Patchwork [3.11.y.z,extended,stable] Patch "Bluetooth: Fix triggering BR/EDR L2CAP Connect too early" has been added to staging queue

Submitter Luis Henriques
Date May 14, 2014, 2:57 p.m.
Message ID <>
Permalink /patch/348827/
State New


Luis Henriques - May 14, 2014, 2:57 p.m.
This is a note to let you know that I have just added a patch titled

    Bluetooth: Fix triggering BR/EDR L2CAP Connect too early

to the linux-3.11.y-queue branch of the 3.11.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.11.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.11.y.z tree, see



From 698909ec3b903927ca501beba17f9b9bfba52ece Mon Sep 17 00:00:00 2001
From: Johan Hedberg <>
Date: Fri, 11 Apr 2014 12:02:31 -0700
Subject: Bluetooth: Fix triggering BR/EDR L2CAP Connect too early

commit 9eb1fbfa0a737fd4d3a6d12d71c5ea9af622b887 upstream.

Commit 1c2e004183178 introduced an event handler for the encryption key
refresh complete event with the intent of fixing some LE/SMP cases.
However, this event is shared with BR/EDR and there we actually want to
act only on the auth_complete event (which comes after the key refresh).

If we do not do this we may trigger an L2CAP Connect Request too early
and cause the remote side to return a security block error.

Signed-off-by: Johan Hedberg <>
Signed-off-by: Marcel Holtmann <>
Signed-off-by: Luis Henriques <>
 net/bluetooth/hci_event.c | 6 ++++++
 1 file changed, 6 insertions(+)



diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4cc3ee0..b767ed9 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2992,6 +2992,12 @@  static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
 	if (!conn)
 		goto unlock;

+	/* For BR/EDR the necessary steps are taken through the
+	 * auth_complete event.
+	 */
+	if (conn->type != LE_LINK)
+		goto unlock;
 	if (!ev->status)
 		conn->sec_level = conn->pending_sec_level;
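
Review bot: The early exit added at `if (conn->type != LE_LINK) goto unlock;` sits above the `if (!ev->status)` check, so for every non-LE link this handler now ignores the event status entirely, success or failure. Correctness on BR/EDR then depends on an auth_complete event always following the key refresh, including when the refresh fails. The commit message asserts that ordering, but the code comment does not; please state it in the comment and confirm it holds for a non-zero `ev->status`, since the rest of the function is not visible in this hunk. The comment also says "For BR/EDR" while the condition is "any link type other than LE_LINK"; either test the BR/EDR link type explicitly or reword the comment to match what the condition actually covers.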