--- /dev/null
+From 761fb8ec8778f0caf2bba5a41e3cff1ea86974f3 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 17 Mar 2026 11:54:01 -0400
+Subject: Bluetooth: L2CAP: Fix regressions caused by reusing ident
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 761fb8ec8778f0caf2bba5a41e3cff1ea86974f3 upstream.
+
+This attempt to fix regressions caused by reusing ident which apparently
+is not handled well on certain stacks causing the stack to not respond to
+requests, so instead of simple returning the first unallocated id this
+stores the last used tx_ident and then attempt to use the next until all
+available ids are exausted and then cycle starting over to 1.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221120
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=221177
+Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/l2cap.h | 1 +
+ net/bluetooth/l2cap_core.c | 29 ++++++++++++++++++++++++++---
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -658,6 +658,7 @@ struct l2cap_conn {
+ struct sk_buff *rx_skb;
+ __u32 rx_len;
+ struct ida tx_ida;
++ __u8 tx_ident;
+
+ struct sk_buff_head pending_rx;
+ struct work_struct pending_rx_work;
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -926,16 +926,39 @@ int l2cap_chan_check_security(struct l2c
+
+ static int l2cap_get_ident(struct l2cap_conn *conn)
+ {
++ u8 max;
++ int ident;
++
+ /* LE link does not support tools like l2ping so use the full range */
+ if (conn->hcon->type == LE_LINK)
+- return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC);
+-
++ max = 255;
+ /* Get next available identificator.
+ * 1 - 128 are used by kernel.
+ * 129 - 199 are reserved.
+ * 200 - 254 are used by utilities like l2ping, etc.
+ */
+- return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC);
++ else
++ max = 128;
++
++ /* Allocate ident using min as last used + 1 (cyclic) */
++ ident = ida_alloc_range(&conn->tx_ida, READ_ONCE(conn->tx_ident) + 1,
++ max, GFP_ATOMIC);
++ /* Force min 1 to start over */
++ if (ident <= 0) {
++ ident = ida_alloc_range(&conn->tx_ida, 1, max, GFP_ATOMIC);
++ if (ident <= 0) {
++ /* If all idents are in use, log an error, this is
++ * extremely unlikely to happen and would indicate a bug
++ * in the code that idents are not being freed properly.
++ */
++ BT_ERR("Unable to allocate ident: %d", ident);
++ return 0;
++ }
++ }
++
++ WRITE_ONCE(conn->tx_ident, ident);
++
++ return ident;
+ }
+
+ static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,
projects / thirdparty / kernel / stable-queue.git / commitdiff
