Linux bluetooth development
* [PATCH] Bluetooth: L2CAP: fix tx ident leak for commands without a response
@ 2026-06-12 14:38 Stig Hornang
  2026-06-12 14:58 ` Stig Hornang
  2026-06-12 16:11 ` bluez.test.bot
  0 siblings, 2 replies; 4+ messages in thread
From: Stig Hornang @ 2026-06-12 14:38 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: luiz.dentz, marcel, Stig Hornang

Commit 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding
TX ident") changed ident allocation to use an IDA, releasing idents in
l2cap_put_ident() when the matching response command is received.

But identifiers allocated for commands that have no response defined
are never released. In particular L2CAP_LE_CREDITS is sent repeatedly for
the lifetime of an LE CoC channel, so a peer streaming data to the
host exhausts the 1-255 ident range after 254 credit packets. From
then on l2cap_get_ident() fails:

    kernel: Bluetooth: Unable to allocate ident: -28

and every subsequent L2CAP_LE_CREDITS packet is sent with ident 0,
which is invalid (Core Spec, Vol 3, Part A, Section 4: "Signaling
identifier 0x00 is an invalid identifier and shall never be used in
any command"). Remote stacks that validate the ident drop these
commands, never receive new credits, and the channel stalls
permanently. With default socket buffers this happens after roughly 0.5 MB
of received data (the exact amount depends on the socket receive buffer):

  < ACL Data TX: Handle 2048 flags 0x00 dlen 12
        LE L2CAP: LE Flow Control Credit (0x16) ident 0 len 4
          Source CID: 64
          Credits: 1

Release the ident immediately after sending L2CAP_LE_CREDITS since no
response will ever release it. Use a local variable instead of
chan->ident so that an ident that an EXT_FLOWCTL channel may be waiting on
(e.g. a pending reconfigure) is not overwritten by a credit packet.

Also add the missing L2CAP_LE_CONN_RSP case to l2cap_put_ident() so
idents allocated for outgoing L2CAP_LE_CONN_REQ commands are released
when the response arrives.

Fixes: 6c3ea155e5ee ("Bluetooth: L2CAP: Fix not tracking outstanding TX ident")
Assisted-by: Claude:claude-opus-4.8
Assisted-by: Fable:5
Signed-off-by: Stig Hornang <stig@hornang.me>
---
 net/bluetooth/l2cap_core.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4810,6 +4810,7 @@ static void l2cap_put_ident(struct l2cap
 	case L2CAP_ECHO_RSP:
 	case L2CAP_INFO_RSP:
 	case L2CAP_CONN_PARAM_UPDATE_RSP:
+	case L2CAP_LE_CONN_RSP:
 	case L2CAP_ECRED_CONN_RSP:
 	case L2CAP_ECRED_RECONF_RSP:
 		/* First do a lookup since the remote may send bogus ids that
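
Review bot: The added `case L2CAP_LE_CONN_RSP:` in l2cap_put_ident() fixes a second, independent leak (idents held by outgoing L2CAP_LE_CONN_REQ) and would be easier to bisect and backport as its own patch, separate from the L2CAP_LE_CREDITS change. Because this switch is a hand-maintained list of response opcodes, it is also worth confirming in the same series that every other request sent with an ident from l2cap_get_ident() has its response opcode listed here, so the same omission does not remain for another command.
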
@@ -6632,6 +6633,7 @@ static void l2cap_chan_le_send_credits(s
 	struct l2cap_conn *conn = chan->conn;
 	struct l2cap_le_credits pkt;
 	u16 return_credits = l2cap_le_rx_credits(chan);
+	int ident;

 	if (chan->mode != L2CAP_MODE_LE_FLOWCTL &&
 	    chan->mode != L2CAP_MODE_EXT_FLOWCTL)
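
Review bot: The new `int ident;` local in l2cap_chan_le_send_credits() has to stay signed, since the commit message shows l2cap_get_ident() returning -28 on exhaustion and the later `if (ident > 0)` check depends on seeing that negative value. A short comment at the declaration would help, because narrowing it to an unsigned 8-bit type to match the 1-255 wire range would turn an allocation error into a positive number that then gets passed to ida_free().
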
@@ -6649,9 +6651,18 @@ static void l2cap_chan_le_send_credits(s
 	pkt.cid     = cpu_to_le16(chan->scid);
 	pkt.credits = cpu_to_le16(return_credits);

-	chan->ident = l2cap_get_ident(conn);
+	ident = l2cap_get_ident(conn);
+
+	l2cap_send_cmd(conn, ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);

-	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CREDITS, sizeof(pkt), &pkt);
+	/* L2CAP_LE_CREDITS has no response so the ident is never released by
+	 * l2cap_put_ident() - release it right away, otherwise the tx_ida
+	 * range is exhausted after 254 packets and from then on credits are
+	 * sent with the invalid ident 0, which some remote stacks ignore,
+	 * stalling the channel.
+	 */
+	if (ident > 0)
+		ida_free(&conn->tx_ida, ident);
 }

 void l2cap_chan_rx_avail(struct l2cap_chan *chan, ssize_t rx_avail)
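
Review bot: The `if (ident > 0)` check at the end of l2cap_chan_le_send_credits() guards only ida_free(); when l2cap_get_ident() fails, l2cap_send_cmd() is still called with the error value, which per the commit message goes out as the invalid ident 0 that remote stacks drop. Releasing the ident right after the send makes exhaustion from credit packets go away, but other outstanding requests can still fill the range, so the failure path deserves an explicit decision here: check `ident` before l2cap_send_cmd() and either log and retry the credit return later or document why sending with a failed ident is acceptable. The block comment could also be shortened to the invariant (no response exists for L2CAP_LE_CREDITS, so release immediately), leaving the 254-packet history to the commit message.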


* Re: [PATCH] Bluetooth: L2CAP: fix tx ident leak for commands without a response
  2026-06-12 14:38 [PATCH] Bluetooth: L2CAP: fix tx ident leak for commands without a response Stig Hornang
@ 2026-06-12 14:58 ` Stig Hornang
  2026-06-12 15:00   ` Luiz Augusto von Dentz
  2026-06-12 16:11 ` bluez.test.bot
  1 sibling, 1 reply; 4+ messages in thread
From: Stig Hornang @ 2026-06-12 14:58 UTC (permalink / raw)
  To: stig; +Cc: linux-bluetooth, luiz.dentz, marcel

Found out it was already reported and suggested fix here: https://bugzilla.kernel.org/show_bug.cgi?id=221629


* Re: [PATCH] Bluetooth: L2CAP: fix tx ident leak for commands without a response
  2026-06-12 14:58 ` Stig Hornang
@ 2026-06-12 15:00   ` Luiz Augusto von Dentz
  0 siblings, 0 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2026-06-12 15:00 UTC (permalink / raw)
  To: Stig Hornang; +Cc: linux-bluetooth, marcel

Hi Stig,

On Fri, Jun 12, 2026 at 11:58 AM Stig Hornang <stig@hornang.me> wrote:
>
> Found out it was already reported and suggested fix here: https://bugzilla.kernel.org/show_bug.cgi?id=221629

There was not a proper patch though, so I'd just add a Reported-by.

-- 
Luiz Augusto von Dentz


* RE: Bluetooth: L2CAP: fix tx ident leak for commands without a response
  2026-06-12 14:38 [PATCH] Bluetooth: L2CAP: fix tx ident leak for commands without a response Stig Hornang
  2026-06-12 14:58 ` Stig Hornang
@ 2026-06-12 16:11 ` bluez.test.bot
  1 sibling, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-06-12 16:11 UTC (permalink / raw)
  To: linux-bluetooth, stig


This is an automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results with your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1110718

---Test result---

Test Summary:
CheckPatch                    PASS      0.46 seconds
VerifyFixes                   PASS      0.07 seconds
VerifySignedoff               PASS      0.07 seconds
GitLint                       PASS      0.18 seconds
SubjectPrefix                 PASS      0.06 seconds
BuildKernel                   PASS      19.74 seconds
CheckAllWarning               PASS      23.06 seconds
CheckSparse                   PASS      21.28 seconds
BuildKernel32                 PASS      20.47 seconds
TestRunnerSetup               PASS      415.18 seconds
TestRunner_l2cap-tester       PASS      47.98 seconds
IncrementalBuild              PASS      20.41 seconds



https://github.com/bluez/bluetooth-next/pull/310

---
Regards,
Linux Bluetooth

