git.ipfire.org Git - thirdparty/kernel/linux.git/commit
Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
author Pauli Virtanen <pav@iki.fi>
Fri, 24 Apr 2026 19:24:29 +0000 (22:24 +0300)
committer Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Thu, 14 May 2026 13:54:06 +0000 (09:54 -0400)
commit e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b
tree 356a7672970234454489045449fa22c28cab114a
parent e83f5e24da741fa9405aeeff00b08c5ee7c37b88
Bluetooth: btmtk: accept too short WMT FUNC_CTRL events

MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
FUNC_CTRL events that are missing the status field.

Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
length before struct access") the status was read from out of bounds of
the SKB data, which usually would result in success with
BTMTK_WMT_ON_UNDONE, although I don't know the intent here.  The bounds
check added in that commit returns with an error instead, producing
"Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and making the
device unusable.

Fix the regression by interpreting a too short packet as status
BTMTK_WMT_ON_UNDONE, which makes the device work normally again.

Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> # MT7922 (0489:e0e2)
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
drivers/bluetooth/btmtk.c
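
The length check and the short-packet fallback described in the commit message, as an added C sketch that is not the driver's code. The 7-byte header, the big-endian status field and its two codes, the sample bytes and the names `parse_strict` and `parse_tolerant` are assumptions made for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this sketch: 7-byte header, then 2-byte big-endian status. */
#define HDR_LEN    7u
#define STATUS_LEN 2u
/* Status codes assumed for the sketch. */
#define ST_DONE     0x0404u
#define ST_PROGRESS 0x0420u

enum wmt_state { WMT_ON_UNDONE, WMT_ON_DONE, WMT_ON_PROGRESS };

/* Constructed sample events (not captured traffic); header bytes are not interpreted. */
static const uint8_t FULL_EVT[]  = { 0xe4, 0x07, 0x02, 0x06, 0x01, 0x00, 0x00, 0x04, 0x04 };
static const uint8_t SHORT_EVT[] = { 0xe4, 0x05, 0x02, 0x06, 0x01, 0x00, 0x00 };

/* Strict policy: a missing status field is an error. Returns a state or -EINVAL. */
int parse_strict(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN + STATUS_LEN)
        return -EINVAL;                    /* -22, as in the quoted log line */
    uint16_t st = (uint16_t)((buf[HDR_LEN] << 8) | buf[HDR_LEN + 1]);
    if (st == ST_DONE)
        return WMT_ON_DONE;
    return st == ST_PROGRESS ? WMT_ON_PROGRESS : WMT_ON_UNDONE;
}

/* Tolerant policy: the header must be complete; an absent status maps to
 * UNDONE without reading any byte at or beyond len. */
int parse_tolerant(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN)
        return -EINVAL;
    if (len < HDR_LEN + STATUS_LEN)
        return WMT_ON_UNDONE;
    return parse_strict(buf, len);
}

int main(void)
{
    printf("strict short:   %d\n", parse_strict(SHORT_EVT, sizeof SHORT_EVT));
    printf("tolerant short: %d\n", parse_tolerant(SHORT_EVT, sizeof SHORT_EVT));
    printf("tolerant full:  %d\n", parse_tolerant(FULL_EVT, sizeof FULL_EVT));
    return 0;
}
```

Both parsers keep every read inside `len`; they differ only in whether a truncated event is rejected or given a defined default.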