* [PATCH v1] Bluetooth: L2CAP: Fix regressions caused by reusing ident
@ 2026-03-17 16:02 Luiz Augusto von Dentz
2026-03-17 17:25 ` [v1] " bluez.test.bot
2026-03-17 17:57 ` [PATCH v1] " Luiz Augusto von Dentz
0 siblings, 2 replies; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-17 16:02 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This attempt to fix regressions caused by reusing ident which apparently
is not handled well on certain stacks causing the stack to not respond to
requests, so instead of simple returning the first unallocated id this
stores the last used tx_ident and then attempt to use the next until all
available ids are exausted and then cycle starting over to 1.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221120
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221177
Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
include/net/bluetooth/l2cap.h | 1 +
net/bluetooth/l2cap_core.c | 39 +++++++++++++++++++++++++++--------
2 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 010f1a8fd15f..5172afee5494 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -658,6 +658,7 @@ struct l2cap_conn {
struct sk_buff *rx_skb;
__u32 rx_len;
struct ida tx_ida;
+ __u8 tx_ident;
struct sk_buff_head pending_rx;
struct work_struct pending_rx_work;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ead51dc0f3f1..4dbd7b1bd72f 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -926,16 +926,37 @@ int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
static int l2cap_get_ident(struct l2cap_conn *conn)
{
- /* LE link does not support tools like l2ping so use the full range */
- if (conn->hcon->type == LE_LINK)
- return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC);
+ int ident;
- /* Get next available identificator.
- * 1 - 128 are used by kernel.
- * 129 - 199 are reserved.
- * 200 - 254 are used by utilities like l2ping, etc.
- */
- return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC);
+ /* LE link does not support tools like l2ping so use the full range */
+ if (conn->hcon->type == LE_LINK) {
+ /* Allocate ident using min as last used + 1 (cyclic) */
+ ident = ida_alloc_range(&conn->tx_ida, ++conn->tx_ident,
+ 255, GFP_ATOMIC);
+ /* Force min 1 to start over */
+ if (ident < 0)
+ ident = ida_alloc_range(&conn->tx_ida, 1, 255,
+ GFP_ATOMIC);
+ } else {
+ /* Get next available identificator.
+ * 1 - 128 are used by kernel.
+ * 129 - 199 are reserved.
+ * 200 - 254 are used by utilities like l2ping, etc.
+ */
+
+ /* Allocate ident using min as last used + 1 (cyclic) */
+ ident = ida_alloc_range(&conn->tx_ida, ++conn->tx_ident,
+ 128, GFP_ATOMIC);
+ /* Force min 1 to start over */
+ if (ident < 0)
+ ident = ida_alloc_range(&conn->tx_ida, 1, 128,
+ GFP_ATOMIC);
+ }
+
+ if (ident > 0)
+ conn->tx_ident = ident;
+
+ return ident;
}
static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,
--
2.53.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* RE: [v1] Bluetooth: L2CAP: Fix regressions caused by reusing ident
2026-03-17 16:02 [PATCH v1] Bluetooth: L2CAP: Fix regressions caused by reusing ident Luiz Augusto von Dentz
@ 2026-03-17 17:25 ` bluez.test.bot
2026-03-17 17:57 ` [PATCH v1] " Luiz Augusto von Dentz
1 sibling, 0 replies; 5+ messages in thread
From: bluez.test.bot @ 2026-03-17 17:25 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
[-- Attachment #1: Type: text/plain, Size: 2833 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1068106
---Test result---
Test Summary:
CheckPatch PENDING 0.54 seconds
GitLint PENDING 0.54 seconds
SubjectPrefix PASS 0.06 seconds
BuildKernel PASS 27.06 seconds
CheckAllWarning PASS 29.69 seconds
CheckSparse PASS 28.44 seconds
BuildKernel32 PASS 25.51 seconds
TestRunnerSetup PASS 575.15 seconds
TestRunner_l2cap-tester PASS 28.26 seconds
TestRunner_iso-tester FAIL 35.32 seconds
TestRunner_bnep-tester PASS 6.23 seconds
TestRunner_mgmt-tester FAIL 116.16 seconds
TestRunner_rfcomm-tester PASS 9.30 seconds
TestRunner_sco-tester FAIL 18.56 seconds
TestRunner_ioctl-tester PASS 10.23 seconds
TestRunner_mesh-tester FAIL 12.50 seconds
TestRunner_smp-tester PASS 8.57 seconds
TestRunner_userchan-tester PASS 6.70 seconds
IncrementalBuild PENDING 0.70 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.112 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.736 seconds
Mesh - Send cancel - 2 Timed out 1.994 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1] Bluetooth: L2CAP: Fix regressions caused by reusing ident
2026-03-17 16:02 [PATCH v1] Bluetooth: L2CAP: Fix regressions caused by reusing ident Luiz Augusto von Dentz
2026-03-17 17:25 ` [v1] " bluez.test.bot
@ 2026-03-17 17:57 ` Luiz Augusto von Dentz
2026-03-18 13:33 ` Christian Eggers
1 sibling, 1 reply; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-17 17:57 UTC (permalink / raw)
To: linux-bluetooth, Christian Eggers
Hi Christian,
On Tue, Mar 17, 2026 at 12:03 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> This attempt to fix regressions caused by reusing ident which apparently
> is not handled well on certain stacks causing the stack to not respond to
> requests, so instead of simple returning the first unallocated id this
> stores the last used tx_ident and then attempt to use the next until all
> available ids are exausted and then cycle starting over to 1.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=221120
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=221177
> Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> include/net/bluetooth/l2cap.h | 1 +
> net/bluetooth/l2cap_core.c | 39 +++++++++++++++++++++++++++--------
> 2 files changed, 31 insertions(+), 9 deletions(-)
>
> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> index 010f1a8fd15f..5172afee5494 100644
> --- a/include/net/bluetooth/l2cap.h
> +++ b/include/net/bluetooth/l2cap.h
> @@ -658,6 +658,7 @@ struct l2cap_conn {
> struct sk_buff *rx_skb;
> __u32 rx_len;
> struct ida tx_ida;
> + __u8 tx_ident;
>
> struct sk_buff_head pending_rx;
> struct work_struct pending_rx_work;
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index ead51dc0f3f1..4dbd7b1bd72f 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -926,16 +926,37 @@ int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
>
> static int l2cap_get_ident(struct l2cap_conn *conn)
> {
> - /* LE link does not support tools like l2ping so use the full range */
> - if (conn->hcon->type == LE_LINK)
> - return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC);
> + int ident;
>
> - /* Get next available identificator.
> - * 1 - 128 are used by kernel.
> - * 129 - 199 are reserved.
> - * 200 - 254 are used by utilities like l2ping, etc.
> - */
> - return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC);
> + /* LE link does not support tools like l2ping so use the full range */
> + if (conn->hcon->type == LE_LINK) {
> + /* Allocate ident using min as last used + 1 (cyclic) */
> + ident = ida_alloc_range(&conn->tx_ida, ++conn->tx_ident,
> + 255, GFP_ATOMIC);
> + /* Force min 1 to start over */
> + if (ident < 0)
> + ident = ida_alloc_range(&conn->tx_ida, 1, 255,
> + GFP_ATOMIC);
> + } else {
> + /* Get next available identificator.
> + * 1 - 128 are used by kernel.
> + * 129 - 199 are reserved.
> + * 200 - 254 are used by utilities like l2ping, etc.
> + */
> +
> + /* Allocate ident using min as last used + 1 (cyclic) */
> + ident = ida_alloc_range(&conn->tx_ida, ++conn->tx_ident,
> + 128, GFP_ATOMIC);
> + /* Force min 1 to start over */
> + if (ident < 0)
> + ident = ida_alloc_range(&conn->tx_ida, 1, 128,
> + GFP_ATOMIC);
> + }
> +
> + if (ident > 0)
> + conn->tx_ident = ident;
> +
> + return ident;
> }
>
> static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,
> --
> 2.53.0
>
Do you have any capacity to test the above with L2CAP/COS/CED/BI-29-C?
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1] Bluetooth: L2CAP: Fix regressions caused by reusing ident
2026-03-17 17:57 ` [PATCH v1] " Luiz Augusto von Dentz
@ 2026-03-18 13:33 ` Christian Eggers
2026-03-18 15:10 ` Luiz Augusto von Dentz
0 siblings, 1 reply; 5+ messages in thread
From: Christian Eggers @ 2026-03-18 13:33 UTC (permalink / raw)
To: linux-bluetooth, Luiz Augusto von Dentz
Hi Luiz,
On Tuesday, 17 March 2026, 18:57:27 CET, Luiz Augusto von Dentz wrote:
> Hi Christian,
>
> On Tue, Mar 17, 2026 at 12:03 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> >
> > This attempt to fix regressions caused by reusing ident which apparently
> > is not handled well on certain stacks causing the stack to not respond to
> > requests, so instead of simple returning the first unallocated id this
> > stores the last used tx_ident and then attempt to use the next until all
> > available ids are exausted and then cycle starting over to 1.
> >
> > Link: https://bugzilla.kernel.org/show_bug.cgi?id=221120
> > Link: https://bugzilla.kernel.org/show_bug.cgi?id=221177
> > Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident")
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > ---
> > include/net/bluetooth/l2cap.h | 1 +
> > net/bluetooth/l2cap_core.c | 39 +++++++++++++++++++++++++++--------
> > 2 files changed, 31 insertions(+), 9 deletions(-)
> >
> > diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> > index 010f1a8fd15f..5172afee5494 100644
> > --- a/include/net/bluetooth/l2cap.h
> > +++ b/include/net/bluetooth/l2cap.h
> > @@ -658,6 +658,7 @@ struct l2cap_conn {
> > struct sk_buff *rx_skb;
> > __u32 rx_len;
> > struct ida tx_ida;
> > + __u8 tx_ident;
> >
> > struct sk_buff_head pending_rx;
> > struct work_struct pending_rx_work;
> > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> > index ead51dc0f3f1..4dbd7b1bd72f 100644
> > --- a/net/bluetooth/l2cap_core.c
> > +++ b/net/bluetooth/l2cap_core.c
> > @@ -926,16 +926,37 @@ int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
> >
> > static int l2cap_get_ident(struct l2cap_conn *conn)
> > {
> > - /* LE link does not support tools like l2ping so use the full range */
> > - if (conn->hcon->type == LE_LINK)
> > - return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC);
> > + int ident;
> >
> > - /* Get next available identificator.
> > - * 1 - 128 are used by kernel.
> > - * 129 - 199 are reserved.
> > - * 200 - 254 are used by utilities like l2ping, etc.
> > - */
> > - return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC);
> > + /* LE link does not support tools like l2ping so use the full range */
> > + if (conn->hcon->type == LE_LINK) {
> > + /* Allocate ident using min as last used + 1 (cyclic) */
> > + ident = ida_alloc_range(&conn->tx_ida, ++conn->tx_ident,
> > + 255, GFP_ATOMIC);
> > + /* Force min 1 to start over */
> > + if (ident < 0)
> > + ident = ida_alloc_range(&conn->tx_ida, 1, 255,
> > + GFP_ATOMIC);
> > + } else {
> > + /* Get next available identificator.
> > + * 1 - 128 are used by kernel.
> > + * 129 - 199 are reserved.
> > + * 200 - 254 are used by utilities like l2ping, etc.
> > + */
> > +
> > + /* Allocate ident using min as last used + 1 (cyclic) */
> > + ident = ida_alloc_range(&conn->tx_ida, ++conn->tx_ident,
> > + 128, GFP_ATOMIC);
> > + /* Force min 1 to start over */
> > + if (ident < 0)
> > + ident = ida_alloc_range(&conn->tx_ida, 1, 128,
> > + GFP_ATOMIC);
> > + }
> > +
> > + if (ident > 0)
> > + conn->tx_ident = ident;
> > +
> > + return ident;
> > }
> >
> > static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,
> > --
> > 2.53.0
> >
>
> Do you have any capacity to test the above with L2CAP/COS/CED/BI-29-C?
Today my test system seems a little bit bitchy, so L2CAP/COS/CED/BI-29-C even
doesn't complete with my latest working version...
After applying this patch on top of my latest version (6.19.9 +
the BT patches I already submitted), I see a new error (log is below).
At 40344 ms, the connection request sent by the IUT has an identifier value of
'0' (just after wrapping around) which is not a valid identifier as of
Core Vol 3, part A, chapter 4 (page 1122):
"Signaling identifier 0x00 is an invalid identifier and shall never be used in any
command."
Any idea why the identifier used by the IUT wraps around from 255 to 0
instead of 1?
regards,
Christian
+40078 ms
Verdict Description: Received CMD:LE Credit Based Connection REQ:
Code: [20 (0x14)] Code
Identifier: [254 (0xFE)]
Length: [10 (0x000A)]
SPSM: [128 (0x0080)]
Source CID: [64 (0x0040)]
MTU: [672 (0x02A0)]
MPS: [23 (0x0017)]
Initial Credits: [30 (0x001E)]
+40078 ms
Verdict Description: Sent=LE Credit Based Connection RSP:
Code: [21 (0x15)] Code
Identifier: [0 (0x00)]
Length: [10 (0x000A)]
Destination CID: [79 (0x004F)]
MTU: [64 (0x0040)]
MPS: [64 (0x0040)]
Initial Credits: [2 (0x0002)]
Result: [0 (0x0000)] Connection Successful
+40078 ms
Send Event HCI!ACL_DATA_REQ{
connectionHandle=0x0010,
boundary=0x00,
broadcasting=0x00,
length=0x0012,
p_data[0]=0x0E
}
+40250 ms
Receive Event HCI?ACL_DATA{
connHandle=0x0010,
length=18,
boundaryFlag=0x02,
broadcastFlag=0x00
}
+40250 ms
Verdict Description: ReceivePacket!
receive=0E00050014FF0A0080004000A00217001E00, CID=5
+40250 ms
Verdict Description: Received CMD:LE Credit Based Connection REQ:
Code: [20 (0x14)] Code
Identifier: [255 (0xFF)]
Length: [10 (0x000A)]
SPSM: [128 (0x0080)]
Source CID: [64 (0x0040)]
MTU: [672 (0x02A0)]
MPS: [23 (0x0017)]
Initial Credits: [30 (0x001E)]
+40250 ms
Verdict Description: Sent=LE Credit Based Connection RSP:
Code: [21 (0x15)] Code
Identifier: [0 (0x00)]
Length: [10 (0x000A)]
Destination CID: [80 (0x0050)]
MTU: [64 (0x0040)]
MPS: [64 (0x0040)]
Initial Credits: [2 (0x0002)]
Result: [0 (0x0000)] Connection Successful
+40250 ms
Send Event HCI!ACL_DATA_REQ{
connectionHandle=0x0010,
boundary=0x00,
broadcasting=0x00,
length=0x0012,
p_data[0]=0x0E
}
+40344 ms
Receive Event HCI?ACL_DATA{
connHandle=0x0010,
length=18,
boundaryFlag=0x02,
broadcastFlag=0x00
}
+40344 ms
Verdict Description: ReceivePacket!
receive=0E00050014000A0080004000A00217001E00, CID=5
+40344 ms
Verdict Description: Received CMD:LE Credit Based Connection REQ:
Code: [20 (0x14)] Code
Identifier: [0 (0x00)]
Length: [10 (0x000A)]
SPSM: [128 (0x0080)]
Source CID: [64 (0x0040)]
MTU: [672 (0x02A0)]
MPS: [23 (0x0017)]
Initial Credits: [30 (0x001E)]
+40344 ms
Verdict Description: Sent=LE Credit Based Connection RSP:
Code: [21 (0x15)] Code
Identifier: [0 (0x00)]
Length: [10 (0x000A)]
Destination CID: [81 (0x0051)]
MTU: [64 (0x0040)]
MPS: [64 (0x0040)]
Initial Credits: [2 (0x0002)]
Result: [0 (0x0000)] Connection Successful
+40344 ms
Send Event HCI!ACL_DATA_REQ{
connectionHandle=0x0010,
boundary=0x00,
broadcasting=0x00,
length=0x0012,
p_data[0]=0x0E
}
+40422 ms
Indecisive: Received Identifier is not unique. Received=0
+40422 ms
Verdict Description: Received Identifier is not unique. Received=0
+40625 ms
Send Event HCI!HCI_RESET
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v1] Bluetooth: L2CAP: Fix regressions caused by reusing ident
2026-03-18 13:33 ` Christian Eggers
@ 2026-03-18 15:10 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 5+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-18 15:10 UTC (permalink / raw)
To: Christian Eggers; +Cc: linux-bluetooth
Hi Christian,
On Wed, Mar 18, 2026 at 9:33 AM Christian Eggers <ceggers@arri.de> wrote:
>
> Hi Luiz,
>
> On Tuesday, 17 March 2026, 18:57:27 CET, Luiz Augusto von Dentz wrote:
> > Hi Christian,
> >
> > On Tue, Mar 17, 2026 at 12:03 PM Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > >
> > > This attempt to fix regressions caused by reusing ident which apparently
> > > is not handled well on certain stacks causing the stack to not respond to
> > > requests, so instead of simple returning the first unallocated id this
> > > stores the last used tx_ident and then attempt to use the next until all
> > > available ids are exausted and then cycle starting over to 1.
> > >
> > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=221120
> > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=221177
> > > Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident")
> > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > ---
> > > include/net/bluetooth/l2cap.h | 1 +
> > > net/bluetooth/l2cap_core.c | 39 +++++++++++++++++++++++++++--------
> > > 2 files changed, 31 insertions(+), 9 deletions(-)
> > >
> > > diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> > > index 010f1a8fd15f..5172afee5494 100644
> > > --- a/include/net/bluetooth/l2cap.h
> > > +++ b/include/net/bluetooth/l2cap.h
> > > @@ -658,6 +658,7 @@ struct l2cap_conn {
> > > struct sk_buff *rx_skb;
> > > __u32 rx_len;
> > > struct ida tx_ida;
> > > + __u8 tx_ident;
> > >
> > > struct sk_buff_head pending_rx;
> > > struct work_struct pending_rx_work;
> > > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> > > index ead51dc0f3f1..4dbd7b1bd72f 100644
> > > --- a/net/bluetooth/l2cap_core.c
> > > +++ b/net/bluetooth/l2cap_core.c
> > > @@ -926,16 +926,37 @@ int l2cap_chan_check_security(struct l2cap_chan *chan, bool initiator)
> > >
> > > static int l2cap_get_ident(struct l2cap_conn *conn)
> > > {
> > > - /* LE link does not support tools like l2ping so use the full range */
> > > - if (conn->hcon->type == LE_LINK)
> > > - return ida_alloc_range(&conn->tx_ida, 1, 255, GFP_ATOMIC);
> > > + int ident;
> > >
> > > - /* Get next available identificator.
> > > - * 1 - 128 are used by kernel.
> > > - * 129 - 199 are reserved.
> > > - * 200 - 254 are used by utilities like l2ping, etc.
> > > - */
> > > - return ida_alloc_range(&conn->tx_ida, 1, 128, GFP_ATOMIC);
> > > + /* LE link does not support tools like l2ping so use the full range */
> > > + if (conn->hcon->type == LE_LINK) {
> > > + /* Allocate ident using min as last used + 1 (cyclic) */
> > > + ident = ida_alloc_range(&conn->tx_ida, ++conn->tx_ident,
> > > + 255, GFP_ATOMIC);
> > > + /* Force min 1 to start over */
> > > + if (ident < 0)
> > > + ident = ida_alloc_range(&conn->tx_ida, 1, 255,
> > > + GFP_ATOMIC);
> > > + } else {
> > > + /* Get next available identificator.
> > > + * 1 - 128 are used by kernel.
> > > + * 129 - 199 are reserved.
> > > + * 200 - 254 are used by utilities like l2ping, etc.
> > > + */
> > > +
> > > + /* Allocate ident using min as last used + 1 (cyclic) */
> > > + ident = ida_alloc_range(&conn->tx_ida, ++conn->tx_ident,
> > > + 128, GFP_ATOMIC);
> > > + /* Force min 1 to start over */
> > > + if (ident < 0)
> > > + ident = ida_alloc_range(&conn->tx_ida, 1, 128,
> > > + GFP_ATOMIC);
> > > + }
> > > +
> > > + if (ident > 0)
> > > + conn->tx_ident = ident;
> > > +
> > > + return ident;
> > > }
> > >
> > > static void l2cap_send_acl(struct l2cap_conn *conn, struct sk_buff *skb,
> > > --
> > > 2.53.0
> > >
> >
> > Do you have any capacity to test the above with L2CAP/COS/CED/BI-29-C?
>
> Today my test system seems a little bit bitchy, so L2CAP/COS/CED/BI-29-C even
> doesn't complete with my latest working version...
>
> After applying this patch on top of my latest version (6.19.9 +
> the BT patches I already submitted), I see a new error (log is below).
> At 40344 ms, the connection request sent by the IUT has an identifier value of
> '0' (just after wrapping around) which is not a valid identifier as of
> Core Vol 3, part A, chapter 4 (page 1122):
>
> "Signaling identifier 0x00 is an invalid identifier and shall never be used in any
> command."
>
> Any idea why the identifier used by the IUT wraps around from 255 to 0
> instead of 1?
Yeah, that seem to be a bug in the new version, let me check how to fix it.
> regards,
> Christian
>
>
>
> +40078 ms
> Verdict Description: Received CMD:LE Credit Based Connection REQ:
> Code: [20 (0x14)] Code
> Identifier: [254 (0xFE)]
> Length: [10 (0x000A)]
> SPSM: [128 (0x0080)]
> Source CID: [64 (0x0040)]
> MTU: [672 (0x02A0)]
> MPS: [23 (0x0017)]
> Initial Credits: [30 (0x001E)]
>
>
>
> +40078 ms
> Verdict Description: Sent=LE Credit Based Connection RSP:
> Code: [21 (0x15)] Code
> Identifier: [0 (0x00)]
> Length: [10 (0x000A)]
> Destination CID: [79 (0x004F)]
> MTU: [64 (0x0040)]
> MPS: [64 (0x0040)]
> Initial Credits: [2 (0x0002)]
> Result: [0 (0x0000)] Connection Successful
>
>
>
> +40078 ms
> Send Event HCI!ACL_DATA_REQ{
> connectionHandle=0x0010,
> boundary=0x00,
> broadcasting=0x00,
> length=0x0012,
> p_data[0]=0x0E
> }
>
>
> +40250 ms
> Receive Event HCI?ACL_DATA{
> connHandle=0x0010,
> length=18,
> boundaryFlag=0x02,
> broadcastFlag=0x00
> }
>
>
> +40250 ms
> Verdict Description: ReceivePacket!
> receive=0E00050014FF0A0080004000A00217001E00, CID=5
>
>
>
> +40250 ms
> Verdict Description: Received CMD:LE Credit Based Connection REQ:
> Code: [20 (0x14)] Code
> Identifier: [255 (0xFF)]
> Length: [10 (0x000A)]
> SPSM: [128 (0x0080)]
> Source CID: [64 (0x0040)]
> MTU: [672 (0x02A0)]
> MPS: [23 (0x0017)]
> Initial Credits: [30 (0x001E)]
>
>
>
> +40250 ms
> Verdict Description: Sent=LE Credit Based Connection RSP:
> Code: [21 (0x15)] Code
> Identifier: [0 (0x00)]
> Length: [10 (0x000A)]
> Destination CID: [80 (0x0050)]
> MTU: [64 (0x0040)]
> MPS: [64 (0x0040)]
> Initial Credits: [2 (0x0002)]
> Result: [0 (0x0000)] Connection Successful
>
>
>
> +40250 ms
> Send Event HCI!ACL_DATA_REQ{
> connectionHandle=0x0010,
> boundary=0x00,
> broadcasting=0x00,
> length=0x0012,
> p_data[0]=0x0E
> }
>
>
> +40344 ms
> Receive Event HCI?ACL_DATA{
> connHandle=0x0010,
> length=18,
> boundaryFlag=0x02,
> broadcastFlag=0x00
> }
>
>
> +40344 ms
> Verdict Description: ReceivePacket!
> receive=0E00050014000A0080004000A00217001E00, CID=5
>
>
>
> +40344 ms
> Verdict Description: Received CMD:LE Credit Based Connection REQ:
> Code: [20 (0x14)] Code
> Identifier: [0 (0x00)]
> Length: [10 (0x000A)]
> SPSM: [128 (0x0080)]
> Source CID: [64 (0x0040)]
> MTU: [672 (0x02A0)]
> MPS: [23 (0x0017)]
> Initial Credits: [30 (0x001E)]
>
>
>
> +40344 ms
> Verdict Description: Sent=LE Credit Based Connection RSP:
> Code: [21 (0x15)] Code
> Identifier: [0 (0x00)]
> Length: [10 (0x000A)]
> Destination CID: [81 (0x0051)]
> MTU: [64 (0x0040)]
> MPS: [64 (0x0040)]
> Initial Credits: [2 (0x0002)]
> Result: [0 (0x0000)] Connection Successful
>
>
>
> +40344 ms
> Send Event HCI!ACL_DATA_REQ{
> connectionHandle=0x0010,
> boundary=0x00,
> broadcasting=0x00,
> length=0x0012,
> p_data[0]=0x0E
> }
>
>
> +40422 ms
> Indecisive: Received Identifier is not unique. Received=0
>
>
>
> +40422 ms
> Verdict Description: Received Identifier is not unique. Received=0
>
>
>
> +40625 ms
> Send Event HCI!HCI_RESET
>
>
>
>
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-03-18 15:10 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-17 16:02 [PATCH v1] Bluetooth: L2CAP: Fix regressions caused by reusing ident Luiz Augusto von Dentz
2026-03-17 17:25 ` [v1] " bluez.test.bot
2026-03-17 17:57 ` [PATCH v1] " Luiz Augusto von Dentz
2026-03-18 13:33 ` Christian Eggers
2026-03-18 15:10 ` Luiz Augusto von Dentz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox