Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent

commit 99e67d4 upstream. Before setting HCI_INQUIRY bit check if HCI_OP_INQUIRY was really sent otherwise the controller maybe be generating invalid events or, more likely, it is a result of fuzzing tools attempting to test the right behavior of the stack when unexpected events are generated. Cc: stable@vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=218151 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
frank-w · Jan 8, 2024 · e5f7ce9 · e5f7ce9
1 parent f08abcc
commit e5f7ce9
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
@@ -1701,7 +1701,8 @@ static void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
 		return;
 	}
 
-	set_bit(HCI_INQUIRY, &hdev->flags);
+	if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))
+		set_bit(HCI_INQUIRY, &hdev->flags);
 }
 
 static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)