From: Greg Kroah-Hartman Date: Tue, 19 May 2026 12:08:30 +0000 (+0200) Subject: 7.0-stable patches X-Git-Tag: v6.6.141~58 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=bbcdd24ef260276a9e2192aa9adb35e6bb039d25;p=thirdparty%2Fkernel%2Fstable-queue.git 7.0-stable patches added patches: bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch --- diff --git a/queue-7.0/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch b/queue-7.0/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch new file mode 100644 index 0000000000..ac95dfef05 --- /dev/null +++ b/queue-7.0/bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch 
@@ -0,0 +1,45 @@ +From 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 Mon Sep 17 00:00:00 2001 +From: Pauli Virtanen +Date: Fri, 24 Apr 2026 22:24:29 +0300 +Subject: Bluetooth: btmtk: accept too short WMT FUNC_CTRL events + +From: Pauli Virtanen + +commit 162b1adeb057d28ad84fd8a03f3c50cf08db5c62 upstream. + +MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT +FUNC_CTRL events that are missing the status field. + +Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB +length before struct access") the status was read from out-of-bounds of +SKB data, which usually would result to success with +BTMTK_WMT_ON_UNDONE, although I don't know the intent here. The bounds +check added in that commit returns with error instead, producing +"Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the +device unusable. + +Fix the regression by interpreting too short packet as status +BTMTK_WMT_ON_UNDONE, which makes the device work normally again. + +Fixes: 041e88fb0c08 ("Bluetooth: btmtk: validate WMT event SKB length before struct access") +Signed-off-by: Pauli Virtanen +Tested-by: Mikhail Gavrilov # MT7922 (0489:e0e2) +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btmtk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/btmtk.c ++++ b/drivers/bluetooth/btmtk.c +@@ -678,8 +678,8 @@ static int btmtk_usb_hci_wmt_sync(struct + case BTMTK_WMT_FUNC_CTRL: + if (!skb_pull_data(data->evt_skb, + sizeof(wmt_evt_funcc->status))) { +- err = -EINVAL; +- goto err_free_skb; ++ status = BTMTK_WMT_ON_UNDONE; ++ break; + } + + wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt; diff --git a/queue-7.0/series b/queue-7.0/series index 9a99923051..77ad490b88 100644 --- a/queue-7.0/series +++ b/queue-7.0/series 
@@ -1058,3 +1058,4 @@ kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch +bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch
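Review bot: the Fixes: tag and the body of the new btmtk patch name two different commits for the same change: the text says the bounds check was added in 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB length before struct access"), while the trailer reads `Fixes: 041e88fb0c08 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")` with the identical subject. One of these is presumably the upstream id and the other a tree-specific id, so before this lands in queue-7.0 please confirm which hash is the commit that 7.0-stable actually carries; otherwise the Fixes: reference will not resolve for anyone tracking the regression. On the code change itself, `status = BTMTK_WMT_ON_UNDONE;` followed by `break;` turns a truncated FUNC_CTRL event into a success-like status without any record of it; a `bt_dev_dbg()` line at that point would keep the firmware's short-event behaviour visible in the log, which matters since the commit message itself says the intended meaning of the missing status field is unknown. Finally, the Tested-by line covers MT7922 (0489:e0e2) while the regression is reported on MT7925 (0e8d:e025) at fw 20260106153314; a test result on the reported device would be worth recording in the patch.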