bluetooth: host: Fix premature semaphore giving

There was a semaphore in hci_core which was given to early when
receiving the BT_HCI_EVT_NUM_COMPLETED_PACKETS message from the
controller. This would sometimes cause an assert to happen in
function hci_num_completed_packets, where there would arise a
mismatch in the bookkept count, and actually stored nodes. More
concretely, due to premature semaphore giveing, the tx_pending node
would be have been removed in another context before it could be
fetched and moved to complete list in this function.

Signed-off-by: Fredrik Danebjer <frdn@demant.com>

Author: fredrikdanebjer

subsys/bluetooth/host/hci_core.c

@@ -598,8 +598,6 @@ static void hci_num_completed_packets(struct net_buf *buf)
 		while (count--) {
 			sys_snode_t *node;
 
-			k_sem_give(bt_conn_get_pkts(conn));
-
 			/* move the next TX context from the `pending` list to
 			 * the `complete` list.
 			 */
@@ -611,6 +609,8 @@ static void hci_num_completed_packets(struct net_buf *buf)
 				break;
 			}
 
+			k_sem_give(bt_conn_get_pkts(conn));
+
 			sys_slist_append(&conn->tx_complete, node);
 
 			/* align the `pending` value */