Commit e3ac0d9f authored by Pauli Virtanen, committed by Luiz Augusto von Dentz

Bluetooth: btmtk: accept too short WMT FUNC_CTRL events

MT7925 (USB ID 0e8d:e025) on fw version 20260106153314 sends WMT
FUNC_CTRL events that are missing the status field.

Prior to commit 006b9943b982 ("Bluetooth: btmtk: validate WMT event SKB
length before struct access") the status was read from out-of-bounds of
SKB data, which usually would result in success with
BTMTK_WMT_ON_UNDONE, although I don't know the intent here.  The bounds
check added in that commit returns with error instead, producing
"Bluetooth: hci0: Failed to send wmt func ctrl (-22)" and makes the
device unusable.

Fix the regression by interpreting a too short packet as status
BTMTK_WMT_ON_UNDONE, which makes the device work normally again.

Fixes: 634a4408 ("Bluetooth: btmtk: validate WMT event SKB length before struct access")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> # MT7922 (0489:e0e2)
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
parent e83f5e24
+2 −2
@@ -719,8 +719,8 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
	case BTMTK_WMT_FUNC_CTRL:
		if (!skb_pull_data(data->evt_skb,
				   sizeof(wmt_evt_funcc->status))) {
			err = -EINVAL;
			goto err_free_skb;
			status = BTMTK_WMT_ON_UNDONE;
			break;
		}

		wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
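
Review bot: In the `!skb_pull_data(...)` branch of the `BTMTK_WMT_FUNC_CTRL` case, the new `status = BTMTK_WMT_ON_UNDONE; break;` path accepts a truncated event silently and carries no comment saying why. The length check is kept and the `break` skips the `wmt_evt_funcc` cast that follows, so the struct is not touched on a short event, but nothing in the code tells a reader that the missing status field is a known firmware behaviour rather than a malformed event being tolerated by accident. Suggest a short comment above the assignment that names the quirk described in the commit message (events without the status field), and a `bt_dev_dbg(hdev, ...)` line in this branch so that short FUNC_CTRL events stay visible when debugging.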