--- x/net/bluetooth/mgmt.c
+++ y/net/bluetooth/mgmt.c
@@ -2538,7 +2538,7 @@ static int send_hci_cmd_sync(struct hci_
 struct sk_buff *skb;
 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cp->opcode),
- le16_to_cpu(cp->params_len), cp->params,
+ cmd->param_len, cp->params,
 cp->event, cp->timeout ?
 secs_to_jiffies(cp->timeout) :
 HCI_CMD_TIMEOUT);
--- x/net/bluetooth/hci_sync.c
+++ y/net/bluetooth/hci_sync.c
@@ -51,7 +51,7 @@ static void hci_cmd_sync_complete(struct
 struct sk_buff *hci_cmd_sync_alloc(struct hci_dev *hdev, u16 opcode, u32 plen,
 const void *param, struct sock *sk)
 {
- int len = HCI_COMMAND_HDR_SIZE + plen;
+ int len = HCI_COMMAND_HDR_SIZE + plen + HCI_COMMAND_HDR_SIZE;
 struct hci_command_hdr *hdr;
 struct sk_buff *skb;
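Review bot: In the mgmt.c hunk, `cmd->param_len` does not look like the right bound for a copy that starts at `cp->params`. The declarations of `cmd` and `cp` are above the hunk, but if `param_len` is the length of the whole management payload that `cp` points into, it still counts the fixed fields in front of `params`, so the read would run past the end of that buffer by their size. The argument would then need to be `cmd->param_len - offsetof(typeof(*cp), params), cp->params,`, and only after the handler has confirmed the payload is at least that long. The change also stops consulting the sender-declared `cp->params_len` entirely, so a request whose declared and actual lengths disagree is forwarded to the controller instead of being rejected; comparing the two where the command is accepted and returning an invalid-parameters status would be the stricter fix.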
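Review bot: In the hci_sync.c hunk, the second `HCI_COMMAND_HDR_SIZE` added to `len` in hci_cmd_sync_alloc() has no comment and no use visible in the hunk. A larger skb only adds tailroom and does not limit how many bytes are later read from `param`, so if it is meant to absorb an over-long `plen` it hides the overrun instead of preventing it. I would keep `int len = HCI_COMMAND_HDR_SIZE + plen;` and reject an out-of-range length before allocating, since the HCI command header stores the parameter length in a single byte, e.g. `if (plen > U8_MAX) return NULL;` (assuming callers already handle a NULL return). The function body continues past the hunk, so how `len` and `plen` are consumed should be confirmed there.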