From d9d397d53498ea56bb368b1f2d86186ced3e16e5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 20 May 2026 14:47:13 +0200 Subject: [PATCH] fix up bluetooth patch --- ...etooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch | 6 +++--- queue-6.12/series | 2 +- ...etooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch | 6 +++--- queue-6.18/series | 2 +- ...etooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch | 6 +++--- queue-7.0/series | 2 +- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/queue-6.12/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch b/queue-6.12/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch index ac95dfef05..634b233b4d 100644 --- a/queue-6.12/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch +++ b/queue-6.12/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch @@ -1,11 +1,11 @@ -From 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 Mon Sep 17 00:00:00 2001 +From e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b Mon Sep 17 00:00:00 2001 From: Pauli Virtanen Date: Fri, 24 Apr 2026 22:24:29 +0300 Subject: Bluetooth: btmtk: accept too short WMT FUNC_CTRL events From: Pauli Virtanen -commit 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 upstream. +commit e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b upstream. MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT FUNC_CTRL events that are missing the status field. @@ -21,7 +21,7 @@ device unusable. Fix the regression by interpreting too short packet as status BTMTK_WMT_ON_UNDONE, which makes the device work normally again. -Fixes: 041e88fb0c08 ("Bluetooth: btmtk: validate WMT event SKB length before struct access") +Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access") Signed-off-by: Pauli Virtanen Tested-by: Mikhail Gavrilov # MT7922 (0489:e0e2) Signed-off-by: Luiz Augusto von Dentz diff --git a/queue-6.12/series b/queue-6.12/series index e1fc569f54..82379aa260 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -619,6 +619,6 @@ audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch -bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch netfilter-nf_tables-unconditionally-bump-set-nelems-.patch ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch +bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch diff --git a/queue-6.18/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch b/queue-6.18/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch index ac95dfef05..634b233b4d 100644 --- a/queue-6.18/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch +++ b/queue-6.18/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch @@ -1,11 +1,11 @@ -From 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 Mon Sep 17 00:00:00 2001 +From e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b Mon Sep 17 00:00:00 2001 From: Pauli Virtanen Date: Fri, 24 Apr 2026 22:24:29 +0300 Subject: Bluetooth: btmtk: accept too short WMT FUNC_CTRL events From: Pauli Virtanen -commit 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 upstream. +commit e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b upstream. MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT FUNC_CTRL events that are missing the status field. @@ -21,7 +21,7 @@ device unusable. Fix the regression by interpreting too short packet as status BTMTK_WMT_ON_UNDONE, which makes the device work normally again. -Fixes: 041e88fb0c08 ("Bluetooth: btmtk: validate WMT event SKB length before struct access") +Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access") Signed-off-by: Pauli Virtanen Tested-by: Mikhail Gavrilov # MT7922 (0489:e0e2) Signed-off-by: Luiz Augusto von Dentz diff --git a/queue-6.18/series b/queue-6.18/series index 80d0342a67..bb3ebab6d1 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -892,10 +892,10 @@ audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch -bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch hid-pass-the-buffer-size-to-hid_report_raw_event.patch hid-core-introduce-hid_safe_input_report.patch hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch fuse-avoid-0x10-fault-in-fuse_readahead-when-max_pag.patch ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch media-staging-imx-configure-src_mux-in-csi_start.patch +bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch diff --git a/queue-7.0/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch b/queue-7.0/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch index ac95dfef05..634b233b4d 100644 --- a/queue-7.0/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch +++ b/queue-7.0/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch @@ -1,11 +1,11 @@ -From 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 Mon Sep 17 00:00:00 2001 +From e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b Mon Sep 17 00:00:00 2001 From: Pauli Virtanen Date: Fri, 24 Apr 2026 22:24:29 +0300 Subject: Bluetooth: btmtk: accept too short WMT FUNC_CTRL events From: Pauli Virtanen -commit 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 upstream. +commit e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b upstream. MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT FUNC_CTRL events that are missing the status field. @@ -21,7 +21,7 @@ device unusable. Fix the regression by interpreting too short packet as status BTMTK_WMT_ON_UNDONE, which makes the device work normally again. -Fixes: 041e88fb0c08 ("Bluetooth: btmtk: validate WMT event SKB length before struct access") +Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access") Signed-off-by: Pauli Virtanen Tested-by: Mikhail Gavrilov # MT7922 (0489:e0e2) Signed-off-by: Luiz Augusto von Dentz diff --git a/queue-7.0/series b/queue-7.0/series index fd458a4e36..c66d03568c 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -1058,7 +1058,6 @@ kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch -bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch hid-pass-the-buffer-size-to-hid_report_raw_event.patch hid-core-introduce-hid_safe_input_report.patch rseq-revert-to-historical-performance-killing-behavi.patch @@ -1067,3 +1066,4 @@ rseq-reenable-performance-optimizations-conditionall.patch hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch media-staging-imx-configure-src_mux-in-csi_start.patch +bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch -- 2.47.3