5 files changed, 22 insertions, 5 deletions

diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index 262ebd1747d4..a65910bda381 100644
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -191,6 +191,7 @@ struct bt_sock {
         struct list_head accept_q;
         struct sock *parent;
         u32 defer_setup;
+        bool suspended;
 };
 
 struct bt_sock_list {
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 72eb187a5f60..6fb68a9743af 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -450,7 +450,7 @@ unsigned int bt_sock_poll(struct file *file, struct socket *sock, poll_table *wa
                         sk->sk_state == BT_CONFIG)
                 return mask;
 
-        if (sock_writeable(sk))
+        if (!bt_sk(sk)->suspended && sock_writeable(sk))
                 mask |= POLLOUT | POLLWRNORM | POLLWRBAND;
         else
                 set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 6c065254afc0..53680fe84628 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2039,6 +2039,12 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
 
                 clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
 
+                if (ev->status && conn->state == BT_CONNECTED) {
+                        hci_acl_disconn(conn, 0x13);
+                        hci_conn_put(conn);
+                        goto unlock;
+                }
+
                 if (conn->state == BT_CONFIG) {
                         if (!ev->status)
                                 conn->state = BT_CONNECTED;
@@ -2049,6 +2055,7 @@ static inline void hci_encrypt_change_evt(struct hci_dev *hdev, struct sk_buff *
                         hci_encrypt_cfm(conn, ev->status, ev->encrypt);
         }
 
+unlock:
         hci_dev_unlock(hdev);
 }
 
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 94552b33d528..6f9c25b633a6 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4589,6 +4589,11 @@ int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
 
                 if (!status && (chan->state == BT_CONNECTED ||
                                                 chan->state == BT_CONFIG)) {
+                        struct sock *sk = chan->sk;
+
+                        bt_sk(sk)->suspended = false;
+                        sk->sk_state_change(sk);
+
                         l2cap_check_encryption(chan, encrypt);
                         l2cap_chan_unlock(chan);
                         continue;
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 29122ed28ea9..04e7c172d49c 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -592,10 +592,14 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
                         sk->sk_state = BT_CONFIG;
                         chan->state = BT_CONFIG;
 
-                /* or for ACL link, under defer_setup time */
-                } else if (sk->sk_state == BT_CONNECT2 &&
-                                        bt_sk(sk)->defer_setup) {
-                        err = l2cap_chan_check_security(chan);
+                /* or for ACL link */
+                } else if ((sk->sk_state == BT_CONNECT2 &&
+                           bt_sk(sk)->defer_setup) ||
+                           sk->sk_state == BT_CONNECTED) {
+                        if (!l2cap_chan_check_security(chan))
+                                bt_sk(sk)->suspended = true;
+                        else
+                                sk->sk_state_change(sk);
                 } else {
                         err = -EINVAL;
                 }