From 379eb7a0ff808507f2ab1afd4432ae9ba122984f Mon Sep 17 00:00:00 2001
From: Fredrik Danebjer
Date: Tue, 29 Apr 2025 07:44:08 +0200
Subject: [PATCH] bluetooth: host: Fix premature semaphore giving

There was a semaphore in hci_core which was given to early when receiving the BT_HCI_EVT_NUM_COMPLETED_PACKETS message from the controller. This would sometimes cause an assert to happen in function hci_num_completed_packets, where there would arise a mismatch in the bookkept count, and actually stored nodes. More concretely, due to premature semaphore giveing, the tx_pending node would be have been removed in another context before it could be fetched and moved to complete list in this function.

Signed-off-by: Fredrik Danebjer
---
 subsys/bluetooth/host/hci_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c
index 0446860c0cf..3a1df20a475 100644
--- a/subsys/bluetooth/host/hci_core.c
+++ b/subsys/bluetooth/host/hci_core.c
@@ -598,8 +598,6 @@ static void hci_num_completed_packets(struct net_buf *buf)
 while (count--) {
 sys_snode_t *node;
- k_sem_give(bt_conn_get_pkts(conn));
-
 /* move the next TX context from the `pending` list to
 * the `complete` list.
 */
@@ -611,6 +609,8 @@ static void hci_num_completed_packets(struct net_buf *buf)
 break;
 }
+ k_sem_give(bt_conn_get_pkts(conn));
+
 sys_slist_append(&conn->tx_complete, node);
 /* align the `pending` value */
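Review bot: Moving `k_sem_give(bt_conn_get_pkts(conn))` below the `sys_slist_get()` of `tx_pending` changes what happens when the controller reports more completed packets than the host has pending contexts: the `break` on a missing node now exits the loop without returning that TX credit, whereas the old placement gave the semaphore unconditionally for every `count`. That is arguably the safer direction, since a controller-supplied count can no longer inflate the host's credit pool beyond the contexts it actually tracks, but it is a second behaviour change that the commit message does not mention and that deserves a comment at the new call site, e.g. `/* Return the TX credit only after this context has been taken off tx_pending; giving it earlier lets another context reap the node before we move it to tx_complete. */`. It is also worth confirming that nothing woken by the give can act on this node in the window where it has been removed from `tx_pending` but not yet appended to `tx_complete` on the next line. The `!node` handling between the two hunks and the rest of `hci_num_completed_packets` are outside the diff, so the bookkeeping that follows the append could not be checked here.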