Bluetooth: L2CAP: Fix regressions caused by reusing ident

commit 761fb8ec8778f0caf2bba5a41e3cff1ea86974f3 upstream.

This attempt to fix regressions caused by reusing ident which apparently
is not handled well on certain stacks causing the stack to not respond to
requests, so instead of simple returning the first unallocated id this
stores the last used tx_ident and then attempt to use the next until all
available ids are exausted and then cycle starting over to 1.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=221120
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221177
Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 010f1a8fd15f827eac649211f88e2a8c5ad3cd19..5172afee5494332fdeb47c158fd036a2e5c6dda7 100644 (file)
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -658,6 +658,7 @@ struct l2cap_conn {
        struct sk_buff          *rx_skb;
        __u32                   rx_len;
        struct ida              tx_ida;
+       __u8                    tx_ident;
 
        struct sk_buff_head     pending_rx;
        struct work_struct      pending_rx_work;

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index b72f2da57257d913a8b4b53def1f25fa7027475b..29e23f20dc438d0ee1d78f0b4c1e758d421544ed 100644 (file)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -926,16 +926,39 @@ int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
 
 static int l2cap_get_ident(struct l2cap_conn *conn)
 {
+       u8 max;
+       int ident;
+
        /* LE link does not support tools like l2ping so use the full range */
        if (conn->hcon->type == LE_LINK)
-               return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC);
-
+               max = 255;
        /* Get next available identificator.
         *    1 - 128 are used by kernel.
         *  129 - 199 are reserved.
         *  200 - 254 are used by utilities like l2ping, etc.
         */
-       return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC);
+       else
+               max = 128;
+
+       /* Allocate ident using min as last used + 1 (cyclic) */
+       ident = ida_alloc_range(&conn->tx_ida, READ_ONCE(conn->tx_ident) + 1,
+                               max, GFP_ATOMIC);
+       /* Force min 1 to start over */
+       if (ident <= 0) {
+               ident = ida_alloc_range(&conn->tx_ida, 1, max, GFP_ATOMIC);
+               if (ident <= 0) {
+                       /* If all idents are in use, log an error, this is
+                        * extremely unlikely to happen and would indicate a bug
+                        * in the code that idents are not being freed properly.
+                        */
+                       BT_ERR("Unable to allocate ident: %d", ident);
+                       return 0;
+               }
+       }
+
+       WRITE_ONCE(conn->tx_ident, ident);
+
+       return ident;
 }
 
 static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,