Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent

Vudentz · Vudentz · commit 99e67d46e5ff · 2023-12-15T11:50:34.000-05:00
Before setting HCI_INQUIRY bit check if HCI_OP_INQUIRY was really sent otherwise the controller maybe be generating invalid events or, more likely, it is a result of fuzzing tools attempting to test the right behavior of the stack when unexpected events are generated. Cc: stable@vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=218151 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
@@ -2302,7 +2302,8 @@ static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
 		return;
 	}
 
-	set_bit(HCI_INQUIRY, &hdev->flags);
+	if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
+		set_bit(HCI_INQUIRY, &hdev->flags);
 }
 
 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)

Original file line number	Diff line number	Diff line change
`@@ -2302,7 +2302,8 @@ static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)`
`2302`	`2302`	`return;`
`2303`	`2303`	`}`
`2304`	`2304`
`2305`		`- set_bit(HCI_INQUIRY, &hdev->flags);`
	`2305`	`+ if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))`
	`2306`	`+ set_bit(HCI_INQUIRY, &hdev->flags);`
`2306`	`2307`	`}`
`2307`	`2308`
`2308`	`2309`	`static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)`