This is a note to let you know that I've just added the patch titled

    Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    bluetooth-hci_event-fix-not-checking-if-hci_op_inquiry-has-been-sent.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

From 99e67d46e5ff3c7c901af6009edec72d3d363be8 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Date: Mon, 20 Nov 2023 10:04:39 -0500
Subject: Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent

From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

commit 99e67d46e5ff3c7c901af6009edec72d3d363be8 upstream.

Before setting HCI_INQUIRY bit check if HCI_OP_INQUIRY was really sent
otherwise the controller may be generating invalid events or, more
likely, it is a result of fuzzing tools attempting to test the right
behavior of the stack when unexpected events are generated.

Cc: stable@xxxxxxxxxxxxxxx
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218151
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/bluetooth/hci_event.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c 
@@ -2301,7 +2301,8 @@ static void hci_cs_inquiry(struct hci_de return; } - set_bit(HCI_INQUIRY, &hdev->flags); + if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY)) + set_bit(HCI_INQUIRY, &hdev->flags); } static void hci_cs_create_conn(struct hci_dev *hdev, __u8 status) Patches currently in stable-queue which might be from luiz.von.dentz@xxxxxxxxx are queue-6.1/bluetooth-add-more-enc-key-size-check.patch queue-6.1/bluetooth-mgmt-smp-fix-address-type-when-using-smp-over-bredr-le.patch queue-6.1/bluetooth-hci_event-fix-not-checking-if-hci_op_inquiry-has-been-sent.patch queue-6.1/bluetooth-l2cap-send-reject-on-command-corrupted-request.patch queue-6.1/bluetooth-hci_event-shut-up-a-false-positive-warning.patch queue-6.1/bluetooth-fix-deadlock-in-vhci_send_frame.patch queue-6.1/bluetooth-af_bluetooth-fix-use-after-free-in-bt_sock_recvmsg.patch
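Review bot: the new guard in hci_cs_inquiry(), `if (hci_sent_cmd_data(hdev, HCI_OP_INQUIRY))`, has no comment and no else path, so a Command Status for Inquiry that the host never requested is now dropped without any trace. The commit message gives the reason (an invalid controller event or a fuzzer injecting unexpected events), but nothing at the call site records it. A one-line comment above the check stating that HCI_INQUIRY must only be set for an inquiry the host actually sent, plus a debug-level message when the check fails, would keep that rationale next to the code and give anyone triaging a misbehaving controller something to search for in the logs. The return value is also used purely as a truth value here, which is fine, but the comment should say so, since the helper's name suggests it returns data.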