-From 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 Mon Sep 17 00:00:00 2001
+From e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b Mon Sep 17 00:00:00 2001
From: Pauli Virtanen <pav@iki.fi>
Date: Fri, 24 Apr 2026 22:24:29 +0300
Subject: Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: Pauli Virtanen <pav@iki.fi>
-commit 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 upstream.
+commit e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b upstream.
MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
FUNC_CTRL events that are missing the status field.
Fix the regression by interpreting too short packet as status
BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
-Fixes: 041e88fb0c08 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
+Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> # MT7922 (0489:e0e2)
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
-bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch
netfilter-nf_tables-unconditionally-bump-set-nelems-.patch
ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch
+bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch
-From 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 Mon Sep 17 00:00:00 2001
+From e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b Mon Sep 17 00:00:00 2001
From: Pauli Virtanen <pav@iki.fi>
Date: Fri, 24 Apr 2026 22:24:29 +0300
Subject: Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: Pauli Virtanen <pav@iki.fi>
-commit 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 upstream.
+commit e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b upstream.
MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
FUNC_CTRL events that are missing the status field.
Fix the regression by interpreting too short packet as status
BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
-Fixes: 041e88fb0c08 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
+Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> # MT7922 (0489:e0e2)
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
-bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch
hid-pass-the-buffer-size-to-hid_report_raw_event.patch
hid-core-introduce-hid_safe_input_report.patch
hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch
fuse-avoid-0x10-fault-in-fuse_readahead-when-max_pag.patch
ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch
media-staging-imx-configure-src_mux-in-csi_start.patch
+bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch
-From 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 Mon Sep 17 00:00:00 2001
+From e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b Mon Sep 17 00:00:00 2001
From: Pauli Virtanen <pav@iki.fi>
Date: Fri, 24 Apr 2026 22:24:29 +0300
Subject: Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
From: Pauli Virtanen <pav@iki.fi>
-commit 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 upstream.
+commit e3ac0d9f1a205f33a43fba3b79ef74d2f604c78b upstream.
MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
FUNC_CTRL events that are missing the status field.
Fix the regression by interpreting too short packet as status
BTMTK_WMT_ON_UNDONE, which makes the device work normally again.
-Fixes: 041e88fb0c08 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
+Fixes: 634a4408c061 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> # MT7922 (0489:e0e2)
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
-bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch
hid-pass-the-buffer-size-to-hid_report_raw_event.patch
hid-core-introduce-hid_safe_input_report.patch
rseq-revert-to-historical-performance-killing-behavi.patch
hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch
ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch
media-staging-imx-configure-src_mux-in-csi_start.patch
+bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
