Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent

Vudentz · gregkh · commit 470896ecbc92 · 2024-01-01T12:39:03.000Z
commit 99e67d4 upstream. Before setting HCI_INQUIRY bit check if HCI_OP_INQUIRY was really sent otherwise the controller maybe be generating invalid events or, more likely, it is a result of fuzzing tools attempting to test the right behavior of the stack when unexpected events are generated. Cc: stable@vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=218151 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
@@ -2301,7 +2301,8 @@ static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
 		return;
 	}
 
-	set_bit(HCI_INQUIRY, &hdev->flags);
+	if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
+		set_bit(HCI_INQUIRY, &hdev->flags);
 }
 
 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)

Original file line number	Diff line number	Diff line change
`@@ -2301,7 +2301,8 @@ static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)`
`2301`	`2301`	`return;`
`2302`	`2302`	`}`
`2303`	`2303`
`2304`		`- set_bit(HCI_INQUIRY, &hdev->flags);`
	`2304`	`+ if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))`
	`2305`	`+ set_bit(HCI_INQUIRY, &hdev->flags);`
`2305`	`2306`	`}`
`2306`	`2307`
`2307`	`2308`	`static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)`