From: Pedro Nishiyama <nishiyama.pedro@gmail.com> mainline inclusion from mainline-v6.15-rc1 commit 14d17c78a4b1660c443bae9d38c814edea506f62 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICJTCL CVE: CVE-2025-38099 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- A SCO connection without the proper voice_setting can cause the controller to lock up. Signed-off-by: Pedro Nishiyama <nishiyama.pedro@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Pu Lehui <pulehui@huawei.com> --- net/bluetooth/hci_event.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 1e689d8c00a5..2e0a2ed1955d 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -933,6 +933,9 @@ static u8 hci_cc_read_buffer_size(struct hci_dev *hdev, void *data, hdev->sco_pkts = 8; } + if (!read_voice_setting_capable(hdev)) + hdev->sco_pkts = 0; + hdev->acl_cnt = hdev->acl_pkts; hdev->sco_cnt = hdev->sco_pkts; -- 2.34.1