From: Greg Kroah-Hartman Date: Tue, 31 Mar 2026 16:07:18 +0000 (+0200) Subject: 6.19-stable patches X-Git-Tag: v6.6.131~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3fd21674201a6586abb60c42ad98bf3efe233674;p=thirdparty%2Fkernel%2Fstable-queue.git 6.19-stable patches added patches: bluetooth-l2cap-fix-regressions-caused-by-reusing-ident.patch --- diff --git a/queue-6.19/bluetooth-l2cap-fix-regressions-caused-by-reusing-ident.patch b/queue-6.19/bluetooth-l2cap-fix-regressions-caused-by-reusing-ident.patch new file mode 100644 index 0000000000..fd35d3009d --- /dev/null +++ b/queue-6.19/bluetooth-l2cap-fix-regressions-caused-by-reusing-ident.patch @@ -0,0 +1,81 @@ +From 761fb8ec8778f0caf2bba5a41e3cff1ea86974f3 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 17 Mar 2026 11:54:01 -0400 +Subject: Bluetooth: L2CAP: Fix regressions caused by reusing ident + +From: Luiz Augusto von Dentz + +commit 761fb8ec8778f0caf2bba5a41e3cff1ea86974f3 upstream. + +This attempt to fix regressions caused by reusing ident which apparently +is not handled well on certain stacks causing the stack to not respond to +requests, so instead of simple returning the first unallocated id this +stores the last used tx_ident and then attempt to use the next until all +available ids are exausted and then cycle starting over to 1. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221120 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=221177 +Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident") +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Christian Eggers +Signed-off-by: Greg Kroah-Hartman +--- + include/net/bluetooth/l2cap.h | 1 + + net/bluetooth/l2cap_core.c | 29 ++++++++++++++++++++++++++--- + 2 files changed, 27 insertions(+), 3 deletions(-) + +--- a/include/net/bluetooth/l2cap.h ++++ b/include/net/bluetooth/l2cap.h +@@ -658,6 +658,7 @@ struct l2cap_conn { + struct sk_buff *rx_skb; + __u32 rx_len; + struct ida tx_ida; ++ __u8 tx_ident; + + struct sk_buff_head pending_rx; + struct work_struct pending_rx_work; +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -926,16 +926,39 @@ int l2cap_chan_check_security(struct l2c + + static int l2cap_get_ident(struct l2cap_conn *conn) + { ++ u8 max; ++ int ident; ++ + /* LE link does not support tools like l2ping so use the full range */ + if (conn->hcon->type == LE_LINK) +- return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC); +- ++ max = 255; + /* Get next available identificator. + * 1 - 128 are used by kernel. + * 129 - 199 are reserved. + * 200 - 254 are used by utilities like l2ping, etc. + */ +- return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC); ++ else ++ max = 128; ++ ++ /* Allocate ident using min as last used + 1 (cyclic) */ ++ ident = ida_alloc_range(&conn->tx_ida, READ_ONCE(conn->tx_ident) + 1, ++ max, GFP_ATOMIC); ++ /* Force min 1 to start over */ ++ if (ident <= 0) { ++ ident = ida_alloc_range(&conn->tx_ida, 1, max, GFP_ATOMIC); ++ if (ident <= 0) { ++ /* If all idents are in use, log an error, this is ++ * extremely unlikely to happen and would indicate a bug ++ * in the code that idents are not being freed properly. ++ */ ++ BT_ERR("Unable to allocate ident: %d", ident); ++ return 0; ++ } ++ } ++ ++ WRITE_ONCE(conn->tx_ident, ident); ++ ++ return ident; + } + + static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb, diff --git a/queue-6.19/series b/queue-6.19/series index 39a48d8cb8..907b278657 100644 --- a/queue-6.19/series +++ b/queue-6.19/series @@ -339,3 +339,4 @@ futex-fix-uaf-between-futex_key_to_node_opt-and-vma_.patch ext4-introduce-export_symbol_for_ext4_test-helper.patch ext4-fix-mballoc-test.c-is-not-compiled-when-ext4_ku.patch bug-avoid-format-attribute-warning-for-clang-as-well.patch +bluetooth-l2cap-fix-regressions-caused-by-reusing-ident.patch