Bluetooth: L2CAP: Fix regressions caused by reusing ident

This attempt to fix regressions caused by reusing ident which apparently
is not handled well on certain stacks causing the stack to not respond to
requests, so instead of simple returning the first unallocated id this
stores the last used tx_ident and then attempt to use the next until all
available ids are exausted and then cycle starting over to 1.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=221120
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221177
Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Christian Eggers <ceggers@arri.de>

diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 010f1a8fd15f827eac649211f88e2a8c5ad3cd19..5172afee5494332fdeb47c158fd036a2e5c6dda7 100644 (file)
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -658,6 +658,7 @@ struct l2cap_conn {
        struct sk_buff          *rx_skb;
        __u32                   rx_len;
        struct ida              tx_ida;
+       __u8                    tx_ident;
 
        struct sk_buff_head     pending_rx;
        struct work_struct      pending_rx_work;

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 30fd6848938e462c9ff40245ebec5f360370cb2c..3de3e3c8e966b58c7d69b28de0aea0eddedbe76a 100644 (file)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -926,16 +926,39 @@ int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
 
 static int l2cap_get_ident(struct l2cap_conn *conn)
 {
+       u8 max;
+       int ident;
+
        /* LE link does not support tools like l2ping so use the full range */
        if (conn->hcon->type == LE_LINK)
-               return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC);
-
+               max = 255;
        /* Get next available identificator.
         *    1 - 128 are used by kernel.
         *  129 - 199 are reserved.
         *  200 - 254 are used by utilities like l2ping, etc.
         */
-       return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC);
+       else
+               max = 128;
+
+       /* Allocate ident using min as last used + 1 (cyclic) */
+       ident = ida_alloc_range(&conn->tx_ida, READ_ONCE(conn->tx_ident) + 1,
+                               max, GFP_ATOMIC);
+       /* Force min 1 to start over */
+       if (ident <= 0) {
+               ident = ida_alloc_range(&conn->tx_ida, 1, max, GFP_ATOMIC);
+               if (ident <= 0) {
+                       /* If all idents are in use, log an error, this is
+                        * extremely unlikely to happen and would indicate a bug
+                        * in the code that idents are not being freed properly.
+                        */
+                       BT_ERR("Unable to allocate ident: %d", ident);
+                       return 0;
+               }
+       }
+
+       WRITE_ONCE(conn->tx_ident, ident);
+
+       return ident;
 }
 
 static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,