7
[ 6931.197237] usb 1-3: Product: Wireless_Device
[ 6931.197258] usb 1-3: Manufacturer: MediaTek Inc.
[ 6931.197279] usb 1-3: SerialNumber: 000000000
[ 6931.213478] Bluetooth: hci1: Loading CBMCU firmware: mediatek/mt7928/CBMCU_CODE_MT7935_1_1.bin
[ 6931.215214] Bluetooth: hci1: CBMCU HW ver: 0x7935, SW ver: 0x0000, Build Time: 20260601T161751+
[ 6931.623962] Bluetooth: hci1: CBMCU firmware download completed
[ 6931.643916] Bluetooth: hci1: Loading BT firmware: mediatek/mt7928/BT_RAM_CODE_MT7935_1_1_hdr.bin
[ 6931.650467] Bluetooth: hci1: BT HW ver: 0x7935, SW ver: 0x0000, Build Time: 20260527000816
[ 6935.039790] Bluetooth: hci1: Device setup in 3369644 usecs
[ 6935.039833] Bluetooth: hci1: HCI Enhanced Setup Synchronous Connection command is advertised, but not supported.
[ 6935.160654] Bluetooth: hci1: AOSP extensions version v2.00
[ 6935.160710] Bluetooth: hci1: AOSP quality report is supported
[ 6935.162954] Bluetooth: MGMT ver 1.23
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Sean Wang <sean.wang@mediatek.com>
Assisted-by: Claude:Sonnet-4.5
---
drivers/bluetooth/btmtk.c | 370 +++++++++++++++++++++++++++++++++++++-
drivers/bluetooth/btmtk.h | 3 +
2 files changed, 372 insertions(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 75519765bb49..50d3d69f91d3 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -21,6 +21,12 @@
#define MTK_FW_ROM_PATCH_SEC_MAP_SIZE 64
#define MTK_SEC_MAP_COMMON_SIZE 12
#define MTK_SEC_MAP_NEED_SEND_SIZE 52
+#define MTK_SEC_MAP_LENGTH_SIZE 4
+#define MTK_SEC_CBMCU_DESC 0x5
+
+/* CBMCU WMT command flags */
+#define BTMTK_CBMCU_FLAG_QUERY_STATUS 0xF0
+#define BTMTK_CBMCU_FLAG_ENABLE_PATCH 0xF1
/* It is for mt79xx iso data transmission setting */
#define MTK_ISO_THRESHOLD 264
@@ -120,6 +126,11 @@ void btmtk_fw_get_filename(char *buf, size_t size, u32 dev_id, u32 fw_ver,
snprintf(buf, size,
"mediatek/mt%04x/BT_RAM_CODE_MT%04x_1_%x_hdr.bin",
dev_id & 0xffff, dev_id & 0xffff, (fw_ver & 0xff) + 1);
+ /* MT7928 */
+ else if (dev_id == 0x7935)
+ snprintf(buf, size,
+ "mediatek/mt7928/BT_RAM_CODE_MT%04x_1_1_hdr.bin",
+ dev_id & 0xffff);
else if (dev_id == 0x7961 && fw_flavor)
snprintf(buf, size,
"mediatek/BT_RAM_CODE_MT%04x_1a_%x_hdr.bin",
@@ -775,6 +786,7 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
status = BTMTK_WMT_ON_UNDONE;
break;
case BTMTK_WMT_PATCH_DWNLD:
+ case BTMTK_WMT_CBMCU_DWNLD:
if (wmt_evt->whdr.flag == 2)
status = BTMTK_WMT_PATCH_DONE;
else if (wmt_evt->whdr.flag == 1)
@@ -911,6 +923,351 @@ static u32 btmtk_usb_reset_done(struct hci_dev *hdev)
return val & MTK_BT_RST_DONE;
}
+static int btmtk_cbmcu_patch_status(struct hci_dev *hdev,
+ wmt_cmd_sync_func_t wmt_cmd_sync,
+ u8 *patch_status)
+{
+ struct btmtk_hci_wmt_params wmt_params;
+ int status, err, retry = 20;
+
+ do {
+ wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
+ wmt_params.flag = BTMTK_CBMCU_FLAG_QUERY_STATUS;
+ wmt_params.dlen = 0;
+ wmt_params.data = NULL;
+ wmt_params.status = &status;
+
+ err = wmt_cmd_sync(hdev, &wmt_params);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to query CBMCU patch status (%d)", err);
+ return err;
+ }
+
+ *patch_status = (u8)status;
+
+ if (*patch_status == BTMTK_WMT_PATCH_PROGRESS) {
+ msleep(100);
+ retry--;
+ } else {
+ break;
+ }
+ } while (retry > 0);
+
+ if (*patch_status == BTMTK_WMT_PATCH_PROGRESS) {
+ bt_dev_err(hdev, "CBMCU patch status query timeout");
+ return -ETIMEDOUT;
+ }
+
+ return 0;
+}
+
+static int btmtk_query_cbmcu_section(struct hci_dev *hdev,
+ wmt_cmd_sync_func_t wmt_cmd_sync,
+ u8 cbmcu_type,
+ const u8 *section_map,
+ u32 cert_len)
+{
+ struct btmtk_hci_wmt_params wmt_params;
+ u8 cmd[64];
+ int status, err;
+
+ cmd[0] = 0;
+ cmd[1] = cbmcu_type;
+
+ if (cbmcu_type == 0)
+ put_unaligned_le32(cert_len, &cmd[2]);
+ else
+ memcpy(&cmd[2], section_map, MTK_SEC_MAP_NEED_SEND_SIZE);
+
+ wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
+ wmt_params.flag = 0;
+ wmt_params.dlen = cbmcu_type ?
+ MTK_SEC_MAP_NEED_SEND_SIZE + 2 :
+ MTK_SEC_MAP_LENGTH_SIZE + 2;
+ wmt_params.data = cmd;
+ wmt_params.status = &status;
+
+ err = wmt_cmd_sync(hdev, &wmt_params);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to query CBMCU section (%d)", err);
+ return err;
+ }
+
+ /* Query should return UNDONE status for successful section query */
+ if (status != BTMTK_WMT_PATCH_UNDONE) {
+ bt_dev_err(hdev, "CBMCU section query status error (%d)", status);
+ return -EIO;
+ }
+
+ return 0;
+}
+
+static int btmtk_download_cbmcu_section(struct hci_dev *hdev,
+ wmt_cmd_sync_func_t wmt_cmd_sync,
+ const u8 *fw_data,
+ u32 dl_size)
+{
+ struct btmtk_hci_wmt_params wmt_params;
+ u32 sent_len, total_size = dl_size;
+ int err;
+
+ wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
+ wmt_params.status = NULL;
+
+ while (dl_size > 0) {
+ sent_len = min_t(u32, 250, dl_size);
+
+ if (dl_size == total_size)
+ wmt_params.flag = BTMTK_WMT_PKT_START;
+ else if (dl_size == sent_len)
+ wmt_params.flag = BTMTK_WMT_PKT_END;
+ else
+ wmt_params.flag = BTMTK_WMT_PKT_CONTINUE;
+
+ wmt_params.dlen = sent_len;
+ wmt_params.data = fw_data;
+
+ err = wmt_cmd_sync(hdev, &wmt_params);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to send CBMCU section data (%d)", err);
+ return err;
+ }
+
+ dl_size -= sent_len;
+ fw_data += sent_len;
+ }
+
+ return 0;
+}
+
+static int btmtk_enable_cbmcu_patch(struct hci_dev *hdev,
+ wmt_cmd_sync_func_t wmt_cmd_sync)
+{
+ struct btmtk_hci_wmt_params wmt_params;
+ int err;
+
+ wmt_params.op = BTMTK_WMT_CBMCU_DWNLD;
+ wmt_params.flag = BTMTK_CBMCU_FLAG_ENABLE_PATCH;
+ wmt_params.dlen = 0;
+ wmt_params.data = NULL;
+ wmt_params.status = NULL;
+
+ err = wmt_cmd_sync(hdev, &wmt_params);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to enable CBMCU patch (%d)", err);
+ return err;
+ }
+
+ return 0;
+}
+
+static int btmtk_load_cbmcu_firmware(struct hci_dev *hdev,
+ const char *fwname,
+ wmt_cmd_sync_func_t wmt_cmd_sync,
+ u32 dev_id)
+{
+ struct btmtk_patch_header *hdr;
+ struct btmtk_global_desc *globaldesc;
+ struct btmtk_section_map *sectionmap;
+ const struct firmware *fw;
+ const u8 *fw_ptr;
+ u8 *cert_buf = NULL;
+ u32 section_num, section_offset, dl_size, cert_len;
+ size_t expected_size;
+ int i, err;
+
+ err = request_firmware(&fw, fwname, &hdev->dev);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to load CBMCU firmware file %s (%d)",
+ fwname, err);
+ return err;
+ }
+
+ if (fw->size < MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE) {
+ bt_dev_err(hdev, "CBMCU firmware too small: size=%zu, min=%u",
+ fw->size,
+ MTK_FW_ROM_PATCH_HEADER_SIZE + MTK_FW_ROM_PATCH_GD_SIZE);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
+ fw_ptr = fw->data;
+ hdr = (struct btmtk_patch_header *)fw_ptr;
+ globaldesc = (struct btmtk_global_desc *)(fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE);
+ section_num = le32_to_cpu(globaldesc->section_num);
+
+ /* Check for potential integer overflow in size calculation */
+ if (check_mul_overflow((size_t)MTK_FW_ROM_PATCH_SEC_MAP_SIZE,
+ (size_t)section_num, &expected_size) ||
+ check_add_overflow(expected_size,
+ (size_t)(MTK_FW_ROM_PATCH_HEADER_SIZE +
+ MTK_FW_ROM_PATCH_GD_SIZE),
+ &expected_size)) {
+ bt_dev_err(hdev, "CBMCU firmware size calculation overflow (section_num=%u)",
+ section_num);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
+ if (fw->size < expected_size) {
+ bt_dev_err(hdev, "CBMCU firmware truncated: size=%zu, expected=%zu (section_num=%u)",
+ fw->size, expected_size, section_num);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
+ bt_dev_info(hdev, "CBMCU HW ver: 0x%04x, SW ver: 0x%04x, Build Time: %.16s",
+ dev_id & 0xffff, le16_to_cpu(hdr->swver), hdr->datetime);
+
+ /* Phase 1: Download section type MTK_SEC_CBMCU_DESC */
+ for (i = 0; i < section_num; i++) {
+ sectionmap = (struct btmtk_section_map *)
+ (fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE +
+ MTK_FW_ROM_PATCH_GD_SIZE +
+ MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i);
+
+ /* Only process MTK_SEC_CBMCU_DESC section in Phase 1 */
+ if ((le32_to_cpu(sectionmap->sectype) & 0xFFFF) != MTK_SEC_CBMCU_DESC)
+ continue;
+
+ section_offset = le32_to_cpu(sectionmap->secoffset);
+ dl_size = le32_to_cpu(sectionmap->secsize);
+
+ if (dl_size == 0)
+ continue;
+
+ if (section_offset > fw->size ||
+ dl_size > fw->size - section_offset) {
+ bt_dev_err(hdev, "CBMCU Phase 1 section out of bounds");
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
+ cert_len = MTK_FW_ROM_PATCH_GD_SIZE +
+ MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num +
+ dl_size;
+
+ /* Query cbmcu section */
+ err = btmtk_query_cbmcu_section(hdev, wmt_cmd_sync, 0, NULL,
+ cert_len);
+ if (err < 0)
+ goto err_release_fw;
+
+ cert_buf = kmalloc(cert_len, GFP_KERNEL);
+ if (!cert_buf) {
+ err = -ENOMEM;
+ goto err_release_fw;
+ }
+
+ /* Copy Global Descriptor + All Section Maps */
+ memcpy(cert_buf,
+ fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE,
+ MTK_FW_ROM_PATCH_GD_SIZE + MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num);
+
+ /* Copy Phase 1 section data */
+ memcpy(cert_buf + MTK_FW_ROM_PATCH_GD_SIZE +
+ MTK_FW_ROM_PATCH_SEC_MAP_SIZE * section_num,
+ fw_ptr + section_offset,
+ dl_size);
+
+ /* Download Phase 1 section */
+ err = btmtk_download_cbmcu_section(hdev, wmt_cmd_sync,
+ cert_buf, cert_len);
+ kfree(cert_buf);
+ cert_buf = NULL;
+
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to download CBMCU Phase 1 section (%d)", err);
+ goto err_release_fw;
+ }
+
+ break;
+ }
+
+ /* Phase 2: Download other sections (type != MTK_SEC_CBMCU_DESC) */
+ for (i = 0; i < section_num; i++) {
+ sectionmap = (struct btmtk_section_map *)
+ (fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE +
+ MTK_FW_ROM_PATCH_GD_SIZE +
+ MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i);
+
+ /* Skip MTK_SEC_CBMCU_DESC section in Phase 2 */
+ if ((le32_to_cpu(sectionmap->sectype) & 0xFFFF) == MTK_SEC_CBMCU_DESC)
+ continue;
+
+ section_offset = le32_to_cpu(sectionmap->secoffset);
+ dl_size = le32_to_cpu(sectionmap->bin_info_spec.dlsize);
+
+ if (dl_size == 0)
+ continue;
+
+ if (section_offset > fw->size ||
+ dl_size > fw->size - section_offset) {
+ bt_dev_err(hdev, "CBMCU Phase 2 section %d out of bounds", i);
+ err = -EINVAL;
+ goto err_release_fw;
+ }
+
+ /* Query cbmcu section */
+ err = btmtk_query_cbmcu_section(hdev, wmt_cmd_sync, 1,
+ (u8 *)§ionmap->bin_info_spec,
+ 0);
+ if (err < 0)
+ goto err_release_fw;
+
+ /* Download section data */
+ err = btmtk_download_cbmcu_section(hdev, wmt_cmd_sync,
+ fw_ptr + section_offset,
+ dl_size);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to download CBMCU section %d (%d)", i, err);
+ goto err_release_fw;
+ }
+ }
+
+ bt_dev_info(hdev, "CBMCU firmware download completed");
+
+err_release_fw:
+ release_firmware(fw);
+ return err;
+}
+
+static int btmtk_setup_cbmcu_firmware(struct hci_dev *hdev,
+ wmt_cmd_sync_func_t wmt_cmd_sync,
+ u32 dev_id)
+{
+ char cbmcu_fwname[64];
+ u8 patch_status;
+ int err;
+
+ err = btmtk_cbmcu_patch_status(hdev, wmt_cmd_sync, &patch_status);
+ if (err < 0)
+ return err;
+
+ bt_dev_dbg(hdev, "CBMCU patch status: 0x%02x", patch_status);
+
+ if (patch_status != BTMTK_WMT_PATCH_UNDONE)
+ return 0;
+
+ snprintf(cbmcu_fwname, sizeof(cbmcu_fwname),
+ "mediatek/mt7928/CBMCU_CODE_MT%04x_1_1.bin",
+ dev_id & 0xffff);
+
+ bt_dev_info(hdev, "Loading CBMCU firmware: %s", cbmcu_fwname);
+
+ err = btmtk_load_cbmcu_firmware(hdev, cbmcu_fwname, wmt_cmd_sync, dev_id);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to download CBMCU firmware (%d)", err);
+ return err;
+ }
+
+ err = btmtk_enable_cbmcu_patch(hdev, wmt_cmd_sync);
+ if (err < 0)
+ return err;
+
+ return 0;
+}
+
int btmtk_usb_subsys_reset(struct hci_dev *hdev, u32 dev_id)
{
u32 val;
@@ -935,7 +1292,7 @@ int btmtk_usb_subsys_reset(struct hci_dev *hdev, u32 dev_id)
if (err < 0)
return err;
msleep(100);
- } else if (dev_id == 0x7925 || dev_id == 0x6639) {
+ } else if (dev_id == 0x7925 || dev_id == 0x6639 || dev_id == 0x7935) {
err = btmtk_usb_uhw_reg_read(hdev, MTK_BT_RESET_REG_CONNV3, &val);
if (err < 0)
return err;
@@ -1420,6 +1777,15 @@ int btmtk_usb_setup(struct hci_dev *hdev)
case 0x7668:
fwname = FIRMWARE_MT7668;
break;
+ case 0x7935:
+ /* Requires CBMCU firmware before BT firmware */
+ err = btmtk_setup_cbmcu_firmware(hdev, btmtk_usb_hci_wmt_sync,
+ dev_id);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to set up CBMCU firmware (%d)", err);
+ return err;
+ }
+ fallthrough;
case 0x7922:
case 0x7925:
/*
@@ -1637,3 +2003,5 @@ MODULE_FIRMWARE(FIRMWARE_MT7922);
MODULE_FIRMWARE(FIRMWARE_MT7961);
MODULE_FIRMWARE(FIRMWARE_MT7925);
MODULE_FIRMWARE(FIRMWARE_MT7927);
+MODULE_FIRMWARE(FIRMWARE_MT7928);
+MODULE_FIRMWARE(FIRMWARE_MT7928_CBMCU);
diff --git a/drivers/bluetooth/btmtk.h b/drivers/bluetooth/btmtk.h
index 51c18dde0a80..5fe4964b031b 100644
--- a/drivers/bluetooth/btmtk.h
+++ b/drivers/bluetooth/btmtk.h
@@ -9,6 +9,8 @@
#define FIRMWARE_MT7961 "mediatek/BT_RAM_CODE_MT7961_1_2_hdr.bin"
#define FIRMWARE_MT7925 "mediatek/mt7925/BT_RAM_CODE_MT7925_1_1_hdr.bin"
#define FIRMWARE_MT7927 "mediatek/mt7927/BT_RAM_CODE_MT6639_2_1_hdr.bin"
+#define FIRMWARE_MT7928 "mediatek/mt7928/BT_RAM_CODE_MT7935_1_1_hdr.bin"
+#define FIRMWARE_MT7928_CBMCU "mediatek/mt7928/CBMCU_CODE_MT7935_1_1.bin"
#define HCI_EV_WMT 0xe4
#define HCI_WMT_MAX_EVENT_SIZE 64
@@ -54,6 +56,7 @@ enum {
BTMTK_WMT_RST = 0x7,
BTMTK_WMT_REGISTER = 0x8,
BTMTK_WMT_SEMAPHORE = 0x17,
+ BTMTK_WMT_CBMCU_DWNLD = 0x58,
};
enum {
--
2.45.2
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH v9 0/6] Bluetooth: btmtk: Add MT7928 support
2026-07-02 10:14 [PATCH v9 0/6] Bluetooth: btmtk: Add MT7928 support Chris Lu
` (5 preceding siblings ...)
2026-07-02 10:14 ` [PATCH v9 6/6] Bluetooth: btmtk: Add MT7928 support Chris Lu
@ 2026-07-04 3:37 ` Chris Lu (陸稚泓)
6 siblings, 0 replies; 8+ messages in thread
From: Chris Lu (陸稚泓) @ 2026-07-04 3:37 UTC (permalink / raw)
To: luiz.dentz@gmail.com, johan.hedberg@gmail.com,
marcel@holtmann.org
Cc: pmenzel@molgen.mpg.de, Will-CY Lee (李政穎),
Steve Lee (李視誠),
SS Wu (巫憲欣), linux-kernel@vger.kernel.org,
Sean Wang, linux-bluetooth@vger.kernel.org,
linux-mediatek@lists.infradead.org
Hi Luiz,
On Thu, 2026-07-02 at 18:14 +0800, Chris Lu wrote:
> This patch series adds support for MT7928 (device ID 0x7935) to the
> btmtk driver, which requires a new two-stage firmware loading process
> with CBMCU firmware.
>
> The series is organized to fix existing issues first, then improve
> code
> quality, and finally add new functionality:
>
> Patch 1 fixes a pre-existing security issue in
> btmtk_setup_firmware_79xx()
> by adding comprehensive firmware size validation to prevent out-of-
> bounds
> memory access with truncated or malicious firmware files.
>
> Patch 2 fixes a pre-existing bug in btmtksdio_setup() where
> btmtk_fw_get_filename() generates the correct firmware path but is
> immediately overwritten by snprintf() with a generic legacy format,
> causing newer chips to request incorrect filenames.
>
> Patch 3 fixes a regression introduced in commit 28b7c5a6db74
> ("Bluetooth: btmtk: Add MT6639 (MT7927) Bluetooth support") where
> SDIO devices would incorrectly log "BT HW ver: 0x0000" due to
> hardcoded dev_id=0.
>
> Patch 4 refactors existing firmware download code by replacing magic
> numbers with a descriptive BTMTK_WMT_PKT_* enum, making the packet
> sequencing logic clearer.
>
> Patch 5 improves BT firmware logging to provide more useful
> information
> for debugging: adds firmware filename before loading and displays
> chip ID
> as HW version instead of firmware's hwver field.
>
> Patch 6 implements MT7928 firmware download flow, which requires
> loading
> CBMCU firmware before Bluetooth firmware. The CBMCU firmware uses a
> two-phase download sequence: Phase 1 downloads the section containing
> global descriptor and signature data, Phase 2 downloads the remaining
> firmware sections.
>
> Tested on MT7928 hardware with successful firmware loading and
> Bluetooth functionality verification.
>
> Changes in v9:
> - Reorder patches to group SDIO fixes together (Patch 2-3)
> - Patch 1 (was Patch 2): Fix firmware size validation in
> btmtk_setup_firmware_79xx()
> - Patch 2 (was Patch 1): Fix firmware filename override in
> btmtksdio_setup()
> btmtk_fw_get_filename() result was incorrectly overwritten by
> snprintf()
>
> Changes in v8:
> - Add Patch 1 (now Patch 2) to fix firmware size validation in
> btmtk_setup_firmware_79xx()
> - Add Patch 2 (now Patch 3) to fix SDIO device logging regression
> SDIO devices were passing hardcoded 0, causing "BT HW ver: 0x0000"
> log
>
> Changes in v7:
> - Patch 4 (was Patch 1): Extend magic number refactoring to
> btmtk_setup_firmware() in addition to btmtk_setup_firmware_79xx()
> for
> consistency
> - Patch 5 (was Patch 2): Fix potential buffer over-read by
> using %.16s format specifier for hdr->datetime which is a 16-byte
> array that may not be null-terminated
> - Patch 6 (was Patch 3): Apply same %.16s fix to CBMCU firmware
> logging
>
> Changes in v6:
> - Fix timeout handling in btmtk_cbmcu_patch_status() to return -
> ETIMEDOUT
> instead of success when polling exhausts retry count
> - Add integer overflow protection in btmtk_load_cbmcu_firmware()
> using
> check_mul_overflow() and check_add_overflow()
>
> Changes in v5:
> - Split into three patches: refactoring, logging improvement, and
> new feature
> - Add Patch 5 (was Patch 2) to improve BT firmware logging
> independently
> - Apply same logging improvements to CBMCU firmware in Patch 6
> (was Patch 3)
>
> Changes in v4:
> - Split into two patches: refactoring and new feature
> - Add BTMTK_WMT_PKT_* enum to improve code readability
> - Replace magic numbers (0xF0, 0xF1) with descriptive macros
>
> Changes in v3:
> - Add firmware size validation with bounds checking
> - Improve error messages with context information
>
> Changes in v2:
> - Simplified enum usage by consolidating status definitions
>
> Chris Lu (6):
> Bluetooth: btmtk: Add firmware size validation in
> btmtk_setup_firmware_79xx()
> Bluetooth: btmtksdio: Remove redundant firmware filename override
> Bluetooth: btmtksdio: Pass hardware dev_id to mt79xx_setup()
> Bluetooth: btmtk: Replace magic numbers with WMT packet flag enum
> Bluetooth: btmtk: Improve BT firmware logging
> Bluetooth: btmtk: Add MT7928 support
>
> drivers/bluetooth/btmtk.c | 427
> +++++++++++++++++++++++++++++++++-
> drivers/bluetooth/btmtk.h | 9 +
> drivers/bluetooth/btmtksdio.c | 9 +-
> 3 files changed, 430 insertions(+), 15 deletions(-)
>
https://sashiko.dev/#/patchset/20260702101437.1787800-1-chris.lu%40mediatek.com
Sashiko still has one comment on my patch v9, but it states that the
potential risk is unrelated to my change on btmtksdio.c and may be an
existing issue. Regarding this comment, I lean toward addressing it in
the future, focus on MT7928 this time. I'm not sure whether you would
agree to merge the v9 changes first.
Thanks a lot!
Chris Lu
^ permalink raw reply [flat|nested] 8+ messages in thread