CVE-2026-31771

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: move wake reason storage into validated event handlers

hcistorewakereason() is called from hcieventpacket() immediately after stripping the HCI event header but before hcieventfunc() enforces the per-event minimum payload length from hciev_table. This means a short HCI event frame can reach bacpy() before any bounds check runs.

Rather than duplicating skb parsing and per-event length checks inside hcistorewakereason(), move wake-address storage into the individual event handlers after their existing event-length validation has succeeded. Convert hcistorewakereason() into a small helper that only stores an already-validated bdaddr while the caller holds hcidevlock(). Use the same helper after hcieventfunc() with a NULL address to preserve the existing unexpected-wake fallback semantics when no validated event handler records a wake address.

Annotate the helper with _musthold(&hdev->lock) and add lockdepassertheld(&hdev->lock) so future call paths keep the lock contract explicit.

Call the helper from hciconnrequestevt(), hciconncompleteevt(), hcisyncconncompleteevt(), leconncompleteevt(), hcileadvreportevt(), hcileextadvreportevt(), hciledirectadvreportevt(), hcilepasyncestablishedevt(), and hcilepastreceivedevt().