Bluetooth: L2CAP: Accept incomplete SDU

fdanis-oss · intel-lab-lkp · commit 66ac9c5561fe · 2025-11-17T17:33:42.000+08:00
During OBEX Abort command, iOS may return an incomplete SDU packet which ends with the reply to the Abort command. During OBEX Abort command, iOS may return the L2CAP_SAR_END packet before the normal end of the SAR packets: < ACL Data TX: Handle 21 [2/8] flags 0x00 dlen 11 torvalds#194 [hci0] 14.923741 Channel: 3080 len 7 ctrl 0x060a [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Unsegmented TxSeq 5 ReqSeq 6 0a 06 ff 00 03 47 84 .....G. ... > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#382 [hci0] 19.701854 Channel: 65 len 1006 ctrl 0x460e [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Start (len 32767) TxSeq 7 ReqSeq 6 0e 46 ff 7f 90 7f ff 48 7f fc 43 48 41 52 53 45 .F.....H..CHARSE ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#383 [hci0] 19.701854 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#384 [hci0] 19.755918 Channel: 65 len 1006 ctrl 0xc610 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 8 ReqSeq 6 10 c6 6e 6f 73 61 69 72 65 73 64 65 73 69 67 6e ..nosairesdesign ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#385 [hci0] 19.775016 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#386 [hci0] 19.775024 Channel: 65 len 1006 ctrl 0xc612 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 9 ReqSeq 6 12 c6 69 63 6f 20 43 69 74 79 20 54 65 63 68 20 ..ico City Tech ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#387 [hci0] 19.775024 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#388 [hci0] 19.821542 Channel: 65 len 1006 ctrl 0xc614 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 10 ReqSeq 6 14 c6 6c 74 69 6e 67 20 50 61 72 74 6e 65 72 0d ..lting Partner. ... > ACL Data RX: Handle 21 flags 0x02 dlen 552 torvalds#389 [hci0] 19.821610 > ACL Data RX: Handle 21 flags 0x01 dlen 458 torvalds#390 [hci0] 19.821610 Channel: 65 len 1006 ctrl 0xc616 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: Continuation TxSeq 11 ReqSeq 6 16 c6 6c 74 69 6e 67 2e 63 6f 6d 0d 0a 55 49 44 ..lting.com..UID ... > ACL Data RX: Handle 21 flags 0x02 dlen 11 torvalds#391 [hci0] 19.821610 Channel: 65 len 7 ctrl 0x8618 [PSM 4101 mode Enhanced Retransmission (0x03)] {chan 0} I-frame: End TxSeq 12 ReqSeq 6 18 86 a0 00 03 3e 5d .....>] < ACL Data TX: Handle 21 [1/8] flags 0x00 dlen 12 torvalds#392 [hci0] 19.822491 L2CAP: Disconnection Request (0x06) ident 10 len 4 Destination CID: 3080 Source CID: 65 In this case the re-assembled packet should be 32767 bytes as defined in Start packet (torvalds#382), i.e. 33 segmented packets, but the End packet is sent as the 6th packet. The l2cap_reassemble_sdu() function returns error -EINVAL if reassembled packet size != expected size, triggering the L2CAP disconnection, which disconnects the OBEX session, preventing further OBEX actions. Log this, discard previous segmented packet data and only send data from SAR End packet to upstream. Closes: bluez/bluetooth-next#17 Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
@@ -5703,13 +5703,20 @@ static int l2cap_reassemble_sdu(struct l2cap_chan *chan, struct sk_buff *skb,
 		if (!chan->sdu)
 			break;
 
-		append_skb_frag(chan->sdu, skb,
-				&chan->sdu_last_frag);
+		if (chan->sdu->len + skb->len != chan->sdu_len) {
+			BT_DBG("Incomplete SDU, expected: %u received: %u", chan->sdu_len,
+			       chan->sdu->len + skb->len);
+			/* Discard previous data and keep only L2CAP_SAR_END data */
+			kfree_skb(chan->sdu);
+			chan->sdu = skb;
+			chan->sdu_last_frag = skb;
+			chan->sdu_len = skb->len;
+		} else {
+			append_skb_frag(chan->sdu, skb,
+					&chan->sdu_last_frag);
+		}
 		skb = NULL;
 
-		if (chan->sdu->len != chan->sdu_len)
-			break;
-
 		err = chan->ops->recv(chan, chan->sdu);
 
 		if (!err) {
