bluetooth: host: Fix premature semaphore giving

fredrikdanebjer · fredrikdanebjer · commit c8d52e0361c0 · 2025-04-29T09:03:55.000+02:00
There was a semaphore in hci_core which was given to early when
receiving the BT_HCI_EVT_NUM_COMPLETED_PACKETS message from the
controller. This would sometimes cause an assert to happen in
function hci_num_completed_packets, where there would arise a
mismatch in the bookkept count, and actually stored nodes. More
concretely, due to premature semaphore giveing, the tx_pending node
would be have been removed in another context before it could be
fetched and moved to complete list in this function.

Signed-off-by: Fredrik Danebjer &lt;frdn@demant.com&gt;
diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c
@@ -601,8 +601,6 @@ static void hci_num_completed_packets(struct net_buf *buf)
 		while (count--) {
 			sys_snode_t *node;
 
-			k_sem_give(bt_conn_get_pkts(conn));
-
 			/* move the next TX context from the `pending` list to
 			 * the `complete` list.
 			 */
@@ -614,6 +612,8 @@ static void hci_num_completed_packets(struct net_buf *buf)
 				break;
 			}
 
+			k_sem_give(bt_conn_get_pkts(conn));
+
 			sys_slist_append(&conn->tx_complete, node);
 
 			/* align the `pending` value */
